Author

Topic: 51%-attack - Why exactly "51 percent"? (Read 776 times)

staff
Activity: 4284
Merit: 8808
April 15, 2014, 10:59:44 AM
#11
Preventing an attacker from replacing the current blockchain with his alternative chain isn't the purpose of the checkpoints.  That's just a side effect of their existence.
Precisely. Checkpoints are there to prevent a number of dos attacks where we'd waste storage or resources on bogus forks which are never going to be better. They also allow for some optimizations, and also ensure that you can't successfully fool a node by isolating it from the start. There are other, better but more complicated, ways to address those issues, so I expect that they will eventually be removed from the reference client.
legendary
Activity: 3472
Merit: 4801
April 15, 2014, 09:45:28 AM
#10
Quote from: TierNolan

In theory, you could reverse all transactions since the last checkpoint.

Nolan, can you explain what you mean by a checkpoint?

https://en.bitcoin.it/wiki/Checkpoint_Lockin

Thanks, that explains it. So in theory even if there were a successful attack couldn't everyone just agree to roll back to the last solid checkpoint?

Checkpoints are intentionally pretty deep in the blockchain.  If I remember correctly, the most recent checkpoint is block height 279000.  That's 2014-01-06. The checkpoint before that was block height 250000 (2013-08-03). An attacker with a majority of the hash power can't roll the blockchain back more than the last checkpoint because any peer will reject their chain if their block doesn't match the checkpoint block hash (and therefore any blocks they build on top of their invalid block).  So it limits how far the attacker can roll things back.  It isn't much protection though.  Replacing a chain that deep would be devastating. Anything that would require us to roll back that far would quite possibly have destroyed faith in bitcoin enough for it to become useless. All coins mined since the last checkpoint would immediately vanish (as would every transaction that includes any fraction of any of those mined coins).

Preventing an attacker from replacing the current blockchain with his alternative chain isn't the purpose of the checkpoints.  That's just a side effect of their existence.
full member
Activity: 182
Merit: 100
April 15, 2014, 09:34:08 AM
#9
Quote from: TierNolan

In theory, you could reverse all transactions since the last checkpoint.

Nolan, can you explain what you mean by a checkpoint?

https://en.bitcoin.it/wiki/Checkpoint_Lockin

Thanks, that explains it. So in theory even if there were a successful attack couldn't everyone just agree to roll back to the last solid checkpoint?
legendary
Activity: 3472
Merit: 4801
April 15, 2014, 09:11:03 AM
#8
Quote from: TierNolan

In theory, you could reverse all transactions since the last checkpoint.

Nolan, can you explain what you mean by a checkpoint?

https://en.bitcoin.it/wiki/Checkpoint_Lockin
legendary
Activity: 3472
Merit: 4801
April 15, 2014, 09:08:40 AM
#7
Thanks for replies.

If I got it correctly an attacker can secretly mine a chain of blocks. If he reveals the chain, and his chain is longer, he will then reverse all transaction back to the first block of his chain. If he has more than 50% he can routinely do this, hence make Bitcoin practically unusable. An attacker with less than 50% can only do this at occasions and cause minor problems. Correct?

Correct, and an attacker with less than 50% does this at great expense to themselves.  Every time that they don't immediately broadcast the block that they've just solved, and instead keep it hidden while trying to keep ahead of the rest of the network, they risk the block reward of that block and the reward of the rest of the chain that they build while they try to catch up if they fail to surpass the honest network.

If they are trying to reverse 6 blocks, and they only manage to stay ahead of the honest chain for 5 blocks, Then they lose out on at least 125 BTC today (plus any transaction fees they could have claimed if they had included fee paying transactions in those 5 blocks).
full member
Activity: 182
Merit: 100
April 15, 2014, 09:04:28 AM
#6
Quote from: TierNolan

In theory, you could reverse all transactions since the last checkpoint.

Nolan, can you explain what you mean by a checkpoint?
newbie
Activity: 42
Merit: 0
April 15, 2014, 08:59:50 AM
#5
Thanks for replies.

If I got it correctly an attacker can secretly mine a chain of blocks. If he reveals the chain, and his chain is longer, he will then reverse all transaction back to the first block of his chain. If he has more than 50% he can routinely do this, hence make Bitcoin practically unusable. An attacker with less than 50% can only do this at occasions and cause minor problems. Correct?
legendary
Activity: 3472
Merit: 4801
April 15, 2014, 08:44:53 AM
#4
As far as I've understood an attacker can destroy the Bitcoin-network if he solves several blocks in a row.

You've understood incorrectly.  All an attacker can do is reverse some of their own transactions, or delay other transactions from being confirmed.  This will not "destroy the Bitcoin-network".  Blocks are orphaned on a daily basis, this does not result in destruction of the Bitcoin network.

Say the attacker needs to solve six blocks in a row to destroy the network.

Why not say that the attacker needs 100 blocks to destroy the network (since they can't even spend any of their newly mined bitcoins until they have 100 confirmations).

What I wonder is
1) Is my premise wrong?

Yes. Your premise is wrong.

Can bitcoin be destroyed if one attacker mines several blocks in a row?

That depends on what they do with those blocks, and how many they mine.

2) Is there something else that makes 51% the threshold for being able to destroy the network?

If an attacker can maintain more than 50% of the total hasing power of the entire network, then they are guaranteed the ability to mine EVERY block.  This means they can prevent ANY transactions from EVER confirming.  It means they are guaranteed the ability to arbitrarily roll back thousands of blocks. It means they are guaranteed the ability to reverse EVERY transaction they send.
legendary
Activity: 1232
Merit: 1094
April 15, 2014, 08:41:13 AM
#3
As far as I've understood an attacker can destroy the Bitcoin-network if he solves several blocks in a row.

No, the attacker could reverse transactions within the last hour or so.  That would lead to double spending, but wouldn't be a complete destruction.

Merchants with high value transactions would be recommended to wait for more than 6 confirms.

Waiting more confirms gives better security, if miners started to reverse transactions.

Quote
What I wonder is
1) Is my premise wrong? Can bitcoin be destroyed if one attacker mines several blocks in a row?
2) Is there something else that makes 51% the threshold for being able to destroy the network?

The point is that with < 50% of the hashing power, you can sometimes reverse a small number of blocks.

51% is a shorthand to mean more than 50%.  With > 50%, you can reverse an unlimited number of blocks.

In theory, you could reverse all transactions since the last checkpoint.  

There is less risk.  An attacker with more than 50% can reverse transactions with certainty, while one with less than 50% has only a probability.

There are attacks that allow a miner with > 50% to break the difficulty system and create an unlimited number of blocks very quickly.  This would allow the miner to take all the remaining minting fees.
hero member
Activity: 728
Merit: 500
April 15, 2014, 08:36:01 AM
#2
Bitcoin is not 'destroyed' if an attacker mines several blocks in a row. The actual damage that an attacker can do in this scenario is rather limited. The attacker could choose to not include certain (or any) transactions in blocks he mines. Additionally an attacker may choose not to broadcast a block he has mined, but instead continue to build on his own version of the chain privately and at some point, if his chain exceeds the main blockchain in length, broadcast the private chain and override the main blockchain, invalidating one or more recent blocks.

The first option (not include transactions) is available to anyone who mines a block. The second option relies on the fact that the attacker has to generate blocks faster than the rest of the network does. With luck, this can and will happen for short periods of time even with smaller amounts of hashing power.

But only when the hashrate of the attacker exceeds that of the legitimate users of the network, will this become a major problem. In this case, if the attacker waits long enough, he should always obtain a privately mined chain that exceeds the length of the public chain and he should always be able to invalidate blocks mined by other miners.

If an attacker has a small amount of hashing power, he may be able to disrupt the network at a random time, for a brief period by orphaning one or more valid blocks. But it'll be a temporary disruption only. 51% (or more) hashrate is required to be able to permanently lock down block generation and prevent other miners from contributing to the blockchain (assuming no external measures are taken to fight the attack).
newbie
Activity: 42
Merit: 0
April 15, 2014, 08:26:45 AM
#1
As far as I've understood an attacker can destroy the Bitcoin-network if he solves several blocks in a row.
Say the attacker needs to solve six blocks in a row to destroy the network.

He can do this even with 10% of the hashing power, although it is unlikely.
Probability of solving six blocks in row is 0.1^6, equals one in a million, or inversely, the probability of not doing so is 999,999 / 1,000,000.
But he only needs to do this once, not necessarily starting at the next block. He can just as well do it 10,000 blocks down the road.

Which leads us to the probability of not doing it any of these 10k times to (999,999/1,000,000)^10,000 = 0.99, or inversely, there is a 1% chance the attacker will succeed within the next 10,000 blocks.

Do the math and see how this increases if the attacker has 15%, 20%, 30% and so on.

What I wonder is
1) Is my premise wrong? Can bitcoin be destroyed if one attacker mines several blocks in a row?
2) Is there something else that makes 51% the threshold for being able to destroy the network?
Jump to: