zbingledack

7:57 PM

joined selfish-mining

zbingledack

7:57 PM

cleared the channel purpose

vlad2vlad

7:57 PM

joined selfish-mining by invitation from @zbingledack, along with @cryptorebel, @freetrader, @kyuupichan, @elliotolds, @tomtomtom7, @iang, @deadalnix, @gregnie and some others.

zbingledack

8:02 PM

Would like to understand @csw's point here in more detail, as well as the connection to the article about block consistency and how it relates to selfish mining.

zbingledack

8:04 PM

zbingledack

8:04 PM

https://web.archive.org/web/20160502203749/http://www.drcraigwright.net/consistency-distribution-transactions/

Dr. Craig Wright Blog

Bitcoin mining: consistency and the distribution of transactions - Dr. Craig Wright Blog

Misunderstandings in the bitcoin community have caused confusion about how bitcoin works. The bitcoin mining process is fundamentally competitive.

April 28th, 2016 at 10:30 AM

cryptorebel

8:06 PM

was looking for that

zbingledack

8:10 PM

If the selfish mining attack paper made an error in probability measurement (failing to use conditional probabilities when needed), it seems like it should be straightforward to dismantle the paper or at least show that the viability of the attack is different than assumed. I'm not yet able to contextualize CSW's comments in the screenshot above.Also the article seems to say many people mistakenly think blocks are fixed before they are solved, but as far as I can tell that isn't a widespread belief. Perhaps he means that people don't take this fact seriously in terms of thinking through all the implications, such as on selfish mining. Here, too, I don't see the connection.

1 reply

3 days ago View thread

zbingledack

8:15 PM

Here's the Selfish Mining paper: http://arxiv.org/pdf/1311.0243v2.pdf

zbingledack

8:21 PM

I'm guessing the probability calculations in this section of the Selfish Mining are where the error is claimed to occur:

zbingledack

8:22 PM

zbingledack

8:22 PM

zbingledack

8:22 PM

zbingledack

8:26 PM

And just in case, here's the Appendix A with the details of the probability calculation:

zbingledack

8:27 PM

zbingledack

8:33 PM

@all

Feel free to invite anyone who may be interested and won't be disruptive

cypherblock

8:45 PM

someone in the past wrote a python program to simulate this https://www.reddit.com/r/Bitcoin/comments/1vxszh/selfish_mine_simulation_in_python/

reddit

Selfish Mine simulation in python • r/Bitcoin

Hi All, I made a little code to simulate a selfish mine according to the paper of Eyal and Gün Sirer : "Majority is not Enough : Bitcoin Mining...

elliotolds

8:49 PM

CSW's initial message about conditional probabilities makes no sense to me. The probability of finding the next block is independent of who found the last one. CSW's blog post about selfish mining is extremely bizarre, in that it doesn't address any of the important issues in selfish mining, and instead focuses on weird things that no one believes, like the content of blocks being fixed before they're mined

8:50

I wrote my own python program to simulate selfish mining after the paper came out. Selfish mining is legit and Sirer & Eyal's calculations are right, CSW is wrong.

elliotolds

8:58 PM

An outside-view argument: Note that Sirer and Greg / other Core devs dislike each other almost as much as Core and BU folks hate each other, and are always criticizing each other's work. How likely is it that the Core folks would let a basic probability error in that paper go unnoticed?

zbingledack

9:00 PM

I'm guessing CSW is saying it is a Monty Hall style counterintuitive situation that many people get wrong. Need a bit more details/context on P(SS|H)

cypherblock

9:01 PM

I also do not see the connection of the content of blocks being fixed thing. @elliotolds what have people concluded about this paper? What refutations or other conclusions exist?

zbingledack

9:01 PM

Even Paul Erdős apparently didn't believe switching in the Monty Haul problem was profitable until shown a simulation.

9:02

And it's a very simple conditional probability problem.

elliotolds

9:05 PM

@zbingledack that may be the claim, and even brilliant individual people can have weird mental blind spots, but the selfish mining paper has gotten lots of review from lots of smart people. I don't know anyone other than CSW who thinks he found this type of flaw. @cypherblock the paper is widely accepted as legit. Core devs all accept it but they just claim that the paper isn't novel because everyone already knew about the attack. People mostly disagree about the seriousness of the practical consequences / whether social factors will make the attack less likely.

9:06

the attack is detectable, for instance, so if a big mining pool were to use selfish mining, everyone else would notice when they started releasing long strings of blocks at the same time, and presumably they'd get bad PR

deadalnix

9:36 PM

High. Core folk are far from infallible, and take criticism as an attack.Try saying to Peter Todd that you can remove RBF from the node with breaking a single test and see how it goes.

Try saying to blockstream folks that their implementation of schnorr in element alpha is broken (related key attacks).Shall I continue ? Nobody think fixing a proba in a freaking paper is worth being the target of a smear campaign.

elliotolds

An outside-view argument: Note that Sirer and Greg / other Core devs dislike each other almost as much as Core and BU folks hate each other, and are always criticizing each other's work. How likely is it that the Core folks would let a basic probability error in that paper go unnoticed?

Posted in #selfish-miningMay 11th at 8:58 PM

elliotolds

9:52 PM

you're saying Core devs would be reluctant to point in an error in someone else's paper, because Core devs are afraid of being smeared? Maybe you're thinking of different Core devs? The ones I know take the typical geek delight in smacking down anyone else any chance they get to show how smart they are, and don't shy away from intellectual fights. The fact that Peter Todd will attack you if you criticize RBF strengthens my point. Core devs took the selfish mining paper as an attack on them, because Sirer was essentially claiming to have discovered something that they missed, which was a threat to their ego. We should expect Core to have been especially motivated to find any flaws in that paper. Anyway, this is just the outside-view argument. If you know math and want to verify CSW is wrong for yourself, it's easy to read the paper.

9:53

CSW hasn't actually clarified what exactly his claim is. If someone here actually think's he's right, can you post a clear description of what the claimed probability error is,?

peter_r

10:04 PM

I was speaking with CSW about this too, and I still can't make heads-or-tails about his conditional probability argument. As far as I can tell, the work in Eyal and Sirer's paper is correct given their assumptions. I'm open-minded to being proven wrong, but I really need to see a clear presentation of the arguments and a simulation.

deadalnix

11:20 PM

@elliotolds I meant that core devs aren't as good as one might think they are. They are aggressively defneding a high priesthood status so they won't risk it going out of their confort zone.

11:21

@peter_r I think csw argument is that the assumption are not correct, which may well be true. Or not. Not sure.

elliotolds

11:23 PM

I am amazed at the amount of deference some people give to CSW's argument, without anyone understanding what argument CSW is actually making.

cryptorebel

11:33 PM

yeah I don't think he is saying there is a probability error in the math of the paper, but more he is saying there is a problem with the initial assumptions

11:35

He seemed to be saying that as a result of the random ordering of txs in blocks, and latency in the network, it causes extra processing time for the selfish miner making it less economically feasible. He was analyzing the game theory of it I think, and trying to show the incentives dont align. But would be nice if he could clarify more what he is getting at

elliotolds

1:36 AM

@cryptorebel, the screenshotted message makes it look like he think's the probability math is wrong. Why would the ordering of transactions in a block make selfish mining less feasible? I don't see any mechanism there that makes sense.

cryptorebel

1:38 AM

I was getting it from this part: "What seems to be misunderstood here is that separate miners can mine transactional data in any order. The addition of a nonce to seek a solution provides miners with the ability to add verified transactions in any order while they equally and fairly compete using their levels of computational power. As a consequence, miners do not benefit by pruning transactions in blocks or by seeking a common ordering of transactions. If a miner were to seek to align a transactional order with other miners, the likely result would be a scenario in which any miner seeking to align transactional positions would be economically disadvantaged due to the extra cost of this pre-processing."

1:40

I think the screen shotted thing is not about the existing probability math in the selfish mining paper, but additional math that Craig is introducing to help explain the true incentives and game theory, something to do with competition between miners, I am not smart enough to understand it though

elliotolds

1:42 AM

what would a miner gain exactly by aligning transaction positions with other miners? I don't see why he's even talking about this

22 replies

Last reply 2 days ago View thread

bitsko

1:42 AM

https://btcchat.slack.com/archives/G583BUJ7J/p1494494570144806 does this link work here ?

elliotolds

1:42 AM

@bitsko yep

travin

2:06 AM

Keeping a pastebin here - https://pastebin.com/U6X62eXN Please note that image uploads are not included. Links are though.

zbingledack

4:31 AM

@elliotolds It's not deference, just interest in establishing priors for how seriously to investigate his other claims. This seems like it could be a more straightforward case than the Segwit critique, so I thought it worth delving into.

csw

6:22 AM

All wrong sorry. The SM needs to wait until after the H miner has released.There are issues with the gamma and the lack of a model based on k-shell network graphs and the issue of thinking nodes are the same as vertices.The paper will come out in a matter of weeks.

6:23

I will discuss in a couple weeks. Sorry, but I have zero time today.

6:24

Please have a read of:

"Standard Deviations Flawed Assumptions Tortured Data and other ways to lie with Statistics"

Gary Smith

6:25

And no, it is not independent.

6:26

The argument that a SM waits and then releases following the HM means that they are always conditional.

Conditional probability seems to really by counter intuitive to most people.

zbingledack

7:26 AM

Could you (or someone) just explain in words what probability is being referred to by P(SS|H)? Or what condition "|H" refers to?Is it, "The probability that the selfish miner mines two blocks in a row, starting at a time when the honest mining contingent has just mined a block"?

cypherblock

10:31 AM

zbingledack

3:26 PM

Yeah I looked up the notation beforehand. Just need the context of what specific events are being referred to in what scenario. (edited)

3:29

That is, what precisely do we mean by SS and H in "P(SS|H)" and when exactly is this claimed to apply within the selfish mining scenarios?

freetrader

8:10 PM

@zbingledack : why not invite Emin to discuss? (edited)

2 replies

Last reply 2 days ago View thread

freetrader

8:11 PM

or Ittay ?

elliotolds

9:20 PM

I suggest figuring out what the argument actually is before inviting anyone else to discuss

freetrader

9:37 PM

that is probably a good idea.

davids

12:02 AM

joined selfish-mining by invitation from @bitsko

csw

8:33 AM

There are many flawed assumptions in the SM paper.There are around 4 papers in peer review at the moment. The nature of how the network works, the assumptions and more are incorrect. Theory is fine, as long as it is tested post the theory with data.

deadalnix

8:37 AM

@csw That'd be simpler if you would point out what assumption is flawed and how specifically.

csw

8:40 AM

Most of what people think about Bitcoin, nodes etc

8:41

https://books.google.co.uk/books/about/Complex_Social_Networks.html?id=CEVSnW-cPnsC&source=kp_cover&redir_esc=y

Google Books

Complex Social Networks

This 2007 book provides a systematic and self-contained account of the fast-developing theory of complex social networks. Social networks are central to the understanding of most socio-economic phenomena in the modern world. The classical approach to studying them relies on a methodology that abstracts from their size and complexity. In contrast, the approach taken in this book keeps complexity at the core, whilst integrating it with the incentive considerations that are preeminent in traditional Show more…

8:41

That book is a good start.

8:41

The Kappa of Bitcoin connectivity is not what people see.

zbingledack

4:45 PM

@freetrader Certainly fine to invite them in but yeah it seems like it may be a waste until we have the argument nailed down

csw

8:07 PM

Let me help you slowly on this.I will pull it all apart axiom by axiom. It seems my expectations are never clear enough for people.

8:08

Let use start with 6.1 on the topic of Gamma

https://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf

8:09

"Because selfish mining is reactive, and it springs into action only after the

honest nodes have discovered a block X, it may seem to be at a disadvantage.

But a savvy pool operator can perform a sybil attack on honest miners by adding

a significant number of zero-power miners to the Bitcoin miner network. These

virtual miners act as advance sensors by participating in data dissemination,

but do not mine new blocks"

We call these nodes, they are wallets, but leave that for now.

8:11

Gamma is set and modeled using using a low kappa Power Distribution network. Bitcoin is an extremely high kappa Poisson distributed network.

8:13

To see this:

Model the node connectivity.

1. Use a Kamada-Kawai algorithm for the layout.

2. Model distance and the spreading conditions

8:14

If you make the wrong assumption about a network, you get horribly wrong results.

If you make the assumption that shares trade using a Gaussian distribution in place of a power law, then we see large hedge traders (Long Term Capital) get into trouble.

8:15

The maths can be "good" but if it is the wrong maths modeling the wrong system, what does it matter?

csw

8:21 PM

Let me start you with a little foundational reading

https://arxiv.org/pdf/cond-mat/9903357.pdf

8:23

Key assumption 1 - Selfish Miners

_"The virtual miners are managed by the pool, and once they hear of block X, they ignore it and start propagating block P. The random

peer-to-peer structure of the Bitcoin overlay network will eventually propagate X to all miners, but the propagation of X under these conditions will be strictly slower than that of block P."_

Here the addition of a small number of nodes we start to impact the network."By adding enough virtual nodes, the pool operator can thus increase γ".What is enough?

csw

8:31 PM

In the SM Model, these are pool members that do not mine. They are a Babaioff et al (2012) Sybil. Babaioff, M., Dobzinski, S., Oren, S., Zohar, A.: On Bitcoin and red balloons. In: ACM Conference

on Electronic Commerce. pp. 56–73 (2012)

http://delivery.acm.org/10.1145/2230000/2229022/p56-babaioff.pdf?ip=81.148.139.225&id=2229022&acc=ACTIVE%20SERVICE&key=4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E5020CFA9523E86D4%2E4D4702B0C3E38B35&CFID=622263&CFTOKEN=98972933&__acm__=1494707443_903c80bb8dc201ee247ff83f4331a5f9Does everyone follow thus far?The SM authors have used depth and gamma that is incorrect, but at least (on p 61) Babaioff et al (2012) "There is no Sybil-proof reward scheme in which information propagation and no duplication are dominant strategy for all nodes at depth 3 or less." Babaioff et al (2012) have considered the effect of distinct depths in the system.For some depths, the network was demonstrated to be Sybil proof. The statement is that "Notice that this scheme exhibits in equilibrium low overhead, Sybil proofness, and provides the nodes with an incentive to propagate information." (edited)

8:32

So, can be see that it is extremely important first of all to have a correct model of the network?

8:33

Modeling the wrong network means little - this is a paper on the Bitcoin network, not a separate and distinct free scale network graph.

8:34

@freetrader @zbingledack @peter_r @elliotolds et...

This is a start

8:37

So, to make this blindingly clear and to help you see the first of MANY flawed assumptions and models, can we agree that the mathematics of the wrong model does not matter, correct or not, I am unconcerned. If you chose the wrong model, you will be wrong.

csw

8:45 PM

Questions to see if any of you know:

1. What is the condition for "unbounded spread" in Bitcoin?

2. How many Giant components does Bitcoin exhibit?

3. How many edges / vertices are there in the Bitcoin network? Is this directed or undirected?

4. What is the Eigenvector of the network and nodes?These questions are critical, if you cannot answer these, you cannot start to understand the system in Bitcoin.PS - I know all these answers and have empirically validated the theory AFTER the theory and not mined to find data that suits my point.Centrality is good in network propagation, it is not the same as centralisation. I suggest that people read up on this. Now, what is the Normailised Closeness Centrality of Bitcoin?

Between-ness centrality?

Eigen Vector Centrality?

8:45

@vlad2vlad @satoshi @mwilcox

satoshi

8:45 PM

joined selfish-mining by invitation from @csw, along with @mwilcox

csw

8:47 PM

So.... you are supporting a paper that has NOT even noted the nature of the network. That has not defined why the increase of node count increases Gamma and I have not even gotten to conditional probability and the various real and deep issues in this paper.

vlad2vlad

8:51 PM

This is really in-depth!!! Wonder if we have any miners in here.

csw

8:51 PM

To work, the addition of these gamma altering Sibyls needs to alter Gamma.We are adding nodes that in their introduction are acting in a manner analogous to the deletion of a random node. This is a consequence of vertices reconnecting to this new Sibyl node and redefining the network. Even in a low connectivity Barabási form network would we see a dramatic increase in mean-shortest path length (or a dramatic decrease in the clustering coefficient). It is rare for this and Bitcoin is far more robust than a Small world model

8:52

This is one of the minor points that in itself invalidates the entirety of this (Selfish Miner) paper.

8:52

As you get each of these points, I will have you go deeper into the rabbit hole that is Bitcoin and you can learn why this for of attack is not feasible.

8:53

That is all for now....

Your turn to look at and answer those questions I posited and see why they are crucial for this discussion and why this paper needed to have done this.

xhiggy

8:53 PM

Thanks

csw

8:54 PM

Also, please let me know if this is suitably referenced... I can add far more, but it is enough for me.

vlad2vlad

8:57 PM

Oh I think it's enough! :). Thanks!!!

cryptorebel

9:29 PM

this is amazingly fascinating

btcalbin

1:26 AM

joined selfish-mining by invitation from @bitsko

zbingledack

3:51 AM

Thanks, Craig. That is a lot to consider and - for me at least - a lot of new topics to study before I can make any judgments.

3:53

Perhaps some who are more familiar with the base concepts can help bring the group up to speed, piece by piece, perhaps starting with the basics of network morphology, explaining kappa and gamma, etc. ("Gamma is set and modeled using using a low kappa Power Distribution network. Bitcoin is an extremely high kappa Poisson distributed network.") (edited)

csw

7:14 AM

This is only one of the issues. People are making assumptions and models with no relation to the system.They could make a hypothesis of the system and test that, but where is the sensation in it?

elliotolds

9:35 AM

csw's description does not make sense to me. csw says "Gamma is set and modeled using using a low kappa Power Distribution network. Bitcoin is an extremely high kappa Poisson distributed network." The selfish mining paper doesn't model the network topology. Gamma is just the fraction of honest miners who mine on the selfish miner's block. csw seems to think that in practice gamma will be low, but the selfish mining paper still shows selfish mining is profitable when gamma is 0.

csw

9:59 AM

And that is also wrong, but I am doing one point at a time.

9:59

Seeing as you keep jumping, it just means nothing is sorted.

10:00

Start looking at each area.

10:00

Lets work on the first assumption. Then we will work on what the inconsistencies with the rest of the model.

10:01

At no point have I said, this is it - now it is all wrong. I am TRYING to step people through an extremely complex area and have them learn step by step.

10:03

And again, the model is wrong, but until you start to actially understand the nature of the network, then it is no good starting to debate the maths.

If you have the wrong model, it does not matter how good the maths is... And it is also flawed, but one thing at a time.

10:03

IFF Bitcoin was a low kappa power law system, then they would have some argument. It is not.

csw

10:17 AM

@elliotolds

What is the effect of changing from a Poisson to a Power law network?

What is the distance and how does this change centrality measurements?

In Babaioff (2012) what was the study of Gamma referring to?

How were these findings used in the Selfish Miner paper?

If Bitcoin was degraded to a Small World system, what would change?Babaioff, M., Dobzinski, S., Oren, S., Zohar, A.: On Bitcoin and red balloons. In: ACM Conference

on Electronic Commerce. pp. 56–73 (2012)

10:18

If you cannot answer those questions, you cannot even start to answer the assumptions used in SM.

10:23

Let's think on Percolation theory...

It the propagation of blocks and Transactions Subcritical or supercritical or something in between?

10:23

What is the Sharp threshold for Bitcoin's Percolation model?

10:24

A little more reading:

Smirnov, Stanislav (2001). "Critical percolation in the plane: conformal invariance, Cardy's formula, scaling limits". Comptes Rendus de l'Académie des Sciences - Series I - Mathematics. 333 (3): 239–244.

10:28

Next, to go back to why this matters...

The first transaction released is on an open network with large inter-connectivity. It is an SEIR-C model and SIR as a simplification. The nodes that have received a block are not.Once you have recieved a TX, that node is now immunised from a competing block. Node response:

1 Receive a valid TX or Block

2 Reject an equal but competing block that comes even a second laterAs the nodes reject the new block, they do not forward itThis means that the distance and centrality values for the first node to release are NOT the same as the later ones.You cannot model the transmission using the same formula and data... Bad assumptions lead to bad models. It is simpler, but wrong.

csw

10:32 AM

csw

10:34 AM

As the SM reacts, they are on the "pruned" network graph. The nodes the SM can send to are the ones who have not received the initial release of the TX or Block.

10:35

So, you cannot use the same probability for each. Conditional probability needs to incorporate the Bayesian prior.

mwilcox

11:12 AM

Hmm a bit to catch up on in here

csw

11:12 AM

Oh and it seems to work, but in the same way that a Martingale strategy does,

https://www.forebet.com/en/betting-systems/88-the-martingale-fallacyhttps://en.wikipedia.org/wiki/Martingale_(betting_system)

forebet.com

The Martingale fallacy

Considered by many a good and successful betting strategy, the Martingale has put a lot of people into a rather uncomfortable position. The forebet team believes that the Martingale strategy is misunderstood and it is not advisable to use it. If you follow this strategy you will have to double your bet after every loss so that the first win would recover all previous losses plus win a profit equal to the original stake. After the first winning bet you continue with bets equal to the last one. We Show more… (49kB)

Wikipedia

Martingale (betting system)

A martingale is any of a class of betting strategies that originated from and were popular in 18th century France. The simplest of these strategies was designed for a game in which the gambler wins his stake if a coin comes up heads and loses it if the coin comes up tails. The strategy had the gambler double his bet after every loss, so that the first win would recover all previous losses plus win a profit equal to the original stake. The martingale strategy has been applied to roulette as well, Show more…

11:12

SM is a poor Martingale...

mwilcox

11:13 AM

What is the condition for "unbounded spread" in Bitcoin?

That nodes have an economic incentive to both receive and to broadcast transaction data, that there is no limit to the number of nodes that can join the network

Is this directed or undirected?

Undirected. Each node can send or receive transactions, forward or receive blocks, replace or remove, and can both validate or invalidate blocks by choosing which head they mine on

csw

11:13 AM

SM is known as a limited response system anti-martingale.

11:14

Now, you are correct and also NOT>

Bitcoin is undirected.

The Selfish Miner is directed.

mwilcox

11:15 AM

Yes

csw

11:15 AM

Think why and if you need to, re read the paper.

11:15

:slightly_smiling_face:

mwilcox

11:15 AM

Because they do not forward tx.

csw

11:15 AM

So, you cannot use the same maths and assumptions there either. The authors have modeled the SM response as the same undirected network....

11:15

:slightly_smiling_face:

mwilcox

11:16 AM

Got it

csw

11:16 AM

And they hold and also block blocks

11:16

As I said, you need to have the assumptions right or a model is just a pretty example that you can do undergrad maths

mwilcox

11:17 AM

the SM is a giant component? they stay constant because they always publish empties?

11:17

or all SMs and their nodes?

csw

11:17 AM

The SM network is an overlay power law distribution

11:17

The SM would need to have at least 50 % to be the giant network

mwilcox

11:17 AM

right that makes sense

11:17

hmm

csw

11:18 AM

So, we are again back to, if you get more than 50% you can attack the system

11:18

Not 33%

11:18

I can see why people do not understand this, and I have benn a little lax. I had too many other things to complete.

11:19

But I am back to teaching how all this works and I am TRYING to move past analogy...

11:19

But I am terrible at just answering as the answers require that you have knowledge of the system

11:20

This is also an issue with SegWit, They have moved to a system that changes the network incentives and it changes the connection graph

11:21

Bitcoin is very carefully strung together. It is to as easy as people think to just play with the system and have it work long term.

mwilcox

11:22 AM

Yes people think of 'Bitcoin' as just some software that they can update / add features to, as opposed to a set of continuously applied rules with very carefully balanced game theory at the core of its design

mwilcox

11:41 AM

Ok so I'm just reading the SM paper again (been a while..)

11:41

things that jump out to me

11:42

"incentivizing rational miners to join the selfish mining pool"

(edited)

mwilcox

11:42 AM

does that not make the 'selfish pool' simply share their blocks with those who join

1 reply

about 14 hours ago View thread

mwilcox

11:43 AM

"In this experiment, we use the simulator to simulate 1000 miners mining at identical rates"

"We assume block propagation time is negligible"

not the best way to simulate a heterogeneous network (edited)

11:44

"In the first scenario where the honest nodes succeed in finding a block on the

public branch, nullifying the selfish pool’s lead, the pool immediately publishes

its private branch (of length 1). This yields a toss-up where either branch may

win."

Er, how could it be a toss-up, when the selfish-mining pool already received the block

csw

11:46 AM

"does that not make the 'selfish pool' simply share their blocks with those who join"

Yes.It is a secret strategy that is told to one and all.One person can have a secret.... Two, three...

11:47

Starting to see the flaws and the incorrect assumptions? (edited)

11:51

_"In the first scenario where the honest nodes succeed in finding a block on the

public branch, nullifying the selfish pool’s lead, the pool immediately publishes

its private branch (of length 1). This yields a toss-up where either branch may

win."_

But,it s not a toss up. It is not instant. The Selfish miner needs to wait and validate a block from the Honest Miners. The Selfish miner has a response that is conditional to seeing the block.And they assume the same node connectivity, not seening that the release of the block from the Honest nodes starts to innoculate the system against a second block (no time stamps).

11:51

They also need to ensure that no pool member defects.

11:52

Remember, a pool member finding a block needs to be paid.

So, they are "in" on this or they are not and want money now...

mwilcox

11:52 AM

exactly

11:52

also what if all pools are selfish mining ?

11:52

it just self balances

csw

11:52 AM

This is a further cost.

11:52

Now, if ALL pools selfish mine, then it ends as a cluster fuck

11:53

But the model is different again

11:53

The economics of all miners doing this are the same if they do not. That is, it is no more profitable than not selfish mining

11:54

But, a pool member can start to earn by defecting...

11:54

So, a dishonest selfish miner can make more profit collapsing the system...

11:54

And the SM loses money...

11:54

Which leaves them to stop Selfish mining :slightly_smiling_face:

mwilcox

11:54 AM

it's just batching. its too risky since if you aren't getting a proper share for your hashpower (because the pool owner messed up its publication pattern) then you're gonna go to the place with the more reliable hashpower

csw

11:54 AM

:slightly_smiling_face:

mwilcox

11:55 AM

if a pool owner is selfish mining, they'd take any extra profit for themselves anyway

csw

11:55 AM

Starting to see it now :slightly_smiling_face:

mwilcox

11:55 AM

either way, if you wait 20 minutes and you are mining some other block, why wouldn't you just switch pool.

csw

11:55 AM

Then, Gun does not believe the economics benefits of risk and thinks that ONLY crypto matters.

11:55

:slightly_smiling_face:

mwilcox

11:58 AM

you can't expect him to model heterogeneous networks when intel are paying the bills

12:00

he assumed they all have the same hashing power...

csw

12:01 PM

Yes....

12:01

And the assumption is incorrect.

12:02

Pretty maths and a model of the wrong system.

He did not model Bitcoin.

12:04

If anyone is interested, I have a rather large model of the Bitcoin network, not the nodes alone, the vertices.

A complete map... The fun of years of data and a system that is said not to exist :wink:

mwilcox

12:06 PM

would love to see that

csw

12:13 PM

I will propose that we publish it free

12:13

I think it will be of value

mwilcox

12:13 PM

no selfish data mining here!

csw

12:13 PM

:slightly_smiling_face:

mwilcox

12:32 PM

If you want a good laugh, read this one too. http://randomwalker.info/publications/mining_CCS.pdf

csw

12:51 PM

I know

iang

4:16 PM

We need a professional cite for that. I’ve been saying that for years and people don’t get it.

csw

Bitcoin is very carefully strung together. It is to as easy as people think to just play with the system and have it work long term.

Posted in #selfish-miningYesterday at 11:21 AM

4:21

https://btcchat.slack.com/archives/G5C87RC11/p1494763112111789

mwilcox

you can't expect him to model heterogeneous networks when intel are paying the bills

Posted in #selfish-miningYesterday at 11:58 AM

4:22

So, if he is assuming SGX which is what Intel are currently securing lots of academic work for, this assumes that CPUs are a lot more homogeneous. I think he’s done several SGX projects if memory serves. (idle speculation, just throwing it out there)

iang

4:23 PM

Is anyone collecting these thoughts and melding them into lesson?

1 reply

about 7 hours ago View thread

iang

4:27 PM

pedagogical question @csw what are the disciplines one needs to understand Bitcoin?

4:28

So far I see in CS: protocols, databases, state machines, stack-based languages (script)

4:28

in Crypto: hashes, elliptic curve

4:29

in Math: distributions (power, poisson, etc), graph theory, stats including bayesian, probablility theory (edited)

iang

4:34 PM

in Economics: game theory, incentives, mechanism design

csw

5:26 PM

Risk, finance, economics (Austrian)

Perturbation theory

Percolation theory

Game theory

Network graph analysis

Epidemology (for SIR/SEIR/SIS propagation)

Bayesian Statistics

Code Theory

Law

iang

6:33 PM

Why Law ? to avoid its constrictions?

csw

6:57 PM

Contract law - many other forms

6:57

Code is not law.

Code is evidence

6:57

The guys with guns - never forget them...

6:57

Even smart contracts can be overturned.

6:58

There are contracts that are illegal, do you think making them using a smart contract will make them legal? (edited)

tomz

7:07 PM

joined selfish-mining by invitation from @zbingledack

elliotolds

8:16 PM

another part of the reasoning above that seems mistaken: a selfish mining pool would not share its secret blocks with the pool members

csw

8:17 PM

No, they expect pool members to join

elliotolds

8:18 PM

also, can you clarify exactly what this means: "Gamma is set and modeled using using a low kappa Power Distribution network"? they expect miners to join, but that doesn't mean the pool sends everyone the hidden blocks before they're revealed

csw

8:20 PM

As a pool member, you solve and know when you solve...

8:20

You can analyse solutions

8:20

@elliotolds did you read anything I referenced?

elliotolds

8:21 PM

you know when you solve a block, but that's only one of the potentially many hidden blocks, and you're only one member. the other pool members don't know your solution

csw

8:21 PM

Yes and members solving and not seeing a solution ...

8:22

And I am not even on that... We are talking about the distribution network.

elliotolds

8:22 PM

csw, I read what you've written in this channel. it didn't inspire me to read the papers. if you have a legitimate point you should be able to state it clearly and let the paper be background material

8:22

"Yes and members solving and not seeing a solution ..." what does this mean?

csw

8:22 PM

Pool members may not know what the block is (they would not or they could take the full reward) but they do know that they have solved.

elliotolds

8:23 PM

yes, the pool member that solves a block will know he solved it. so what?

csw

8:23 PM

@elliotolds Basically, you expect without any knowledge of the topic to see why the assumptions are wrong.

8:24

And in the same vien, I should be able to explain string theory without maths...

elliotolds

8:25 PM

@csw I would say the same thing about you :slightly_smiling_face:. It doesn't seem like you understand selfish mining, yet your attitude prevents you from learning from me

csw

8:26 PM

Nothing to learn

8:27

You have no idea about network structures and the differences of graph forms and yet you expect to have an explaination that does not require this.

cryptorebel

8:27 PM

elliotolds you have to zoom out a bit, you are focusing too much on the math in SM paper instead of zooming out and looking at the assumptions

elliotolds

8:27 PM

csw refuses to state his assumptions clearly, and more specifically he can't explain why network topology matters given that the original selfish mining paper doesn't assume anything about the topology.

8:28

in the original paper, Gamma is just the fraction of miners who mine on top of selfish mining blocks

8:28

there is no topology assumed in the model.

csw

8:28 PM

The simple matter is that I have linked all you need to know to understand the problem. If you don't believe it or don't get it, I don't have the time to try to convince you.That is the best I can offer sorry.

8:29

Yes, there is no detail of the model. They use Babaioff, M., Dobzinski, S., Oren, S., Zohar, A.: On Bitcoin and red balloons. In: ACM Conference on Electronic Commerce. pp. 56–73 (2012) and yet fail to set the parameters

8:30

And it this is simple, you need to state the topology. The maths for each varies. No, you do not get to say what the system is and assume. Sorry, but science does not work this way. (edited)

8:31

And @elliotolds I have stated it all extremely clearly. It simply seems that you do not either understand nor desire to learn.

elliotolds

8:32 PM

@csw, all details of the model are rolled up into the gamma parameter. that's all they need.

2 replies

Last reply today at 12:00 AM View thread

csw

8:32 PM

Lol

8:32

No, not how it works.

elliotolds

8:32 PM

@csw, why do no technical people actually understand what you're talking about?

csw

8:32 PM

Some do.

elliotolds

8:32 PM

which ones?

csw

8:32 PM

These are people who understand the maths :slightly_smiling_face:

cryptorebel

8:32 PM

a lot of technical people get bogged down on the details, the miss the forest for the trees

csw

8:32 PM

And the need to have the correct assumptions in a model.

elliotolds

8:33 PM

@peter_r also can't make sense of what you say. Name one technical person who thinks you're making sense.

csw

8:34 PM

Oh, this is as you have people without a background in graph theory... But, that is common for coders not to have

8:34

And @peter_r IS starting to see

elliotolds

8:34 PM

name one person who already sees?

csw

8:35 PM

I believe that @mwilcox is starting to.

8:35

Then, your lack of understanding does not change it.

8:35

Show it working - in practice.

elliotolds

8:36 PM

but no one actually understands and agrees with your argument? just a few who are 'starting to'? (even though last time I saw peter_r talk about it, he said he couldn't make sense of it)

csw

8:36 PM

Show how nodes are connecting in Bitcoin...

elliotolds

8:36 PM

@csw I believe I understand graph theory better than you. you've not demonstrated any special understanding of it (or anything else)

csw

8:36 PM

No, but you do not even seem to understand the references I have linked to...

8:36

So explain

8:37

You understand so well, explain the form Bitcoin takes as a network.

What is the network distance in Bitcoin?

8:37

@elliotolds You want to show how much you know. Answer that one question.

elliotolds

8:38 PM

I haven't looked at them because they appear to be part of some deception attempt where you convince a bunch of non-technical people that you have good arguments, by making overly complex references that you're unable to clearly summarize.

csw

8:38 PM

Basically, you have no idea

iang

8:38 PM

In the absence of information, any speculation can be truth

elliotolds

8:38 PM

@csw, you're talking about details of a specific network, not graph theory.

csw

8:39 PM

You have no idea and thus simply state you can dick wave and say all you profess to understand and yet cannot answer what is a simple question for a person who knows. And yes, it is a sepciafic answer for this network that you profess to be discussing

8:39

And one you do not have the foggiest knowledge of.

8:40

And yet...

ignore and say is not important

elliotolds

8:40 PM

@csw, it's a detail of the bitcoin network. I'm not doubting that you have put more effort into studying the particular properties of the bitcoin network. Your failure is being unable to simply state why this matters for your argument.

csw

8:40 PM

When you can answer that, I will bother to respond.

elliotolds

8:41 PM

instead you just act like it's important and too complex to explain, in an effort to escape criticism

csw

8:41 PM

I actually did explain it.

8:41

You did not understand, that is not the same thing

8:42

Again...

Questions to see if any of you know:

1. What is the condition for "unbounded spread" in Bitcoin?

2. How many Giant components does Bitcoin exhibit?

3. How many edges / vertices are there in the Bitcoin network? Is this directed or undirected?

4. What is the Eigenvector of the network and nodes?These questions are critical, if you cannot answer these, you cannot start to understand the system in Bitcoin.PS - I know all these answers and have empirically validated the theory AFTER the theory and not mined to find data that suits my point.Centrality is good in network propagation, it is not the same as centralisation. I suggest that people read up on this. Now, what is the Normailised Closeness Centrality of Bitcoin?

Between-ness centrality?

Eigen Vector Centrality?

elliotolds

8:42 PM

Link? The "explanations" I saw were gibberish meant to confuse the non-technical, or shut them up by referring to irrelevant papers

csw

8:43 PM

All of those are relevant.LOL

Some of those "irrelivent papers" are used by the authors of SM...

8:44

Basically, you know all about network graph theory and you think the terms are gibberish

elliotolds

8:45 PM

it should be possible for you to explain your argument to someone who hasn't studied Bitcoin's network topology specifically

csw

8:45 PM

Why?

8:45

I cannot explain String theory to somebody without knowledge of Physics

elliotolds

8:45 PM

you can just state your assumptions about the topology

8:46

and why it matters

csw

8:46 PM

And the argument needs to take the network into account.

tomz

8:46 PM

maybe the question @elliotolds it struggling with is how topology is relevant to a paper that doesn't talk about topology.

elliotolds

8:46 PM

you haven't explained why

8:46

yes @tomz

csw

8:46 PM

It matters as different systems react and behave very differently

elliotolds

8:46 PM

@csw that different behavior is rolled up into the gamma parameter

tomz

8:46 PM

But, maybe we can wait until csw's paper is out? I recall him saying he will publish something like that.

8:46

Proof pudding and all that

elliotolds

8:47 PM

different topologies will result in different gamma

8:47

but they start from gamma

8:47

so their topology assumptions are baked into that

8:47

but what you haven't addressed is why this matters, because their paper works even with gamma as 0

csw

8:47 PM

And this is what you fail to see, they are not the same. A pruned network is not the same as a full network

elliotolds

8:47 PM

i.e., even with a topology that is more unfavorable for selfish mining, it will works

csw

8:47 PM

No, I will get to Gamma 0 later

8:48

I am breaking this down one part at a time

8:48

And, no, it does not

8:49

But, I am not jumping back and forward and further, you do not seem interested in understanding.

I have linked the material. If you want to learn, great, if not, I have no time to teach you.

elliotolds

8:49 PM

@csw, if you want to actually understand the selfish mining paper sometime, let me know and I'll go over it with you.

csw

8:50 PM

LOL

tomz

8:50 PM

maybe the point here is that csw found an extra variable. The network topology, which has not been taken into account by Gün, and it may be relevant to show how it affects the paper.

I'd looking forward to such research.

Topology in Bitcoin is still very much an under-developed subject. (i.e. the code sucks)

csw

8:51 PM

The SM paper is a web of false assumptions and errors :slightly_smiling_face:

elliotolds

8:51 PM

@tomz it would only affect gamma though, no? and the paper works no matter what gamma is

csw

8:51 PM

I used to see this form of work from undergrads when I was teaching stats

8:51

No, it does not

elliotolds

8:51 PM

anyway, i gotta go. csw let me know if you ever decide you're interested in the selfish mining lesson :slightly_smiling_face:

csw

8:51 PM

Again, you should spend some time on conditional priors.

8:52

Let me know if you are open to truth @elliotolds - maybe science and maths?

iang

9:02 PM

@csw on law - agreed. I had to unravel my assumptions :slightly_smiling_face:

9:07

https://docs.google.com/document/d/1UiMS4Br7LkTIRdEOPjCukOxG6gIdCJTOgXbeOPBHrcE/edit#

9:11

hmmm that should be sharable / openable by world.

cypherblock

9:47 PM

@iang if you are logged into a google account while viewing that page it might reveal your email address. Not sure. but something to be careful of.

iang

9:48 PM

ah ok. Yes, it was created with my email address which is iang@iang.org… which is pretty much public domain now.

cypherblock

9:57 PM

right I meant for other people following that link. I’m not really sure how it works ,but people could end up revealing their email to others viewing the document at the same time. Maybe test with someone you know.

mwilcox

10:44 PM

usually it'll leave you as anon. unless you interact / comment

peter_r

11:54 PM

@csw, @elliotolds: To clarify, I do agree with csw that miners have less incentive to collect witness data under segwit. I still do not understand csw's argument about selfish mining.

elliotolds

11:56 PM

yes, I agree with the 'less incentive' thing. still think they have plenty of incentive though. plan to reply to your bitcoi.in post with the graphs later today

11:57

@mwilcox , are you mwilcox on twitter? any relation to Zooko?

mwilcox

11:58 PM

That's me but no relation.

elliotolds

12:00 AM

replied to a thread: @csw, all details of the model are rolled up into the gamma parameter. that's all they need.

2 replies from newliberty and elliotolds

@newliberty "Paper uses gamma for a low kappa power distribution network" .. can you clarify? The papers shows how the selfish mining strategy changes for any value of gamma. no matter what the network topology is, it will correspond to some gamma value in a real life selfish mining situation. Since the paper tells you how things vary as gamma varies, the results don't depend on the topology. (edited)

klee 7:36 AM

How did you manage to pull this out? Research, design, developing & testing are very different from the real thing, yet it runned until now (at least up to previous year when block limit kicked in) perfectly.

csw

7:36 AM

There are always limits, but these are past anything we need to care about

xhiggy

7:37 AM

This seems ambiguous to me

csw

7:37 AM

@klee it is not perfect

People are calling paid transactions spam

7:38

And we are limiting uptake

7:38

For slack, it is

7:39

I cannot demonstrate so discuss things well on this format

7:39

So, there are papers to come

xhiggy

7:39 AM

I certainly have a hard time myself following all the threads and conversations

klee

7:39 AM

If you had to rate the system, from 1 to 100

7:39

how satisfied are you?

7:39

80+ ?

csw

7:39 AM

Right now....

7:40

Or with the cap gone?

klee

7:40 AM

before 1 year

7:40

and now

7:40

yes

csw

7:40 AM

75+

30

klee

7:40 AM

thx

7:40

much room for improvements

csw

7:40 AM

Inducing artificial scarcity is what governments do to control

7:40

Thank you Core

Pinned by thatwildcard

travin

8:09 AM

Sorry for my absence. Here's the pastebin of the new challenge - https://pastebin.com/aU8Dx4Wm

zillionaire

9:02 AM

left selfish-mining

cypherblock

11:11 AM

Before I attempt what @csw is suggesting (spinning up lots of vms, etc) I’m doing a basic test to replicate the papers results (or not) using a much more simplistic setup. Depending on the outcome of that, maybe I’ll try with vms. It would be great to setup as Docker containers really. This makes it easy to deploy, run, configure, control network and cpu, etc. Sadly my docker skills are fairly new but seems like a great approach for this kind of thing.

csw

11:15 AM

Not all CDFs are uniform :slightly_smiling_face:

csw

11:16 AM

csw

11:26 AM

csw

11:31 AM

csw

11:43 AM

So, do we start to see anything

csw

11:44 AM

cypherblock

11:48 AM

what are we looking at there?

csw

11:48 AM

Poisson plots

11:48

Probability

11:48

Discovery distributions

11:49

These are not Uniform as was assumed in the SM paper

11:49

I suggest that people have a read of the i.i.d assumptions for Poisson distributions and where they hold

11:49

And where they do not.

11:50

Look up what is ment by a "memory-less distribution"

cypherblock

11:51 AM

so time axis is like Time to find a block? Or?

csw

11:52 AM

Yes

11:52

The probability of discovery in a time

11:52

Independently

cypherblock

11:52 AM

:thumbsup:

csw

11:53 AM

So, combined, they form the top distribution

11:53

Separately, they are the HM and SM (lower) respectively

mwilcox

11:53 AM

:+1:

csw

11:54 AM

Notice how the probability that the HM will discover a block when the SM is hidden is around 1000 seconds for a 40% SM

11:57

So, if the SM finds a block around 10 mins in a combined sense (from T=0), and then does not publish, we have the state that the HM will discover around T=16.7 mins.

The next block by the SM is expected at T=35. (This is T=10 + T(SM2)=25)

11:57

At T=16.7, the Honest miner releases a block.

Just after this, the SM releases a block (this was hidden).

The Sm has a 40% chance of winning in this form. They have a block at risk that was close to 100% taht they try to gain on

11:59

The HM has a 60% chance where if the SM did not hide would have been a 100% chance

11:59

With me so far?

cypherblock

11:59 AM

pretty much

csw

11:59 AM

Starting to see any issues :slightly_smiling_face:

12:00

Question... What is the probability that the 40% miner will have a second block BEFORE the 60% honest miners... It is not the proability in the paper

12:01

For this, we have the Probability that the SM gets two blocks before the HM gets one

12:01

P(SS|not.H)

12:02

And P(SS|Not.H) =/= P(SS)

12:03

The distributions are exponential, so, it is far lower than the authors of that paper have assumed

cypherblock

12:04 PM

well decent simulation will show this hopefully.

csw

12:05 PM

Yes, and so does the maths

12:05

:slightly_smiling_face:

cypherblock

12:05 PM

yes but my maths not so great.

csw

12:05 PM

A REAL test and empirical evidence would have saved the authors what is going to be a lot of trouble

12:05

Mine is REALLY gd

cypherblock

12:05 PM

they did claim I think in the paper to run some simulations.

csw

12:06 PM

No, they simulate their model

12:06

A simulation of a model is not a test

12:06

It is a test that the model is the one you have written :slightly_smiling_face:

12:07

Not that the model is the model of reality :wink:

12:10

0.1 BTC for anyone who gets the CORRECT formulas:

What is the probability formula for an event A occurring AFTER an event B?

And

What is the probability formula for an event A occurring twice without event B occurring?This is a standard Poisson (the same as the SM and Bitcoin).This would be the probability P(H|S) and P(SS|Not.H) (edited)

12:11

.

Hint

It is not in the SM paper

12:12

Did I forget to mention that I used to teach Poisson processes at a Post grad level :wink:

Masters and up..

12:13

Maybe I forgot to mention that.....

12:16

Unknown (it seems) Craig Wright history.

I coded Poisson equations and formula in the late 80s and 90s using C and Forth.My first project of any size was the Parts database for the F1-11C's (Aardvarks)

I did well enough there that I was "promoted" (bastards) to writing code for Pavetak.

12:17

http://www.f-111.net/

12:18

For those who do not know, PaveTak is the smart bombing system used on the ordinace of the F111C

12:19

9 nine reliability

12:19

And accurate to under 90cm from a distance when dropped in a bomb run.

12:22

So, now you know why it is not easy to find samples of my code to compare.

cypherblock

12:27 PM

in your above questions are you assuming independent or dependent?

csw

12:28 PM

Explain to me how it is independent....

Remember that you build on a prior start, that is not independent. Look up the conditions for memoryless

cypherblock

12:31 PM

well I will make more progress working on my simulations I think. But someone should be able to grab a quick .1btc.

csw

12:31 PM

cypherblock

12:32 PM

definitely the combined distribution is surprising I would say. but simulation will show it. I don’t doubt it.

csw

12:32 PM

:slightly_smiling_face:

12:33

Assumptions are a bitch

csw

12:36 PM

csw

12:41 PM

No labels... you can have a guess which is which :wink:

csw

12:53 PM

macsga

12:55 PM

ELI5: https://media.giphy.com/media/l2Sq9gmNr5impSPxm/giphy.gif (2MB)

csw

12:55 PM

LOL

macsga

12:55 PM

:stuck_out_tongue:

tomothy

1:26 PM

fyi...

1:26

https://twitter.com/el33th4xor/status/865555154761687040

Emin Gün Sirer @el33th4xor

Giving a plenary keynote on "New New Blockchains" at NYCE at NYU's Stern School today. Come say hello if you're in the area.

TwitterMay 19th at 1:10 PM

csw

1:27 PM

Oh well, soon, how to design a failed system by Gun

csw

2:01 PM

Gambler's Fallacy

A fair coin is flipped five times and comes up heads each time. What is the probability that it will come up heads on the sixth flip? The correct answer is, of course, 1/2. But many people believe that a tail is more likely to occur after throwing five heads. Their faulty reasoning may go something like this: "In the long run, the number of heads and tails will be the same, so the tails have some catching up to do."

csw

2:18 PM

The probability of a particular miner finding two blocks in a row is not the same as one miner finding two blocks before another finds one

cypherblock

2:58 PM

the whole selfish mining thing though depends really on the difficulty adjustments doesn’t it? This is the part that seems less obvious and the paper barely discusses. But others have mentioned earlier. I’m working on a simulation now that has difficulty adjustments so I can compare number of blocks rewarded in a given time frame using honest vs selfish strategy.

csw

3:00 PM

After the initial assumption, we are already there....

3:00

Add the conditionals....

3:00

And you are further behind

3:03

What is the probability of 2 Selfish Blocks BEFORE 1 Honest block?

cypherblock

3:27 PM

selfish mining is a delayed publication of an occasional mining lead. You will orphan some honest blocks because of this when you finally get rewarded for publishing those blocks. However because of delay total # blocks rewarded over a given time period (ignoring difficulty changes) will be smaller than you could otherwise obtain mining honestly. The key thing is how (if at all) does difficulty change play into this?

csw

3:34 PM

That is ONE small part

3:34

What is the probability of 2 Selfish Blocks BEFORE 1 Honest block?

3:34

It is NOT a uniform distribution.

cypherblock

3:49 PM

I will have to brush up on my probability theory :slightly_smiling_face: I don’t like being wrong, so not going to try naive attempts. If you want to give answer and explanation that is fine. I will stick to my simulations for now.

megalodon

4:05 PM

joined selfish-mining by invitation from @tomothy

csw

5:12 PM

Typo fixed....

csw

5:12 PM

May 20th

cypherblock

12:24 AM

I’m running some simulations that include difficulty adjustments now.

12:24

It is a simplistic setup but may yield enough info.

xhiggy

1:10 AM

All I have for p(h|s) is 2/3 given 33% selfish mining

xhiggy

1:49 AM

Ok first estimate has an error. Using 2C2 (x1/(x1+x2))^2 = 1/9 If x1 is (1/30), selfish mining rate. x2 is (2/30) honest mining rate

xhiggy

1:57 AM

Whereas p(h|s) is just p(h) as the two events are independent

elliotolds

3:35 AM

p(h|x) is always equal to p(h) no matter what x is, if it refers to a past event and if h refers to an honest miner mining the next block. Same thing when you replace 'h' with 's'.If you have p proportion of the hash power, your odds of finding the next block are always p. Doesn't matter what happened before. Just like if you buy 10% of the lottery tickets (at random) and there's exactly one winning ticket, you have a 10% chance of winning. Doesn't matter who won the lottery before.

xhiggy

3:45 AM

Unless it's one of those lotteries where you remove the winning ticket from a rotating drum and there are multiple draws

peter_r

4:31 AM

The longer I read this channel the more convinced I become that this is bringing nothing new to our understanding of selfish mining. The facts are:1. Eyal and Sirer's paper is correct2. Selfish mining is still not a serious concern because (a) it requires that there be only 1 selfish mining cartel, (b) that the rest of the network just sits there and lets the attack happen, (c) that the attack is maintained through several difficulty periods, (d) that members of the selfish mining cartel don't "sell out" and release blocks when it's profitable to them but hurtful to the selfish-mining strategy.

xhiggy

4:42 AM

I do not understand why he chose to analyze this algorithm as a state machine and not a split poisson process, not saying it is wrong but it is a question I have.

4:43

The probabilities are not the same

xhiggy

4:58 AM

http://www.rle.mit.edu/rgallager/documents/Poisson.pdfSection 2.3.1Equation (2.22)This is a very specific example, why does the author of the SM paper not use this? (edited)

peter_r

5:03 AM

It simplifies the math considerably. All that matters (unless I'm mistaken [along with a lot of other people too]) is who finds the next PoW. The answer is that who finds the next PoW just depends on hash rate. That's what Eyal and Sirer's model is based on. It removes "time" from the analysis. (edited)

xhiggy

5:06 AM

It removes "time" from the analysis.

This is specific enough to have meaning. Why is that the right thing to do?

5:06

Split poisson is super simple

peter_r

5:08 AM

The point is that it's not the wrong thing to do. They show that the selfish miner will mine more than his fair share of blocks. As far as "time" is concerned, all that matters is that difficulty will readjust so that 1 block every 10 minutes will be mined into the longest chain.

xhiggy

5:10 AM

They show that the selfish miner will mine more than his fair share of blocks.

yes, in fact the poisson probabilities are higher than the ones he calculated.

xhiggy

5:10 AM

Tell me this is not the situation at hand

peter_r

5:11 AM

Yes, that's right.

xhiggy

5:11 AM

ah I think I get your argument now

5:12

Then there are gaps in his paper, at the very least

5:12

or maybe I'm wrong, either way I'm glad I dug into it a bit and learned

peter_r

5:12 AM

I suppose he could explain the difficult-readjustment bit in more detail.

5:12

But really, I think that paper was very well written.

5:13

I'm an editor with Ledger journal so I see lots of academic papers related to bitcoin. The Eyal and Sirer paper is top tier.

xhiggy 5:13 AM

I agree it's top tier for Bitcoin

xhiggy

6:15 AM

Here's something from someone who simulated it in 2013

This is really cool. I've been watching it run on a couple of computers here.

I'm getting consistent results here, showing that the selfish mining strategy is a really good way to lose 20-30% of your mining revenue. I'll note that this is roughly what I was expecting. In every other context, the whole world considers it obvious that getting your blocks out as fast as possible is a good thing. Still, science is the art of not fooling yourself, and getting the result you expect is not the same as showing that a model has skill.

As fun as this is, it needs to be much faster to be really useful. We need hundreds or thousands of runs, covering hundreds or thousands of blocks. We also need to verify that model parameters are realistic, and that the simulation isn't adding or causing un-real effects. We should also invite the authors to verify that the attack behavior is implemented correctly.*

(edited)

6:16

https://bitcointalk.org/index.php?topic=326559.0 (edited)

6:19

recreate this in a new paper

6:19

could be done

peter_r

6:19 AM

Yes, you lose revenue until the difficulty adjustment.

xhiggy

6:19 AM

yes

6:19

but there was an effort and it didn't get completed

xhiggy

6:29 AM

The bounty didn't get paid because

In short, I'm looking for a simulator of the real network, not an implementation of the nonsense model they used in their paper.

xhiggy

6:42 AM

Pretty much every paper I find follows the model in the paper to explore and build on. Maybe there is a an equivalent number of papers that can be redone on a simulation of the real network.

xhiggy

7:01 AM

283 papers have cited the original paper. The few that I have read advocate for code changes based on their simulations. Is this proper?

peter_r

7:03 AM

I don't think we need to change the protocol. Like I said earlier: I don't think selfish mining is a serious concern.

xhiggy

7:04 AM

Of course, is everyone so rational? I guess is my point

csw

8:14 AM

Oh well, iid @peter_r

8:14

You are going to learn some maths soon

8:14

See, the issue is that you are not subdividing the same Poisson problem.

8:15

You guys really need to start reading the assumptions in that Poisson sub division

8:15

iid - what is iid?

8:17

Funny how none of you seem to think actually testing it is valid.

csw

8:30 AM

@xhiggy That assumes i.i.d

That diagram is a split function when both mine the same.IID is independent and identically distributed.

8:30

In the conditional, this does not hold. You need to integrate the time basis for the underlying equation

8:31

You cannot use the approximation in their case.

8:33

Are you so afraid to take my money?

8:34

If I am so wrong....

8:34

10,000 USD right now.... 5 BTC

csw

8:43 AM

1 BTC for the first CORRECT proof ofP( SS | Not.H)

&

P(H | S)This is, the probability that a selfish miner generates 2 blocks before the honest miner and

the probability that an honest miner solves a block given the selfish miner mined a hidden block before them.

elliotolds

10:22 AM

CSW if you appoint a neutral judge I'd be happy to take your BTC.

csw

10:39 AM

@vlad2vlad and two others already have it

10:40

The money

10:40

And it will be reviewed by a mathematician

10:40

Not me

10:40

A neutral professional

10:41

The time is not started from 0 in each branch... there is a clue

cypherblock

11:07 AM

My simulations so far do not show any benefit to selfish mining in terms of reward blocks/minute but I’m still working through the kinks. Could have some bugs in my algo somewhere. Edit: found a bug so re running (edited)

csw

11:09 AM

You could also be actually simulating it correctly :wink:

11:09

Are you simulating using a VM?

cypherblock

11:10 AM

@elliotolds @peter_r did you run any simulations that have both difficulty adjustments, and have multiple threads simulating mining activity? This is what I am doing. First I did the approach I’ve seen elsewhere, then I added difficulty adjustments and independent mining. (edited)

11:10

@csw no not yet, that might be next step.

csw

11:14 AM

You are simulating and not simply running their calculation I hope :slightly_smiling_face: (edited)

11:17

Figure H

They have - P(More than 2 S)

It needs to be

P(More than 2S | At most 1 H)

cypherblock

11:19 AM

I am using their state machine to allocate blocks and determine rewards. But mining and difficulty adjustments are separate.

11:22

right now I just have 3 pools mining. 2 honest, 1 selfish. As blocks are found by the miners they are published to the state machine which determines if the block gets added to the public chain or to the selfish branch, and if other blocks from selfish branch will get published to the public branch.

11:24

After the allocation step (state machine), if the public length has changed, then we check to see if retargeting (difficulty adjustment) is needed and do that and pass the new difficulty to the miners.

11:27

my “mining” is very crude random number generation that must be < than target, and just sleeping the threads for a certain amount of time based on their hash power. This is quite crude so it could be introducing errors.

11:31

I am going to rejigger some stuff with my miners and try again. Results are very preliminary at the moment and should not be trusted yet.

csw

11:49 AM

@cypherblock I am happy to see you acting as a scientist :slightly_smiling_face:

csw

12:26 PM

Next reading - Negative Binomial

cypherblock

12:52 PM

Found a copy/paste bug in my code. :disappointed: so re-running

12:56

one of my miners was not getting the difficulty change. Fortunately I had some sanity checks to catch this. New results coming soon I hope.

csw

12:58 PM

Well, I am looking forward to when you move to VMs

csw

1:43 PM

Easy weekend questionWhat is the probability of a Selfish miner with 40% of the hash rate getting 4 or more blocks in a row before the Honest miner solves a single one?

Pinned

1:43

I will add 0.1 BTC for the correct solution if it is in the next 36 hours.

1:43

@vlad2vlad @satoshi @thatwildcard

thatwildcard

1:43 PM

joined selfish-mining by invitation from @csw

csw

1:44 PM

Please note that

1:44

And if there is a valid answer I instruct you to pay from the MS wallet

1:46

And please - it is NOT Eq 15 in the SM paper.

And half pay (marks) for not doing the working for others :stuck_out_tongue: (edited)

cypherblock

3:24 PM

Ok, latest results from my fixed simulations are showing benefit for selfish mining. I am still reviewing and checking though. I am seeing a larger number of rewarded blocks per minute using selfish approach.

digitsu

3:34 PM

joined selfish-mining by invitation from @klee

csw

4:05 PM

Now, look at the formula.

4:06

https://en.wikipedia.org/wiki/Negative_binomial_distribution

Wikipedia

Negative binomial distribution

In probability theory and statistics, the negative binomial distribution is a discrete probability distribution of the number of successes in a sequence of independent and identically distributed Bernoulli trials before a specified (non-random) number of failures (denoted r) occurs. For example, if we define a 1 as failure, all non-1s as successes, and we throw a die repeatedly until the third time 1 appears (r = three failures), then the probability distribution of the number of non-1s that had Show more… (26kB)

4:06

k successes, before r failures

csw

4:07 PM

csw

4:07 PM

csw

4:08 PM

Equation 7 - Case (h)

4:10

This is why running a model based on experiment is important.

4:11

The equation for the function is a Negative Binomial.

This is not what they have used

csw

4:28 PM

Probability using

Negative Binomial ?

The equation in the SM ?

(Paper - P15)

csw

5:03 PM

Let us take it a little further...What is the probability that a SM in state (H) will find a block before the HM finds 2?

csw

5:23 PM

There is an important reason I am trying to have people test the real system with real data.

5:23

When you have the data you can start to see why

cypherblock

10:23 PM

Still preliminary and yes there are simplifications here, BUT->My simulations continue to show some advantage to selfish mining strategy. I’m trying some different gamma values now to see how that affects things. Basically I think this works as a “difficulty attack”. Selfish miners are able to hide their hash power a bit. They only emit blocks when the honest miners do. So this effectively slows down how often blocks get added to the public chain. When difficulty adjusts to account for this, it makes it easier for everyone to generate blocks. Because enough of the selfish miners blocks still get rewarded, and because they are generating more per unit time (lower difficulty), it turns out better than honest mining. Not sure if that is really how it was presented in the SM paper, but that is my initial analysis. (edited)

10:26

Of course my initial runs had a bug, so it would be great to compare to someone else who has similar setup.

tomothy

11:00 PM

Would it change if you scale up the simulation? I.e. 100 machines vs 10?

May 21st

cypherblock

12:35 AM

not sure how that would effect anything. I do only have 3 mining pools right now. If I had 100 would it change anything?

satoshi

12:54 AM

@csw There's a 2.56% chance that a selfish miner with 40% of the hashrate would find 4 blocks in a row before the honest miner found a block. I'm guessing I'm actually wrong though and it's even lower.

brian_openbazaar

1:24 AM

joined selfish-mining by invitation from @bitsko

csw

5:36 AM

@cypherblock

If you have done this correctly. Explain the data pre and post 2016 blocks.

csw

5:38 AM

@satoshi

That is the correct value.Where is the working :wink:

3 replies

Last reply 4 days ago View thread

csw

5:39 AM

@cypherblock

The maximum Gamma based on the actual Bitcoin network is 0.002That will come later. Without Gamma, what are the results?

elliotolds

10:04 AM

@cypherblock sounds correct to me. props for going through the effort and proving it to yourself

csw

10:08 AM

Now, the issue is that the State diagram is wrong :slightly_smiling_face:

10:08

But we will get to that.

10:09

First, @cypherblock

What is the distribution without gamma of the discovery over the first week of blocks?How many are discovered by your 1/3 SM in a day?

csw

10:16 AM

Fig 1 - State diagram.State 3 goes to state 2Explain how this is the case from the State diagram.... (G) when the pool wins from 1 -2 goes to state 0....

Not state 3- state 2...Did you not see the contradiction?

10:19

Let us take Gamma at zero and ask what is the state table that results?

10:20

0.1 BTC for the first person (not you sorry @joeldalais ) to the person who posts it... Ending today

joeldalais

10:20 AM

:stuck_out_tongue:

csw

10:20 AM

If 12 hours pass, you can do one @joeldalais

joeldalais

10:21 AM

i can try :slightly_smiling_face:

thatwildcard

12:01 PM

it is, and now I know what a MOOC is - great idea :slightly_smiling_face:

iang

https://docs.google.com/document/d/1UiMS4Br7LkTIRdEOPjCukOxG6gIdCJTOgXbeOPBHrcE/edit#

Posted in #selfish-miningMay 14th at 9:07 PM

cypherblock

12:29 PM

I’m doing some trials now with low gamma.

csw

12:38 PM

Please track the solutions a day :slightly_smiling_face:

cypherblock 12:55 PM

Low gamma drastically reduces (or eliminates??) the selfish mining advantage in terms of rewarded-blocks per unit time. Right now my simulations are doing more retargeting than real bitcoin network. But I can see if I can normalize it.

csw

12:56 PM

As stated... Gamma is an assumption.

12:57

The max you can in theory get for Gamma is 0.002 and closer to 0.00098

And this is expensive

12:58

To gain a 0.00098 Gamma right now will cost more than adding 10% Hash power to the network...

12:58

Hence why I was saying that a test of the network is essential and that experiment is needed :wink:

1:01

The network distance is so small and the density of vertices so high, that you will need 2.1x10^4 Sybil nodes for each Gamma gain of 0.00001

1:02

To obtain a Gamma that radically alters the network will require 2x10^6 nodes.

1:05

Amazon gave me a discounted monthly cost for this. $29,280,000.00 USD

1:07

Does anyone argue that I could not obtain 10% of the network hash rate for less than the Amazon fees?

cypherblock

1:08 PM

Sybil nodes would not be the most effective way to do this. Probably do something like this describes: https://arxiv.org/abs/1605.07524

csw

1:08 PM

True, but the SM paper uses a Sybil node.

1:09

That method is also wrong - for a completely different reason, but one thing at a time :slightly_smiling_face: (edited)

1:11

The mapping of Bitcoin to the AS system is interesting. I will present this towards the end of the year.... too much to do

1:12

The attack would slow transactions, but not blocks. So it is not the same as a SM attack and still does not help

1:14

Quotes from SM:

"These virtual miners act as advance sensors by participating in data dissemination, but do not mine new blocks."

"By adding enough virtual nodes, the pool operator can thus increase γ""The virtual miners are managed by the pool, and once they hear of block X, they ignore it and start propagating block P"

1:15

So, we have:

"But a savvy pool operator can perform a sybil attack on honest miners by adding a significant number of zero-power miners to the Bitcoin miner network"_

1:17

This is a logical Fallacy.

http://rationalwiki.org/wiki/Appeal_to_probability

This is an extended for of the logical fallacy, Appeal to probabilityThis is the alternate form of the fallacy known as "the appeal to possibility. This flawed logic states in effect "it is possible, therefore it is certain".

1:20

Next

We come to the CORE of the argument.... What the authors NEED to address and fail miserably on._*"Because the protocol was believed to reward miners strictly in proportion to the ratio of the overall mining power they control, a miner in a large pool was believed to earn the same revenue as it would in a small pool."_*Most critically,

"We show that, above a certain threshold size, the revenue of a selfish pool rises superlinearly with pool size above its revenue with the honest strategy."This is the thesis. The hypothesis.

1:21

So, if you make more orphan blocks and even if you are close to 50%... you still gain under the revenue you would have gained.

1:21

50% of 144 blocks a day = 72 blocks

1:22

At best, SM can make many orphans and increase the loss to the other party, but at what cost :slightly_smiling_face:

1:22

Remember this is a hypothesis on:

"We show that, above a certain threshold size, the revenue of a selfish pool rises superlinearly with pool size above its revenue with the honest strategy."

1:25

A rational business thinks differently to an academic.

You think in terms of absolute returns.

Above ITS (the selfish miners' revenue with the honest strategy." (edited)

1:27

Next

The authors say this is difficult to detect and stop....Clearly they have no idea of statistical detection methods.

1:28

In 2008, I wrote a paper and a tool to detect the use of Hydan, a stegonographic tool designed to hide information in code by flipping (ADD A) to (Sub -A) in the binary compiled code

1:28

https://uk.sans.org/reading-room/whitepapers/stenganography/detecting-hydan-statistical-methods-classifying-hydan-based-stegonagraphy-execut-32839

1:28

That was easy and it was 10,000,000,000,000 times harder than checking the release of blocks in the SM strategy (edited)

1:32

Think on it...

For a place where the SM has a lead:

HM releases, SM orphans it in seconds

HM releases, SM orphans it in seconds

HM releases, SM orphans it in seconds

HM releases, SM orphans it in secondsHM has lead...HM finds a block after a long period...

SM releases two and HM is orphanedThis is the simplest - PUBLICLY most simple to check real time attack to stop....

1:33

Oh... and the state table is wrong....

If you actually check the processes, the state table never releases 2 or more blocks, but the strategy does...

cypherblock

1:34 PM

yes, detection seems like it would not be that difficult.

csw

1:34 PM

And this is not even a third of the way into the problems :wink:

1:35

@cypherblock

You detect this - it has been 2 days....

Will Honest miners allow it?Or will they simply block the Selfish pool (and reject all its blocks (and this does not need code changes...

1:35

They could fork the defecting pool...

1:36

The pool could (at expense) reorg and try again, but at what gain and what costs?

1:38

I will dig up and link the paper later, but it was myself who created and wrote the tool to detect Hidden TruCrypt volumes....

The process was used by law enforcement - hence TC is not used now.

cypherblock

1:38 PM

ok, have to eat now. First thing was to validate that IF gamma of say 50% is used, AND ignoring all other problems, does selfish strategy work? Seems like answer is yes. Next, sure we can show that achieving high gamma is difficult/expensive and detection not so hard.

csw

1:38 PM

THAT. That was difficultTC hidden volumes, small entropy changes. Hard

1:39

I have a paper and data that will kill Gamma

1:39

:slightly_smiling_face:

1:39

I have a complete node map of the bitcoin network from 2009 to well this year.

1:40

We need to anonymise it prior to releasing the data

csw

1:40 PM

csw

1:41 PM

Oh, we could detect Hydan at an encoding level of 1/15,000

1:43

The SM can be detected at the rate of a SM with 0.000,067% of the overall network and up doing it....

And for a small SM, there is a loss :wink:

1:43

I am off for now as well... Enough procrastination. I have a Risk paper for my MSc to get submitted :slightly_smiling_face:

tomothy

3:23 PM

Gonna invite linzheming if that's ok? Im assuming it is?

csw

3:24 PM

It is ok

tomothy

3:24 PM

Oh, he's already here.

linzheming

3:25 PM

I’m not quite follow the concept sorry.

3:26

Is there any definition or theory I can read first?

tomothy

3:26 PM

It's well above me. From my understanding, emir started from a flawed assumptions and therefore study is flawed.

csw

3:49 PM

Has anyone thought what happens to the "extra hidden blocks" when the difficulty changes?

3:49

The ones at a difficulty that is LOWER than the main honest chain...

3:50

They do not need to be far ahead...

3:50

Try adding it next :slightly_smiling_face:

david

4:01 PM

joined selfish-mining by invitation from @onchainscaling

cypherblock

4:46 PM

@csw yes this is an issue, but I don’t think it is a major flaw in SM algo. I can see if I can account for that in my model (reset private branch to 0 on difficulty change or something).

csw

4:48 PM

@cypherblock If the SM has a lead, they will have a small difficulty adjustment...

4:48

Small is still rejected :slightly_smiling_face:

cypherblock

4:49 PM

the most number of blocks published at once in SM algo is 2.

csw

4:49 PM

Yes Published

4:50

But Difficulty is calculated by them on their hidden blocks (edited)

4:50

And this can differ from the main chain

cypherblock

4:51 PM

presumably SM miner uses main chain difficulty.

csw

4:51 PM

They do not know it

4:51

Remember, they have hidden blocks

cypherblock

4:51 PM

They can run ‘border’ node or something to get this. Or multiple listener nodes around the world.

csw

4:52 PM

Again, they have blocks that are ahead of the change

4:52

And they are not able to see the future are they?

4:53

Block 2016 for the Honest miner is not the same as Block 2016 for the SM

4:53

So, 2017 is not the same when it is republished

cypherblock

4:53 PM

It is a reasonable issue. I have been thinking about it as well. I’m not sure if the impact will be huge though. Yes they could predict the future, but that is probably unwise.

csw

4:53 PM

Each small issue erodes it.

4:54

It was always a small gain. And each incorrect assumption makes it smaller and smaller

4:54

:slightly_smiling_face:

4:54

AND

4:54

People are slowly learning how a few things may actually work

jpjp

4:56 PM

joined selfish-mining by invitation from @tomothy

iang

6:05 PM

:slightly_smiling_face:

csw

6:25 PM

Also remember this is off revenue. Each point on revenue makes a massive change in profit.

6:25

:slightly_smiling_face:

6:26

I guess we forgot that

6:26

And non profitable = losses

elliotolds

7:16 PM

@ cypherblock , note that nothing bad happens to the selfish miners private blocks during a difficulty adjustment, because when he releases his own private blocks, the public chain will adopt the difficulty adjustment in the private chain

7:17

@cypherblock

csw

7:30 PM

Will they now...

7:30

Maybe you should test it and not assume.

7:31

As the majority calls for a higher difficulty, you will find your statement is not the case

7:31

The SM releases and is rejected

7:31

And needs to align back to the chain.

7:32

Even 2 blocks of 2016 can make a small difference.

7:33

The SM can mine on a higher difficultly to ensure that this does not occur, but -

1. This is not a part of the strategy

2. It lowers returns at the end.

elliotolds

7:42 PM

csw you should try to give a concrete example of the difficulty adjustment causing problems for the SM, and you should see your mistake.the public chain's difficulty adjustment will be roughly equal to the private chain's adjustment, fyi

csw

7:43 PM

If you have (HM +2), (SM +4)SM changes at a lower difficulty than the HM.Roughly is not the same as equal

7:44

Have you tested it :slightly_smiling_face:

elliotolds

7:46 PM

you mean the chain split is at block X, and HM is 2 blocks ahead and SM is 4 blocks ahead? the SM's chain's difficulty will end up slightly higher in this case. you seem to have the order backwards. but the main point is that this doesn't matter, because the HM will publish their blocks, the public chain will start using the HM's difficulty, but then the SM will reveal hidden blocks and the public chain will switch over to the SM's difficulty adjustment

7:46

give a concrete example, and you'll see your mistake :slightly_smiling_face:. gotta go for a bit

csw

7:47 PM

@elliotolds

You seem extremely vested in a flawed model...I wonder why?

:slightly_smiling_face:

6:16

I like suspense

macsga

6:16 PM

@csw did you write that faq (organofcorti)? (edited)

csw

6:16 PM

No, not I

macsga

6:16 PM

he's a very bright man

csw

6:16 PM

But it is by a maths geek :slightly_smiling_face:

macsga

6:16 PM

:slightly_smiling_face:

csw

6:16 PM

I do recomend the page

macsga

6:17 PM

I do too :slightly_smiling_face:

csw

6:17 PM

So, as I said... wrong math

6:18

https://bitcoinwisdom.com/bitcoin/difficulty

bitcoinwisdom.com

Bitcoin Difficulty and Hashrate Chart - BitcoinWisdom

Bitcoin Difficulty hashrate chart and accurate estimated next difficulty.

6:18

This is next

csw 7:47 PM

And very much not interested in actually testing it,

7:47

Real systems, real data :wink:

7:48

And you may want to look up and real on the Negative Binomial distribution.

bitcoinsteffen

8:58 PM

joined selfish-mining by invitation from @bitsko

May 22nd

cypherblock

1:31 AM

I will see if I can improve my difficulty calcs a bit more. I am using one simplification which could affect outcome. I think @elliotolds is probably right though, but a couple of things I’m going to check.

travin

4:55 AM

https://pastebin.com/9s1VF16Z

csw

5:18 AM

Here is a big clue. Revenue is a time based and not block based function.

cypherblock

10:38 AM

my simulations calculate reward-blocks/hour, which should be a good indicator if a strategy has a revenue benefit or not.

csw

10:52 AM

What do you get in the first week for a 40% SM @cypherblock ?

10:53

They will normally get 403.2 blocks

And how many orphans?

10:54

Here is a little secret. In this time frame, the SM can still not mine faster than alpha.

cypherblock

10:55 AM

Yes there may be a ‘transition cost’ when switching initially from honest to selfish, is that what you mean?

csw

10:56 AM

In part.

10:56

But, remember that even if the HM gives up in the first week leaving ONLY the SM, the SM still only gets alpha of the total

10:57

So, at best, they can get as much as they would have received.

10:57

AT BEST

10:57

Forget this notion of relative pools and other lies used in graphs to mislead.

10:58

Some SM blocks are orphaned. Some HM blocks. It may be more HM than SM, BUT and here is the kicker...

10:59

If the SM can at alpha = 0.4 earn at most 1 block every 25 mins (and that is the rate)

10:59

Then, even if the Honest miners leave, the SM does not gain more.

csw

11:00 AM

csw

11:01 AM

The funny thing is that at 50% the SM earns less than a standard attackAt 50%, the SM earns 71.94 BlocksA standard 50% plus attack gets them 72 (edited)

csw

11:54 AM

https://en.wikipedia.org/wiki/Base_rate_fallacy

Wikipedia

Base rate fallacy

The base rate fallacy, also called base rate neglect or base rate bias, is a formal fallacy. If presented with related base rate information (i.e. generic, general information) and specific information (information only pertaining to a certain case), the mind tends to ignore the former and focus on the latter.

Base rate neglect is a specific form of the more general extension neglect. (62kB)

11:57

https://www.logicallyfallacious.com/tools/lp/Bo/LogicalFallacies/55/Base_Rate_Fallacy

https://www.logicallyfallacious.com

Base Rate Fallacy

Ignoring statistical information in favor of using irrelevant information, that one incorrectly believes to be relevant, to make a judgment. This usually stems from the irrational belief that statistics don’t apply in a situation, for one reason or another when, in fact, they do. (226kB)

11:57

Bar-Hillel, M. (1977). The Base-Rate Fallacy in Probability Judgments. Defense Technical Information Center.

csw

12:19 PM

Oh.... Did we consider what happens to transactions?

csw

12:19 PM

csw

12:21 PM

The result over time is that you add a queue load factor rho which becomes much larger than 0.5 then the average queue length (Transaction wait time) and response time for messages in the queue get large very quickly. When rho becomes 1.0, the queue will no longer reach a steady state, but will, in fact, grow in length as long as messages continue to arrive.There are reasons Bitcoin holds a copy of the forked chain and what occurs when you try and hide this...

12:24

AT 33.33% the SM will stop earning profit as the chain degrades exponentially

Do we believe that the other miners will just stop and give up?They can stop this in seconds.

12:24

1. An introduction to Probability Theory and its Applications, Volume 1, William Feller, Wiley, 1957

phoenix

12:24 PM

@antanst

antanst

12:25 PM

joined selfish-mining by invitation from @phoenix

csw

12:25 PM

Oh and did you know that there is a very simple code fix for a SM attack (not for revenue, but to try and break the system)?

pesa

12:25 PM

lol! i can't make out what CSW says, but seems he knows what he talking about ! :grinning:can't wait for the super secret release

csw

12:26 PM

It is so very simple.You are going to kick yourself when it all comes out :slightly_smiling_face:

12:27

And I will incorporate a code patch as an IF this ever occurs (as well as how to just use firewalls and a tool to detect it)

12:29

The patch is simple.

Include the recorded blocks in the chain tree as a marker of orphansUse these with the difficulty increase and the orphans that are a part of the SM "attack" are then included meaning the SM attack even if allowed to go on for years can NEVER make a small increase in revenue let alone a profit

12:30

@pesa

I am smart enough to have others working with me who can change Craig Speak into Standard English :slightly_smiling_face:

csw

12:34 PM

csw

12:37 PM

Poisson is simpler to calculate and a fair approximation in certain circumstances...That is why it is used.However, when you are making time dependent calculations and testing hypothesis'... you need to be more exact.Simple approximations do not suffice.

csw

12:37 PM

csw

12:38 PM

These differences seem minor.

The use of the standard Lambda equation certainly saves time... But, small errors magnify.

csw

12:38 PM

csw

12:39 PM

These small differences from the Poisson approximation to the Binomial (and later the negative binomial all add up.

12:39

Each roll is compounded. It is not one roll and move on the queue, but one after another after another...

12:40

Error, multiplied by error, , multiplied by error, , multiplied by error, , multiplied by error, , multiplied by error,

12:40

Small at first....

12:42

See “An Introduction to Probability Theory and its Applications”, 2nd Edition, William Feller, Wiley, 1957

12:43

Question

What does a 2-3% difference do to the model?

tomothy

12:48 PM

Make the error much much more worse?

csw

12:51 PM

Yes

12:51

Small differences add up when run 1000s of times

tomothy

12:54 PM

Like a manufacturing imperfection which wears over time due to the defect, exacerbates, and ultimately breaks

csw

12:55 PM

I am releasing a few papers.1. A very easy one with a fix and lots of diagrams.

This shows the revenue flaws. Very easy to understand and a simple fix that kills SM even without the error.

Also helps with some Time Warp attacks etc2. A more complex paper and model

Based on real systems and hosts - incorporating the 3. An SEIR system that defines how the Blocks propagate in detail.4. The maths. As done from the integrated values (on time censored data)

Sorry, but this one is not easy and will be ignored for the simple stuff by most people5. The network models. All the data on how the Bitcoin network looks and reacts.

tomothy

12:58 PM

Anything soon, like a press release, regarding dangers of segwit? Would be timely in light of consensus news. Need a counter narrative starting

cryptorebel

1:18 PM

segbleed

csw

1:34 PM

LOL

1:34

Soon yes.

pesa

1:37 PM

segboost

checksum0

1:38 PM

asicbleed...

1:38

Oh wait...

erik.beijnoff

3:31 PM

joined selfish-mining by invitation from @bitsko, along with @mengerian

satoshi

4:34 PM

Looking forward to the release of those papers csw

macsga

4:36 PM

just caught up with -most of- the news

4:36

they don't know the significance of btc protocol

phoenix

7:05 PM

@dimitrist

dimitrist

7:05 PM

joined selfish-mining by invitation from @phoenix

May 23rd

satoshi

10:15 AM

@adamselene

adamselene

10:16 AM

joined selfish-mining by invitation from @satoshi

adamselene

10:19 AM

@csw the odds of a selfish miner with 30% hashrate finding 3 blocks before honest miners found 1 block works out to 2.7%?

csw

10:44 AM

Yes

foorbarbaz

11:00 AM

left selfish-mining

csw

12:33 PM

csw

12:34 PM

On pseudo profound bullshit. | Selfish Mining :slightly_smiling_face:

bitalien

7:40 PM

joined selfish-mining by invitation from @cryptorebel

May 25th

csw

4:41 PM

Here you go... a Little reading...

https://bitcoil.co.il/Doublespend.pdf

csw

4:41 PM

csw

4:42 PM

I have been telling you that the maths is an approximation....

csw

5:08 PM

http://organofcorti.blogspot.co.uk/2015/07/faq-bitcoin-mining-and-luck-statistic.html

organofcorti.blogspot.co.uk

FAQ: Bitcoin mining and the luck statistic

"Bitcoin mining pool, network and exchange analysis" (73kB)

5:08

Also got it...

5:09

And here is a detailed model

5:09

https://arxiv.org/pdf/1702.02867.pdf

zbingledack

6:15 PM

Oh wow

6:15

This seems clearer

csw

6:15 PM

csw 6:19 PM

https://bitcoinwisdom.com/assets/difficulty/bitcoin-difficulty.png?1495736104 (41kB)

6:19

As difficulty is not static, it radically alters the distrbution

macsga

6:20 PM

this is correct

6:20

more complex calc is needed

6:20

may I suggest a FFT?

zbingledack

6:21 PM

So I gather that the probability of a selfish miner with 40% of the hashpower finding the next block starting from a given time t is indeed 40%But the probability of the SM finding a certain number of blocks before the HM finds a certain other number of blocks involves binomialsThis was not in the SM paper? They used the simplified math?

csw

6:21 PM

Yes

6:21

The simple 10 min exact (Only) approximation

6:21

And yes, they did not use the Neg Binomial

zbingledack

6:22 PM

Oops :)

csw

6:22 PM

Starting to see what I was trying to get others to see?

zbingledack

6:22 PM

It at least seems quite plausible that there is something there

csw

6:22 PM

Sorry I have dragged this on, but I was hoping people would see it without my slapping them in the face with it

zbingledack

6:23 PM

Funny how you always seem to be keenly aware of what was written in the whitepaper.....

csw

6:23 PM

Moore's law and increasing competition harm the selfish miner as well

6:23

Yes, funny :stuck_out_tongue:

6:24

I tried to tell Gun, but he told me how much smarter he was than me... so his loss

6:26

If you just model using their model, you fail to test the system

6:26

You do not do science, you validate what you are given.

csw

6:29 PM

csw

6:29 PM

csw

6:29 PM

csw

6:30 PM

Sorry... messy - the edited version is in the office

csw

6:30 PM

csw

6:31 PM

AND....This is where I lose people:

csw

6:31 PM

macsga

6:32 PM

lol

6:32

you actually found one to peer review it ?

csw

6:33 PM

Yes, it is going into a maths journal (edited)

6:33

I could find nobody in the Bitcoin world

csw

6:34 PM

zbingledack

6:36 PM

Is the "differentiation on a net" stuff necessary to destroy the SM argument, or just icing?

elliotolds

6:36 PM

What makes this seem plausible to you? You saw how cypherblock's simulations made him think me and peter_r were right, no? Isn't it still the case that no technical person who has looked into this agrees with csw?

zbingledack

It at least seems quite plausible that there is something there

Posted in #selfish-miningMay 25th at 6:22 PM

csw

6:36 PM

csw

6:36 PM

Oh @elliotolds

You still try and protect Gun's model

macsga

6:37 PM

My mind is fried; been on a continuous 6h lecture on Bioinformatics & Bioethics

6:37

I think I'll pass out

csw

6:37 PM

CYRIL GRUNSPAN AND RICARDO PEREZ-MARCO ´

6:37

They proved it IS a Negative Binomial :wink:

6:37

Independantly

6:38

They did not then go on to apply it to all the cases I used

zbingledack

6:39 PM

@elliotolds Seems an easy error to make, especially since the approximation is so close.

csw

6:39 PM

Oh @elliotoldsYou believe that as I cannot simplify this sufficiently for you it makes it wrong..

6:40

https://arxiv.org/pdf/1702.02867.pdf

6:40

Have a read

elliotolds

6:41 PM

What specific error do you think is being made, @zbingledack? The only assumption in the paper about mining probabilities is that the probability of finding the next block equals your proportion of the hash power

6:41

which you seem to accept

csw

6:41 PM

And it is wrong

6:42

It is an approximate for 10 mins exactly AND only for a following block (edited)

6:43

A percent or two here and there, multiplied (edited)

6:43

All goes to making it more and more error bound

elliotolds

6:43 PM

It has nothing to do with the time to find a block. It applies no matter how long it takes. If you buy 10% of lottery tickets randomly and there's one winner, you have a 10% chance of winning. Same concept

csw

6:44 PM

Then just assume a 1.0 Gamma for the network

6:44

You DO understand that it is NOT possible to EVER get a gamma of 1.0 or even be close with pool mining going on?

6:44

@elliotolds

You believe that

6:45

Try and selfish mine

elliotolds

6:45 PM

No matter how long finding the next block takes, if you have x% of hash power you're buying x% of the lottery tickets...

csw

6:45 PM

And - it is the EASIEST thing to detect and stop

6:45

Yes @elliotolds

You know best. Ignore all that nasty maths

6:46

http://organofcorti.blogspot.co.uk/2015/07/faq-bitcoin-mining-and-luck-statistic.html

organofcorti.blogspot.co.uk

FAQ: Bitcoin mining and the luck statistic

"Bitcoin mining pool, network and exchange analysis" (73kB)

6:46

Ignore these nasty difficult to use Erlang distributions.

6:46

Why use the actual thing when you can approximate

cypherblock

6:47 PM

@csw do you agree that with SM approach, the SM releases blocks more slowly than they would otherwise?

csw

6:47 PM

They create far more orphans

6:47

They cause all miners to lose

6:48

And they can NEVER gain more than the amount they could have gained if they did not selfish mine

6:48

Here is a web page to try see if you can play with compounding error

http://statpages.info/erpropgt.html

6:49

And

6:49

http://ipl.physics.harvard.edu/wp-uploads/2013/03/PS3_Error_Propagation_sp13.pdf

6:50

And

6:50

https://www.lhup.edu/~dsimanek/scenario/errorman/propagat.htm

6:50

The best a SM can do id screw all miners (including themselves) up

cypherblock

6:51 PM

The main flaw with SM is the assumption that high gamma can be achieved, and that other miners can’t do things in defense of it. But I’m not sure @csw you have a case against it if you accept those premises.

csw

6:52 PM

They can never earn more than the daily revinue, they can earn less but screw up all miners

6:52

@cypherblock

Gamma for bitcoin can never be more than 0.0002

6:52

And it is costly to make it more than 0.0001

cypherblock

6:52 PM

my simulations show otherwise. I admit my sims could be wrong. Assume gamma of .5 !!! .5 I tell you :slightly_smiling_face:

csw

6:53 PM

You are not modeling the network

cypherblock

6:53 PM

SM miner releases blocks only when honest miners do and at most 1 or 2.

6:53

what does this do to difficulty?

6:53

assume gamma of .5

csw

6:53 PM

https://bitcoinwisdom.com/bitcoin/difficulty

6:54

https: // bitcoinwisdom.com/bitcoin/difficulty

cypherblock

6:54 PM

50% of honest miners will receive and mine on top of a selfish block when it is published immediately after an honest block. This is the assumption.

csw

6:54 PM

The network distance is under 1.32

6:54

You CANNOT send to 50% of miners

6:54

in a single hop

cypherblock

6:55 PM

fine but IF you COULD.

csw

6:55 PM

Then it is NOT Bitcoin

6:55

That will be what they make with Seg Wit

6:55

In ordere to do that, you need to add hops

6:56

The network is far too densely connected.

cypherblock

6:56 PM

Whatever, but IF gamma is .5 or other suitably high number, then SM strategy might work, don’t you think? Can we not speak in hypotheticals?

6:56

if gamma is 0 SM strategy does not work.

csw

6:56 PM

That will require that you go back to 21 machines and slow networks and even that will only get you a distrance of 3-4

6:56

Ok. Are we talking SegWit

6:57

That CAN have a high Gamma

cypherblock

6:57 PM

it is a hypothetical. Assume gamma is .5, what is the result of SM strategy? (edited)

csw

6:57 PM

SegWit can have a gamma as high as 0.8 (edited)

6:58

People are confusing centrality with being centralised

csw 6:58 PM

IFF Gamma was to be altered in this way

6:58

The SM does not benifit still (edited)

6:59

The network collapses

6:59

All lose

7:00

Over 50% of all mined Transactions are orphaned

7:01

Wallets in SegWit can pretend to be nodes, so in SegWit coin. Gamma can be 0.8 and nobody wins

cypherblock

7:01 PM

Assume single mining pool is using SM strategy and they are at like 33% hash power. Assume high gamma like .5. Assume other pools don’t detect the SM. This is what I ran my simulations with. It is fine to say those assumptions are completely unrealistic. But given these completely unrealistic assumptions, does SM strategy work? What other unrealistic assumptions must be added?

csw

7:02 PM

Block Tree

7:02

Remember nodes are not JUST a store of the main chain, they also hold memory of orphans and create a tree map

7:03

At 33%. What is the most blocks that a miner can create in a day?

7:03

Selfish or even Gamma =1

7:03

The absolute most blocks?

7:04

Averaged :slightly_smiling_face:

7:04

And assume 10 mins for now

7:04

Average

cypherblock

7:04 PM

144*.33

7:04

if you assume their hashpower is accounted for in difficulty

csw

7:05 PM

So, if 20% of those blocks are orphaned.