Re: [bitcoin-dev] Selfish Mining Prevention
>This "reserve" part of the fee will be paid to miners if the hashrate rises. Anticipating ongoing hashrate rise shows that you have not yet thought about moving outside of the current greed model, a model wherein mining will consume all available resources within the colony's objective just to spread as far as possible with each new miner bringing diminishing individual returns and shortening the life of Earth for no additional gain. Greed model := bacteria. From: bitcoin-dev-boun...@lists.linuxfoundation.org on behalf of Andrew via bitcoin-dev Sent: Friday, 14 September 2018 9:19:37 AM To: Bitcoin Dev Subject: Re: [bitcoin-dev] Selfish Mining Prevention I discussed this more at bitcointalk: https://bitcointalk.org/index.php?topic=4998410.0 The attacks I'm interested in preventing are not only selfish mining and collusion, but also more subtle attacks like block withholding, and in general anything that aims to drive out the competition in order to increase hashrate fraction. I also scrapped the idea of changing the block subsidies, and I am only focuses on fees. You can read more about the motivation and details in the bitcointalk thread, but my proposal in short would be to add the concept of "reserve fees". When a user makes a transaction, for each txout script, they can add parameters that specify the fraction of the total fee that is held in "reserve" and the time it is held in "reserve" (can set a limit of 2016 blocks). This "reserve" part of the fee will be paid to miners if the hashrate rises. So if hashrate is currently h and peak hashrate (from past year) is p, then for each period (1 day), a new hashrate is calculated h1, and if h1 > h, then the fraction (h1-h)/p from the reserve fees created in the past 2016 blocks will be released to miners for that period (spread out over the 144 blocks in that period). And this will keep happening as long as hashrate keeps rising, until the "contract" expires, and the leftover part can be used by the owner of the unspent output, but it can only be used for paying fees, not as inputs for future transactions (to save on block space). This should incentivize miners to not drive out the competition, since if they do, there will be less of these reserve fees given to miners. Yes in the end the miners will get all the fees, but with rising hashrate they get an unconditional subsidy that does not require transactions, thus more space for transactions with fees. I can make a formal BIP and pull request, but I need to know if there is interest in this. Now fees don't play such a large part of the block reward, but they will get more important, and this change wouldn't force anything (would be voluntary by each user), just miners have to agree to it with a soft fork (so they don't spend from the anyone-can-spend outputs used for reserve fees). Resource requirements for validation are quite small I believe. On Sat, Sep 1, 2018 at 12:11 AM, Andrew wrote: > As I understand, selfish mining is an attack where miners collude to > mine at a lower hashrate then with all miners working independently. > What are the current strategies used to prevent this and what are the > future plans? > > One idea I have is to let the block reward get "modulated" according > to peak hashrate. Say p is the peak hashrate for 365 periods (1 year) > consisting of 144 blocks, h is the hashrate of the last 144 block (1 > day) period, and r is the base subsidy (12.5 BTC currently). You can > then make the max block reward 0.5 r (1 + h/p). So if hashrate is at > peak you get the full reward. Otherwise you get less, down to a min of > 0.5 r. > > If miners were to collude to mine at a lower than peak hashrate, then > they may be able to do it profitably for 144 blocks, but after that, > the reward would get modulated and it wouldn't be so much in their > interest to continue mining at the lower hashrate. > > What flaws are there with this? I know it could be controversial due > to easier mining present for early miners, so maybe it would have to > be done in combination with a new more dynamic difficulty adjustment > algorithm. But I don't see how hashrate can continue rising > indefinitely, so a solution should be made for selfish mining. > > Also when subsidies stop and a fee market is needed, I guess a portion > of the fees can be withheld for later if hashrate is not at peak. > > > -- > PGP: B6AC 822C 451D 6304 6A28 49E9 7DB7 011C D53B 5647 -- PGP: B6AC 822C 451D 6304 6A28 49E9 7DB7 011C D53B 5647 ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Selfish Mining Prevention
(reposting to whole list instead of just him) @Moral Agent: Interesting proposal though it introduces some elements of proof of stake so it would be more controversial in my view. Also, something needs to be explained about how this would not create an attack where difficulty is frequently dropping by 25%, and suddenly we find ourselves with a very low difficulty and PoW attacks can easily happen. I need to analyse your proposal more, but I prefer to discuss it on your blog instead of here just to limit the side topics and focus only on my proposal. No one has yet given me a good reason for why not to support my proposal... On Fri, Sep 14, 2018 at 2:49 PM, Moral Agent wrote: > You might be interested in an idea I wrote about that is in a similar spirit > here: > > https://medium.com/coinmonks/taming-large-miners-with-helper-blocks-6ae67ac242f6 > > From the article: > > When a block is solved, it randomly selects one satoshi from the utxo set > and gives whomever controls that satoshi the power to generate a “Helper > Block”. The Helper Block commits to a subset of transactions for inclusion > in the next block. A miner can accept the Helper Block by including the > suggested transactions and giving the associated transaction fees to a > payment address specified in the Helper Block. Miners who do not use a > Helper Block must satisfy a 25% higher difficulty. > > On Fri, Sep 14, 2018 at 9:56 AM Andrew via bitcoin-dev > wrote: >> >> I discussed this more at bitcointalk: >> https://bitcointalk.org/index.php?topic=4998410.0 >> >> The attacks I'm interested in preventing are not only selfish mining >> and collusion, but also more subtle attacks like block withholding, >> and in general anything that aims to drive out the competition in >> order to increase hashrate fraction. I also scrapped the idea of >> changing the block subsidies, and I am only focuses on fees. >> >> You can read more about the motivation and details in the bitcointalk >> thread, but my proposal in short would be to add the concept of >> "reserve fees". When a user makes a transaction, for each txout >> script, they can add parameters that specify the fraction of the total >> fee that is held in "reserve" and the time it is held in "reserve" >> (can set a limit of 2016 blocks). This "reserve" part of the fee will >> be paid to miners if the hashrate rises. So if hashrate is currently h >> and peak hashrate (from past year) is p, then for each period (1 day), >> a new hashrate is calculated h1, and if h1 > h, then the fraction >> (h1-h)/p from the reserve fees created in the past 2016 blocks will be >> released to miners for that period (spread out over the 144 blocks in >> that period). And this will keep happening as long as hashrate keeps >> rising, until the "contract" expires, and the leftover part can be >> used by the owner of the unspent output, but it can only be used for >> paying fees, not as inputs for future transactions (to save on block >> space). >> >> This should incentivize miners to not drive out the competition, since >> if they do, there will be less of these reserve fees given to miners. >> Yes in the end the miners will get all the fees, but with rising >> hashrate they get an unconditional subsidy that does not require >> transactions, thus more space for transactions with fees. >> >> I can make a formal BIP and pull request, but I need to know if there >> is interest in this. Now fees don't play such a large part of the >> block reward, but they will get more important, and this change >> wouldn't force anything (would be voluntary by each user), just miners >> have to agree to it with a soft fork (so they don't spend from the >> anyone-can-spend outputs used for reserve fees). Resource requirements >> for validation are quite small I believe. >> >> On Sat, Sep 1, 2018 at 12:11 AM, Andrew wrote: >> > As I understand, selfish mining is an attack where miners collude to >> > mine at a lower hashrate then with all miners working independently. >> > What are the current strategies used to prevent this and what are the >> > future plans? >> > >> > One idea I have is to let the block reward get "modulated" according >> > to peak hashrate. Say p is the peak hashrate for 365 periods (1 year) >> > consisting of 144 blocks, h is the hashrate of the last 144 block (1 >> > day) period, and r is the base subsidy (12.5 BTC currently). You can >> > then make the max block reward 0.5 r (1 + h/p). So if hashrate is at >> > peak you get the full reward. Otherwise you get less, down to a min of >> > 0.5 r. >> > >> > If miners were to collude to mine at a lower than peak hashrate, then >> > they may be able to do it profitably for 144 blocks, but after that, >> > the reward would get modulated and it wouldn't be so much in their >> > interest to continue mining at the lower hashrate. >> > >> > What flaws are there with this? I know it could be controversial due >> > to easier mining present for early miners, so maybe it would have
Re: [bitcoin-dev] Selfish Mining Prevention
Thank you, and my apologies. I should have sent that link just to you and not put everyone on cc. On Fri, Sep 14, 2018 at 1:30 PM Andrew wrote: > (reposting to whole list instead of just him) @Moral Agent: > Interesting proposal though it introduces some elements > of proof of stake so it would be more controversial in my view. Also, > something needs to be explained about how this would not create an > attack where difficulty is frequently dropping by 25%, and suddenly we > find ourselves with a very low difficulty and PoW attacks can easily > happen. I need to analyse your proposal more, but I prefer to discuss > it on your blog instead of here just to limit the side topics and > focus only on my proposal. > > No one has yet given me a good reason for why not to support my proposal... > > On Fri, Sep 14, 2018 at 2:49 PM, Moral Agent > wrote: > > You might be interested in an idea I wrote about that is in a similar > spirit > > here: > > > > > https://medium.com/coinmonks/taming-large-miners-with-helper-blocks-6ae67ac242f6 > > > > From the article: > > > > When a block is solved, it randomly selects one satoshi from the utxo set > > and gives whomever controls that satoshi the power to generate a “Helper > > Block”. The Helper Block commits to a subset of transactions for > inclusion > > in the next block. A miner can accept the Helper Block by including the > > suggested transactions and giving the associated transaction fees to a > > payment address specified in the Helper Block. Miners who do not use a > > Helper Block must satisfy a 25% higher difficulty. > > > > On Fri, Sep 14, 2018 at 9:56 AM Andrew via bitcoin-dev > > wrote: > >> > >> I discussed this more at bitcointalk: > >> https://bitcointalk.org/index.php?topic=4998410.0 > >> > >> The attacks I'm interested in preventing are not only selfish mining > >> and collusion, but also more subtle attacks like block withholding, > >> and in general anything that aims to drive out the competition in > >> order to increase hashrate fraction. I also scrapped the idea of > >> changing the block subsidies, and I am only focuses on fees. > >> > >> You can read more about the motivation and details in the bitcointalk > >> thread, but my proposal in short would be to add the concept of > >> "reserve fees". When a user makes a transaction, for each txout > >> script, they can add parameters that specify the fraction of the total > >> fee that is held in "reserve" and the time it is held in "reserve" > >> (can set a limit of 2016 blocks). This "reserve" part of the fee will > >> be paid to miners if the hashrate rises. So if hashrate is currently h > >> and peak hashrate (from past year) is p, then for each period (1 day), > >> a new hashrate is calculated h1, and if h1 > h, then the fraction > >> (h1-h)/p from the reserve fees created in the past 2016 blocks will be > >> released to miners for that period (spread out over the 144 blocks in > >> that period). And this will keep happening as long as hashrate keeps > >> rising, until the "contract" expires, and the leftover part can be > >> used by the owner of the unspent output, but it can only be used for > >> paying fees, not as inputs for future transactions (to save on block > >> space). > >> > >> This should incentivize miners to not drive out the competition, since > >> if they do, there will be less of these reserve fees given to miners. > >> Yes in the end the miners will get all the fees, but with rising > >> hashrate they get an unconditional subsidy that does not require > >> transactions, thus more space for transactions with fees. > >> > >> I can make a formal BIP and pull request, but I need to know if there > >> is interest in this. Now fees don't play such a large part of the > >> block reward, but they will get more important, and this change > >> wouldn't force anything (would be voluntary by each user), just miners > >> have to agree to it with a soft fork (so they don't spend from the > >> anyone-can-spend outputs used for reserve fees). Resource requirements > >> for validation are quite small I believe. > >> > >> On Sat, Sep 1, 2018 at 12:11 AM, Andrew wrote: > >> > As I understand, selfish mining is an attack where miners collude to > >> > mine at a lower hashrate then with all miners working independently. > >> > What are the current strategies used to prevent this and what are the > >> > future plans? > >> > > >> > One idea I have is to let the block reward get "modulated" according > >> > to peak hashrate. Say p is the peak hashrate for 365 periods (1 year) > >> > consisting of 144 blocks, h is the hashrate of the last 144 block (1 > >> > day) period, and r is the base subsidy (12.5 BTC currently). You can > >> > then make the max block reward 0.5 r (1 + h/p). So if hashrate is at > >> > peak you get the full reward. Otherwise you get less, down to a min of > >> > 0.5 r. > >> > > >> > If miners were to collude to mine at a lower than peak hashrate, then > >> > they may be able to
Re: [bitcoin-dev] Selfish Mining Prevention
You might be interested in an idea I wrote about that is in a similar spirit here: https://medium.com/coinmonks/taming-large-miners-with-helper-blocks-6ae67ac242f6 >From the article: When a block is solved, it randomly selects one satoshi from the utxo set and gives whomever controls that satoshi the power to generate a “Helper Block”. The Helper Block commits to a subset of transactions for inclusion in the next block. A miner can accept the Helper Block by including the suggested transactions and giving the associated transaction fees to a payment address specified in the Helper Block. Miners who do not use a Helper Block must satisfy a 25% higher difficulty. On Fri, Sep 14, 2018 at 9:56 AM Andrew via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > I discussed this more at bitcointalk: > https://bitcointalk.org/index.php?topic=4998410.0 > > The attacks I'm interested in preventing are not only selfish mining > and collusion, but also more subtle attacks like block withholding, > and in general anything that aims to drive out the competition in > order to increase hashrate fraction. I also scrapped the idea of > changing the block subsidies, and I am only focuses on fees. > > You can read more about the motivation and details in the bitcointalk > thread, but my proposal in short would be to add the concept of > "reserve fees". When a user makes a transaction, for each txout > script, they can add parameters that specify the fraction of the total > fee that is held in "reserve" and the time it is held in "reserve" > (can set a limit of 2016 blocks). This "reserve" part of the fee will > be paid to miners if the hashrate rises. So if hashrate is currently h > and peak hashrate (from past year) is p, then for each period (1 day), > a new hashrate is calculated h1, and if h1 > h, then the fraction > (h1-h)/p from the reserve fees created in the past 2016 blocks will be > released to miners for that period (spread out over the 144 blocks in > that period). And this will keep happening as long as hashrate keeps > rising, until the "contract" expires, and the leftover part can be > used by the owner of the unspent output, but it can only be used for > paying fees, not as inputs for future transactions (to save on block > space). > > This should incentivize miners to not drive out the competition, since > if they do, there will be less of these reserve fees given to miners. > Yes in the end the miners will get all the fees, but with rising > hashrate they get an unconditional subsidy that does not require > transactions, thus more space for transactions with fees. > > I can make a formal BIP and pull request, but I need to know if there > is interest in this. Now fees don't play such a large part of the > block reward, but they will get more important, and this change > wouldn't force anything (would be voluntary by each user), just miners > have to agree to it with a soft fork (so they don't spend from the > anyone-can-spend outputs used for reserve fees). Resource requirements > for validation are quite small I believe. > > On Sat, Sep 1, 2018 at 12:11 AM, Andrew wrote: > > As I understand, selfish mining is an attack where miners collude to > > mine at a lower hashrate then with all miners working independently. > > What are the current strategies used to prevent this and what are the > > future plans? > > > > One idea I have is to let the block reward get "modulated" according > > to peak hashrate. Say p is the peak hashrate for 365 periods (1 year) > > consisting of 144 blocks, h is the hashrate of the last 144 block (1 > > day) period, and r is the base subsidy (12.5 BTC currently). You can > > then make the max block reward 0.5 r (1 + h/p). So if hashrate is at > > peak you get the full reward. Otherwise you get less, down to a min of > > 0.5 r. > > > > If miners were to collude to mine at a lower than peak hashrate, then > > they may be able to do it profitably for 144 blocks, but after that, > > the reward would get modulated and it wouldn't be so much in their > > interest to continue mining at the lower hashrate. > > > > What flaws are there with this? I know it could be controversial due > > to easier mining present for early miners, so maybe it would have to > > be done in combination with a new more dynamic difficulty adjustment > > algorithm. But I don't see how hashrate can continue rising > > indefinitely, so a solution should be made for selfish mining. > > > > Also when subsidies stop and a fee market is needed, I guess a portion > > of the fees can be withheld for later if hashrate is not at peak. > > > > > > -- > > PGP: B6AC 822C 451D 6304 6A28 49E9 7DB7 011C D53B 5647 > > > > -- > PGP: B6AC 822C 451D 6304 6A28 49E9 7DB7 011C D53B 5647 > ___ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > ___
Re: [bitcoin-dev] Selfish Mining Prevention
I discussed this more at bitcointalk: https://bitcointalk.org/index.php?topic=4998410.0 The attacks I'm interested in preventing are not only selfish mining and collusion, but also more subtle attacks like block withholding, and in general anything that aims to drive out the competition in order to increase hashrate fraction. I also scrapped the idea of changing the block subsidies, and I am only focuses on fees. You can read more about the motivation and details in the bitcointalk thread, but my proposal in short would be to add the concept of "reserve fees". When a user makes a transaction, for each txout script, they can add parameters that specify the fraction of the total fee that is held in "reserve" and the time it is held in "reserve" (can set a limit of 2016 blocks). This "reserve" part of the fee will be paid to miners if the hashrate rises. So if hashrate is currently h and peak hashrate (from past year) is p, then for each period (1 day), a new hashrate is calculated h1, and if h1 > h, then the fraction (h1-h)/p from the reserve fees created in the past 2016 blocks will be released to miners for that period (spread out over the 144 blocks in that period). And this will keep happening as long as hashrate keeps rising, until the "contract" expires, and the leftover part can be used by the owner of the unspent output, but it can only be used for paying fees, not as inputs for future transactions (to save on block space). This should incentivize miners to not drive out the competition, since if they do, there will be less of these reserve fees given to miners. Yes in the end the miners will get all the fees, but with rising hashrate they get an unconditional subsidy that does not require transactions, thus more space for transactions with fees. I can make a formal BIP and pull request, but I need to know if there is interest in this. Now fees don't play such a large part of the block reward, but they will get more important, and this change wouldn't force anything (would be voluntary by each user), just miners have to agree to it with a soft fork (so they don't spend from the anyone-can-spend outputs used for reserve fees). Resource requirements for validation are quite small I believe. On Sat, Sep 1, 2018 at 12:11 AM, Andrew wrote: > As I understand, selfish mining is an attack where miners collude to > mine at a lower hashrate then with all miners working independently. > What are the current strategies used to prevent this and what are the > future plans? > > One idea I have is to let the block reward get "modulated" according > to peak hashrate. Say p is the peak hashrate for 365 periods (1 year) > consisting of 144 blocks, h is the hashrate of the last 144 block (1 > day) period, and r is the base subsidy (12.5 BTC currently). You can > then make the max block reward 0.5 r (1 + h/p). So if hashrate is at > peak you get the full reward. Otherwise you get less, down to a min of > 0.5 r. > > If miners were to collude to mine at a lower than peak hashrate, then > they may be able to do it profitably for 144 blocks, but after that, > the reward would get modulated and it wouldn't be so much in their > interest to continue mining at the lower hashrate. > > What flaws are there with this? I know it could be controversial due > to easier mining present for early miners, so maybe it would have to > be done in combination with a new more dynamic difficulty adjustment > algorithm. But I don't see how hashrate can continue rising > indefinitely, so a solution should be made for selfish mining. > > Also when subsidies stop and a fee market is needed, I guess a portion > of the fees can be withheld for later if hashrate is not at peak. > > > -- > PGP: B6AC 822C 451D 6304 6A28 49E9 7DB7 011C D53B 5647 -- PGP: B6AC 822C 451D 6304 6A28 49E9 7DB7 011C D53B 5647 ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Re: [bitcoin-dev] Schnorr signatures BIP
On Tue, Sep 11, 2018 at 01:37:59PM -0400, Erik Aronesty via bitcoin-dev wrote: > - Musig, by being M of M, is inherently prone to loss. > It has always been possible to create M-of-N threshold MuSig signatures for any M, N with 0 < M ≤ N. This is (a) obvious, (b) in our paper, (c) implemented at https://github.com/apoelstra/secp256k1/blob/2018-04-taproot/src/modules/musig/main_impl.h -- Andrew Poelstra Research Director, Mathematics Department, Blockstream Email: apoelstra at wpsoftware.net Web: https://www.wpsoftware.net/andrew "Make it stop, my love; we were wrong to try Never saw what we could unravel in traveling light Nor how the trip debrides like a stack of slides All we saw was that time is taller than space is wide" --Joanna Newsom signature.asc Description: PGP signature ___ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
