public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Matt Corallo <lf-lists@mattcorallo•com>
To: Ittay <ittay.eyal@cornell•edu>
Cc: Ittay via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Bitcoin-NG whitepaper.
Date: Wed, 28 Oct 2015 02:08:52 +0000	[thread overview]
Message-ID: <56302E34.7070906@mattcorallo.com> (raw)
In-Reply-To: <CABT1wWm0QXjGAXgrBMT7w+25kcsEJnP8JZ5RSpuk3aefX45+wQ@mail.gmail.com>

Oops, just realized I never responded to this...

On 10/15/15 15:09, Ittay wrote:
> Thanks, Matt. Response inline. 
> 
> On Wed, Oct 14, 2015 at 2:57 PM, Matt Corallo <lf-lists@mattcorallo•com
> <mailto:lf-lists@mattcorallo•com>> wrote:
> 
>     That conversation missed a second issue. Namely that there is no way
>     to punish people if there is a double spend in a micro block that
>     happens in key block which reorg'd away the first transaction. eg
>     one miner mines a transaction in a micro block, another miner
>     (either by not having seen the first yet, or being malicious -
>     potentially the same miner) mines a key block which reorgs away the
>     first micro block and then, in their first micro block, mines a
>     double spend. This can happen at any time, so you end up having to
>     fall back to regular full blocks for confirmation times :(.
> 
> 
> If NG is to be used efficiently, microblocks are going to be very
> frequent, and so such forks should occur at almost every key-block
> publication. Short reorgs as you described are the norm. A user should
> wait before accepting a transaction to make sure there was no key-block
> she missed. The wait time is chosen according to the network propagation
> delay (+as much slack as the user feels necessary). This is similar to
> the situation in Bitcoin when you receive a block. To be confident that
> you have one confirmation you should wait for the propagation time of
> the network to make sure there is no branch you missed. 

I think you're overstating how short the wait times can be. They need to
be much longer than the network propagation delay.

> As for the malicious case: the attacker has to win the key-block, have
> the to-be-inverted transaction in the previous epoch, and withhold his
> key-block for a while. That being said, indeed our fraud proof scheme
> doesn't catch such an event, as it is indistinguishable from benign
> behavior. 

The attacker does not need to withold their keyblock at all. All the
attacker does is, for every transaction they ever send, after it is
included in a microblock, set their hashpower to start mining a keyblock
immediately prior to this microblock. When they find a keyblock, they
immediately announce it and start creating microblocks, the first of
which double-spends the previous transaction. If they dont win the key
block, oh well, their payment went through normally and they couldn't
double-spend.

In chatting with Glenn about this, we roughly agreed that the
confirmation time for microblocks possibly doesn't need to be a full
key-block, but it needs to be a reasonable period after which such an
attacker would lose more in fees than the value of their double-spend
(ie because the key-block afterwards gets 20% more in fees than the
key-block before hand). In any case, the game theory here starts to get
rather complicated and it doesn't make me want to suggest accepting
microblocks as confirmations is safe.

>     Also, Greg Slepak brought up a good point on twitter at
>     https://twitter.com/taoeffect/status/654358023138209792. Noting that
>     this model means users could no longer pick transactions in a mining
>     pool which was set up in such a way (it could be tweaked to do so
>     with separate rewards and pubkeys, but now the user can commit fraud
>     at a much lower cost - their own pool reward, not the block's total
>     reward).
> 
> 
> Agreed x3: This is a good point, it is correct, and the tweak is dangerous. 
> Do you perceive this as a significant practical issue? 

It is not a practical issue today because no one does it, but it is a
massive issue in that the splitting of pool rewards and transaction
selection is one of the few easy wins we have left in the fight against
mining centralization. Mining centralization today is absolutely awful,
and closing off our only big win would be tragic.

>     On October 14, 2015 11:28:51 AM PDT, Ittay via bitcoin-dev
>     <bitcoin-dev@lists•linuxfoundation.org
>     <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
> 
> 
>         On Wed, Oct 14, 2015 at 2:12 PM, Bryan Bishop <kanzure@gmail•com
>         <mailto:kanzure@gmail•com>> wrote:
> 
>             On Wed, Oct 14, 2015 at 1:02 PM, Emin Gün Sirer
>             <bitcoin-dev@lists•linuxfoundation.org
>             <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>             > while the whitepaper has all the nitty gritty details:
>             >      http://arxiv.org/abs/1510.02037
> 
>             Taking reward compensation back by fraud proofs is not
>             enough to fix
>             the problems associated with double spending (such as,
>             everyone has to
>             wait for the "real" confirmations instead of the "possibly
>             double-spend" confirmations). Some of this was discussed in
>             -wizards
>             recently:
>             http://gnusha.org/bitcoin-wizards/2015-09-19.log
> 
> 
>         Fraud proof removes all the attacker's revenue. It's like the
>         attacker sacrifices an entire block for double spending in the
>         current system. I think Luke-Jr got it right at that discussion. 
> 
>         Best, 
>         Ittay 
> 
>         ------------------------------------------------------------------------
> 
>         bitcoin-dev mailing list
>         bitcoin-dev@lists•linuxfoundation.org
>         <mailto:bitcoin-dev@lists•linuxfoundation.org>
>         https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> 
> 


  reply	other threads:[~2015-10-28  2:08 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-14 18:02 Emin Gün Sirer
2015-10-14 18:12 ` Bryan Bishop
2015-10-14 18:28   ` Ittay
2015-10-14 18:57     ` Matt Corallo
2015-10-15 15:09       ` Ittay
2015-10-28  2:08         ` Matt Corallo [this message]
2015-11-06 20:48           ` Ittay
2015-10-14 18:14 ` Sergio Demian Lerner
     [not found] ` <20151014182055.GC23875@mcelrath.org>
2015-10-14 18:38   ` Ittay
2015-10-14 18:39   ` Emin Gün Sirer
2015-10-14 22:21     ` odinn
2015-10-15  1:59       ` Matt Corallo
2015-10-15  8:48         ` odinn
2015-10-15 15:12           ` Ittay
2015-10-15 18:43             ` odinn
2015-10-14 20:52 ` Bob McElrath
2015-11-09 18:33 ` Emin Gün Sirer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56302E34.7070906@mattcorallo.com \
    --to=lf-lists@mattcorallo$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=ittay.eyal@cornell$(echo .)edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox