path: root/f7/f81b68c614e75c443211876f43efd9721feeba

Delivery-date: Tue, 23 Jul 2024 09:19:39 -0700
Received: from mail-oo1-f56.google.com ([209.85.161.56])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBDBNTKFG4EDRBEVQ762AMGQEEXXUMVY@googlegroups.com>)
	id 1sWIEk-0007mO-VW
	for bitcoindev@gnusha.org; Tue, 23 Jul 2024 09:19:39 -0700
Received: by mail-oo1-f56.google.com with SMTP id 006d021491bc7-5ccb04330ccsf4472556eaf.3
        for <bitcoindev@gnusha.org>; Tue, 23 Jul 2024 09:19:38 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1721751572; cv=pass;
        d=google.com; s=arc-20160816;
        b=IMhUiizp0Ycyrj+EkpzXMg/FSWYM0LXkpcnr+bk5qF7J7w/weRcod7qaNiMwT19msg
         AgLbXzPpMemE49nL1TS9h/bVYKhlpDAfqXZE0j9G/6bIBUi80TOhDFdOPdZoZ/WhfxAx
         x5cicgGHpV4YYbxPHeZ3CU7NXEuDRQ0XkZ4WrcZ5UgKViVmy31/+pdCZU6xYhZVDzkk9
         LrPYQ+j/nTeTz3yRxoegl2JGxEJgJ3LlKajk61T3Mtfy00UOjOmFkj2DD8Uabvz5OLCy
         APIjToFyh2+vxZQdBfLhg4ruk93qq8ntFunwhUefOjOyO1TVO1iR/EPG3DkeGUVCc6FN
         6zHQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:content-transfer-encoding
         :content-disposition:mime-version:message-id:subject:to:from:date
         :sender:dkim-signature;
        bh=JvkpqKYmLYDeWo7dP1niAa0SBJUBAGwAgtXadfwB29Q=;
        fh=uzBleHtgOhsRsUsYhJ3afpucRXBT6V27Jl6BurcxBFY=;
        b=hnKO5LE6e6ySQpWUcuuQvrR/r+tkZuTyIDVqmRFpctpv3fxw25Q8T1xuIECdQRgkB3
         QCvidu0uFp71iAaXoAwIUsCy1GOAnhsHrSUNsO159PEPvt1R7h3OUH0yEcoN47S0s1yb
         bV1kne40Jso+EcACX79/aF1/eki0lBpfuMa4yAG0bZqvUp2UPZhHpJUleCmh4WnzjMFT
         ebkBgOKNSMYqNfnvA7aFIt8mhs4ITGdxCltfKqx028qFTNg1EEkBzImRvJXHiAm69IM1
         2AZ/FKZdT8ZgxApxZY6bZWxrqVb65KUeDJyT2Pum1gxgZmXIel9LctYKCyHLscY4cYEt
         WOEw==;
        darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       spf=pass (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as permitted sender) smtp.mailfrom=aj@erisian.com.au
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1721751572; x=1722356372; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:content-transfer-encoding:content-disposition
         :mime-version:message-id:subject:to:from:date:sender:from:to:cc
         :subject:date:message-id:reply-to;
        bh=JvkpqKYmLYDeWo7dP1niAa0SBJUBAGwAgtXadfwB29Q=;
        b=sxE2g0JLkPHnD/dmrujPDrLkmtDYv4wLZOV5Ug+YYpN8YkhkV4jHhUrq0Xv8qHeiEL
         u9ja4EzZCOi61AMj4UYeGGNkbR58pvV5AcyrFl3O7ypMYOVp4h6wOWYUuBKkCCmeOERo
         vKZyGm1pjQ8/goUofTR5sLftMXuiRvNu91l41Z7Rpg0Xy2aLlDB6l9yGBqE4sARtU3Oe
         h22n0VmeXta+A9rwFBmQQXJ2HEGk1ioSKQ9cN0z/+/o2tGaUZzsj8CBj7GyV7VClVJ8i
         VE2JueNAKEcDsYp/bUzgaRpPZGURlBNNjz6+XvwMitBJHMu4VjeYsUAG3du+QYAG79mG
         wEiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1721751572; x=1722356372;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:content-transfer-encoding:content-disposition
         :mime-version:message-id:subject:to:from:date:x-beenthere
         :x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=JvkpqKYmLYDeWo7dP1niAa0SBJUBAGwAgtXadfwB29Q=;
        b=ikwxRtY2eO1+5NkPUJ39eN1ZiO6Lh6lVlM5uP8Nwp5omT2vm+wYAabCuFJaz55X3f4
         +vHrljCZmuiSxhAqMvHMEbqk7OBX4BDN0zzH8ubLNw/y21LjbHyVrBtXJ9Ja1z9SJvfo
         QKTSbhBVZQUyUOetUf5u4m/8zY1Zc8cbtAB74tkMu07+6J93t7D+BVfMNsuGCitDmNAL
         jWovEItVDa3rJPwdNqzD+6NvRx0s13vjMZmTnfcOypUnIpgdRR6O9qtIULVHJoriK2Q8
         JVSNApwE3GjIve0wivnqHuu8eTvJGlbTksgiItYEnsb3LaEVxtEKAzW6gxMgaF5ipNKy
         nCSQ==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCUVChsDbXIhSj5T/fTVhTbUgiciqq4lptV7A0taQJXhakeTnyLEJp1OiBY4hWMwkSouXWX8dSusnJITut+DRtgOHJNW7MY=
X-Gm-Message-State: AOJu0YyMpp+AMx+HkML67wiF1qQSOSR3c/Q+K4q0MXPiVLA/6oQ0Q+Fh
	BmOp8Dm/kJyO/uyCPgisR5+YcCRK0J8R9wFfjYC50xDLh3FBOs3K
X-Google-Smtp-Source: AGHT+IHoDzY/wSF8USm9naHKdLk+ytpPjobycmlHUFFN4sOfIE9/P4gMOk8bdAnenHDUasDaK53HCg==
X-Received: by 2002:a05:6820:1b15:b0:5c6:9320:53a3 with SMTP id 006d021491bc7-5d564fb672fmr14903515eaf.4.1721751572176;
        Tue, 23 Jul 2024 09:19:32 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a4a:106:0:b0:5c4:40e9:9160 with SMTP id 006d021491bc7-5d51a246fc5ls5434440eaf.0.-pod-prod-01-us;
 Tue, 23 Jul 2024 09:19:30 -0700 (PDT)
X-Received: by 2002:a05:6820:1c87:b0:5cd:13ff:4fa6 with SMTP id 006d021491bc7-5d564eec276mr406400eaf.2.1721751570421;
        Tue, 23 Jul 2024 09:19:30 -0700 (PDT)
Received: by 2002:a05:6808:984:b0:3d9:302f:bb85 with SMTP id 5614622812f47-3dadf171cc4msb6e;
        Tue, 23 Jul 2024 08:02:35 -0700 (PDT)
X-Received: by 2002:a05:6870:1715:b0:254:d163:c3aa with SMTP id 586e51a60fabf-2638df302acmr9141858fac.16.1721746954815;
        Tue, 23 Jul 2024 08:02:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1721746954; cv=none;
        d=google.com; s=arc-20160816;
        b=hEnLZ6mM3uEg9ObwzoFj5FHVc7QDuTaC4J7AfmHWd6sPys1UmaoPd1ut04v9AkZ/nK
         yyjsyeQXez8/bJVsnx8m3hwrwlMffF6lChNkT5QO91c3f1+eFEUk6XTkMi4Pmg8Ejshz
         LGWITd7kGZuqDVd7teKUVJZK44eDrJ7Xzp2SMHax02VX27hkghLMCCmBI8taCB3HJYZq
         xE0BHfy4wcn2KaGS8qjby/PdMh4ZWryvCX+DRHAuaK18klNCSnadUoj2KGWvU2ONZqgX
         +K9Se9NbTFV3rUgmSFumit2er38xUtjLg1uHIS0FVhiRStJ8S09e3QfpJzr7MVEAZdnR
         jfOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-disposition:mime-version
         :message-id:subject:to:from:date;
        bh=xaaPNedDkXs3mk58+HfoUJH9ql7lZIPGOJeuygSyFFY=;
        fh=VcGcg+Zjs9gw1uDcHbxsAILhBAcecnbJzZRdxgKVDIc=;
        b=u23u/WIhBFLiruW+nlJFDMycR0zf/AD5ux8cSQ5YltIA477LMyVJiRmTOHxHyYDzUR
         jlPb5WLQh5VakpqwVwDG6+t6tL+AviY5FVeXqOj5Wiwca2HPzhtLD7o+db/2gf5lKw4P
         +46oNR5UT3ChEHGz1RcNBaQVX0Gp8WyTnR89YbXcp89EToBfJeS+E/aZEMf9XtWhkOO+
         dK0enpAKvHvOfnM9JW54dmEeeZddFPTKThX2m8ulZDqdj7mwnIdoQwBc2LUrtr7bzyE6
         gkbnYq4YLOeon3FSSJnqDvFJBobw0oI/5RpvwEyFfMN1BiPhk+Wz5jsSnoP93EOMJ+GK
         rshQ==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as permitted sender) smtp.mailfrom=aj@erisian.com.au
Received: from cerulean.erisian.com.au (azure.erisian.com.au. [172.104.61.193])
        by gmr-mx.google.com with ESMTPS id 586e51a60fabf-2610cad2ef7si398776fac.3.2024.07.23.08.02.34
        for <bitcoindev@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 23 Jul 2024 08:02:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as permitted sender) client-ip=172.104.61.193;
Received: from aj@azure.erisian.com.au
	by cerulean.erisian.com.au with esmtpsa  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <aj@erisian.com.au>)
	id 1sWH25-0004bN-Fq
	for bitcoindev@googlegroups.com; Wed, 24 Jul 2024 01:02:32 +1000
Received: by email (sSMTP sendmail emulation); Wed, 24 Jul 2024 01:02:24 +1000
Date: Wed, 24 Jul 2024 01:02:24 +1000
From: Anthony Towns <aj@erisian.com.au>
To: bitcoindev@googlegroups.com
Subject: [bitcoindev] Mining pools, stratumv2 and oblivious shares
Message-ID: <Zp/GADXa8J146Qqn@erisian.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
X-Spam_score: 0.0
X-Spam_bar: /
X-Original-Sender: aj@erisian.com.au
X-Original-Authentication-Results: gmr-mx.google.com;       spf=pass
 (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as
 permitted sender) smtp.mailfrom=aj@erisian.com.au
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)

Hi *,

1. stratumv2 templates via client-push
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The stratumv2 design document suggests:

> Use a separate communication channel for transaction selection so
> that it does not have a performance impact on the main mining/share
> communication, as well as can be run in three modes - disabled (i.e.pool
> does not yet support client work selection, to provide an easier
> transition from Stratum v1), client-push (to maximally utilize the
> client=E2=80=99s potential block-receive-latency differences from the poo=
l),
> and client-negotiated (for pools worried about the potential of clients
> generating invalid block templates).

 -- https://stratumprotocol.org/specification/02-Design-Goals/

To me, the "client-push" approach (vs the client-negotiated approach)
seems somewhat unworkable (at least outside of solo mining).

In particular, if you're running a pool and have many clients generating
their own templates, and you aren't doing KYC on those clients, and aren't
fully validating every proposed share, then it becomes very easy to do a
"block withholding attack" [0] -- just locally create invalid blocks,
submit shares as normal, receive payouts as normal for partial shares
because the shares aren't being validated, and if you happen to find
an actual block, the pool loses out because none of your blocks were
actually valid. (You can trivially make your block invalid by simply
increasing the pool payout by 1 sat above the correct value)

Validating arbitrary attacker submitted templates seems likely to be
expensive, as they can produce transactions which aren't already in your
mempool, are relatively expensive to validate, and potentially conflict
with transactions that other clients are selecting, causing you to have
to churn txs in and out of your mempool.

Particularly if an attacker could have an array of low hashpower workers
all submitting different templates to a server, it seems like it would
be relatively easy to overload any small array of template-validater
nodes, given a pure client-push model. In which case client-push would
only really make sense for pure solo-mining, where you're running your
own stratumv2 server and your own miners and have full control (and thus
trust) from end to end.

Does that make sense, or am I missing something?

I think a negotiated approach could look close to what Ocean's template
selection looks like today: that is the pool operator runs some nodes with
various relay policies that generate blocks, and perhaps also allows for
externally submitted templates that it validates. Then clients request
work according to their preferences, perhaps they specify that they
prefer the "no-ordinals template", or perhaps "whatever template has the
highest payout (after pool fees)". The pool tracks the various templates
it's offered in order to validate shares and to broadcast valid blocks
once one is found.

A negotiated approach seems also more amenable to including out of band
payments, such as mempool.space's accelerator, whether those payments
are distributed to miners or kept by the pool.

This could perhaps also be closer to the ethereum model of
proposer/builder separation [7], which may provide a modest boost
to MEV/MEVil resistance -- that is if there is MEV available via some
clever template construction, specialist template builders can construct
specialised templates paying slightly higher fees and submit those to
mining pools, perhaps splitting any excess profits between the pool and
template constructor. Providing a way for external parties to submit
high fee templates to pools (rate-limited by a KYC-free bond payment
over LN perhaps), seems like it would help limit the chances of that
knowledge being kept as a trade secret to one pool or mining farm, which
could then use its excess profits to become dominant, and then gain too
much ability to censor txs. Having pools publish the full templates for
auditing purposes would allow others to easily incrementally improve on
clever templates by adding any high-fee censored transactions back in.

2. block withholding and oblivious shares
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Anyway, as suggested by the subject-line and the reference to [0],
I'm still a bit concerned by block withholding attacks -- where an
attacker finds decentralised pools and throws hashrate at them to make
them unprofitable by only sending the 99.9% of shares that aren't valid
blocks, while withholding/discarding the 0.1% of shares that would be
a valid block. The result being that decentralised non-KYC pools are
less profitable and are replaced by centralised KYC pools that can
ban attackers, and we end up with most hashrate being in KYC pools,
where it's easier for the pools to censor txs, or miners to be found
and threatened or have their hardware confiscated. (See also [6])

If it were reasonable to mine blocks purely via the tx merkle root,
with only the pool knowing the coinbase or transaction set at the time
of mining, I think it could be plausible to change the PoW algorithm to
enable oblivious shares: where miners can't tell if a given valid share
corresponds to a valid block or not, but pools and nodes can still easily
easily validate work form just the block header.

In particular I think an approach like this could work:

  * take the top n-bits of the prev hash in the header, which are
    currently required to be all zeroes due to `powLimit` (n=3D0 for regtes=
t,
    n<=3D8 in general)
  * stop requiring these bits to be zero, instead interpret them as
    `nBitsShareShift`, from 0 to up to 255
  * when nBitsShareShift > 0, check that the share hash is less than or
    equal to (2**256 - 1) >> nBitsShareShift, where the share hash is
    calculated as
      sha256d( nVersion, hashPrevBlock, sha256d( hashMerkleRoot ),
               nTime, nBits, nNonce )
  * check that the normal block hash is not greater than
      FromCompact(nBits) << nBitsShareShift

Note that this would be a light-client visible hard fork -- any blocks
that set nBitsShareShift to a non-zero value would be seen as invalid
by existing software that checks header chains.

It's also possible to take a light-client invisible approach by decreasing
the value of nBits, but providing an `nBitsBump` that new nodes validate
but existing nodes do not (see [1] eg). This has the drawback that it
would become easy to fool old nodes/light clients into following the
wrong chain, as they would not be fully validating proof-of-work, which
already breaks the usual expectations of a soft fork (see [2] eg). Because
of that, a hard fork approach seems safer here to me. YMMV, obviously.

The above approach requires two additional sha256d operations when
nodes or light clients are validating header work, but no additional
data, which seems reasonable, and should require no changes to machines
capable of header-only mining -- you just use sha256d(hashMerkleRoot)
instead of hashMerkleRoot directly.

In this scenario, pools are giving their client sha256d(hashMerkleRoot)
rather than hashMerkleRoot or a transaction tree directly, and
`nBitsShareShift` is set based on the share difficulty. Pools then
check the share is valid, and additionally check whether the share has
sufficient work to be a valid block, which they are able to do because
unlike the miner, they can calculate the normal block hash.

The above assumes that the pool has full control over the coinbase
and transaction selection, and that the miner/client is not able to
reconstruct all that data from its mining job, so this would be another
reason why a pool would only support a client-negotiated approach for
templates, not a client-push approach. Note that miners/clients could
still *audit* the work they've been given if the pool makes the full
transaction set (including coinbase) for a template available after each
template expires.

Some simple numbers: if a miner with control of 10% hashrate decided
to attack a decentralised non-KYC pool with 30% hashrate, then they
could apply 3.3% hashrate towards a blockwithholding attack, reducing
the victim's income to 90% (30% hashrate finding blocks vs 33% hashrate
getting payouts) while only reducing their own income to 96.7% (6.7%
hashrate at 100% payout, 3.3% at 90%). If they decided to attack a miner
with 50% hashrate, they would need to provide 5.55% of total hashrate to
reduce the victim's income to 90%, which would reduce their own income
to 94.45% (4.45% at 100%, 5.55% at 90%).

I've seen suggestions that block withholding could be used as a way
to attack pools that gain >50% hashpower, but as far as I can see it's
only effective against decentralised, non-KYC pools, and more effective
against small pools than large ones, which seems more or less exactly
backwards to what we'd actually want...

Some previous discussion of block withholding and KYC is at [3] [4]
[5].

3. extra header nonce space
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D

Given BIP320, you get 2**48 values to attempt per second of nTime,
which is about 281 TH/s, or enough workspace to satisfy a single S21 XP
at 270 TH/s. Maybe that's okay, but maybe it's not very much.

Since the above would already be a (light-client visible) hard fork, it
could make sense to also provide extra nonce space that doesn't require
touching the coinbase transaction (since we're relying on miners not
having access to the contents of the tx merkle tree).

One approach would be to use the leading zeroes in hashPrevBlock as
extra nonce space (eg, [8]). That's particularly appealing since it
scales exactly with difficulty -- the higher the difficulty, the more
nonce space you need, but the more required zeroes you have. However
the idea above unfortuantely reduces the available number of zero bits
in the previous block hash by that block's choice of nBitsShareShift,
which may take a relatively large value in order to reduce traffic with
the pool. So sadly I don't think that approach would really work.

Another way to do that could work might be to add perhaps 20 bytes of
extra nonce to the header, and calculate the block hashes as:

  normal hash -> sha256d(
       nVersion, hashPrevBlock,
       sha256d( merkleRoot, TagHash_BIPxxx(extraNonce) ),
       nTime, nBits, nNonce
  )

and

  share hash -> sha256d(
       nVersion, hashPrevBlock,
       sha256d( sha256d(merkleRoot), TagHash_BIPxxx(extraNonce) ),
       nTime, nBits, nNonce
  )

That should still be compatible with existing mining hardware. Though it
would mean nodes are calculating 5x sha256d and 1x taghash to validate
a block header's PoW, rather than just 1x sha256d (now) or 3x sha256d
(above).

This approach would also not require changes in how light clients verify
merkle proofs of transaction inclusion in blocks, I believe. (Using a
bip340-esque TagHash for the extraNonce instead of nothing or sha256d
hopefully prevents hiding fake transactions in that portion)

4. plausibility
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

It's not clear to me how serious a problem block withholding is. It
seems like it would explain why we have few pools, why they're all
pretty centralised, and why major ones care about KYC, but there are
plenty of other explanations for both those things. So even if this
was an easy fix, it's not clear to me how much sense it makes to think
about. And beyond that's it's a consensus change (ouch), a hard fork
(ouch, ouch) and one that requires every light client to upgrade (ouch,
ouch, ouch!). However, all of that is still just code, and none of those
things are impossible to achieve, if they're worth the effort. I would
expect a multiyear deployment timeline even once the code was written
and it was widely accepted as a good idea, though.

If this is a serious problem for the privacy and decentralisation of
mining, and a potential threat to bitcoin's censorship resistance,
it seems to me like it would be worth the effort.

5. conclusions?
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Anyway, I wanted to write my thoughts on this down somewhere they could
be critiqued. Particularly the idea that everyone building their own
blocks for public pools running stratumv2 doesn't actually make that much
sense, as far as I can see.

I think the share approach in section 2 and the extranonce approach in
section 3 are slightly better than previous proposed approaches I've seen,
so are worth having written down somewhere.

Cheers,
aj

[0] https://bitcoil.co.il/pool_analysis.pdf

[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-December/0=
12051.html

[2] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/0=
12443.html

[3] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-December/0=
12060.html

[4] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-December/0=
12111.html

[5] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-December/0=
12069.html

[6] https://bitcoinops.org/en/topics/pooled-mining/#block-withholding-attac=
ks

[7] https://ethereum.org/en/roadmap/pbs/

[8] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-December/0=
15386.html

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/Zp/GADXa8J146Qqn%40erisian.com.au.