public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Quinn Harris <btcdev@quinnharris.me>
To: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Possible Solution To SM Attack
Date: Tue, 05 Nov 2013 21:26:59 -0300	[thread overview]
Message-ID: <52798CD3.3060806@quinnharris.me> (raw)
In-Reply-To: <CANAnSg19N6Ri9vVkKqP2VB14KgLN6=whAbtzV9EBcLUfDs_dJQ@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3929 bytes --]

On 11/05/2013 08:03 PM, Drak wrote:
> On 5 November 2013 22:07, Quinn Harris <btcdev@quinnharris.me 
> <mailto:btcdev@quinnharris.me>> wrote:
>
>     I don't think choosing the block with the lowest hash is the best
>     option.  The good and bad miners have an equal probability of
>     finding a
>     lower hash.  But after Alice finds a block she can easily
>     determine the
>     probability that someone else will find a lower hash value that meets
>     the difficulty requirement.  This can be used to judge if its best to
>     start working on the next block or work on finding a lower value
>     hash to
>     increase the chance her block is used.
>
>
> Well in that case, you could make it unpredictable by choosing based 
> on a hash of the blockhash and chose the lowest from two. There is no 
> way for Alice to know if Bob's resulting hash will be higher or lower 
> than hers since she does not know Bob's blockhash in advance and 
> therefore she would be better broadcasting her block immediately.
>
I don't think that will work but the bit test I suggested won't work either.

Alice can calculate the hash of her blockhash and if the block to mine 
is chosen based on the lowest result she will know the probability Bobs 
block will be used.  This complexity doesn't change anything.  If hers 
is more than 50% likely to be used she should mine the next block 
otherwise its best to work to find a better current block.

But if the block determination takes into account the current difficulty 
we can prevent Alice from knowing if Bobs or any block she mines is more 
likely to win.

Assuming
a = hash of block A
b = hash of block B
difficulty = current difficulty such that A < difficulty and b < difficulty

The following code could be used to determine if the higher or lower 
block should be chosen

uint256 choose_block(uint256 a, uint256 b, uint256 difficulty)
{
   bool choice = false; // false for lower hash, true for greater hash
   uint256 am = (a + d/4) % difficulty;
   uint256 bm = (b + d/4) % difficulty
   if (a + d/4 >= d)
     choice = b > a || b < am || bm > a || bm < am;
   else
     choice = (b > a && b < am) || (bm > a && bm < am);
   return choice ? (a > b ? a : b) : (a > b ? b : a);
}

The basic idea is to find a range over 0 to difficulty starting at A and 
B that is 1/4 of the range of the difficulty.  If the two ranges overlap 
which should be 1/2 of the time pick the greater hash is used otherwise 
the lower hash.

There is likely a cleaner solution but this demonstrates the basic idea.

You could use the hash of the blockhash and just set the difficulty to 
the maximum hash value which would really just end up removing all the 
modulus stuff and make the code simpler.  But that code requires much 
less computation that any cryptographic hash.

I think this is preferable to each node randomly picking a block to mine 
on as the paper suggests.  This should be completely unpredictable but 
deterministic so all the miners should end up working on the same block.

> You could even add another unpredictable factor: deciding the rules of 
> whether higher or lower wins by hashing both competing blockhashes. If 
> the leading two hex digits are below 128 lower wins, and if above, 
> higher wins.
>
> Drak
>
>
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
>
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development


[-- Attachment #2: Type: text/html, Size: 6372 bytes --]

  reply	other threads:[~2013-11-06  0:27 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-11-05 20:51 [Bitcoin-development] Possible Solution To SM Attack colj
2013-11-05 22:07 ` Quinn Harris
2013-11-05 23:03   ` Drak
2013-11-06  0:26     ` Quinn Harris [this message]
2013-11-05 22:15 ` Drak
2013-11-05 23:06   ` Gregory Maxwell
2013-11-05 23:44     ` Drak
2013-11-06  0:00       ` Gavin Andresen
2013-11-06  0:37 ` rob.golding

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=52798CD3.3060806@quinnharris.me \
    --to=btcdev@quinnharris.me \
    --cc=bitcoin-development@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox