Open zawy12 opened 4 years ago
Hmm, regarding the last graph, negative stolen seems fundamentally wrong to me ... by definition, a switch miner should only direct their hashrate at this chain when it is profitable, i.e., when the target they have to hit is strictly higher than some threshold. Since for TSA there is the distinction between actual target and the fake blockheader target, I wonder if your calculation might not be using the correct target?
I mentioned that indirectly in the 2nd to last sentence. Attacking for a loss does not make sense, so they will do something else like not attack. To clarify TSA, the attack trigger is if the N=80 baseline difficulty is below their threshold not the actual difficulty. Doing it this way implies they can't switch on and off quickly, losing less than about 10 seconds of mining time between two coin choices. If they can, then I'm missing is an important case that could harm the results enough to be more like the others. If large hashrate sources can switch so easily, they can wait until after T to get the lower-than avg difficulty, which will occur in < 1/e = 36% of the blocks. This will make post T solves very fast and drive up pre-T difficulty for everyone else. In studying optimal attacks for normal DAs, I noticed a very large miner could always get up to 1/3 of the blocks at zero cost without regard to the DA so 1/e =~ 1.3 of the blocks coming in at > T could indicate the rule still applies. The rule comes from the very large miner mining 2/3 of the blocks getting (effectively) 1/3 of the block at an average D cost, the other 1/3 at zero cost, and the remaining 1/3 that he's not mining would equal to 2x the average D.
You asked for data on the time-weighted avg difficulties for the above. 1374 SMA 1367 EMA 2-block delay 1355 EMA 1331 Mark RTT 1358 LWMA 1207 TSA
Constant HR: if there are no 6x attackers, avg D is 1000 in this simulation (at dedicated miners hashrate). The avg time-weighted D's for the regular DAs was 1000. The RTTs had 1.5% lower for Mark1 and 8% lower for TSA.
I've updated the beginning of this article to facilitate discussion.
There are a few practical things I wonder:
Finally, there are four rule changes proposed: 1) DAA, 2) Timestamp monotonicity, 3) FTL, 4) Clock. Even if they are simple changes and the final state is robust, the transition needs to be handled carefully and consider the interaction between all these changes happening around the same time.
I have not heard of any theory or observation that timestamps limits even as low as a few seconds have caused a problem.
Only 1 rule change needed. Keep current timestamp limits?
3 of the 4 rule changes can be avoided: Monotonicity can be done within the DA code (see bottom). FTL and clock can also be left alone. The potential damage from leaving FTL=7200 is a forwarded timestamp at that limit that would lower the next block's difficulty.
1/( 1+t/T/N-1/N) => 1/(1 + 7200/600/N - 1/N) = 13% easier difficulty.
The full 13% drop can be achieved only once per 2 hours, or spread out over it, benefiting the next block (not necessarily the "cheaters" difficulty) and penalizing others. The forced monotonicity (either by protocol of the DA) will make the next 10 or so honest solvetimes 1 second, increasing difficulty 1/(1-1/N) = 1.4% per block, bringing difficulty and avg solvetime back to the correct values. So the risk is mild. BTW if you clip the difficulty to not drop too much, say 5%, then the avg solvetime will be lower. I believe it means block emission will be 600 * (0.13-0.05) = 48 seconds behind, costing all of today's miners that much coin (8% of one reward).
N > 72 is probably a good idea The 72 gives about the same std dev in difficulty under constant hashrate condition as the current SMA N=144 which is about 9%. See charts below. Given that miners are reacting to 5% changes with strong sensitivity I believe you are right that a longer window would be better. A problem is that the reduction in random variation is a function of SQRT(N) while the slowness to respond to HR changes is a function of N, so with higher N we get slower faster than we get stable.
Clipping drops in difficulty with limit on solvetime Concerning the need for limited drops in difficulty, the method I've used in many coins is to limit the solvetime as used in the difficulty to 6xT which is very infrequent from random variation. This would allow a max drop in difficulty in a block of (6-1)/N = 7% for N=72. A longer window will reduce this. 5xT is possible, but not lower. This type of clipping can lead to larger-than-expected solvetimes if on-off mining triggers it a lot.
Currently, single block difficulty can rise or fall 10% due to long solvetimes coming into and out of the averaging window. With EMA, rises are limited to 1/N, so it gives miners more time to decide to leave, which reduces the chances that they all leave at once, preventing the long solve time if the DA reacts fast enough to drop as they leave. 1/72 = 1.4% and since they are sensitive to 5% changes, a larger N is again reasonable.
Code to prevent negative solvetimes
// We do not want to use MTP because of the 6-block delay, so we do this
// My source of the idea is T Harding who cites kyuupichan
// Catastrophic exploits result from attempting if (st<1) { st=1;}
// Attacker simply assigns old timestamp. Next honest stamp lower difficulty.
// Repeating this with 20% attacking HR if MTP(11)=6 quickly leads to a difficulty of 1.
previous_timestamp = timestamps[0];
for ( uint64_t i = 1; i <= 11; i++) { // 11 is most recent block
if (timestamps[i] > previous_timestamp ) {
this_timestamp = timestamps[i];
} else { this_timestamp = previous_timestamp+1 ; } // +1 sort of a safety measure
solvetimes[i] = this_timestamp - previous_timestamp;
previous_timestamp = this_timestamp;
}
// clip, if desired:
solvetime[11] = min[6*T, solvetime[11]);
// EMA would use solvetime[11]
Begin update: This article is long and complicated because I wanted to cover every possibility, such as RTT which I'm sure no one is going to push. To make this long story short, this is all I think a dev needs to know to implement it.
1) See Mengerian or Mark L for the actual core code to do the EMA that uses bit shifting to prevent integer divisions. The math is
2) Use the code in wt-144 to prevent st < 0. Do not use if st < 0 then st=0 because it allows an easy & disastrous explopit. 3) Clip solvetimes to 7xT max, no min to prevent spam attacks [see addendum to this list] 4) Use previous solvetime and previous target. No median of 3. 5) Reduce FTL from 7200 to N*T/40 = 1000 seconds or less. FTL = 300 or less is working fine without any reported problem on 50 alt coins with my LWMA. FTL should be > 2x "typical" block propagation delay. In consensus theory that wants to know the "voting population" (hashes) in each block it is supposed to be << block target solvetime so that miners can't falsely affect next difficulty much. This also means consensus theory indicates it should be an RTT. 6) Reduce "revert to local time" from 70 minutes to FTL/2 or less to prevent Sybil attack on time. Best is to remove it. 7) Use N=72 to have the same random variation as SMA with N=144.
Clipping: An attacker with say 10% hashrate could set large forward times to lower difficulty to where he could get a lot of blocks and then submit them when that time arrives. He can't win a chain work race, but Mark L in a comment below was concerned this could enable spam if there is no clipping. Clipping could be done with max solvetime allowed like 7xT. This is the same as a max drop in difficulty. It should be a bit more than you normally expect to see if HR is constant. It can reduce the motivation for constant on-off attacks at a cost in slightly more delays depending on the size of HR changes but I was not been able to see a clear benefit from 6xT clipping after recommending it to a lot of alt coins. I recommended it because LWMA has a bigger problem of dropping too much when on-off mining leaves. There should not be any clipping on how much difficulty rises unless it is many multiples of the max drop. Otherwise a timespan limit attack is possible. To give an example of how clipping makes it harder to spam, a 10% HR miner could send a timestamp 333xT into the future and immediately drop an N=72 EMA to 1% of it's former difficulty. It would take 55 blocks if clipping is limited to 7xT and have a net cost of 12.4 blocks at the initial difficulty instead of just 1 block. So clipping in this example makes a spam attack 12x harder.
End update
A good difficulty algorithm can allow more time to consider a POW change. If BCH switches DAs, the best options seems to be the EMA (@dgenr8's improvement to @jacob-eliosoff's) such as the one @Mengerian is doing with bit-shifting is pretty much the same as @markblundeberg's re-invention of the perfect algorithm that Jacob once briefly considered (but not in the Real Time Target (RTT) form).
The following are all the things I know of that need to be considered in implementing an EMA.
The following are testing results on the various options. The attack models BCH's current situation which is a fairly rigorous test compared to other possible settings. Other settings result in similar relative results. The target solvetimes were tweaked to give the same avg solvetime so to prevent an unfair advantage. All the algos except the RTT have an N setting that gives the same Std Dev in difficulty as SMA N=144 under constant hashrate.
The best way to a judge a good algorithm from these charts is to see if the blue lines (avg of 11 solvetimes) are not going up and down too much, and also for thin green bars which is how many blocks (not time) the attacker is getting before difficulty has risen above his "stop mining" point. The stolen metric is the time-weighted target the attacker faced verses the average. If it's 3% then his target was 3% higher than a dedicated miner (his difficulty was 3% lower). The delay metric is the sum of solvetimes in terms of target solvetimes that took 6xT, minus 2xT, expressed as a percentage of the total number of blocks.
SMA_ Target ST/avgST= 599/600.357 N= 144 attack_size: 600 start/start: 130/135, StdDev STs: 1.283 delays: 9.6% stolen: 5.4%![image](https://user-images.githubusercontent.com/18004719/68530970-57a8e000-02db-11ea-9e70-9f9829cc3c57.png)
EMA with 2-block delay on timestamps Target ST/avgST= 594/599.769 N= 80 attack_size: 600 start/start: 130/135, StdDev STs: 1.270 delays: 6.3% stolen: 4.4%![image](https://user-images.githubusercontent.com/18004719/68530975-642d3880-02db-11ea-84d3-71aa0f0e9f55.png)
EMA (normal) Target ST/avgST= 594/599.721 N= 80 attack_size: 600 start/start: 130/135, StdDev STs: 1.265 delays: 5.5% stolen: 3.3%![image](https://user-images.githubusercontent.com/18004719/68530984-7c04bc80-02db-11ea-87ab-2a3c36996ecc.png)
Marks RTT "EMA" This is identical in results to a normal EMA using current block's solvetime instead of previous block's. Target ST/avgST= 602/600.094 N= 80 attack_size: 600 start/start: 130/135, StdDev STs: 1.130 delays: 1.4% stolen: 0.7%![image](https://user-images.githubusercontent.com/18004719/68530988-8cb53280-02db-11ea-9bea-ff4a6ef5ae45.png)
LWMA (looks same as normal EMA) Target ST/avgST= 598/600.321 N= 144 attack_size: 600 start/start: 130/135, StdDev STs: 1.270 delays: 5.7% stolen: 3.4%![image](https://user-images.githubusercontent.com/18004719/68531013-c1c18500-02db-11ea-8d4e-98d097b97818.png)
TSA (A slow normal EMA N=80 with a fast EMA N=11 RTT riding on top) The negative stolen metric indicates it's costly to try to pick a low difficulty to being mining with a high hashrate. The blue + symbols are the target the miner actually had to solve. The purple solid line is the difficulty that goes on the chain. If you look closely, almost no + marks in the green areas (attacks) are below the average difficulty. This is because the big hashrate is doing a fast solve which causes difficulty to be higher. Notice the delays and blue line swings are not any better, but in practice they will a lot better because big miners will be much less likely to participate if a 2% loss like this is the outcome as opposed to the current 5.4% gain in SMA. I discuss this more in my TSA article. Target ST/avgST= 595/599.93 N= 80 and M=11 attack_size: 600 start/start: 130/135 StdDev STs: 1.13 delays: 2.13% stolen: -1.23%![image](https://user-images.githubusercontent.com/18004719/68536837-54d3dc80-0327-11ea-9c03-0f068474174f.png)
This shows the difference between an EMA with a 2-block solvetime delay (like the chart above) WITH a 1 block delay in targets. It's a disaster.