Analysis of Bitcoin Pooled Mining Reward Systems

My name is Meni Rosenfeld and I support Bitcoin Core.

Just wanted to say it. Seems important.
I am not a Bitcoin Core developer or any kind of developer. I am also not affiliated with Blockstream, nor have I received any sort of payment or incentive from them.
I did meet several of the people from Blockstream (before it existed) in various conferences, such as Pieter Wuille, Gregory Maxwell and Adam Back, and I think they're all very nice people (earliest was Pieter, whom I've met in Prague in November 2011). For reference, I've met Roger Ver in New York in August 2011, and he also seemed nice.
Lest I be suspected of being a random troll paid to feign support for Core... Look me up. I've been involved with Bitcoin since March 2011, most of that time in full capacity. I'm best known for my work on mining pool reward methods, and for my work on promoting Bitcoin in Israel. During this time I've also occasionally posted about how I believe Bitcoin should face its challenges going forward, and notably, my views haven't changed considerably over the years. For example, I support Core's position that scalability should be derived primarily from micropayment-channel-based solutions, and have since 2012 (see https://bitcointalk.org/index.php?topic=91732.0). So I cannot be accused of promoting that view out of some vested interest.
I do not condone the moderation policy of /bitcoin which rejects discussions about alternative protocols.
I do not believe the conspiracy theory which suggests that Bitcoin Core is interchangeable with Blockstream.
I do believe there's room for a modest block size increase, perhaps more so than most of my fellow Core supporters. But I also believe it is important to respect the analysis of technical people who have been with Bitcoin since the beginning - in particular, with respect to the potential danger of hard forks.
Despite the drama regarding blocks being full, I have not yet been personally severely affected by the phenomenon. I believe that with the immediate effective block size increase that SegWit offers, coupled with the eventual advent of micropayment-channel-based solutions, I may never have to be. I also believe that if for some reason these solutions fail, we can always reopen the issue and find solutions as the problems become relevant. As such, I cannot understand why anyone in their right minds would oppose Segwit.
I believe that Bitcoin Unlimited is dangerous. I believe that even if it works as planned, it gives way too much power to miners, at the expense of other participants in the Bitcoin network. I also believe that it will not work as planned, that it is buggy and exploitable, and that it has not been thoroughly researched and tested, as should fit a change of this magnitude.
I believe that the power to change the Bitcoin protocol should, and does, rest in the hands of the economic majority of people who use Bitcoin and give it value. I believe that miners should not and do not have the power to dictate protocol changes unilaterally.
I believe that in case of disagreement about changes, the default should be sticking with the current protocol until agreement is reached, rather than rushing into making changes.
I believe that if all else fails and the disagreement cannot be reconciled, there should be a responsible split of the network into two, with both sides working to ensure a clean, uneventful split, and both sides respecting each other's right to coexist.
I have written a series of blog posts about that last point:
How I learned to stop worrying and love the fork
I disapprove of Bitcoin splitting, but I’ll defend to the death its right to do it
And God said, “Let there be a split!” and there was a split.
EDIT: Ok, there have been a lot of comments. Thanks for the lively discussion. But it's 3:10 AM here now, I need to sleep and tomorrow I'll probably need to work. I'll try to address as much as possible.
EDIT 2: Please see my followup comment.
submitted by MeniRosenfeld to btc

Most alt-coins are NOT secure enough, they exist only for entertainment and speculation

(I believe this needs to be posted to /bitcoin as Bitcoin users/enthusiasts need to know the difference between Bitcoin and other cryptocurrencies. About the author: I've been subscribed to /bitcoin since 2011, and have been involved in cryptocurrency security research for several years.)
Let's talk about the security aspect of cryptocurrencies. I'm afraid the average user knows very little about this topic: he might know that hashrate is needed to protect the blockchain, and that a higher hashrate is better, as it implies that an attacker needs to spend more to get control of the blockchain.
But there are plenty of other kinds of attacks (or, rather, economic models of attacks), some of which have much higher practical significance.
Let's start with something simple: there is a straightforward and rigorous model of a double-spending attack under the condition that the attacker has a fraction of the total network's hashrate. I highly recommend Meni Rosenfeld's Analysis of hashrate-based double-spending paper (PDF).
The main takeaway from this paper is that the "maximal safe transaction value" is directly proportional to the block reward (i.e. the amount of coins miners get for each block). It is easy to understand this intuitively: a bigger reward means that miners get more money from normal mining, so they will be reluctant to try double-spending attacks. On the other hand, if the block reward were negligible, double-spending could be a lucrative source of revenue.
Let's look at the numbers: if an attacker controls 26% of the hashrate and the number of confirmations is 6, the maximal safe transaction value is 1113 BTC when the block reward is 25 BTC. This is pretty cool: you only need to wait 1 hour to make sure you irreversibly received half a million USD worth of bitcoins (I assume an exchange rate of $450 for 1 Bitcoin).
However, the situation is pretty different for alt-coins which have much less valuable block rewards. For example, imagine there is a Foocoin with an exchange rate of $1 for 1 Foocoin. If Foocoin's block reward is also 25 foocoins, then the max safe transaction value for 6 confirmations is only $1113 worth of Foocoins. It doesn't look like Foocoin is suitable for commerce, does it?
One could say that Foocoin simply requires a larger number of confirmations for larger transactions. But that's wrong: a higher number of confirmations helps only on the condition that the attacker is unable to obtain more than 50% of the total hashrate, and for most alt-coins that isn't true.
First of all, let's note that so-called miners simply rent their equipment to "mining pool operators" and are paid in crypto-currency for it. In many cases they don't even care what cryptocurrency they mine as long as they are being paid. See Middlecoin:
This pool automatically mines the most profitable scrypt coin, automatically exchanges those coins for bitcoins, and pays out entirely in bitcoins.
So, miners who mine using Middlecoin do not know if their equipment is being used to mine Litecoins or Dogecoins or something else. And they wouldn't care if it is used for attacks on alt-coins, as they are being paid in bitcoins.
Let's consider a scenario where a Middlecoin-like pool has a higher hashrate than Foocoin, e.g. Middlecoin (not Middlecoin specifically, but any pool like that) has 20 GH/s, while Foocoin has 10 GH/s. Here's how one can profit from it:
  1. Buy $1M worth of Foocoins, get them into your wallet.
  2. Make an agreement with Middlecoin: you rent their hashrate for a couple of hours, paying them in bitcoin, slightly above what the most profitable alt-coin yields.
  3. Send your foocoins to exchange Bar.
  4. Start mining a private chain which has a double-spend transaction which sends the coins to exchange Baz.
  5. After your transaction gets 10 confirmations on the normal chain, convert the foocoins to bitcoins on Bar and withdraw them immediately.
  6. After the withdrawal transaction is confirmed on the Bitcoin network (and thus cannot be reversed), you release the private chain you have mined, causing a reorganization. You should have mined 20 blocks by then if Middlecoin has twice the normal Foocoin hashrate.
  7. Your deposit to exchange Baz is now confirmed; convert your foocoins to bitcoins again, and withdraw immediately.
  8. A day later the 20 blocks you have mined will mature, and you'll be able to sell them too.
If the Foocoin price doesn't change in the process, you can get approximately $1M profit from this attack, as the cost of renting a mining pool is approximately equal to the value of the mined blocks.
In practice, you'll lose some money due to lack of liquidity on exchanges, so the profit will be less than $1M.
The conclusion we get from this analysis is that alt-coins which have only a small fraction of the total hashrate for a certain mining algorithm are extremely insecure. And they cannot grow big: as soon as exchanges have enough liquidity, it will be possible to perform the attack I described, which will result in a price drop.
So almost all alt-coins are simply not suitable for any kind of "real economy" applications. They are doomed to have high volatility, shallow markets, and a low "max safe transaction value".
One can't deny the fact that it is possible to make money on alt-coins. But that's just gambling. And people who create new alt-coins are in the same position as people who build casinos. It is a business, but it is in the entertainment sector, not in the 'real economy' or 'financial' sectors as some people are trying to pretend.
Bitcoin is one of the few cryptocurrencies which are actually serious. It isn't perfect, but attacking Bitcoin is very hard, so transactions worth millions of dollars can be confirmed in a matter of hours. The same cannot be said about alt-coins, and this situation won't change unless new cryptocurrency designs are found.
If there is an alt-coin which is more-or-less secure, it is probably Litecoin. Its hashrate is a significant fraction of the total scrypt hashrate, so attacking Litecoin is hard. Interestingly, at some point Dogecoin's hashrate was higher than Litecoin's, but it dropped after its block reward dropped. So, again, the block reward is important for security.
This has dire implications for alt-coins which have short block reward schedules. If all coins will be mined within two years, this means that the alt-coin will be dead in two years.
(It's worth noting that the same problem might affect Bitcoin in the future, like in 10 years or so.)
Now there is a question: Is there a way to make multiple currencies all of which will be secure?
Probably. There are several approaches:
  1. Merged mining: The idea is that Bitcoin's proof-of-work can be re-used to mine alt-chains. This makes attacks harder, but hashrate-based double-spending considerations are still applicable, so safety can't be guaranteed... They will be safe only if miners are benevolent.
  2. Side-chains: This needs more research, but it looks like high degree of security is possible as long as you don't care about SPV.
  3. Proof-of-stake and PoW/PoS hybrid: Needs more research, there is some hope. Note that Peercoin's PoS is pretty bad.
  4. Multiple cryptocurrencies in the same blockchain (e.g. colored coins, Mastercoin, Counterparty, Ethereum, Ripple, etc.) will all be equally secure, so I believe this is what we should do instead of spawning a shitload of alt-coins.
submitted by killerstorm to Bitcoin
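As an added illustration (not code from the original post), the Python below reproduces the double-spend success probability r(q, n) from Rosenfeld's paper that the post relies on, and turns it into the merchant-side question: how many confirmations keep the risk below a threshold, and why no number helps once the attacker can rent a majority. The "safe value" rule at the end is a deliberately simplified cost model of my own (a failed attacker is assumed to forgo only the blocks he would have mined honestly during the n confirmations), so it shows the proportionality to the block reward and the 50% cliff but does not reproduce the paper's exact 1113 BTC figure.

```python
from math import comb
from typing import Optional

# Added example, not code from the original post. It implements the
# negative-binomial double-spend success probability from Meni Rosenfeld's
# "Analysis of hashrate-based double-spending" (2012):
#   r(q, n) = 1 - sum_{k=0}^{n} C(k+n-1, k) * (p^n q^k - p^k q^n),  p = 1 - q
# for q < p, and r = 1 when the attacker holds a majority of the hashrate.


def double_spend_success_probability(q: float, n: int) -> float:
    """Probability that an attacker with fraction q of the total hashrate
    eventually overtakes a chain on which the merchant saw n confirmations."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hashrate fraction in [0, 1]")
    if n < 0:
        raise ValueError("n must be a non-negative confirmation count")
    p = 1.0 - q
    if q >= p or n == 0:
        # A majority attacker always catches up eventually; with zero
        # confirmations there is nothing to catch up with.
        return 1.0
    total = 0.0
    for k in range(n + 1):
        # k = blocks the attacker found while the honest chain found n
        total += comb(k + n - 1, k) * (p ** n * q ** k - p ** k * q ** n)
    return max(0.0, 1.0 - total)


def confirmations_for_risk(q: float, max_risk: float,
                           n_max: int = 1000) -> Optional[int]:
    """Smallest confirmation count n with r(q, n) <= max_risk, or None when
    no n up to n_max suffices. For q >= 0.5 the answer is always None: this
    is the post's point about alt-coins whose hashrate a rental pool can
    outbid, where waiting longer buys no security at all."""
    for n in range(1, n_max + 1):
        if double_spend_success_probability(q, n) <= max_risk:
            return n
    return None


def max_safe_value(q: float, n: int, block_reward: float) -> float:
    """Simplified break-even value (an assumption of this example, NOT the
    paper's cost model): the attack is unprofitable while the expected gain
    r * v is below the expected loss (1 - r) * block_reward * (blocks the
    attacker would have mined honestly while the honest chain found n).
    Whatever the exact cost model, the result scales linearly with the
    block reward, which is the proportionality the post describes."""
    r = double_spend_success_probability(q, n)
    if r >= 1.0:
        return 0.0  # majority attacker: no value is safe at any n
    p = 1.0 - q
    expected_forgone_blocks = n * q / p
    return block_reward * expected_forgone_blocks * (1.0 - r) / r


if __name__ == "__main__":
    # Figures from the post: 26% attacker, 6 confirmations, 25-coin reward.
    print(f"r(0.26, 6) = {double_spend_success_probability(0.26, 6):.4f}")
    print("confirmations for <=0.1% risk at q=0.10:",
          confirmations_for_risk(0.10, 0.001))
    # Bitcoin and Foocoin both pay 25 coins per block, so the same number of
    # coins is "safe"; only the fiat value of those coins differs.
    print("safe value (coins), B=25, q=0.26:",
          round(max_safe_value(0.26, 6, 25), 1))
    print("safe value (coins), B=25, q=0.60:", max_safe_value(0.60, 6, 25))
    print("confirmations for <=50% risk at q=0.60:",
          confirmations_for_risk(0.60, 0.5, n_max=50))
```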

A bribe attack is ongoing

First of all, I should note it's not a big deal and there is no reason to panic or anything, but it's just remarkable that something we knew was theoretically possible is happening now.
To provide background on this kind of attack I need to start from fundamentals. Here's the security assumption from the Bitcoin paper:
The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.
Originally mining was done by users themselves, it was a part of node/wallet software. However, later it became more specialized.
Hashing, running nodes and using Bitcoin are completely separate things nowadays when pooled mining is commonplace. That is, somebody can "mine" bitcoins using his hashing hardware without running a node. (And, perhaps, without even being a Bitcoin user, as a "miner" can auto-convert his revenue to dollars.)
Calling this "mining" isn't quite accurate. More precisely it can be described as renting (that is, mining pools rent the hashing hardware of so-called "miners") or paying for a service (mining pools pay a "miner" for the efforts he's performed).
Some "miners" believe that they receive bitcoins they created, but it's not true in the general case. One thing is that more often than not, individual miners fail to solve the block, but are still compensated for their efforts (not for results). Also, pools generally have reserves which they use to smooth out reward payments, thus the rewards miners receive do not necessarily come from freshly mined bitcoins.
Now let's recall that hashpower is intimately linked to the security of the network. An attacker who controls a significant portion of the total hashpower might be able to perform double-spend attacks (e.g. see Meni Rosenfeld's Analysis of Hashrate-Based Double Spending) or denial-of-service attacks (he might mine empty blocks).
It is usually understood that these attacks are practically infeasible, as overpowering the honest network would require enormous amounts of hardware, energy, etc. However, there are several different attack models.
The most primitive one was relevant back when mining was done on CPUs: an attacker could rent CPU power from a cloud provider such as Amazon and try to do a double-spend reorganization or a 51% attack. It's fairly easy to do calculations within this model as the cost of an attack is known (for a certain difficulty) and one just needs to compare it to the potential profits the attacker might get.
But CPU mining is irrelevant now; an attacker would need specialized hardware to have a chance. This makes an attack much more complex, as the attacker needs to buy hardware, deploy it, start mining... And once the attack is complete, he needs to do something with that hardware. It's generally understood that parties who own hashing hardware will be reluctant to perform an attack because a successful attack can drastically decrease the value of the hardware they own. Thus it can be said that ASICs made Bitcoin much more secure due to this stickiness.
But wait... what if an attacker rents hardware instead of buying it? It's much simpler than buying hardware: no complex logistics, little overhead, no concerns about how an attack would affect the hardware price. The attacker would need to pay slightly above the market price to make sure he gets more than half of the total hashpower, so that it's statistically certain his attack can succeed.
This can be described as a sort of bribe. Normally miners get block rewards (subsidy + fees). The attacker adds a bribe to it, making it subsidy + fees + bribe. This is attractive to miners as it pays more. Once the attack is successful, the attacker receives subsidy + fees + attack profit. Thus his cost is
(subsidy + fees + attack profit) - (subsidy + fees + bribe) = attack profit - bribe
Note that the bribe can be arbitrarily small; it just needs to be enough to get miners interested. It can be 1% of the subsidy, for example. E.g. suppose the attacker wants to earn 1000 BTC by double-spending; he gives a 10 BTC bribe to miners to orphan some of the recent blocks and pockets 990 BTC.
The cost of this attack can be arbitrarily small, but it requires a lot of capital and is also quite risky. And also it's not possible right now because miners do not just rent their hashpower to the highest bidder; they use mining pools they trust. Thus there's no way for the attacker to get more than 50% of the total hashpower to be successful with this attack.
There are, however, pools which allow people to rent hashpower. For example, NiceHash. It currently has 16 PH/s of SHA256 hashpower (according to the stats they publish), thus controlling around 1% of the total hashpower. NiceHash allocates hashpower to the highest bidder, and thus it can potentially be used for the attacks I described above. But currently it's too small to have any effect.
So this is just something to keep in mind. Pools like NiceHash are evil; they can potentially destabilize Bitcoin if more than half of Bitcoin's total hashpower is rented out on pools like this. It is important for miners to choose legitimate pools.
So until now I thought that a bribe attack is just a curiosity in the context of Bitcoin (it might be more relevant for alt-coins with much weaker hashpower), but today I was surprised by the fact that somebody is trying to pull it off right now.
There's a post on /btc: Someone just donated 16 BTC towards Classic Hashpower. We are now at 2 Petahash/sec on Slush pool. Thank you, donator. The fund is at 30 BTC and recycling the mining rewards over and over.
This is exactly the bribe attack, but they aren't using it for double-spending or DoS, but for an attempt to hard-fork Bitcoin. Basically it's an attempt to artificially prop up Classic hashpower a little, and is good only for PR. But still it's something we should be aware of, I think.
The NodeCounter site the link points to is absolutely hilarious, BTW, totally recommend:
Bitcoin development has been bought out by a private company called "Blockstream". Blockstream has directed the crippling of Bitcoin in order to provide the solution, for their own future, financial gain.
(I hope moderators won't remove my post. /btc is currently being advertised in the sidebar of this subreddit, so every visitor is already one click away from learning information about "Classic Hashpower". I see absolutely no point in censoring this information.)
On the topic of brigading: when I posted it initially the post was 100% upvoted, that is, regular /bitcoin subscribers found it good and relevant. However, a bit later the upvote rate dropped to 65% and at the same time several comments defending Classic and /btc appeared. Brigading much? I don't really care what you do with hashpower (attack is just a technical term FYI, it's not necessarily morally wrong), but brigading is despicable.
submitted by killerstorm to Bitcoin

Estimation of Miner Hash Rates and Consensus on Blockchains

arXiv:1707.00082
Date: 2017-07-01
Author(s): A. Pinar Ozisik, George Bissias, Brian Levine

Abstract
We make several contributions that quantify the real-time hash rate and therefore the consensus of a blockchain. We show that by using only the hash value of blocks, we can estimate and measure the hash rate of all miners or individual miners, with quantifiable accuracy. We apply our techniques to the Ethereum and Bitcoin blockchains; our solution applies to any proof-of-work-based blockchain that relies on a numeric target for the validation of blocks. We also show that if miners regularly broadcast status reports of their partial proof-of-work, the hash rate estimates are significantly more accurate at a cost of slightly higher bandwidth. Whether using only the blockchain, or the additional information in status reports, merchants can use our techniques to quantify in real-time the threat of double-spend attacks.

submitted by dj-gutz to myrXiv

Reflections on Bitcoin's problems over the years (can we get a sticky or sidebar link with some Lightning Network content?)

In the days before we had the luxury of worrying about Bitcoin's scaling, we focused endlessly on other problems and imperfections of the protocol. Back then, we'd talk about confirmation times. Ten minutes was far too long for much of commerce and as Meni Rosenfeld showed, the oft-repeated "I'd rather have one 10 minute block's security than five 2-minute blocks" was exactly wrong.
You learn a little more, and you realize that bitcoin's security is really all-or-nothing. Unconfirmed transactions, properly understood, are not transactions at all. Miners have no obligation to "drop" them after a few days, so the coins can disappear from your wallet even if your node has forgotten. Furthermore, the "safety" of 0-conf was widely misunderstood--the policy of honoring the first-seen transaction wasn't a consensus one, so miners have always been able to collude with double-spenders if they wanted to.
Fungibility and anonymity were other major concerns. Every single coin has a unique history and is "tainted" by it. If governments want, they can easily blacklist particular Bitcoins, be they stolen, used in the drug trade, or simply suspect. We worried about Mike Hearn's possible connections to similar "redlisting" of coins and had endless discussions about the anti-anonymous nature of the bitcoin network.
Personally, I've followed threads and topics such as this which relate to the equilibrium transaction fee when the block reward ends or reduces in value. In short, if there's no transaction backlog (and assuming competitive markets, etc), users have no incentive to pay anything more than 1 Satoshi per transaction, because larger blocks don't take more work to mine. Zero marginal cost means zero price. The Bitcoin Cash community denies this. I can provide more references if people are curious.
Over time, it's become clear to us who have been following bitcoin closely for years, and even to many of you newbies, that blockchains cannot scale through on-chain transactions (without sacrificing decentralization, which is the point: e.g. if you can't run your own node, you simply can't know if there are still only 21,000,000 bitcoins, or that you have any of them).
It turns out, all of these problems are addressed or hugely mitigated by the LN. It is such a remarkable fact that it suggests that Bitcoin is meant to be used as a fundamental settlement layer for LN transactions. Luke Dashjr seems to think so. With a little thought, it makes some sense: scaling Bitcoin is hard because you're telling the entire world to perpetually store and propagate your transactions--this also creates a public graph that can be analyzed by hackers, governments, or snoops. Almost all LN transactions are not stored, are only communicated between sender and receiver, and are onion-routed so traffic analysis is impossible. That they are communicated only between sender and receiver also means that Bitcoin's blockchain isn't needed to synchronize their transaction--thus, instant "confirmation" with no chance of double spends.
Lastly, this isn't vaporware. Right now, The (yes, The) Lightning Network is a protocol with multiple fully interoperable implementations (so all LN nodes can participate in a single network). This is the fully-realized version of what had been theorized for at least 5 years and is the solution to problems we've been complaining about for almost all of Bitcoin's existence.
For a basic intro to the LN, please read What is the Lightning Network and how can it help Bitcoin scale? and the links inside, check out Lightning Protocol 1.0: Compatibility Achieved and other info suggested by the commenters below.
submitted by joseph_miller to Bitcoin

Most alt-coins are NOT secure enough, they exist only for entertainment and speculation (Taken from /r/Bitcoin)

TL;DR IMO this guy hates alt-coins.
OP: http://www.reddit.com/Bitcoin/comments/22aw8c/most_altcoins_are_not_secure_enough_they_exist/
(I believe this needs to be posted to /bitcoin[1] as Bitcoin users/enthusiasts need to know the difference between Bitcoin and other cryptocurrencies. About author: I'm subscribed to /bitcoin[2] since 2011, and have been involved in cryptocurrency security research for several years.)
Let's talk about security aspect of cryptocurrencies. I'm afraid an average user knows very little about this topic: he might know that hashrate is needed to protect the blockchain, and that higher hashrate is better, as it implies that attacker needs to spend more to get control of the blockchain.
But there is a plenty of other kinds of attacks (or, rather, economic models of attacks), some of which have much higher practical significance.
Let's start with something simple: there is a straightforward and rigorous model of double-spending attack under condition that attacker has a fraction of total network's hashrate. I highly recommend Meni Rosenfeld's Analysis of hashrate-based double-spending paper (PDF[3] ).
The main takeaway from this paper is that "maximal safe transaction value" is directly proportional to block reward (i.e. amount of coins miners get for each block). It is easy to understand this intuitively: bigger reward means that miners get more money from normal mining, so they will be reluctant to try double-spending attacks. On the other hand, if block reward was negligible, double-spending could be a lucrative source of revenue.
Let's look at numbers: if attacker controls 26% of hashrate and number of confirmations is 6, maximal safe transaction value is 1113 BTC when block reward is 25 BTC. This is pretty cool: you only need to wait 1 hour to make sure you irreversibly received half million USD worth of bitcoins (I assume exchange rate of $450 (Ɖ960k) for 1 Bitcoin).
However, situation is pretty different for alt-coins which have much less valuable block rewards. For example, imagine there is a Foocoin with exchange rate of $1 (Ɖ2.1k) for 1 Foocoin. If Foocoin's block reward is also 25 foocoins, then max save transaction value for 6 confirmations is only $1113 (Ɖ2.4M) USD worth of Foocoins. It doesn't look like Foocoin is suitable for commerce, does it? One could say that Foocoin simply requires larger number of confirmations for larger transactions. But that's wrong: higher number of confirmations helps only under condition that attacker is unable to obtain more than 50% of total hashrate, but for most alt-coins it isn't true.
First of all, let's note that so-called miners simply rent their equipment to "mining pool operators" and are paid in crypto-currency for it. In many cases they don't even care what cryptocurrency they mine as long as they are being paid. See Middlecoin[4] : This pool automatically mines the most profitable scrypt coin, automatically exchanges those coins for bitcoins, and pays out entirely in bitcoins.
So, miners who mine using Middlecoin do not know if their equipment is being used to mine Litecoins or Dogecoins or something else. And they wouldn't care if it is used for attacks on alt-coins, as they are being paid in bitcoins. Let's consider a scenario where Middlecoin-like pool has higher hashrate than Foocoin, e.g. Middlecoin (not Middlecoin specifically, but any pool like that) has 20 GH/s, while Foocoin has 10 GH/s. Here's how one can profit from it:
  1. Buy $1M worth of Foocoins, get them into your wallet.
  2. Make an agreement with Middlecoin: you rent their hashrate for a couple of hours, paying them in bitcoin, slightly above what the most profitable alt-coin yields.
  3. Send your foocoins to exchange Bar.
  4. Start mining a private chain which has a double-spend transaction which sends coins to exchange Baz.
  5. After your transaction gets 10 confirmations on the normal chain, convert foocoins to bitcoins on Bar and withdraw them immediately.
  6. After the withdrawal transaction is confirmed on the Bitcoin network (and thus cannot be reversed), you release the private chain you have mined, causing a reorganization. You should have mined 20 blocks by then if Middlecoin has a hashrate twice as high as Foocoin's normal hashrate.
  7. Your deposit to exchange Baz is now confirmed; convert your foocoins to bitcoins again, and withdraw immediately. A day later the 20 blocks you have mined will mature, and you'll be able to sell them too.
If the Foocoin price doesn't change in the process, you can get approximately $1M profit on this attack, as the cost of renting a mining pool is approximately equal to the value of the mined blocks.
In practice, you'll lose some money due to lack of liquidity on exchanges, so profit will be less than $1M.
The conclusion we get from this analysis is that alt-coins which have only a small fraction of the total hashrate for a certain mining algorithm are extremely insecure. And they cannot grow big: as soon as exchanges have enough liquidity, it will be possible to perform the attack I described, which will result in a price drop.
So almost all alt-coins are simply not suitable for any kind of "real economy" applications. They are doomed to have high volatility, shallow markets, and a low "max safe transaction value".
One can't deny the fact that it is possible to make money on alt-coins. But that's just gambling. And people who create new alt-coins are in the same position as people who build casinos. It is a business, but it is in the entertainment sector, not in the 'real economy' or 'financial' sectors as some people are trying to pretend.
Bitcoin is one of the few cryptocurrencies which are actually serious. It isn't perfect, but attacking Bitcoin is very hard, so transactions worth millions of dollars can be confirmed in a matter of hours. The same cannot be said about alt-coins, and this situation won't change unless new cryptocurrency designs are found.
If there is an alt-coin which is more-or-less secure, it is probably Litecoin. Its hashrate is a significant fraction of the total scrypt hashrate, so attacking Litecoin is hard. Interestingly, at some point Dogecoin's hashrate was higher than Litecoin's, but it dropped after the block reward dropped. So, again, block reward is important for security.
This has dire implications for alt-coins which have short block reward schedules. If all coins are mined in two years, this means that the alt-coin will be dead in two years.
(It's worth noting that the same problem might affect Bitcoin in the future, in 10 years or so.) Now there is a question: is there a way to make multiple currencies all of which will be secure? Probably. There are several approaches:
submitted by ijmolder93 to dogecoin
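As an added example (not part of the post above, and not code from Rosenfeld's paper), here is the confirmation-count side of the argument in Python: the negative-binomial success probability of a double-spend race for an attacker holding a fraction q of the hashrate, plus a merchant-side helper that picks a confirmation count for a given risk budget and returns None whenever the attacker's share is at or above 50%, which is exactly the rented-hashrate situation (20 GH/s against a 10 GH/s coin) the post describes. The economic bound (safe value as a multiple of block reward) is not reproduced here; the function names and the 0.1% risk budget are this example's own choices.

```python
from math import comb
from typing import Optional


def double_spend_success_probability(q: float, n: int) -> float:
    """Probability that an attacker holding a fraction q of the total hashrate
    eventually overtakes a chain on which the recipient has already seen n
    confirmations (negative-binomial form of the Nakamoto race: count the
    attacker's blocks while the honest network finds its n)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hashrate")
    if q >= 0.5 or n == 0:
        # A majority attacker always catches up eventually, and an
        # unconfirmed transaction gives the attacker no lead to overcome.
        return 1.0
    p = 1.0 - q
    never_catches_up = 0.0
    for k in range(n + 1):
        never_catches_up += comb(n + k - 1, k) * (p**n * q**k - p**k * q**n)
    return max(0.0, 1.0 - never_catches_up)


def attacker_share(rented_hashrate: float, coin_hashrate: float) -> float:
    """Attacker's fraction of the total once rented hashrate joins the race.
    The coin's own miners keep mining honestly, so the total is the sum."""
    return rented_hashrate / (rented_hashrate + coin_hashrate)


def confirmations_for_risk(q: float, max_risk: float, limit: int = 1000) -> Optional[int]:
    """Smallest confirmation count whose double-spend success probability is
    at most max_risk; None when no count helps (attacker share >= 50%) or
    none is found within `limit`."""
    if q >= 0.5:
        return None
    for n in range(1, limit + 1):
        if double_spend_success_probability(q, n) <= max_risk:
            return n
    return None


if __name__ == "__main__":
    # The post's Bitcoin figures: a 26% attacker against 6 confirmations.
    print("r(0.26, 6) =", round(double_spend_success_probability(0.26, 6), 4))
    # The post's Foocoin scenario: 20 GH/s rented against a 10 GH/s coin.
    q_foo = attacker_share(20, 10)
    print("Foocoin attacker share:", round(q_foo, 3),
          "| confirmations for 0.1% risk:", confirmations_for_risk(q_foo, 0.001))
```

With a 10% attacker, six confirmations bring the success probability below 0.1%; with the rented two-thirds share no count of confirmations does, which is the post's point that extra confirmations only help while the attacker stays under half the hashrate.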

arXiv:1112.4980v1 [cs.DC] 21 Dec 2011. Analysis of Bitcoin Pooled Mining Reward Systems. Meni Rosenfeld, December 22, 2011.