Bitcoin Killswitch

[TwinWinNerD]

Also, there are "Red Alert" scenarios, that would fix malicious attacks in the shortterm, even 51% attacks, but there is nothing longterm!

Sure there is. If we are being 51% attacked by a miner using SHA256 ASICS we could switch to another hashing algorithm. If we are being 51% attacked by some multi-purpose hardware that can efficiently run many hashing algorithms, then we can replace the POW system with something else.

While these kind of changes will be hard to swallow and you may have a hard time convincing people to make these kind of changes, they are always an option.

I meant longterm in the sence that we don't change from SHA256. The majority of hashpower will always win there longterm. But that is not an issue but foremost a feature.

You are absolutely right, in the end a switch to delegated proof of stake or something similar is a good alternative, though I hope it never get chosen out of a NEED due to an attack!

[adamstgBit]

the majority overrule hashing power.

you know what i mean?
i'm wondering if you guys agree with this or not?

Whatever you seem to mean is not true. The hardcoded checkpoints decided by devs overrule overything.

say everyone wants to kick off a huge malicious miner off the network, ( it makes no sense for a miner to act maliciously but lets say it happening ), someone with like 30% hashing power start attacking, everyone wants to kick him off, the core is patched to block this miner, everyone upgrades because they wish it, and there you go, majority overruled hashing power.

point is hashing is just a way of achieving consensus in an automated way, and can be side swiped given "manual" consensus.

There is literally no way this would work. You could block IPs submitting blocks, or find another workaround.
BUT if this guy is really malicious, than he is watching everything very carefully and will be proactively changing his IP and setting to something different.

Also, there are "Red Alert" scenarios, that would fix malicious attacks in the shortterm, even 51% attacks, but there is nothing longterm!

exactly.

all i'm trying to say is that, its our network, and we choose how it works in every detail, just because someone has alot of hashing power doesn't give him any real, long term, power over the system, the will of the majority supersede all.

Bitcoin could as a last resort become a pure POS coin for a while too.

it doesn't need to

hashing power will ALWAYS service US, the moment it doesn't we ignore it

[keithers]

Well hypothetically of there was a killswitch and it was triggered, it would kill bitcoin (hence the name killswitch). Most technically savvy people who read the code would have noticed this however.

[An amorous cow-herder]

Without checkpoints a competing blockchain starting of the genesis block with a simple 7% difficulty growth per switch would be at the same length as the current blockchain. And just be running at ~ 300GH/s.

It would help if you learned how Bitcoin works.   "Longest chain" doesn't mean highest block height it means the chain consisting of valid blocks with the highest total cummulative difficulty.   Your chain with 7% difficulty growth every 2016 blocks would never be the longest chain.  There are no shortcuts to the longest chain.    The current longest chain is ~2^70 hashes worth of work.  The only way to make one longer would be to do more work.

Citation required (preferably a link to the source file).

In other words you are saying that if two chains started with the same hashrate and one chain mined at this rate constantly (2016 blocks per 14 days, or 4032 per 28 days) while an other one alternates between this hashrate and double the hashrate (thus creating the first 2016 blocks in 7 days and then 28 days thereafter, or 35 days per 4032 blocks) the later chain would be valid even if this is shorter since it has a higher "cumulative difficulty"?

So you are saying that an attacker with sufficient hashrate (e.g. a company or gov with access to a huge batch of next-gen asics) could just fork of an old block and create a new valid shorter chain as long as cumulative has rate is higher???

[Roy Badami]

Without checkpoints a competing blockchain starting of the genesis block with a simple 7% difficulty growth per switch would be at the same length as the current blockchain. And just be running at ~ 300GH/s.

It would help if you learned how Bitcoin works.   "Longest chain" doesn't mean highest block height it means the chain consisting of valid blocks with the highest total cummulative difficulty.   Your chain with 7% difficulty growth every 2016 blocks would never be the longest chain.  There are no shortcuts to the longest chain.    The current longest chain is ~2^70 hashes worth of work.  The only way to make one longer would be to do more work.

Citation required (preferably a link to the source file).

In other words you are saying that if two chains started with the same hashrate and one chain mined at this rate constantly (2016 blocks per 14 days, or 4032 per 28 days) while an other one alternates between this hashrate and double the hashrate (thus creating the first 2016 blocks in 7 days and then 28 days thereafter, or 35 days per 4032 blocks) the later chain would be valid even if this is shorter since it has a higher "cumulative difficulty"?

So you are saying that an attacker with sufficient hashrate (e.g. a company or gov with access to a huge batch of next-gen asics) could just fork of an old block and create a new valid shorter chain as long as cumulative has rate is higher???

Yes.

Here's a thought experiment for you.  Imagine that the day Satoshi launched Bitcoin someone forked the blockchain, right from the Genesis block.  He's been mining, on a tiny computer, since that day.  On his chain, the difficulty never went much above 1, because he's the only miner - but his chain still produces one block every ten minutes.   He's been doing this since day 1, and his blockchain is about the same length as the real one.  It varies from time to time - sometimes his chain is a couple of blocks longer, sometimes a couple of blocks shorter.

Today, his chain is a couple of blocks longer than the public chain.  Today, he broadcasts all his blocks to the world.

In a naive world, his 313631 blocks would be considered longer than the official chain of 313629 blocks, and every client on the planet would immediately have a block reorganisation, and accept his chain as valid.

But Satoshi wasn't naive.  In the real world, his chain is worthless, because a block mined at difficulty 18 billion is considered to be 18 billion times more work than a block mined at difficulty 1.

Of course, there are all sorts of other reasons why the attack wouldn't work - you can never have a block reoganisation that goes back past the last checkpoint, and anyway, the average block interval on the public chain is significantly less than 10 minutes due to rising hash rate (so in reality the public chain would be longer in terms of block height anyway).  But I hope this example helps you see why Satoshi designed it this way.

roy

[An amorous cow-herder]

Citation required (preferably a link to the source file).

Yes.

I really would prefer a link to the source. Found those for checkpoints, but a quick google didnt find anything corresponding to a "cumulative difficulty".

Here's a thought experiment for you.  Imagine that the day Satoshi launched Bitcoin someone forked the blockchain, right from the Genesis block.  He's been mining, on a tiny computer, since that day.  On his chain, the difficulty never went much above 1, because he's the only miner - but his chain still produces one block every ten minutes.   He's been doing this since day 1, and his blockchain is about the same length as the real one.  It varies from time to time - sometimes his chain is a couple of blocks longer, sometimes a couple of blocks shorter.

I already played that thought experiment. Given the average increase of ~7% per difficulty switch this hypothetical chain would have a difficulty of 1.07^155 or roughly 36k.

Today, his chain is a couple of blocks longer than the public chain.  Today, he broadcasts all his blocks to the world.

In a naive world, his 313631 blocks would be considered longer than the official chain of 313629 blocks, and every client on the planet would immediately have a block reorganisation, and accept his chain as valid.

But Satoshi wasn't naive.  In the real world, his chain is worthless, because a block mined at difficulty 18 billion is considered to be 18 billion times more work than a block mined at difficulty 1.

As i said i still want to see that in code.
Because what you are saying is very naive. I dont believe Satoshi was that naive.
Given the exponentially decrease in network security (due to block reward halvings) relative to the worth of the network the attack would just get cheaper relative to potential disruption. As soon as undoing a transaction (even if its more than 6 blocks old) is a lot cheaper than actually loosing the money you spent, hey whats to stop someone. Well, except for the central bitcoin authority adding more checkpoints.

[Roy Badami]

Because what you are saying is very naive. I dont believe Satoshi was that naive.

It's a thought experiment, so by definition it's naive.  The purpose wasn't to demonstrate a real attack scenario - it was to try and help motivate why this is a better way to define the longest chain.

[An amorous cow-herder]

The purpose wasn't to demonstrate a real attack scenario - it was to try and help motivate why this is a better way to define the longest chain.

Do you mean "why you would think this would be a better way" or that "its actually being done this way"?

[jl2012]

What would be the consequences?

orphaned block, not a shit was given.

And if the block was several blocks longer than the "valid" block chain?
<edit>I mean, if the "attacking" blockchain was longer?<edit>

The attacking blockchain will be considered as invalid by other people, and will be ignored. It's length is irrelevant

By the way, this topic has nothing to do with this speculation section.

[Roy Badami]

The purpose wasn't to demonstrate a real attack scenario - it was to try and help motivate why this is a better way to define the longest chain.

Do you mean "why you would think this would be a better way" or that "its actually being done this way"?

It is actually being done this way.  Why do you think otherwise?

Not a link to the code, I know, but the developer documentation says "Assuming a fork only contains valid blocks, normal peers always follow the longest fork (the most difficult chain to recreate) and throw away (orphan) blocks belonging to shorter forks." https://bitcoin.org/en/developer-guide#block-height-and-forking

Let me turn this around.  Everyone is telling you it is done this way - why are you somehow convinced it isn't?

[piramida]

The code you are looking for is comparison between blockchain difficulties. The parameter is nChainWork which is a sum of work of all found blocks on the chain. This parameter decides which chain lives (main.cpp line 80 for example)

[An amorous cow-herder]

Let me turn this around.  Everyone is telling you it is done this way - why are you somehow convinced it isn't?

Simply because your link says the opposite of what you said.

... due to the fact that the longest chain is by definition the true chain.

[An amorous cow-herder]

The code you are looking for is comparison between blockchain difficulties. The parameter is nChainWork which is a sum of work of all found blocks on the chain. This parameter decides which chain lives (main.cpp line 80 for example)

Ok, finally a decent answer, gonna check it.

[aminorex]

in this most ridiculous sanrio it would fly.

In this most ridiculous Sanrio it would fly:

[aminorex]

By the way, this topic has nothing to do with this speculation section.

Risk is always central to speculation, so I disagree.  It's silly, but it's not irrelevant.

Now my Eva Air grab, that was irrelevant.

[cinnamon_carter]

keep dreaming go back to sleep

[Roy Badami]

No, the developer documentation says "the most difficult chain to recreate", but I really don't know why we're arguing about this.

[An amorous cow-herder]

No, the developer documentation says "the most difficult chain to recreate", but I really don't know why we're arguing about this.

Well, to be precise it says

Assuming a fork only contains valid blocks, normal peers always follow the longest fork (the most difficult chain to recreate) and throw away (orphan) blocks belonging to shorter forks.

and

For a client to be fooled, an adversary would need to give a complete alternative block chain history that is of greater difficulty than the current “true” chain, which is impossible due to the fact that the longest chain is by definition the true chain.

Even assuming that "the most difficult to recreate" implies total hashrate and not length thats fairly ambigous.
But anyway, piramida had it right. The comparator on line 80 (starting at line 76) is used by FindMostWorkChain, which in turn is called by ActivateBestChain. And there is no arguing with the code there.

The reason for the argumenting is fairly simple. If total cumulative hashing power is the deciding factor an attacking entity merely needs overwhelming hashing power to revert all transactions since any given point after the last checkpoint. In other words if any an event such as a sudden advance in technology, a majority if mining gear being sold after a reward halving etc ..., allows for a sudden shift in hashing distribution it is fairly easy to create a more difficult chain. To roll back time by time by n blocks within a timeframe with m further blocks you only need to beat the current chain (simplyfying here with a constant hashrate, principle stands one way or another though) (n+m)/m times the hash rate of the official network. E.g. a competing chain running at twice the hashing power of the official chain could roll back 1 day of transactions per passing day.

Using the length of the block chain, while being being having other disadvantages, is not susceptile to such a sudden increase in hashing power. To roll back n blocks within the next n blocks you need (again assuming the real chain stays at constant difficulty c) to exponentially grow the hashing power to catch up. Even assuming someone where to double the initial power c with every difficulty adjustment (and thus halving the time needed to create his own blocks) he would need 2^(2*no. of difficulty switches) the hasing power to catch up. In other words 4* the power to reverse 2016 blocks, spending the first week recreating the last 2016 blocks at double rate and spending the next week to create the 2016 new blocks at quadrouple rate. Trying to reverse 4032 blocks would require 16x current hashrate etc ...

[adamstgBit]

[Omikifuse]

There is the 51% attack, but anyone in position to do that would be gaining tons of money with mining.

So it would be more like suicide bomb switch.


If it happens, goodbye to descentralized currencies