<div dir="ltr"><div class="gmail_quote"><div dir="ltr">John Levine <<a href="mailto:johnl@iecc.com">johnl@iecc.com</a>>, 28 May 2018 Pzt, 23:14 tarihinde şunu yazdı:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Have there been any good papers on the security model of blockchains?<br>
I'm thinking of stuff like collusion, network partitioning, miners<br>
losing interest or being bribed, and of course latent software bugs.<br>
In some cases it's not obvious to me how you'd even tell that an<br>
attack was happening until much later.<br></blockquote><div><br></div><div>I think the boundary of the blockchain security model is drawn by the super-rational attack, where it is far from trivial to detect the system is under attack, and there is no defense mechanism due to the anchor-to-iceberg problem inherent in the design. I summarize below my previous post on the subject:</div><div><br></div><div>


















<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;font-size:12pt;font-family:"Times New Roman",serif"><span style="color:rgba(0,0,0,0.84);font-family:Arial,sans-serif;font-size:10pt;letter-spacing:-0.05pt">QUOTE </span><br></p><p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;font-size:12pt;font-family:"Times New Roman",serif"><span style="font-family:Arial,sans-serif;font-size:10pt;letter-spacing:-0.05pt;color:rgba(0,0,0,0.84)">Assumptions:</span><br></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="7689" id="gmail-7689"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">1. The Establishment
(Gov+FED+Banks+Corproteuracy) is under the threat of disruption by Bitcoin.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="6e09" id="gmail-6e09"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">2. It fights back for
survival when this threat becomes serious.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="489c" id="gmail-489c"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">3. It has enough power
(money) to get more than 50% hash power.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="3a8f" id="gmail-3a8f"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">The attack scenario:<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="4c73" id="gmail-4c73"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">1. The attacker (the
Establishment) gains the majority hash-power to rule the longest chain.
Deciding what transactions to select from the mempool, deciding the next block.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="16b6" id="gmail-16b6"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">2. The attacker forms
sybil agents. This is trivial. Thanks to permisionlessness:) Bitcoin indeed
recommends everyone to create sybil agents for each transaction (key
pairs/addresses).<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="4c19" id="gmail-4c19"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">3. The attacker fuels its
sybil agents with a constant (not much) amount of bitcoins.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="275c" id="gmail-275c"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">4. Sybil agents flood the
system with valid transaction requests with transaction fees varying slightly
above the average.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="0dce" id="gmail-0dce"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">5. Sybil miners select
these valid sybil transactions filling the entire block space and denying most
if not all of the honest transactions.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="a393" id="gmail-a393"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">6. Sybil miners send the
transaction fees back to the sybil agents through atomic swap, zero knowledge,
etc. pathways escaping tracking. Thanks to privacy:)<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="681a" id="gmail-681a"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">7. The feedback loop
provides the vicious cycle which helps the attacker sustain an infinite loop
attack with a constant amount of money. We all know that no one (not even
Bitcoin) survives an infinite loop.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="b19e" id="gmail-b19e"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">Since Bitcoin is
censor-proof, your coin equals mine, all valid transactions are equal, it is
legitimate that transaction fees can determine the choice from the mempool and
that the system is based on dont-trust-the-miners game theoretical approach;
there is no solution to the above attack scenario. Actually, it would be
non-trivial to understand the system is under attack. I could not find a
solution in Bitcoin. I shared it with top technical guys this weekend at the
Bitcoin Ethereum Superconference in Dallas. And none provided an answer. Some
said it is mathematically impossible to find a solution and admitted that it is
a serious problem. One very famous, legendary developer said that this is not a
problem because such an attack will not happen. He was drunk and I did not take
him seriously apart from the observation that people can become very religious
on scientific topics. I forwarded this observation as a warning to myself.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="d3ba" id="gmail-d3ba"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">The above scenario owes
its success to the feedback loop from the miners back to the sybil agents.
Otherwise, we would not bother the cost of 51% hash-power. Just send valid
transaction requests involving higher transaction fees to flood the system. As
long as you do not control the blockchain you may keep spending transaction
fees irreversibly and cannot guarantee to block the entire chain. Miners (pool
managers) aware of the attack may collaborate to deny your transactions not to
lose their business in the long term. That feedback loop is possible because
POW is based on a scheme based on a fair race against the adversary. This makes
it easy for the attacker to acquire the authoritative power on the system.
Amazing design insisted with the assumption that the powerful target to disrupt
will not attack back for survival!<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="64f2" id="gmail-64f2"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">There are other less
costly, more effective super-rational attack scenarios involving speculative
approaches and it can easily be shown that the superrational attacker can get
the entire cryptocurrency space down easily through the vicious-cycle scheme
described above together with helper methods. The attacker can use its Exchange
in collusion with its sybil miners to selectively allow rushes from Bitcoin
towards the target currency (say USD). In this scenario, everybody would run to
save their precious money not giving a damn to Bitcoin.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="1d55" id="gmail-1d55"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">Long story short: PoW is
a bad idea to be used on the processor side. It is an extremely inefficient way
to secure the system. If use PoW (I don’t recommend at all) use only when you
can provide any degree of an unfair race against the attacker (client side). Even then it has
its own issues.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="d6ed" id="gmail-d6ed"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">POS and DPOS are also
vulnerable to the above attack because the super-rational attacker can get the
majority of the stake and as we learned from our democracy practice money gets
the votes. At DPOS people vote for candidates they do not know in person. They
vote based on incentives, lotteries advertised in campaigns. The super-rational
attacker with more money (and gain) would propose more, campaign better to
attract more votes. Secret services (like CIA) have such professional spies and
entities that it will be impossible for us to identify their real identities.
They span the entire space of people from selling hotdog on the street to
presidents of countries. It would be naive to guarantee that DPOS will never
allow money to get majority stake. Indeed, this weekend, I challenged Stan
Larimer (the godfather of Bitshares) face to face in a friendly manner among
his fans with the above attack scenario and he could not provide a solution and
said “let’s forward this to Dan” giving me his email.<span></span></span></p>

<p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="d8f4" id="gmail-d8f4"><span style="font-size:10pt;font-family:Arial,sans-serif;letter-spacing:-0.05pt">This is what I call the
anchor-to-iceberg problem. If you anchor to an iceberg, the attacker with enough energy can just melt it down. POW, POS, DPOS all anchor to things that are
convertible to money. This allows the super-rational attacker to gain control
of the system provided that it has enough money to spare. This combined with
the game-theoretical, permisionless, censor-proof, privacy-seeking system
dictates the fact that any crypto-currency system immune to super-rational
attack must anchor to something that gives the hard promise like the sun rising
every morning from the east and going down every evening on the west. A very
simple promise. But a hard one to break. A hard promise that you cannot break
with money.</span><span style="font-family:sans-serif;font-size:13px;color:rgb(34,34,34)"> </span></p><p class="gmail-graf" style="margin:6pt 0cm 0.0001pt;background:white;text-decoration-style:initial;text-decoration-color:initial;color:rgba(0,0,0,0.84);font-size:12pt;font-family:"Times New Roman",serif" name="d8f4" id="gmail-d8f4"><span style="font-family:sans-serif;font-size:13px;color:rgb(34,34,34)">UNQUOTE</span></p></div></div></div>