[kerkeslager]

Well, first, "censorship-resistant" doesn't imply "censorship-proof".

Second, I don't think we can conclude what would happen if China tried to censor.

China certainly has 51% attack capability against Bitcoin, but the only implication that of that which is clear to me is that they could potentially execute double-spends. Using 51% attack capability to orphan transactions is different.

With a double spend, there's two transactions, both signed with the same key, and no way to determine which is valid (which came first). There's no source of truth for that information.

With an orphaned block, there's only one transaction signed with the key, so you have a single source of truth. You know the transaction exists, and at some point (i.e. after a certain number of blocks), if the transaction isn't included in the chain, you can conclude with reasonable certainty that the transaction is being intentionally orphaned. This allows you to reject the chain that doesn't include the transaction as invalid, and choose the longest chain that does include it. We already don't blindly follow the longest chain: for example, blocks that are improperly formatted are already rejected.

This would, of course, having different criteria for what is considered a valid block would cause fork in the currency. There would be the Chinese censored branch and the uncensored branch everyone else is using. But for a lot of reasons, I think people would be unwilling to trade as much traditional currency for the Chinese censored currency as they would for uncensored Bitcoin.

[nootropicat]

>There would be the Chinese censored branch and the uncensored branch everyone else is using

Every fork is vulnerable to the same attack, which is why such a switch doesn't make sense. There's no way to prevent Chinese miners from mining on the "Western" bitcoin if it's the more profitable option. The censorship can be easily made reactive: first, all Chinese miners have to register and report their hash power. If the total hash power for any specific network is below X (eg. 65%) they don't have to censor. The moment they do, they start orphaning blocks that don't comply with the Chinese law. Note it also increases their profits!

The same forces (lots of cheap electricity) that resulted in the concentration of sha256 hashing in China also work for any other PoW; switching to a GPU-based PoW would at best only prolong the inevitable. Most likely GPU PoW is also China-dominated.

Proof of work has infinite economies of scale and the winner can take all property. The second property makes it profitable for the majority of hash power to cartelize and exclude others. If the cartel was smartly set by the Chinese government - allowing access to all Chinese miners and making it illegal to create smaller cartels - everyone in China would join and after a while it would be enough to mine with only ~20% of the available hash power. That's a 5x increase in revenue per watt hour!

Why? Initially, Chinese miners can mine with >65% of global power, excluding competitors. They do it until everyone else goes bankrupt, giving them 100%. Then, each individual miner can start mining with only 20% of their total power. To prevent fraud, it's enough to make everyone mine with 100% for one hour every week, all at once, to prove their total individual hash power. If some foolish foreign competitor arrives with more than 20% of the Chinese hash power, every Chinese miner turns everything on. This monopoly would be almost impossible to defeat.

However, even if you assume someone defeats it somehow - the only way to defeat it is to have an even bigger centralized entity! All that happened is a new monopoly, not decentralization.

All of this means bitcoin can never become "refuge from the growing foreign and domestic militarization of money. [..] an indispensable weapon against civil asset forfeiture, international sanctions, deplatforming, and mass surveillance" to any noticeable degree. It's currently left alone only because it's irrelevant except as a speculative toy.

[thebean11]

Reusing the same attack would just result in a never-ending series of offshoots from the "western" chain. If anything that would guarantee that the uncensored chain stays dominant, as all of the forks would be quicky abandoned for the next

[nootropicat]

You can't expect people to fork every week to a new network. This is at best a one time deal, and if it doesn't work, that's it.

[kerkeslager]

People wouldn't do it manually--the entire point is to automate it.

But you corrected your assumption in the other comment thread, so I'll continue the conversation there.

[kerkeslager]

> Every fork is vulnerable to the same attack, which is why such a switch doesn't make sense.

No, it wouldn't. I don't think you're understanding the solution I'm proposing. There isn't an amount of computing power that allows you to submit invalid blocks.

[nootropicat]

I assumed you meant manually. This method isn't possible to automate under PoW, because any such actions require global time, but PoW is what provides time itself, creating a contradiction. What this means in practice is network splits.

>you know the transaction exists, and at some point (i.e. after a certain number of blocks), if the transaction isn't included in the chain, you can conclude with reasonable certainty that the transaction is being intentionally orphaned. This allows you to reject the chain that doesn't include the transaction as invalid

as what would happen is nodes that were online and observed the situation would follow one chain, but everyone else that joins later wouldn't be able to confirm that censorship actually happened, and follow another. If you have a solution that solves it, you solved the fundamental problem - absolute order - some other way and PoW becomes completely superfluous.

Then there's a problem of: what happens when there are contradictory transactions on two different chains at once? How do you decide which one is valid? This gets complex very fast.

If you want to try tackling the censorship issue in an automated way, you have to move away from PoW to a more typical consensus algorithm with online identities. In the simplest case, if all (ever - no new ones) network participants are online all the time, the problem becomes trivial and something close to your solution would work.

[kerkeslager]

EDIT: Everywhere I say that we wait 5 blocks/confirmations, that's just a number I picked. I think you could conservatively use fewer confirmations, but there's a bunch of network analysis you'd have to do to calculate what the probability of a transaction not being included in N sequential blocks simply due to network instability. I didn't do that network analysis, so you might need more or fewer confirmations to be reasonably sure that censorship is occurring and not just network instability.

> I assumed you meant manually. This method isn't possible to automate under PoW, because any such actions require global time, but PoW is what provides time itself, creating a contradiction. What this means in practice is network splits.

I don't think you need global time to do this. More on this later in this post.

> as what would happen is nodes that were online and observed the situation would follow one chain, but everyone else that joins later wouldn't be able to confirm that censorship actually happened, and follow another. If you have a solution that solves it, you solved the fundamental problem - absolute order - some other way and PoW becomes completely superfluous.

This situation resolves itself naturally via the mechanism I proposed.

Let's follow the scenario you propose and see how it resolves. The following events happen in this order:

1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.

2. A transaction from that address is broadcasted.

3. Chinese miners mine 5 blocks that don't contain the transaction. Nodes which have been on the network the whole time notice the censored transaction, and go to the next-longest chain, creating a fork.

4. A new node joins the network. From the new node's perspective, there are two chains, but the Chinese one is longer so you go with that. However, you still have the signed transactions from the shorter chain, and your node notices that the Chinese chain doesn't contain some of those transactions. At the time of joining, as far as you know, that transaction simply hasn't been included in the longest chain yet.

5. Chinese miners mine 5 more blocks that don't contain the transaction. The newly-added node now notices the censored transaction, rendering the current chain invalid, and goes to the longest valid chain, which is the one everyone else was on. Consistency achieved.

The implication of this solution is that when you join the network, you now have to wait for 5 confirmations to ensure none of the transactions you have are being censored in the longest chain (i.e. it takes 5 confirmations to know that the longest chain is valid). Which is certainly an important implication!

Note that absolute order doesn't matter here. We don't have to know the order of the transaction, only that it has existed for some number of blocks without being included in the chain.

> Then there's a problem of: what happens when there are contradictory transactions on two different chains at once? How do you decide which one is valid? This gets complex very fast.

The way you've worded it, that's not really all that complex--that's the same as a double spend, and it's resolved the same way any other contradictory transaction is resolved: follow the longest (valid) chain (where part of the definition is "valid" is "containing all transactions I've had for 5 confirmations").

However, I think you might have left out part of what you meant here, so I'll try to explain what I think you're hinting at. There's a sophisticated way for China to hide their attack. It works like this:

1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.

2. A transaction from that address is broadcasted. We'll call this the censored transaction.

3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.

4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.

5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.

6. 4 more blocks are mined on the censored chain.

7. A new node joins the network.

8. At this point, the censored branch doesn't include the red herring transaction, and the red herring branch doesn't include the censored transaction. So our previous resolution strategy doesn't work, because we don't know whether it's the red herring transaction or the censored transaction that's being censored.

First, I want to say, this is a really sophisticated attack and I want to congratulate you for coming up with it.

Second, I think this problem can be solved by sweeping up ALL the transactions in EVERY block you receive, even if they are in blocks which haven't been confirmed, and treat them as if they were broadcast to you on the network. This way, the red herring transaction gets included into the censored branch. This gives us a new resolution:

1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.

2. A transaction from that address is broadcasted. We'll call this the censored transaction.

3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.

4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.

5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.

6. A new block is mined on the censored chain. Since we've swept up all the transactions from the red herring chain, this block includes the red herring transaction.

7. A new node joins the network and assumes the red herring chain is the longest valid chain.

8. After 5 blocks, the new node sees the red herring chain does not contain the censored transaction, invalidates the red herring chain, and goes to the longest valid chain, which is the censored chain. Consistency achieved.

[nootropicat]

Your solution regularly leads to orphans 5 blocks deep, making the network unstable. Now consider this:

- Chinese miners (the network doesn't know that) publish a normal transaction.

- they don't include it for 30 blocks. Western nodes have already switched to a minority uncensored chain after 5 blocks, as they consider the transaction censored.

- Chinese miners include it in 31st block.

A new node joins. It follows the Chinese chain indefinitely.

The core of the problem is lack of objective time (or at least ordering): there's no way to prove to the new node that a transaction was actually censored in the past. From its perspective, the minority chain might have been created after the Chinese block with the transaction was published. As long as there's no external objective time, it's always possible to invent some attack scenario that splits the network for new nodes.

Last but not least, every minority chain is by definition vulnerable to 51% attacks, so even if a solution to censorship could exist in PoW, the minority chain could get intentionally killed this way, constantly generating double spends until people stop using it.

[kerkeslager]

> Your solution regularly leads to orphans 5 blocks deep, making the network unstable.

Only if China decides to hamper the speed of their miners by pointlessly trying unsuccessfully to censor transactions.

> - Chinese miners (the network doesn't know that) publish a normal transaction.

> - they don't include it for 30 blocks. Western nodes have already switched to a minority uncensored chain after 5 blocks, as they consider the transaction censored.

> - Chinese miners include it in 31st block.

> A new node joins. It follows the Chinese chain indefinitely.

Okay, yes. And so does the entire rest of the network, because now the blocks are valid. Yes, this is very bad, because anyone who spent money in the shorter chain can now re-spend their coins.

But critically, nothing was censored here. This is a transaction reordering, not a censorship attack.

China can do the exact same thing with fewer steps. All they have to do is go back 30 blocks, and start mining blocks with the transactions in whatever order they want. Eventually their branch will be ahead and everyone will switch to it.

[heptathorp]

>You know the transaction exists, and at some point (i.e. after a certain number of blocks), if the transaction isn't included in the chain, you can conclude with reasonable certainty that the transaction is being intentionally orphaned. This allows you to reject the chain that doesn't include the transaction as invalid, and choose the longest chain that does include it.

So you are going to reorg after many blocks (enough to be sure a transaction is being censored). This sounds extremely undesirable as it kills finality. Today you can very reasonably be sure that after say, 6 blocks, a transaction is irreversible. That's not the case with this new rule.

[kerkeslager]

It delays finality, but it doesn't kill it. Reorgs are already possible, this is why we currently wait for some number of confirmations (6 last time I checked) to say a transaction is complete. Adding the condition of requiring all transactions you've received to be included in a chain means that you need to wait for more confirmations to reach the same level of confidence that the chain is final, but it doesn't mean finality will never happen.

With a perfect network where everyone receives all transactions immediately, and where transactions are prioritizes for inclusion by transaction fee first, and order received second, we can conclude after ONE block whether a transaction with a high enough transaction fee is being excluded. But the network isn't perfect. There's some network analysis to be done here to gather probabilities, but for the sake of simplicity, let's say the network is reliable enough that we can reasonably conclude whether a transaction is being excluded in 5 blocks (I think the number is actually lower, but let's go with 5 to be safe).

So basically, what we're saying here is that if we reject the fifth block that doesn't contain a transaction after we see it, then we're forcing a reorg.

The attack you're describing happens when someone waits for China to start ignoring a transaction, then attempts to use the resulting reorg to execute a double spend.

Last time I checked, the recommendation was to wait for 6 confirmations to prevent double spends, because it would be unreasonable for an attacker to attempt to catch up to the main block chain when the main blockchain has a 6-block head start. But if China forces a reorg after 5 blocks, then the attacker attempting to execute the double spend only needs to catch up 1 block.

Trivially, all this means is that we have to wait for 5+6 = 11 confirmations to achieve the same level of confidence that we got from 6 confirmations when China couldn't force a reorg.

But wait: China actually can't force a reorg that quickly with 100% probability. In order to force this reorg, China has to mine 5 blocks in a row. China only has 66% of hashing power, so the probability of China mining a given block is P=0.66. The chances of China mining N blocks in a row is P=0.66^N. So the probability of China even being able to force this reorg is P=0.66^5=0.13.

That's not nothing, but that's a lot of effort for China to put in just for a 13% chance of delaying a transaction. Given China can't actually censor the transaction, only delay it, why would they spend all those hashing cycles to do this? The incentives don't line up.

[heptathorp]

Good points, thanks.

Followup question: how does a node coming online know not to trust China's (longer, censoring) chain? It wasn't online to have the transaction in its mempool, so it doesn't know to check for it in the longest chain.

I think it would need to check all candidate blocks with lower heights to see if their chains contain any transactions that aren't in a longer chain.

What happens if I mine off of a very old block and include my own transaction in it, and present it to you... how do you distinguish between what I just did vs the longer chain having censored the transaction this whole time?

[kerkeslager]

> Followup question: how does a node coming online know not to trust China's (longer, censoring) chain? It wasn't online to have the transaction in its mempool, so it doesn't know to check for it in the longest chain.

> I think it would need to check all candidate blocks with lower heights to see if their chains contain any transactions that aren't in a longer chain.

Yes. You wouldn't need to store all these, though, you just sweep them up once you find the transactions included in the longest chain.

> What happens if I mine off of a very old block and include my own transaction in it, and present it to you... how do you distinguish between what I just did vs the longer chain having censored the transaction this whole time?

Broadcast all transactions you have which aren't already in the longest chain to the network, and wait for them to include them.

I'm not 100% sure, but I think transactions get rebroadcast automatically already until they're included.