Topic: Funding network security in the future
Mike Hearn
November 05, 2014, 01:28:17 PM
 #61

I didn't notice this thread was resurrected.

Miners who want to complete an assurance contract with their own funds can only reliably do that if they keep their own pledge private. But then they're not getting all the money for the mining, they only get 10 BTC instead of the 50 BTC others are targeting or whatever. So they can't hash as fast, because they have less money to do it, so they're less likely to find a block and those other pledges they were trying to claim for themselves end up being taken by other miners. They end up with nothing.

Still, if it doesn't work out like that, there are other ways to set things up as pointed out up thread: you can delay the ability to claim the raised funds by a number of blocks using a kind of height-relative lock time and then you can't keep pledges private any more or control who gets to claim them. I would worry more about the nature of trying to raise funds for a continuous good - I'm not aware of any other examples of assurance contracts being used in such a way, and that feels like a more fundamental open problem than people playing games with the protocol.

Anyway, by the time this is a real issue, perhaps nobody will care about PoW based block chains. I'd be disappointed if this was the last idea humanity ever had for solutions to the byzantine generals problem.  So it's fun to speculate about but I'm in Gavin's camp - when the time comes to jump this hurdle, people will find a way.
go1111111
November 07, 2014, 06:31:25 AM
 #62

Similarly, if in the distant future some sidechain has 10x the funds going into mining than the Bitcoin mainchain, paranoid entities are likely to strongly prefer holding their funds in that chain, even at the cost of some dilution to their holdings (as long as the dilution is minimal enough - obviously there's a gradient).

If the security in the main chain is much weaker than on the sidechain, 51% attackers on the main chain can steal "frozen" coins, causing even more dilution on the sidechain whenever they do so. So people would want the main chain to be roughly as secure as the sidechain.
odolvlobo
November 12, 2014, 01:17:20 AM
 #63

Quote from: Mike Hearn
...
Anyway, by the time this is a real issue, perhaps nobody will care about PoW based block chains. I'd be disappointed if this was the last idea humanity ever had for solutions to the byzantine generals problem.  So it's fun to speculate about but I'm in Gavin's camp - when the time comes to jump this hurdle, people will find a way.

Please correct me if I'm wrong, but isn't this an issue right now? Assuming that mining is profitable (i.e. mining revenue is greater than cost), a 51% attack would essentially cost nothing because the attacker would receive all the mining revenue (which exceeds his cost because we assume that mining is profitable). This is independent of subsidy in relation to transaction fees.


Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
instagibbs
November 12, 2014, 04:10:01 AM
 #64

Quote from: odolvlobo
Please correct me if I'm wrong, but isn't this an issue right now? Assuming that mining is profitable (i.e. mining revenue is greater than cost), a 51% attack would essentially cost nothing because the attacker would receive all the mining revenue (which exceeds his cost because we assume that mining is profitable). This is independent of subsidy in relation to transaction fees.

51% attacks will always be a problem for consensus systems of any sort.
Gavin Andresen
Chief Scientist
November 12, 2014, 06:34:36 PM
 #65

Quote from: odolvlobo
Please correct me if I'm wrong, but isn't this an issue right now? Assuming that mining is profitable (i.e. mining revenue is greater than cost), a 51% attack would essentially cost nothing because the attacker would receive all the mining revenue (which exceeds his cost because we assume that mining is profitable). This is independent of subsidy in relation to transaction fees.

You are wrong.

Example that should make it clear:

Honest miner with 50% hash power:  will mine 6 blocks every two hours (on average). Rest of the network will mine the other 6 blocks.

Attacking miner with 50% hash power: will mine 6 blocks every four hours (on average), because they refuse to build on anybody else's blocks.

Result: if the attacker is the longest chain, they'll get half as many BTC as honest mining (if they are unlucky and are not the longest chain, they'll get zero).

If they could keep up the attack for a full month until difficulty adjusts then they'll start making what they would have been making if they were honest.

How often do you get the chance to work on a potentially world-changing project?
go1111111
November 12, 2014, 09:49:35 PM
 #66

Quote from: Gavin Andresen
Attacking miner with 50% hash power: will mine 6 blocks every four hours (on average), because they refuse to build on anybody else's blocks.

If the attacker had 51% of the hash power, they could get 100% of the mining rewards though right? Because whenever anyone else mined a block, the attacker can always overtake that chain with one in which they mine every block.

odolvlobo seems to be asking about a strange sort of 51% attack. The typical kind that gets talked about is that you have some pre-existing coins and you use your large hashrate to double spend those coins. The attack being suggested is to simply grab all the mining rewards and spend those.

On its surface this sounds like a good "attack" because you basically can mine coins at half the cost that honest miners were paying to mine. If I had 51% of all hashpower and was wondering whether to carry out this kind of attack, I'd worry that my actions would tank the BTC price once people realized that one miner controlled all mining, and that I would have to settle for a much lower price for my mining rewards.

This situation is basically the "mining cartel" that Cubic Earth was posting about. Right now Discus Fish, GHash.IO, KnCMiner, and BTCGuild have over 51% of hashrate. Suppose they have 55% so they could form a private agreement to only build on each other's blocks. Now they are getting 100% of block rewards instead of 55%, almost doubling their revenue and maybe increasing their profits by 10x. Miners in other pools will then want to switch to one of these pools, because they are the only pools that make any money. These pools will not want to let in more people (technically, more hash power) though, because they don't need more people to control the network. Why split the mining rewards with more people when you don't have to? The cartel would want to stay just big enough to not jeopardize their control of the network.

As miners outside of the cartel realized the futility of competing with the cartel, they'd stop mining, meaning the cartel would be free to lower their own hash rate to further increase their profits.

Eventually, the cartel may be able to lower their hash rate to almost nothing (and therefore earn huge profits). In this case network security would not be provided by actual hashing, but by the knowledge that if anyone tried to attack the network, the cartel would then turn on their full hash rate capability until the attacking chain was overtaken. Maybe the cartel would mine at 100% for brief spurts just to assure the community of their power. In this situation people would realize it was futile to attack the network, so they wouldn't try.

Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

Anyone know if this cartel situation has been analyzed in more depth anywhere?
2112
November 12, 2014, 11:48:51 PM
Last edit: November 13, 2014, 10:41:30 AM by 2112
 #67

Quote from: go1111111
As miners outside of the cartel realized the futility of competing with the cartel, they'd stop mining, meaning the cartel would be free to lower their own hash rate to further increase their profits.

Eventually, the cartel may be able to lower their hash rate to almost nothing (and therefore earn huge profits). In this case network security would not be provided by actual hashing, but by the knowledge that if anyone tried to attack the network, the cartel would then turn on their full hash rate capability until the attacking chain was overtaken. Maybe the cartel would mine at 100% for brief spurts just to assure the community of their power. In this situation people would realize it was futile to attack the network, so they wouldn't try.

Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

Anyone know if this cartel situation has been analyzed in more depth anywhere?

I did a brief analysis over 2 years ago in my long-term mining prognosis post (from the signature):

https://bitcointalk.org/index.php?topic=91101.0

Because it is effectively a reductio ad absurdum of the whole* Bitcoin concept you are not likely to get much response or discussion about the idea.

Edit: (*) Not really the whole, but mostly the might-makes-right aspect of the current proof-of-work.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Gavin Andresen
Chief Scientist
November 13, 2014, 12:23:02 AM
 #68

Quote from: Gavin Andresen
You are wrong.

Example that should make it clear....

Wait... no... that example is only valid for the "attacker takes over existing mining pools" case, where formerly honest miners are co-opted to be evil (or gang up in a cartel to be evil).

If somebody collects as much hashing power as the rest of the network combined and then suddenly attacks, then yes, indeed, difficulty stays the same, the attacker gets all the mining rewards, and there are twice as many stale blocks as before.  Attacker gets 6 block rewards per hour.

If they were to mine honestly, blocks would be created twice as fast until difficulty adjusted, so they'd get 6 block rewards per hour for a week (same as if they decide to attack). Then difficulty would double, and they'd get only 3 per hour.

How often do you get the chance to work on a potentially world-changing project?
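Added example, not part of any post in this thread: a small model of the scenario in the post above, where a newcomer brings hash power equal to some multiple of the existing network and either mines honestly or builds only on its own blocks. It assumes Bitcoin's 2016-block retarget interval and 6-blocks-per-hour target, and, as the post does, that the private chain ends up the longest; the function names are hypothetical.

```python
from dataclasses import dataclass

TARGET_BLOCKS_PER_HOUR = 6   # 10-minute block target
RETARGET_INTERVAL = 2016     # blocks between difficulty adjustments


@dataclass
class Phase:
    hours: float           # how long the phase lasts
    newcomer_rate: float   # newcomer's block rewards per hour during it


def honest_phases(ratio):
    """Newcomer with `ratio` times the existing hash power joins the shared chain."""
    total = 1.0 + ratio
    share = ratio / total
    # Difficulty was set for the old hash power, so blocks arrive faster at first.
    chain_rate = TARGET_BLOCKS_PER_HOUR * total
    first = Phase(RETARGET_INTERVAL / chain_rate, chain_rate * share)
    # After the retarget the chain is back at 6 blocks/hour and rewards are shared.
    steady = Phase(float("inf"), TARGET_BLOCKS_PER_HOUR * share)
    return [first, steady]


def private_chain_phases(ratio):
    """Newcomer builds only on its own blocks.

    Assumption (taken from the post): with ratio >= 1 its chain becomes the
    longest one, so every reward on the surviving chain is the newcomer's.
    """
    if ratio < 1.0:
        raise ValueError("model only covers a newcomer at least as large as the rest")
    chain_rate = TARGET_BLOCKS_PER_HOUR * ratio
    first = Phase(RETARGET_INTERVAL / chain_rate, chain_rate)
    # The retarget on that chain brings it back to 6 blocks/hour, all the newcomer's.
    steady = Phase(float("inf"), float(TARGET_BLOCKS_PER_HOUR))
    return [first, steady]


def rewards_after(phases, horizon_hours):
    """Cumulative block rewards the newcomer has collected after `horizon_hours`."""
    total, remaining = 0.0, float(horizon_hours)
    for phase in phases:
        span = min(phase.hours, remaining)
        total += span * phase.newcomer_rate
        remaining -= span
        if remaining <= 0:
            break
    return total


if __name__ == "__main__":
    four_weeks = 4 * 7 * 24
    for ratio in (1.0, 1.5, 3.0):
        honest = rewards_after(honest_phases(ratio), four_weeks)
        private = rewards_after(private_chain_phases(ratio), four_weeks)
        print(f"ratio {ratio}: honest {honest:.0f} blocks, private chain {private:.0f} blocks")
```

With a ratio of 1 the honest case gives 6 rewards per hour for 168 hours (one week) and 3 per hour afterwards, which are the figures in the post; the gap between the two strategies is the part of the reward that hashing cost alone does not deter.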
TierNolan
November 14, 2014, 10:29:35 AM
 #69

Quote from: go1111111
As miners outside of the cartel realized the futility of competing with the cartel, they'd stop mining, meaning the cartel would be free to lower their own hash rate to further increase their profits.

As the hashing power drops, the cartel has an incentive to kick members.  That means that the smallest member has an incentive to not join in the first place.

One of the issues is that mining pools don't actually control all of their hashing power.  If they annoy the community, they could lose support.

Quote
Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

The 6 block confirm system would pretty much eliminate that anyway.  The cartel's chain is unlikely to fall 6 blocks behind.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
odolvlobo
November 14, 2014, 09:16:29 PM
 #70

Quote from: go1111111
Quote from: Gavin Andresen
Attacking miner with 50% hash power: will mine 6 blocks every four hours (on average), because they refuse to build on anybody else's blocks.

If the attacker had 51% of the hash power, they could get 100% of the mining rewards though right? Because whenever anyone else mined a block, the attacker can always overtake that chain with one in which they mine every block.

odolvlobo seems to be asking about a strange sort of 51% attack. The typical kind that gets talked about is that you have some pre-existing coins and you use your large hashrate to double spend those coins. The attack being suggested is to simply grab all the mining rewards and spend those.

...

My point is not to point out the particular attack that was described. The point is that as long as mining is profitable there are attacks or exploits that are not protected by the cost of mining, now or in the future.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
DumbFruit
November 14, 2014, 09:53:38 PM
 #71

Quote from: odolvlobo
My point is not to point out the particular attack that was described. The point is that as long as mining is profitable there are attacks or exploits that are not protected by the cost of mining, now or in the future.

Mining isn't even profitable right now. Competition drives down profit margins as it increases efficiency. I wouldn't worry too much about that. There's no way for mining to be perpetually profitable.

As long as you're referring to profits and not revenue, that is...

By their (dumb) fruits shall ye know them indeed...
go1111111
November 14, 2014, 10:08:30 PM
Last edit: November 14, 2014, 10:27:09 PM by go1111111
 #72

Quote from: TierNolan
As the hashing power drops, the cartel has an incentive to kick members. That means that the smallest member has an incentive to not join in the first place.

One of the issues is that mining pools don't actually control all of their hashing power.  If they annoy the community, they could lose support.

Usually the smallest member's actions won't be decisive though, so I think a small miner would always want to join the cartel if possible even if they worried about being kicked out, because it's very profitable and their alternative is 0 profit.

The cartel might kick miners out, although it carries a risk that an outside coalition could become stronger than them. Let's say the coalition started with 55% of all hashpower. Outside miners stop mining, the cartel reduces their hashing to 8% of capacity, and they kick some people out until they control only 50% of total hashpower instead of 55%. So now 50% of total hashpower is outside the cartel and making no money, but this 50% knows that if they could just organize themselves and either make an investment in more mining equipment or recruit some miners away from the existing cartel, they could take control and earn 100% of mining rewards. This would be a disaster for the cartel, so I don't think they'd want to kick too many people out.

The "new cartel" could also set a policy of never kicking anyone out. Maybe miners wouldn't believe them, but if they did it'd give small miners in the existing cartel who worried about being kicked out an incentive to switch.

I think the fact that pools don't control their hash power makes the cartel situation better for the Bitcoin community -- by ensuring that the cartel policy is roughly what the majority of miners want (otherwise they'd form a new cartel).

Quote
Note that merchants would know to not trust any non-cartel-mined block, so an attacker couldn't even get a temporary window of opportunity to profit.

The 6 block confirm system would pretty much eliminate that anyway.  The cartel's chain is unlikely to fall 6 blocks behind.

What I mean is that an attacker might have an idea to do a double spend by mining just one block, putting a transaction to a merchant only in their block (not broadcasting it to anyone else) and taking advantage of merchants who wait for only one confirmation. When this block gets orphaned, their transaction to the merchant will be rolled back, assuming the cartel doesn't harvest transactions from orphaned blocks even if they have no fees.

Quote from: odolvlobo
My point is not to point out the particular attack that was described. The point is that as long as mining is profitable there are attacks or exploits that are not protected by the cost of mining, now or in the future.

Consider the case where someone wants to pull off an attack but they have no hashpower now. So they buy enough hashpower so they have 30% of total hashpower. Then they do their attack. Mining is only barely profitable in the long run -- mining equipment is priced at a level where you likely need to mine for a super long time to make back your investment. So after the attack the attacker needs to mine honestly for a year or so to be truly costless (and still, there's a lot of risk that their forecast of the future hashrate was off, and they'll lose a lot of money).

I think the traditional argument against this is that such attacks would undermine faith in the network and lower the BTC price, so if an attacker had enough hashpower to pull off a 51% attack, then by causing the BTC price to drop they'd be significantly reducing their future revenue, likely more than offsetting any benefit from their attack.


Quote from: DumbFruit
Mining isn't even profitable right now. Competition drives down profit margins as it increases efficiency.

Correct -- all mining profits will be competed away to 0 in the long run (absent a cartel), since mining is close to perfect competition. But odolvlobo's argument can be recast to say that an attack would be "costless" instead of profitable, since if an attacker could use his mining investment to mine he at least would come out somewhat near breaking even (again assuming his attack didn't wreak too much havoc).
DumbFruit
November 17, 2014, 04:46:23 PM
 #73

Quote from: go1111111
Quote from: DumbFruit
Mining isn't even profitable right now. Competition drives down profit margins as it increases efficiency.

Correct -- all mining profits will be competed away to 0 in the long run (absent a cartel), since mining is close to perfect competition. But odolvlobo's argument can be recast to say that an attack would be "costless" instead of profitable, since if an attacker could use his mining investment to mine he at least would come out somewhat near breaking even (again assuming his attack didn't wreak too much havoc).

So the competitors in mining would lose nothing by colluding, but could significantly gain, absent consumer boycotting.
Perhaps instead of fighting market forces, mining collusion should be encouraged. If the collusion is detrimental to its consumers, then the consumers have plenty of other places to go.
Instead of decentralization of Bitcoin, we could think of decentralization in the broader sense of a currency marketplace.
That's pretty much the same as throwing in the towel, but at least it can be recognized that the death of individually decentralized currency isn't the death of decentralized currency marketplaces.

It's depressing to think about mining companies getting together to try to decide what the appropriate transaction fee should be. That's certainly not the vision I bet most of us had when we first learned about Bitcoin.

By their (dumb) fruits shall ye know them indeed...
Flashman
November 17, 2014, 05:58:01 PM
Last edit: November 17, 2014, 06:11:22 PM by Flashman
 #74

Random thought with no regard to the technicalities, a percentage demurrage, deferred by contributing hashpower. Using a spitball of current figures, seems like it "costs" about 20GH to maintain 1 coin, divvying up total hash by coins issued. However, we'd then get a problem that you'd maybe have to mine direct to the wallet where all your coins are to validate the lack of demurrage for those coins. Unless it could work on a sort of merged or sidechained antidemurrage credit, so mine how you like and xfer the credits to where your coins are. Haven't done full evaluation and not sure what the calc will look like 25 years hence or whenever the real problem starts, but something of the order of 5% demurrage per annum seems to fit. Then if coin owner does not mine, or possibly buy credits off those that mine and sell instantly, that demurred coin gets tacked onto block reward.

I don't know if it will need to be as high as 5% by that time maybe not even necessary until much later, presuming cost to maintain given %age of network hash (constant share of blocks) remains roughly consistent, then mining a single coin block with a $25000 coin value makes it look a lot more profitable than today's ~$10,000 block value.... and I've seen blocks now that have almost an extra coin in tx fees.

This may of course have an effect, seen as either desirable or undesirable, that it eventually returns all "lost" coins to circulation. Okay, most of all of them, damn Xeno.


edit: derp, I realise I more or less looped the calc there, turns out "cost to maintain current level of service" as it were is pretty close to current block reward, when calculated with current typical ASIC efficiencies, current price, current hashrate etc.... we will be expecting that to self tune for many years yet.

TL;DR See Spot run. Run Spot run. .... .... Freelance interweb comedian, for teh lulz >>> 1MqAAR4XkJWfDt367hVTv5SstPZ54Fwse6

Bitcoin Custodian: Keeping BTC away from weak heads since Feb '13, adopter of homeless bitcoins.
go1111111
December 26, 2014, 06:03:58 AM
 #75


I've been thinking about "weak subjectivity" lately as a method of securing blockchains, after Vitalik started advocating it as a good form of consensus. It embraces a different security model than Bitcoin, requiring more trust. The Bitcoin wizards are very skeptical of this, saying the security model basically boils down to "just ask coinbase which chain is the real one." However it seems to me that in practice, weak subjectivity might end up approximating full trustlessness very closely. My argument is below. I'm very interested in getting critiques about how specifically this model is likely to be attacked.

For anyone not familiar with weak subjectivity, see Vitalik's explanation at https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

The tl:dr version is that in this system, if you're not online for some period of time, say 4 months, you need to get a blockchain checkpoint from other people, because you won't be able to tell which one is valid on your own. For anyone who has been online since the genesis block, they don't need to trust anyone. Also, once you do get a checkpoint, you don't need to trust people further going forward (beyond your continued trust that you got the right checkpoint), unless you go offline for > 4 months in the future and come back. Given this, all new nodes need to use trust to get an initial checkpoint.

So the obvious argument against this is: "if new or returning nodes have to ask coinbase what the correct chain is, why don't we just use a fully centralized system operated by coinbase?"

However, it seems that no one who actually cares about security would put their trust in one entity, instead you'd want to ask a lot of entities which chain is correct. Let's imagine in the future Bitcoin has switched to a weak subjective security model, and I'm coming online after 4 months away. Here's who I would ask about the correct chain:

Peter Todd, Gavin Andresen, the Darkwallet guys, Coinbase, my friend who I used to work with who operates a full Bitcoin node, Bitstamp, the Electronic Frontier Foundation, Julian Assange, Greg Maxwell, Mike Hearn, Bram Cohen, Paul Sztorc, Nick Szabo, Robert Sams, Adam Back, Matthew Green, Andrew Miller, Richard Gendal Brown, Balaji Srinivasan, Naval Ravikant.

So that's 20 entities who I think would (a) have an opinion on which chain is real, and (b) be fairly likely to give me an honest answer.

Let's assume I ask all of these 20 sources, and they all tell me the same chain is the legit one. In that case, what should I think is the probability that they are all giving me the same wrong information? Since I have to trust them, there's some chance that they're all wrong. But under what realistic circumstances could this happen? And is that really significantly more likely than some hacker having taken over my computer in the current Bitcoin world, and feeding me info about a false chain?

The general idea is that similar to how zero-knowledge proofs work (where you can keep asking questions until the probability that the prover doesn't have a real solution is arbitrarily small), in a world of weak subjectivity I can keep asking different sources and investigating their trustworthiness until the probability that they're all lying to me is extremely small (The analogy isn't perfect because people lying to me about checkpoints aren't fully independent events). Because anyone can run a full node, there's not some easy set of people for governments or other censors to go after if they want to suppress info about the real chain.

My intuition though is that asking the 20 sources above is millions of times less likely to result in me getting a wrong checkpoint than asking just Coinbase, and that this probability is so close to 0 as to be negligible.

Can someone who is more skeptical of weak subjectivity describe a concrete scenario in which someone like me taking steps like I outline above would fail to get the right chain?
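Added example, not part of the post above or of any client: one way a returning node could combine checkpoint answers from many sources, together with a simple model of the post's caveat that wrong answers are not fully independent events. The source names, group labels and hashes are constructed, and the `p_common` term (one event that corrupts every source at once) is a modelling assumption.

```python
from collections import Counter


def choose_checkpoint(answers, min_groups=3):
    """Pick a checkpoint from (source, group, checkpoint_hash) answers.

    `group` names whatever the source depends on for its view of the chain
    (its own full node, a shared block explorer, ...). Sources in one group
    count as a single vote, because they fail together.
    Returns (hash, None) on success or (None, reason) on refusal.
    """
    by_group = {}
    for _source, group, checkpoint in answers:
        if checkpoint is not None:
            by_group.setdefault(group, set()).add(checkpoint)

    split = sorted(g for g, hashes in by_group.items() if len(hashes) > 1)
    if split:
        return None, "conflict inside group: " + ", ".join(split)

    votes = Counter(next(iter(hashes)) for hashes in by_group.values())
    if len(votes) > 1:
        return None, "groups disagree on %d different checkpoints" % len(votes)
    if len(by_group) < min_groups:
        return None, "only %d independent group(s) answered" % len(by_group)
    return next(iter(votes)), None


def p_all_wrong(n, p_each, p_common=0.0):
    """Chance that all n sources are wrong.

    p_each:   chance that one source is wrong on its own
    p_common: chance of a single event that makes every source wrong at once
    """
    return p_common + (1.0 - p_common) * p_each ** n


def improvement(n, p_each, p_common=0.0):
    """How many times less likely n sources are to all be wrong than one source."""
    return p_all_wrong(1, p_each, p_common) / p_all_wrong(n, p_each, p_common)


# Constructed sample data: placeholder hashes, hypothetical sources and groups.
GOOD, OTHER = "cp_aaaaaaaa", "cp_bbbbbbbb"
AGREEING = [
    ("dev_1", "own-node-1", GOOD), ("dev_2", "own-node-2", GOOD),
    ("exchange_1", "own-node-3", GOOD), ("friend", "own-node-4", GOOD),
    ("blog_1", "explorer-x", GOOD), ("blog_2", "explorer-x", GOOD),
]
ALL_ONE_UPSTREAM = [("blog_%d" % i, "explorer-x", GOOD) for i in range(5)]
DISAGREEING = AGREEING[:4] + [("blog_1", "explorer-x", OTHER)]

if __name__ == "__main__":
    print(choose_checkpoint(AGREEING))
    print(choose_checkpoint(ALL_ONE_UPSTREAM))
    print(choose_checkpoint(DISAGREEING))
    print("independent sources:", improvement(20, 0.01))
    print("with a 1e-6 common-mode event:", improvement(20, 0.01, 1e-6))
```

Under full independence 20 sources help by an astronomical factor, but any common-mode failure caps the gain at roughly `p_each / p_common`, so the spread of sources across independent groups matters more than their count.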
 
2112
December 26, 2014, 06:41:59 AM
 #76

Quote from: go1111111
Can someone who is more skeptical of weak subjectivity describe a concrete scenario in which someone like me taking steps like I outline above would fail to get the right chain?

The "right" chain is the chain that is supported by the exchange that is willing to swap your coins for other things of value. Any discrepancies between the exchanges are decided by the arbitrageurs with capital, not by eggheads with propaganda position papers.

That is the difference between the real financial systems and the long-cons trading baloney.


Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
gmaxwell
Moderator
December 26, 2014, 03:55:54 PM
 #77

Quote from: 2112
The "right" chain is the chain that is supported by the exchange that is willing to swap your coins for other things of value.

Seems to have worked out great for all those buying into MTGOX's view of the world.
DumbFruit
December 26, 2014, 05:28:59 PM
 #78

Vitalik summarizes the problem with "Weak Subjectivity" here;

Quote from: Vitalik Buterin
This security assumption, the idea of “getting a block hash from a friend”, may seem unrigorous to many; Bitcoin developers often make the point that if the solution to long-range attacks is some alternative deciding mechanism X, then the security of the blockchain ultimately depends on X, and so the algorithm is in reality no more secure than using X directly – implying that most X, including our social-consensus-driven approach, are insecure.

He then fails to rephrase the problem and addresses that incorrect rephrasing of the problem. This is called a "Straw man".

Quote from: Vitalik Buterin
However, this logic ignores why consensus algorithms exist in the first place. Consensus is a social process, and human beings are fairly good at engaging in consensus on our own without any help from algorithms; perhaps the best example is the Rai stones, where a tribe in Yap essentially maintained a blockchain recording changes to the ownership of stones (used as a Bitcoin-like zero-intrinsic-value asset) as part of its collective memory. The reason why consensus algorithms are needed is, quite simply, because humans do not have infinite computational power, and prefer to rely on software agents to maintain consensus for us. Software agents are very smart, in the sense that they can maintain consensus on extremely large states with extremely complex rulesets with perfect precision, but they are also very ignorant, in the sense that they have very little social information, and the challenge of consensus algorithms is that of creating an algorithm that requires as little input of social information as possible.

He rephrases the problem as fundamentally a computational problem, that the only reason trusting X is not usually ok is because we don't have computation to help us understand X and appropriately trust X.
This is not the problem with "Weak Subjectivity", this is not the reason why trusting X is a problem, and it begs the question by presuming that doing this "Weak Subjectivity" is better than simply trusting in X via any kind of system X wants to implement.

Or in other words;
Quote from: Vitalik Buterin
Bitcoin developers often make the point that if the solution to long-range attacks is some alternative deciding mechanism X, then the security of the blockchain ultimately depends on X, and so the algorithm is in reality no more secure than using X directly...

By their (dumb) fruits shall ye know them indeed...
go1111111
December 26, 2014, 08:25:55 PM
 #79

Quote from: 2112
The "right" chain is the chain that is supported by the exchange that is willing to swap your coins for other things of value. Any discrepancies between the exchanges are decided by the arbitrageurs with capital, not by eggheads with propaganda position papers.

The exchanges get their power from offering services to the people who want to trade. If an exchange wanted to adopt an illegitimate chain, people would clearly see they were using an illegitimate chain, using the method I described above, so demand for its services would plummet and it would be overtaken by competitors using the right chain. If you think people wouldn't be able to tell which chain was real on their own, without being told by the exchanges, you should give some argument why you think the method I describe above wouldn't work.

Quote from: DumbFruit
This is not the problem with "Weak Subjectivity", this is not the reason why trusting X is a problem, and it begs the question by presuming that doing this "Weak Subjectivity" is better than simply trusting in X via any kind of system X wants to implement.

I agree that Vitalik's rephrasing of the issue isn't great. Are you claiming that weak subjectivity offers no more security than full subjectivity (aka, just coming to a consensus by trusting various people without any underlying rules as described in the weak subjective system)? If so I'll try to give a better argument than Vitalik in my next reply.

I'm still curious to hear how people specifically think my method of discovering the true chain would fail.
2112
December 26, 2014, 10:43:23 PM
Last edit: December 28, 2014, 04:11:27 PM by 2112
 #80

The exchanges get their power from offering services to the people who want to trade. If an exchange wanted to adopt an illegitimate chain, people would clearly see they were using an illegitimate chain, using the method I described above, so demand for its services would plummet and it would be overtaken by competitors using the right chain. If you think people wouldn't be able to tell which chain was real on their own, without being told by the exchanges, you should give some argument why you think the method I describe above wouldn't work.
Well, who's going to be mining if not exchanges, when the general mining becomes continuously non-profitable?
Seems to have worked out great for all those buying into MTGOX's view of the world.
I don't think that MtGox was postulating the existence of different blockchains.

The way I understood the blockchain discrepancy in May of 2013 was that Bitcoin Foundation and/or core developer team evaluated transactions on both of the competing chains, chose one branch and then reimbursed the affected exchange (OKcoin?) or the affected user (macbook_air?). Edit: Apparently I misremembered things. A double spend was successful, but not reimbursed by the Bitcoin Foundation nor the core development team. https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki End of edit.

I don't think that Bitcoin Foundation would have enough capital to do all future reimbursement in case of chain discrepancies.

The regular accounting behavior when the "books don't close" is to halt or suspend trading until a mutually agreeable resolution can be achieved. In my opinion no large capital entities will risk Bitcoin trading when they have no say in the decisions made when the discrepancy occurs.

One could argue that the May 2013 event was resolved in favor of those running buggy software and to the detriment of those running the software free of the bug that causes the fork. That bug could be easily fixed with a simple 2-line DB_CONFIG file and a restart of the Bitcoin client, which would take much less than 10 minutes.

On the other hand I understand the pressure that was put on the core development team to issue a "patch" and "new compiled executables", especially from the people unfamiliar with operational issues of the database systems.

Finally the core development team is always torn between the needs of two vastly different subgroups of the Bitcoin milieu: the anarchists and the statists (or etatists, meaning those who are OK with the existing state's governments, not anti-dynamists). In the future I could envision a chain split between a monetary exchange (Bitcoin<->FIAT, subject to KYC and other regulations) and e.g. ammunition exchange or survivalist gear exchange patronized by the anarchists. This is the situation where I think you wouldn't ask the Bitcoin elders about the chain correctness, but you'll simply synchronize to the chain that will allow you to trade your Bitcoins for USD or bullets, depending on your particular needs.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0