[Cryptography] The Golden Ratio Attack on Bitcoin.

Ray Dillinger bear at sonic.net
Wed Jul 15 19:08:22 EDT 2015


You may have heard of the recent "stress test" on Bitcoin.

It is an attack.  I guess I get to name it, so I'll call it the Golden
Ratio Attack.

It is not strictly cryptographic, but it's a serious attack on a
cryptographic system and it's being executed.

Any miner who controls more than one over the Golden Ratio of the mining
power makes a profit while paying the fees it takes to maintain a
permanent backlog of transactions, for as long as the blocks are more
than half full of other transactions.

The following assumes expenses roughly equal for miners relative to the
amount of hashing power they control.  This is not exactly true, because
a miner someplace where electricity is subsidized (like China) has
substantially lower expenses.  In such a place the fraction of mining
power required to make it profitable would be even less.

The *initial* "stress test" was a test to see whether the miner
controlled sufficient hashing power to make a profit by doing this.  We
can assume that test was successful, because now this miner is doing it.
Probably permanently.

The miner decides how much they want per transaction (anything that the
traffic will bear, as long as it keeps blocks more than half full of
real transactions), then keeps the backlog sufficiently full with bogus
transactions to prevent any tx that pays less than that from going through.

Maintaining the backlog subsidizes other people's mining as well as
their own, but means they don't need to compete with miners willing to
process transactions for less money in fees because those miners aren't
willing to process transactions for less fees when any transactions with
more fees are available.

Let's work the math.  If 2/3 of the transactions actually processed are
"real", then whoever is maintaining the backlog is paying the tx fees
for 1/3 of every block. If this is someone with half the mining power
then they get half of their third back, so their average cost per block
is the fees for 1/6 of the block.  If we are talking about someone with
half the mining power, their average return per block is 1/2 the fees
for a block.  Because 1/2 is greater than 1/3, they are making a profit.

The breakeven point for the biggest miner was when his fraction of the
mining power plus the fraction of each block devoted to legitimate
transactions was equal to one.  We can conclude that whoever is doing
this, if he started the instant it was profitable, controlled 2/(1 +
sqrt(5)) of the mining power at that time.  This happens to be the
inverse of the Golden Ratio.

It will continue to be in the financial best interests of any miner
controlling more than 2/(1 + sqrt(5)) of the mining power for as long as
blocks are more than half full with legitimate transactions.

This does not affect, and is not influenced by revenue from block
subsidies AT ALL.

All miners will see increased fee revenues in the competitive market.
They will respond to more revenue by investing more in equipment.
Those miners are still competing fairly with each other, though they
will make less on their investment than whoever's maintaining the
backlog.  It is not in their best interests to add bogus transactions to
the queue because with a smaller fraction than 2/(1+sqrt(5)) of the
mining power they would lose money on the fees they invest.

But any miner for whom this IS profitable, will make additional revenue
that the fair market among miners does not.  What percentage more,
depends on what fraction of the hashing power he controls. Any such
miner is competing at an advantage and will eventually drive all other
miners out of the market.

Miners for whom this is profitable must control at least 2/(1+sqrt(5))
of the mining power.  Therefore there can be no more than two miners
doing it at a profit.  And it's got positive feedback, so those two
cannot compete fairly. Assuming there are two, the instant one of them
has more hashing power than the other, he has a competitive advantage
over the other (gets back as revenue a greater fraction of all fees
spent than the other miner) and will eventually drive him out of the
market.

Bear
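The per-block fee accounting behind the post's 1/2 versus 1/3 example, written out as an added example (this is not code from Ray Dillinger's post). It assumes, as the post does, a uniform fee per transaction and that a miner's expected share of all fees in a block equals its share of hashing power; the function names `net_profit_per_block`, `breakeven_share` and `is_profitable` are ours, and the block sizes and fees passed in are constructed inputs.

```python
import math

# Inverse of the Golden Ratio, 2 / (1 + sqrt(5)) ~= 0.618, the figure quoted in the post.
GOLDEN_RATIO_INVERSE = 2 / (1 + math.sqrt(5))


def net_profit_per_block(share: float, legit_fraction: float,
                         fee_per_tx: float = 1.0, block_size: int = 1000) -> float:
    """Net fee income per block for a miner that fills the non-legitimate part of
    every block with its own fee-paying transactions.

    share          -- the miner's fraction of total hashing power (0..1)
    legit_fraction -- fraction of each block made up of other people's transactions
    Returns revenue minus the fees the miner itself pays, in fee units.
    """
    if not (0.0 <= share <= 1.0 and 0.0 <= legit_fraction <= 1.0):
        raise ValueError("share and legit_fraction must be fractions in [0, 1]")
    legit_txs = legit_fraction * block_size
    bogus_txs = block_size - legit_txs
    # The backlog maintainer pays the fee on every bogus transaction, whoever mines it.
    fees_paid = bogus_txs * fee_per_tx
    # Expected fee revenue is proportional to hashing share and includes the
    # fraction of its own fees it gets back by mining its own transactions.
    total_fees = block_size * fee_per_tx
    revenue = share * total_fees
    return revenue - fees_paid


def is_profitable(share: float, legit_fraction: float) -> bool:
    """True when maintaining the backlog yields positive net fee income."""
    return net_profit_per_block(share, legit_fraction) > 0.0


def breakeven_share(legit_fraction: float, tol: float = 1e-9) -> float:
    """Smallest hashing share at which the strategy stops losing money, found by
    bisection on net_profit_per_block (which is monotone increasing in share)."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if net_profit_per_block(mid, legit_fraction) > 0.0:
            hi = mid
        else:
            lo = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    # The post's worked case: half the hashing power, blocks two-thirds legitimate.
    print("net per block (share 1/2, 2/3 legit):",
          net_profit_per_block(0.5, 2 / 3))
    # Breakeven for a few legitimate fractions; observe share + legit_fraction == 1.
    for f in (0.5, 2 / 3, 1 - GOLDEN_RATIO_INVERSE):
        print(f"legit {f:.3f}: breakeven share {breakeven_share(f):.3f}")
```

Running the bisection for several legitimate fractions confirms the post's breakeven condition numerically: the share at which net income crosses zero is always 1 minus the legitimate fraction, so a miner at the inverse Golden Ratio breaks even when blocks are about 38% legitimate and is in profit at the "more than half full" point the post discusses.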
