>mfw, not worried On Friday, October 10, 2014, Eugen Leitl <[1]eugen@leitl.org> wrote: ----- Forwarded message from Zooko Wilcox-OHearn <[2]zooko@leastauthority.com> ----- Date: Thu, 9 Oct 2014 18:12:39 +0000 From: Zooko Wilcox-OHearn <[3]zooko@leastauthority.com> To: Tahoe-LAFS development <[4]tahoe-dev@tahoe-lafs.org> Subject: Tesla Coils & Corpses, 2014-10-09 — the DOOM and GLOOM Edition Message-ID: .. -*- coding: utf-8-with-signature-unix; fill-column: 73; -*- Tahoe-LAFS Tesla Coils & Corpses, 2014-10-08 ============================================ The DOOM and GLOOM Edition Daira, Zooko (scribe), Nathan, Andrew (lurker), Za (briefly) [Disclaimer: this is pretty much all just Zooko's rant that he typed in during the meeting, and doesn't reflect anyone else's opinions very much.] We all sat around reading [6]http://eprint.iacr.org/2014/452.pdf . Then Nathan and Zooko got distracted by wondering about basic attack incentives in Bitcoin… Zooko used to think that block rewards and transaction fees deterred roll-back attack, thus making transactions safer when the rewards and fees were higher. But, maybe that's actually incorrect. There are (at least) two cases to consider: 1. no actor controls ≥ 51% of the hashpower, and 2. an actor controls ≥ 51% of the hashpower. Here's the surprising fact about case 2: block rewards do not incentivize such an actor to cooperate with the protocol, and transaction fees incentivize that actor to defect (i.e. to attack)! First look at the block rewards. As an actor who controls 51% of the hashpower, you have the choice of either cooperating with the protocol (mining atop the current longest known chain) or defecting (mining atop a secret alternate chain and then later revealing it in order to supplant the shorter public consensus chain). If you cooperate, then over the next 100 blocks on the public consensus change (the next 1000 minutes), you'll get 51 (on average) of the block rewards. If you defect, then over the next 51 blocks on your secret chain, which is simultaneous with the next 49 blocks on the public chain (i.e. the next 1000 minutes), you'll get exactly 51 of the block rewards! So block rewards do not actually incentivize an actor who controls ≥ 51% of the power to cooperate. (Also, if you cooperate then other people will get 49 block rewards, but if you defect then other people will get 0. That's an incentive to defect, but a very small one.) Next look at the transaction fees. If you cooperate, then you'll get (on average) 51% of the transaction fees that get posted over the next 1000 minutes. If you defect you'll get 100% of the transaction fees. So transaction fees incentivize you to defect! In addition to the consequences of reward, and of fees, of course, there is also the benefit of double-spending, which is an additional incentive to defect. What does this mean? Does it mean that Bitcoin is broken? One interpretation of the above in light of the fact that Bitcoin has never yet been rolled-back is that Bitcoin is designed to avoid any one actor gaining ≥ 51% (case 1 above), but that it breaks badly if that fails (case 2 above). Another way to interpret it is to say, well, there's another incentive overlooked in the analysis of case 2, above, which is the value of Bitcoin. If you are an actor who controls ≥ 51% of the power, then one consequence of launching a large attack (such as a 49-block rollback) would be a crash in the price of Bitcoin in terms of other currencies (e.g. US Dollars). Would that disincentivize you from performing the attack? Well, there are two ways that you might be committed to the value of Bitcoin: by holding the currency yourself or by investing in mining capital. The former is probably not a big incentive on you as a would-be attacker, because you can sell your Bitcoin holdings. You have an advantage over all other traders in terms of knowledge here, and your sell orders might even be able to race ahead of the news/realization of what has happened. In addition, if you can effectively short Bitcoin, then the opposite incentive applies — the fact that the price of Bitcoin would crash is an added incentive for you to perform the attack. The other incentive would be if you have invested in Bitcoin mining capital, and the product of that capital will be worth less if the price of Bitcoin goes down. I think this is a real deterrent — the first real incentive that I've found, in this rant, for a 51%-controller to cooperate! One interpretation of that is that Bitcoin says “Oh, you've gained a massive amount of mining power? That means you have the ability to destroy the currency, and you have a monetary incentive to do so. But, we'll give you a steady transfer of value from all current holders of Bitcoin to you (i.e. the block reward) from now on, so that you will choose not to do that because you anticipate future transfers of Bitcoin value from others to you.” That sounds kind of ugly — it sounds more like you've become an effective rent-extractor than that you are providing any ongoing value to anyone in return for the ongoing transfer from the public to you. Another concern I (Zooko) have is: what if the controller of the mining capital isn't the owner of the mining capital? Suppose you've illicitly taken over two large mining operations, so that now you temporarily control ≥ 51% of all of the Bitcoin the mining power. The legitimate owners of the mining operations will probably eventually discover your incursion and retake control of their capital. One option you have is to go ahead and perform a massive rollback attack, earning earning ⓑ from rewards, fees, short-sales, and double-spends, and selling all of your newly acquired ⓑ as fast as possible because you expect a massive price crash. The end P.S. Daira actually appears to have spent the whole meeting reading the paper, so maybe she learned something entirely different from Zooko's doom and gloom rant. -- Regards, Zooko Wilcox-O'Hearn Founder, CEO, and Customer Support Rep [7]https://LeastAuthority.com Freedom matters. _______________________________________________ tahoe-dev mailing list [8]tahoe-dev@tahoe-lafs.org [9]https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev ----- End forwarded message ----- References 1. mailto:eugen@leitl.org 2. javascript:; 3. javascript:; 4. javascript:; 5. javascript:; 6. http://eprint.iacr.org/2014/452.pdf 7. https://LeastAuthority.com/ 8. javascript:; 9. https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev