[Cryptography] Another Bitcoin issue (maybe) (was: BitCoin bug reported)

Peter Todd pete at petertodd.org
Fri Feb 14 20:24:05 EST 2014

On Fri, Feb 14, 2014 at 08:52:52AM -0500, Phillip Hallam-Baker wrote:
> There is a similar risk in that the mining guilds have a network effect and
> it is better to be part of the biggest guild with the best tools. So the
> Ukrainian guild recently had to voluntarily shed members to avoid getting
> up to 51%.
> But there is nothing to stop a collusion under the table between the
> miners. And given the interest organized crime has taken in mining, that
> collusion can be coerced. We lost a couple of guys who are presumed
> murdered by the Russian mob a couple of years back and Ulrich is on charges
> of attempted murder. So a scenario in which the mob works out who controls
> the machines coordinating the mining rigs and literally puts a gun to their
> kids' heads if they don't help them steal a few tens of millions seems very
> likely to me.

There exists a completely peer-to-peer mining pool, p2pool, that itself
is decentralized with no central authorities administering it. Even
without that those owning hashing power can easily switch pools as well
as sell their hashing power to those pools anonymously. The
third-largest pool doesn't even require registration of any kind and
pays out mining rewards directly from the blocks they create; they don't
hold a significant amount of Bitcoins themselves.

The operation of hashing power itself has an inherent bias towards
decentralization due to simple physics: It costs less per joule to get
rid of a small amount of waste heat than a large amount because surface
area increases by the square and volume by the cube. In addition there
are many opportunities to get rid of smaller amounts of waste heat by
cheaply doing things like heating domestic hot water, strategies that
are less viable on a large scale.

The real centralization danger with mining is that no-one has figured
out how to make a PoW algorithm that doesn't allow for significant cost
efficiencies through ASICs; the economics of IC manufacturing are such
that only a very small number of firms, less than a dozen, control the
market and thus any PoW-based consensus system. Meanwhile the early
attempt of scrypt have failed badly; an ASIC has now been created
targeting scrypt and the joule/hash efficiency increase, the marginal
cost of hashing, compared to commodity hardware was higher than the
SHA256^2 algorithm in Bitcoin. I don't think anyone knows how to design
a PoW algorithm without this joule/hash efficiency increase
unfortunately; scrypt shows the memory-hard approach is flawed.

Pools are another centralization danger, however in this case we do have
reasonable ways to limit the incentives for pools to grow larger. For
instance you can make it possible for hashers to steal block rewards
they find, possibly undetectably with blind proofs, which renders large
pools useless as they'll be ripped off by those owning hashing power. In
conjunction with that you can reduce variance for small hashers to the
point where they can be true miners again with changes to how the
consensus works, e.g. with per-transaction PoW. Remarkably this can be
implemented in Bitcoin as a backwards compatible soft-fork; the
political challenge of doing so would be the hard part.

> Another area where cheating looks possible is in these 'proven secure'
> bitcoin gambling sites.
> Most of the sites tell you that they aren't cheating and for most
> Bitcoiners, that is enough. Though some are careful enough to look at the
> 'I'm not cheating page' where you can press buttons that tell you the site
> isn't cheating, honestly. Or if you are really paranoid you can download an
> open source program provided by the site owner and run it. And that will
> tell you that the site owner isn't cheating.
> How's that for confidence building?
> I can't see any specifications or explanations on the sites I have visited
> so I can't see if the protocols are vulnerable to other forms of attack. I
> am pretty sure that there are attacks that are going to be possible if the
> site owner colludes with the miners. One easy way to cheat would be to only
> include losing bets in the blockchain. Which would be visible in the
> results of course. Unless the site owner made sure to only cash out by
> making an equal number of known winning bets.

Colluding with "the" miners requires 100% co-operation for the attacks
you are talking about. For instance, in the case of winning bets in
SatoshiDice-style betting services the winning bets that do not get mined
in a block immediately, perhaps by collusion with 95% of all miners,
simply sit around until one of the remaining 5% does include them.

Now strictly speaking >50% can collude so that blocks containing winning
bets are ignored entirely, but then you're back to the underlying
security assumption of Bitcoin itself.

In any case the mathematically provable betting stuff can be just as
easily done without the Bitcoin blockchain, e.g. https://just-dice.com/

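The "mathematically provable" betting mentioned at the end of the reply is, in the general form such sites use, a commit-and-reveal scheme over a keyed hash: the house commits to a secret seed before any bet, the player contributes a seed of their own, each roll is a deterministic function of both, and the house reveals its seed afterwards so the player can recompute every roll offline. The following is an added example written for this page, not code from just-dice.com or any site named in the thread (whose actual protocols the thread does not describe); the seed derivation, the 52-bit scaling and the constructed seed values are assumptions, and the audit deliberately checks the three things a player can catch on their own: a seed that does not match the commitment, a roll the seeds do not produce, and a bet missing from the house's sequence (the analogue of the "only keep the losing bets" concern raised in the quoted message).

```python
"""Commit-and-reveal 'provably fair' dice roll, with a player-side audit.

Added example, not code from just-dice.com or any site named in the
thread. Assumed design (a generic scheme, not any site's documented one):
  1. the house picks a secret server seed and publishes sha256(seed) first;
  2. the player picks a client seed;
  3. bet n's roll is derived from HMAC-SHA256(server_seed, client_seed:n);
  4. when the seed is retired the house reveals it and the player recomputes
     every roll offline against the commitment and their own bet log.
"""
from __future__ import annotations

import hashlib
import hmac


def commit_server_seed(server_seed: bytes) -> str:
    """Commitment published before any bet is taken."""
    return hashlib.sha256(server_seed).hexdigest()


def roll(server_seed: bytes, client_seed: str, nonce: int) -> float:
    """Deterministic roll in [0, 100) for bet number `nonce`.

    52 bits of the HMAC output are scaled into [0, 1); using a fixed-width
    prefix avoids the modulo bias of something like int(digest, 16) % 10000.
    """
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    top52 = int.from_bytes(digest[:7], "big") >> 4  # 56 bits taken, 52 kept
    return top52 / float(1 << 52) * 100.0


def verify_session(commitment: str, revealed_seed: bytes, client_seed: str,
                   my_bets: list[tuple[int, float]]) -> list[str]:
    """Audit the house after it reveals the seed.

    `my_bets` is the player's OWN log of (nonce, roll the site reported),
    not a list fetched from the site. Returns complaints; [] means the
    session checks out.
    """
    problems: list[str] = []
    # (a) The revealed seed must be the one committed to before any bet;
    #     otherwise the house could choose a seed after seeing the bets.
    if commit_server_seed(revealed_seed) != commitment:
        return ["revealed seed does not match the published commitment"]
    # (b) Nonces must be consecutive: a gap means the house's record and
    #     the player's disagree about which bets happened.
    nonces = [n for n, _ in my_bets]
    if nonces != list(range(1, len(my_bets) + 1)):
        problems.append(f"nonce sequence {nonces} is not 1..{len(my_bets)}")
    # (c) Every reported roll must be the one the two seeds determine.
    for nonce, reported in my_bets:
        expected = roll(revealed_seed, client_seed, nonce)
        if abs(expected - reported) > 1e-9:
            problems.append(f"bet {nonce}: reported {reported:.4f}, "
                            f"seeds give {expected:.4f}")
    return problems


# Constructed demo values; a real deployment would use random 32-byte seeds.
SERVER_SEED = b"constructed-server-seed-for-this-example"
CLIENT_SEED = "constructed-client-seed"
COMMITMENT = commit_server_seed(SERVER_SEED)


def honest_session(n_bets: int = 5) -> list[tuple[int, float]]:
    """What the player logs when the house plays straight."""
    return [(n, roll(SERVER_SEED, CLIENT_SEED, n)) for n in range(1, n_bets + 1)]


def swapped_seed_session() -> list[str]:
    """House reveals a seed other than the one it committed to."""
    return verify_session(COMMITMENT, b"some-other-seed", CLIENT_SEED,
                          honest_session())


def altered_roll_session() -> list[str]:
    """House reports a roll the seeds do not produce (bet 3 shifted by 50)."""
    bets = honest_session()
    n, r = bets[2]
    bets[2] = (n, (r + 50.0) % 100.0)
    return verify_session(COMMITMENT, SERVER_SEED, CLIENT_SEED, bets)


def dropped_bet_session() -> list[str]:
    """House 'forgets' bet 3, the analogue of leaving a winning bet out."""
    bets = [b for b in honest_session() if b[0] != 3]
    return verify_session(COMMITMENT, SERVER_SEED, CLIENT_SEED, bets)


if __name__ == "__main__":
    print("honest:      ", verify_session(COMMITMENT, SERVER_SEED, CLIENT_SEED,
                                          honest_session()))
    print("swapped seed:", swapped_seed_session())
    print("altered roll:", altered_roll_session())
    print("dropped bet: ", dropped_bet_session())
```

What this does not cover is the limit the quoted message points at: the audit proves each reported roll is the one the seeds determine and that the house's seed was fixed in advance, but it cannot prove the house paid out, and it only catches a dropped bet because the player kept their own log rather than trusting the site's history page.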