Bitcoin Forum
Author Topic: delete  (Read 165493 times)
rangedriver
October 06, 2014, 11:27:39 AM
 #2141

I said 22 days for it to come through, this is day 11.

ETA is Oct. 12, 5 days from now.

That's not long... I'll be happy when this saga is behind us. For better or worse.

(If worse I'll be a little more angry than happy...but so be it)

Yeh.... Until 22 days passes with nothing happening and BCX and TFM decide to change the goalposts yet again: "Oh, sorry everyone - just made a new calculation and it transpires the attack won't materialise for another 6 months..."

Wake up people. This is a psychological attack not a technical one.
OrientA
October 06, 2014, 11:31:18 AM
 #2142

If we increase the total hash power, will that elongate the judgement day?

More honest hash power is always more secure for any coin. Beyond that everything is a matter of guesswork.

Is this the reason why the hash rate is so high compared to the price?
TheFascistMind
October 06, 2014, 12:29:18 PM
Last edit: October 06, 2014, 12:42:42 PM by TheFascistMind
 #2143

Thus the secret chain can end up the longest chain without needing 50% of the hashrate.

This can never happen because the chain length is sum of difficulty not block count, although with some probability you might have a slightly lower hash rate and still get lucky and win more than half of the (weighted) blocks, as usual.

I agree if the comparison of two forks is the sum of the modular additive inverses of the block hashes.

In my prior post, I was trying to figure out how it was possible that the secret chain could be "longer" when it has less hashrate. Originally I didn't think it was possible, which is why I ignored the ideas from that thread and had presented other ideas further upthread. Then I reread that thread again.

Perhaps Auroracoin had a bug in that it only compared # of blocks? Or as you say Nite69 seemed to not know what he was talking about. That is what I originally wrote in my prior post, then just before I posted it I changed it because I guess I got confused in my haste as I was trying to figure what the heck those guys (Nite69 et al.) were describing.
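
Added example, not part of any post in this thread: a small simulation of the point quoted above, that a fork compared by summed difficulty cannot win just by having more blocks. The hashrates, difficulties, 10-hour duration and the `Fork` model are constructed assumptions, and the secret fork's lowered difficulty is simply assumed rather than derived from any retarget rule.

```python
import random
from dataclasses import dataclass


@dataclass
class Fork:
    name: str
    hashrate: float     # hashes per second (constructed value)
    difficulty: float   # expected hashes per block (constructed value)
    blocks: int = 0

    @property
    def work(self) -> float:
        # Cumulative difficulty: each block adds the difficulty it was mined at.
        return self.blocks * self.difficulty


def mine_for(fork: Fork, seconds: float, rng: random.Random) -> Fork:
    """Model block discovery as a Poisson process with rate hashrate/difficulty."""
    rate = fork.hashrate / fork.difficulty
    t = rng.expovariate(rate)
    while t <= seconds:
        fork.blocks += 1
        t += rng.expovariate(rate)
    return fork


def pick_by_block_count(a: Fork, b: Fork) -> Fork:
    # The flawed rule the post speculates about: the fork with more blocks wins.
    return a if a.blocks >= b.blocks else b


def pick_by_cumulative_difficulty(a: Fork, b: Fork) -> Fork:
    # The rule quoted in the post: the fork with more summed difficulty wins.
    return a if a.work >= b.work else b


def simulate(seed: int = 2014, seconds: float = 36_000.0):
    rng = random.Random(seed)
    # Honest network: 1000 H/s at a difficulty giving one block per 60 s.
    honest = mine_for(Fork("honest", 1000.0, 60_000.0), seconds, rng)
    # Secret fork: 30% of that hashrate, difficulty assumed lowered 10x,
    # so it produces blocks three times faster than the honest fork.
    secret = mine_for(Fork("secret", 300.0, 6_000.0), seconds, rng)
    return honest, secret


if __name__ == "__main__":
    honest, secret = simulate()
    for f in (honest, secret):
        print(f"{f.name:7s} blocks={f.blocks:5d} cumulative difficulty={f.work:,.0f}")
    print("winner by block count:          ", pick_by_block_count(honest, secret).name)
    print("winner by cumulative difficulty:", pick_by_cumulative_difficulty(honest, secret).name)
```

The secret fork ends up with roughly three times as many blocks but only about 30% of the cumulative difficulty, which tracks its share of hashrate and not the difficulty it mined at.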
TheFascistMind
October 06, 2014, 12:38:10 PM
Last edit: October 06, 2014, 03:28:59 PM by TheFascistMind
 #2144

Clearly you see now the potential problem in Cryptonote with the 20% discard rule. It enables the secret chain to hide a bunch of blocks without causing a rise in difficulty.

No, it isn't clear. You can't really hide any blocks just by making them outliers because the outliers starting at the most recent end of the adjustment window (for example if you timestamped into the future) still have to slide through the middle before exiting the window on the other end. So you can only defer them from contributing to the adjustment for a little while, but eventually they do get counted (similar in effect to a window-based adjustment like Bitcoin).  The outliers at the farthest-in-the-past end might be able to slide off without ever being counted, but even if you could figure out how to drop blocks there right away, that would only increase difficulty, not decrease it. There still might be a flaw, but we have to do better than that to graduate from FUD.

Not printing the timestamps far into the future, rather the statistics of the variations in gaps between the timestamps. You could bunch some of them closer at a faster rate in time so they are deemed statistical outliers (I presume, haven't seen the math presented in any white paper), so they don't get counted in the computation of the difficulty.

But even this won't matter if the total difficulty of the forks is compared as the sum of modular additive inverses of the block hashes, then there is no way the secret fork can be longer (other than diluting the honest fork's hashrate with DDoS or orphans via selfish mining or block propagation interference).

Thus I rescind my opinion that BCX  is attacking with such a secret fork. He could possibly attack with some other vulnerability (such as my idea about messing with the ROI of miners thus driving network hashrate down), but not this one.

Edit: the ideas about messing with the ROI of the miners remain. If you can push the hashrate up higher than it should be then prevent or delay the readjustment and also selfish mine, you can amplify the ROI pain on the honest miners over selfish mining alone.
JorgeStolfi
October 06, 2014, 12:56:07 PM
 #2145

I don't know if I understood the latest posts right, but:

Suppose that, in his private network, the attacker has tricked the Monero protocol to lower the difficulty to 1/2 of what would be appropriate for his hashpower. So he is capable of generating blocks with 30 sec mean gap, instead of 60 sec.

However, if the attacker finds a solution after t seconds, instead of posting it right away, he keeps mining for another t seconds. Then, among all solutions that he found, he posts the one with the smallest hash.

That way, the private blockchain still has 1 block every 60 seconds on average, so the protocol will not raise the difficulty.  However, the complemented hashes will be higher than normal on average.  So, the alternate blockchain, while just as long as the legitimate one, will probably have a greater "weight".

Would this attack (or a variation thereof) work?

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
TheFascistMind
October 06, 2014, 01:01:29 PM
 #2146

Yeh.... Until 22 days passes with nothing happening and BCX and TFM decide to change the goalposts yet again: "Oh, sorry everyone - just made a new calculation and it transpires the attack won't materialise for another 6 months..."

I wouldn't ascribe to such nonsense. I am trying to figure out what form a possible attack could potentially be, so I would know what symptoms to look for if any, and so maybe I could dismiss the entire thing early or increase my expectations.

Also to make sure I have designed around any such possible attack in my own coinz.
TheFascistMind
October 06, 2014, 01:04:01 PM
 #2147

...but we have to do better than that to graduate from FUD.

What is your guess about this vaporware below? Don't worry you won't offend me, just be frank.

Does such a credible and correct unpublished white paper exist? Yes or no?

Here is a quadruple dose of FUD...

Wouldn't it be ideal if a coin's whitepaper has a mathematical proof that it isn't vulnerable to anything less than a 50% attack (other than the normal 6 confirmations type risk of double-spend)?

And wouldn't it be porn, if that proof showed that every other proof-of-work coin (including Bitcoin) is so vulnerable?

And wouldn't it be triple sexy if that proof showed that all (untraceable block chain) anonymous coins can't be fixed to remove that vulnerability?

Excuse my drooling, I can't contain myself.

Edit: I have not withheld any quantification of TW attack on CN afaik. I shared all of my (limited) knowledge on that. I am referring to something different above.
NewLiberty
October 06, 2014, 01:10:08 PM
 #2148

If we increase the total hash power, will that elongate the judgement day?

More honest hash power is always more secure for any coin. Beyond that everything is a matter of guesswork.

Is this the reason why the hash rate is so high compared to the price?
The same can be said for BTC at the moment.

FREE MONEY1 Bitcoin for Silver and Gold NewLibertyDollar.com and now BITCOIN SPECIE (silver 1 ozt) shows value by QR
Bulk premiums as low as .0012 BTC "BETTER, MORE COLLECTIBLE, AND CHEAPER THAN SILVER EAGLES" 1Free of Government
TheFascistMind
October 06, 2014, 01:14:02 PM
 #2149

I don't know if I understood the latest posts right, but:

Suppose that, in his private network, the attacker has tricked the Monero protocol to lower the difficulty to 1/2 of what would be appropriate for his hashpower. So he is capable of generating blocks with 30 sec mean gap, instead of 60 sec.

However, if the attacker finds a solution after t seconds, instead of posting it right away, he keeps mining for another t seconds. Then, among all solutions that he found, he posts the one with the smallest hash.

That way, the private blockchain still has 1 block every 60 seconds on average, so the protocol will not raise the difficulty.  However, the complemented hashes will be higher than normal on average.  So, the alternate blockchain, while just as long as the legitimate one, will probably have a greater "weight".

Would this attack (or a variation thereof) work?

Afaics, smooth is correct. There is no way to build a chain of hashes that has a greater sum of their modular additive inverses than your hashrate can generate, i.e. that metric is invariant w.r.t. the difficulty level. Thus as long as forks are measured by that metric, the longer one will always be the one with the greater hashrate (except for small probabilities of success with less hashrate) regardless of the relative difficulty rates.

It seems you were sort of thinking about the way a selfish mining attack works, c.f. Majority is not Enough: Bitcoin Mining is Vulnerable.
Coinshot
October 06, 2014, 01:19:51 PM
 #2150

I said 22 days for it to come through, this is day 11.

ETA is Oct. 12, 5 days from now.

It's still ongoing? I thought it was over.

This time it better lead to something. The last deadline passed with a whimper.


NewLiberty
October 06, 2014, 01:30:57 PM
 #2151

I am trying to figure out what form a possible attack could potentially be.

This brings me some enjoyment as well, doing security engineering.  I've a wicked mind, the whole world looks broken to me.  There are cracks in everything, and all these candy colored pots of gold everywhere are just free for the taking with no barrier other than these darned ethical handcuffs that keep me from grabbing them all.

It is so easy to design something that simply works, and so rare to design something that can't be broken simply, but those things are simply beautiful things.

I don't know if I understood the latest posts right, but:

Suppose that, in his private network, the attacker has tricked the Monero protocol to lower the difficulty to 1/2 of what would be appropriate for his hashpower. So he is capable of generating blocks with 30 sec mean gap, instead of 60 sec.

However, if the attacker finds a solution after t seconds, instead of posting it right away, he keeps mining for another t seconds. Then, among all solutions that he found, he posts the one with the smallest hash.

That way, the private blockchain still has 1 block every 60 seconds on average, so the protocol will not raise the difficulty.  However, the complemented hashes will be higher than normal on average.  So, the alternate blockchain, while just as long as the legitimate one, will probably have a greater "weight".

Would this attack (or a variation thereof) work?

Afaics, smooth is correct. There is no way to build a chain of hashes that has a greater sum of their modular additive inverses than your hashrate can generate, i.e. that metric is invariant w.r.t. the difficulty level. Thus as long as forks are measured by that metric, the longer one will always be the one with the greater hashrate (except for small probabilities of success with less hashrate) regardless of the relative difficulty rates.

Yes, the TW will fail against Monero's code in that context.
The next context was "Will it fail fast?"  Essentially, if a TW were launched, even though it is doomed to not be the longest chain, would the time it takes to make that determination by the honest nodes (and thus not doing so much hashing) allow dishonest nodes to continue building on the TW chain, or even to just build on the good chain but win more blocks by essentially denying hashes to nodes busy with making this determination?

The distributed checkpointing allows for the ability to get all the honest nodes back to work even if there is a novel form of attack based on any type of chain forking attack, not just the TW, and further allows for self service of the solution.

TheFascistMind
October 06, 2014, 03:19:53 PM
 #2152

The next context was "Will it fail fast?"  Essentially, if a TW were launched, even though it is doomed to not be the longest chain, would the time it takes to make that determination by the honest nodes (and thus not doing so much hashing) allow dishonest nodes to continue building on the TW chain, or even to just build on the good chain but win more blocks by essentially denying hashes to nodes busy with making this determination?

That is a novel attack. Normally verifying each hash of a fork takes much less computational power than was consumed to generate each hash, because at normal difficulty levels it requires 1000s or more of hash computations before a block solution is found but only 1 hash computation to verify the block solution hash. But if you can lower the difficulty to the minimum then each block solution could consume only 1 hash computation and thus verifying would consume as much hash power as generating.

Thus the honest hashrate would be consumed for some duration verifying the extremely long fork of the attacker, while the attacker will be mining nearly exclusively on the honest fork during that delay, so the attacker can rewind some portion of the honest fork before the honest nodes finish verifying and rejecting the attacker's diversionary long fork.

The attacker wouldn't necessarily need very much hashrate, rather a lot of time to generate a super long secret fork.

The simple mitigation is to not verify further newly presented forks for which the difficulty drops very significantly below the currently known fork. We assume we don't want to consider too long lived forks anyway, so if difficulty drops that much it is very unlikely it rose back up again sufficiently to catch up.

The distributed checkpointing allows for the ability to get all the honest nodes back to work even if there is a novel form of attack based on any type of chain forking attack, not just the TW, and further allows for self service of the solution.

I don't understand how decentralized checkpointing can work because if you don't put them on the block chain, then there is no decentralized record, and nodes don't know if they are part of the majority otherwise. If you put them on the block chain, they can be unwound by an attack.

Do you mean centrally issued checkpoints?
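
Added example, not part of any post in this thread: a toy node that applies the mitigation proposed in the post above, refusing to spend hash evaluations on a presented fork once its difficulty falls far below that of the known fork. The header layout (difficulty stated in the header), SHA-256 as the proof-of-work hash, the 0.25 threshold and all sample values are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

MAX_HASH = 1 << 256


@dataclass(frozen=True)
class Header:
    prev: bytes       # hash of the parent header
    difficulty: int   # toy model: the header states the difficulty it was mined at
    nonce: int

    def pow_hash(self) -> bytes:
        data = self.prev + self.difficulty.to_bytes(8, "big") + self.nonce.to_bytes(8, "big")
        return hashlib.sha256(data).digest()


def meets_difficulty(digest: bytes, difficulty: int) -> bool:
    return int.from_bytes(digest, "big") * difficulty < MAX_HASH


def build_fork(parent: bytes, length: int, difficulty: int) -> list:
    """Construct sample data: mine `length` headers on top of `parent`."""
    fork, prev = [], parent
    for _ in range(length):
        nonce = 0
        while not meets_difficulty(Header(prev, difficulty, nonce).pow_hash(), difficulty):
            nonce += 1
        header = Header(prev, difficulty, nonce)
        fork.append(header)
        prev = header.pow_hash()
    return fork


def verify_fork(parent: bytes, fork: list, known_difficulty: int, min_ratio=None):
    """Verify headers in order; return (verified_work, hashes_spent, outcome)."""
    prev, work, hashes = parent, 0, 0
    for header in fork:
        # Mitigation: a cheap integer comparison before any hashing is done.
        if min_ratio is not None and header.difficulty < known_difficulty * min_ratio:
            return work, hashes, "rejected: difficulty drop"
        if header.prev != prev:
            return work, hashes, "rejected: broken link"
        digest = header.pow_hash()
        hashes += 1
        if not meets_difficulty(digest, header.difficulty):
            return work, hashes, "rejected: bad proof of work"
        work += header.difficulty
        prev = digest
    return work, hashes, "verified"


# Constructed scenario: the known fork has 100 blocks at difficulty 64 since the fork point.
FORK_POINT = hashlib.sha256(b"constructed fork point").digest()
KNOWN_DIFFICULTY = 64
KNOWN_WORK = 100 * KNOWN_DIFFICULTY


def demo() -> dict:
    diversion = build_fork(FORK_POINT, 5000, 1)   # very long, minimum difficulty
    rival = build_fork(FORK_POINT, 12, 48)        # ordinary competing fork
    return {
        "diversion_naive": verify_fork(FORK_POINT, diversion, KNOWN_DIFFICULTY),
        "diversion_filtered": verify_fork(FORK_POINT, diversion, KNOWN_DIFFICULTY, 0.25),
        "rival_filtered": verify_fork(FORK_POINT, rival, KNOWN_DIFFICULTY, 0.25),
    }


if __name__ == "__main__":
    for name, (work, hashes, outcome) in demo().items():
        print(f"{name:19s} work={work:5d} hashes_spent={hashes:5d} {outcome}")
```

Without the threshold the node spends 5000 hash evaluations to learn that the diversionary fork carries less work than the known one; with it the fork costs no hashing at all, while a competing fork at comparable difficulty is still verified in full.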
Spoetnik
October 06, 2014, 03:46:48 PM
 #2153

Quote
Oh my dog, Sputnuts noise is back.  Cry

Enjoy the walls of text.



watch your ass you will get banned smart ass !

trust me i know i did the same thing you're doing and got a ban for it LOL

FUD first & ask questions later™
Spoetnik
October 06, 2014, 03:51:52 PM
 #2154

notice the same two guys bumping away any criticism here guys ?

anyone say a word and they grin and get giddy and think they're crafty and post 12 times in a row random bullshit !
trying to sweep up the negativity around Monero under the rug in the process..

like hearing a blow hard ramble on about Monero non stop guys ?

coinits
October 06, 2014, 04:01:54 PM
 #2155

notice the same two guys bumping away any criticism here guys ?

anyone say a word and they grin and get giddy and think they're crafty and post 12 times in a row random bullshit !
trying to sweep up the negativity around Monero under the rug in the process..

like hearing a blow hard ramble on about Monero non stop guys ?

Then stick to your Jackpot thread and keep doing the same thing over here that you dislike being done over there. Why do you even bother? Oh yeah... you are a troll.

Jump you fuckers! | The thing about smart motherfuckers is they sound like crazy motherfuckers to dumb motherfuckers. | My sig space for rent for 0.01 btc per week.
Este Nuno
October 06, 2014, 04:12:32 PM
 #2156

notice the same two guys bumping away any criticism here guys ?

anyone say a word and they grin and get giddy and think they're crafty and post 12 times in a row random bullshit !
trying to sweep up the negativity around Monero under the rug in the process..

like hearing a blow hard ramble on about Monero non stop guys ?

Except in this case TheFascistMind isn't a Monero supporter at all. So I don't think that theory really holds up. :)
rangedriver
October 06, 2014, 04:16:36 PM
 #2157

Plus there are many of us - including yourself. In fact, the trolls give Monero all the power it needs.
NewLiberty
October 06, 2014, 04:24:25 PM
Last edit: October 06, 2014, 04:36:22 PM by NewLiberty
 #2158

The next context was "Will it fail fast?"  Essentially, if a TW were launched, even though it is doomed to not be the longest chain, would the time it takes to make that determination by the honest nodes (and thus not doing so much hashing) allow dishonest nodes to continue building on the TW chain, or even to just build on the good chain but win more blocks by essentially denying hashes to nodes busy with making this determination?

That is a novel attack. Normally verifying each hash of a fork takes much less computational power than was consumed to generate each hash, because at normal difficulty levels it requires 1000s or more of hash computations before a block solution is found but only 1 hash computation to verify the block solution hash. But if you can lower the difficulty to the minimum then each block solution could consume only 1 hash computation and thus verifying would consume as much hash power as generating.

Thus the honest hashrate would be consumed for some duration verifying the extremely long fork of the attacker, while the attacker will be mining nearly exclusively on the honest fork during that delay, so the attacker can rewind some portion of the honest fork before the honest nodes finish verifying and rejecting the attacker's diversionary long fork.

The attacker wouldn't necessarily need very much hashrate, rather a lot of time to generate a super long secret fork.

The simple mitigation is to not verify further newly presented forks for which the difficulty drops very significantly below the currently known fork. We assume we don't want to consider too long lived forks anyway, so if difficulty drops that much it is very unlikely it rose back up again sufficiently to catch up.

The distributed checkpointing allows for the ability to get all the honest nodes back to work even if there is a novel form of attack based on any type of chain forking attack, not just the TW, and further allows for self service of the solution.

I don't understand how decentralized checkpointing can work because if you don't put them on the block chain, then there is no decentralized record, and nodes don't know if they are part of the majority otherwise. If you put them on the block chain, they can be unwound by an attack.

Do you mean centrally issued checkpoints?

This novel attack was contemplated when searching for any way a TW attack could have any effect at all.
It was considered in the solution offered within the 72 hour "first threat window".

The checkpoints may be issued centrally or not.  Checkpoints are not put on the block chain.  The decentralized record exists in the same systems that the block chain exists, on the miner systems, but not in the block chain.  To say that makes it not a decentralized record, strikes me as strange.

Adding checkpoints is a human intervention, and always has been.  There may be automations added to further reduce the efforts, and I am aware of some that have been discussed by the XMR dev team, but thanks to the BCX threat, Monero remains the current leader in defenses against this sort of attack.

NewLiberty
October 06, 2014, 04:31:25 PM
 #2159

notice the same two guys bumping away any criticism here guys ?

anyone say a word and they grin and get giddy and think they're crafty and post 12 times in a row random bullshit !
trying to sweep up the negativity around Monero under the rug in the process..

like hearing a blow hard ramble on about Monero non stop guys ?

Except in this case TheFascistMind isn't a Monero supporter at all. So I don't think that theory really holds up. :)

TFM is one of a very rare breed and highly valued for that.  Problem finders are rare enough, problem fixers are also rare.  When these are found in the same person, and further that person has an interest in privacy and cryptography and financial technologies, their input ought be cultivated and valued.

Often "problem finders" are equated with FUDsters, but... fear can either be justified or not.

My role here is primarily sifting through the justified fears and the unjustified ones.
Where I can provide the calm that knowledge brings, and therein reduce a few uncertainties, I may be helpful in channeling efforts to where they can be most productive.

Currently there is an abundance of unjustified fear as well as some few very justified ones.  Most all the discussion however, is on the unjustified fears.

Spoetnik
October 06, 2014, 04:33:21 PM
 #2160

notice the same two guys bumping away any criticism here guys ?

anyone say a word and they grin and get giddy and think they're crafty and post 12 times in a row random bullshit !
trying to sweep up the negativity around Monero under the rug in the process..

like hearing a blow hard ramble on about Monero non stop guys ?

Except in this case TheFascistMind isn't a Monero supporter at all. So I don't think that theory really holds up. :)

ya i have noticed it seems that way and his behavior has been curious on this topic.
this guy has been suspected of being BCX ? and who else ? LOL
all i see is he is hammering the living shit out of this topic non stop with science gibberish.
he's acting like a cliche'd character i have seen in many comedies as well as around our scene
such as a well known guy who would pop up on cryptsy chat and pick a topic and hammer it for hours with walls of text.
with topics such as Greek Mythology.. the entire place that time was screaming at the guy to just STFU already and he went on and on lol
i forgot the guys name sorry..
he's acting like this.. http://aqua-teen.com/quotes/aqua-teen-hunger-force-season-1-quotes/cybernetic-ghost-of-christmas-past-from-the-future-quotes/

and then we have "Smooth" LOL
the little lapdog that tags along trying to be one of the big boys.. look at me look at me.. i am smart too ! honest i am .. i am really .. i am !!! LOL

meanwhile what they are doing is hijacking this topic as an advertisement for Monero and white washing and criticism
by blasting it the second anyone says anything.. i'm not 100% sure if these guys are just fucked in the head or playing games or what or BOTH ahahha

bottom line.. MOOOONNNEEERRROOOO

let's talk about Monero PLEEEEEEEASE !!!!
i can't get enough i need mooooooaaaaaar !!!11111

edit:
it's funny that we have the KING of Monero spamming (the reptiel guy) saying with many Shill accounts crap about Signal to noise ratio
and they are putting it in place here.. manipulation

edit2:
search this forum for keywords "Signal noise ratio" ;)
