

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.


rocks
Legendary
Offline
Activity: 1149


May 09, 2015, 09:10:01 PM 

BTW, it is also a myth that >50% is needed to successfully doublespend with a "51%attack". It is needed to guarantee success, but with a substantial share <50% you still have a significant probability of success for whatever finite number of confirmations is considered "enough" by the recipient. If the payoff is high enough this can easily be worth it.
This is where the 6 confirmation rule comes from. Even if someone had 49% hash power it, the probability that they could role back 6 blocks is negligible. So if you have 6 confirmations the odds that a high but less than 50% attacker could reverse a payment is too low to matter. But once you have 51%, you can always determine the longest chain and could eventually roll back any number of blocks.




smooth
Legendary
Offline
Activity: 1624


May 09, 2015, 09:51:00 PM 

BTW, it is also a myth that >50% is needed to successfully doublespend with a "51%attack". It is needed to guarantee success, but with a substantial share <50% you still have a significant probability of success for whatever finite number of confirmations is considered "enough" by the recipient. If the payoff is high enough this can easily be worth it.
This is where the 6 confirmation rule comes from. Even if someone had 49% hash power it, the probability that they could role back 6 blocks is negligible. So if you have 6 confirmations the odds that a high but less than 50% attacker could reverse a payment is too low to matter. But once you have 51%, you can always determine the longest chain and could eventually roll back any number of blocks. No! 6 confirmations comes from the assumption of the attacker having 10% hash rate or less (represented by q in the quote below) Solving for P less than 0.1%...
P < 0.001 q=0.10 z=5 q=0.15 z=8 q=0.20 z=11 q=0.25 z=15 q=0.30 z=24 q=0.35 z=41 q=0.40 z=89 q=0.45 z=340
As the attacker's share of the the hash rate approaches 50% the situation gets much, much worse. At 45% in his example you need >340 confirmations for the attack to succeed less than 1/1000.




rocks
Legendary
Offline
Activity: 1149


May 09, 2015, 10:11:33 PM 

BTW, it is also a myth that >50% is needed to successfully doublespend with a "51%attack". It is needed to guarantee success, but with a substantial share <50% you still have a significant probability of success for whatever finite number of confirmations is considered "enough" by the recipient. If the payoff is high enough this can easily be worth it.
This is where the 6 confirmation rule comes from. Even if someone had 49% hash power it, the probability that they could role back 6 blocks is negligible. So if you have 6 confirmations the odds that a high but less than 50% attacker could reverse a payment is too low to matter. But once you have 51%, you can always determine the longest chain and could eventually roll back any number of blocks. No! 6 confirmations comes from the assumption of the attacker having 10% hash rate or less (represented by q in the quote below) Solving for P less than 0.1%...
P < 0.001 q=0.10 z=5 q=0.15 z=8 q=0.20 z=11 q=0.25 z=15 q=0.30 z=24 q=0.35 z=41 q=0.40 z=89 q=0.45 z=340
As the attacker's share of the the hash rate approaches 50% the situation gets much, much worse. At 45% in his example you need >340 confirmations for the attack to succeed less than 1/1000. At 49% the odds of reversing 6 confirmations may not be 1/1000, but they are still quite low probability, low enough that it is not a reliable attack.




Peter R
Legendary
Offline
Activity: 1064


May 09, 2015, 10:31:51 PM 

BTW, it is also a myth that >50% is needed to successfully doublespend with a "51%attack". It is needed to guarantee success, but with a substantial share <50% you still have a significant probability of success for whatever finite number of confirmations is considered "enough" by the recipient. If the payoff is high enough this can easily be worth it.
This is where the 6 confirmation rule comes from. Even if someone had 49% hash power it, the probability that they could role back 6 blocks is negligible. So if you have 6 confirmations the odds that a high but less than 50% attacker could reverse a payment is too low to matter. But once you have 51%, you can always determine the longest chain and could eventually roll back any number of blocks. No! 6 confirmations comes from the assumption of the attacker having 10% hash rate or less (represented by q in the quote below) Solving for P less than 0.1%...
P < 0.001 q=0.10 z=5 q=0.15 z=8 q=0.20 z=11 q=0.25 z=15 q=0.30 z=24 q=0.35 z=41 q=0.40 z=89 q=0.45 z=340
As the attacker's share of the the hash rate approaches 50% the situation gets much, much worse. At 45% in his example you need >340 confirmations for the attack to succeed less than 1/1000. At 49% the odds of reversing 6 confirmations may not be 1/1000, but they are still quite low probability, low enough that it is not a reliable attack. An attacker with 49% of the hashpower will succeed in doublespending a 6confirm transaction 96% of the time:




Zangelbert Bingledack
Legendary
Offline
Activity: 1036


May 09, 2015, 10:33:43 PM 

Nice! Straight to the top. Looks like it's on course for several hundred.




cypherdoc
Legendary
Offline
Activity: 1764


May 09, 2015, 10:35:02 PM 

2. i think that the majority of ppl in this world want to be honest and wish to live in a society that has order. no one wants to live in chaos. everybody loses. in order for society to continue to progress and evolve, order, dependability, and a semblance of honesty is needed. thus, in a system with so much potential to do good, like Bitcoin, the overwhelming desire is for participants to want to do what makes the system thrive. to the extent that cheating, dishonesty, and colluding erodes confidence and threatens that goal, most participants will avoid those activities.
That is the same faith we put into a topdown democracy. Fact is a power vacuum sucks in those who can maximize the exploitation of the power vacuum. You are violating the fundamental tenet of Satoshi's white paper which is decentralized trust, meaning we don't have to trust that people are honest. you fail to comprehend what i was saying. the above is simply an observation of mine on human behavior which i think is valid. Satoshi's brilliance was that he designed what appears to be a rock solid system that allows it's participants to fulfill their desired behaviors w/o fear of widespread cheating. the incentives programmed into Bitcoin align with their desired behaviors and in fact fosters them. the need for trust is removed for the early adopters. bootstrappers like me saw this brilliance and have invested accordingly and each day that goes by that the protocol doesn't get hacked or that a miner or a cabal of miners fails to perform a 51% is evidence that the system is getting stronger and stronger and more resilient. what's quite obvious is that more and more deep pocketed investors are climbing onboard which makes it much harder for gvts or any bad actor to interfere. we're experiencing a growing economy. if there is any trust necessary it will come from nontech types who can't understand all the nuances and game theory i've outlined above. but their trust is irrelevant for this trustless system to work. they will learn to "trust" the system as it is. the longer Bitcoin stays unhacked the greater that trust will grow from the masses. we're seeing it all around us and ppl like you can't seem to see it. b/c you're a tech you fall squarely into the group i long ago defined: "The geeks fail to understand that which they hath created" You are blacksliding because there doesn't appear to be any solution the fact that pools become concentrated due to the variance cost to them not. It is pure economics.
what centralization? i see the charts decentralizing. and the proof in the pudding is that there are still no 51% attacks despite your FUD and Bitcoin keeps on growing. and ghash has been reduced to a shadow of itself.




cypherdoc
Legendary
Offline
Activity: 1764


May 09, 2015, 10:42:27 PM 

The pools don't have any large investment in hardware. Thus they are free to maximize revenue by any paradigm which does so, including collusion and selling out to the banksters who captured the State and the fiat levers. Economics rules, not morals.
huge inconsistency in logic for someone who claims to be logical. or maybe it's just from someone who lacks comprehension of how Bitcoin incentives work in practice? so if the pools didn't invest in their hardware, then logically you're referring to pools that aggregate individual mining power. if that is the case, how can pool operators freely collude and sell out to banksters or any other attacker when those same individuals can just as freely yank their power out of the pool and point it elsewhere as we saw in ghash?




cypherdoc
Legendary
Offline
Activity: 1764


May 09, 2015, 10:52:06 PM 

Something that's more interesting than the anonymint noise is the underappreciated fact that Satoshi believed Bitcoin's profit incentives were so strong that even if an individual accumulated a majority of the hashing power their desire to be profitable in bitcoin terms would be so strong that they wouldn't use that power to attack the network.
Maybe he was right and maybe he was wrong, but the people who are insisting that Bitcoin mining is too centralized should at least start out making their arguments by acknowledging that position and explaining why they believe it is incorrect.
yes, why not use that 51% of power to mine 51% of the BTC rewards plus fees which is a guaranteed calculable process? why instead would they perform a 51% attack to double spend a cup of coffee at a retail store? i don't say that in jest b/c anything bought online would undergo 6 confirmations before the product ever got shipped out and anything bought at a retail store for substantially more than a cup of coffee would likely be held to a standard of at least 1 confirmation before walking out the door. in fact the incentive was so strong that the 3 pools over the last 6 yrs that got close to 51%, BTCGuild, ghash, and Artforz's pool all either backed down voluntarily or got forced down.




rocks
Legendary
Offline
Activity: 1149


May 09, 2015, 11:10:38 PM 

BTW, it is also a myth that >50% is needed to successfully doublespend with a "51%attack". It is needed to guarantee success, but with a substantial share <50% you still have a significant probability of success for whatever finite number of confirmations is considered "enough" by the recipient. If the payoff is high enough this can easily be worth it.
This is where the 6 confirmation rule comes from. Even if someone had 49% hash power it, the probability that they could role back 6 blocks is negligible. So if you have 6 confirmations the odds that a high but less than 50% attacker could reverse a payment is too low to matter. But once you have 51%, you can always determine the longest chain and could eventually roll back any number of blocks. No! 6 confirmations comes from the assumption of the attacker having 10% hash rate or less (represented by q in the quote below) Solving for P less than 0.1%...
P < 0.001 q=0.10 z=5 q=0.15 z=8 q=0.20 z=11 q=0.25 z=15 q=0.30 z=24 q=0.35 z=41 q=0.40 z=89 q=0.45 z=340
As the attacker's share of the the hash rate approaches 50% the situation gets much, much worse. At 45% in his example you need >340 confirmations for the attack to succeed less than 1/1000. At 49% the odds of reversing 6 confirmations may not be 1/1000, but they are still quite low probability, low enough that it is not a reliable attack. An attacker with 49% of the hashpower will succeed in doublespending a 6confirm transaction 96% of the time: I understand the probability equations, but am trying to understand the logic in how they are being used and how an attacker with less than 50% could have an almost 100% chance of forcing a new longer chain. I would expect that no matter what the probability of being successful would be less than 50%. Let's say I had 49% of the hash rate. I then made a payment (transaction A) to someone, who after 6 confirmation would consider the transaction valid and would then transfer something else over to me. I also immediately construct a different transaction B that double spends and invalidates transaction A. Transaction A broadcasts to the network, and 51% of the hash rate starts hashing on that transaction. Simultaneously I dedicate my 49% of the hash rate on creating confirmations on transaction B. I also have to keep my chain a secret, so that the P2P network will only see the chain with transaction A and at some point acknowledge 6 confirmation on transaction A. After this happens the other person transfers something to myself (lets say a title to a car). Once I have received my counter payment (the title) my goal is to now reverse the original transaction A, by announcing a new longer chain containing transaction B to the network. In order to reverse this, I now have to have a longer chain (i.e. 7 or more) in order to make the the network reorg and switch to my chain (if I only announce a new chain of 6, the network will continue to use the first chain of 6 it received). Since my hash rate is 49%, and the rest of the network has 51%, it seems that the odds of the secret chain I've been working on (with 49%) being longer than the chain the rest of the network (51%) has been working on is less than 50/50. And again since my chain needs to be longer to force a reorg, the odds are less. I'm not saying that a 49% attacker cannot reverse 6 confirm transactions, but it seems it has to be a bit less than 50% of the time.




Peter R
Legendary
Offline
Activity: 1064


May 09, 2015, 11:18:51 PM 

An attacker with 49% of the hashpower will succeed in doublespending a 6confirm transaction 96% of the time: I understand the probability equations, but am trying to understand the logic in how they are being used and how an attacker with less than 50% could have an almost 100% chance of forcing a new longer chain. ... I think there's two ways to look at it: 1. Clearly, if an attacker has 50.0001%, then he has a 100% chance of eventually forging the longest chain. If the attacker has 49.9999% instead, it makes sense that he'd have almost 100% chance, but not quite (why would it suddenly drop to less than 50%?). 2. It's the attacker who gets to choose when to broadcast the attack chain. Just by random luck, there's a good chance that at some point the attacker will hit a lucky streak and mine several blocks in quick succession. When he hits this lucky streak and pulls ahead of the honest chain, he broadcasts his attack chain.




bassclef


May 09, 2015, 11:24:59 PM 

huge inconsistency in logic for someone who claims to be logical. or maybe it's just from someone who lacks comprehension of how Bitcoin incentives work in practice?
He's just jealous that he didn't think of Bitcoin before Satoshi. But he's apparently created something better, so we will wait with bated breath until he reveals it to the world and his superior intellect will finally get the recognition that it deserves.




cypherdoc
Legendary
Offline
Activity: 1764


May 09, 2015, 11:28:53 PM 

An attacker with 49% of the hashpower will succeed in doublespending a 6confirm transaction 96% of the time: I understand the probability equations, but am trying to understand the logic in how they are being used and how an attacker with less than 50% could have an almost 100% chance of forcing a new longer chain. ... I think there's two ways to look at it: 1. Clearly, if an attacker has 50.0001%, then he has a 100% chance of eventually forging the longest chain. If the attacker has 49.9999% instead, it makes sense that he'd have almost 100% chance, but not quite (why would it suddenly drop to less than 50%?). 2. It's the attacker who gets to choose when to broadcast the attack chain. Just by random luck, there's a good chance that at some point the attacker will hit a lucky streak and mine several blocks in quick succession. When he hits this lucky streak and pulls ahead of the honest chain, he broadcasts his attack chain. but assuming the attacker with 49% hashrate starts constructing his alternative secret chain at the same moment he pays for his toaster at the check out stand, there is absolutely no chance that he'll hit that lucky streak of block formation within the next hour or 6 blocks.




Peter R
Legendary
Offline
Activity: 1064


May 09, 2015, 11:33:44 PM 

An attacker with 49% of the hashpower will succeed in doublespending a 6confirm transaction 96% of the time: I understand the probability equations, but am trying to understand the logic in how they are being used and how an attacker with less than 50% could have an almost 100% chance of forcing a new longer chain. ... I think there's two ways to look at it: 1. Clearly, if an attacker has 50.0001%, then he has a 100% chance of eventually forging the longest chain. If the attacker has 49.9999% instead, it makes sense that he'd have almost 100% chance, but not quite (why would it suddenly drop to less than 50%?). 2. It's the attacker who gets to choose when to broadcast the attack chain. Just by random luck, there's a good chance that at some point the attacker will hit a lucky streak and mine several blocks in quick succession. When he hits this lucky streak and pulls ahead of the honest chain, he broadcasts his attack chain. but assuming the attacker with 49% hashrate starts constructing his alternative secret chain at the same moment he pays for his toaster at the check out stand, there is absolutely no chance that he'll hit that lucky streak of block formation within the next hour or 6 blocks. Yes, that's a really good point Cypherdoc. The equation I used (which I took from the Satoshi white paper), gives the probability that the attacker will be able to double spend if he is willing to work on the attack chain forever. In reality, he would give up at some point. It would be interesting to calculate the probability that the attacker succeeds within X number of blocks.




cypherdoc
Legendary
Offline
Activity: 1764


May 09, 2015, 11:38:27 PM 

An attacker with 49% of the hashpower will succeed in doublespending a 6confirm transaction 96% of the time: I understand the probability equations, but am trying to understand the logic in how they are being used and how an attacker with less than 50% could have an almost 100% chance of forcing a new longer chain. ... I think there's two ways to look at it: 1. Clearly, if an attacker has 50.0001%, then he has a 100% chance of eventually forging the longest chain. If the attacker has 49.9999% instead, it makes sense that he'd have almost 100% chance, but not quite (why would it suddenly drop to less than 50%?). 2. It's the attacker who gets to choose when to broadcast the attack chain. Just by random luck, there's a good chance that at some point the attacker will hit a lucky streak and mine several blocks in quick succession. When he hits this lucky streak and pulls ahead of the honest chain, he broadcasts his attack chain. but assuming the attacker with 49% hashrate starts constructing his alternative secret chain at the same moment he pays for his toaster at the check out stand, there is absolutely no chance that he'll hit that lucky streak of block formation within the next hour or 6 blocks. Yes, that's a really good point Cypherdoc. The equation I used (which I took from the Satoshi white paper), gives the probability that the attacker will be able to double spend if he is willing to work on the attack chain forever. In reality, he would give up at some point. It would be interesting to calculate the probability that the attacker succeeds within X number of blocks. and forever is financially impractical b/c at 49% hashrate statistically he will begin to fall further and further behind to the pt that the lucky "spurt" in block formation will most likely not be enough to propel him ahead of the 51% chain.




Zangelbert Bingledack
Legendary
Offline
Activity: 1036


May 09, 2015, 11:39:13 PM 

Here's a thought about Gmax's "big block attack" where powerful miners try to eliminate their competition by producing very large blocks that the smaller miners can't handle:
In the absence of a blocksize cap, if I understand correctly, the limiting factor on how big a miner can profitably make their blocks (the orphan rate) correlates negatively with bandwidth in the network, but bandwidth itself it a major factor limiting smaller miners' ability to handle those large blocks. Is there some way that, in essence, the inability of the network to handle large blocks issued by a powerful miner would itself defeat the attack by frequently orphaning such blocks? (Thus making it prohibitively expensive to sustain the attack long enough to actually put any miners out of business.)
This sounds too good to be true, since it suggests a kind of soft consensus mechanism where miners would be prevented from "doing their own thing" too much precisely because others couldn't keep up. I await correction from someone more familiar with mining.




cypherdoc
Legendary
Offline
Activity: 1764


May 09, 2015, 11:48:59 PM 

Here's a thought about Gmax's "big block attack" where powerful miners try to eliminate their competition by producing very large blocks that the smaller miners can't handle:
In the absence of a blocksize cap, if I understand correctly, the limiting factor on how big a miner can profitably make their blocks (the orphan rate) correlates negatively with bandwidth in the network, but bandwidth itself it a major factor limiting smaller miners' ability to handle those large blocks. Is there some way that, in essence, the inability of the network to handle large blocks issued by a powerful miner would itself defeat the attack by frequently orphaning such blocks? (Thus making it prohibitively expensive to sustain the attack long enough to actually put any miners out of business.)
This sounds too good to be true, since it suggests a kind of soft consensus mechanism where miners would be prevented from "doing their own thing" too much precisely because others couldn't keep up. I await correction from someone more familiar with mining.
are you sure (bolded part)? the bigger the network bandwidth, the faster a bloat block constructed by an attacking large miner would propagate thus increasing their chances of tormenting smaller miners. conversely, the smaller the bandwidth, the higher the latency and thus the higher probability of the bloat block being orphaned resulting in failure of the attack.




Zangelbert Bingledack
Legendary
Offline
Activity: 1036


May 10, 2015, 12:00:33 AM 

An attacker with 49% of the hashpower will succeed in doublespending a 6confirm transaction 96% of the time: I understand the probability equations, but am trying to understand the logic in how they are being used and how an attacker with less than 50% could have an almost 100% chance of forcing a new longer chain. ... I think there's two ways to look at it: 1. Clearly, if an attacker has 50.0001%, then he has a 100% chance of eventually forging the longest chain. If the attacker has 49.9999% instead, it makes sense that he'd have almost 100% chance, but not quite (why would it suddenly drop to less than 50%?). 2. It's the attacker who gets to choose when to broadcast the attack chain. Just by random luck, there's a good chance that at some point the attacker will hit a lucky streak and mine several blocks in quick succession. When he hits this lucky streak and pulls ahead of the honest chain, he broadcasts his attack chain. On this, is it the case that every failed attempt essentially wastes all the block rewards the miner would have otherwise gotten? So for example with 50% of all the hashing power if they had an expected block income of 3 blocks at 25 BTC apiece during their 6confirmation doublespend attempt, they forego an average of 75 BTC every time they attempt this unsuccessfully?* Does that mean, assuming they have to try an average of 2^6 = 64 times to succeed, the attacker would need to be buying something worth more than 75 x 64 = 4800 BTC (currently about $1 million) to have an expected profit? If so, then the price rising 100x again requires them to be buying an item worth $100 million, etc. so it seems pretty solid. *Actually significantly less I guess because if they for example mine two blocks then miss the third one, they start over so they are only out around 25 for two blocks they were offline for.




inca
Legendary
Offline
Activity: 1162


May 10, 2015, 12:04:31 AM 

Yes, but profit based incentives only work if you assume the adversary is motivated by greed. Excepting a major technical failure or something better appearing, the only foes I worry about with respect to bitcoin already own printers  and they aren't afraid to use them!
The question then becomes whether or not any technical solution is possible against attackers who have printers and aren't afraid to use them. Wouldn't it suck to implement countermeasures against such attackers that not only won't work and also hinder legitimate use or, even worse, make attacks more likely instead of less likely? I would have to agree that it would be impossible to defend bitcoin against an adversary with unlimited funds. They could attack the network directly with a 51% attack to smash confidence in the nascent store of value (that would go down badly on Wall st), or simply do as we must imagine they are doing now and use regulatory and legal means to try and keep bitcoin contained. But lets not forget the old price manipulation strategy, our friendly overlords central bankers have a vast experience of controlling financial markets now. My position is probably that even if they do kill bitcoin as a viable counter currency and store of value, that like a hydra, another will grow in it's wake, this time hardened in some way. It may be in their interests to simply allow bitcoin to exist as a digital asset, a digital curio, in the knowledge that currently it will not scale up sufficiently to function as a reserve currency.




Zangelbert Bingledack
Legendary
Offline
Activity: 1036


May 10, 2015, 12:05:02 AM 

Here's a thought about Gmax's "big block attack" where powerful miners try to eliminate their competition by producing very large blocks that the smaller miners can't handle:
In the absence of a blocksize cap, if I understand correctly, the limiting factor on how big a miner can profitably make their blocks (the orphan rate) correlates negatively with bandwidth in the network, but bandwidth itself it a major factor limiting smaller miners' ability to handle those large blocks. Is there some way that, in essence, the inability of the network to handle large blocks issued by a powerful miner would itself defeat the attack by frequently orphaning such blocks? (Thus making it prohibitively expensive to sustain the attack long enough to actually put any miners out of business.)
This sounds too good to be true, since it suggests a kind of soft consensus mechanism where miners would be prevented from "doing their own thing" too much precisely because others couldn't keep up. I await correction from someone more familiar with mining.
are you sure (bolded part)? the bigger the network bandwidth, the faster a bloat block constructed by an attacking large miner would propagate thus increasing their chances of tormenting smaller miners. conversely, the smaller the bandwidth, the higher the latency and thus the higher probability of the bloat block being orphaned resulting in failure of the attack. I'm very much not sure since I'm not familiar with mining technicals, but I think that's what I was saying: the lower the bandwidth in the network, the higher chance of failure of the attack. The key thing I meant to ask, though, is whether a high amount of bandwidth in the network implies a high average capacity of the miners, meaning it's harder to torment them? In other words, in proposing that attack, is Gmax assuming two mutually incompatible situations are present at once: 1) the network is so slow on average that big blocks can torment many of the miners, and the network is so fast on average that the big blocks won't be orphaned?




