Wright or Wrong? Let's read Craig Wright's "Selfish Miner Fallacy" paper together and find out

Status
Not open for further replies.

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
Wright or Wrong? Let's read Craig Wright's "Selfish Miner Fallacy" paper together and find out

In the fall of 2013, Ittay Eyal and Emin Gün Sirer published a landmark paper titled "Majority is Not Enough: Bitcoin Mining is Vulnerable." In this paper, they showed that by strategically withholding and releasing blocks according to what they named the "Selfish Mine" algorithm, a deviant miner could earn more than his fair share of revenue.

It was well understood since the Satoshi white paper that a miner with at least 51% of the network hash power could earn 100% of the revenue (by performing the so-called 51% attack). However, at the time of Eyal and Sirer's publication, it was generally assumed that a miner who controlled less than half of the hash power would be incentivized to "play by the rules" because it was thought that all deviant strategies would result in a loss of revenue to the deviant miner.

What was important about Eyal and Sirer's work was that it showed this assumption to be false: indeed, a deviant strategy did exist that a miner with less than half of the network hash power could apply and be rewarded with increased revenue.

According to my count, Eyal and Sirer's paper on selfish mining is the second-most highly cited paper in the cryptocurrency literature (second only to the Satoshi white paper), and for good reason: in addition to being well written and clearly argued, the paper reveals a fact so counterintuitive that even those intimately familiar with the Bitcoin protocol overlooked it for five years.

With time to digest the impact of the selfish-mining algorithm, many people have pointed out that -- although certainly real -- its threat as a practical attack may have been overstated. For example, in order for the strategy to turn a profit, the selfish miner must maintain the attack for several weeks to allow network difficulty to reset and hope that during that time other miners don't retaliate by adopting similar strategies.

Recently, however, Craig Wright has made the (vocal) claim that selfish mining is a fallacy -- he argues that the probability calculations that Eyal and Sirer's used to derive their counter-intuitive result were erroneous. In his recent paper titled "The Fallacy of Selfish Mining: A Mathematical Critique," he claimed to "prove that not only is the proposed selfish mining attack economically infeasible for any group size of colluding miners but also that no such attack can be formulated."

The purpose of this thread is to work through his paper line-by-line and determine if there is substance to the claim, or if it is merely hot air.
 
Last edited:

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
Review of Section 1

Section 1 of Wright's "Selfish Mining Fallacy" paper contains an introductory paragraph, followed by two subsections titled "The Bitcoin Process Summarized" and "The Binomial Random Walk in Bitcoin." In this post, we examine his introductory paragraph only.

It begins:



The first sentence would be confusing to those unfamiliar with Eyal and Sirer's paper. The variable α represents the fraction of the network hash power controlled by the selfish miner. The remainder of the network is assumed to be composed of "honest miners" who follow the default protocol, and thus their hash power is 1-α (because α + (1-α) = 1). Although not clear from the context, the word "event" refers to a miner finding a block header with a hash that meets the network difficulty target (i.e., a valid proof-of-work (PoW)).

Now let's interpret the quoted phrase. Let's imagine that α = 1/3 (the selfish miner controls 33.3% of the network hash power), and so 1-α = 2/3 (the honest miners control 66.7%). The quoted phrase from Eyal and Sirer is simply stating that the selfish miner finds valid PoWs at an average frequency of 1/3 while the honest miners find valid PoWs at an average frequency of 2/3.

To me this makes a lot of sense: if the selfish miner controls half the hash power of the honest miners, they would find valid proof-of-works at half the rate! When Wright says that "this assertion is unsound," what he means is that he believes the average rate at which the two groups find valid proof-of-works is not proportional to their relative hash power. This seems like a red flag to me, but the author says he will demonstrate why what appears to be true is not true. So let's continue...



The first half of the first sentence is factual (although some readers may wonder what l is [l can be thought of as the number of leading zeros in the block header hash when expressed in binary]), and merely states a well-known fact about Bitcoin mining (the second half of the sentence seems unrelated to the topic of discussion). The next sentence suggests that the author will somehow use this well-known fact about mining to both demonstrate that Eyal and Sirer's work is flawed and also prove that no profitable deviant strategy exists.

If not a red flag, this is at least odd: I feel the author is presenting a well-known fact about Bitcoin as though it is some sort of new insight that will, later in the paper, allow him to demonstrate the purported flaw in selfish mining. But the selfish mining paper is built from the same model of Bitcoin mining. There is still no hint as to what the "fallacy" is or what model Eyal and Sirer got wrong.

OK let's move on. The next sentence reads:



I interpret this to mean that in addition to believing that selfish mining is a fallacy, the author also believes that much of the other cryptocurrency literature is similarly flawed, and that he intends to write similar papers critiquing other topics. This sentence distracts me from the topic at hand (how is it relevant?); I get the feeling that the author has a chip on his shoulder.

The author continues:



I believe the author is no longer referring to flaws he believes exist in the selfish mining paper, but is now criticizing the cryptocurrency literature in general. How is this directly relevant to the paper he's currently critiquing?


My score: 2 / 10. This is an awful introductory paragraph. The author probably loses most readers at the first sentence because he doesn't give enough context for them to understand what it means. He then follows that with an assertion that seems clearly false. Next he claims he will prove that assertion using facts about bitcoin mining that are already well understood (but presents these facts as though they were new insights). Finally, he expands his "critique" beyond Eyal and Sirer's work to cryptocurrency literature in general by saying that the community has been using the wrong models (although the only model he has presented is the one that everyone is using).

We'll move on to Section 1.1 next...
 
Last edited:

cypherblock

Active Member
Nov 18, 2015
163
182
Some more discussion around what Wright means by "this assertion is unsound" is needed. I think what he is saying here is that in the SM paper the line "these events occur at exponential intervals with an average frequency of α and (1−α), respectively." (emphasis added) implies that the events are following a Poisson process, and that he disagrees that block discovery (with regards to sm strategy) follows a Poisson process.

We can see that in the definition of "Exponential Distribution" (closest to "exponential intervals"?) we find from Wikipedia: "In probability theory and statistics, the exponential distribution (also known as negative exponential distribution) is the probability distribution that describes the time between events in a Poisson process" (emphasis added).

So this is what Wright is disagreeing with it seems.
 

cypherblock

Active Member
Nov 18, 2015
163
182
To hone our intuition around bitcoin mining, let's contrast 2 approaches to thinking about the mining process with regards to competing pools (selfish vs. honest).

In one approach we consider that we have one single 12 sided die and we will roll this to determine who wins the next block. If the role comes up 1-8 it will be for the honest miners. If it comes up 9-12 it will be for the selfish miners. So we simply roll the die repeatedly and depending on the outcome we either allocate the block to the selfish or honest miner. Each roll of the die is equal to someone (honest or selfish ) finding a block.

This is how Eyal and Sirer seem to model their block discovery process. For each next block there is a 33% chance it will go to the selfish miner and 66% chance it will go to the honest miner and we can simply iterate this die rolling and allocate accordingly.

Now by contrast let us consider another approach to model block discovery. Here we consider 2 people each flipping say 10 coins (they put the coins in a cup , shake, and then dump them all out at once). They are hoping to get say 7 coins to come up heads and that means they win a block (after 1 dumping of coins if they don't have 7 coins heads, they try again each dumping being independent). However in this case the 2 people do not flip their set of coins at equal rates. 1 person can do it twice as fast the other. The numbers 10 and 7 here are arbitrary but 7 would be like the difficulty in bitcoin.

This second approach (if I've described it well) seems a lot closer to what is happening in bitcoin mining when we consider competition between 2 pools (selfish vs honest). In fact it would be more complex than this if we consider 1 selfish pool and many honest pools, all dumping their coins at different rates.

So I'm curious to know (before we dive further into Wrights paper) what people think of the above. Are these 2 approaches equivalent as far as SM paper goes? Did I describe these 2 approaches well enough or did I get it wrong?
 

bitcartel

Member
Nov 19, 2015
95
93
This recent paper argues that dishonest block distribution is a negative binomial distribution rather than poisson process.

Paper: "Double Spend Races" https://arxiv.org/abs/1702.02867

Article: https://bitcoinmagazine.com/articles/how-satoshi-messed-his-math-and-how-these-academics-just-fixed-it/

From article:
“Satoshi wrongly assumed that honest miners use exactly as much time to find a block as they would on average,” Grunspan told Bitcoin Magazine. “However, this is actually a rough approximation of reality, since the time used by honest miners to mine a block is not deterministic. Therefore, the distribution of the number of blocks mined by the attacker is actually — what is called — a ‘negative binomial distribution.’ Not the assumed ‘Poisson law.’”
...
“In this paper, we show that the probability of double spends drops exponentially to zero as the honest mining majority finds more blocks,” Grunspan said. In other words, it becomes increasingly difficult for minority attackers to catch up and overtake the honest majority."
 

lunar

Well-Known Member
Aug 28, 2015
1,001
4,290
Some of the brain power in the space is a very intimidating so forgive me, but can I ask a dumb question?

The way i'm understanding this, is the selfish miner withholds a block solution for X amount of time in order to begin searching for the next solution (current block +1) that only they know about, thus supposedly giving them a head start in the race.

The bit i'm unclear on: I was of the understanding that the process to find a block solution is purely random? Like a complex version of a coin toss. So to me the idea of withholding a block is basically flawed because the selfish miner is falling for the gamblers fallacy. The odds of finding a block solution at any moment in time are always equal (ignoring difficulty adjustments)

If this understanding is correct, then the error i'm seeing is this quote in the Eyal and Sirer's paper, (also quoted in the csw paper.)

“When the selfish miner pool finds a block, it is in an advantageous position with a single block lead on the public branch on which the honest miners operate."

Error being, the selfish miner is never in an advantageous position to begin with. The odds of finding two, or n solutions in a row are always equal, (similar to multiple coin tosses coming up heads) whether the rest of the network is aware of the first solution or not.

(for simplicity, difficulty adjustments ignored, and miners have proportionally fixed hashrates)
 

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
Some more discussion around what Wright means by "this assertion is unsound" is needed. I think what he is saying here is that in the SM paper the line "these events occur at exponential intervals with an average frequency of α and (1−α), respectively." (emphasis added) implies that the events are following a Poisson process, and that he disagrees that block discovery (with regards to sm strategy) follows a Poisson process.

We can see that in the definition of "Exponential Distribution" (closest to "exponential intervals"?) we find from Wikipedia: "In probability theory and statistics, the exponential distribution (also known as negative exponential distribution) is the probability distribution that describes the time between events in a Poisson process" (emphasis added).

So this is what Wright is disagreeing with it seems.
That could very well be the case. Hopefully as we dig through the paper we'll find out for sure. But if that is what Wright means, it would have been vastly more clear to just come out and say "the assertion that PoWs are found at exponential intervals is unsound" and give some insight as to why. Anyways, if that is what he's saying, without further explanation, it too appears wrong.
[doublepost=1501086740,1501085663][/doublepost]
To hone our intuition around bitcoin mining, let's contrast 2 approaches to thinking about the mining process with regards to competing pools (selfish vs. honest).

In one approach we consider that we have one single 12 sided die and we will roll this to determine who wins the next block. If the role comes up 1-8 it will be for the honest miners. If it comes up 9-12 it will be for the selfish miners. So we simply roll the die repeatedly and depending on the outcome we either allocate the block to the selfish or honest miner. Each roll of the die is equal to someone (honest or selfish ) finding a block.

This is how Eyal and Sirer seem to model their block discovery process. For each next block there is a 33% chance it will go to the selfish miner and 66% chance it will go to the honest miner and we can simply iterate this die rolling and allocate accordingly.

Now by contrast let us consider another approach to model block discovery. Here we consider 2 people each flipping say 10 coins (they put the coins in a cup , shake, and then dump them all out at once). They are hoping to get say 7 coins to come up heads and that means they win a block (after 1 dumping of coins if they don't have 7 coins heads, they try again each dumping being independent). However in this case the 2 people do not flip their set of coins at equal rates. 1 person can do it twice as fast the other. The numbers 10 and 7 here are arbitrary but 7 would be like the difficulty in bitcoin.

This second approach (if I've described it well) seems a lot closer to what is happening in bitcoin mining when we consider competition between 2 pools (selfish vs honest). In fact it would be more complex than this if we consider 1 selfish pool and many honest pools, all dumping their coins at different rates.

So I'm curious to know (before we dive further into Wrights paper) what people think of the above. Are these 2 approaches equivalent as far as SM paper goes? Did I describe these 2 approaches well enough or did I get it wrong?
@cypherblock: yeah I think you've highlighted a point of confusion. To me the two situations you describe, in terms of who finds the next block, are equivalent.

For example, in your first case where "God" rolls a 12 sided die and an honest miner finds the next PoW if it comes up 1-8, and a selfish miner finds the next block if it comes up 9 - 12, it is obvious that the probability that the SM miner finds the next block is 1/3 and the probability that an honest miner finds the next block is 2/3.

In your second case, they both need 7 of 10 coins to come up heads, but the honest miners get two chances for every chance the selfish miners get. If p is the probability of the event occurring after one attempt, then 2p is the (approximate) probability after two attempts [1]. Since the honest miners get two attempts per every attempt by the SM, the honest miners are twice as likely to find the next PoW.

So to me it's pretty clear that both ways of thinking about the problem are equivalent in terms of the probability of finding the next block.

[1] This is only exact as p -> 0. Since the probability of any particular nonce solving the puzzle is very very very tiny, this approximation can be considered exact. I'll discuss this in more detail when I go over Section 1.2 from Wright's paper.
 
Last edited:
  • Like
Reactions: CryptoDude9

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
This recent paper argues that dishonest block distribution is a negative binomial distribution rather than poisson process.

Paper: "Double Spend Races" https://arxiv.org/abs/1702.02867

Article: https://bitcoinmagazine.com/articles/how-satoshi-messed-his-math-and-how-these-academics-just-fixed-it/

From article:
“Satoshi wrongly assumed that honest miners use exactly as much time to find a block as they would on average,” Grunspan told Bitcoin Magazine. “However, this is actually a rough approximation of reality, since the time used by honest miners to mine a block is not deterministic. Therefore, the distribution of the number of blocks mined by the attacker is actually — what is called — a ‘negative binomial distribution.’ Not the assumed ‘Poisson law.’”
...
“In this paper, we show that the probability of double spends drops exponentially to zero as the honest mining majority finds more blocks,” Grunspan said. In other words, it becomes increasingly difficult for minority attackers to catch up and overtake the honest majority."
Thanks for the link. That's an interesting paper. Digging into Satoshi's math, I see he actually mentioned the assumption that Grunspan pointed out:



(BTW -- I wouldn't say he "wrongly assumed," rather he made a simplifying assumption that he knew may be non exact in order to simplify the mathematics).

But, at least so far, this is all beside the point. We're talking about the selfish mining attack, not the double-spend attack described in Satoshi's white paper.
[doublepost=1501088549][/doublepost]
Some of the brain power in the space is a very intimidating so forgive me, but can I ask a dumb question?

The way i'm understanding this, is the selfish miner withholds a block solution for X amount of time in order to begin searching for the next solution (current block +1) that only they know about, thus supposedly giving them a head start in the race.

The bit i'm unclear on: I was of the understanding that the process to find a block solution is purely random? Like a complex version of a coin toss. So to me the idea of withholding a block is basically flawed because the selfish miner is falling for the gamblers fallacy. The odds of finding a block solution at any moment in time are always equal (ignoring difficulty adjustments)

If this understanding is correct, then the error i'm seeing is this quote in the Eyal and Sirer's paper, (also quoted in the csw paper.)

“When the selfish miner pool finds a block, it is in an advantageous position with a single block lead on the public branch on which the honest miners operate."

Error being, the selfish miner is never in an advantageous position to begin with. The odds of finding two, or n solutions in a row are always equal, (similar to multiple coin tosses coming up heads) whether the rest of the network is aware of the first solution or not.

(for simplicity, difficulty adjustments ignored, and miners have proportionally fixed hashrates)
No not at all. Eyal and Sirer's math takes this into account. It's just that the result is counterintuitive.

Think about it like this: if the SM finds a block and keeps it private, the honest miners need to find two blocks before he finds one in order to be sure to orphan the selfish miner's hidden block. If the SM has more than half the hash power of the honest miners (i.e., more than 1/3rd of the total), he's more likely to find a second block before the honest miners find two blocks. [The full SM algorithm has more states in it, but I think what I just wrote reveals the intuition that large miners may be better off keeping certain blocks secret.]
 
Last edited:

bitcartel

Member
Nov 19, 2015
95
93
Building a longer chain in private is at the core of both selfish-mining and a double-spend attack on a merchant.

So what is the best way to model the attackers progress? The simplified approximation of the Poisson process or the negative binomial?

This comment says there is a "non-negligible difference" between the two.
https://bitcoin.stackexchange.com/a/49618

Referencing page 7 and the chart on page 10 of Meni Rosenfeld's paper:
https://arxiv.org/abs/1402.2009
 

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
@bitcartel: Eyal and Sirer's math is different than Nakamoto's (they're analyzing different problems). I'm quite confident they (Eyal and Sirer) dealt with it exactly (i.e., they do assume that both the selfish miners and the honest miners find blocks at a reduced rate).
 
  • Like
Reactions: CryptoDude9

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
Review of Section 1.1

In this post, we critique Section 1.1 of Wright's paper. Its subtitle is "the Bitcoin process summarized" and begins with the following three sentences:



The first sentence "If a miner chooses not to publish a block...the remaining miners will complete 2^
l hash puzzles" is confused for two reasons:
  1. The next PoW is indeed expected after an additional 2^l attempts are made, but the PoW may be found sooner or later. There is no guarantee that "the remaining miners will complete 2^l hash puzzles" nor is there a guarantee that if they did they would necessarily find a solution.
  2. The fact that the sentence is prefaced with "if a miner chooses not to publish a block" is misleading because mining is a memoryless process. A solution is always expected 2^l hash attempts from now.
The second and third sentences can be easily combined. A more precise way to write the quoted blurb would be:

Assume the selfish miner finds a solution for block height N at time t=0 and chooses not to publish it. From this point in time forward, the honest miners would, on average, find a competing solution for block height N after performing 2^l hash attempts, while the selfish miner would, on average, find a solution for block height N+1 also after performing 2^l hash attempts.
Although the author's writing is unclear, I'm going to give these first three sentences a pass. The next sentence, however, is nonsensical:



I assume he is referring to the selfish miners when he says "miners," but what is x? He says it's the "total computing power." OK so let's put some numbers to it. Let's first assume x = 1,000,000 hash / sec. Then 1 / (1 - x) = 1 / (-999999) = -0.000 001. Ignoring the fact that we're getting a negative number, what the heck are the units? Clearly, x cannot be the "total computing power."

In order for the equation to be dimensionally consistent, x needs to be a dimensionless number. So maybe x is some sort of fraction. But x is also the "total computing power," so the only reasonable fraction I can think of for x would be 1. In this case, 1 / (1 - 1) = infinity, and the equation still makes no sense.

Alright, I give up. I have no idea what the author means by this equation and this sentence. Moving on...



This statement is true if we assume that by t the author means the block time (10 min) and if we also assume constant network difficulty. However, this is such a well-understood fact that the author could just state it. It simply means is that if the selfish miner controls 1/2 the network hash power, he'd expect to find his second block 20 minutes after his first; if he has 1/3 the network hash power, he'd expect to find his second block 30 minutes after his first. This is basic stuff.

The author's following sentence reads:



This seems plain wrong. If we imagine the case where both the selfish miner and honest miner have 50% of the hash rate (α = 0.5), this equation works out to:

(10 min) * (1 - 0.5) / (0.5) = 10 min.
Why would you expect the remaining miners to find two blocks in 10 minutes? In this example, they have the same hash power as the selfish miner who doesn't expect to find a block for 20 minutes!

If we test out the formula with α = 1/100 (hardly any selfish mining hash power), we get:

(10 min) * (1 - 0.01) / (0.01) = 990 min.
This also seems wrong. If only 1% of the network is selfish mining, why would it take the rest of the network 990 minutes to find two blocks! It's absurd.

Perhaps this equation contains a typo. Moving on...

The next sentence says:



which is equally nonsensical because it implies that the honest miners solve blocks faster if they have less hash power! The correct statement is:

The honest miners will find a competing block on average in (10 min) / (1-α) time.​

Notice that I didn't reference this time to when the last block on the public chain was found? That is because it doesn't matter. Bitcoin mining is a memoryless process. The fact that the author did reference his equation to a prior event is our first piece of evidence that he has a fundamental misunderstanding of Bitcoin mining. It doesn't matter when the last public block was found; the honest miners always expect to find another block (10 min) / (1 - α) from the current moment (of course this is assuming difficulty hasn't reset).

Alright, moving onwards...



The author hasn't even explained what the strategy is; all we know so far is that the selfish miner chooses not to publish the block for some reason. What exactly "seems to work?"

Oh good, there's a diagram next. Maybe that will help explain things.



Actually now I'm more confused. I thought the hidden block event was at t=0? Shouldn't the SM find blocks on average in 30 minutes instead of 20 minutes as shown? We also see that the author is again assuming the mining process has memory. The honest miners do NOT expect to find the next block 5 minutes after the selfish miner finds his. They expect to find the next block 10 min / (1 - 0.333) = 15 minutes after instead.

Assuming that the honest miners find a block on average only 5 minutes after the selfish miner find his is a fundamental error.



The author still hasn't explained what the selfish mining strategy is yet, but has now made numerous errors.

My Score: 1.5 / 10. The author tries to explain some very basic aspects of Bitcoin mining, yet fails due to careless notation, multiple errors in his equations, and a fundamental misunderstanding of what it means for Bitcoin mining to be "memoryless."

READERS: Shall I continue, or are you convinced that the paper is fundamentally broken (the "5 min" error is enough for me to be convinced).
 
Last edited:
  • Like
Reactions: CryptoDude9

bitcartel

Member
Nov 19, 2015
95
93
I assume he is referring to the selfish miners when he says "miners," but what is x? He says it's the "total computing power." OK so let's put some numbers to it. Let's first assume x = 1,000,000 hash / sec. Then 1 / (1 - x) = 1 / (-999999) = -0.000 001. Ignoring the fact that we're getting a negative number, what the heck are the units? Clearly, x cannot be the "total computing power."

Perhaps computing power is on a range between 0..1, so 1/(1-x) can never be negative, and x is the total computing power a miner possesses?
 
Last edited:
  • Like
Reactions: CryptoDude9

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
@bitcartel: yes, the formula only makes sense if x is dimensionless (and 0 <= x <= 1). But then if x is the "total computing power," what is its numeric value? How can we make sense of this equation given the context around it? [I don't think it really matters to understanding this section, because the following results are trivial anyways]
 
Last edited:
  • Like
Reactions: CryptoDude9

cypherblock

Active Member
Nov 18, 2015
163
182
We also see that the author is again assuming the mining process has memory. The honest miners do NOT expect to find the next block 5 minutes after the selfish miner finds his.
There are a number of things wrong with his diagram and explanation but I'm not 100% sure he is assuming any memory here. In his write up he assumed that the honest pool found a block at -10 min. So 15 minutes later (66.66% hash power) would be at the t=5 min mark, and they would expect on average to have found a block by then. It just so happens in his explanation that the selfish miner found a block at t=0 (not t=-5 as he shows in the diagram), and so the "a public block is expected to be discovered 5 minutes after the private block." is just another way of stating that scenario.

Anyway there is a lot wrong or just odd in his paper but I'm giving him the benefit of the doubt on the "memory" issue here.

Shouldn't the SM find blocks on average in 30 minutes instead of 20 minutes as shown
Yeah no idea how he got 20min. Maybe he started off thinking of modeling a 50% selfish miner but then switched to 33%? So yeah all sorts of weirdness here.
 
Last edited:

Peter R

Well-Known Member
Aug 28, 2015
1,398
5,595
There are a number of things wrong with his diagram and explanation but I'm not 100% sure he is assuming any memory here. In his write up he assumed that the honest pool found a block at -10 min. So 15 minutes later (66.66% hash power) would be at the t=5 min mark, and they would expect on average to have found a block by then. It just so happens in his explanation that the selfish miner found a block at t=0 (not t=-5 as he shows in the diagram), and so the "a public block is expected to be discovered 5 minutes after the private block." is just because they are due one by then because of their own mining efforts.

Anyway there is a lot wrong or just odd in his paper but I'm giving him the benefit of the doubt on the "memory" issue here.
You mentioned "he assumed the honest pool found a block at -10 min" [really the honest miners and selfish miners were mining together at this point] and so 15 minutes later they would expect to find another block. But this is assuming memory. This is proof that he is making a fundamental mistake.

What matters is that the selfish miner found the next block at t=0. It doesn't matter when the previous block was found. From t=0 forward, we expect the honest miners to solve blocks on average in 15 minutes, and the selfish miner to solve blocks on average in 30 minutes.

See what I mean? The "work" the miners did prior to the selfish miner finding the block at t=0 doesn't count for anything. Because the process has no memory, everything before "now" makes no difference.
 
Last edited:
  • Like
Reactions: CryptoDude9

lunar

Well-Known Member
Aug 28, 2015
1,001
4,290
Think about it like this: if the SM finds a block and keeps it private, the honest miners need to find two blocks before he finds one in order to be sure to orphan the selfish miner's hidden block. If the SM has more than half the hash power of the honest miners (i.e., more than 1/3rd of the total), he's more likely to find a second block before the honest miners find two blocks. [The full SM algorithm has more states in it, but I think what I just wrote reveals the intuition that large miners may be better off keeping certain blocks secret.]
Ok, Maybe i'm misunderstanding because i'm not following the maths, just the logic, but to me this situation you describe, is still falling into a gamblers fallacy.

To make this super simple, lets say there are only 3 miners, SM, HM and UM (unlucky miner). each with a 1/3 of the network.

If SM is keeping their discovered block private, HM doesn't need to find two blocks, like you say above, because it's not about winning the race, (past events have no bearing on future chance, in a purely random distribution) it's about resetting the race, and thus returning to equal footing. Neither SM or HM is aware of the UM who is destined to have a bad day.

In other words you seem to be implying some connection between the SM and the HM that changes the others luck, when in my understanding, the two miners actions are purely independent, so having no impact on who finds the second block. A bit like me walking into a room where you've just thrown 20 heads in a row, and naively making a big bet with me on who will throw tails first, based on your past performance.

Now there might be other things a selfish miner could that have affects on profitability, by withholding a block, like attempt double spends, but that seems off topic for now.
 
  • Like
Reactions: CryptoDude9

go1111111

Active Member
What matters is that the selfish miner found a block at t=0. It doesn't matter when the previous block was found. From t=0 forward, we expect the honest miners to solve blocks on average in 15 minutes, and the selfish miner to solve blocks on average in 30 minutes.

See what I mean? The "work" the miners did prior to the selfish miner finding the block at t=0 doesn't count for anything. Because the process has no memory, everything before "now" makes no difference.
You're clearly right, but I believe a phrase in the first paragraph is causing some confusion in others.

When you say "what matters is that the selfish miner found a block at t=0", this gives people the impression that the 2/3 hashrate group's expected time to find a block depends on whether the 1/3 hashrate group found a block or not. But as we know, nothing about that past (either someone finding or not finding a block) changes the expected time to find the next block for either the 2/3 or 1/3 group. So I wouldn't say "what matters is <something>", I'd say "what matters is... nothing, (because the process is memoryless)."

It might be tough to get non-technical people to understand this, but any halfway technical person will find this screenshot very damning for csw: https://btcchat.slack.com/files/peter_r/F6E9Q933L/screen_shot_2017-07-26_at_10.16.54_pm.png
 

cypherblock

Active Member
Nov 18, 2015
163
182
What matters is that the selfish miner found a block at t=0. It doesn't matter when the previous block was found. From t=0 forward, we expect the honest miners to solve blocks on average in 15 minutes
Yes I think you are right because we are saying at t=0 the honest miner definitely hasn't found a block yet, so their expected next block is on avg. 15 min from that point.
 
Status
Not open for further replies.