Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: amincd on July 04, 2011, 12:00:18 AM



Title: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 04, 2011, 12:00:18 AM
http://amincd.tumblr.com/post/7191580728/my-response-to-ben-lauries-last-word-on-bitcoin

Ben Laurie wrote a paper that he described on twitter as his ‘last word’ on bitcoin, which explains his view on why bitcoin is either not a decentralized system, or that if it is, how it could be a more efficient one.
The paper is linked to in the blog post here: Decentralised Currencies Are Probably Impossible (But Let’s At Least Make Them Efficient) (http://www.links.org/?p=1179).

Laurie’s basic point is that since bitcoin’s development team uses ‘checkpoints’, which are hard-coded points in the block-chain that cannot be changed through the protocol’s usual method of establishing an authoritative chain, to make transactions that occurred at or before the checkpoint safe from a > 50% attack (https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_computing_power), bitcoin is either not decentralized, if one considers the insertion of these checkpoints as centrally coordinated, or that there is a more resource efficient means of achieving decentralized consensus in the method used to insert the checkpoints.

His conclusion is that a decentralized currency using the method of arriving at consensus that is used to agree on the inclusion of the checkpoints in bitcoin’s block chain, as its sole means of establishing an authoritative block-chain, would be far more energy efficient than the bitcoin protocol’s mining method.

I believe Laurie’s paper is missing a key element in bitcoin’s reliance on hashing power as the primary means of achieving consensus: it can survive attacks by governments.

If bitcoin relied solely on a core development team to establish the authoritative block chain, then the currency would have a Single Point of Failure, that governments could easily target if they wanted to take bitcoin down. As it is, everyone in the bitcoin community knows that if governments started coming after bitcoin’s development team, the insertion of checkpoints might be disrupted, but the block chain could go on.

Checkpoints are just an added security measure, that are not essential to bitcoin’s operation and that are used as long as the option exists. It is important for the credibility of a decentralized currency that it be possible for it to function without such a relatively easy to disrupt method of establishing consensus, and bitcoin, by relying on hashing power, can.



Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: cypherdoc on July 04, 2011, 01:14:50 AM
I think the checkpoints are just as you say; insurance lock downs of the block chain.  Bitcoin is safe.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: FreeMoney on July 04, 2011, 01:17:09 AM
So if I take out the checkpoints that means it's suddenly decentralized.  ::)

I can't believe the weird shit people fixate on when they hear about bitcoin.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 04, 2011, 12:40:51 PM
About one month ago, I wrote a little paper

http://www.newbitcoin.org/documents/newbitcoin.pdf

in which I stated that ‘Bitcoins are not truly decentralized’ and that developers should refrain from hard coding ’correct block hashes’ in a reference implementation.

At that time I didn’t fully realize the implications of what Ben Laurie now stated more formally. So the rest of the paper is an attempt to establish an improved decentralized currency, based on a ‘block-chain’ created by 50% or more cpu-power.

Meanwhile I have come to the conclusion that it can be easily proved that as soon as bitcoins would become truly valuable, it would be lucrative to ‘fraud’ the system by gaining more than 50% of that cpu-power.

1) Gain 50%+ of the computing power.
2) Generate transactions favouring you and have them included into the block chain.
3) In the meantime, with your 50%+ power, start creating a forked chain, with your coins double-spent in different transactions.
4) Publish the fork when your original transactions are accepted and collect the benefits of your new transactions.

At the moment each block generates 50 new bitcoins, and it would take a huge investment already to gain 50%+ of the cpu-power involved.

In the long run however, blocks will only be rewarded with transaction fees and (a market equilibrium will form where) the cost of producing the hashing power needed to find a block will be equivalent to the total of transaction fees in that block.

Assuming transaction fees are much lower than the value of transactions in a block, the cost of forking a block is then much lower than the rewards of the double-spent coins.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: mouse on July 04, 2011, 01:38:20 PM
I tend to agree with the sentiment, if not the details, of Laurie’s objection, i.e. that bitcoin should be made more efficient.

What I wish were possible is if proof-of-work could be based on furthering some scientific endeavour – searching for life in space, folding protein chains, etc. I have NO idea how this could work technically, however. Perhaps something like, you choose which project you wish to support, and the open market trades that work into a fair amount of coins that you can then spend. Or something. I really haven’t thought this through, it’s just a sentiment.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: kjj on July 04, 2011, 01:48:03 PM
Quote from: mouse
I tend to agree with the sentiment, if not the details, of Laurie’s objection, i.e. that bitcoin should be made more efficient.

What I wish were possible is if proof-of-work could be based on furthering some scientific endeavour – searching for life in space, folding protein chains, etc. I have NO idea how this could work technically, however. Perhaps something like, you choose which project you wish to support, and the open market trades that work into a fair amount of coins that you can then spend. Or something. I really haven’t thought this through, it’s just a sentiment.

The reason you have no idea how it could work is because it can't work.  We hash the chain directly because it is impossible to fake the effort.  Using anything else opens the door for forgery.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: flug on July 04, 2011, 02:54:53 PM
Quote from: FreeMoney
I can't believe the weird shit people fixate on when they hear about bitcoin.

:D love this phrase.. that really does sum up so much of the bitcoin criticism that I've heard.. fixation!


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: flug on July 04, 2011, 03:00:21 PM
Quote from: mouse
What I wish were possible is if proof-of-work could be based on furthering some scientific endeavour..

I like the idea of proof-of-existence, where you plug yourself into your computer, and one Satoshi is distributed for every heartbeat.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 04, 2011, 03:52:25 PM
Quote from: Stevie
Meanwhile I have come to the conclusion that it can be easily proved that as soon as bitcoins would become truly valuable, it would be lucrative to ‘fraud’ the system by gaining more than 50% of that cpu-power.

When they become truly valuable, transaction fees will be worth far more than they are now, which will increase difficulty, meaning the cost of attaining 50%+ of the hashing power will be far higher than it is now.

It would also never be lucrative to fraud the system through a 50%+ attack because it would reduce the value of the bitcoins you have.

Quote
In the long run however, blocks will only be rewarded with transaction fees and (a market equilibrium will form where) the cost of producing the hashing power needed to find a block will be equivalent to the total of transaction fees in that block.

The cost of producing hashes is not a short term cost. It requires a long term investment in the hardware that produces them, so unless there's a way to double spend for hundreds of blocks without crashing the value of bitcoins, it would not be worth it. It would be more lucrative to just be honest.



Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: misterbigg on July 04, 2011, 04:21:11 PM
Quote from: amincd
Decentralised Currencies Are Probably Impossible (But Let’s At Least Make Them Efficient) (http://www.links.org/?p=1179)

This article, thinly masquerading as a scholarly work, is full of crap. It is a clear example of what happens when a non-programmer, non-technical person combines a word processor with a PDF creation tool.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: misterbigg on July 04, 2011, 04:27:30 PM
Quote from: Stevie1024
http://www.newbitcoin.org/documents/newbitcoin.pdf

This PDF is also rubbish. Every point in section #3 is incorrect, and demonstrates the author's lack of understanding of the system. For example:

Quote
Once most nodes have forgotten about a payment, the payer might double-spend the bitcoins, depriving the payee of a chance ever to get the original payment.

Wrong...the payee saves a copy of the transaction. Just one of the numerous errors in the paper.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: kjj on July 04, 2011, 06:10:22 PM
Oh, and Steve's paper has been refuted many times in many of the threads that he has posted it into.  Perhaps ridiculed would be a better word.

I wasted some time on it a couple of weeks ago (http://forum.bitcoin.org/index.php?topic=14693.msg213365#msg213365).


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 04, 2011, 06:13:28 PM
Quote from: Stevie
Meanwhile I have come to the conclusion that it can be easily proved that as soon as bitcoins would become truly valuable, it would be lucrative to ‘fraud’ the system by gaining more than 50% of that cpu-power.

Quote from: amincd
When they become truly valuable, transaction fees will be worth far more than they are now, which will increase difficulty, meaning the cost of attaining 50%+ of the hashing power will be far higher than it is now.

With 'truly valuable' I mean value that can be depended on, no matter what that value is. I certainly don't want to speculate about whether that value be higher or lower, but if it were higher, transaction fees would be worth more than now. But if I do a rough guess of the transaction fees (by inspecting a few blocks on the blockexplorer), they're now about 0.05 - 0.20 bitcoins per block.

That means, if exchange rates wouldn't change, a ROI of 0.2% of what it is now and with that an expected difficulty of 0.2% of what it is now. A not so huge investment is necessary for that.

I know, fees could rise, the exchange rates could rise, the number of transactions per block could rise. However, it's always safe to assume fees will be much less than total transaction value in a block, and therefore it's lucrative to calculate hashes of a forked block-chain with double-spent transactions.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 04, 2011, 06:19:14 PM
Quote from: kjj
Oh, and Steve's paper has been refuted many times in many of the threads that he has posted it into.  Perhaps ridiculed would be a better word.

I wasted some time on it a couple of weeks ago (http://forum.bitcoin.org/index.php?topic=14693.msg213365#msg213365).

'Ridiculed' is exactly the right word. And the reason I choose to waste my time on such reactions.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: misterbigg on July 04, 2011, 06:28:05 PM
Quote from: kjj
Oh, and Steve's paper has been refuted many times in many of the threads that he has posted it into.  Perhaps ridiculed would be a better word.

I wasted some time on it a couple of weeks ago (http://forum.bitcoin.org/index.php?topic=14693.msg213365#msg213365).

Oh...haha, ok. So pretty much all of my thoughts that came to mind as I read the original paper have already been expressed times ten by other people.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: misterbigg on July 04, 2011, 06:31:49 PM
Quote from: Stevie1024
'Ridiculed' is exactly the right word. And the reason I choose to waste my time on such reactions.

I think the reason that PDFs like this evoke so much anger is that since they are camouflaged as peer reviewed research papers, intelligent readers are expecting high quality. Reading the original Satoshi paper was VERY exciting and stimulating to the imagination! But when we go in with high expectations and then find drivel, we are understandably upset.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: kjj on July 04, 2011, 06:49:00 PM
Quote from: kjj
Oh, and Steve's paper has been refuted many times in many of the threads that he has posted it into.  Perhaps ridiculed would be a better word.

I wasted some time on it a couple of weeks ago (http://forum.bitcoin.org/index.php?topic=14693.msg213365#msg213365).

Quote from: Stevie1024
'Ridiculed' is exactly the right word. And the reason I choose to waste my time on such reactions.

You didn't waste any time on mine.  I'm still waiting for you to respond to any of my criticisms.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 04, 2011, 07:02:56 PM
Quote from: kjj
Oh, and Steve's paper has been refuted many times in many of the threads that he has posted it into.  Perhaps ridiculed would be a better word.

I wasted some time on it a couple of weeks ago (http://forum.bitcoin.org/index.php?topic=14693.msg213365#msg213365).

Quote from: Stevie1024
'Ridiculed' is exactly the right word. And the reason I choose to waste my time on such reactions.

Quote from: kjj
You didn't waste any time on mine.  I'm still waiting for you to respond to any of my criticisms.

Actually I did respond:

http://forum.bitcoin.org/index.php?topic=14693.msg215507#msg215507



Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: kjj on July 04, 2011, 07:09:29 PM
Quote from: Stevie1024
Actually I did respond:

http://forum.bitcoin.org/index.php?topic=14693.msg215507#msg215507

That's not actually a response.  Just a statement about your intention not to respond.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 04, 2011, 08:13:38 PM
Quote from: Stevie1024
Actually I did respond:

http://forum.bitcoin.org/index.php?topic=14693.msg215507#msg215507

Quote from: kjj
That's not actually a response.  Just a statement about your intention not to respond.

It's a response stating the conditions on which I will respond with respect to content.

I see now your motto is 'Usually right, but not polite.', and I'm wondering how far that'll get you. My motto would be: I'm happy to be proven wrong and I thank those who spend their time and effort to do so. But if you want me to return the favour, you'll have to ask nicely.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 05, 2011, 12:10:59 AM
Quote from: MisterBigg
This article, thinly masquerading as a scholarly work, is full of crap. It is a clear example of what happens when a non-programmer, non-technical person combines a word processor with a PDF creation tool.

The author, Ben Laurie, is actually a software engineer and cryptographer.

Quote from: Stevie
With 'truly valuable' I mean value that can be depended on, no matter what that value is. I certainly don't want to speculate about whether that value be higher or lower, but if it were higher, transaction fees would be worth more than now. But if I do a rough guess of the transaction fees (by inspecting a few blocks on the blockexplorer), they're now about 0.05 - 0.20 bitcoins per block.

That means, if exchange rates wouldn't change, a ROI of 0.2% of what it is now and with that an expected difficulty of 0.2% of what it is now. A not so huge investment is necessary for that.

I know, fees could rise, the exchange rates could rise, the number of transactions per block could rise.

If bitcoin is to be a successful currency, exchange rates and number of transactions will rise by orders of magnitude by the time coin generation per block has become negligible.

Quote
However, it's always safe to assume fees will be much less than total transaction value in a block, and therefore it's lucrative to calculate hashes of a forked block-chain with double-spent transactions.

Once again:

The cost of producing hashes is not a short term cost. It requires a long term investment in the hardware that produces them, so unless there's a way to double spend for hundreds of blocks without crashing the value of bitcoins, it would not be worth it. It would be more lucrative to just be honest.








Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Etlase2 on July 05, 2011, 12:49:53 AM
Quote from: amincd
Once again:

The cost of producing hashes is not a short term cost. It requires a long term investment in the hardware that produces them, so unless there's a way to double spend for hundreds of blocks without crashing the value of bitcoins, it would not be worth it. It would be more lucrative to just be honest.

Proponents of bitcoin have trouble grasping the fact that "evil empire" won't care about the lucrativity. Bitcoin is powered by fiat and probably always will be, there is almost no way to separate the two unless electric companies start taking bitcoins as payment. If someone wants to mess with bitcoin purely to mess with it, the resources required are far from insurmountable. Crashing bitcoin would be the endgame, not a side effect.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 05, 2011, 02:31:23 AM
Quote from: Etlase
Proponents of bitcoin have trouble grasping the fact that "evil empire" won't care about the lucrativity.

I was addressing a claim that it would be lucrative to gain 50%+ of the network power and double spend. I wasn't claiming that people would only want to fraud bitcoin for personal profit.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 05, 2011, 05:28:10 AM
Quote from: Stevie
With 'truly valuable' I mean value that can be depended on, no matter what that value is. I certainly don't want to speculate about whether that value be higher or lower, but if it were higher, transaction fees would be worth more than now. But if I do a rough guess of the transaction fees (by inspecting a few blocks on the blockexplorer), they're now about 0.05 - 0.20 bitcoins per block.

That means, if exchange rates wouldn't change, a ROI of 0.2% of what it is now and with that an expected difficulty of 0.2% of what it is now. A not so huge investment is necessary for that.

I know, fees could rise, the exchange rates could rise, the number of transactions per block could rise.

Quote from: amincd
If bitcoin is to be a successful currency, exchange rates and number of transactions will rise by orders of magnitude by the time coin generation per block has become negligible.

With that premise, that could very well be.

Quote
However, it's always safe to assume fees will be much less than total transaction value in a block, and therefore it's lucrative to calculate hashes of a forked block-chain with double-spent transactions.

Quote from: amincd
Once again:

The cost of producing hashes is not a short term cost. It requires a long term investment in the hardware that produces them, so unless there's a way to double spend for hundreds of blocks without crashing the value of bitcoins, it would not be worth it. It would be more lucrative to just be honest.

The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 05, 2011, 06:27:12 AM
Quote
With that premise, that could very well be.

Thanks for conceding that.

Quote
The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.

But difficulty, and therefore cost of a double spend attack, is also proportional to bitcoin value, so the rise in the potential reward of a double spend attack, is canceled out by the rise in cost in pulling it off, as bitcoin value increases.



Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 05, 2011, 06:52:28 AM
Quote
With that premise, that could very well be.

Quote from: amincd
Thanks for conceding that.
You're welcome  |-)

Quote
The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.

Quote from: amincd
But difficulty, and therefore cost of a double spend attack, is also proportional to bitcoin value, so the rise in the potential reward of a double spend attack, is canceled out by the rise in cost in pulling it off, as bitcoin value increases.
I don't agree, as the cost of pulling it off is proportional to transaction fee cost, which is much lower than transaction value.

Let's look at the current state of bitcoin:

Rewards are 50 (temporally minted) + 0.10 (fees) bitcoins per block.

Resulting hashrate is 11326 (paid by temporally minted) + 23.6 (paid by fees) Ghash / second.

If nothing were to change in the value of bitcoins or transaction fees, I'd eventually have to produce 23.6 Ghash / second for a successful attack. Which would cost me roughly 15 kW electricity (ca. 3$ per hour) and (very) roughly 1$ depreciation per hour of my hardware. Let's say it costs 5$ per hour all together.

I can then sustain an attack where I forge (double spend) say 100$ (which will not be conspicuous) for 20 hours (which should be more than enough to collect).


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 05, 2011, 08:20:16 AM
Quote
Quote from: amincd on Today at 06:27:12 am
Quote
The whole double-spending scenario is proportional to bitcoin value. If value were to go up orders of magnitude, the number of blocks needed to get your investment back goes down the same order of magnitude.

But difficulty, and therefore cost of a double spend attack, is also proportional to bitcoin value, so the rise in the potential reward of a double spend attack, is canceled out by the rise in cost in pulling it off, as bitcoin value increases.
I don't agree, as the cost of pulling it off is proportional to transaction fee cost, which is much lower than transaction value.

But the ratio of cost to transaction value stays the same regardless of what the value of bitcoin is, since the cost of pulling it off increases at the same rate as the transaction value does, as the value of bitcoin increases.

Quote
If nothing were to change in the value of bitcoins or transaction fees, I'd eventually have to produce 23.6 Ghash / second for a successful attack. Which would cost me roughly 15 kW electricity (ca. 3$ per hour) and (very) roughly 1$ depreciation per hour of my hardware. Let's say it costs 5$ per hour all together.

It would definitely be much easier to attack bitcoin if transaction volume doesn't increase by the time coin generation becomes negligible, but your calculation of cost doesn't take into account the large initial investment required to acquire a large amount of hashing power, which is not just purchasing the hardware, but getting the facility, putting in the man-hours to set it up, etc all of which have a huge fixed cost, and therefore the need to double spend for many blocks, to make back the cost of the investment.

Quote
I can then sustain an attack where I forge (double spend) say 100$ (which will not be conspicuous) for 20 hours (which should be more than enough to collect).

So after all that effort in getting 23 GH/s, you only make $2,000?




Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 05, 2011, 08:37:47 AM
Quote from: amincd
But the ratio of cost to transaction value stays the same regardless of what the value of bitcoin is, since the cost of pulling it off increases at the same rate as the transaction value does, as the value of bitcoin increases.
Don't know exactly what you mean here, maybe you are agreeing that all values are proportional to bitcoin value?

Quote from: amincd
Also, your claim seems to assume that all the transaction value in a block can be confiscated by the person doing the double spend attack, when in reality, the only thing they can steal is the money they transferred to others, by reversing those transactions, and NOT the entire transaction value.
No, in my example I used only one transaction of 100$, which would not be conspicuous. And it would probably not attract any attention if a few more of those transactions were slipped in.

Quote from: amincd
It would definitely be much easier to attack bitcoin if transaction volume doesn't increase by the time coin generation becomes negligible, but your calculation of cost doesn't take into account the long term investment required to acquire a large amount of hashing power, not just purchasing the hardware, but getting the facility, setting it up, etc all of which have a huge fixed cost, and therefore the need to double spend for many blocks, to make back the cost of the investment.
True, I did not take into account the initial acquisition value (which I would estimate at 10.000$ in the example above). I only took into account the depreciation of that hardware (and then added another $ per hour). I think that's not unreasonable and standard procedure in profit/loss calculations. The same trick could be pulled off multiple times with that very same hardware, or the hardware can be used for different purposes (e.g. video rendering) afterwards.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 05, 2011, 08:46:07 AM
Quote from: amincd
So after all that effort in getting 23 GH/s, you only make $2,000?
In the example I overestimated the cost, so there's a break-even when hashing for 20 hours at 5$ / hour and a 100$ scam. My point would be that it can be profitable to gain 51% of hashing power, and the problem of creating consensus as stated in Ben Laurie's paper is far from hypothetical.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 05, 2011, 08:47:04 AM
Quote from: Stevie
Don't know exactly what you mean here, maybe you are agreeing that all values are proportional to bitcoin value?

I'm disputing your claim that an attack becomes more attractive as the value of bitcoin increases. I'm pointing out the extra cost of the attack would cancel out the extra reward.

You did clarify later on that by 'valuable', you meant a more steady/dependable price, and not necessarily a higher market price, so I guess in light of this my response is not that applicable to your point, and we can move on..

Quote
True, I did not take into account the initial acquisition value (which I would estimate at 10.000$ in the example above). I only took into account the depreciation of that hardware (and then added another $ per hour). I think that's not unreasonable and standard procedure in profit/loss calculations. The same trick could be pulled off multiple times with that very same hardware, or the hardware can be used for different purposes (e.g. video rendering) afterwards.

I don't think the attack could be pulled off multiple times. Either the value of bitcoin would plummet, or the network hashrate would increase significantly to prevent future such attacks. The attack can't be a recurring source of income.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 05, 2011, 08:57:43 AM

Quote
True, I did not take into account the initial acquisition value (which I would estimate at 10.000$ in the example above). I only took into account the depreciation of that hardware (and then added another $ per hour). I think that's not unreasonable and standard procedure in profit/loss calculations. The same trick could be pulled off multiple times with that very same hardware, or the hardware can be used for different purposes (e.g. video rendering) afterwards.

Quote from: amincd
I don't think the attack could be pulled off multiple times. Either the value of bitcoin would plummet, or the network hashrate would increase significantly to prevent future such attacks. The attack can't be a recurring source of income.


Then who would be paying for that significantly increased network hashrate?

I do agree there's a risk that bitcoin value would plummet, therefore my premise 'a truly valuable bitcoin, with a value that can be depended on'. So either the example shows such a scheme would be profitable, or that bitcoin value can never be depended on.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: amincd on July 05, 2011, 09:20:05 AM
Quote from: Stevie
Then who would be paying for that significantly increased network hashrate?

Volunteers perhaps.

In any case, this is all such an extreme hypothetical, that it's not really worth exploring more IMO. We're debating how secure bitcoin will be in 20+ years IF the transaction volume is comparable to today's.

I think if we want to discuss it further, it would be best to do it by pm as this is somewhat off-topic.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: eugene2k on July 05, 2011, 01:32:30 PM
Quote from: amincd
which explains his view on why bitcoin is either not a decentralized system, or that if it is, how it could be a more efficient one.
Not being able to make up one's mind on what a certain subject is or isn't kinda hints at how much of an expert one is in that subject.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: BubbleBoy on July 06, 2011, 02:50:46 PM
The Bitcoin eligible voters are not "the majority of computing power in existence" because computing power is not a fungible, homogeneous substance. You can easily see a 10^4 performance ratio on specialized versus commodity hardware (ASIC vs CPU), so that the Bitcoin network becomes impervious to attack if it makes up only 0.01% of the "computing power of the world" as expressed in transistors*Hz. Rather, Bitcoin, like most other currencies in the world, is up against any adversary more financially powerful than its backers (the miners). So if you are willing to invest more than the compounded mining profit, you can take the majority vote and influence consensus, by expanding the computing power of the world in the form of efficient mining machines.

It's pretty clear that rewriting the history is not equivalent with stealing everybody's money, rather it means destroying the system and making the coins worthless, so the likely attackers will not be profit-motivated by any definition of profit expressed in bitcoins. We could talk about governments, banks, competing currencies, lulz etc. It's only a matter of speculation if an attacker likely to act in such a manner exists. Furthermore, as the network expands the window of opportunity closes to exclude small scale lulz-motivated attackers, and allow only governments or large corporations. The hashing power of the network already surpasses what could be accomplished by ~10 million commodity PCs, excluding even the largest botnets as worthy attackers.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 06, 2011, 04:59:22 PM
Quote from: BubbleBoy
It's pretty clear that rewriting the history is not equivalent with stealing everybody's money, rather it means destroying the system and making the coins worthless, so the likely attackers will not be profit-motivated by any definition of profit expressed in bitcoins.

There would be an incentive, by double-spending coins and making a profit that way, see example above.

Quote from: BubbleBoy
The hashing power of the network already surpasses what could be accomplished by ~10 million commodity PCs, excluding even the largest botnets as worthy attackers.

About 99.8% of the hashing power of the network is currently paid for by temporal rewards of 50 bitcoins per block.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: BubbleBoy on July 06, 2011, 06:34:05 PM
I was referring to the specific attack described in the paper, rewriting history from block one and assigning to yourself all bitcoins, which is clearly a stupid way to steal bitcoins - they instantly become worthless.
Regarding merely double spending your bitcoins that's even less of a concern: you still need to amass millions of dollars worth of hardware and millions of dollars worth of bitcoins - so that you can double spend them a few times and recover your hardware costs. It also means you need to find a trading partner willing to sell you millions of dollars worth of merchandise for bitcoins, and do so in an anonymous fashion preferably over the internet so as to not get caught. Good luck with that plan.

The temporary mining revenue of 50 BTC/block and later 25 or 12.5 BTC will be worth much more if the bitcoin network is regularly used for multi-million dollar transactions as opposed to buying a few grams of hash or an alpaca sock.

This is all reason why profit-oriented attackers are implausible, or at least their profit will be derived from the failure of bitcoins: speculators, governments, banks etc.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 06, 2011, 07:31:34 PM
Quote
I was referring to the specific attack described in the paper, rewriting history from block one and assigning to yourself all bitcoins, which is clearly a stupid way to steal bitcoins - they instantly become worthless.

I agree, that would be a stupid 'attack', at least not a very profitable one. In the paper it serves the purpose of proving that, even though not profitable, it is possible, and therefore undermining the principle of Bitcoin's block-chain as consensus. At least, as long as not 50% of total existing computer power is used 'in an honest way'.

Quote
Regarding merely double spending your bitcoins that's even less of a concern: you still need to amass millions of dollars worth of hardware and millions of dollars worth of bitcoins - so that you can double spend them a few times and recover your hardware costs. It also means you need to find a trading partner willing to sell you millions of dollars worth of merchandise for bitcoins, and do so in an anonymous fashion preferably over the internet so as to not get caught. Good luck with that plan.

The temporary mining revenue of 50 BTC/block and later 25 or 12.5 BTC will be worth much more if the bitcoin network is regularly used for multi-million dollar transactions as opposed to buying a few grams of hash or an alpaca sock.

This is all reason why profit-oriented attackers are implausible, or at least their profit will be derived from the failure of bitcoins: speculators, governments, banks etc.

Have a look at the example above, I projected current bitcoin statistics to the moment there's no coin generation anymore. I dare you (or anyone) to alter some input values, like bitcoin value, transaction value, whatever, and I'll try to show such a scheme is still lucrative.

One more question, what do you mean by: "as to not get caught"?


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: fm1234 on July 06, 2011, 07:52:41 PM
posted by misterbigg:
Quote
This article, thinly masquerading as a scholarly work, is full of crap. It is a clear example of what happens when a non-programmer, non-technical person combines a word processor with a PDF creation tool.

LOL (http://en.wikipedia.org/wiki/Ben_Laurie)

Much of what gets posted on this forum is a clear example of what happens when people assume they are right, and that anyone who contradicts them must be an ignorant savage.     


Frank


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: BubbleBoy on July 06, 2011, 10:15:48 PM
Quote
Have a look at the example above, I projected current bitcoin statistics to the moment there's no coin generation anymore. I dare you (or anyone) to alter some input values, like bitcoin value, transaction value, whatever, and I'll try to show such a scheme is still lucrative.

Firstly I don't find any relevance in speculating what will happen in a few decades from now. The block bonus will stay above 12.5 BTC for the next decade, and it's entirely possible that bitcoin will run its course during this decade and fail for unrelated reasons. This is the internet after all. I've expressed my doubts that the "mine for fee" model is sound from a game-theoretical perspective: it seems the users are incentivized to pay a fee as small as possible (maybe 1 satoshi) since there's no way miners can differentiate on the market.

For the purpose of our discussion, in the foreseeable future and without massive growth of the number of transactions, the main motivation of the miners is the block bonus. At current prices the block bonus is over 500$/block and all other things equal it should maintain that $ value even if it drops to 12.5BTC: the miners that don't hoard are the main source of liquidity and if they inject less BTC the price will rise proportionally. So in order to rent 50% of the network you need to pay at least 1500$/h

Secondly, you assume you will be able to amass this hashing power surreptitiously and use it repeatedly without being detected. That's not realistic. Honest miners are unlikely to rent you the hashpower since it's obvious why you needed it. Furthermore, if the average player is small, you will incur a high price in contacting many of them, and you will need to pay way above market rates to attract them. You will need to advertise and attract further suspicion upon yourself. It seems highly unlikely that your criminal endeavor would reach the same economy of scale and efficiency the open network has. You will either build your own hardware, a capital intensive task, or buy it off the black market at very high prices in order to maintain discretion, from a handful of players (Large conspiracies inevitably fail). An hour of 50% hashpower will then cost maybe 150.000$, not 1500$

Assuming you finally get to 50%, using it for a whole day will quickly attract the suspicion of the community. It's not reasonable to expect to use it more than a few times without crashing the bitcoin price and halting most bitcoin trades. You can't double spend a few bitcoins many times, you need to double spend many bitcoins a few times in order to recover your fixed costs, and before your attack tanks the exchange rate due to panic.

Quote
One more question, what do you mean by: "as to not get caught"?

Assuming you manage to do all of the above and successfully double spend 1 million $ in BTC, the fraud becomes apparent quickly. If you buy a large house you will get caught and be indicted, I have no doubt about that. You need to launder the money quickly and maintain anonymity to pull a double spend. I believe it's much more effective to simply short the market and attack the network directly, assuming you have 50% hash rate (borrow BTC and sell out, then buy back in at pennies, no need to be anonymous, just make sure the attack can't be traced back to you).


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 07, 2011, 09:16:10 AM
Quote
Firstly I don't find any relevance in speculating what will happen in a few decades from now. The block bonus will stay above 12.5 BTC for the next decade, and it's entirely possible that bitcoin will run its course during this decade and fail for unrelated reasons. This is the internet after all. I've expressed my doubts that the "mine for fee" model is sound from a game-theoretical perspective: it seems the users are incentivized to pay a fee as small as possible (maybe 1 satoshi) since there's no way miners can differentiate on the market.

Then we have a Bitcoin that will work (or not due to other reasons) for the next decade. I wouldn't be satisfied with that and I think as soon as people realize that Bitcoin is not 'for ever', they will not accept it for one decade either.

Quote
For the purpose of our discussion, in the foreseeable future and without massive growth of the number of transactions, the main motivation of the miners is the block bonus. At current prices the block bonus is over 500$/block and all other things equal it should maintain that $ value even if it drops to 12.5BTC: the miners that don't hoard are the main source of liquidity and if they inject less BTC the price will rise proportionally. So in order to rent 50% of the network you need to pay at least 1500$/h

If all other things equal, block bonus will be about 12.6 (0.1 fees) * 15$ (current rate) = 189$ per block after the next decade. And if all things equal, it will be 0.1 (fees) * 15$ = 1.5$ per block in normal Bitcoin operation, after the coin generation phase.

Quote
Secondly, you assume you will be able to amass this hashing power surreptitiously and use it repeatedly without being detected. That's not realistic. Honest miners are unlikely to rent you the hashpower since it's obvious why you needed it. Furthermore, if the average player is small, you will incur a high price in contacting many of them, and you will need to pay way above market rates to attract them. You will need to advertise and attract further suspicion upon yourself. It seems highly unlikely that your criminal endeavor would reach the same economy of scale and efficiency the open network has. You will either build your own hardware, a capital intensive task, or buy it off the black market at very high prices in order to maintain discretion, from a handful of players (Large conspiracies inevitably fail). An hour of 50% hashpower will then cost maybe 150.000$, not 1500$

Assuming you finally get to 50%, using it for a whole day will quickly attract the suspicion of the community. It's not reasonable to expect to use it more than a few times without crashing the bitcoin price and halting most bitcoin trades. You can't double spend a few bitcoins many times, you need to double spend many bitcoins a few times in order to recover your fixed costs, and before your attack tanks the exchange rate due to panic.

If Bitcoin would be well accepted and a solid economy would depend on it, frauding a few Bitcoins wouldn't stop that. Either there's not going to be a solid Bitcoin economy or it will be feasible to double-spend some coins often enough to get one's investment back (and more).

Quote
One more question, what do you mean by: "as to not get caught"?

Quote
Assuming you manage to do all of the above and successfully double spend 1 million $ in BTC, the fraud becomes apparent quickly. If you buy a large house you will get caught and be indicted, I have no doubt about that. You need to launder the money quickly and maintain anonymity to pull a double spend. I believe it's much more effective to simply short the market and attack the network directly, assuming you have 50% hash rate (borrow BTC and sell out, then buy back in at pennies, no need to be anonymous, just make sure the attack can't be traced back to you).

I don't see the need to do so secretly, isn't Bitcoin supposed to be 'not backed by law or government'? I'd not be committing fraud, I'd just be playing by the rules of the game!


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: BubbleBoy on July 07, 2011, 11:45:22 AM
The 10 year timespan is reasonable because the coins don't become worthless after 10 years (at 6.25BTC/block), just twice more prone to a theoretical attack that is still very hard to pull off. There's plenty of time to fix the system and change the block rules for example to impose a minimal fee, thus making the "mine for fee model" sustainable.

Maintaining that bitcoins will be worth still 15$ in 6 years time (when the bonus drops to 12.5) is not actually "keeping all other things equal". It implies a major source of liquidity on the market in order to displace those miners that are currently cashing out. So I think a revenue lower bound of 1500$/hour is highly probable for the mining revenue in the next 10 years. On the other hand most of the buyers are currently motivated by hype and speculative mania, and they will be long gone if the price stays rock solid for years. This is why extrapolations for the next decades are useless, the pyramid monetary scheme will long destroy it before double spend becomes a major threat.

Quote
If Bitcoin would be well accepted and a solid economy would depend on it, frauding a few Bitcoins wouldn't stop that

Frauding a few bitcoins, once discovered, is irrefutable evidence that someone has gained ownership of the 50% hashrate underpinning the security of the system. Since that someone can launch a devastating attack at any moment, aimed not at double spending but at disruption, and the same someone can rewrite history to assign ownership of all coins to himself, informationally efficient markets will drive the price very low to counteract that possibility.

Quote
I don't see the need to do so secretly, isn't Bitcoin supposed to be 'not backed by law or government'?

That does not mean your trades are not subject to the law of the country where they are performed. Since bitcoins have a fair market value they are taxable and fraud will attract criminal responsibility. People have been indicted for stealing WoW gold. If you barter for a house with bitcoins and fail to deliver them the contract is void, and if you do it with intent you are committing fraud. Intent can easily be proven with your ECDSA signature on two transactions with the same source.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Stevie1024 on July 07, 2011, 01:20:21 PM
Quote
The 10 year timespan is reasonable because the coins don't become worthless after 10 years (at 6.25BTC/block), just twice more prone to a theoretical attack that is still very hard to pull off. There's plenty of time to fix the system and change the block rules for example to impose a minimal fee, thus making the "mine for fee model" sustainable.

Maintaining that bitcoins will be worth still 15$ in 6 years time (when the bonus drops to 12.5) is not actually "keeping all other things equal". It implies a major source of liquidity on the market in order to displace those miners that are currently cashing out. So I think a revenue lower bound of 1500$/hour is highly probable for the mining revenue in the next 10 years. On the other hand most of the buyers are currently motivated by hype and speculative mania, and they will be long gone if the price stays rock solid for years. This is why extrapolations for the next decades are useless, the pyramid monetary scheme will long destroy it before double spend becomes a major threat.

Quote
If Bitcoin would be well accepted and a solid economy would depend on it, frauding a few Bitcoins wouldn't stop that

Frauding a few bitcoins, once discovered, is irrefutable evidence that someone has gained ownership of the 50% hashrate underpinning the security of the system. Since that someone can launch a devastating attack at any moment, aimed not at double spending but at disruption, and the same someone can rewrite history to assign ownership of all coins to himself, informationally efficient markets will drive the price very low to counteract that possibility.

Quote
I don't see the need to do so secretly, isn't Bitcoin supposed to be 'not backed by law or government'?

That does not mean your trades are not subject to the law of the country where they are performed. Since bitcoins have a fair market value they are taxable and fraud will attract criminal responsibility. People have been indicted for stealing WoW gold. If you barter for a house with bitcoins and fail to deliver them the contract is void, and if you do it with intent you are committing fraud. Intent can easily be proven with your ECDSA signature on two transactions with the same source.

Yup, you're right, I (or someone else) might have to do so secretly. I don't agree the 10 year timespan is reasonable, but I'm sure we'd never come to an agreement on that. I'm signing out (http://forum.bitcoin.org/index.php?topic=26738.0), this is my last post in this thread.


Title: Re: My Response to Ben Laurie’s ‘Last Word’ on Bitcoin
Post by: Vladimir on July 17, 2011, 02:07:27 PM
wow! I found out about this paper quite late... It was forwarded to me by a friend...

This is basically my response to that friend to which I arrived rather hastily and independently i.e. before reading this thread or any comments on the article.

For whatever it's worth.


"

Interesting, I had a quick read. He may be a smart and credible guy,
but he does not get it, IMO.

His points on snapshots are rather irrelevant so I'll ignore it.

Then, first of all, he is trying to solve a non-problem and fails to
see that issue he is trying to solve is not a bug but a feature.

There is no problem with energy consumption, it is a very low price to
pay for getting rid of all the middlemen leeching a few percent from
every money transfer. Moreover, energy spent by miners on securing the
block chain is rather negligible in comparison to energy spent on other
ways to do money, when you consider, for example, energy required to
haul all the cash and gold in armoured trucks, smelting gold bullions,
coining coins, smelting metal for the bank vaults and so on...

Second of all, his "efficient solution" is very weak. Essentially, he
is proposing to replace voting weighted by pure computational power
(surely not very energy efficient way) to voting weighted by a number
of clients plugged into the network, without proposing any viable way
(since it is impossible) to ensure that this number of clients is not
faked. Therefore, he is effectively shifting proof-of-work concept
from doing lots of sha-256 calculations to opening lots of ports on
lots of IP's simultaneously. This could solve a problem of quick
propagations and wide distribution of information, but surely not a
problem of "double spending". Total epic fail!

He also has completely missed economic part of the system where
initial bitcoin inflation serves the purpose of subsidy to enable
quick growth of the network and making it secure from 50% attacks.

Busted... And bitcoin heavy hitters did not get to this yet, it is just me.


"

Did I get something badly wrong there?