Received: from sog-mx-2.v43.ch3.sourceforge.com ([172.29.43.192] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VeUKD-0000Dm-EJ for Bitcoin-development@lists.sourceforge.net; Thu, 07 Nov 2013 18:29:01 +0000 Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.223.174 as permitted sender) client-ip=209.85.223.174; envelope-from=lidstrom83@gmail.com; helo=mail-ie0-f174.google.com; Received: from mail-ie0-f174.google.com ([209.85.223.174]) by sog-mx-2.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1VeUKB-0003iS-Kk for Bitcoin-development@lists.sourceforge.net; Thu, 07 Nov 2013 18:29:01 +0000 Received: by mail-ie0-f174.google.com with SMTP id qd12so1464719ieb.5 for ; Thu, 07 Nov 2013 10:28:54 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.50.119.161 with SMTP id kv1mr2959533igb.51.1383848933020; Thu, 07 Nov 2013 10:28:53 -0800 (PST) Received: by 10.64.81.230 with HTTP; Thu, 7 Nov 2013 10:28:52 -0800 (PST) In-Reply-To: References: <5279D49D.5050807@jerviss.org> <20131107034404.GA5140@savin> <20131107132442.GB22476@savin> Date: Thu, 7 Nov 2013 11:28:52 -0700 Message-ID: From: Daniel Lidstrom To: Mike Hearn Content-Type: multipart/alternative; boundary=001a1134421613bbcc04ea9a7006 X-Spam-Score: -0.3 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: doubleclick.net] -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (lidstrom83[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (lidstrom83[at]gmail.com) 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1VeUKB-0003iS-Kk Cc: Bitcoin Dev , webmaster@ghash.io, webmaster@cex.io Subject: Re: [Bitcoin-development] we can all relax now X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Nov 2013 18:29:01 -0000 --001a1134421613bbcc04ea9a7006 Content-Type: text/plain; charset=ISO-8859-1 Hey Peter, something seems wrong with your above analysis: I think a miner would withhold his block not because it leads to a greater probability of winning the next one, but because it increases his expected revenue. Suppose a cabal with fraction q of the total hashing power is n blocks ahead on a secret branch of that has mined r_tot coins, and let r_next be its next block's reward. If the cabal chooses not to broadcast its secret chain until at least the next block, its expected revenue after the next block is found is (1 - (1-q)^(n+1))*(r_tot + r_next) If it does broadcast, its expected revenue after the next block is found is r_tot + q * r_next If the cabal seeks only to maximize immediate revenue, then after a bit of algebra we find that it will withhold its chain if q > 1 - ( 1 + r_tot / r_next )^(-1/n) So if the cabal has just mined his first block off of the public chain, i.e. n = 1, and if the block reward is relatively stable, i.e. r_next = r_tot, then it needs q > 50% to profitably withhold, not the 29.2% you calculated. From this formula we can also see that if the miner wins the race and withholds again, then he must grow q to compensate for the increase in r_tot, and any decrease in n. So generally publication becomes increasingly in the cabal's interest, and secret chains will tend not to grow too large (intuition tells me that simulations using the above formula should bear this out). This seem correct to you? On Thu, Nov 7, 2013 at 9:14 AM, Mike Hearn wrote: > Once the ASIC race calms down because everyone has one, has more or less > optimal power supplies, process improvements aren't easily reachable > anymore etc then I'd expect people to dissipate from the large pools > because eliminating their fees will become the next lowest hanging fruit to > squeeze out extra profit. There's no particular reason we need only a > handful of pools that control a major fraction of the hashpower. > > If we end up with a few hundred pools or lots of miners on p2pool, then a > lot of these theoretical attacks become not very relevant (I don't think ID > sacrifices will be so common or large as to justify a pile of custom mining > code+strategies at any point ...) > > > On Thu, Nov 7, 2013 at 2:24 PM, Peter Todd wrote: > >> On Thu, Nov 07, 2013 at 02:56:56PM +1000, Gavin Andresen wrote: >> > > P.S: If any large pools want to try this stuff out, give me a shout. >> You >> > > have my PGP key - confidentiality assured. >> > > >> > >> > If I find out one of the large pools decides to run this 'experiment' on >> > the main network, I will make it my mission to tell people to switch to >> a >> > more responsible pool. >> >> I hope they listen. >> >> A few months ago ASICMiner could have made use of that attack if my >> memories of their peak hashing power were correct. They certainely could >> have used the selfish miner version, (we need better name for that) >> although development costs would eat into profits. >> >> GHash.IO, 22%, says they're a "private Bitfury ASIC mining pool" - dunno >> what they mean by that, but they're involved with CEX.IO who has >> physical control of a bunch of hashing power so I guess that means their >> model is like ASICMiners. They're a bit short of 30%, but maybe some >> behind-the-scenes deals would fix that, and/or lowering the barrier with >> reactive block publishing. (a better name) >> >> > And if you think you can get away with driving up EVERYBODY's orphan >> rate >> > without anybody noticing, you should think again. >> >> ...and remember, if you only do the attack a little bit, you still can >> earn more profit, and only drive up the orphan rate a little bit. So who >> knows, maybe the orphans are real, or maybe they're an attack? ASICMiner >> was involved with a bunch of orphans a while back... >> >> You know what this calls for? A witchhunt! >> >> BURN THE LARGE POOLS! >> >> > > P.P.S: If you're mining on a pool with more than, like, 1% hashing >> > > power, do the math on varience... Seriously, stop it and go mine on a >> > > smaller pool, or better yet, p2pool. >> > > >> > >> > That I agree with. >> >> Glad to hear. >> >> -- >> 'peter'[:-1]@petertodd.org >> 0000000000000007bd936f19e33bc8b8f9bb1f4c013b863ef60a7f5a6a5d2112 >> >> >> ------------------------------------------------------------------------------ >> November Webinars for C, C++, Fortran Developers >> Accelerate application performance with scalable programming models. >> Explore >> techniques for threading, error checking, porting, and tuning. Get the >> most >> from the latest Intel processors and coprocessors. See abstracts and >> register >> >> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk >> _______________________________________________ >> Bitcoin-development mailing list >> Bitcoin-development@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development >> >> > > > ------------------------------------------------------------------------------ > November Webinars for C, C++, Fortran Developers > Accelerate application performance with scalable programming models. > Explore > techniques for threading, error checking, porting, and tuning. Get the most > from the latest Intel processors and coprocessors. See abstracts and > register > http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > --001a1134421613bbcc04ea9a7006 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Hey Peter, something seems wrong with your = above=20 analysis: I think a miner would withhold his block not because it leads to a greater probability of winning the next one, but because it=20 increases his expected revenue.

Suppose a cabal with fraction q of the total hashing power is n=20 blocks ahead on a secret branch of that has mined r_tot coins, and let=20 r_next be its next block's reward.=A0 If the cabal chooses not to=20 broadcast its secret chain until at least the next block, its expected=20 revenue after the next block is found is

(1 - (1-q)^(n+1))*(r_tot + r_next)

If it does broadcast, its exp= ected revenue after the next block is found is

r_tot + q * r_next

If the cabal seeks only to maximize immediate revenue, then after a bit of al= gebra we find that it will withhold its chain if

q > 1 - ( 1 + r_tot / r_next )^(-1/n)

So if the ca= bal has just mined his first block off of the public chain, i.e. n =3D 1, a= nd if the block reward is relatively stable, i.e. r_next =3D r_tot, then it= needs q > 50% to profitably withhold, not the 29.2% you calculated.

From this formula we can also see that if the miner wins the= race and withholds again, then he must grow q to compensate for the increa= se in r_tot, and any decrease in n.=A0 So generally publication becomes inc= reasingly in the cabal's interest, and secret chains will tend not to g= row too large (intuition tells me that simulations using the above formula = should bear this out).

This seem correct to you?


On Thu, Nov 7, 2013 = at 9:14 AM, Mike Hearn <mike@plan99.net> wrote:
Once the ASIC race calms do= wn because everyone has one, has more or less optimal power supplies, proce= ss improvements aren't easily reachable anymore etc then I'd expect= people to dissipate from the large pools because eliminating their fees wi= ll become the next lowest hanging fruit to squeeze out extra profit. There&= #39;s no particular reason we need only a handful of pools that control a m= ajor fraction of the hashpower.=A0

If we end up with a few hundred pools or lots of miners on p= 2pool, then a lot of these theoretical attacks become not very relevant (I = don't think ID sacrifices will be so common or large as to justify a pi= le of custom mining code+strategies at any point ...)


On Thu, Nov 7, 2013 at 2:24 PM, Peter Todd <pete@petertod= d.org> wrote:
On T= hu, Nov 07, 2013 at 02:56:56PM +1000, Gavin Andresen wrote:
> > P.S: If any large pools want to try this stuff out, give me a sho= ut. You
> > have my PGP key - confidentiality assured.
> >
>
> If I find out one of the large pools decides to run this 'experime= nt' on
> the main network, I will make it my mission to tell people to switch t= o a
> more responsible pool.

I hope they listen.

A few months ago ASICMiner could have made use of that attack if my
memories of their peak hashing power were correct. They certainely could have used the selfish miner version, (we need better name for that)
although development costs would eat into profits.

GHash.IO, 22%, says they're a "private Bitfury ASIC mining pool&qu= ot; - dunno
what they mean by that, but they're involved with CEX.IO who has
physical control of a bunch of hashing power so I guess that means their model is like ASICMiners. They're a bit short of 30%, but maybe some behind-the-scenes deals would fix that, and/or lowering the barrier with reactive block publishing. (a better name)

> And if you think you can get away with driving up EVERYBODY's orph= an rate
> without anybody noticing, you should think again.

...and remember, if you only do the attack a little bit, you still ca= n
earn more profit, and only drive up the orphan rate a little bit. So who knows, maybe the orphans are real, or maybe they're an attack? ASICMine= r
was involved with a bunch of orphans a while back...

You know what this calls for? A witchhunt!

BURN THE LARGE POOLS!

> > P.P.S: If you're mining on a pool with more than, like, 1% ha= shing
> > power, do the math on varience... Seriously, stop it and go mine = on a
> > smaller pool, or better yet, p2pool.
> >
>
> That I agree with.

Glad to hear.

--
'peter'[:-1]@pet= ertodd.org
0000000000000007bd936f19e33bc8b8f9bb1f4c013b863ef60a7f5a6a5d2112

---------------------------= ---------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explor= e
techniques for threading, error checking, porting, and tuning. Get the most=
from the latest Intel processors and coprocessors. See abstracts and regist= er
http://pubads.g.doubleclick.net/gam= pad/clk?id=3D60136231&iu=3D/4140/ostg.clktrk
___________________= ____________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment



-----------------------------------------------------------------------= -------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explor= e
techniques for threading, error checking, porting, and tuning. Get the most=
from the latest Intel processors and coprocessors. See abstracts and regist= er
http://pubads.g.doubleclick.net/gam= pad/clk?id=3D60136231&iu=3D/4140/ostg.clktrk
___________________= ____________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment


--001a1134421613bbcc04ea9a7006--