>mfw, not worried On Friday, October 10, 2014, Eugen Leitl <[email protected]> wrote:
> ----- Forwarded message from Zooko Wilcox-OHearn <[email protected] > <javascript:;>> ----- > > Date: Thu, 9 Oct 2014 18:12:39 +0000 > From: Zooko Wilcox-OHearn <[email protected] <javascript:;>> > To: Tahoe-LAFS development <[email protected] <javascript:;>> > Subject: Tesla Coils & Corpses, 2014-10-09 — the DOOM and GLOOM Edition > Message-ID: <CAM_a8Jy= > [email protected] <javascript:;>> > > .. -*- coding: utf-8-with-signature-unix; fill-column: 73; -*- > > Tahoe-LAFS Tesla Coils & Corpses, 2014-10-08 > ============================================ > > The DOOM and GLOOM Edition > > Daira, Zooko (scribe), Nathan, Andrew (lurker), Za (briefly) > > [Disclaimer: this is pretty much all just Zooko's rant that he typed > in during the meeting, and doesn't reflect anyone else's opinions very > much.] > > We all sat around reading http://eprint.iacr.org/2014/452.pdf . > > Then Nathan and Zooko got distracted by wondering about basic attack > incentives in Bitcoin… > > Zooko used to think that block rewards and transaction fees deterred > roll-back attack, thus making transactions safer when the rewards and > fees were higher. But, maybe that's actually incorrect. > > There are (at least) two cases to consider: 1. no actor controls ≥ 51% > of the hashpower, and 2. an actor controls ≥ 51% of the > hashpower. Here's the surprising fact about case 2: block rewards do > not incentivize such an actor to cooperate with the protocol, and > transaction fees incentivize that actor to defect (i.e. to attack)! > > First look at the block rewards. As an actor who controls 51% of the > hashpower, you have the choice of either cooperating with the protocol > (mining atop the current longest known chain) or defecting (mining > atop a secret alternate chain and then later revealing it in order to > supplant the shorter public consensus chain). > > If you cooperate, then over the next 100 blocks on the public > consensus change (the next 1000 minutes), you'll get 51 (on average) > of the block rewards. If you defect, then over the next 51 blocks on > your secret chain, which is simultaneous with the next 49 blocks on > the public chain (i.e. the next 1000 minutes), you'll get exactly 51 > of the block rewards! > > So block rewards do not actually incentivize an actor who controls ≥ > 51% of the power to cooperate. > > (Also, if you cooperate then other people will get 49 block rewards, > but if you defect then other people will get 0. That's an incentive to > defect, but a very small one.) > > Next look at the transaction fees. If you cooperate, then you'll get > (on average) 51% of the transaction fees that get posted over the next > 1000 minutes. If you defect you'll get 100% of the transaction > fees. So transaction fees incentivize you to defect! > > In addition to the consequences of reward, and of fees, of course, > there is also the benefit of double-spending, which is an additional > incentive to defect. > > What does this mean? Does it mean that Bitcoin is broken? One > interpretation of the above in light of the fact that Bitcoin has > never yet been rolled-back is that Bitcoin is designed to avoid any > one actor gaining ≥ 51% (case 1 above), but that it breaks badly if > that fails (case 2 above). > > Another way to interpret it is to say, well, there's another incentive > overlooked in the analysis of case 2, above, which is the value of > Bitcoin. If you are an actor who controls ≥ 51% of the power, then one > consequence of launching a large attack (such as a 49-block rollback) > would be a crash in the price of Bitcoin in terms of other currencies > (e.g. US Dollars). Would that disincentivize you from performing the > attack? > > Well, there are two ways that you might be committed to the value of > Bitcoin: by holding the currency yourself or by investing in mining > capital. The former is probably not a big incentive on you as a > would-be attacker, because you can sell your Bitcoin holdings. You > have an advantage over all other traders in terms of knowledge here, > and your sell orders might even be able to race ahead of the > news/realization of what has happened. > > In addition, if you can effectively short Bitcoin, then the opposite > incentive applies — the fact that the price of Bitcoin would crash is > an added incentive for you to perform the attack. > > The other incentive would be if you have invested in Bitcoin mining > capital, and the product of that capital will be worth less if the > price of Bitcoin goes down. I think this is a real deterrent — the > first real incentive that I've found, in this rant, for a > 51%-controller to cooperate! > > One interpretation of that is that Bitcoin says “Oh, you've gained a > massive amount of mining power? That means you have the ability to > destroy the currency, and you have a monetary incentive to do so. But, > we'll give you a steady transfer of value from all current holders of > Bitcoin to you (i.e. the block reward) from now on, so that you will > choose not to do that because you anticipate future transfers of > Bitcoin value from others to you.” > > That sounds kind of ugly — it sounds more like you've become an > effective rent-extractor than that you are providing any ongoing value > to anyone in return for the ongoing transfer from the public to you. > > Another concern I (Zooko) have is: what if the controller of the > mining capital isn't the owner of the mining capital? Suppose you've > illicitly taken over two large mining operations, so that now you > temporarily control ≥ 51% of all of the Bitcoin the mining power. The > legitimate owners of the mining operations will probably eventually > discover your incursion and retake control of their capital. One > option you have is to go ahead and perform a massive rollback attack, > earning earning ⓑ from rewards, fees, short-sales, and double-spends, > and selling all of your newly acquired ⓑ as fast as possible because > you expect a massive price crash. > > > The end > > P.S. Daira actually appears to have spent the whole meeting reading > the paper, so maybe she learned something entirely different from > Zooko's doom and gloom rant. > > > -- > Regards, > > Zooko Wilcox-O'Hearn > > Founder, CEO, and Customer Support Rep > https://LeastAuthority.com > Freedom matters. > _______________________________________________ > tahoe-dev mailing list > [email protected] <javascript:;> > https://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev > > ----- End forwarded message ----- >
