Pages:
Author

Topic: Bitcoin Killswitch (Read 3269 times)

legendary
Activity: 1722
Merit: 1000
August 05, 2014, 07:37:57 AM
#65
As this is open source, any kill switch would be publicly visible.  It's not there.  Now then, within a closed source implementation, such as any proprietary "coin" invented by J.P. Morgan for example, a kill switch could easily be hidden.
I said "by design", not "by code". That might sound like a splitting hairs, but its actually really a very different thing.

No
member
Activity: 97
Merit: 10
August 05, 2014, 03:48:43 AM
#64
Here is a possible scenario: A Sybil https://en.bitcoin.it/wiki/Weaknesses attack by an OS vendor that controls 91.68% of the desktop OS market. http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=0. The operating system vendor uses the DRM built into the OS to patch the Bitcoin clients and turn them into malicious clients controlled by it. If the ratio of Bitcoin nodes running on the attacker's OS to the total number of Bitcoin nodes corresponds to the attacker's OS market share, that attacker would control 91.68% of the nodes.

Edit: A variant of this attack is where the attacker manages to create malware that infects the above mentioned OS. If the infraction rate is high enough it could approach the OS market share. If the DRM in the OS is used to spread the malware the attacker could use anti-circumvention laws as a deterrent against anti-malware software.
Good point, but I believe that market of bitcoin nodes is dominated by linux.

On the other hand, MS or other entity could attempt to steal or delete wallets stored on Windows desktops and Windows Phone Clients. If 91% of wallets is suddenly deleted, that could slow down the adoption, or even halt it completely (users would be scared to buy bitcoins again).
sr. member
Activity: 269
Merit: 250
August 05, 2014, 02:02:17 AM
#63

[snip]

Even assuming that "the most difficult to recreate" implies total hashrate and not length thats fairly ambigous.
But anyway, piramida had it right. The comparator on line 80 (starting at line 76) is used by FindMostWorkChain, which in turn is called by ActivateBestChain. And there is no arguing with the code there.

The reason for the argumenting is fairly simple. If total cumulative hashing power is the deciding factor an attacking entity merely needs overwhelming hashing power to revert all transactions since any given point after the last checkpoint. In other words if any an event such as a sudden advance in technology, a majority if mining gear being sold after a reward halving etc ..., allows for a sudden shift in hashing distribution it is fairly easy to create a more difficult chain. To roll back time by time by n blocks within a timeframe with m further blocks you only need to beat the current chain (simplyfying here with a constant hashrate, principle stands one way or another though) (n+m)/m times the hash rate of the official network. E.g. a competing chain running at twice the hashing power of the official chain could roll back 1 day of transactions per passing day.

Using the length of the block chain, while being being having other disadvantages, is not susceptile to such a sudden increase in hashing power. To roll back n blocks within the next n blocks you need (again assuming the real chain stays at constant difficulty c) to exponentially grow the hashing power to catch up. Even assuming someone where to double the initial power c with every difficulty adjustment (and thus halving the time needed to create his own blocks) he would need 2^(2*no. of difficulty switches) the hasing power to catch up. In other words 4* the power to reverse 2016 blocks, spending the first week recreating the last 2016 blocks at double rate and spending the next week to create the 2016 new blocks at quadrouple rate. Trying to reverse 4032 blocks would require 16x current hashrate etc ...


While it is nice to argue about actual numbers I'm not sure what you are trying to get at here.
This type of consensus requires a majority so by definition the majority decides (eventually), regardless if they are the "attacker" or the "regular" chain.
As has been pointed out this actually also applies to the protocol software itself (let us consider abstract functionality and not a concrete implementation) and not just for the blockchain.

Unless you make very strong assumptions that are unrealistic and unwanted for the goals set out by bitcoin there is no circumventing the requirement for a majority of "correct" processes.

Of course one can always hypothetically "destroy" the protocol by assuming that the attacker owns a majority (and also maintains it, because probabilistic consensus means they have to infinitely often outnumber other participants or their "agreed upon" version can still change. This is one difference to deterministic consensus where the result does not just converge towards a probability of 1 but actually is 1).


As for the assumption of an ominous "kill switch". Effectively this is a majority attack on the (perceived) protocol functionality.
To me the only reasonable assumption where such a scenario could occur is if the ECDSA implementation of bitcoin was fundamentally flawed, allowing an attacker to spend from arbitrary addresses.
One could still try to migrate to another signing implementation but if there is no confidence in the validity of the current distribution of funds it makes little sense to try and salvage it as you cannot reasonably distinguish between rightfully owned addresses and those with stolen funds.


donator
Activity: 1218
Merit: 1079
Gerald Davis
August 04, 2014, 11:26:37 PM
#62
Control over a certain % of nodes doesn't give you any special power over the network.   As long as nodes can connect to at least one honest node they can distinguish the longest chain.
legendary
Activity: 2282
Merit: 1050
Monero Core Team
August 04, 2014, 10:50:43 PM
#61
Here is a possible scenario: A Sybil https://en.bitcoin.it/wiki/Weaknesses attack by an OS vendor that controls 91.68% of the desktop OS market. http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=8&qpcustomd=0. The operating system vendor uses the DRM built into the OS to patch the Bitcoin clients and turn them into malicious clients controlled by it. If the ratio of Bitcoin nodes running on the attacker's OS to the total number of Bitcoin nodes corresponds to the attacker's OS market share, that attacker would control 91.68% of the nodes.

Edit: A variant of this attack is where the attacker manages to create malware that infects the above mentioned OS. If the infraction rate is high enough it could approach the OS market share. If the DRM in the OS is used to spread the malware the attacker could use anti-circumvention laws as a deterrent against anti-malware software.
legendary
Activity: 1862
Merit: 1009
August 04, 2014, 08:41:11 PM
#60
There is the 51% attack, but anyone in position to do that would be gaining tons of money with mining.

So it would be more like suicide bomb switch.


If it happens, goodbye to descentralized currencies
legendary
Activity: 1904
Merit: 1037
Trusted Bitcoiner
August 04, 2014, 08:03:35 PM
#59
sr. member
Activity: 322
Merit: 250
August 02, 2014, 01:30:07 PM
#58
No, the developer documentation says "the most difficult chain to recreate", but I really don't know why we're arguing about this.
Well, to be precise it says
Quote
Assuming a fork only contains valid blocks, normal peers always follow the longest fork (the most difficult chain to recreate) and throw away (orphan) blocks belonging to shorter forks.
and
Quote
For a client to be fooled, an adversary would need to give a complete alternative block chain history that is of greater difficulty than the current “true” chain, which is impossible due to the fact that the longest chain is by definition the true chain.
Even assuming that "the most difficult to recreate" implies total hashrate and not length thats fairly ambigous.
But anyway, piramida had it right. The comparator on line 80 (starting at line 76) is used by FindMostWorkChain, which in turn is called by ActivateBestChain. And there is no arguing with the code there.

The reason for the argumenting is fairly simple. If total cumulative hashing power is the deciding factor an attacking entity merely needs overwhelming hashing power to revert all transactions since any given point after the last checkpoint. In other words if any an event such as a sudden advance in technology, a majority if mining gear being sold after a reward halving etc ..., allows for a sudden shift in hashing distribution it is fairly easy to create a more difficult chain. To roll back time by time by n blocks within a timeframe with m further blocks you only need to beat the current chain (simplyfying here with a constant hashrate, principle stands one way or another though) (n+m)/m times the hash rate of the official network. E.g. a competing chain running at twice the hashing power of the official chain could roll back 1 day of transactions per passing day.

Using the length of the block chain, while being being having other disadvantages, is not susceptile to such a sudden increase in hashing power. To roll back n blocks within the next n blocks you need (again assuming the real chain stays at constant difficulty c) to exponentially grow the hashing power to catch up. Even assuming someone where to double the initial power c with every difficulty adjustment (and thus halving the time needed to create his own blocks) he would need 2^(2*no. of difficulty switches) the hasing power to catch up. In other words 4* the power to reverse 2016 blocks, spending the first week recreating the last 2016 blocks at double rate and spending the next week to create the 2016 new blocks at quadrouple rate. Trying to reverse 4032 blocks would require 16x current hashrate etc ...
hero member
Activity: 563
Merit: 500
August 02, 2014, 12:05:08 PM
#57
No, the developer documentation says "the most difficult chain to recreate", but I really don't know why we're arguing about this.
legendary
Activity: 1148
Merit: 1018
It's about time -- All merrit accepted !!!
August 02, 2014, 10:41:12 AM
#56
keep dreaming go back to sleep
legendary
Activity: 1596
Merit: 1030
Sine secretum non libertas
August 02, 2014, 10:40:09 AM
#55
By the way, this topic has nothing to do with this speculation section.

Risk is always central to speculation, so I disagree.  It's silly, but it's not irrelevant.

Now my Eva Air grab, that was irrelevant.

legendary
Activity: 1596
Merit: 1030
Sine secretum non libertas
August 02, 2014, 10:34:28 AM
#54
in this most ridiculous sanrio it would fly.

In this most ridiculous Sanrio it would fly:

sr. member
Activity: 322
Merit: 250
August 02, 2014, 09:59:43 AM
#53
The code you are looking for is comparison between blockchain difficulties. The parameter is nChainWork which is a sum of work of all found blocks on the chain. This parameter decides which chain lives (main.cpp line 80 for example)
Ok, finally a decent answer, gonna check it.
sr. member
Activity: 322
Merit: 250
August 02, 2014, 09:59:22 AM
#52
Let me turn this around.  Everyone is telling you it is done this way - why are you somehow convinced it isn't?
Simply because your link says the opposite of what you said.
Quote
... due to the fact that the longest chain is by definition the true chain.
legendary
Activity: 1176
Merit: 1010
Borsche
August 02, 2014, 08:18:33 AM
#51
The code you are looking for is comparison between blockchain difficulties. The parameter is nChainWork which is a sum of work of all found blocks on the chain. This parameter decides which chain lives (main.cpp line 80 for example)
hero member
Activity: 563
Merit: 500
August 02, 2014, 08:08:14 AM
#50
The purpose wasn't to demonstrate a real attack scenario - it was to try and help motivate why this is a better way to define the longest chain.
Do you mean "why you would think this would be a better way" or that "its actually being done this way"?


It is actually being done this way.  Why do you think otherwise?

Not a link to the code, I know, but the developer documentation says "Assuming a fork only contains valid blocks, normal peers always follow the longest fork (the most difficult chain to recreate) and throw away (orphan) blocks belonging to shorter forks." https://bitcoin.org/en/developer-guide#block-height-and-forking

Let me turn this around.  Everyone is telling you it is done this way - why are you somehow convinced it isn't?

legendary
Activity: 1792
Merit: 1111
August 02, 2014, 08:06:21 AM
#49
Quote
What would be the consequences?

orphaned block, not a shit was given.
And if the block was several blocks longer than the "valid" block chain?
I mean, if the "attacking" blockchain was longer?

The attacking blockchain will be considered as invalid by other people, and will be ignored. It's length is irrelevant

By the way, this topic has nothing to do with this speculation section.
sr. member
Activity: 322
Merit: 250
August 02, 2014, 07:39:40 AM
#48
The purpose wasn't to demonstrate a real attack scenario - it was to try and help motivate why this is a better way to define the longest chain.
Do you mean "why you would think this would be a better way" or that "its actually being done this way"?
hero member
Activity: 563
Merit: 500
August 02, 2014, 07:14:28 AM
#47
Because what you are saying is very naive. I dont believe Satoshi was that naive.

It's a thought experiment, so by definition it's naive.  The purpose wasn't to demonstrate a real attack scenario - it was to try and help motivate why this is a better way to define the longest chain.

sr. member
Activity: 322
Merit: 250
August 02, 2014, 06:34:26 AM
#46
Citation required (preferably a link to the source file).

Yes.
I really would prefer a link to the source. Found those for checkpoints, but a quick google didnt find anything corresponding to a "cumulative difficulty".

Here's a thought experiment for you.  Imagine that the day Satoshi launched Bitcoin someone forked the blockchain, right from the Genesis block.  He's been mining, on a tiny computer, since that day.  On his chain, the difficulty never went much above 1, because he's the only miner - but his chain still produces one block every ten minutes.   He's been doing this since day 1, and his blockchain is about the same length as the real one.  It varies from time to time - sometimes his chain is a couple of blocks longer, sometimes a couple of blocks shorter.
I already played that thought experiment. Given the average increase of ~7% per difficulty switch this hypothetical chain would have a difficulty of 1.07^155 or roughly 36k.


Today, his chain is a couple of blocks longer than the public chain.  Today, he broadcasts all his blocks to the world.

In a naive world, his 313631 blocks would be considered longer than the official chain of 313629 blocks, and every client on the planet would immediately have a block reorganisation, and accept his chain as valid.

But Satoshi wasn't naive.  In the real world, his chain is worthless, because a block mined at difficulty 18 billion is considered to be 18 billion times more work than a block mined at difficulty 1.
As i said i still want to see that in code.
Because what you are saying is very naive. I dont believe Satoshi was that naive.
Given the exponentially decrease in network security (due to block reward halvings) relative to the worth of the network the attack would just get cheaper relative to potential disruption. As soon as undoing a transaction (even if its more than 6 blocks old) is a lot cheaper than actually loosing the money you spent, hey whats to stop someone. Well, except for the central bitcoin authority adding more checkpoints.
Pages:
Jump to: