1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
|
Return-Path: <el33th4x0r@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id E869ADFD
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 20 Dec 2015 17:00:59 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-qg0-f44.google.com (mail-qg0-f44.google.com
[209.85.192.44])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B75D214F
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 20 Dec 2015 17:00:58 +0000 (UTC)
Received: by mail-qg0-f44.google.com with SMTP id 74so22249231qgh.1
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 20 Dec 2015 09:00:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:content-type; bh=GF7pDR8cXCEhrstHhS1oTizcMAI5vd1CDJHlu789apY=;
b=Bja5Tq62V5Z6s2wKWVrGTLDwnJZ19rvG7vjsL/vH8q+Yx0qZK+tKJNz3HLeANvJSuC
NnawHddnNFf/uVjTCX/JRFa0qUn4B1w9oX4KEGjppKZA0Nd7dr0txLaMDel4W4K/5jP2
mgsINEJFeYaUPB2jEIJf2X+LfeotHYmUK3deb1Er8fikr3dgI8MqMPsu8oCR1ekTDq+Q
dx4KJptaHDy5HM+eN50pcaXeXKfaBAw/VPH5VxuWsJFGLp03r9CXMLPC/I/mJj9BLRXF
bDXwvORNoVpdoduar8o5yptw/iTXJxnFLQbqxjXfHJ/BUPIrJDfpHUf6x9Evnzq2m4xa
f97Q==
X-Received: by 10.140.94.56 with SMTP id f53mr19456875qge.0.1450630857872;
Sun, 20 Dec 2015 09:00:57 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.29.73 with HTTP; Sun, 20 Dec 2015 09:00:37 -0800 (PST)
In-Reply-To: <20151220132842.GA25481@muck>
References: <20151219184240.GB12893@muck>
<CAAcC9yvh2ma2dFhNDEKs7vfXyQF9L+T0YtRvOsJ15AbfVti=cw@mail.gmail.com>
<219f125cee6ca68fd27016642e38fdf1@xbt.hk>
<CAAcC9ys_t7X0WpQ8W3577M8GLiA5sPV2F1BJ9qZbnMkE-1j3+Q@mail.gmail.com>
<aff8da46a69bdd7ef92ca87725866a5c@xbt.hk>
<CAPkFh0vNECi1OmBwki+8NNAQbe6EG2FEE4RR5z=kYVLLDFHUXg@mail.gmail.com>
<20151220132842.GA25481@muck>
From: =?UTF-8?Q?Emin_G=C3=BCn_Sirer?= <el33th4x0r@gmail.com>
Date: Sun, 20 Dec 2015 12:00:37 -0500
Message-ID: <CAPkFh0t-+WhZYVLyT_auLa87zAATNOH=CpU4S5H=n6S1wmZ-oQ@mail.gmail.com>
To: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary=001a11466d1cfbff6d0527575077
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW
autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] We need to fix the block withholding attack
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Dec 2015 17:01:00 -0000
--001a11466d1cfbff6d0527575077
Content-Type: text/plain; charset=UTF-8
On Sun, Dec 20, 2015 at 8:28 AM, Peter Todd <pete@petertodd.org> wrote:
> There are a number of techniques that can be used to detect block
> withholding attacks that you are not aware of. These techniques usually
> have the characteristic that if known they can be avoided, so obviously
> those who know about them are highly reluctant to reveal what exactly
> they are. I personally know about some of them and have been asked to
> keep that information secret, which I will.
>
Indeed, there are lots of weak measures that one could employ against
an uninformed attacker. As I mentioned before, these are unlikely to be
effective against a savvy attacker, and this is a good thing.
> In the context of KYC, this techniques would likely hold up in court,
> which means that if this stuff becomes a more serious problem it's
> perfectly viable for large, well-resourced, pools to prevent block
> withholding attacks, in part by removing anonymity of hashing power.
> This would not be a positive development for the ecosystem.
>
KYC has a particular financial-regulation connotation in Bitcoin circles,
of which I'm sure you're aware, and which you're using as a spectre.
You don't mean government-regulated-KYC a la FINCEN and Bitcoin
exchanges like Coinbase, you are just referring to a pool operator
demanding to know that its customer is not coming from its competitors'
data centers.
And your prediction doesn't seem well-motivated or properly justified.
There are tons of conditionals in your prediction, starting with the premise
that every single open pool would implement some notion of identity
checking. I don't believe that will happen. Instead, we will have the bigger
pools become more suspicious of signing up new hash power, which is a
good thing. And we will have small groups of people who have some reason
for trusting each other (e.g. they know each other from IRC, conferences,
etc) band together into small pools. These are fantastic outcomes for
decentralization.
Secondly, DRM tech can also easily be used to prevent block withholding
> attacks by attesting to the honest of the hashing power. This is being
> discussed in the industry, and again, this isn't a positive development
> for the ecosystem.
>
DRM is a terrible application. Once again, I see that you're trying to use
those
three letters as a spectre as well, knowing that most people hate DRM, but
keep in mind that DRM is just an application -- it's like pointing to Adobe
Flash
to taint all browser plugins.
The tech behind DRM is called "attestation," and it provides a technical
capability not possible by any other means. In essence, attestation can
ensure that
a remote node is indeed running the code that it purports to be running.
Since
most problems in computer security and distributed systems stem from not
knowing what protocol the attacker is going to follow, attestation is the
only
technology we have that lets us step around this limitation.
It can ensure, for instance,
- that a node purporting to be Bitcoin Core (vLatest) is indeed running an
unadulterated, latest version of Bitcoin Core
- that a node claiming that it does not harvest IP addresses from SPV
clients indeed does not harvest IP addresses.
- that a cloud hashing outfit that rented out X terahashes to a user did
indeed rent out X terahashes to that particular user,
- that a miner operating on behalf of some pool P will not misbehave and
discard perfectly good blocks
and so forth. All of these would be great for the ecosystem. Just getting
rid
of the cloudhashing scams would put an end to a lot of heartache.
> Keep in mind that when an open pool gets big, like GHash did and
> > two other pools did before them, the only thing at our disposal used
> > to be to yell at people about centralization until they left the big
> > pools and reformed into smaller groups. Not only was such yelling
> > kind of desperate looking, it wasn't incredibly effective, either.
> > We had no protocol mechanisms that put pressure on big pools to
> > stop signing up people. Ittay's discovery changed that: pools that
> > get to be very big by indiscriminately signing up miners are likely to
> > be infiltrated and their profitability will drop. And Peter's post is
> > evidence that this is, indeed, happening as predicted. This is a
> > good outcome, it puts pressure on the big pools to not grow.
>
> GHash.io was not a pure pool - they owned and operated a significant
> amount of physical hashing power, and it's not at all clear that their %
> of the network actually went down following that 51% debacle.
>
Right, it's not clear at all that yelling at people has much effect. As much
fun as I had going to that meeting with GHash in London to ask them to
back down off of the 51% boundary, I am pretty sure that yelling at large
open pools will not scale. We needed better mechanisms for keeping pools
in check.
And Miner's Dilemma (MD) attacks are clearly quite effective. This is a
time when we should count our blessings, not work actively to render
them inoperable.
Currently a significant % of the hashing power - possibly a majority -
> is in the form of large hashing installations whose owners individually,
> and definitely in trusting groups, have enough hashing power to solo
> mine. Eyal's results indicate those miners have incentives to attack
> pools, and additionally they have the incentive of killing off pools to
> make it difficult for new competition to get established, yet they
> themselves are not vulnerable to that attack.
>
There are indeed solo miners out there who can attack the big open
pools. The loss of the biggest open pools would not be a bad outcome.
Pools >25% pose a danger, and the home miner doesn't need a pool
>25% for protection against variance.
> Peter, you allude to a specific suggestion from Luke-Jr. Can you
> > please describe what it is?
>
> Basically you have the pool pick a secret k for each share, and commit
> to H(k) in the share. Additionally the share commits to a target divider
> D. The PoW validity rule is then changed from H(block header) < T, to be
> H(block header) < T * D && H(H(block header) + k) < max_int / D
>
Thanks, this requires a change to the Bitcoin PoW. Good luck with that!
Once again, this suggestion would make the GHash-at-51% situation
possible again. Working extra hard to re-enable those painful days
sounds like a terrible idea.
- egs
--001a11466d1cfbff6d0527575077
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div class=3D"gmail_extra"><div class=3D"gmail_quote">On S=
un, Dec 20, 2015 at 8:28 AM, Peter Todd <span dir=3D"ltr"><<a href=3D"ma=
ilto:pete@petertodd.org" target=3D"_blank">pete@petertodd.org</a>></span=
> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bo=
rder-left:1px #ccc solid;padding-left:1ex">There are a number of techniques=
that can be used to detect block<br>
withholding attacks that you are not aware of. These techniques usually<br>
have the characteristic that if known they can be avoided, so obviously<br>
those who know about them are highly reluctant to reveal what exactly<br>
they are. I personally know about some of them and have been asked to<br>
keep that information secret, which I will.<br></blockquote><div><br></div>=
<div>Indeed, there are lots of weak measures that one could employ against=
=C2=A0</div><div>an uninformed attacker. As I mentioned before, these are u=
nlikely to be</div><div>effective against a savvy attacker, and this is a g=
ood thing.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D=
"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
In the context of KYC, this techniques would likely hold up in court,<br>
which means that if this stuff becomes a more serious problem it's<br>
perfectly viable for large, well-resourced, pools to prevent block<br>
withholding attacks, in part by removing anonymity of hashing power.<br>
This would not be a positive development for the ecosystem.<br></blockquote=
><div><br></div><div>KYC has a particular financial-regulation connotation =
in Bitcoin circles,=C2=A0</div><div>of which I'm sure you're aware,=
and which you're using as a spectre.=C2=A0</div><div>You don't mea=
n government-regulated-KYC a la FINCEN and Bitcoin</div><div>exchanges like=
Coinbase, you are just referring to a pool operator</div><div>demanding to=
know that its customer is not coming from its competitors'</div><div>d=
ata centers.</div><div><br></div><div>And your prediction doesn't seem =
well-motivated or properly justified.=C2=A0</div><div>There are tons of con=
ditionals in your prediction, starting with the premise<br></div><div>that =
every single open pool would implement some notion of identity=C2=A0</div><=
div>checking. I don't believe that will happen. Instead, we will have t=
he bigger</div><div>pools become more suspicious of signing up new hash pow=
er, which is a</div><div>good thing. And we will have small groups of peopl=
e who have some reason</div><div>for trusting each other (e.g. they know ea=
ch other from IRC, conferences,=C2=A0</div><div>etc) band together into sma=
ll pools. These are fantastic outcomes for</div><div>decentralization.</div=
><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8e=
x;border-left:1px #ccc solid;padding-left:1ex">Secondly, DRM tech can also =
easily be used to prevent block withholding<br>
attacks by attesting to the honest of the hashing power. This is being<br>
discussed in the industry, and again, this isn't a positive development=
<br>
for the ecosystem.<br></blockquote><div><br></div><div>DRM is a terrible ap=
plication. Once again, I see that you're trying to use those</div><div>=
three letters as a spectre as well, knowing that most people hate DRM, but=
=C2=A0</div><div>keep in mind that DRM is just an application -- it's l=
ike pointing to Adobe Flash</div><div>to taint all browser plugins.</div><d=
iv><br></div><div>The tech behind DRM is called "attestation," an=
d it provides a technical=C2=A0</div><div>capability not possible by any ot=
her means. In essence, attestation can ensure that</div><div>a remote node =
is indeed running the code that it purports to be running. Since=C2=A0</div=
><div>most problems in computer security and distributed systems stem from =
not</div><div>knowing what protocol the attacker is going to follow, attest=
ation is the only=C2=A0</div><div>technology we have that lets us step arou=
nd this limitation.=C2=A0</div><div><br></div><div>It can ensure, for insta=
nce,=C2=A0</div><div>=C2=A0 - that a node purporting to be Bitcoin Core (vL=
atest) is indeed running an</div><div>unadulterated, latest version of Bitc=
oin Core=C2=A0</div><div>=C2=A0 - that a node claiming that it does not har=
vest IP addresses from SPV=C2=A0</div><div>clients indeed does not harvest =
IP addresses.</div><div>=C2=A0 - that a cloud hashing outfit that rented ou=
t X terahashes to a user did=C2=A0<br></div><div>indeed rent out X terahash=
es to that particular user,=C2=A0</div><div>=C2=A0 - that a miner operating=
on behalf of some pool P will not misbehave and</div><div>discard perfectl=
y good blocks</div><div>and so forth. All of these would be great for the e=
cosystem. Just getting rid</div><div>of the cloudhashing scams would put an=
end to a lot of heartache.</div><div><br></div><blockquote class=3D"gmail_=
quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1=
ex"><span>
> Keep in mind that when an open pool gets big, like GHash did and<br>
> two other pools did before them, the only thing at our disposal used<b=
r>
> to be to yell at people about centralization until they left the big<b=
r>
> pools and reformed into smaller groups. Not only was such yelling<br>
> kind of desperate looking, it wasn't incredibly effective, either.=
<br>
> We had no protocol mechanisms that put pressure on big pools to<br>
> stop signing up people. Ittay's discovery changed that: pools that=
<br>
> get to be very big by indiscriminately signing up miners are likely to=
<br>
> be infiltrated and their profitability will drop. And Peter's post=
is<br>
> evidence that this is, indeed, happening as predicted. This is a<br>
> good outcome, it puts pressure on the big pools to not grow.<br>
<br>
</span>GHash.io was not a pure pool - they owned and operated a significant=
<br>
amount of physical hashing power, and it's not at all clear that their =
%<br>
of the network actually went down following that 51% debacle.<br></blockquo=
te><div><br></div><div>Right, it's not clear at all that yelling at peo=
ple has much effect. As much</div><div>fun as I had going to that meeting w=
ith GHash in London to ask them to</div><div>back down off of the 51% bound=
ary, I am pretty sure that yelling at large</div><div>open pools will not s=
cale. We needed better mechanisms for keeping pools</div><div>in check.</di=
v><div><br></div><div>And Miner's Dilemma (MD) attacks are clearly quit=
e effective. This is a</div><div>time when we should count our blessings, n=
ot work actively to render</div><div>them inoperable.</div><div><br></div><=
blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px=
#ccc solid;padding-left:1ex">
Currently a significant % of the hashing power - possibly a majority -<br>
is in the form of large hashing installations whose owners individually,<br=
>
and definitely in trusting groups, have enough hashing power to solo<br>
mine. Eyal's results indicate those miners have incentives to attack<br=
>
pools, and additionally they have the incentive of killing off pools to<br>
make it difficult for new competition to get established, yet they<br>
themselves are not vulnerable to that attack.<br></blockquote><div><br></di=
v><div>There are indeed solo miners out there who can attack the big open</=
div><div>pools. The loss of the biggest open pools would not be a bad outco=
me.</div><div>Pools >25% pose a danger, and the home miner doesn't n=
eed a pool=C2=A0</div><div>>25% for protection against variance.=C2=A0</=
div><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
> Peter, you allude to a specific suggestion from Luke-Jr. Can you<br>
> please describe what it is?<br>
<br>
</span>Basically you have the pool pick a secret k for each share, and comm=
it<br>
to H(k) in the share. Additionally the share commits to a target divider<br=
>
D. The PoW validity rule is then changed from H(block header) < T, to be=
<br>
H(block header) < T * D && H(H(block header) + k) < max_int /=
D<br></blockquote><div><br></div><div>Thanks, this requires a change to th=
e Bitcoin PoW. Good luck with that!=C2=A0</div><div><br></div><div>Once aga=
in, this suggestion would make the GHash-at-51% situation=C2=A0</div><div>p=
ossible again. Working extra hard to re-enable those painful days=C2=A0</di=
v><div>sounds like a terrible idea.=C2=A0</div><div><br></div><div>- egs</d=
iv><div><br></div></div></div></div>
--001a11466d1cfbff6d0527575077--
|