[Cryptography] Security model of blockchains?

Ersin Taskin hersintaskin at gmail.com
Fri Jun 22 03:44:48 EDT 2018

John Levine <johnl at iecc.com> wrote on Mon, 28 May 2018, at 23:14:

> Have there been any good papers on the security model of blockchains?
> I'm thinking of stuff like collusion, network partitioning, miners
> losing interest or being bribed, and of course latent software bugs.
> In some cases it's not obvious to me how you'd even tell that an
> attack was happening until much later.

I think the boundary of the blockchain security model is drawn by the
super-rational attack, where it is far from trivial to detect the system is
under attack, and there is no defense mechanism due to the
anchor-to-iceberg problem inherent in the design. I summarize below my
previous post on the subject:



1. The Establishment (Gov+FED+Banks+Corporatocracy) is under the threat of
disruption by Bitcoin.

2. It fights back for survival when this threat becomes serious.

3. It has enough power (money) to get more than 50% hash power.

The attack scenario:

1. The attacker (the Establishment) gains the majority hash-power to rule
the longest chain. Deciding what transactions to select from the mempool,
deciding the next block.

2. The attacker forms sybil agents. This is trivial. Thanks to
permissionlessness :) Bitcoin indeed recommends everyone to create sybil
agents for each transaction (key pairs/addresses).

3. The attacker fuels its sybil agents with a constant (not much) amount of

4. Sybil agents flood the system with valid transaction requests with
transaction fees varying slightly above the average.

5. Sybil miners select these valid sybil transactions filling the entire
block space and denying most if not all of the honest transactions.

6. Sybil miners send the transaction fees back to the sybil agents through
atomic swap, zero knowledge, etc. pathways escaping tracking. Thanks to

7. The feedback loop provides the vicious cycle which helps the attacker
sustain an infinite loop attack with a constant amount of money. We all
know that no one (not even Bitcoin) survives an infinite loop.

Since Bitcoin is censor-proof, your coin equals mine, all valid
transactions are equal, it is legitimate that transaction fees can
determine the choice from the mempool and that the system is based on
don't-trust-the-miners game-theoretical approach; there is no solution to
the above attack scenario. Actually, it would be non-trivial to understand
the system is under attack. I could not find a solution in Bitcoin. I
shared it with top technical guys this weekend at the Bitcoin Ethereum
Superconference in Dallas. And none provided an answer. Some said it is
mathematically impossible to find a solution and admitted that it is a
serious problem. One very famous, legendary developer said that this is not
a problem because such an attack will not happen. He was drunk and I did
not take him seriously apart from the observation that people can become
very religious on scientific topics. I forwarded this observation as a
warning to myself.

The above scenario owes its success to the feedback loop from the miners
back to the sybil agents. Otherwise, we would not bother with the cost of 51%
hash-power. Just send valid transaction requests involving higher
transaction fees to flood the system. As long as you do not control the
blockchain you may keep spending transaction fees irreversibly and cannot
guarantee to block the entire chain. Miners (pool managers) aware of the
attack may collaborate to deny your transactions not to lose their business
in the long term. That feedback loop is possible because POW is based on a
scheme based on a fair race against the adversary. This makes it easy for
the attacker to acquire the authoritative power on the system. Amazing
design insisted with the assumption that the powerful target to disrupt
will not attack back for survival!

There are other less costly, more effective super-rational attack scenarios
involving speculative approaches and it can easily be shown that the
super-rational attacker can get the entire cryptocurrency space down easily
through the vicious-cycle scheme described above together with helper
methods. The attacker can use its Exchange in collusion with its sybil
miners to selectively allow rushes from Bitcoin towards the target currency
(say USD). In this scenario, everybody would run to save their precious
money not giving a damn about Bitcoin.

Long story short: PoW is a bad idea to be used on the processor side. It is
an extremely inefficient way to secure the system. If you use PoW (I don’t
recommend it at all), use it only when you can provide any degree of an unfair
race against the attacker (client side). Even then it has its own issues.

POS and DPOS are also vulnerable to the above attack because the
super-rational attacker can get the majority of the stake and as we learned
from our democracy practice money gets the votes. In DPOS people vote for
candidates they do not know in person. They vote based on incentives,
lotteries advertised in campaigns. The super-rational attacker with more
money (and gain) would propose more, campaign better to attract more votes.
Secret services (like CIA) have such professional spies and entities that
it will be impossible for us to identify their real identities. They span
the entire space of people from selling hot dogs on the street to presidents
of countries. It would be naive to guarantee that DPOS will never allow
money to get majority stake. Indeed, this weekend, I challenged Stan
Larimer (the godfather of Bitshares) face to face in a friendly manner
among his fans with the above attack scenario and he could not provide a
solution and said “let’s forward this to Dan” giving me his email.

This is what I call the anchor-to-iceberg problem. If you anchor to an
iceberg, the attacker with enough energy can just melt it down. POW, POS,
DPOS all anchor to things that are convertible to money. This allows the
super-rational attacker to gain control of the system provided that it has
enough money to spare. This combined with the game-theoretical,
permissionless, censor-proof, privacy-seeking system dictates the fact that
any crypto-currency system immune to super-rational attack must anchor to
something that gives the hard promise like the sun rising every morning
from the east and going down every evening on the west. A very simple
promise. But a hard one to break. A hard promise that you cannot break with
