Bitcoin Forum
December 09, 2016, 01:53:24 PM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Double spend vulnerability due to withholding exceptionally difficult blocks?  (Read 2994 times)
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
March 14, 2011, 02:50:23 AM
 #1

I thought of a plausible double spend vulnerability...can anyone confirm or debunk?

While mining, occasionally you'll get a block whose difficulty value far exceeds the minimum threshold.  For example, not too long ago, I got a block that was "accepted, 000002xx" (poclbm) which if I calculate right, corresponds to a difficulty well above 5 million, while the threshold for acceptance at the time was something along the lines of seeing "accepted, 0001xxxx" or lower (the difficulty in the 55,000 range IIRC).

It's my understanding that block chains are accepted based on their total difficulty, not so much their length.

What would happen if I had a modified bitcoin client that was constantly trying to hash a block that spends all my BTC's to other addresses that I own, and then I ran my miners solely to create a block with an extraordinary large difficulty that vastly exceeded the minimum threshold.  (This presumably could take me weeks)

Once I was successful in generating such a block, if I were to hold onto that block for a while and not relay it to the network, I could probably have a window of several hours to do lots of spending before turning it loose and having it invalidate the chain and take back my money.

If I had pulled such a thing off at the time, the blocks I'd be invalidating would probably consist of lots of blocks of difficulty similar to 55,000, after only a couple hours, even the next ten or twenty new blocks are highly unlikely to add up to 5 million.  So, after I finished my spending spree, I'd publish my replacement block, which would invalidate several recent blocks and replace them with my transactions that spent all that BTC back to myself.

If I did such a thing, I could probably rip off merchants and exchangers who consider a transaction good after six or some other small number of confirmations.

Yea or nay?

If yea, an easy remedy would be to limit the "premium" of weight ascribed to blocks that have vastly greater difficulty than the minimum threshold for acceptance.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
1481291604
Hero Member
*
Offline Offline

Posts: 1481291604

View Profile Personal Message (Offline)

Ignore
1481291604
Reply with quote  #2

1481291604
Report to moderator
1481291604
Hero Member
*
Offline Offline

Posts: 1481291604

View Profile Personal Message (Offline)

Ignore
1481291604
Reply with quote  #2

1481291604
Report to moderator
1481291604
Hero Member
*
Offline Offline

Posts: 1481291604

View Profile Personal Message (Offline)

Ignore
1481291604
Reply with quote  #2

1481291604
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481291604
Hero Member
*
Offline Offline

Posts: 1481291604

View Profile Personal Message (Offline)

Ignore
1481291604
Reply with quote  #2

1481291604
Report to moderator
1481291604
Hero Member
*
Offline Offline

Posts: 1481291604

View Profile Personal Message (Offline)

Ignore
1481291604
Reply with quote  #2

1481291604
Report to moderator
1481291604
Hero Member
*
Offline Offline

Posts: 1481291604

View Profile Personal Message (Offline)

Ignore
1481291604
Reply with quote  #2

1481291604
Report to moderator
theymos
Administrator
Legendary
*
expert
Offline Offline

Activity: 2506


View Profile
March 14, 2011, 03:27:37 AM
 #2

It's the target difficulty that is used in the "length" calculation, not individual block hashes.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526


View Profile
March 14, 2011, 09:36:26 AM
 #3

Difficulty transitions are checked according to a shared global formula. You can't create a block that has some random difficulty you just made up. It has to match the difficulty calculated by the formula, which looks at how many blocks were solved in a two week time window.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
March 14, 2011, 06:35:09 PM
 #4

Difficulty transitions are checked according to a shared global formula. You can't create a block that has some random difficulty you just made up. It has to match the difficulty calculated by the formula, which looks at how many blocks were solved in a two week time window.

I was not referring to changing the value in the target difficulty field of the block structure.  Rather, I was referring to the difficulty "value" of the hash itself, which is 2^32 divided by the second 32 bits of the hash, which is what needs to meet or exceed the target difficulty, and which just about always exceeds the target difficulty by some measure, sometimes small, sometimes big.

It's the target difficulty that is used in the "length" calculation, not individual block hashes.

This makes sense, and if that's how it's done, that means the issue pretty much doesn't exist.


Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
iya
Member
**
Offline Offline

Activity: 81


View Profile
March 14, 2011, 07:34:38 PM
 #5

I was not referring to changing the value in the target difficulty field of the block structure.  Rather, I was referring to the difficulty "value" of the hash itself, which is 2^32 divided by the second 32 bits of the hash, which is what needs to meet or exceed the target difficulty, and which just about always exceeds the target difficulty by some measure, sometimes small, sometimes big.

It's just statistics. If you find a hash which is smaller than the required minimum, it's not unlikely that it is much smaller.
This doesn't mean that the block was harder – there is no such thing.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
March 15, 2011, 12:30:23 AM
 #6

It's just statistics. If you find a hash which is smaller than the required minimum, it's not unlikely that it is much smaller.
This doesn't mean that the block was harder – there is no such thing.

It's not so much me thinking the block is "harder": If the block was given more weight in determining the longest chain just because it represented a greater apparent "proof of work", it would potentially enable a vicious double spend scenario.  To the extent the block is given no more weight than the minimum difficulty regardless of the has value as theymos said, the problem I suggested could exist, doesn't exist.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Jim Hyslop
Member
**
Offline Offline

Activity: 98


View Profile
March 20, 2011, 06:46:24 PM
 #7

It's just statistics. If you find a hash which is smaller than the required minimum, it's not unlikely that it is much smaller.
This doesn't mean that the block was harder – there is no such thing.
I disagree. I consider a block "harder" to solve if it requires more guesses. A block where the nonce value is 1 is easier to solve, IMO, than a block where the nonce value is 1,000,000. Some blocks won't even have a solution - no value of the nonce from 0 through 0xFFFFFFFF (inclusive) will generate a hash that meets the target requirement. Would you not consider that block impossible to solve? And is impossibility not a measure of difficulty?

To the extent the block is given no more weight than the minimum difficulty regardless of the has value as theymos said, the problem I suggested could exist, doesn't exist.
What you described sounds like the "finney attack" (or at least, my understanding of the Finney attack).

You do have a window of opportunity, but it would be measured in minutes, not hours. On average, your window will be 10 minutes minus the time it took you to find your solution (and, of course, averages cannot be applied to individual events, so you cannot predict exactly how much time you really have). Unless the value you're trying to double-spend is high, you're better off just submitting the block and claiming the 50BTC reward.

Like my answer? Did I help? Tips gratefully accepted here: 1H6wM8Xj8GNrhqWBrnDugd8Vf3nAfZgMnq
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
March 20, 2011, 10:05:14 PM
 #8

I disagree. I consider a block "harder" to solve if it requires more guesses. A block where the nonce value is 1 is easier to solve, IMO, than a block where the nonce value is 1,000,000. Some blocks won't even have a solution - no value of the nonce from 0 through 0xFFFFFFFF (inclusive) will generate a hash that meets the target requirement. Would you not consider that block impossible to solve? And is impossibility not a measure of difficulty?

The nonce isn't the only thing that matters, it's only 32 bits of the entire hash input.  There's also the extraNonce and the time, as well as the hash of the transaction list, which is different for everybody.  There are more bits that have to be "guessed" than the nonce to find a solution.

Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.

Right now, only one hash attempt in about 327 trillion (at current dificulty level) will solve a block.  That's a far wider range than 0 thru 0xFFFFFFFF.  It's more like one in about 0xFFFFFFFFFFFF.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Jim Hyslop
Member
**
Offline Offline

Activity: 98


View Profile
March 20, 2011, 11:26:57 PM
 #9

I disagree. I consider a block "harder" to solve if it requires more guesses. A block where the nonce value is 1 is easier to solve, IMO, than a block where the nonce value is 1,000,000. Some blocks won't even have a solution - no value of the nonce from 0 through 0xFFFFFFFF (inclusive) will generate a hash that meets the target requirement. Would you not consider that block impossible to solve? And is impossibility not a measure of difficulty?

The nonce isn't the only thing that matters, it's only 32 bits of the entire hash input.  There's also the extraNonce and the time, as well as the hash of the transaction list, which is different for everybody.  There are more bits that have to be "guessed" than the nonce to find a solution.
The extra nonce and the time are relatively stable compared to the nonce. I didn't mention them because I consider them part of the block to be solved: the extra nonce changes the Merkle root, and the timestamp is in the block itself.

Quote
Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.
Huh I really don't see how you came to that conclusion from what I wrote. I never said that because one was easy to find, they are all easy to find. I compared two single occurrences, and asserted that one was easier than the other, therefore it is possible to say that some blocks are harder to solve than others.

Besides which, your analogy is flawed. Finding a $20 bill is a random event, unless you spend your day hunting for $20 bills. Finding a solution to a block is (or should be) a methodical approach: try one value. If it doesn't work, try the next value. If it doesn't work, try the next value. And so on, until you exhaust the values, at which point you adjust one of the other two parameters (extra nonce and timestamp), or generate a whole new block with a different set of transactions.

A guess involves adjusting one or more of the nonce, extra nonce or timestamp. More guesses mean more work for the CPU, more work means it is harder.

All of which strengthens my claim: some blocks are harder to solve than others.

Like my answer? Did I help? Tips gratefully accepted here: 1H6wM8Xj8GNrhqWBrnDugd8Vf3nAfZgMnq
Pieter Wuille
Legendary
*
qt
Offline Offline

Activity: 1036


View Profile WWW
March 21, 2011, 01:32:22 AM
 #10

All of which strengthens my claim: some blocks are harder to solve than others.

I disagree, the work you need to for every block on average is identical. It is the criterion you use for marking a certain block as good or bad what will cause the difficulty. And as long as that criterion is (integer value of hash is less than given_number), all blocks that match have identical difficulty. The fact that only some of those blocks would also match a higher difficulty (and thus a different criterion), doesn't change that.

You could of course talk about the effective number of hashes one needed to try to find a block, instead of their average expected number of hashes, as you say. That's possible and reasonable, but not very useful in this context.

aka sipa, core dev team

Tips and donations: 1KwDYMJMS4xq3ZEWYfdBRwYG2fHwhZsipa
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
March 21, 2011, 04:33:00 AM
 #11

Quote
Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.
Huh I really don't see how you came to that conclusion from what I wrote. I never said that because one was easy to find, they are all easy to find. I compared two single occurrences, and asserted that one was easier than the other, therefore it is possible to say that some blocks are harder to solve than others.

If the $20 bill is sitting at your doorstep and not mine, then easier for you, but not for me.  That's not the same thing as easy.

Quote from: Jim Hyslop
A block where the nonce value is 1 is easier to solve

... if you mean "easier to solve when one happens to have luckily picked the right nonce and timestamp to make that possible..." then you're right.  Of course, Jennifer Aniston is easy too... if she happens to show up drunk on my doorstep after a wild series of wrong turns through Salt Lake City that shake off her entire posse...





Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Jim Hyslop
Member
**
Offline Offline

Activity: 98


View Profile
March 21, 2011, 04:53:47 AM
 #12

Quote
Otherwise this is like suggesting that because you walked out your front door and found a $20 dollar bill lying in the street, that $20 dollar bills are easy to find.
Huh I really don't see how you came to that conclusion from what I wrote. I never said that because one was easy to find, they are all easy to find. I compared two single occurrences, and asserted that one was easier than the other, therefore it is possible to say that some blocks are harder to solve than others.

If the $20 bill is sitting at your doorstep and not mine, then easier for you, but not for me.  That's not the same thing as easy.
Did you even read what I wrote? I never claimed anything was easy.

Quote
Quote from: Jim Hyslop
A block where the nonce value is 1 is easier to solve
Stay current, please, I abandoned that argument already.

Quote
... if you mean "easier to solve when one happens to have luckily picked the right nonce and timestamp to make that possible..." then you're right.  Of course, Jennifer Aniston is easy too... if she happens to show up drunk on my doorstep after a wild series of wrong turns through Salt Lake City that shake off her entire posse...
Please stop with the irrelevant, nonsensical analogies.

OK, do you agree with this statement: it takes longer to find a solution to some blocks than it does for other blocks.
Yes or no?

Like my answer? Did I help? Tips gratefully accepted here: 1H6wM8Xj8GNrhqWBrnDugd8Vf3nAfZgMnq
Jim Hyslop
Member
**
Offline Offline

Activity: 98


View Profile
March 21, 2011, 04:55:50 AM
 #13

All of which strengthens my claim: some blocks are harder to solve than others.

I disagree, the work you need to for every block on average is identical.
On average, yes. But we aren't discussing averages, we are discussing individual blocks.

Quote
You could of course talk about the effective number of hashes one needed to try to find a block, instead of their average expected number of hashes, as you say. That's possible and reasonable, but not very useful in this context.
That's basically what I'm getting at.

Like my answer? Did I help? Tips gratefully accepted here: 1H6wM8Xj8GNrhqWBrnDugd8Vf3nAfZgMnq
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
March 21, 2011, 05:05:04 AM
 #14

OK, do you agree with this statement: it takes longer to find a solution to some blocks than it does for other blocks.
Yes or no?

Each block is just as hard to solve as any other block with the same difficulty.  Some get solved sooner than later, and that's 100% due to pure chance, 0% to do with the intrinsic properties of the block.

Suppose someone solves a block in 5 seconds.  Then, for whatever reason, (perhaps due to a software bug that allowed an illegal transaction, as happened once before) we decide that we need to roll back that block and every one after it.  The same block must be re-solved.  Will the same block require 5 seconds to solve the second time?  I think not.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!