Author Topic: Potentially weak spots  (Read 4321 times)


Offline arhag

Furthermore, I do not see how this Economic Clustering completely solves the Nothing-at-Stake problem as you claim in your post. The attacker producing the fake blockchain can simply remove everyone else's transactions from their fake blockchain and include their own transactions between sockpuppets to make it appear that the fake blockchain is valid. If they are able to trick the user onto that chain, they could then carry out the double-spend attack. The only problem for the attacker is if the victim is recovering an existing account where they have already made outgoing transactions to people that they expect to see in their transaction history (that is something that cannot be faked by the attacker). Even incoming transactions can be faked if the fake blockchain starts far enough in the past such that the parties that sent the victim the funds had not yet registered their account names on the blockchain (assuming the victim had not pinned the BTS public keys of their contacts in a wallet backup of course).

The trick is to know accounts of big market players like Walmart. If you don't see transactions made by Walmart then your branch is not legit.

Hmm well that isn't going to be exactly automated into the client code, but it is a smart idea for helping a user determine if the blockchain is fake if they suspect something suspicious (especially if their client warns them using other metrics). Okay, I think there are enough advantages provided by doing this that we absolutely should have transactions include a recent block hash in the transaction digest rather than just the chain ID. It also means that each transaction should specify the block height (simple varint up to 2^32 should be sufficient) of the block hash they include in the digest, and the blockchain validation rules need to require that the specified block in the transaction is older than some block deterministically calculated from the block height the transaction is being considered to be included in (I suggest that it must be older than 16*101 blocks prior to the current block) but also not too old (I suggest not older than 17,280 blocks prior to the current block). I am going to lobby for the developers to include this change.
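The validation rule proposed in the post above, sketched as an added example (not part of the original post and not BitShares code). The function names, the constructed chain and payloads are assumptions, and an HMAC with a constructed key stands in for the account's public-key signature.

```python
import hashlib
import hmac

MIN_AGE = 16 * 101   # referenced block must be older than this many blocks
MAX_AGE = 17_280     # ...and no older than this many blocks
CHAIN_ID = b"example-chain"        # constructed value
KEY = b"constructed-signing-key"   # HMAC stands in for a real signature

def build_chain(length, fork_at=None):
    """Block hashes by height; from fork_at onward the contents differ."""
    hashes, prev = [], b"\x00" * 32
    for height in range(length):
        tag = b"fork" if fork_at is not None and height >= fork_at else b"main"
        prev = hashlib.sha256(prev + height.to_bytes(4, "big") + tag).digest()
        hashes.append(prev)
    return hashes

def tx_digest(chain, ref_height, payload):
    """Digest binds the chain ID and the hash of the referenced block."""
    ref = ref_height.to_bytes(4, "big")
    return hashlib.sha256(CHAIN_ID + ref + chain[ref_height] + payload).digest()

def sign_tx(chain, ref_height, payload):
    """The transaction carries only the height; the hash lives in the digest."""
    digest = tx_digest(chain, ref_height, payload)
    sig = hmac.new(KEY, digest, hashlib.sha256).digest()
    return {"ref_height": ref_height, "payload": payload, "sig": sig}

def validate_tx(chain, tx, include_height):
    """Check tx for inclusion in block include_height of the validator's chain."""
    ref_height = tx["ref_height"]
    if not 0 <= ref_height < len(chain):
        return "rejected: unknown block height"
    age = include_height - ref_height
    if age <= MIN_AGE:
        return "rejected: referenced block too recent"
    if age > MAX_AGE:
        return "rejected: referenced block too old"
    # The validator rebuilds the digest from its OWN block at that height,
    # so a signature made against another branch cannot verify here.
    digest = tx_digest(chain, ref_height, tx["payload"])
    expected = hmac.new(KEY, digest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tx["sig"]):
        return "rejected: signature not valid on this chain"
    return "accepted"

honest = build_chain(19_000)                  # blocks 0..18,999
fake = build_chain(19_000, fork_at=15_000)    # history rewritten from 15,000

if __name__ == "__main__":
    tx = sign_tx(honest, 17_000, b"constructed payload")
    print(validate_tx(honest, tx, 19_000))    # honest branch
    print(validate_tx(fake, tx, 19_000))      # rewritten branch
    old = sign_tx(honest, 14_000, b"constructed payload")
    print(validate_tx(fake, old, 19_000))     # referenced block predates fork
```

A transaction whose referenced block predates the fork point still validates on the rewritten branch, so the binding only protects transactions that reference blocks the rewrite has replaced.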

Offline Come-from-Beyond

So after 3 weeks the delegated forging power is taken away from the forging pool again and the one that delegated the forging power would have to renew his vote if his forging power should not be "wasted"?

Yes.

Offline santaclause102

Quote
NXT forgers get delegated power expired eventually
I didn't understand this one.

In Nxt there is a way to "delegate" forging/mining power. But max period is limited to 3 weeks.
Ok. I didn't know that. So after 3 weeks the delegated forging power is taken away from the forging pool again and the one that delegated the forging power would have to renew his vote if his forging power should not be "wasted"?

Offline Come-from-Beyond

Furthermore, I do not see how this Economic Clustering completely solves the Nothing-at-Stake problem as you claim in your post. The attacker producing the fake blockchain can simply remove everyone else's transactions from their fake blockchain and include their own transactions between sockpuppets to make it appear that the fake blockchain is valid. If they are able to trick the user onto that chain, they could then carry out the double-spend attack. The only problem for the attacker is if the victim is recovering an existing account where they have already made outgoing transactions to people that they expect to see in their transaction history (that is something that cannot be faked by the attacker). Even incoming transactions can be faked if the fake blockchain starts far enough in the past such that the parties that sent the victim the funds had not yet registered their account names on the blockchain (assuming the victim had not pinned the BTS public keys of their contacts in a wallet backup of course).

The trick is to know accounts of big market players like Walmart. If you don't see transactions made by Walmart then your branch is not legit.

Offline Come-from-Beyond

Quote
NXT forgers get delegated power expired eventually
I didn't understand this one.

In Nxt there is a way to "delegate" forging/mining power. But max period is limited to 3 weeks.

Offline arhag

1. Delegate election is not very "democratic". The top delegate - market.cn.group101 - got only 16.71% according to https://bitsharesblocks.com/delegates. The issue can be completely or partially solved with another voting approach.

I'm not sure what you are proposing as an alternative here, but I think the issue is simply voter apathy. Ideally we would have all 101 delegates have 100% approval. More realistically, it would be nice if the delegate at rank 101 had at least 50% approval. I don't know if we will ever get to that level, but I think things can be significantly improved when we have lightweight clients with easy-to-use cold storage and restricted_owner features (you keep your BTS wealth in cold storage but can change the votes from the hot client).


2. Delegates control the only means of communication available to bots and smart contracts. The same problem as in a state that controls all mass media arises. Humans can use other means of communication (e.g. this forum) but DACs don't have this option. The issue can be solved by introducing something leading to "separation of powers".

We already have separation of powers (if I understand what you mean by that correctly). A single honest delegate can introduce true information into the blockchain. I already discussed this back in your previous thread. Yes, if all 101 active delegates are simultaneously corrupted then you cannot get information that the delegates find undesirable into the blockchain, but that is the time when you are forced to do the hard fork. It is inconvenient but it is a measure of last resort that allows the system to recover and the good news is it should be incredibly rare for all 101 active delegates to be simultaneously compromised.


3. Delegates validate blocks one by one. Several branches of the blockchain may exist and compete against each other. Voted-out delegates may generate a fake blockchain to trick newly connected nodes. Something similar to Economic Clustering (Nxt) could solve this issue completely. Validation of every block by 51 delegates may solve the issue of competing branches.

If it helps you can think of each consensus unit not as a block but rather a round of blocks (101 blocks). It just means each unit takes 17 minutes rather than 10 seconds to be confirmed. I do however think that a super majority of delegates should be allowed to generate a signature validating the previous block to speed up the process of confirming new consensus units. I discussed that in this proposal.

3. Fake blockchain is a blockchain where voted-out delegates excluded transactions that pushed them out of top 101. Online nodes will reject such a blockchain but catching up ones may jump on it eventually. Temporary network fragmentation may lead to inability to bind at least 51 delegates to the same branch. Also, it's possible to cause the fragmentation by controlling 33 delegates and having fast connections to honest delegates. Economic Clustering is explained here - https://nxtforum.org/news-and-announcements/economic-clustering/.

From your link I take Economic Clustering to mean the following:
Quote
From technical point of view it means that if someone decides to rewrite the history of the blockchain he won't be able to include transactions of those who don't take part in the attack, because every transaction contains the id of one of the recent blocks.

This seems a lot like Transactions-as-Proof-of-Stake (TaPoS). When BitShares was upgraded to DPOS this feature of binding each transaction not only to the chain ID but to a more recent block of the chain was removed. I think this was a mistake because of attacks like the following discussed in this post. In that post I suggested bringing back the ability/requirement for a transaction to reference a recent block (which seems to be what you mean by Economic Clustering if I understood you correctly):
But if this is not satisfying enough, there is another measure that can be taken to be extra cautious. We can bring back TaPOS on top of DPOS. The transactions do not need to reference the previous block, they can reference a block well enough in the past that is well established. The point is that TaPOS would make it impossible to even include those unvoting transactions in your fake blockchain.
However, this only makes a very unlikely attack impossible. This hypothetical attack isn't very serious (read the full post to see why).

Furthermore, I do not see how this Economic Clustering completely solves the Nothing-at-Stake problem as you claim in your post. The attacker producing the fake blockchain can simply remove everyone else's transactions from their fake blockchain and include their own transactions between sockpuppets to make it appear that the fake blockchain is valid. If they are able to trick the user onto that chain, they could then carry out the double-spend attack. The only problem for the attacker is if the victim is recovering an existing account where they have already made outgoing transactions to people that they expect to see in their transaction history (that is something that cannot be faked by the attacker). Even incoming transactions can be faked if the fake blockchain starts far enough in the past such that the parties that sent the victim the funds had not yet registered their account names on the blockchain (assuming the victim had not pinned the BTS public keys of their contacts in a wallet backup of course).

« Last Edit: March 01, 2015, 12:29:33 am by arhag »

Offline santaclause102

Looking forward to your reply to the "democracy attack" :)

Quote
No. Because more miners can join Bitcoin
It is not about what would theoretically be possible but what is reality. Reality is that there are 6 mining pools that have as much power combined as all delegates combined. I don't see this changing.

Quote
NXT forgers get delegated power expired eventually
I didn't understand this one.

Offline Come-from-Beyond

1. The end goal is security. Fairness or representation in my opinion are not of value here. Everyone can participate which is fair enough. In the end, voting participation will depend on how easy it is to vote (client and voting / delegate infrastructure will have to get more user friendly) and on how much stake one has.

Ok, let's put this on hold. When I have time I'll show how this could be used for an attack.


2. Maybe I understand what you mean... Would you agree that in the same sense Bitcoin miners and NXT forgers also have that control over the blockchain (=communication channel)?

No. Because more miners can join Bitcoin and NXT forgers get delegated power expired eventually.


3. User arhag made a great post on that https://bitsharestalk.org/index.php?topic=6638.0
You could challenge him in the above thread.
BM also made a post about such attacks http://bytemaster.bitshares.org/article/2015/01/08/Nothing-at-Stake-Nothing-to-Fear/

Will do.

Offline santaclause102

1. What is your design goal here? Make it more "democratic" (defined as what?)?
2. What do you mean here by "communication" and by "mean(s) of communication"?
3. What would be a situation that would lead to multiple chains/branches? Signing on more than one chain is a no1 reason for a delegate to be voted out. There is a great incentive for any delegate to always sign on the chain where most delegates sign blocks.
For this: "Voted-out delegates may generate a fake blockchain to trick newly connected nodes" -> What would be required to do this successfully?
I never could find quality info on what Economic Clustering is. Could you explain what its purpose is and what the means to reach this purpose are?

1. More democratic means that a delegate represents as many shareholders as possible (at least 51% would be great). More info is here - https://bitcointalk.org/index.php?topic=940298.msg10388364#msg10388364 - I didn't continue the discussion on BTT because it wasn't the topic of that thread.
2. Means of communication is the blockchain as a channel for data sharing.
3. Fake blockchain is a blockchain where voted-out delegates excluded transactions that pushed them out of top 101. Online nodes will reject such a blockchain but catching up ones may jump on it eventually. Temporary network fragmentation may lead to inability to bind at least 51 delegates to the same branch. Also, it's possible to cause the fragmentation by controlling 33 delegates and having fast connections to honest delegates. Economic Clustering is explained here - https://nxtforum.org/news-and-announcements/economic-clustering/.
1. The end goal is security. Fairness or representation in my opinion are not of value here. Everyone can participate which is fair enough. In the end, voting participation will depend on how easy it is to vote (client and voting / delegate infrastructure will have to get more user friendly) and on how much stake one has.
2. Maybe I understand what you mean... Would you agree that in the same sense Bitcoin miners and NXT forgers also have that control over the blockchain (=communication channel)?
3. User arhag made a great post on that https://bitsharestalk.org/index.php?topic=6638.0
You could challenge him in the above thread.
BM also made a post about such attacks http://bytemaster.bitshares.org/article/2015/01/08/Nothing-at-Stake-Nothing-to-Fear/

Offline Come-from-Beyond

I'm curious as to what is coming to your mind when you say "separation of powers". What would you say that would be in your mind?

2 chains running in parallel where delegates of chain A include transactions that are unpleasant for delegates of chain B and vice versa.

Offline Come-from-Beyond

I'd like to see 1. and 2. elaborated. The third is a weakness that's somewhat inherent in the system.

Look at https://bitcointalk.org/index.php?topic=940298.msg10388364#msg10388364 for #1.
#2 is based on http://en.wikipedia.org/wiki/Falsifiability. This concept is quite sophisticated, but common sense says the same - if delegates censor communications then they can remove what they don't like.

Offline VoR0220

1. What is your design goal here? Make it more "democratic" (defined as what?)?
2. What do you mean here by "communication" and by "mean(s) of communication"?
3. What would be a situation that would lead to multiple chains/branches? Signing on more than one chain is a no1 reason for a delegate to be voted out. There is a great incentive for any delegate to always sign on the chain where most delegates sign blocks.
For this: "Voted-out delegates may generate a fake blockchain to trick newly connected nodes" -> What would be required to do this successfully?
I never could find quality info on what Economic Clustering is. Could you explain what its purpose is and what the means to reach this purpose are?

1. More democratic means that a delegate represents as many shareholders as possible (at least 51% would be great). More info is here - https://bitcointalk.org/index.php?topic=940298.msg10388364#msg10388364 - I didn't continue the discussion on BTT because it wasn't the topic of that thread.
2. Means of communication is the blockchain as a channel for data sharing.
3. Fake blockchain is a blockchain where voted-out delegates excluded transactions that pushed them out of top 101. Online nodes will reject such a blockchain but catching up ones may jump on it eventually. Temporary network fragmentation may lead to inability to bind at least 51 delegates to the same branch. Also, it's possible to cause the fragmentation by controlling 33 delegates and having fast connections to honest delegates. Economic Clustering is explained here - https://nxtforum.org/news-and-announcements/economic-clustering/.

I'm curious as to what is coming to your mind when you say "separation of powers". What would you say that would be in your mind?

Offline Come-from-Beyond

1. What is your design goal here? Make it more "democratic" (defined as what?)?
2. What do you mean here by "communication" and by "mean(s) of communication"?
3. What would be a situation that would lead to multiple chains/branches? Signing on more than one chain is a no1 reason for a delegate to be voted out. There is a great incentive for any delegate to always sign on the chain where most delegates sign blocks.
For this: "Voted-out delegates may generate a fake blockchain to trick newly connected nodes" -> What would be required to do this successfully?
I never could find quality info on what Economic Clustering is. Could you explain what its purpose is and what the means to reach this purpose are?

1. More democratic means that a delegate represents as many shareholders as possible (at least 51% would be great). More info is here - https://bitcointalk.org/index.php?topic=940298.msg10388364#msg10388364 - I didn't continue the discussion on BTT because it wasn't the topic of that thread.
2. Means of communication is the blockchain as a channel for data sharing.
3. Fake blockchain is a blockchain where voted-out delegates excluded transactions that pushed them out of top 101. Online nodes will reject such a blockchain but catching up ones may jump on it eventually. Temporary network fragmentation may lead to inability to bind at least 51 delegates to the same branch. Also, it's possible to cause the fragmentation by controlling 33 delegates and having fast connections to honest delegates. Economic Clustering is explained here - https://nxtforum.org/news-and-announcements/economic-clustering/.

Offline VoR0220

I'd like to see 1. and 2. elaborated. The third is a weakness that's somewhat inherent in the system.

Offline santaclause102

Thanks CFB, always refreshing to have you around here!

1. What is your design goal here? Make it more "democratic" (defined as what?)?
2. What do you mean here by "communication" and by "mean(s) of communication"?
3. What would be a situation that would lead to multiple chains/branches? Signing on more than one chain is a no1 reason for a delegate to be voted out. There is a great incentive for any delegate to always sign on the chain where most delegates sign blocks.
For this: "Voted-out delegates may generate a fake blockchain to trick newly connected nodes" -> What would be required to do this successfully?
I never could find quality info on what Economic Clustering is. Could you explain what its purpose is and what the means to reach this purpose are?