From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Vdqxj-0005Fk-S0 for bitcoin-development@lists.sourceforge.net; Wed, 06 Nov 2013 00:27:11 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of quinnharris.me designates 67.223.164.214 as permitted sender) client-ip=67.223.164.214; envelope-from=btcdev@quinnharris.me; helo=fza.durangomail.com; Received: from fza.durangomail.com ([67.223.164.214]) by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1Vdqxi-0001Fz-IR for bitcoin-development@lists.sourceforge.net; Wed, 06 Nov 2013 00:27:11 +0000 Received: from localhost (localhost [127.0.0.1]) by fza.durangomail.com (Postfix) with ESMTP id 7D5311E03F5 for ; Tue, 5 Nov 2013 17:27:04 -0700 (MST) X-Virus-Scanned: amavisd-new at fza.durangomail.com Received: from fza.durangomail.com ([127.0.0.1]) by localhost (fza.durangomail.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pzPxLgfUQ_E8 for ; Tue, 5 Nov 2013 17:27:03 -0700 (MST) Received: from localhost (localhost [127.0.0.1]) by fza.durangomail.com (Postfix) with ESMTP id DC1A21E0403 for ; Tue, 5 Nov 2013 17:27:02 -0700 (MST) DKIM-Filter: OpenDKIM Filter v2.7.1 fza.durangomail.com DC1A21E0403 X-Virus-Scanned: amavisd-new at fza.durangomail.com Received: from fza.durangomail.com ([127.0.0.1]) by localhost (fza.durangomail.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id yYcE9Lb_JiSb for ; Tue, 5 Nov 2013 17:27:02 -0700 (MST) Received: from [192.168.0.109] (pc-149-184-100-190.cm.vtr.net [190.100.184.149]) by fza.durangomail.com (Postfix) with ESMTPSA id 0E8FA1E03F5 for ; Tue, 5 Nov 2013 17:27:01 -0700 (MST) Message-ID: <52798CD3.3060806@quinnharris.me> Date: Tue, 05 Nov 2013 21:26:59 -0300 From: Quinn Harris User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-Version: 1.0 To: bitcoin-development@lists.sourceforge.net References: <52796C14.5070300@quinnharris.me> In-Reply-To: Content-Type: multipart/alternative; boundary="------------000601080001070909040108" X-Spam-Score: -0.6 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: doubleclick.net] -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1Vdqxi-0001Fz-IR Subject: Re: [Bitcoin-development] Possible Solution To SM Attack X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Nov 2013 00:27:12 -0000 This is a multi-part message in MIME format. --------------000601080001070909040108 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 11/05/2013 08:03 PM, Drak wrote: > On 5 November 2013 22:07, Quinn Harris > wrote: > > I don't think choosing the block with the lowest hash is the best > option. The good and bad miners have an equal probability of > finding a > lower hash. But after Alice finds a block she can easily > determine the > probability that someone else will find a lower hash value that meets > the difficulty requirement. This can be used to judge if its best to > start working on the next block or work on finding a lower value > hash to > increase the chance her block is used. > > > Well in that case, you could make it unpredictable by choosing based > on a hash of the blockhash and chose the lowest from two. There is no > way for Alice to know if Bob's resulting hash will be higher or lower > than hers since she does not know Bob's blockhash in advance and > therefore she would be better broadcasting her block immediately. > I don't think that will work but the bit test I suggested won't work either. Alice can calculate the hash of her blockhash and if the block to mine is chosen based on the lowest result she will know the probability Bobs block will be used. This complexity doesn't change anything. If hers is more than 50% likely to be used she should mine the next block otherwise its best to work to find a better current block. But if the block determination takes into account the current difficulty we can prevent Alice from knowing if Bobs or any block she mines is more likely to win. Assuming a = hash of block A b = hash of block B difficulty = current difficulty such that A < difficulty and b < difficulty The following code could be used to determine if the higher or lower block should be chosen uint256 choose_block(uint256 a, uint256 b, uint256 difficulty) { bool choice = false; // false for lower hash, true for greater hash uint256 am = (a + d/4) % difficulty; uint256 bm = (b + d/4) % difficulty if (a + d/4 >= d) choice = b > a || b < am || bm > a || bm < am; else choice = (b > a && b < am) || (bm > a && bm < am); return choice ? (a > b ? a : b) : (a > b ? b : a); } The basic idea is to find a range over 0 to difficulty starting at A and B that is 1/4 of the range of the difficulty. If the two ranges overlap which should be 1/2 of the time pick the greater hash is used otherwise the lower hash. There is likely a cleaner solution but this demonstrates the basic idea. You could use the hash of the blockhash and just set the difficulty to the maximum hash value which would really just end up removing all the modulus stuff and make the code simpler. But that code requires much less computation that any cryptographic hash. I think this is preferable to each node randomly picking a block to mine on as the paper suggests. This should be completely unpredictable but deterministic so all the miners should end up working on the same block. > You could even add another unpredictable factor: deciding the rules of > whether higher or lower wins by hashing both competing blockhashes. If > the leading two hex digits are below 128 lower wins, and if above, > higher wins. > > Drak > > > ------------------------------------------------------------------------------ > November Webinars for C, C++, Fortran Developers > Accelerate application performance with scalable programming models. Explore > techniques for threading, error checking, porting, and tuning. Get the most > from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk > > > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development --------------000601080001070909040108 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
On 11/05/2013 08:03 PM, Drak wrote:
On 5 November 2013 22:07, Quinn Harris <btcdev@quinnharris.me> wrote:
I don't think choosing the block with the lowest hash is the best
option.  The good and bad miners have an equal probability of finding a
lower hash.  But after Alice finds a block she can easily determine the
probability that someone else will find a lower hash value that meets
the difficulty requirement.  This can be used to judge if its best to
start working on the next block or work on finding a lower value hash to
increase the chance her block is used.

Well in that case, you could make it unpredictable by choosing based on a hash of the blockhash and chose the lowest from two. There is no way for Alice to know if Bob's resulting hash will be higher or lower than hers since she does not know Bob's blockhash in advance and therefore she would be better broadcasting her block immediately.

I don't think that will work but the bit test I suggested won't work either.

Alice can calculate the hash of her blockhash and if the block to mine is chosen based on the lowest result she will know the probability Bobs block will be used.  This complexity doesn't change anything.  If hers is more than 50% likely to be used she should mine the next block otherwise its best to work to find a better current block.

But if the block determination takes into account the current difficulty we can prevent Alice from knowing if Bobs or any block she mines is more likely to win.

Assuming
a = hash of block A
b = hash of block B
difficulty = current difficulty such that A < difficulty and b < difficulty

The following code could be used to determine if the higher or lower block should be chosen

uint256 choose_block(uint256 a, uint256 b, uint256 difficulty)
{
  bool choice = false; // false for lower hash, true for greater hash
  uint256 am = (a + d/4) % difficulty;
  uint256 bm = (b + d/4) % difficulty
  if (a + d/4 >= d)
    choice = b > a || b < am || bm > a || bm < am;
  else
    choice = (b > a && b < am) || (bm > a && bm < am);
  return choice ? (a > b ? a : b) : (a > b ? b : a);
}

The basic idea is to find a range over 0 to difficulty starting at A and B that is 1/4 of the range of the difficulty.  If the two ranges overlap which should be 1/2 of the time pick the greater hash is used otherwise the lower hash. 

There is likely a cleaner solution but this demonstrates the basic idea.

You could use the hash of the blockhash and just set the difficulty to the maximum hash value which would really just end up removing all the modulus stuff and make the code simpler.  But that code requires much less computation that any cryptographic hash.

I think this is preferable to each node randomly picking a block to mine on as the paper suggests.  This should be completely unpredictable but deterministic so all the miners should end up working on the same block.

You could even add another unpredictable factor: deciding the rules of whether higher or lower wins by hashing both competing blockhashes. If the leading two hex digits are below 128 lower wins, and if above, higher wins.

Drak


------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most 
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk


_______________________________________________
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development

--------------000601080001070909040108--