1 00:00:01,720 --> 00:00:25,240 [Applause] 2 00:00:07,840 --> 00:00:26,599 [Music] 3 00:00:25,240 --> 00:00:28,920 thanks for having me guys it's been an 4 00:00:26,599 --> 00:00:32,840 awesome conference so far I wish I could 5 00:00:28,920 --> 00:00:35,840 have been there in the flesh but lo and 6 00:00:32,840 --> 00:00:38,840 behold the government requires a fancy 7 00:00:35,840 --> 00:00:43,399 piece of paper to go across imaginary 8 00:00:38,840 --> 00:00:46,280 borders so unfortunately I couldn't be 9 00:00:43,399 --> 00:00:48,320 there so uh today I'm going to talk 10 00:00:46,280 --> 00:00:50,280 about a topic that I've been really 11 00:00:48,320 --> 00:00:53,440 interested in the last couple years I've 12 00:00:50,280 --> 00:00:56,640 been in Bitcoin and the crypto space for 13 00:00:53,440 --> 00:00:59,000 quite a while and 14 00:00:56,640 --> 00:01:03,239 um the most recent years just got a lot 15 00:00:59,000 --> 00:01:05,680 more interested in in threat models and 16 00:01:03,239 --> 00:01:08,360 how these systems can be attacked and 17 00:01:05,680 --> 00:01:10,479 pretty much how to attack them 18 00:01:08,360 --> 00:01:13,159 because best thing to do is to learn how 19 00:01:10,479 --> 00:01:16,400 to attack them before our 20 00:01:13,159 --> 00:01:18,799 adversaries can so we can find out how 21 00:01:16,400 --> 00:01:21,680 to mitigate and how to defend against 22 00:01:18,799 --> 00:01:23,640 any attacks So today we're going to talk 23 00:01:21,680 --> 00:01:25,960 about that and I hope to have a lot of 24 00:01:23,640 --> 00:01:27,799 discussion and kind of make it more of a 25 00:01:25,960 --> 00:01:30,560 Socratic style discussion with questions 26 00:01:27,799 --> 00:01:33,759 at the end to People for People to throw 27 00:01:30,560 --> 00:01:37,720 out ideas and get responses in regards 28 00:01:33,759 --> 00:01:40,240 to different threat models so this kind 29 00:01:37,720 --> 00:01:42,000 of be more of a general talk about proof 30 
00:01:40,240 --> 00:01:45,439 of work in general rather than just 31 00:01:42,000 --> 00:01:46,759 Monero but we'll be talking about um 32 00:01:45,439 --> 00:01:49,960 specifics in 33 00:01:46,759 --> 00:01:53,640 Monero in regard 34 00:01:49,960 --> 00:01:56,759 to um certain aspects that Monero has 35 00:01:53,640 --> 00:01:59,560 that guards against 51% attack so let's 36 00:01:56,759 --> 00:02:00,520 get started so the one thing to remember 37 00:01:59,560 --> 00:02:01,759 in 38 00:02:00,520 --> 00:02:03,759 these scenarios is the state should 39 00:02:01,759 --> 00:02:07,000 always be considered the adversary I 40 00:02:03,759 --> 00:02:09,000 mean proof of work is economically 41 00:02:07,000 --> 00:02:11,959 rational incentivized enough to where a 42 00:02:09,000 --> 00:02:14,160 private actor is not incentivized to 43 00:02:11,959 --> 00:02:15,840 really take try and take down the 44 00:02:14,160 --> 00:02:18,519 network there you know if you're going 45 00:02:15,840 --> 00:02:20,680 to amass enough mining power to do 51% 46 00:02:18,519 --> 00:02:23,879 attack you might as well just join the 47 00:02:20,680 --> 00:02:26,680 network rather than try and go against 48 00:02:23,879 --> 00:02:28,480 it and so the state incentive is that 49 00:02:26,680 --> 00:02:30,680 they want to control the flow of money 50 00:02:28,480 --> 00:02:33,000 and they want to control economic activity 51 00:02:30,680 --> 00:02:35,400 and information and they have an 52 00:02:33,000 --> 00:02:39,760 economically rational incentive in 53 00:02:35,400 --> 00:02:41,879 regards to control where a free market 54 00:02:39,760 --> 00:02:43,200 participant doesn't have that incentive 55 00:02:41,879 --> 00:02:45,599 they don't really care to 56 00:02:43,200 --> 00:02:47,840 control you know economic activity they 57 00:02:45,599 --> 00:02:51,159 just want to participate so the state 58 00:02:47,840 --> 00:02:51,159 should always be considered the 59 00:02:51,879 --> 00:02:57,319 adversary
so just some basics what is 60 00:02:54,120 --> 00:03:00,280 51% attack this is kind of the clearest 61 00:02:57,319 --> 00:03:02,159 definition I could come up with an 62 00:03:00,280 --> 00:03:04,480 adversary controlling 51% of the hash 63 00:03:02,159 --> 00:03:06,239 power with the intent to censor or 64 00:03:04,480 --> 00:03:08,799 double spend transactions and damage the 65 00:03:06,239 --> 00:03:11,000 utility of the network so a miner could 66 00:03:08,799 --> 00:03:12,560 have any you know miner could have 51% 67 00:03:11,000 --> 00:03:14,640 of the hash power it's very profitable 68 00:03:12,560 --> 00:03:16,680 to be majority miner but if they're not 69 00:03:14,640 --> 00:03:18,360 censoring or double spending then it's 70 00:03:16,680 --> 00:03:21,040 really not an attack it's you know the 71 00:03:18,360 --> 00:03:23,400 system works fine it's a risk because 72 00:03:21,040 --> 00:03:24,920 it's a centralization of hash power but 73 00:03:23,400 --> 00:03:28,480 if they're not directly attacking it 74 00:03:24,920 --> 00:03:30,080 it's not a big deal so that intent to 75 00:03:28,480 --> 00:03:30,920 damage a network is really what talking 76 00:03:30,080 --> 00:03:35,599 about 77 00:03:30,920 --> 00:03:37,959 here um what could 51% attack accomplish 78 00:03:35,599 --> 00:03:39,879 again double spending which is sending 79 00:03:37,959 --> 00:03:42,840 the same amount of money twice I send 80 00:03:39,879 --> 00:03:44,959 you know 50 Monero to an exchange I sell 81 00:03:42,840 --> 00:03:48,760 it on the exchange and then I double 82 00:03:44,959 --> 00:03:50,959 spend using 51% of hash power to you 83 00:03:48,760 --> 00:03:52,640 know what you would call reorganize that 84 00:03:50,959 --> 00:03:55,000 block and then the transaction is no 85 00:03:52,640 --> 00:03:58,159 longer on the chain I have the 50 Monero 86 00:03:55,000 --> 00:04:02,680 the exchange doesn't but I have the 87 00:03:58,159 --> 00:04:05,079 whatever I sold or whatever product
they 88 00:04:02,680 --> 00:04:08,720 bought censoring transactions so 89 00:04:05,079 --> 00:04:11,120 therefore be um certain transactions you 90 00:04:08,720 --> 00:04:14,040 don't want to 91 00:04:11,120 --> 00:04:15,879 be processed would not be processed so 92 00:04:14,040 --> 00:04:18,759 this is more likely in a Bitcoin proof 93 00:04:15,879 --> 00:04:21,519 of work scenario where the uh blockchain 94 00:04:18,759 --> 00:04:24,360 is transparent so let's say a state 95 00:04:21,519 --> 00:04:26,040 actor has 51% of the power they say all 96 00:04:24,360 --> 00:04:27,400 right you know these transactions from 97 00:04:26,040 --> 00:04:30,560 North Korea are going to get censored if 98 00:04:27,400 --> 00:04:33,240 you produce a block that has this UTXO 99 00:04:30,560 --> 00:04:34,720 in it it's not going to get built on 100 00:04:33,240 --> 00:04:35,800 we're going to reject that block and 101 00:04:34,720 --> 00:04:38,000 ignore 102 00:04:35,800 --> 00:04:40,520 it then the third thing is censoring 103 00:04:38,000 --> 00:04:43,160 miners so if a state actor has 51% of 104 00:04:40,520 --> 00:04:45,720 the hashing power and a miner a minority 105 00:04:43,160 --> 00:04:48,280 miner produces a valid 106 00:04:45,720 --> 00:04:50,360 block the majority miners can ignore 107 00:04:48,280 --> 00:04:52,919 that block and therefore the minority 108 00:04:50,360 --> 00:04:55,600 miners lose that block subsidy and the 109 00:04:52,919 --> 00:04:57,800 fee reward for that block so if I'm 110 00:04:55,600 --> 00:05:00,600 mining blocks that the state doesn't 111 00:04:57,800 --> 00:05:02,160 like and they have 51% of the power they 112 00:05:00,600 --> 00:05:03,840 could ignore my block and just build 113 00:05:02,160 --> 00:05:05,800 continue building on the heaviest chain 114 00:05:03,840 --> 00:05:09,280 that they create because they have the 115 00:05:05,800 --> 00:05:11,639 most hash power so essentially 51% 116 00:05:09,280 --> 00:05:14,960 attacker chooses
who gets paid in that 117 00:05:11,639 --> 00:05:16,840 regard because you can censor uh blocks 118 00:05:14,960 --> 00:05:18,840 if the block contains things that you do 119 00:05:16,840 --> 00:05:20,840 not agree with that the you know 120 00:05:18,840 --> 00:05:24,720 attacker or censor does not agree 121 00:05:20,840 --> 00:05:26,319 with identifying 51% attack um these are 122 00:05:24,720 --> 00:05:28,600 the few things I'm sure there's more but 123 00:05:26,319 --> 00:05:31,280 these are the ones I were most obvious 124 00:05:28,600 --> 00:05:34,160 to me number of orphan blocks an orphan 125 00:05:31,280 --> 00:05:36,960 block is a block that's valid but is 126 00:05:34,160 --> 00:05:39,240 later disregarded as being part of the 127 00:05:36,960 --> 00:05:41,280 longest chain and so this can happen 128 00:05:39,240 --> 00:05:44,560 organically in the network with two 129 00:05:41,280 --> 00:05:46,840 blocks being found you know let's say two 130 00:05:44,560 --> 00:05:49,080 different sides of the earth and then 131 00:05:46,840 --> 00:05:50,919 another block is found on top of it and 132 00:05:49,080 --> 00:05:53,240 so the first block that was 133 00:05:50,919 --> 00:05:54,800 found gets disregarded and the newer 134 00:05:53,240 --> 00:05:58,560 block with two blocks on it this the 135 00:05:54,800 --> 00:06:00,680 longer chain gets propagated on and then 136 00:05:58,560 --> 00:06:03,160 it could also happen 51% attack or 137 00:06:00,680 --> 00:06:04,639 again I was just saying you know a miner 138 00:06:03,160 --> 00:06:07,280 or state actor with 139 00:06:04,639 --> 00:06:09,120 51% can ignore certain blocks that have 140 00:06:07,280 --> 00:06:11,319 certain transactions in them where they 141 00:06:09,120 --> 00:06:13,160 don't like and they can just ignore any 142 00:06:11,319 --> 00:06:15,240 block and then continue building because 143 00:06:13,160 --> 00:06:17,319 they have do 100% of the hash power 144 00:06:15,240 --> 00:06:20,560 they're
producing the most work nodes 145 00:06:17,319 --> 00:06:21,759 follow the most work it's just how the 146 00:06:20,560 --> 00:06:24,000 system is 147 00:06:21,759 --> 00:06:26,319 designed again valid blocks not being 148 00:06:24,000 --> 00:06:28,120 mined on similar thing to orphan blocks 149 00:06:26,319 --> 00:06:29,720 and then deep reorgs of the blockchain 150 00:06:28,120 --> 00:06:31,800 so that's like double spending so let's 151 00:06:29,720 --> 00:06:33,960 say your transaction has like five or 152 00:06:31,800 --> 00:06:34,800 six transactions and then suddenly it 153 00:06:33,960 --> 00:06:37,840 has 154 00:06:34,800 --> 00:06:39,800 zero that means the blockchain has been 155 00:06:37,840 --> 00:06:44,919 reorged 156 00:06:39,800 --> 00:06:44,919 by either an adversary or just a chain 157 00:06:45,400 --> 00:06:49,280 split okay so mitigating this is when it 158 00:06:47,960 --> 00:06:51,720 gets 159 00:06:49,280 --> 00:06:53,720 interesting significant energy usage so 160 00:06:51,720 --> 00:06:55,960 proof of work mining is really the 161 00:06:53,720 --> 00:07:00,000 energy put into it if you have you know 162 00:06:55,960 --> 00:07:02,680 one miner using one computer to secure 163 00:07:00,000 --> 00:07:04,879 blockchain it's it's weak you know it's 164 00:07:02,680 --> 00:07:06,840 not much energy behind it so significant 165 00:07:04,879 --> 00:07:08,800 energy usage is one of the most 166 00:07:06,840 --> 00:07:09,840 important things second most important 167 00:07:08,800 --> 00:07:11,800 is highly 168 00:07:09,840 --> 00:07:14,440 distributed high distribution of that 169 00:07:11,800 --> 00:07:16,120 miner energy and so in regards to 170 00:07:14,440 --> 00:07:19,240 Bitcoin you know you have these giant 171 00:07:16,120 --> 00:07:23,199 data centers of mega miners popping up 172 00:07:19,240 --> 00:07:25,560 in US in Canada and Europe these are a 173 00:07:23,199 --> 00:07:28,680 huge security risk because they're 174 00:07:25,560 -->
00:07:31,280 easily identifiable they're usually 175 00:07:28,680 --> 00:07:32,080 registered with the state state usually 176 00:07:31,280 --> 00:07:35,039 you 177 00:07:32,080 --> 00:07:36,240 know could be licensed in the future 178 00:07:35,039 --> 00:07:38,639 they're already trying to tax them 179 00:07:36,240 --> 00:07:40,919 they're easily taxable and so having 180 00:07:38,639 --> 00:07:46,120 these huge data center miners is 181 00:07:40,919 --> 00:07:46,120 not conducive to security of the 182 00:07:46,199 --> 00:07:52,800 network um accessible mining hardware so 183 00:07:50,159 --> 00:07:57,199 ASICs I mean I understand the argument for 184 00:07:52,800 --> 00:07:58,800 ASICs and why they're good and I also 185 00:07:57,199 --> 00:08:02,120 understand this is why they're bad you 186 00:07:58,800 --> 00:08:04,199 know it's hard run ASICs you need 240 volt 187 00:08:02,120 --> 00:08:07,240 you can't run on house current you know 188 00:08:04,199 --> 00:08:10,120 it takes a lot of noise it incentivizes 189 00:08:07,240 --> 00:08:13,360 a more industrial scale mining so you 190 00:08:10,120 --> 00:08:17,039 know the normal person can't just easily 191 00:08:13,360 --> 00:08:20,199 buy an ASIC and plug it in and run it 192 00:08:17,039 --> 00:08:22,159 whereas CPU mining you know you just old 193 00:08:20,199 --> 00:08:24,520 CPU hanging around just plug it in start 194 00:08:22,159 --> 00:08:26,759 mining you don't need any special 195 00:08:24,520 --> 00:08:29,680 electricity on any special you know 196 00:08:26,759 --> 00:08:31,319 ventilation any of that 197 00:08:29,680 --> 00:08:33,320 another part people don't think realize 198 00:08:31,319 --> 00:08:35,080 is plausible deniability so if I'm 199 00:08:33,320 --> 00:08:37,800 buying an ASIC and importing it from 200 00:08:35,080 --> 00:08:40,560 China the SHA-256 ASIC they're going to 201 00:08:37,800 --> 00:08:42,159 know exactly what I'm using it for say 202 00:08:40,560 --> 00:08:43,680 why why
are you buying this you know are 203 00:08:42,159 --> 00:08:46,279 you licensed with the government to use 204 00:08:43,680 --> 00:08:47,760 this to mine on this uh device and not 205 00:08:46,279 --> 00:08:49,760 process illegal 206 00:08:47,760 --> 00:08:52,480 transactions so they're going to know 207 00:08:49,760 --> 00:08:55,480 anyone who's buying a SHA ASIC there's 208 00:08:52,480 --> 00:08:57,959 the only one reason to buy that for uh 209 00:08:55,480 --> 00:09:00,160 ASIC you know Monero if you're buying a 210 00:08:57,959 --> 00:09:01,640 bunch of CPUs there's 100 reasons why 211 00:09:00,160 --> 00:09:05,399 you're buying a bunch of 212 00:09:01,640 --> 00:09:06,640 CPUs they can't prove or even assume 213 00:09:05,399 --> 00:09:09,839 that you're going to be using it to mine 214 00:09:06,640 --> 00:09:13,360 Monero so plausible deniability is a huge uh 215 00:09:09,839 --> 00:09:16,480 point when you're facing a state 216 00:09:13,360 --> 00:09:20,120 adversary in any relation not just in 217 00:09:16,480 --> 00:09:22,800 mining um a uniform UTXO set so again 218 00:09:20,120 --> 00:09:25,760 Bitcoin is transparent UTXOs can be 219 00:09:22,800 --> 00:09:28,880 differentiated Monero on the other hand 220 00:09:25,760 --> 00:09:30,600 it's homogeneous all UTXOs you can't 221 00:09:28,880 --> 00:09:33,240 differentiate them and so the 222 00:09:30,600 --> 00:09:34,680 fungibility is there um we'll talk about 223 00:09:33,240 --> 00:09:37,000 more of this later when we get into the 224 00:09:34,680 --> 00:09:39,240 fee 225 00:09:37,000 --> 00:09:41,480 incentives and then the last thing with 226 00:09:39,240 --> 00:09:44,440 mitigating is disregarding laws and 227 00:09:41,480 --> 00:09:47,279 regulations um if your miners and 228 00:09:44,440 --> 00:09:49,880 nodes are not willing to break the law 229 00:09:47,279 --> 00:09:52,720 they're useless because any moment the 230 00:09:49,880 --> 00:09:53,920 state could say you'll go to jail if you 231 00:09:52,720
--> 00:09:54,959 if you're caught mining Monero or if 232 00:09:53,920 --> 00:09:57,959 you're running a Monero node or if 233 00:09:54,959 --> 00:09:59,800 you're running a Bitcoin node and so the 234 00:09:57,959 --> 00:10:04,320 distinction here white market and black 235 00:09:59,800 --> 00:10:04,320 market is a crucial one 236 00:10:06,040 --> 00:10:09,959 because um the distinction between white market 237 00:10:08,360 --> 00:10:12,760 and black market is crucial because any 238 00:10:09,959 --> 00:10:14,880 white market participant is by 239 00:10:12,760 --> 00:10:18,480 definition going to adhere to any state 240 00:10:14,880 --> 00:10:20,519 regulation or permitting black market by 241 00:10:18,480 --> 00:10:24,040 definition is not going to they're going 242 00:10:20,519 --> 00:10:27,200 to be willing to break the law and do as 243 00:10:24,040 --> 00:10:28,959 they will in a free market and so white 244 00:10:27,200 --> 00:10:30,079 market is always going to be a security 245 00:10:28,959 --> 00:10:33,000 risk 246 00:10:30,079 --> 00:10:34,959 and I say this on Twitter a lot you know 247 00:10:33,000 --> 00:10:36,920 white market hash is a security risk and 248 00:10:34,959 --> 00:10:38,760 the only secure hash is black market 249 00:10:36,920 --> 00:10:40,920 hash because the black market hash would 250 00:10:38,760 --> 00:10:42,959 be is willing to go against and 251 00:10:40,920 --> 00:10:47,000 disregard laws and regulations 252 00:10:42,959 --> 00:10:47,000 concerning their activity in the free 253 00:10:51,040 --> 00:10:56,399 market
262 00:11:18,160 --> 00:11:23,839 this a little meme I made about 263 00:11:20,360 --> 00:11:26,399 it and I think captures it quite 264 00:11:23,839 --> 00:11:28,680 well it just highlights the fact that 265 00:11:26,399 --> 00:11:30,639 white market miners are a security risk 266 00:11:28,680 --> 00:11:33,240 and white market 267 00:11:30,639 --> 00:11:35,560 miners more than often than not build 268 00:11:33,240 --> 00:11:39,399 these giant mining farms that are easily 269 00:11:35,560 --> 00:11:42,279 identifiable easily um seizable easily 270 00:11:39,399 --> 00:11:42,279 exploited 271 00:11:42,399 --> 00:11:48,839 so so let's say a 51% attack happens you 272 00:11:46,079 --> 00:11:52,160 know it's the state actor has gotten the 273 00:11:48,839 --> 00:11:55,360 percentage and we're knee deep in 51% 274 00:11:52,160 --> 00:11:57,720 attack the only solution in a proof of 275 00:11:55,360 --> 00:12:01,399 work system that doesn't require hard 276 00:11:57,720 --> 00:12:05,760 fork is the fee market pressure of the 277 00:12:01,399 --> 00:12:08,079 network and so let's say State accur 51% 278 00:12:05,760 --> 00:12:09,200 of the network they're orphaning blocks 279 00:12:08,079 --> 00:12:13,279 that they don't 280 00:12:09,200 --> 00:12:16,800 like the only defense proof of work NE has 281 00:12:13,279 --> 00:12:19,160 is enough transactions from enough fees 282 00:12:16,800 --> 00:12:21,959 from trans censored transactions that 283 00:12:19,160 --> 00:12:24,959 incentivize black market miners to put 284 00:12:21,959 --> 00:12:26,760 new hash online to reap those fees and 285 00:12:24,959 --> 00:12:30,800 outhash the 286 00:12:26,760 --> 00:12:33,320 attacker and so in Bitcoin it's a little 287 00:12:30,800 --> 00:12:36,800 more obvious because you have the UTXO 288 00:12:33,320 --> 00:12:40,399 set that is transparent and so the
state 289 00:12:36,800 --> 00:12:42,959 actor is censoring any transaction that 290 00:12:40,399 --> 00:12:45,240 they don't like and they're allowing 291 00:12:42,959 --> 00:12:46,839 certain transactions to go through and 292 00:12:45,240 --> 00:12:49,320 so the fee pressure from those censored 293 00:12:46,839 --> 00:12:51,320 transactions needs to get to the point 294 00:12:49,320 --> 00:12:54,560 where black market miners or free market 295 00:12:51,320 --> 00:12:57,399 actors are economically incentivized to 296 00:12:54,560 --> 00:13:01,279 add more hash to the network and outhash 297 00:12:57,399 --> 00:13:03,440 a 51% attacker and this is no guarantee 298 00:13:01,279 --> 00:13:04,720 but that's this is the only method other 299 00:13:03,440 --> 00:13:06,519 than a hard 300 00:13:04,720 --> 00:13:09,839 fork and it makes sense it's 301 00:13:06,519 --> 00:13:09,839 economically rational 302 00:13:10,240 --> 00:13:14,320 and and in regards proof of stake also 303 00:13:12,760 --> 00:13:18,680 this is not possible so in a proof of 304 00:13:14,320 --> 00:13:21,600 stake network when 51% of you know the 305 00:13:18,680 --> 00:13:23,959 stake is obtained by a central actor 306 00:13:21,600 --> 00:13:25,199 there's no way to over out or out stake 307 00:13:23,959 --> 00:13:27,560 them because they're always going to be 308 00:13:25,199 --> 00:13:29,160 getting more stake than everyone else 309 00:13:27,560 --> 00:13:30,760 the reason proof of work works is 310 00:13:29,160 --> 00:13:32,279 because it's an external validation 311 00:13:30,760 --> 00:13:34,440 method where you can actually add more 312 00:13:32,279 --> 00:13:37,079 physical energy to the network a proof 313 00:13:34,440 --> 00:13:38,760 of stake method the consensus is 314 00:13:37,079 --> 00:13:40,199 ingrained within the network the token 315 00:13:38,760 --> 00:13:41,920 is the consensus and the consensus 316 00:13:40,199 --> 00:13:44,199 relies on the token and so proof of 317 00:13:41,920
--> 00:13:46,360 stake is really a non-starter in my 318 00:13:44,199 --> 00:13:49,880 opinion in regards to 51% attacks there 319 00:13:46,360 --> 00:13:52,360 is no way to overcome an attacker 320 00:13:49,880 --> 00:13:53,639 without hard forking on 51% on a proof 321 00:13:52,360 --> 00:13:55,880 of stake 322 00:13:53,639 --> 00:13:58,800 network proof of work allows you to add 323 00:13:55,880 --> 00:14:00,680 energy outhash the attacker and reap the 324 00:13:58,800 --> 00:14:03,240 reward by the censored 325 00:14:00,680 --> 00:14:05,160 transactions um the hard fork methods 326 00:14:03,240 --> 00:14:07,160 change the hashing algorithm that 327 00:14:05,160 --> 00:14:11,519 punishes every miner not just the 328 00:14:07,160 --> 00:14:14,120 attacker so you kind of you know npal 329 00:14:11,519 --> 00:14:15,920 you know the whole entire network and 330 00:14:14,120 --> 00:14:18,279 every miner gets destroyed it's not 331 00:14:15,920 --> 00:14:20,279 really a great solution it's kind of a 332 00:14:18,279 --> 00:14:22,680 last-ditch effort change consensus 333 00:14:20,279 --> 00:14:24,720 mechanism same thing it punishes all 334 00:14:22,680 --> 00:14:27,680 legitimate miners R and black market 335 00:14:24,720 --> 00:14:30,199 miners not just the um adversarial 336 00:14:27,680 --> 00:14:32,360 miners and then 337 00:14:30,199 --> 00:14:33,759 breaking the heaviest chain in Bitcoin I 338 00:14:32,360 --> 00:14:36,360 don't think this is possible in Monero 339 00:14:33,759 --> 00:14:38,279 but in Bitcoin there's a RPC command 340 00:14:36,360 --> 00:14:41,040 where you could uh called invalidate 341 00:14:38,279 --> 00:14:43,360 block and you can manually go in and 342 00:14:41,040 --> 00:14:46,720 invalidate a certain block even if it's 343 00:14:43,360 --> 00:14:48,959 valid and your node will now follow um 344 00:14:46,720 --> 00:14:51,399 will not follow that chain it'll assume 345 00:14:48,959 --> 00:14:54,360 that block is invalid even if that chain 346
00:14:51,399 --> 00:14:57,800 has the heaviest most work done to it 347 00:14:54,360 --> 00:14:59,680 it'll manually go in and fork off from 348 00:14:57,800 --> 00:15:01,399 that block which is essentially breaks 349 00:14:59,680 --> 00:15:04,440 the heaviest chain rule in proof of work 350 00:15:01,399 --> 00:15:07,920 which is the fundamental consensus and 351 00:15:04,440 --> 00:15:10,399 coordination method of the system and so 352 00:15:07,920 --> 00:15:12,000 these three methods aren't great and 353 00:15:10,399 --> 00:15:14,519 again Monero I don't I looked I don't 354 00:15:12,000 --> 00:15:16,240 think Monero has a invalidate block type 355 00:15:14,519 --> 00:15:18,720 command 356 00:15:16,240 --> 00:15:21,519 so again hard forking is not the best 357 00:15:18,720 --> 00:15:23,320 method but it's a kind of a last-ditch 358 00:15:21,519 --> 00:15:26,240 effort you really want to have the 359 00:15:23,320 --> 00:15:26,240 economically rational 360 00:15:26,519 --> 00:15:32,759 method um here's kind of a really simple 361 00:15:29,240 --> 00:15:36,440 graphic that I was inspired by um Eric 362 00:15:32,759 --> 00:15:38,399 Voskuil who's a great thinker in this um in 363 00:15:36,440 --> 00:15:42,759 this space in regards to adversarial 364 00:15:38,399 --> 00:15:45,519 thinking and um economic incentives and 365 00:15:42,759 --> 00:15:47,480 I'll uh source one of his his books at 366 00:15:45,519 --> 00:15:49,759 the end but this was based on his 367 00:15:47,480 --> 00:15:51,600 something I saw he presented and this is 368 00:15:49,759 --> 00:15:54,199 the basis of the security model for 369 00:15:51,600 --> 00:15:56,519 proof of work when Satoshi put together 370 00:15:54,199 --> 00:15:59,240 Bitcoin he essentially created a free 371 00:15:56,519 --> 00:16:01,680 market for block space and what miners 372 00:15:59,240 --> 00:16:04,800 are doing is they're selling you 373 00:16:01,680 --> 00:16:07,560 confirmations via block space and users 374 00:16:04,800 -->
00:16:09,680 are purchasing that block space with 375 00:16:07,560 --> 00:16:11,600 transaction fees and this is the free 376 00:16:09,680 --> 00:16:14,040 market miners are selling block space 377 00:16:11,600 --> 00:16:17,160 users are buying block space it's very 378 00:16:14,040 --> 00:16:20,120 simple this is what the security model 379 00:16:17,160 --> 00:16:22,040 is based on if miners are selling block 380 00:16:20,120 --> 00:16:24,199 space and no one wants to buy it the 381 00:16:22,040 --> 00:16:28,040 network's not secure no 382 00:16:24,199 --> 00:16:29,279 one is using it and vice versa if users 383 00:16:28,040 --> 00:16:31,480 are want to buying block space and 384 00:16:29,279 --> 00:16:34,199 there's no one offering it the security 385 00:16:31,480 --> 00:16:36,199 model breaks down as 386 00:16:34,199 --> 00:16:39,319 well these are a few 387 00:16:36,199 --> 00:16:42,279 caveats that I think are 388 00:16:39,319 --> 00:16:44,240 important um that some people might not 389 00:16:42,279 --> 00:16:47,519 agree with but uh the tail emission 390 00:16:44,240 --> 00:16:49,759 with Monero you know I don't fully agree 391 00:16:47,519 --> 00:16:52,560 that it's adds to security of the 392 00:16:49,759 --> 00:16:56,240 network especially under 51% attack and 393 00:16:52,560 --> 00:16:58,319 because under 51% attack the attacker is 394 00:16:56,240 --> 00:16:59,880 going to get paid the subsidy anyway 395 00:16:58,319 --> 00:17:01,639 there's no way to prevent the attacker 396 00:16:59,880 --> 00:17:03,279 from getting the subsidy so they're Deep 397 00:17:01,639 --> 00:17:05,360 by default getting paid to attack the 398 00:17:03,279 --> 00:17:06,360 network because there's a tail emission 399 00:17:05,360 --> 00:17:09,120 on a 400 00:17:06,360 --> 00:17:10,600 subsidy and also if you have 51% attack 401 00:17:09,120 --> 00:17:13,720 the attacker chooses who gets the 402 00:17:10,600 --> 00:17:16,839 subsidy so if a miner a minority miner 403
00:17:13,720 --> 00:17:18,959 mines a block and that 51% majority 404 00:17:16,839 --> 00:17:21,199 doesn't want them to have that subsidy 405 00:17:18,959 --> 00:17:23,319 they just ignore that block orphan it 406 00:17:21,199 --> 00:17:25,199 and build on their own chain so the 407 00:17:23,319 --> 00:17:28,559 attacker chooses who gets paid when they 408 00:17:25,199 --> 00:17:29,840 have 51% of the attacker and the 409 00:17:28,559 --> 00:17:32,760 attacker is always going to get paid the 410 00:17:29,840 --> 00:17:33,960 subsidy if they 51% because they choose 411 00:17:32,760 --> 00:17:38,679 who gets 412 00:17:33,960 --> 00:17:38,679 paid and uh on Bitcoin same 413 00:17:39,120 --> 00:17:45,880 thing and then this is kind of a kind of 414 00:17:42,880 --> 00:17:49,320 far out there but in regards to like the 415 00:17:45,880 --> 00:17:52,320 UTXO set where um Bitcoin you can see 416 00:17:49,320 --> 00:17:56,600 what's happening UTXO transparent you 417 00:17:52,320 --> 00:17:59,679 can't in some possible way the state 418 00:17:56,600 --> 00:18:01,679 could require you to offer your or 419 00:17:59,679 --> 00:18:04,039 provide your view keys along with your 420 00:18:01,679 --> 00:18:06,640 transaction for them to process your 421 00:18:04,039 --> 00:18:08,679 transaction and put it in a block in the 422 00:18:06,640 --> 00:18:11,039 scenario where they have 51% of the hash 423 00:18:08,679 --> 00:18:14,159 power and so like using transaction 424 00:18:11,039 --> 00:18:15,520 extra field let's say oh we only process 425 00:18:14,159 --> 00:18:17,799 transactions if there's a view key 426 00:18:15,520 --> 00:18:20,480 provided in the transaction extra field 427 00:18:17,799 --> 00:18:23,280 so that would feed back into the fee 428 00:18:20,480 --> 00:18:25,039 pressure mechanism where they're not 429 00:18:23,280 --> 00:18:27,400 processing transactions that have the 430 00:18:25,039 --> 00:18:30,200 view keys or don't have the view keys I 431 00:18:27,400 -->
00:18:31,919 should say so I don't think it's a a 432 00:18:30,200 --> 00:18:33,840 reality and again 433 00:18:31,919 --> 00:18:37,159 Monero based 434 00:18:33,840 --> 00:18:39,919 on um just having ASIC resistance having 435 00:18:37,159 --> 00:18:43,120 more distributed mining not centralized 436 00:18:39,919 --> 00:18:45,679 mining and having transparent UT or 437 00:18:43,120 --> 00:18:47,400 sorry uniform UTXO set and being 438 00:18:45,679 --> 00:18:50,159 completely anonymous really adds to the 439 00:18:47,400 --> 00:18:52,120 defense against 51% 440 00:18:50,159 --> 00:18:53,960 attack I went kind of quick I hope 441 00:18:52,120 --> 00:18:57,000 there's a lot of questions this is um 442 00:18:53,960 --> 00:18:59,159 you can contact me on Twitter this is 443 00:18:57,000 --> 00:19:00,880 the book I got a lot of this information 444 00:18:59,159 --> 00:19:02,840 was inspired and derived from Cryptoeconomics 445 00:19:00,880 --> 00:19:05,480 by Eric Voskuil who's probably 446 00:19:02,840 --> 00:19:07,559 the foremost thinker in these threat 447 00:19:05,480 --> 00:19:09,320 models and adversarial actors this book 448 00:19:07,559 --> 00:19:12,000 is a must if you're interested in this 449 00:19:09,320 --> 00:19:15,280 kind of thing so I recommend it you can 450 00:19:12,000 --> 00:19:19,280 find it for free on his GitHub and I 451 00:19:15,280 --> 00:19:21,120 think it's free on a as digital PDF as 452 00:19:19,280 --> 00:19:25,360 well 453 00:19:21,120 --> 00:19:25,360 so that's it 454 00:19:44,679 --> 00:19:49,240 there any questions or clarifications 455 00:19:46,280 --> 00:19:52,240 I'm happy to go over 456 00:19:49,240 --> 00:19:52,240 it 457 00:19:56,120 --> 00:20:03,240 yeah I have a question 458 00:19:59,200 --> 00:20:07,039 maybe one are you Satoshi 459 00:20:03,240 --> 00:20:11,000 Nakamoto there's no way for me to prove 460 00:20:07,039 --> 00:20:14,760 it even if I had the keys okay I could 461 00:20:11,000 --> 00:20:19,600 have stolen them
yeah sure okay thanks 462 00:20:14,760 --> 00:20:19,600 for your talk man thank you yeah thanks 463 00:20:21,760 --> 00:20:31,509 [Music] 464 00:20:35,320 --> 00:20:41,980 [Music]