EDIT: Everywhere I say that we wait 5 blocks/confirmations, that's just a number I picked. I think you could conservatively use fewer confirmations, but there's a bunch of network analysis you'd have to do to calculate what the probability of a transaction not being included in N sequential blocks simply due to network instability. I didn't do that network analysis, so you might need more or fewer confirmations to be reasonably sure that censorship is occurring and not just network instability.
> I assumed you meant manually. This method isn't possible to automate under PoW, because any such actions require global time, but PoW is what provides time itself, creating a contradiction. What this means in practice is network splits.
I don't think you need global time to do this. More on this later in this post.
> as what would happen is nodes that were online and observed the situation would follow one chain, but everyone else that joins later wouldn't be able to confirm that censorship actually happened, and follow another. If you have a solution that solves it, you solved the fundamental problem - absolute order - some other way and PoW becomes completely superfluous.
This situation resolves itself naturally via the mechanism I proposed.
Let's follow the scenario you propose and see how it resolves. The following events happen in this order:
1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.
2. A transaction from that address is broadcasted.
3. Chinese miners mine 5 blocks that don't contain the transaction. Nodes which have been on the network the whole time notice the censored transaction, and go to the next-longest chain, creating a fork.
4. A new node joins the network. From the new node's perspective, there are two chains, but the Chinese one is longer so you go with that. However, you still have the signed transactions from the shorter chain, and your node notices that the Chinese chain doesn't contain some of those transactions. At the time of joining, as far as you know, that transaction simply hasn't been included in the longest chain yet.
5. Chinese miners mine 5 more blocks that don't contain the transaction. The newly-added node now notices the censored transaction, rendering the current chain invalid, and goes to the longest valid chain, which is the one everyone else was on. Consistency achieved.
The implication of this solution is that when you join the network, you now have to wait for 5 confirmations to ensure none of the transactions you have are being censored in the longest chain (i.e. it takes 5 confirmations to know that the longest chain is valid). Which is certainly an important implication!
Note that absolute order doesn't matter here. We don't have to know the order of the transaction, only that it has existed for some number of blocks without being included in the chain.
> Then there's a problem of: what happens when there are contradictory transactions on two different chains at once? How do you decide which one is valid? This gets complex very fast.
The way you've worded it, that's not really all that complex--that's the same as a double spend, and it's resolved the same way any other contradictory transaction is resolved: follow the longest (valid) chain (where part of the definition is "valid" is "containing all transactions I've had for 5 confirmations").
However, I think you might have left out part of what you meant here, so I'll try to explain what I think you're hinting at. There's a sophisticated way for China to hide their attack. It works like this:
1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.
2. A transaction from that address is broadcasted. We'll call this the censored transaction.
3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.
4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.
5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.
6. 4 more blocks are mined on the censored chain.
7. A new node joins the network.
8. At this point, the censored branch doesn't include the red herring transaction, and the red herring branch doesn't include the censored transaction. So our previous resolution strategy doesn't work, because we don't know whether it's the red herring transaction or the censored transaction that's being censored.
First, I want to say, this is a really sophisticated attack and I want to congratulate you for coming up with it.
Second, I think this problem can be solved by sweeping up ALL the transactions in EVERY block you receive, even if they are in blocks which haven't been confirmed, and treat them as if they were broadcast to you on the network. This way, the red herring transaction gets included into the censored branch. This gives us a new resolution:
1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.
2. A transaction from that address is broadcasted. We'll call this the censored transaction.
3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.
4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.
5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.
6. A new block is mined on the censored chain. Since we've swept up all the transactions from the red herring chain, this block includes the red herring transaction.
7. A new node joins the network and assumes the red herring chain is the longest valid chain.
8. After 5 blocks, the new node sees the red herring chain does not contain the censored transaction, invalidates the red herring chain, and goes to the longest valid chain, which is the censored chain. Consistency achieved.
Your solution regularly leads to orphans 5 blocks deep, making the network unstable. Now consider this:
- Chinese miners (the network doesn't know that) publish a normal transaction.
- they don't include it for 30 blocks. Western nodes have already switched to a minority uncensored chain after 5 blocks, as they consider the transaction censored.
- Chinese miners include it in 31st block.
A new node joins. It follows the Chinese chain indefinitely.
The core of the problem is lack of objective time (or at least ordering): there's no way to prove to the new node that a transaction was actually censored in the past. From its perspective, the minority chain might have been created after the Chinese block with the transaction was published. As long as there's no external objective time, it's always possible to invent some attack scenario that splits the network for new nodes.
Last but not least, every minority chain is by definition vulnerable to 51% attacks, so even if a solution to censorship could exist in PoW, the minority chain could get intentionally killed this way, constantly generating double spends until people stop using it.
> Your solution regularly leads to orphans 5 blocks deep, making the network unstable.
Only if China decides to hamper the speed of their miners by pointlessly trying unsuccessfully to censor transactions.
> - Chinese miners (the network doesn't know that) publish a normal transaction.
> - they don't include it for 30 blocks. Western nodes have already switched to a minority uncensored chain after 5 blocks, as they consider the transaction censored.
> - Chinese miners include it in 31st block.
> A new node joins. It follows the Chinese chain indefinitely.
Okay, yes. And so does the entire rest of the network, because now the blocks are valid. Yes, this is very bad, because anyone who spent money in the shorter chain can now re-spend their coins.
But critically, nothing was censored here. This is a transaction reordering, not a censorship attack.
China can do the exact same thing with fewer steps. All they have to do is go back 30 blocks, and start mining blocks with the transactions in whatever order they want. Eventually their branch will be ahead and everyone will switch to it.
> I assumed you meant manually. This method isn't possible to automate under PoW, because any such actions require global time, but PoW is what provides time itself, creating a contradiction. What this means in practice is network splits.
I don't think you need global time to do this. More on this later in this post.
> as what would happen is nodes that were online and observed the situation would follow one chain, but everyone else that joins later wouldn't be able to confirm that censorship actually happened, and follow another. If you have a solution that solves it, you solved the fundamental problem - absolute order - some other way and PoW becomes completely superfluous.
This situation resolves itself naturally via the mechanism I proposed.
Let's follow the scenario you propose and see how it resolves. The following events happen in this order:
1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.
2. A transaction from that address is broadcasted.
3. Chinese miners mine 5 blocks that don't contain the transaction. Nodes which have been on the network the whole time notice the censored transaction, and go to the next-longest chain, creating a fork.
4. A new node joins the network. From the new node's perspective, there are two chains, but the Chinese one is longer so you go with that. However, you still have the signed transactions from the shorter chain, and your node notices that the Chinese chain doesn't contain some of those transactions. At the time of joining, as far as you know, that transaction simply hasn't been included in the longest chain yet.
5. Chinese miners mine 5 more blocks that don't contain the transaction. The newly-added node now notices the censored transaction, rendering the current chain invalid, and goes to the longest valid chain, which is the one everyone else was on. Consistency achieved.
The implication of this solution is that when you join the network, you now have to wait for 5 confirmations to ensure none of the transactions you have are being censored in the longest chain (i.e. it takes 5 confirmations to know that the longest chain is valid). Which is certainly an important implication!
Note that absolute order doesn't matter here. We don't have to know the order of the transaction, only that it has existed for some number of blocks without being included in the chain.
> Then there's a problem of: what happens when there are contradictory transactions on two different chains at once? How do you decide which one is valid? This gets complex very fast.
The way you've worded it, that's not really all that complex--that's the same as a double spend, and it's resolved the same way any other contradictory transaction is resolved: follow the longest (valid) chain (where part of the definition is "valid" is "containing all transactions I've had for 5 confirmations").
However, I think you might have left out part of what you meant here, so I'll try to explain what I think you're hinting at. There's a sophisticated way for China to hide their attack. It works like this:
1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.
2. A transaction from that address is broadcasted. We'll call this the censored transaction.
3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.
4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.
5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.
6. 4 more blocks are mined on the censored chain.
7. A new node joins the network.
8. At this point, the censored branch doesn't include the red herring transaction, and the red herring branch doesn't include the censored transaction. So our previous resolution strategy doesn't work, because we don't know whether it's the red herring transaction or the censored transaction that's being censored.
First, I want to say, this is a really sophisticated attack and I want to congratulate you for coming up with it.
Second, I think this problem can be solved by sweeping up ALL the transactions in EVERY block you receive, even if they are in blocks which haven't been confirmed, and treat them as if they were broadcast to you on the network. This way, the red herring transaction gets included into the censored branch. This gives us a new resolution:
1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.
2. A transaction from that address is broadcasted. We'll call this the censored transaction.
3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.
4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.
5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.
6. A new block is mined on the censored chain. Since we've swept up all the transactions from the red herring chain, this block includes the red herring transaction.
7. A new node joins the network and assumes the red herring chain is the longest valid chain.
8. After 5 blocks, the new node sees the red herring chain does not contain the censored transaction, invalidates the red herring chain, and goes to the longest valid chain, which is the censored chain. Consistency achieved.