On Fri, Jun 22, 2018 at 3:44 AM, Ersin Taskin <hersintaskin@gmail.com> wrote:
John Levine <johnl@iecc.com> wrote on Mon, 28 May 2018 at 23:14:
Have there been any good papers on the security model of blockchains? I'm thinking of stuff like collusion, network partitioning, miners losing interest or being bribed, and of course latent software bugs. In some cases it's not obvious to me how you'd even tell that an attack was happening until much later.
I think the boundary of the blockchain security model is drawn by the super-rational attack, where it is far from trivial to detect the system is under attack, and there is no defense mechanism due to the anchor-to-iceberg problem inherent in the design. I summarize below my previous post on the subject:
QUOTE
Assumptions:
1. The Establishment (Gov+FED+Banks+Corproteuracy) is under the threat of disruption by Bitcoin.
2. It fights back for survival when this threat becomes serious.
3. It has enough power (money) to get more than 50% hash power.
The attack scenario:
1. The attacker (the Establishment) gains the majority hash-power to rule the longest chain. Deciding what transactions to select from the mempool, deciding the next block.
2. The attacker forms sybil agents. This is trivial. Thanks to permissionlessness:) Bitcoin indeed recommends everyone to create sybil agents for each transaction (key pairs/addresses).
3. The attacker fuels its sybil agents with a constant (not much) amount of bitcoins.
4. Sybil agents flood the system with valid transaction requests with transaction fees varying slightly above the average.
5. Sybil miners select these valid sybil transactions filling the entire block space and denying most if not all of the honest transactions.
6. Sybil miners send the transaction fees back to the sybil agents through atomic swap, zero knowledge, etc. pathways escaping tracking. Thanks to privacy:)
7. The feedback loop provides the vicious cycle which helps the attacker sustain an infinite loop attack with a constant amount of money. We all know that no one (not even Bitcoin) survives an infinite loop.
Since Bitcoin is censor-proof, your coin equals mine, all valid transactions are equal, it is legitimate that transaction fees can determine the choice from the mempool and that the system is based on a don't-trust-the-miners game theoretical approach; there is no solution to the above attack scenario. Actually, it would be non-trivial to understand the system is under attack. I could not find a solution in Bitcoin. I shared it with top technical guys this weekend at the Bitcoin Ethereum Superconference in Dallas. And none provided an answer. Some said it is mathematically impossible to find a solution and admitted that it is a serious problem. One very famous, legendary developer said that this is not a problem because such an attack will not happen. He was drunk and I did not take him seriously apart from the observation that people can become very religious on scientific topics. I forwarded this observation as a warning to myself.
The above scenario owes its success to the feedback loop from the miners back to the sybil agents. Otherwise, we would not bother with the cost of 51% hash-power. Just send valid transaction requests involving higher transaction fees to flood the system. As long as you do not control the blockchain you may keep spending transaction fees irreversibly and cannot guarantee to block the entire chain. Miners (pool managers) aware of the attack may collaborate to deny your transactions so as not to lose their business in the long term. That feedback loop is possible because POW is based on a scheme based on a fair race against the adversary. This makes it easy for the attacker to acquire the authoritative power on the system. Amazing design insisted with the assumption that the powerful target to disrupt will not attack back for survival!
There are other less costly, more effective super-rational attack scenarios involving speculative approaches and it can easily be shown that the super-rational attacker can get the entire cryptocurrency space down easily through the vicious-cycle scheme described above together with helper methods. The attacker can use its Exchange in collusion with its sybil miners to selectively allow rushes from Bitcoin towards the target currency (say USD). In this scenario, everybody would run to save their precious money not giving a damn about Bitcoin.
Long story short: PoW is a bad idea to be used on the processor side. It is an extremely inefficient way to secure the system. If you use PoW (I don't recommend it at all) use it only when you can provide any degree of an unfair race against the attacker (client side). Even then it has its own issues.
POS and DPOS are also vulnerable to the above attack because the super-rational attacker can get the majority of the stake and as we learned from our democracy practice money gets the votes. In DPOS people vote for candidates they do not know in person. They vote based on incentives, lotteries advertised in campaigns. The super-rational attacker with more money (and gain) would propose more, campaign better to attract more votes. Secret services (like CIA) have such professional spies and entities that it will be impossible for us to identify their real identities. They span the entire space of people from selling hotdogs on the street to presidents of countries. It would be naive to guarantee that DPOS will never allow money to get majority stake. Indeed, this weekend, I challenged Stan Larimer (the godfather of Bitshares) face to face in a friendly manner among his fans with the above attack scenario and he could not provide a solution and said "let's forward this to Dan" giving me his email.
This is what I call the anchor-to-iceberg problem. If you anchor to an iceberg, the attacker with enough energy can just melt it down. POW, POS, DPOS all anchor to things that are convertible to money. This allows the super-rational attacker to gain control of the system provided that it has enough money to spare. This combined with the game-theoretical, permissionless, censor-proof, privacy-seeking system dictates the fact that any crypto-currency system immune to super-rational attack must anchor to something that gives a hard promise like the sun rising every morning in the east and going down every evening in the west. A very simple promise. But a hard one to break. A hard promise that you cannot break with money.
UNQUOTE
Legit users might statistically detect which miners are not mining their lower fee tx and conspire to filter out their tx and node traffic thus forking away from them. Such attackers will have massive non-recyclable energy cost, typically required to appear on their public sheets. Attackers will therein also resort to FUD plays easily proven false. And their ASICs broken by nonce changes in algos. Legit p2p webs of in-person validated global trust nets will also develop creating new handshake agreements in mining / nodes defense, sybils will not be able to pass inspection up to and including SSBI style, large operations will be suspected and derated in metrics accordingly. Attackers are ultimately frail and cannot continue to forever inflate and sink their fiat into such attacks, citizens will revolt against that. Users will simply migrate and exchange away to more advanced and resistant usable cryptocurrency nets if attackers' tx fees and etc begin making the old unusable. i.e.: What has happened with downfall of BTC... Cryptocurrency, once established globally in a trio of... philosophical mind, enough mechanical knowledge to use confidently, and then used routinely as desired... is wonderfully adaptive to attacks. Each of those three is inevitable and unstoppable, and they continue to increase, leading to eventual victory of cryptocurrency. The "established" will make more by accepting and servicing it than they will by burning resources trying to fight it. bcc cypherpunks because metz list is proven censored, resident anti-cryptocurrency established friends / devs / etc of state, etc. Cryptocurrency.... what if....
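The reply above suggests users could statistically detect which miners are systematically skipping lower-fee transactions. The following is an added illustration of that detection idea, not code from anyone in this thread; it assumes a constructed per-block dataset (miner name, how many below-median-fee transactions were pending and would have fit, how many of them the miner actually included) and applies a two-proportion z-test of each miner against all other miners pooled.

```python
import math
from collections import defaultdict

# Constructed sample data (hypothetical, not from the thread). One record per block:
# (miner, below-median-fee txs pending that would have fit, how many were included).
# "pool_x" is the constructed outlier that almost never includes low-fee transactions.
BLOCKS = [
    ("pool_a", 500, 180), ("pool_b", 480, 170), ("pool_c", 510, 175),
    ("pool_a", 520, 190), ("pool_x", 500, 5),   ("pool_b", 490, 160),
    ("pool_x", 530, 8),   ("pool_c", 470, 165), ("pool_x", 510, 4),
    ("pool_a", 505, 185), ("pool_x", 495, 6),   ("pool_b", 515, 180),
]


def inclusion_counts(blocks):
    """Pooled (included, pending) low-fee transaction counts per miner."""
    pending = defaultdict(int)
    included = defaultdict(int)
    for miner, n_pending, n_included in blocks:
        pending[miner] += n_pending
        included[miner] += n_included
    return {m: (included[m], pending[m]) for m in pending}


def suspicious_miners(blocks, z_cut=-4.0):
    """Return {miner: z} for miners whose low-fee inclusion rate is far below
    the rest of the network (two-proportion z-test, miner vs. everyone else)."""
    counts = inclusion_counts(blocks)
    total_inc = sum(inc for inc, _ in counts.values())
    total_pend = sum(pend for _, pend in counts.values())
    flagged = {}
    for miner, (inc, pend) in counts.items():
        other_inc, other_pend = total_inc - inc, total_pend - pend
        if pend == 0 or other_pend == 0:
            continue  # nothing to compare against
        p_miner, p_rest = inc / pend, other_inc / other_pend
        p_pool = (inc + other_inc) / (pend + other_pend)
        se = math.sqrt(p_pool * (1 - p_pool) * (1 / pend + 1 / other_pend))
        z = (p_miner - p_rest) / se if se > 0 else 0.0
        if z < z_cut:
            flagged[miner] = round(z, 1)
    return flagged


if __name__ == "__main__":
    for miner, z in suspicious_miners(BLOCKS).items():
        print(f"{miner}: low-fee inclusion far below peers (z = {z})")
```

The threshold and the "would have fit" count are the two inputs a real deployment has to get right; with honest miners varying naturally, a one-sided cut around z < -4 over many blocks avoids flagging ordinary fee-market variation.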