
Bribery Attacks on Bitcoin Consensus [pdf] - kushti
http://www.jbonneau.com/doc/BFGKN14-bitcoin_bribery.pdf
======
Andrew_Quentin
"Explaining the lack of such attacks in practice requires significant
additional modeling assumptions."

Yes, the main assumption being that burning such huge resources would in any
way be recouped by a simple double spend.

A double spending attack, as the name implies, simply allows you to spend
twice the same amount of bitcoins. Thus, "an attacker [who] can purchase
mining power" needs to be able to do so at a lower cost than the value of the
bitcoins he will spend for the second time. Obviously, considering the
hashrate and the fact that you need around 51% of it, or, 30% of it according
to some calculations, I can't envisage any scenario where such a cost would in
any way be justified by simply spending your own coins twice.

Moreover, one has to consider that if such hashing power was used to simply do
what it is meant to do, then the attacker would be supplied with fresh new
bitcoins, probably to the tune of far more than any amount he can double
spend.

That is why "the Bitcoin protocol is a stable Nash Equilibrium."

~~~
sp332
You can convert BTC to cash. You can cash out all of your bitcoins twice
instead of once. That means at least that everyone who is profitably mining
bitcoins now should have an incentive to be doing this.

~~~
hippich
cashing large amount of bitcoins is slow process. cashing small amount does
not make enough to cover processing power required to double spend.

~~~
schoen
Since individual Bitcoin transactions can be as large as you like, you could
conceivably double-spend tens of thousands of BTC in a single block. It's
possible or even likely that there's nobody who would actually give you cash
equivalents for tens of thousands of BTC without more precautions, but I don't
see a clear limitation in the Bitcoin technology itself to limit how lucrative
an isolated double spending attack could be.

~~~
smokeyj
I think confirmation count does a good job of this, allowing processors to
choose the balance between risk and convenience. No one's going to convert
large fiat to btc without increasing confirmation count, and splitting smaller
transactions will require setting up traceable account. Unless of course the
attacker launders thru alt-coins, but then you might run into liquidity
issues.

~~~
sp332
I think confirmation count isn't so useful when one person or pool owns
something close to 50% of the hashing power. Everyone gets complacent because
they can't launch a 51% attack, but it's possible for someone with 40% of the
power to effectively pull off the exact same attack for a span of six blocks.
It is improbable, but not _that_ improbable.

~~~
smokeyj
Writing six blocks in a row doesn't mean you can double spend a transaction
with six confirmations. Unless you meant something else.

~~~
sp332
That is pretty much what I meant. If you can write your own confirmations, why
not?

~~~
smokeyj
Miners would have to mine valid blocks secretly, risking never receiving a
payout unless x-consecutive blocks have been mined. I mean it's technically
possible, just economically infeasible.

------
oleganza
All the discussed attacks (51%, selfish mining etc) are working under
assumption of a relatively short _time preference_ of a miner (how long he is
willing to wait for ROI). In practice, though, there is no stable condition
when you have miners of varying time preferences.

Miners with longer time preference are willing to tolerate greater difficulty
increases and invest more in mining and generally will go out of business
later than miners with shorter outlook. This creates a feedback loop which
quickly leaves in business only the most hardcore investors doing mining. This
provides a foundation for "rational behaviour", that is decision-making for
long-term value of Bitcoin.

In other words, economics of mining leave among miners only the biggest
believers in bitcoin driving out lesser believers. That's why in practice all
miners are "honest" \- all of them have dug the deepest hole possible, none is
interested in short-term "profit" from double spending that would not return
even a fraction of their investment.

~~~
davidgerard
> In other words, economics of mining leave among miners only the biggest
> believers in bitcoin driving out lesser believers. That's why in practice
> all miners are "honest" \- all of them have dug the deepest hole possible,
> none is interested in short-term "profit" from double spending that would
> not return even a fraction of their investment.

GHash already conducted a 49% attack against a gambling site.
[https://bitcointalk.org/index.php?topic=327767.0](https://bitcointalk.org/index.php?topic=327767.0)
They blamed a rogue employee - but then the claim is no longer "miners would
never do that, it wouldn't be in their self-interest" but "no single person at
any mining concern would do that, it wouldn't be in the mining concern's self-
interest even if it it was in their own". Which of course isn't true. (It
isn't true in the wider financial system either, which is why regulations
exist.)

------
murbard2
Note that all currencies are susceptible to these types of attacks. In
practice, they are prevented by the massive transaction costs involved.

~~~
feybay
Not all. Some cryptocurrencies are Proof of Stake instead of Proof of Work.
This means that in order to try and do a 51% attack, the attacker must have
51% of the staking coins. PoS uses magnitudes less electricity than PoW and
game theory suggests it's just as, if not more, secure.

~~~
RustyRussell
Far less secure you mean?
[https://download.wpsoftware.net/bitcoin/pos.pdf](https://download.wpsoftware.net/bitcoin/pos.pdf)

~~~
kushti
Poelstra's "paper" is pretty controversial:
[https://www.reddit.com/r/Bitcoin/comments/2zpmlj/expanded_re...](https://www.reddit.com/r/Bitcoin/comments/2zpmlj/expanded_rewrite_of_distributed_consensus_from/cplj4ug)

