Dear community of Bitcoiners,
My name is Lear Bahack and I am an Israeli student for mathematics working lately on Bitcoin security analysis and possible constructions of pure proof-of-stake crypto-coins.
Today I had to pinch myself several times because I felt like I am in a bad dream: several months ago I thought of two less-than-50% hash-power theoretical attacks, and waited quietly until November 13th, the IEEE Security and Privacy conference submission deadline. Meanwhile another team has publicly published a simultaneously obtained research, regarding my "Block-Discarding-Attack" which they call shellfish-mining.
The authors propagated their independently obtained results in a rush, in order to make artificial panic around the world. Intentionally misleading blog post written by the authors and titled "Bitcoin is Broken", claims that a pool having 25% of the total hash power can destroy the Bitcoin system right now. Well, this is simply untrue. I can only hope the authors did so in order to promote their first-published paper and not as a way to make easy money, by exploiting the volatile exchange rate.
So there are several things need to be said:
1. First of all, the attack is not new. Both me and the other researchers independently discovered the attack on 2013, however the idea have been tracked to a thread of this forum as early as 2010:
https://bitcointalk.org/index.php?topic=2227.msg30064#msg30064,
https://bitcointalk.org/index.php?topic=2227.msg30083#msg30083.
The idea has long being forgotten since it was obvious to this thread's participants that the idea is definitely unpractical.
A careful mathematical analysis done recently by both me and the other researchers shows that a solo miner with more than 25% of the total hash power and a magical ability to propagate her/his block faster than all other miners, will be able to make mining for the honest miners unprofitable, and theoretically become the only miner.
Although of highly theoretical importance, the Block-Discarding-Attack / Shellfish mining strategy is not an actual threat!
2. The attack is based on secretly holding new mined blocks while trying to mine the next block on top of a secret one. Hence, it is obviously not applicable to pools. A pool must share the secrete block with each of its anonymous members, that could be anyone including the blockchain.info website.
3. As mentioned, I have found another completely different less than 50% hash-power attack, based on innovative idea I will publish soon. Moreover, my mathematical analysis shows that the shellfish-mining strategy is only a one of many block-discarding attack strategies, and that some of them are theoretically applicable especially to some alt-coins. Nevertheless I hereby declare that all attacks are of theoretical importance only!
4. Arguably a Bitcoin protocol change should be made to countermeasure the Block-Discarding-attack. Although the threat is mostly theoretic, indeed it is better to be on the safe side. The other researchers suggest a possible change that will make all network nodes propagate any block they have received, even if there is more than just one.
While this proposal is possible, I suggest a different solution aimed to punish the attacker who intentionally creating forks. My fork-punishment solution is simple to implement and is not based upon asking the users to increase their amount of transmitted data (which they have an incentive not to do).
Let's call a pair of two blocks mined on top of the same older block a "fork evidence". I suggest that a block composer that includes a fork evidence as part of his/her block, where one of the evidence forked blocks is a predecessor of the newly composed block, will be rewarded half of the reward goes to the forked block, and the forked block owner will be totally disrewarded.
This option should obviously be limited to, say, 10 blocks ahead of the fork. This way the reward will not be frizzed longer than it is frizzed now, and an attacker from the future having an improved hash-rate with respect to the past, will not be able to easily create forks and get rewarded.
Attacker (from the present) will have no immediate incentive to artificially make forks since she/he is expected to lose at least half of a block-reward per a fork. However, attacker willing to temporary loses a lot for performing eventually profitable attack, can still do so theoretically.
5. Although I am much frustrated about it, I acknowledge the fact that the other researchers published their results first. We should all respect them for that, although I hope the next time a theoretical attack will be found, researchers will not publish misleading information but the most accurate information.
I will be posting here soon about my improved results. Meanwhile I will just say don’t panic. We have no reason to
Lear.