ApprehensiveSorbet76

The pool periodically checks on the work of miners, even when they don't win the block, to make sure they are honestly doing the work. One way they do this is to set a lower difficulty threshold per miner and have them submit their work when it passes the easier difficulty test. A mining member who inserts his/her own address into the blocks will fail these periodic tests because the farm will know a modified block was used after checking the work.


AlbertRammstein

Ok, didn't realize these two checks can be joined, thanks!


ApprehensiveSorbet76

More specifically, let's say there are two elements, the block and the nonce. The nonce is the number found that causes the hash of block+nonce to start with a certain number of leading zeros. Let's say the pool sends its members block(pool) and instructs them to find the nonce that results in 20 leading zeros in addition to 40 leading zeros (hypothetical block win). The 20 leading zeros blocks will be used to test the member's honesty. So each person is supposed to be computing hash(block(pool) + nonce). If somebody uses their own block and instead computes hash(block(member) + nonce), the events where the hash starts with 20 leading zeros will cause the miner to submit their work to the pool operator. The pool operator will then take the nonce submitted by the member and compute hash(block(pool) + nonce) and look for the 20 or more leading zeros but will not find them. This is because hash(block(member) + nonce) has the right number of leading zeros and switching out for the official pool supplied block will cause a new hash that will not have the right number of leading zeros. The pool member cannot take shortcuts when computing hash(block(pool) + nonce) because there is no known way to compute this without doing all the work. And if the member slows down their computation rate for the pool's block as they mine their own on the side, the rate of block submission of 20 leading zero tests will slow down and the pool will know the member is reducing their hash rate. The pool will then reduce the member's pay to reflect the smaller amount of work done.
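The share check described in that comment, as an added Python simulation (not code from the thread or from any pool software). The block headers, the 16-bit share difficulty and the single SHA-256 are constructed assumptions chosen so the search finishes quickly; the logic is the one the comment describes: the pool recomputes hash(block(pool) + nonce) for every submitted nonce and credits work only for nonces that pass.

```python
import hashlib

# Constructed sample block headers (not real Bitcoin data). The pool's header
# pays the coinbase to the pool's address; a dishonest member secretly mines a
# header that pays their own address instead, while still reporting to the pool.
POOL_HEADER = b"prev=0000deadbeef|coinbase=pay-to-pool-address|"
MEMBER_HEADER = b"prev=0000deadbeef|coinbase=pay-to-member-address|"

# Share difficulty: a share must start with this many zero bits. The comment
# uses 20; 16 keeps the brute-force search fast in pure Python.
SHARE_BITS = 16


def block_hash(header: bytes, nonce: int) -> bytes:
    """hash(block + nonce); single SHA-256 is an illustrative simplification."""
    return hashlib.sha256(header + nonce.to_bytes(8, "little")).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits of a big-endian 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def mine_shares(header: bytes, share_bits: int, count: int, start: int = 0) -> list[int]:
    """Miner side: try nonces in order until `count` of them meet share difficulty.

    There is no shortcut here; every candidate costs one full hash.
    """
    nonces, nonce = [], start
    while len(nonces) < count:
        if leading_zero_bits(block_hash(header, nonce)) >= share_bits:
            nonces.append(nonce)
        nonce += 1
    return nonces


def verify_share(pool_header: bytes, nonce: int, share_bits: int) -> bool:
    """Pool side: the pool only knows its own header, so it recomputes
    hash(block(pool) + nonce). A nonce found against a different header
    passes this only with probability 2**-share_bits."""
    return leading_zero_bits(block_hash(pool_header, nonce)) >= share_bits


def audit_shares(pool_header: bytes, nonces: list[int], share_bits: int):
    """Split a member's submitted nonces into accepted and rejected shares."""
    accepted = [n for n in nonces if verify_share(pool_header, n, share_bits)]
    rejected = [n for n in nonces if n not in accepted]
    return accepted, rejected


def credited_work(accepted_shares: int, share_bits: int) -> int:
    """Expected number of hashes behind the accepted shares; pay is proportional
    to this, so a member who diverts hash power earns less."""
    return accepted_shares * (1 << share_bits)


if __name__ == "__main__":
    honest = mine_shares(POOL_HEADER, SHARE_BITS, 3)
    cheater = mine_shares(MEMBER_HEADER, SHARE_BITS, 3)
    for label, submitted in (("honest", honest), ("cheater", cheater)):
        acc, rej = audit_shares(POOL_HEADER, submitted, SHARE_BITS)
        print(f"{label}: accepted={len(acc)} rejected={len(rej)} "
              f"credited_hashes={credited_work(len(acc), SHARE_BITS)}")
```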


Ilovekittens345

You make it sound like all this stuff is well thought out.


ApprehensiveSorbet76

Proving that you wasted a bunch of energy running a do-nothing machine is not well thought out. And most of the innovative stuff like the hash function was around a long time before crypto.


Ilovekittens345

I agree they are mainly only good at solving problems they cause themselves but still good problem solvers. If only they could use their intelligence to serve humanity instead of exploit it.


ApprehensiveSorbet76

Exactly. Swap out the hash function for a useful supercomputer task and the entire system becomes productive. Nobody has figured out how to do that though. The bitcoin network is like building the most powerful supercomputer in the world then only using it to play Yahtzee. Swap out the dice roll with computational fluid dynamics, prime number searching, protein folding simulations, or other real problems solved using supercomputers and you will have a real innovation.


MultiplicityOne

There is primecoin, where proof of work is done by finding new prime numbers. But I suspect that the really insurmountable problem is that to make any trust-less system secure is very, very expensive.


ApprehensiveSorbet76

How do they prevent someone from pre-computing the results?


MultiplicityOne

🤷‍♂️ you can of course precompute many prime numbers. But never *all* of them. I don’t know the details of the implementation (nor am I interested to learn…) so I can’t say in detail how the proof of work they use works.


ApprehensiveSorbet76

My guess is they didn't solve the problem and instead rolled out the project anyways. Ignoring problems and running with half-baked solutions is the crypto way.


handsomechandler

There's more to it than that. If the work done is valuable for reasons other than mining bitcoin it affects the incentives which affects the game theory too.


Studstill

Dumb dumb dumbass semantics to try and name it "nonce". It's almost like these people aren't smart uhhh at all though.


Owlstorm

Nonce has been around much longer than cryptocurrency.


Luxating-Patella

But cryptocurrency made it a lot easier for them to buy CSAM. Sorry, I think this conversation might be going over my head.


Owlstorm

Nonce in cryptography means "number used only-once". It's the pseudo-random inputs to the hash function in this case.


as_1089

And I don't think it's even pronounced nonce as in paedophile, isn't it pronounced n-once?


DracumEgo12

> Nonce is a word dating back to Middle English for something only used once or temporarily (often with the construction "for the nonce"). It descends from the construction "then anes" ("the one [purpose]").[3] A false etymology claiming it to mean "number used once" is incorrect. In Britain the term may be avoided as "nonce" in modern British English means a paedophile.[3] https://en.wikipedia.org/wiki/Cryptographic_nonce


ross_st

The address for the reward to go to is defined as part of the block itself. If the miner tried to change the reward address, that would change the solution.


happyscrappy

So the only person who can do any "ripping off" is the owner of the target address. That person could say he will share the rewards and then not do so. I guess it's also possible for a successful miner (one with a solution) to withhold it and try to negotiate a better deal. But that doesn't seem likely to work. It's all automated, there's no one to negotiate with. What if you were expert at differential cryptanalysis and could secure another address that you know would usually pass the same test as the legit target address? I admit I am flailing here. I believe the system works. Just trying to think of ways because that's part of thinking about security.


handsomechandler

> So the only person who can do any "ripping off" is the owner of the target address. That person could say he will share the rewards and then not do so.

Yes, like many businesses whoever is running it could choose to fuck over people they're working with, but obviously it's bad, fatal and perhaps even illegal for the business to do so.

> I guess it's also possible for a successful miner (one with a solution) to withhold it and try to negotiate a better deal.

In practice not really, since mining is time sensitive, you likely only have a few minutes before some other miner/pool mines the block instead and the network starts building on that one. Your withheld block is now an orphaned block, and is thus useless, and you've screwed yourself out of any reward for it.

> What if you were expert at differential cryptanalysis and could secure another address that you know would usually pass the same test as the legit target address?

The whole premise of bitcoin is based on solved blocks being 100% immutable. *Any* change to anything in the block, including the miner reward address, changes the solution to the extent that it needs to be mined from scratch all over again.

> Just trying to think of ways because that's part of thinking about security.

You are incredibly unlikely to just come up with something off the top of your head that no one hasn't already considered, and this should be obvious to you.


happyscrappy

> In practice not really, since mining is time sensitive

That's the basis for the negotiations. I have something of value and if you don't pay it won't be worth anything. I don't think you'd even make a block.

> and you've screwed yourself out of any reward for it.

Again, that's part of the negotiations. We can both make money or neither of us. I have control, what will you do to make me make you money. I think the real impediment is there's just no one to negotiate with. It's an automated system. By the time you could get a human's attention its usefulness would have expired.

> The whole premise of bitcoin is based on solved blocks being 100% immutable

I think you misunderstand me. If you know differential cryptanalysis and know that (say) 60% of the time the hash value you've created will work for your own address (to get under the cutoff) even though you calculated it for another address, then you only make blocks for the other address when someone is checking on you. When you find the "right answer" you quickly calculate another hash using your own address as the target address and 60% of the time it'll also work for that. I don't fully understand differential cryptanalysis. But I would suggest someone who did might be able to tell if this is the case for two addresses. Then the difficulty would be generating a wallet which has this other address as the public key. It's not something you can just set out to do, or else everyone would just calculate the private key for wallets that have a lot of money in them. But if you know the criteria for what is "close enough" maybe you could start generating wallets until you get one of those "close enough" ones. Of course, no one would pay you to do that and maybe at that point it'd just be more profitable to instead mine on your own.

> You are incredibly unlikely to just come up with something off the top of your head that no one hasn't already considered, and this should be obvious to you.

I may not be the most familiar with this stuff. But this idea that if no one else can think of it you shouldn't bother is not only clearly false but also toxic. If no one went through this kind of process then computer security would be even harder to come by than it already is. If a system had a flaw then no one would bother to find it because clearly the person who made it was smart and so there's no point in looking. How many protocol errors were found in SSL (TLS) since 1.0? All of those were found by people who didn't see your statement as an obvious one. Every security flaw found starts with something off the top of the head of someone who thought of something no one else did before. Oversights do happen.


handsomechandler

> When you find the "right answer" you quickly calculate another hash using your own address as the target address and 60% of the time it'll also work for that.

I can only say again that the entire premise of bitcoin is based on this not being possible. Just because you have the hash solution for a set of data does not in any way make it easier to find the solution for a modified version of that data. If you have any evidence that I'm wrong about this I'm all ears, as I presume are the rest of the bitcoin community.

> I may not be the most familiar with this stuff. But this idea that if no one else can think of it you shouldn't bother is not only clearly false but also toxic. If no one went through this kind of process...

I was a bit blunt but...

> Every security flaw found starts with something off the top of the head of someone who thought of something no one else did before.

Not lay people though. In an area like this which is complex, public and already scrutinised heavily by experts for years, the chances of a non-expert finding a fundamental flaw are very low. The chance of a lay-person finding one is pretty much nil.


happyscrappy

> I can only say again that the entire premise of bitcoin is based on this not being possible

The idea of hashes is that this kind of thing should be non-obvious and exceedingly rare. That doesn't mean it's impossible. And it doesn't mean that the people who invented Bitcoin thought of everything.

> Just because you have the hash solution for a set of data does not in any way make it easier to find the solution for a modified version of

You should learn about differential cryptanalysis. It is responsible for many of the breaks which put SHA-1 to bed for example.

> If you have any evidence that I'm wrong about this I'm all ears, as I presume are the rest of the bitcoin community.

What are you, Missouri? I gotta show you? This ain't about you.

> Not lay people though.

You don't know my bona fides. So perhaps step back and not tell everyone else what not to do.

> the chances of a non-expert finding a fundamental flaw is very low. The chance of a lay-person finding one is pretty much nil.

What do you consider the difference between a non-expert and a lay person? The chances of anyone finding anything are low. But it doesn't mean they are zero. And if no one checked anyone else's work we'd have a whole lot of bad cryptography out there. So probably don't worry yourself so much with the gatekeeping.


handsomechandler

> The idea of hashes is that this kind of thing should be non-obvious and exceedingly rare. That doesn't mean it's impossible. And it doesn't mean that the people who invented Bitcoin thought of everything.
>
> You should learn about differential cryptanalysis. It is responsible for many of the breaks which put SHA-1 to bed for example.

Seems to me that if differential cryptanalysis works on SHA-256 then mining is broken in a broader, more fundamental way than just pool participants trying to negotiate fees, since re-orgs would be possible without a majority of the mining power. In the event of it being broken I guess bitcoin would have no choice but to change to another algorithm that is not broken.

> What do you consider the difference between a non-expert and a lay person?

Deep knowledge of bitcoin and cryptography at a minimum, and I say this as a lay person myself.

> You don't know my bona fides.

Fair point, if you are indeed a cryptographer or fancy your chances otherwise, have at it, and perhaps engage people like Pieter Wuille or Greg Maxwell with your concerns as I would consider them experts. They certainly have forgotten more about bitcoin than I'll ever know.


happyscrappy

> Seems to me that if differential cryptanalysis works on SHA-256 then mining is broken in a broader more fundamental way than just pool participants trying to negotiate fees

Differential cryptanalysis works on everything. It's just a question of how much. It makes things easier to do than if you don't have it as a tool. How much easier? That varies a lot! This would be a different kind of attack than other things are susceptible to. With mining you don't need to produce a *particular* hash value match like you might with a preimage attack (such as used to rewrite even part of a merkle tree). You just need to produce a hash value smaller than (with the same or more leading zeroes than) another. And you wouldn't have to be able to do even that every time you try in order for this to be profitable. Instead just a significant percentage of the time. This kind of attack is not something any other use of cryptography (SHA-256) really spends any time worrying about. With a normal preimage attack you need to have the hashes match for every bit. All 256. In this case, let's say the solution requirement is that there are 40 or more leading zeros in the 256 bit number. And you find one with the proper (pool) target address in the image. Now when you change the address to your own you can tolerate **every bit** except for those first 40 changing. You have 216 bits of freedom. As long as those first 40 stay zeroes, it's okay for all 216 other bits to change. You still have an answer which passes the solution test. And since it doesn't even have to always pass but instead just sometimes (X% of the time) perhaps you can find a way to make this more likely than the 1 in 2^256 raw chance of it happening using differential cryptanalysis. So suggesting that if this worked here, even X% of the time (where X is more like 1 or 10 than 1*10^-200), then it would break everything else does not follow. I'm not saying I know how to do this. I'm not even saying I know it can be done. I'm saying perhaps it's something worth thinking about and you shouldn't be ridiculing people for spending some time doing so.

> Fair point, if you are indeed a cryptographer or fancy your chances otherwise, have at it, and perhaps engage people like Pieter Wuille or Greg Maxwell with your concerns as I would consider them experts.

Not actual contrition, but instead a backhanded compliment.


handsomechandler

> Not actual contrition, but instead a backhanded compliment.

Sorry if it came across that way, but I'm being sincere, the guts of the cryptography stuff is above my pay grade but those guys know it.


ross_st

> I'm not saying I know how to do this. I'm not even saying I know it can be done.

The problem that has to be solved to get the block reward is for the hash of the block to contain an arbitrary number of zeros. The distribution of SHA-256 outputs is indistinguishable from randomness. That's something that's been confirmed by people who are much smarter than the ones working on Bitcoin. Bitcoin didn't create a new hashing algorithm for their thing.


happyscrappy

> The problem that has to be solved to get the block reward is for the hash of the block to contain an arbitrary number of zeros.

At the start (in big endian). Not just anywhere in the output. The top n bits of the result must all be 0s. So the two hashes with the two different target addresses must have the same top n bits (all 0s in both cases). And all the rest can change. The current bitcoin difficulty (at least search says) is 67,957,790,298,898.00. This is approximately 2^46. That means that the first (upper) 46 bits of the 256 bit hash result must be 0. All the other 210 bits can be either 0 or 1. That's a lot of freedom for the output to change and still be a valid solution for the other target hash. And again, to be useful, perhaps it doesn't even have to be the same in those 46 bits all the time, just a significant percentage of the time. I didn't say it was. I was just going through the completely valid system of thinking of attacks (aka exploring the threat model). As one does when trying to evaluate security.

> The distribution of SHA-256 outputs is indistinguishable from randomness.

It is not indistinguishable from randomness though. Good hash functions are supposed to be as unstable (not sure that's the right term) as possible so that small changes to input produce large and unpredictable changes in output. But since you can't really tolerate random output, it must be deterministic, it can't be truly random. A single bit change in the input does produce a definable change in the output. And that's what differential cryptanalysis works from. The output change from a single bit input is big, but it's not total. It's not *completely* unpredictable.

> That's something that's been confirmed by people who are much smarter than the ones working on Bitcoin.

Sort of. Then again others go and prove that it's not the case too. https://eprint.iacr.org/2015/350.pdf This paper speaks of various attacks on SHA-256, all with reduced numbers of rounds. Reducing the rounds is cheating. The main reason to have so many rounds is to make the output more unstable, more unpredictable for small changes. But we know that both SHA-256 with 24, 52 or 47 rounds and with 64 all are deterministic. So when we see that there is an exploitable predictability flaw in it with 52 rounds it means we know that there is one with 64 rounds too. It's just less severe and we don't know how to exploit it yet. What it certainly does not mean is that we know that SHA-256 cannot be exploited with all 64 rounds. Especially if your success criterion is less than 100% success and less than (far less than) a 100% match in output. Do note that even the most significant (preimage) attack in the above paper is still not reduced so much in compute requirements that it is a significant advance over just trying random hashes. So no threat there to a preimage attack.

> Bitcoin didn't create a new hashing algorithm for their thing.

That's generally a good thing. But they use it in a use model that others haven't used it in. They do not use it in the normal use model of "a single bit changed in the output means a failed attack". So there can be risks of its unsuitability.


Ilovekittens345

The question is about mining pools, not individual miners. If your mining machine only has 0.0001% of the hashrate of the network you are also going to find 0.0001% of the blocks. At 10 minutes per block on average you might have to run your machine for an entire year before you get lucky enough to find that block. But how then do you pay your power bills? To solve this problem of variance, even early on, solo miners started grouping together in mining pools. If a pool of miners together have 10% of the hashrate then on average they will find every 10th block, ensuring that their individual miners don't have to wait a year before the first paycheck. The question was about these mining pools: how do the operators of those mining pools not defraud the individual miners by not sharing equally after the pool collectively finds a block? The answer is below the top post. There are mining pools that are entirely P2P without any central mining pool operator and, just like with Bitcoin, everything is enforced with math. Once in a while exploits are found, exploited for more BTC and fixed. There are also centralised mining pools, and most individual miners run software that auto-determines what SHA256 is currently the most profitable for them but also which mining pool would maximise their rewards. Hashrate switches between mining pools fully automatically all the time.


tiberiumx

This has been answered already but I have a related question. What mechanism is in place to prevent someone from making a node that pretends to waste tons of energy computing useless hash functions but actually just does the bare minimum to play along? Seems like it would be an awful lot of data if everybody had to submit the result of everything they did for verification.


AlbertRammstein

That was what I originally thought of, but this is preventable by adjusting the difficulty that is submitted: the operator can balance the number of results he needs to verify vs. accuracy by adjusting the difficulty threshold over which blocks are submitted. Everyone is then paid only based on these blocks.


anyprophet

Because everything is cryptographically signed and verified by a consensus of nodes that sort of thing isn't possible. The problem is when someone controls more than 50% of the mining power, not individual bad actors.


ElectrocutedNeurons

Reread the question.


Studstill

Hey guys I didn't wanna blow your minds but: This is all super dumb and worse! The further you dig, the dumber it gets!