|
I see multiple issues with the scenario in the OP.
1. You say that $100B will be spent on mining by retailers, and assume this must take the form of owning mining hardware themselves to the exclusion of freelance miners. But it seems they can just as easily sponsor it in other ways, such as assurance contracts payable to miners or paying PPS pools directly. The people actually doing the hashing could still be freelancers, some of them at least.
2. "They want their customers' transactions processed quickly" - I don't find this likely. Walmart isn't going to wait 10 minutes (actually much more, see below) to accept payment from a customer. They'll accept 0-confirm txs, and rightfully so - 99.99% of their customers won't double-spend. So the confirmations really only affect their ability to use these funds further. The idea that they will pay 5% of their revenue to get the funds maybe an hour earlier is ludicrous - that's a 188-digit APR (better than Pirate!)
Also, I don't think most Bitcoin payments will take the form of transactions. There will be intermediary services with various trust requirements (Bitcoin's powerful scripting allows for some options with little trust). So the customers should be able to do instant irreversible payments without needing confirmations for the payment.
3. There will be people sending transactions which the retailers don't care about, and they will pay fees to get them included. Depending on the retailer's policy on accepting transactions for their fee, this could leave some revenue to sponsor freelance mining.
4. You speak of this as a scenario in which Bitcoin is successful. I don't. If mining is dominated by big retailers who only care about their own transactions then Bitcoin can hardly be thought of as decentralized, which defeats the purpose. (The incentive structure which makes it feasible to do freelance mining if one so chooses is more important than how many different groups end up actually doing it. Which is also important, of course.)
5. You present a false dichotomy between "not use Bitcoin" and "pay as much as Bitcoin saves them on mining". Even as a "first order estimate" it fails to take into account that the retailer will only spend money on this if the situation with the spending is sufficiently better than the situation without the spending. If the Bitcoin network functions properly transactions will be included eventually even with a modest fee. The retailer doesn't have that much to gain by adding its own hashpower to the mix. How this plays out exactly depends on the details of the scenario. In a scenario where so few miners would include the transactions to Walmart that it has something to gain by hashing for it, it means that even with its hashing it will be included only in a fraction of the blocks, so the confirmations would still take much more than 10 minutes.
6. Bitcoin would need to be extremely "widespread and ubiquitous" for Walmart to even consider mining or sponsoring it. Maybe it will happen but it will be a long, long time in the future.
Anyway, I guess I agree with the main point - mining is currently a speculative investment, and as Bitcoin catches on it will become less speculative, and correspondingly less potentially profitable.
|
|
|
|
I may be wrong, but i think that the best solution would be to implement @kjj's idea with difficulty automatically increasing exponentially if block chain fork is longer than Y blocks.
This is still pure Proof Of Work, not really cementing. It would simply require much more than 51% to fork blockchain after Y number of blocks.
It's soft cementing (wet cement?). It probably has some advantages over hard cementing, but essentially it has the same tradeoffs. |
|
|
|
I though you meant the act of physically excreting excrement all over mt gox. I was like? What the hell? Doesn't everyone?
It was an intended pun. In my opinion, there are MILLIONS of dollars out there that would eagerly wait on the sidelines to scoop up a good deal on BTC, but whose owners wouldn't trust leaving them in an exchange to wait for somebody's dump to happen. We look at the bids on the MtGox orderbook and pretend this is the true world demand for bitcoins. LOL is what I think, hence why I am buying up coins.
Those millions of dollars can and will enter the bitcoin economy if people could do their dumps directly to the people waiting to buy them.
I'm not convinced. Even if some of the demand is latent, there's still a lot of depth. Selling 500 BTC would cause about 0.4% slippage, which is not as bad as the trouble of finding OTC buyers. Exchanges exist for a reason and that reason isn't going away any time soon. |
|
|
|
Be sure to have it recorded.
I will if the facilities have recording equipment ... but it will be in Hebrew, so I'm not sure how good it would do you guys  About that - I think it might be worth it to do the talks in English, precisely for the recording to be more broadly usable. What's the expected length of your talk ?
30 minutes. |
|
|
|
The blockchain is stored in the data directory, which can be configured with the datadir parameter. For example: "C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe" -datadir="E:\Data\Bitcoin"
Note that the wallet file is also stored in the data directory. Symlinks may also be of use to you. so that command will change the database to sit on the E: drive? If you run Bitcoin with this command (as opposed to running it without this parameter), it will look for the database in the E:\Data\Bitcoin directory, and as necessary download it to that directory. How you use it exactly depends on your exact setup, but assuming you have a Windows machine and a shortcut that points to "C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe", and you want the database to reside in E:\Data\Bitcoin (or any other directory), you should: 1. Move your already existing database to E:\Data\Bitcoin. 2. Change the shortcut to point to "C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe" -datadir="E:\Data\Bitcoin". |
|
|
|
The blockchain is stored in the data directory, which can be configured with the datadir parameter. For example: "C:\Program Files (x86)\Bitcoin\bitcoin-qt.exe" -datadir="E:\Data\Bitcoin"
Note that the wallet file is also stored in the data directory. Symlinks may also be of use to you. |
|
|
|
2. Make sure that replied-to threads are automatically added to watchlist (I think this is the default but doesn't hurt to check).
It wasn't the default, but I just changed that. Cool. |
|
|
|
Erm, don't take this the wrong way, but this seems like a strawman to me. If an attacker has you isolated, they can already feed you bogus blocks, and there isn't a damn thing you can do about it. In a parity proof-of-work system, when the isolation is broken, your node will resync with the rest of the world. But the damage (to you) has already been done, it was done when you accepted blocks that you thought were current, but really weren't. Throwing them out and loading the correct blocks doesn't fix anything, and might actually make it harder for you to realize what happened.
This is the trade in reality.
You get: your node can fix itself when reconnected to the global network.
You pay: The entire global network is vulnerable to hidden chains, whatever damage you suffered while disconnected is unchanged, you don't necessarily know that you were attacked.
Seems like a terrible trade to me.
Maybe. I think the ability to recover is important, both practically and for the theoretical "correctness" of the system. The best part of my proposal is that it doesn't change the network rules at all. It is still pure proof of work. The only change is that the burden of proof for a reorganization is higher than it is now, and it scales with the amount of danger than such a reorganization represents. I used "Pure PoW" in the narrower sense of sticking to the longest branch (which depends only on the current observed data and not the history of receiving it). Take a look at Table 2 in Meni's paper: "The maximal safe transaction value, in BTC, as a function of the attacker's hashrate
q and the number of con�firmations n."
Lets go with a 33% hashpower attacker, at 6 confirmations you can assume any transaction up to about 300 bitcoins is safe.
(disclaimer: I haven't taken the time to digest Meni's analysis, I'm going to assume his numbers are correct).
Thank you for this. I would however like to emphasize that table 2 is probably the least reliable item in the paper, it assumes a specific model for an attack which is likely to diverge significantly from reality. (And doesn't even follow the math of that model to the end because of the complexity of the calculations.) So while I encourage y'all to keep thinking about it as an interesting theoretical problem, it is only slightly higher on my personal priority list than worrying about quantum computers breaking ECDSA.
I see what you're saying. When you say it's only slightly higher than breaking ECDSA, you mean that THIS PROBLEM IS SO EXTREME AND URGENT THAT WE NEED TO FREAK OUT ABOUT IT RIGHT NOW! No? Ok. |
|
|
|
I more-or-less agree with with the rest of your post, this is the part i have doubts about: Suppose you're a new node joining the network. Of course you are not cemented on anything. You see some nodes broadcasting a short chain and some an incompatible, longer chain. Who do you believe? If you default to the longer chain, you could fall right into the majority attacker's net. If you use something else you make it easier to carry out an attack without majority hashrate.
How is this different when using cementing ? I mean clients already take longest chain when offered multiple chains or different length. No change here. (Unless you were talking about the majority rule, not cementing itself) Without cementing, new nodes use the longest branch, as do all other nodes. In case there's a majority attacker, he can make attacks but at least the nodes are consistent with each other. With cementing, if a certain attack is executed, new nodes will be detached from the rest of the network (e.g., the veteran network is cemented on a shorter branch, but the new node will join the attacker's longer branch). At the very least it shows that cementing doesn't make the network (where "the network" includes the ability of nodes to join it) immune to such attacks. |
|
|
|
. . . So the only time a block reorg longer than 10 blocks will ever happen is because an advanced double spending attack.
Logically, implementing cementing after Y blocks (where Y = relatively big number, like 15, 20 or 50) should be an absolutely viable solution to our problems . . .
Doesn't this already occur on an ad-hoc basis when new versions of the client are released through the process of creating a "checkpoint"? Yes, but checkpoints are much more infrequent, and require upgrading the client. How exactly ?
By running multiple nodes spanned over various IP addresses, of course. Yes, but in no way will this be easy to do. It would require simultaneously VERY significant resources in multiple countries around the world AND >51% Hashing power, AND few million $ to buy Bitcoins to perform an attack. Which makes it infeasible for almost every possible adversary on the planet. Attack like this would be almost impossible to do, even for government of a very rich country (we all know what country I am talking about). If the IP vote overrides the longer chain, it is not clear you still need majority hashrate. You can use your IPs to vote on your minority branch. How this works exactly will depend on the specific implementation and attack. Also, the cost is additive. You'll need the cost of multiple IPs + cost of hashpower + cost of bitcoins. Tripling the resource cost isn't so impressive if the attacker might have a thousand-to-one resource advantage. So the only time a block reorg longer than 10 blocks will ever happen is because an advanced double spending attack.
Logically, implementing cementing after Y blocks (where Y = relatively big number, like 15, 20 or 50) should be an absolutely viable solution to our problems.
Unless there are other drawbacks, not mentioned in this discussion.
Suppose you're a new node joining the network. Of course you are not cemented on anything. You see some nodes broadcasting a short chain and some an incompatible, longer chain. Who do you believe? If you default to the longer chain, you could fall right into the majority attacker's net. If you use something else you make it easier to carry out an attack without majority hashrate. In this way the attacker can prevent new nodes from joining reliably. Not "some poor victim somewhere will be attacked". Nobody can join the network. Unless, of course, we spend some time thinking about a framework for higher-level overriding. And I will repeat myself and say there are two primary attacks with majority hashrate - double-spending and rejection. Cementing helps with one. What about the other? I surely could use @Gavin's opinion here.
I agree, when we do start seriously thinking about this, we will need more knowledgeable people to take part. |
|
|
|
How exactly ?
By running multiple nodes spanned over various IP addresses, of course. Also, if we implement cementing after Y confirmations as a quick fix and set Y to something relatively high (like 20), shouldn't everybody be safe this way ?
Maybe. Let's put it this way - cementing is simple and obvious, if it was that great Satoshi would have implemented it from the start. So we shouldn't do any "quick fix" without a solid understanding of the reasons for the decision and a thorough analysis of the dynamics of the new system. I mean, were there ever blocks reorgs longer than 10 blocks ? Do they even occur naturally?
AFAIK no, and depends on the definition of "naturally" but essentially no. What is a network fork Meni?
A network fork is when one client thinks some block is valid and another client thinks it is invalid. Short-term forks are normal but longer-term ones are effectively splitting the original network into two (or more) separate networks. What if 75% of the clients make a choice? Could be a network fork?
Yes, then 75% of the clients will be on one network and the other 25% will be in a separate, incompatible network (assuming there was in fact a reorg that required making a choice). In fact those that chose cementing may be further divided between them based on what they observed during various reorgs. However, if the 75% is by hashrate, then those clients will eventually build a longer chain, which the non-cementers will switch to, with a massive disruptive reorg. Which will happen again every time there is such a fork. I think at it like this: every individual client/member can go in automatic only if less than 6 block re-orgs happen, and ask for user intervention if something bigger happens? It could present some evidence about it's "confusion" to help the user decide (re-org size, double spends, transaction quantity, blocks from known pools, etc).
If the user makes a choice then the clients will fork based on what their users choose (unless, of course, for some reason all users' choices lead to the same results). What does you mathematics tell you about this?
Not sure if serious. |
|
|
|
This is just a form of cementing. The obvious hurdle is that different nodes see things at different times and thus this is not a signal that will converge to universal agreement (unlike vanilla longest-branch). More concretely, a node could be stuck on the wrong version. This can be used only if there is a higher-level signal that can override the cementing. (Currently it's hardcoded checkpoints, but they're too infrequent to be practical).
What if overriding cementing would require some kind of majority vote ? So every time a client receives a new/alternate chain, which overrides something already cemented, it also checks if majority of the network agrees with this ? This could be done by connecting to let's say... 128 randomly selected peers but limited to single node per 65536 IP block (X.X.*.*). Do I make any sense, or is this a stupid idea ? It's not very robust. Even with the IP range restriction it should be easy for an attacker to game this. Proof of Stake is exactly an attempt to do a majority vote based on the harder-to-fake ownership of coins. It may or may not have a place in the hierarchy. So the question we must ask ourselves is: what is more important - (1) protecting the entire network against powerful adversaries, or (2) protecting single (<1%) stranded clients gone wild because of either an attack, or local network malfunction ?
For me, the answer will be always (1).
I can see the marketing copy - "With Bitcoin, you are in full control of your money, and payments cannot be reversed! Unless you're one of the 1% whom we don't care about, and then payments to you could be completely bogus." Seriously though, I don't disagree but moving away from pure PoW is a fundamental design change and we need to consider it carefully to keep disruption and unwanted side-effects at an absolute minimum. If nodes aren't safe when participating in the network then the network is meaningless. And as mentioned, if we consider majority attack to be plausible we need to protect against rejection attacks, not just double-spending. It is likely this will never be economically viable.
I am not exactly taking economic viability into equation. I am saying that some entity may execute such attack even if it is totally not economically viable.Why? See my post above for various motivations. They are all "economic" with sufficiently broad usage of the term, but not in the most direct sense. Edit: I would love to have an option in the Satoshi client that gives me the choice to accept or deny any re-org bigger than 6 confirmations. Having the feature and educating people about it would render an attack like that pretty useless.
This isn't a client-level choice, it's a network fork. |
|
|
|
Then i will expand my thought experiment. Let's say that Bitcoin network has grown, and people use it to trade 100.000.000$ worth of goods & currencies weekly.
1. A powerful adversary spends 50.000.000$ to buy 1.000.000 Bitcoins from MTGOX
2. He builds his alternate double - spending chain for a week, while in the meantime, people buy 100.000.000$ worth of goods & currencies using Bitcoin
3. After a week, adversary introduces his chain fork which double-spends his 1.000.000BTC to his address
4. At least 100.000.000$ worth of currencies & goods that were bought through the week are lost
5. This causes major havoc in the Bitcoin world, people's trust in the currency is seriously undermined.
6. ?? ??
7. PROFIT !
So how do we avoid this ?
If even I have produced this scenario, it is reasonable to think that powerful adversaries may already be working on it.
Also, another logical conclusion of mine is that all alt-currencies like Litecoin are useless, because attack like above can be arranged with ease using little hashing power.
There is no step 7. This attack is non-economic, meaning that the attacker has to be willing to burn a lot of wealth to do the attack. This alone severely limits the categories of potential attackers, but it is not unreasonable to think that such an attacker might show up some day, so it deserves some attention. The incentives to carry out the attack are well documented. 1. Someone could take a large short position on Bitcoin, carry out the attack, and profit from the panic selling. 2. Banks and similar organizations can do it to maintain their monopoly. 3. Governments could do it for fear of illegitimate uses of Bitcoin. To counter this, I proposed an exponential difficulty ramp for reorganizations. Reorgs of up to X blocks (6 might be a good value for X) happen normally, with the longer chain winning. Reorgs beyond X blocks require Y(B-X) more difficulty in the new chain than the old chain, where B is the number of blocks to be thrown out. Y could be pretty small and still give good safety, maybe 1.1 or 1.05. For example, for X=6 and Y=1.05, reversing 100 blocks would need ~50 times the total network power, not half. And replacing 144 blocks (1 day) would require ~400 times the network power. Recipients of large transactions would be able to decide on their own how long they needed to wait to meet their own safety requirements. Selling a billion dollar widget? Wait a week, and then the attacker would need 1*1021 times the total network hashing power to unbury it.
This is just a form of cementing. The obvious hurdle is that different nodes see things at different times and thus this is not a signal that will converge to universal agreement (unlike vanilla longest-branch). More concretely, a node could be stuck on the wrong version. This can be used only if there is a higher-level signal that can override the cementing. (Currently it's hardcoded checkpoints, but they're too infrequent to be practical). Also, in itself it is useless against attacking by rejecting all other blocks and excluding all transactions. What I think really saves us from this scenario is that hashing capacity of sufficient power for the attack does not currently exist in the world, in a readily available form. There just aren't enough physical Radeon's in the world, in purchasable form, for someone to gather them easily or quickly, even with a huge budget. The attacker's best bet would be to spend about a year developing an ASIC, but that attack window is not going to stay open much longer.
Since we're talking about governments and such, they can surely fund the development of ASICs more efficient than those available on the market, followed by mass production, in a quantity that takes into account from the start how the market will look like 1-2 years in the future. |
|
|
|
a) What happens to all the transactions from the original chain that happened after the 1.000.000 BTC transaction ? Are they all erased from existence ?
All these transactions will become invalid and will remain so forever (assuming everyone now builds on the attacker's branch and nobody replaces it with yet another one). It's actually worse than what you described because transactions can have multiple inputs. The attacker will get his 1M back, and also all coins which trace back to the original double-spent transaction (which can be much more than 1M, even all coins in existence) will be shuffled around. Then i will expand my thought experiment. Let's say that Bitcoin network has grown, and people use it to trade 100.000.000$ worth of goods & currencies weekly. 1. A powerful adversary spends 50.000.000$ to buy 1.000.000 Bitcoins from MTGOX 2. He builds his alternate double - spending chain for a week, while in the meantime, people buy 100.000.000$ worth of goods & currencies using Bitcoin 3. After a week, adversary introduces his chain fork which double-spends his 1.000.000 BTC to his address 4. At least 100.000.000$ worth of currencies & goods that were bought through the week are lost 5. This causes major havoc in the Bitcoin world, people's trust in the currency is seriously undermined. 6. ?? ?? 7. PROFIT ! So how do we avoid this ? If even I have produced this scenario, it is reasonable to think that powerful adversaries may already be working on it. It is well known that if someone has sustained majority hashrate and wishes to use it to damage Bitcoin, it is bad. So the options are: 1. Hope no entity wishing to destroy Bitcoin will obtain majority hashrate. 2. Adopt a more comprehensive branch selection solution which is harder to attack. #2 would probably take the form of a hierarchy of various levels of synchronization signals, each of which can be cemented but overridden by the next, slower level. I imagine one of the top levels will be broadcasting a "block hash of the week" all over the internet and via TV, radio, newspaper, billboards etc. This way, if someone gets stuck on the wrong version, he will notice. To protect against excluding all transactions, a DAG structure may have to be adopted. Also, another logical conclusion of mine is that all alt-currencies like Litecoin are useless, because attack like above can be arranged with ease using little hashing power.
The incentive to attack them is correspondingly small, however. This of course does not apply to MM alts; also, even with Litecoin it did not have a serious attack yet (that I know of), and hypothetically it could one day surpass Bitcoin in total compute power. c) Will the original chain be erased from every client's database instantly the moment when a longer valid chain is supplied, or is there some other mechanism at work here ?
See a, the client keeps forks, however this might change when pruning enters the picture. Ok, so my logical conclusion is that pruning cannot be implemented, until we solve this problem once and for all. Depends on the kind of pruning. Also, even with pruning implemented there are still expected to be archive nodes. |
|
|
|
a) What happens to all the transactions from the original chain that happened after the 1.000.000 BTC transaction ? Are they all erased from existence ?
All these transactions will become invalid and will remain so forever (assuming everyone now builds on the attacker's branch and nobody replaces it with yet another one). It's actually worse than what you described because transactions can have multiple inputs. The attacker will get his 1M back, and also all coins which trace back to the original double-spent transaction (which can be much more than 1M, even all coins in existence) will be shuffled around. However, AFAIK the transactions aren't literally erased. The current client version at least keeps blocks which are not part of the main chain, it just doesn't do anything with them. b) What happens if the alternate chain completely drops many other (unrelated) transactions that were previously accepted into blocks and received from 1 to 100 confirmations ? Are these transactions completely lost (I) ? Or perhaps only confirmations are lost, and the transactions are unconfirmed (II) ?
I think that if a block is invalidated, all transactions in it which are not double-spent go back to the memory pool and can be included in the next block. Even if not, the client that originally sent the transaction still has it and can rebroadcast it, it is still just as valid. c) Will the original chain be erased from every client's database instantly the moment when a longer valid chain is supplied, or is there some other mechanism at work here ?
See a, the client keeps forks, however this might change when pruning enters the picture. |
|
|
|
|
The number of unclaimed bonds is down to 186.
Some bondholders haven't responded with a payment address despite two email messages sent starting a week ago. I will wait until the beginning of next week before I split these bonds between SIAI, Bitcoin100 and the Bitcoin foundation, and proceed with regular coupon payments.
Since these bondholders have filed a claim with neither me nor GLBSE in almost 3 months, there is no other data about them other than the email addresses I received, and it is unlikely they will respond after not having done so for a week and a half, I think that's the most reasonable option.
|
|
|
|
|
Why do you think an attacker is more likely to make multiple spends from the same address than a legitimate customer?
An attacker trying to double-spend 0-confirm will likely use a Finney attack. He may do it with several merchants at once but it will likely be from a different sending address per merchant.
The traditional method (which I think is not yet completely implemented) is to wait a few seconds and check that none of your peers knows of a conflicting transaction, and hope the attacker won't do Finney. This is more than fine for buying coffee; for buying a car, not so much.
|
|
|
|
|
Show Posts
