📅 Original date posted:2012-06-02
📝 Original message:Analysis, comments, constructive criticism, etc welcome for the following:
==Background==
At present, an attacker can harm a pool by intentionally NOT submitting shares
that are also valid blocks. All pools are vulnerable to this attack, whether
centralized or decentralized and regardless of reward system used. The
attack's effectiveness is proportional to ratio of the attacker's hashrate to
the rest of the pool.
There are obvious solutions that can be used to defeat this attack on
centralized pools. For example, including a secret in the coinbase transaction
that is accepted by the network as a partial preimage proof-of-work. All these
solutions require changes to Bitcoin's proof-of-work acceptance terms, and
since centralized pools can be harmful to the network's security, these rule
changes are not likely to gain enough acceptance among the greater Bitcoin
community.
==Proposed Solution==
Please comment on the viability of this new proof-of-work algorithm, which I
think should be viable for even decentralized pools:
Blocks are accepted at a lower difficulty N (choosable by the pool; eg, the
share difficulty) iff they are submitted with a candidate for the next block
and SHA256(SHA256(NewBlockHash + NextBlockCandidateHash)) meets difficulty M.
The relationship between M and N must be comparable to the normal network
difficulty; details on the specifics of this can be figured out later, ideally
by someone more qualified than me. M and N must be chosen prior to searching
for the block: it should be safe to steal some always-zero bytes from the
prevblock header for this.
This algorithm should guarantee that every share has an equal chance of being
a valid block at the time it is found, and that which ones are actually blocks
cannot be known until the subsequent block is found. Thus, attackers have no
way to identify which shares to withhold even while they have full knowledge
of the shares/blocks themselves.
==Backward Compatibility==
Obviously, this change creates a hard-fork in the blockchain. I propose that
if it solves the block withholding risk, the gain is sufficient that the
community may approve a hard-fork to take place 1-2 years from consensus.
Since mining continues to use a double-SHA256 on a fixed 80 byte header,
existing miners, FPGAs, etc should work unmodified. Poolservers will need to
adapt significantly.
Luke-Jr [ARCHIVE] /
npub1dt…u7wrs
2023-06-07 12:11:28
in reply to nevent1q…5l2a
Author Public Key
npub1dtr22xd42nv07un2xq0rmtkqkjylgsmexau0anxxafa9xmmn2ncshu7wrsSeen on
wss://relay.noswhere.comPublished at
2023-06-07 12:11:28Event JSON
{
"id": "d9263c1d030ede35b2de614fbefa122a0e9f5f1083724bd8ae245c879030d012",
"pubkey": "6ac6a519b554d8ff726a301e3daec0b489f443793778feccc6ea7a536f7354f1",
"created_at": 1686132688,
"kind": 1,
"tags": [
[
"e",
"a41c266ea909ede278d0ffa091090bff630df3ebf392d5fdee34cf65c8588463",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2012-06-02\n📝 Original message:Analysis, comments, constructive criticism, etc welcome for the following:\n\n==Background==\nAt present, an attacker can harm a pool by intentionally NOT submitting shares \nthat are also valid blocks. All pools are vulnerable to this attack, whether \ncentralized or decentralized and regardless of reward system used. The \nattack's effectiveness is proportional to ratio of the attacker's hashrate to \nthe rest of the pool.\n\nThere are obvious solutions that can be used to defeat this attack on \ncentralized pools. For example, including a secret in the coinbase transaction \nthat is accepted by the network as a partial preimage proof-of-work. All these \nsolutions require changes to Bitcoin's proof-of-work acceptance terms, and \nsince centralized pools can be harmful to the network's security, these rule \nchanges are not likely to gain enough acceptance among the greater Bitcoin \ncommunity.\n\n==Proposed Solution==\nPlease comment on the viability of this new proof-of-work algorithm, which I \nthink should be viable for even decentralized pools:\n\nBlocks are accepted at a lower difficulty N (choosable by the pool; eg, the \nshare difficulty) iff they are submitted with a candidate for the next block \nand SHA256(SHA256(NewBlockHash + NextBlockCandidateHash)) meets difficulty M.\nThe relationship between M and N must be comparable to the normal network \ndifficulty; details on the specifics of this can be figured out later, ideally \nby someone more qualified than me. M and N must be chosen prior to searching \nfor the block: it should be safe to steal some always-zero bytes from the \nprevblock header for this.\n\nThis algorithm should guarantee that every share has an equal chance of being \na valid block at the time it is found, and that which ones are actually blocks \ncannot be known until the subsequent block is found. Thus, attackers have no \nway to identify which shares to withhold even while they have full knowledge \nof the shares/blocks themselves.\n\n==Backward Compatibility==\nObviously, this change creates a hard-fork in the blockchain. I propose that \nif it solves the block withholding risk, the gain is sufficient that the \ncommunity may approve a hard-fork to take place 1-2 years from consensus.\n\nSince mining continues to use a double-SHA256 on a fixed 80 byte header, \nexisting miners, FPGAs, etc should work unmodified. Poolservers will need to \nadapt significantly.",
"sig": "e69145be8ebc4c14b9273952be0dbe6cc8c26735244ecbbb69c32168b0bd0c14862588a0d2da9859361e3e7f42f85ec6a37620195eafdbb3adb12fc11be1e70a"
}