Difference between revisions of "Proof of blockchain fair sharing"

From Bitcoin Wiki
Jump to: navigation, search
m (Teaser description: OK, more attention to grammar, now that it's no longer a rushed parenthetical remark at the end of the adaptive difficulty page!)
m (Teaser description: Make reference to double spending be a link to the article.)
Line 7: Line 7:
 
''Iain Stewart writes:'' Proof of blockchain fair sharing is of proof-of-stake flavour (which makes me nervous in some ways, but that's another story), and it relies on the fact that stakeholders are '''pseudonymously trackable''', unlike proof-of-work contributors, and therefore a formula for blockchain height can reward '''closeness to fair-share proportions''' in such a way that a 90% attacker finds they can't stop the honest 10% contributing too-expensive-for-the-attacker-to-reverse blocks which, to the attacker's chagrin, '''incorporate''' the accumulated transactions the attacker has been endlessly reversing and re-excluding in an effort to ruin the credibility of bitcoin. (And any change to the attacker's pseudonymous identity/identities destroys their bitcoin-days' stake and takes them out of the running as a big attacker for a long time.)
 
''Iain Stewart writes:'' Proof of blockchain fair sharing is of proof-of-stake flavour (which makes me nervous in some ways, but that's another story), and it relies on the fact that stakeholders are '''pseudonymously trackable''', unlike proof-of-work contributors, and therefore a formula for blockchain height can reward '''closeness to fair-share proportions''' in such a way that a 90% attacker finds they can't stop the honest 10% contributing too-expensive-for-the-attacker-to-reverse blocks which, to the attacker's chagrin, '''incorporate''' the accumulated transactions the attacker has been endlessly reversing and re-excluding in an effort to ruin the credibility of bitcoin. (And any change to the attacker's pseudonymous identity/identities destroys their bitcoin-days' stake and takes them out of the running as a big attacker for a long time.)
  
To expand a little on the above teaser: One might think that by reductio ad absurdum '''no''' system can protect against a >50% attack, because in a purported proof of immunity of the honest <50% from the malicious >50%, the labels "honest" and "malicious" ultimately have no technical meaning, and so just swapping the labels would, absurdly, give a second proof, saying that the <50% community can't "attack" (i.e. save us all from) the >50% community, in contradiction to the first proof. That reductio argument is false here - '''there is an asymmetry''' between the two communities' goals, as follows. (I'm talking about an attack to destroy the usability of bitcoin. An attack to achieve double spending is a much lower-impact event, the analysis of which I'm therefore postponing, although on general grounds the situation is probably neither especially better nor worse than with other protocols.) The >50% "community" [the attacker(s)] is trying to exclude transactions - perhaps all of them, perhaps those of specific people it wants to harass, perhaps random ones just to create fear that "I could be next" - from entering the winning blockchain. Thus it has to achieve '''total''' exclusion of the would-be blocks originating from the <50% community, who keep including the transactions to try and earn an honest profit from the fees. By contrast, the <50% community [the just-trying-to-earn-a-living honest miners] '''doesn't''' have to achieve exclusion of the attacker's blocks - they're happy with a mixed blockchain where, reasonably often, another honest block gets in and stays in. So long as they can get transactions bedded down into the blockchain, they've avoided the ruining of bitcoin as a usable system. It's this crucial asymmetry between the two communities which lets the honest miners win - a chain height formula which suitably rewards diversity of pseudonymous composition will stop even a 90% attacker "community" from achieving its, tougher, goal. I hope this indicates the general direction I'm headed. [[User:Ids|Iain Stewart]] 11:15, 21 May 2012 (GMT)
+
To expand a little on the above teaser: One might think that by reductio ad absurdum '''no''' system can protect against a >50% attack, because in a purported proof of immunity of the honest <50% from the malicious >50%, the labels "honest" and "malicious" ultimately have no technical meaning, and so just swapping the labels would, absurdly, give a second proof, saying that the <50% community can't "attack" (i.e. save us all from) the >50% community, in contradiction to the first proof. That reductio argument is false here - '''there is an asymmetry''' between the two communities' goals, as follows. (I'm talking about an attack to destroy the usability of bitcoin. An attack to achieve [[double spending]] is a much lower-impact event, the analysis of which I'm therefore postponing, although on general grounds the situation is probably neither especially better nor worse than with other protocols.) The >50% "community" [the attacker(s)] is trying to exclude transactions - perhaps all of them, perhaps those of specific people it wants to harass, perhaps random ones just to create fear that "I could be next" - from entering the winning blockchain. Thus it has to achieve '''total''' exclusion of the would-be blocks originating from the <50% community, who keep including the transactions to try and earn an honest profit from the fees. By contrast, the <50% community [the just-trying-to-earn-a-living honest miners] '''doesn't''' have to achieve exclusion of the attacker's blocks - they're happy with a mixed blockchain where, reasonably often, another honest block gets in and stays in. So long as they can get transactions bedded down into the blockchain, they've avoided the ruining of bitcoin as a usable system. It's this crucial asymmetry between the two communities which lets the honest miners win - a chain height formula which suitably rewards diversity of pseudonymous composition will stop even a 90% attacker "community" from achieving its, tougher, goal. I hope this indicates the general direction I'm headed. [[User:Ids|Iain Stewart]] 11:15, 21 May 2012 (GMT)

Revision as of 17:28, 18 June 2012

Proof of blockchain fair sharing is a draft bitcoin protocol change proposal by Iain Stewart, with the goal of allowing the network to continue to settle on a sensible consensus blockchain even when subject to a considerably-greater-than-50% attack.

The protocol is under construction. The following description is a "teaser", establishing its basic flavour and sketching how it exploits an asymmetry in the goals of the honest (<50%) and malicious (>50%) miners to avoid the usual reductio ad absurdum argument against any protocol surviving a >50% attack.

Teaser description

Iain Stewart writes: Proof of blockchain fair sharing is of proof-of-stake flavour (which makes me nervous in some ways, but that's another story), and it relies on the fact that stakeholders are pseudonymously trackable, unlike proof-of-work contributors, and therefore a formula for blockchain height can reward closeness to fair-share proportions in such a way that a 90% attacker finds they can't stop the honest 10% contributing too-expensive-for-the-attacker-to-reverse blocks which, to the attacker's chagrin, incorporate the accumulated transactions the attacker has been endlessly reversing and re-excluding in an effort to ruin the credibility of bitcoin. (And any change to the attacker's pseudonymous identity/identities destroys their bitcoin-days' stake and takes them out of the running as a big attacker for a long time.)

To expand a little on the above teaser: One might think that by reductio ad absurdum no system can protect against a >50% attack, because in a purported proof of immunity of the honest <50% from the malicious >50%, the labels "honest" and "malicious" ultimately have no technical meaning, and so just swapping the labels would, absurdly, give a second proof, saying that the <50% community can't "attack" (i.e. save us all from) the >50% community, in contradiction to the first proof. That reductio argument is false here - there is an asymmetry between the two communities' goals, as follows. (I'm talking about an attack to destroy the usability of bitcoin. An attack to achieve double spending is a much lower-impact event, the analysis of which I'm therefore postponing, although on general grounds the situation is probably neither especially better nor worse than with other protocols.) The >50% "community" [the attacker(s)] is trying to exclude transactions - perhaps all of them, perhaps those of specific people it wants to harass, perhaps random ones just to create fear that "I could be next" - from entering the winning blockchain. Thus it has to achieve total exclusion of the would-be blocks originating from the <50% community, who keep including the transactions to try and earn an honest profit from the fees. By contrast, the <50% community [the just-trying-to-earn-a-living honest miners] doesn't have to achieve exclusion of the attacker's blocks - they're happy with a mixed blockchain where, reasonably often, another honest block gets in and stays in. So long as they can get transactions bedded down into the blockchain, they've avoided the ruining of bitcoin as a usable system. It's this crucial asymmetry between the two communities which lets the honest miners win - a chain height formula which suitably rewards diversity of pseudonymous composition will stop even a 90% attacker "community" from achieving its, tougher, goal. I hope this indicates the general direction I'm headed. Iain Stewart 11:15, 21 May 2012 (GMT)