Why not 10 coins per block and a block every 2 minutes?

[netrin]

As long as everyone faces the same risk of wasting computational time, I dont't see why tho
is matters to miners.

Because the greater the waste ratio the greater the advantage to the previous awarded miner, which is an advantage to a malicious miner. The waste due to latency is expected to increase as the network grows and we really do not have a huge margin. Increases in waste proportionally increases the likelihood that any block/transaction is invalid. And waste is ... wasteful.

[1714956557]

1714956557

[1714956557]

1714956557

[bji]

You are calculating the chance that any single attack of many attacks will succeed. I am discussing the chance that an attacker will win a single attack by chasing the block chain. I'm claiming that a 51% hash power attacker can always win (with unlimited time and resources) while a 49% hash power attacker, if he doesn't win immediately will have diminishing chances as time goes on (even with unlimited time and resources).

I know that with 51% hash power the attacker will always succeed eventually.  Anything over 50% gives statistical certitude that the attacker will eventually succeed.  It's really a question of how long it is likely to take and how much effort an attacker would be willing to expend with such a small advantage to eventually succeed.

For a brief time I was thinking about how to compute the chance of computing 2, or 3, or N blocks before the rest of the network can compute 1.  I am not entirely sure how to do the math, but I think it would be very interesting if someone does.

[ctoon6]

I know that with 51% hash power the attacker will always succeed eventually.  Anything over 50% gives statistical certitude that the attacker will eventually succeed.  It's really a question of how long it is likely to take and how much effort an attacker would be willing to expend with such a small advantage to eventually succeed.

For a brief time I was thinking about how to compute the chance of computing 2, or 3, or N blocks before the rest of the network can compute 1.  I am not entirely sure how to do the math, but I think it would be very interesting if someone does.

its possible to abuse the network with less than 50%. you can abuse the network with .0001% of the hashing power, the question is only how successful you will be at trying to abuse the network. with even as low as 30% you could still occasionally get blocks in succession and cause damage. but if you want to be able to cause damage more often you will need more power, closer to 70% is my gut feeling.

[MoonShadow]

I know that with 51% hash power the attacker will always succeed eventually.  Anything over 50% gives statistical certitude that the attacker will eventually succeed.  It's really a question of how long it is likely to take and how much effort an attacker would be willing to expend with such a small advantage to eventually succeed.

For a brief time I was thinking about how to compute the chance of computing 2, or 3, or N blocks before the rest of the network can compute 1.  I am not entirely sure how to do the math, but I think it would be very interesting if someone does.

its possible to abuse the network with less than 50%. you can abuse the network with .0001% of the hashing power, the question is only how successful you will be at trying to abuse the network. with even as low as 30% you could still occasionally get blocks in succession and cause damage. but if you want to be able to cause damage more often you will need more power, closer to 70% is my gut feeling.

But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terriblely likey at 51%.  Thus, you are correct guessing that 70% is a more realistic number.  In order to assault the blockchain in real time, the attacker would have to be able to seriously dominate the entire honest network.  However, if the attacker were building a chain in secret, he could possibily build one in secret that overwrites a prior block to reverse a transaction wherein the attacker previously spent funds.  But this kind of attack is damage limited to the person who was dealing with the attacker, and he would still need enough of a majority to build and release his chain before any new checkpoints have been added.

[bji]

But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terriblely likey at 51%.

Of course it's possible to do it with less than 50%, it's just less likely.

[enmaku]

I still haven't seen a mathematically founded answer to a question I've been asking for ages:

What percent of 0/unconfirmed transactions become orphaned, are fraudulent or otherwise never make it to 6/confirmed?

If that percentage is lower than current merchant service company fees, we're still a point-of-sale winner when accepted at 0/unconfirmed and that much IS instant.

[MoonShadow]

But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terriblely likey at 51%.

Of course it's possible to do it with less than 50%, it's just less likely.

No, it's not.  Not if we are talking about the same thing.  It is not possible to reverse a confirmation of a transaction, and thus double spend, without 50% or more of the total network hashing ability.  That is shown in Satoshi's white paper.

[netrin]

I still haven't seen a mathematically founded answer to a question I've been asking for ages:

What percent of 0/unconfirmed transactions become orphaned, are fraudulent or otherwise never make it to 6/confirmed?

If that percentage is lower than current merchant service company fees, we're still a point-of-sale winner when accepted at 0/unconfirmed and that much IS instant.

0/unconfirmed are transactions the network potentially does not know about. I've created numerous that have never gone to 1/unconfirmed, and the network has NO RECORD of them. Would you settle for stats from 1/unconfirmed to 6/confirmed? In an earlier thread, Kjj said:

The block explorer reorg log is showing 15 reorgs in the last 8538 blocks.  We generally assume that about half the forks lead to a reorganization in a given node*, so that is about 30 forks.  That is about one fork per 284 blocks, which is close to my estimate of 300 blocks per fork.

So, I would expect a two block fork every 90 thousand blocks or so, maybe every 80 thousand using the block explorer data.  That is every year and a half, by the way.  A three block fork should show up under honest circumstances about once every 450 to 500 years.

A shorter block time target would probably lead to more frequent forks, measured in blocks per fork, but it isn't obvious what the function would be.  Halving the block time target, for example, would lead to probably more than double the forks per year.  It could probably be simulated, but hasn't that I know of.

* The best predictor of which block will win in a fork is the fraction of the network seeing that block.  If we assume that the distribution is more or less random, they should both average out to around 50%.

[bji]

But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terriblely likey at 51%.

Of course it's possible to do it with less than 50%, it's just less likely.

No, it's not.  Not if we are talking about the same thing.  It is not possible to reverse a confirmation of a transaction, and thus double spend, without 50% or more of the total network hashing ability.  That is shown in Satoshi's white paper.

So with 25% hashing power and some luck I can't rewrite a new block chain starting at a block, say, 2 blocks old, and extending out 1 additional block, before someone else adds 1 block to the current head?  Although it is statistically unlikely I don't see how it's impossible.  If I tried hard enough and long enough it is inevitable that I would be able to do this at some point.  It is also inevitable that the 75% of the network, if it were coordinated to try to extend the "real" block chain instead of mine, would eventually win back the block chain.

It is inevitable that > 50% has ultimate control over the block chain, but < 50% could have control for short stretches, and that would be very disruptive.

[ctoon6]

So with 25% hashing power and some luck I can't rewrite a new block chain starting at a block, say, 2 blocks old, and extending out 1 additional block, before someone else adds 1 block to the current head?  Although it is statistically unlikely I don't see how it's impossible.  If I tried hard enough and long enough it is inevitable that I would be able to do this at some point.  It is also inevitable that the 75% of the network, if it were coordinated to try to extend the "real" block chain instead of mine, would eventually win back the block chain.

It is inevitable that > 50% has ultimate control over the block chain, but < 50% could have control for short stretches, and that would be very disruptive.

that's how i see it, and if the over 51% hasher had some bad luck, they would not be in control during that period.

[netrin]

The 25 % attacker is so much less likely to overtake the honest block chain, that it's statistically to his advantage to double his resources rather than quadruple his attempts.

[ctoon6]

in the real world we do not have limitless resources, you would be capped by electricity and the amount of GPUs you would be able to acquire.

[MoonShadow]

But just getting blocks in doesn't cause any damage, you have to be able to overwrite prior blocks, which isn't possible with less than 50% of the total network hashing power, and still isn't terriblely likey at 51%.

Of course it's possible to do it with less than 50%, it's just less likely.

No, it's not.  Not if we are talking about the same thing.  It is not possible to reverse a confirmation of a transaction, and thus double spend, without 50% or more of the total network hashing ability.  That is shown in Satoshi's white paper.

So with 25% hashing power and some luck I can't rewrite a new block chain starting at a block, say, 2 blocks old, and extending out 1 additional block, before someone else adds 1 block to the current head?  Although it is statistically unlikely I don't see how it's impossible.  If I tried hard enough and long enough it is inevitable that I would be able to do this at some point.  It is also inevitable that the 75% of the network, if it were coordinated to try to extend the "real" block chain instead of mine, would eventually win back the block chain.

It is inevitable that > 50% has ultimate control over the block chain, but < 50% could have control for short stretches, and that would be very disruptive.

Neither disruptive nor damaging.  The system does this regularly, and is designed to cleanly handle it.  They are call "reorganizations".  From the perspective of the network, part of the network disagrees about the last block or two; but as you said yourself, the honest majority will overtake the network, and all attempts to force a blockchain split with less than a hashing majority result in futility.  The network doesn't even care.  And even though it's not impossible to overwrite one or two blocks in a row with 25% of the hashing power, the odds are still vanishingly small considering your trying to swim upstream at 2.5 feet per second against a flow of 7.5 feet per second.  There is more to it all than you seem to grok.

[bji]

There is more to it all than you seem to grok.

We grok it just fine, and you haven't said anything that wasn't said already.

[MoonShadow]

There is more to it all than you seem to grok.

We grok it just fine, and you haven't said anything that wasn't said already.

Then what is the disconnect?  Have you read the white paper?  If so, are you sure that you understood it?  Bitcoin has a lot of moving parts, really.  The possibility of a blockchain attack doing any lasting harm is directly addressed in Satoshi's white paper, and what I think that you guys are describing isn't possible with less than a majority hashing power.  Not just unlikely, but astronomicly unlikely.  In the same threat range of the sudden reversal of the law of gravity, or the rapid dimming of the Sun.  You do realize that neither is impossible, but they are so far removed from possible that any rational person simply rounds off to zero.  Same with the odds that a minority attacker can just stumble into an attack that lasts two or more consecutive blocks.  In order for an attacker to double spend in this manner, he first has to allow the first transaction into the blockchain in order to get the vendor to accept the deal complete (assuming that he doesn't expect more confirms, the default is 6) and once in a block; said minority attacker must create two blocks of the proper difficulty before the rest of the network can produce one.  That's why I said it's posssible at 50% but it's still unlikely.  Given 6+ confirms, even an attacker with 51% of the network hashing power would have an astronomical and vanishing likelyhood of reversing that far back; all of which has to occur before the honest network can produce another block.  Even if the attacker was producing his dishonest blocks in the dark to be released all at once, he still only has a 51% of creating the 7th block to seal them in before the rest of the network does.

[gmaxwell]

Then what is the disconnect?  Have you read the white paper?  If so, are you sure that you understood it?  Bitcoin has a lot of moving parts, really.  The possibility of a blockchain attack doing any lasting harm is directly addressed in Satoshi's white paper, and what I think that you guys are describing isn't possible with less than a majority hashing power. 

The disconnect here is that you're talking about "lasting harm" in the context of the network.  If I get one confirm, give you the keys to my car, you drive off and the blockchain reorganizes so your payment goes someplace else (due to double spending on another branch)— lasting harm was done by any sane measure.

If you wait long enough then you can make the risk arbitrarily small, though the buyers risk starts increasing with too much delay and large delay aren't always tolerable.   

If the network is more concentrated (lower latency, longer block intervals) then it is less likely for someone to pull off an uncertain low depth attack because there will be fewer instances of multiple forks with a non-trivial survival chance.

 

[kjj]

Then what is the disconnect?  Have you read the white paper?  If so, are you sure that you understood it?  Bitcoin has a lot of moving parts, really.  The possibility of a blockchain attack doing any lasting harm is directly addressed in Satoshi's white paper, and what I think that you guys are describing isn't possible with less than a majority hashing power. 

The disconnect here is that you're talking about "lasting harm" in the context of the network.  If I get one confirm, give you the keys to my car, you drive off and the blockchain reorganizes so your payment goes someplace else (due to double spending on another branch)— lasting harm was done by any sane measure.

If you wait long enough then you can make the risk arbitrarily small, though the buyers risk starts increasing with too much delay and large delay aren't always tolerable.   

If the network is more concentrated (lower latency, longer block intervals) then it is less likely for someone to pull off an uncertain low depth attack because there will be fewer instances of multiple forks with a non-trivial survival chance.

Escrow.

[bji]

Then what is the disconnect?

The disconnect is that there are alot of competing threads within this thread and the comments are all fragmented within these discussions, and you're taking that as an opportunity to assume that nobody understands bitcoin.  It is rude to tell everyone that they don't understand bitcoin because there are differences of opinion.

Yes, I have read the white paper, and yes, I understand it.  The point being argued, at least that I was arguing, is against this notion that 51% is some magical number.  

51% is a magic number, or rather majority is "magical".  If one excludes the other safeguards, and just considers the raw security of the blockchain & total hashing power, a simple majority hasher could eventually double spend a prior transaction by slowly overtaking the blockchain in the dark and dumping his false chain upon the network.  The hasher with 49.9% can never do this.  Ever.  Or if you prefer, the odds against a minority hasher with 49.9% of the hashing power sustainablely taking over the blockchain starts at roughly 1:1 at the first block, but then trends towards infinity.

The kind of attacks that 51% enables are also possible with less than 51%, is what I am saying.  I agree with you that the chances of success are very low; but they're also very low at 51%, and only slightly lower at 40%.  At 51% hashing power you have to 'get lucky' to generate blocks so rapidly that you have a chance to muck with the block chain, and at 40% you also have to get lucky, just a bit luckier.

It is true that the majority hashing power, as long as it is all applied to the same purpose, will always win out in the end, but there will always be 'skirmishes' possible where anyone at all, regardless of their hashing power, although with exponentially decreasing likelihood as the hashing power gets lower, 'win' temporarily.  It is also possible for someone of low hashing power to rewrite the top block of the block chain, but it is unclear how disruptive this is.

As I have already pointed out, the 'skirmishes' are harmless.  In fact, they are an expected part of the network's daily functions.  Reorgs occur often enough that it's probable that it happens daily, but there is no way to know for certain because, by definition, such reorgs occur because the reorging nodes found themselves on the minority side of a blockchain split.  There is some evidence that as much as 0.3% of all blocks found by the network are found by a node after another node had already found and published the same block.  Based upon this, it might be closer to every three days, on average.

Certainly, clients that wait for 6 confirmations as recommended are safe from any attempt to subvert the block chain that cannot muster 7 blocks before the chain is extended by one block; and I agree that the chances of anyone, even a majority hashing power holder in the range of 51% - 75% or so, being able to generate 7 blocks before anyone else generates 1, are astronomically low (although rising to within the realm of possibility at 75%, but that would require an extreme amount of hashing power).

However, it is also possible that block chain forks, however they come about, will be disruptive;

How, then, would they be disruptive?

 certainly there are lots of people who seem to be impatient and want to wait for only 1 confirmation (there are people - for example those who started this thread - who want to trust transactions that have only been validated by 1 block on a 2-minutes-per-block schedule), and those people can easily be screwed by a block chain fork of any length (of course it's their fault for trusting unreliable blocks; but how damaging is it to the reputation of bitcoin for people who don't understand the technology behind it to have transactions reverted?  Time will tell).

Additionally, I am not sure how miners handle pending transactions that they've already seen in a block.  Do they drop all transactions from their 'pending transactions' queue whenever they see a block with that transaction in it, on the assumption that they will never want to try to put the transaction into a block again since in the 99.999% of the cases where blocks are valid, they really will never want to try to put that transaction in a block again.  If they do, then one fork in the block chain propogated to a significant number of miners has a good chance of either severely delaying transactions (because they are now only in the pending queues of the remaining miners who *didn't* see the forked, ultimately-doomed, blocks), or dropping the transaction entirely (if the forked block was seen by all miners who then dropped the transaction from their queue).  Of course clients can (and I guess, should) send replacement transactions with a new sequence number at periodic intervals if their transaction doesn't show up in a block, although I don't know if the current client does that or what the most efficient and sustainable rate for clients to be doing this is.

Transactions are dropped upon seeing a valid block containing them.  Transactions are resent by the original client after a certain number of blocks, if the transaction isn't seen in the blockchain.

[kjj]

Yes, I have read the white paper, and yes, I understand it.  The point being argued, at least that I was arguing, is against this notion that 51% is some magical number.  The kind of attacks that 51% enables are also possible with less than 51%, is what I am saying.  I agree with you that the chances of success are very low; but they're also very low at 51%, and only slightly lower at 40%.  At 51% hashing power you have to 'get lucky' to generate blocks so rapidly that you have a chance to muck with the block chain, and at 40% you also have to get lucky, just a bit luckier.

51% is a magic number.  For an offline attack, 51% is the point where if you start right now, you can be sure that you will be some number of blocks ahead in the future, if you wait long enough.  Really 50% + 1 is the magic number, but we round to 51%.

Additionally, I am not sure how miners handle pending transactions that they've already seen in a block.  Do they drop all transactions from their 'pending transactions' queue whenever they see a block with that transaction in it, on the assumption that they will never want to try to put the transaction into a block again since in the 99.999% of the cases where blocks are valid, they really will never want to try to put that transaction in a block again.  If they do, then one fork in the block chain propogated to a significant number of miners has a good chance of either severely delaying transactions (because they are now only in the pending queues of the remaining miners who *didn't* see the forked, ultimately-doomed, blocks), or dropping the transaction entirely (if the forked block was seen by all miners who then dropped the transaction from their queue).  Of course clients can (and I guess, should) send replacement transactions with a new sequence number at periodic intervals if their transaction doesn't show up in a block, although I don't know if the current client does that or what the most efficient and sustainable rate for clients to be doing this is.

Yes, miners delete pending transactions if they are seen in a new block coming in from the network.  But when there is a reorganization, all transactions that were in the invalid blocks and not also in the newly valid blocks are automatically put back into the queue, after validating them using the transactions from the new blocks.

[netrin]

The disconnect is that there are alot of competing threads within this thread and the comments are all fragmented within these discussions, and you're taking that as an opportunity to assume that nobody understands bitcoin.  It is rude to tell everyone that they don't understand bitcoin because there are differences of opinion.

  "Everyone is entitled to his own opinion. But, Senator, you are not entitled to your own facts"
     -- Daniel Patrick Moynihan, 2003 or James R. Schlesinger, 1973

Yes. There are those discussing probabilities to override a single block and there are those discussing double spending attacks in general. No one argues that a node with 1% hashing power has a 1% chance of taking a block if he begins at the same time as all other honest nodes. No one argues that a node with 40% hashing power has some slight chance of taking two blocks. But if we discuss a real attack, involving multiple blocks, the difference between 40% and 51% is enormous. While a 40% attacker might be immediately lucky, if he's not he should give up. On the other hand a 51% attacker is GUARANTEED to override the block chain eventually.

While you can complain about a PROOF involving unlimited time and resources, you can not dispute the fact that the 40% attacker has an unlikely chance which becomes exceedingly more unlikely with time, while a 50+% attacker has a likely chance which becomes more likely with time.

I agree with you that the chances of success are very low; but they're also very low at 51%, and only slightly lower at 40%.  At 51% hashing power you have to 'get lucky' to generate blocks so rapidly that you have a chance to muck with the block chain, and at 40% you also have to get lucky, just a bit luckier.

NO. This is only true on the first block attempt. These chances rapidly diverge with each subsequent honest block generation.

It is true that the majority hashing power, as long as it is all applied to the same purpose, will always win out in the end, but there will always be 'skirmishes' possible where anyone at all...

YES, but NO. Not unless you are discussing competing malice or network isolation. Honest nodes will acknowledge defeat, malicious nodes will not, much like this thread.

Certainly, clients that wait for 6 confirmations as recommended are safe from any attempt to subvert the block chain that cannot muster 7

I didn't follow your train of thought completely, but... just because we feel certain that 6 confirmations is written in stone, that stone can always theoretically be broken, with transactions reversed Dwolla style.

blocks before the chain is extended by one block; and I agree that the chances of anyone, even a majority hashing power holder in the range of 51% - 75% or so, being able to generate 7 blocks before anyone else generates 1...

Let me interrupt again. The attacker only needs to generate 7+ before the honest nodes generate 6, perhaps a few more for good measure.