Tesla Coils & Corpses, 2014-10-09 — the DOOM and GLOOM Edition

Eugen Leitl eugen@leitl.org
Fri Oct 10 06:00:37 PDT 2014


----- Forwarded message from Zooko Wilcox-OHearn <zooko@leastauthority.com> -----

Date: Thu, 9 Oct 2014 18:12:39 +0000
From: Zooko Wilcox-OHearn <zooko@leastauthority.com>
To: Tahoe-LAFS development <tahoe-dev@tahoe-lafs.org>
Subject: Tesla Coils & Corpses, 2014-10-09 — the DOOM and GLOOM Edition
Message-ID: <CAM_a8Jy=GrtS+d99Z0-QL__r17F_LKbg7xTVv2siv24rOfFGzA@mail.gmail.com>

.. -*- coding: utf-8-with-signature-unix; fill-column: 73; -*-

Tahoe-LAFS Tesla Coils & Corpses, 2014-10-08
============================================

The DOOM and GLOOM Edition

Daira, Zooko (scribe), Nathan, Andrew (lurker), Za (briefly)

[Disclaimer: this is pretty much all just Zooko's rant that he typed
in during the meeting, and doesn't reflect anyone else's opinions very
much.]

We all sat around reading http://eprint.iacr.org/2014/452.pdf .

Then Nathan and Zooko got distracted by wondering about basic attack
incentives in Bitcoin…

Zooko used to think that block rewards and transaction fees deterred
roll-back attacks, thus making transactions safer when the rewards and
fees were higher. But, maybe that's actually incorrect.

There are (at least) two cases to consider: 1. no actor controls ≥ 51%
of the hashpower, and 2. an actor controls ≥ 51% of the
hashpower. Here's the surprising fact about case 2: block rewards do
not incentivize such an actor to cooperate with the protocol, and
transaction fees incentivize that actor to defect (i.e. to attack)!

First look at the block rewards. As an actor who controls 51% of the
hashpower, you have the choice of either cooperating with the protocol
(mining atop the current longest known chain) or defecting (mining
atop a secret alternate chain and then later revealing it in order to
supplant the shorter public consensus chain).

If you cooperate, then over the next 100 blocks on the public
consensus chain (the next 1000 minutes), you'll get 51 (on average)
of the block rewards. If you defect, then over the next 51 blocks on
your secret chain, which is simultaneous with the next 49 blocks on
the public chain (i.e. the next 1000 minutes), you'll get exactly 51
of the block rewards!

So block rewards do not actually incentivize an actor who controls ≥
51% of the power to cooperate.

(Also, if you cooperate then other people will get 49 block rewards,
but if you defect then other people will get 0. That's an incentive to
defect, but a very small one.)

Next look at the transaction fees. If you cooperate, then you'll get
(on average) 51% of the transaction fees that get posted over the next
1000 minutes. If you defect you'll get 100% of the transaction
fees. So transaction fees incentivize you to defect!

In addition to the consequences of reward, and of fees, of course,
there is also the benefit of double-spending, which is an additional
incentive to defect.

What does this mean? Does it mean that Bitcoin is broken? One
interpretation of the above in light of the fact that Bitcoin has
never yet been rolled-back is that Bitcoin is designed to avoid any
one actor gaining ≥ 51% (case 1 above), but that it breaks badly if
that fails (case 2 above).

Another way to interpret it is to say, well, there's another incentive
overlooked in the analysis of case 2, above, which is the value of
Bitcoin. If you are an actor who controls ≥ 51% of the power, then one
consequence of launching a large attack (such as a 49-block rollback)
would be a crash in the price of Bitcoin in terms of other currencies
(e.g. US Dollars). Would that disincentivize you from performing the
attack?

Well, there are two ways that you might be committed to the value of
Bitcoin: by holding the currency yourself or by investing in mining
capital. The former is probably not a big incentive on you as a
would-be attacker, because you can sell your Bitcoin holdings. You
have an advantage over all other traders in terms of knowledge here,
and your sell orders might even be able to race ahead of the
news/realization of what has happened.

In addition, if you can effectively short Bitcoin, then the opposite
incentive applies — the fact that the price of Bitcoin would crash is
an added incentive for you to perform the attack.

The other incentive would be if you have invested in Bitcoin mining
capital, and the product of that capital will be worth less if the
price of Bitcoin goes down. I think this is a real deterrent — the
first real incentive that I've found, in this rant, for a
51%-controller to cooperate!

One interpretation of that is that Bitcoin says “Oh, you've gained a
massive amount of mining power? That means you have the ability to
destroy the currency, and you have a monetary incentive to do so. But,
we'll give you a steady transfer of value from all current holders of
Bitcoin to you (i.e. the block reward) from now on, so that you will
choose not to do that because you anticipate future transfers of
Bitcoin value from others to you.”

That sounds kind of ugly — it sounds more like you've become an
effective rent-extractor than that you are providing any ongoing value
to anyone in return for the ongoing transfer from the public to you.

Another concern I (Zooko) have is: what if the controller of the
mining capital isn't the owner of the mining capital? Suppose you've
illicitly taken over two large mining operations, so that now you
temporarily control ≥ 51% of all of the Bitcoin mining power. The
legitimate owners of the mining operations will probably eventually
discover your incursion and retake control of their capital. One
option you have is to go ahead and perform a massive rollback attack,
earning ⓑ from rewards, fees, short-sales, and double-spends,
and selling all of your newly acquired ⓑ as fast as possible because
you expect a massive price crash.


The end

P.S. Daira actually appears to have spent the whole meeting reading
the paper, so maybe she learned something entirely different from
Zooko's doom and gloom rant.


-- 
Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters.

----- End forwarded message -----
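
Added example (not part of the forwarded message or the meeting notes): the cooperate-versus-defect accounting from the notes, carried from averages to the full distribution of outcomes and to hashpower shares on both sides of 50%. It assumes each block is found by the actor independently with probability q, that a secret chain supplants the public one only if it is strictly longer when the window ends and otherwise earns nothing, and a constructed fee level; the function names are illustrative.

```python
from math import exp, lgamma, log

def binom_pmf(n, k, q):
    """P(the actor finds exactly k of the n blocks), computed in log space."""
    return exp(lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
               + k * log(q) + (n - k) * log(1 - q))

def payoffs(q, n_blocks, reward=1.0, fee_per_block=0.0):
    """Expected payoff over a window in which n_blocks are found in total.

    Cooperating earns a share q of all rewards and fees. Defecting earns the
    rewards of the secret chain plus all fees posted in the window, but only
    when the secret chain ends up strictly longer (assumption: a losing
    secret chain is discarded and earns nothing).
    """
    total_fees = fee_per_block * n_blocks
    cooperate = q * (n_blocks * reward + total_fees)
    p_win = defect = 0.0
    for k in range(n_blocks // 2 + 1, n_blocks + 1):
        p = binom_pmf(n_blocks, k, q)
        p_win += p
        defect += p * (k * reward + total_fees)
    return {"cooperate": cooperate, "defect": defect, "p_win": p_win}

def per_100_blocks(q, n_blocks, **kw):
    """Same figures scaled to the notes' 100-block (1000-minute) unit."""
    r = payoffs(q, n_blocks, **kw)
    scale = 100.0 / n_blocks
    return {"cooperate": r["cooperate"] * scale,
            "defect": r["defect"] * scale, "p_win": r["p_win"]}

if __name__ == "__main__":
    # Constructed parameters: reward = 1 unit per block, fees = 0.1 unit per block.
    for q in (0.49, 0.51):
        for n in (100, 40000):
            r = per_100_blocks(q, n, fee_per_block=0.1)
            print(f"q={q} window={n:>5} blocks  p_win={r['p_win']:.4f}  "
                  f"cooperate={r['cooperate']:.2f}  defect={r['defect']:.2f}")
```

Under these assumptions, the reward-only defect figure for q = 0.51 approaches the cooperate figure of 51 per 100 blocks as the window grows, the fee term accounts for the remaining gap, and for q = 0.49 the defect figure goes to zero.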


