Topic: Bitcoin's kryptonite: The 51% attack. - page 2. (Read 27668 times)

Nah you're all wrong, turns out bitcoins realkryptonite is a nerd making a post on an internet forum about how the price of bitcoins is crashing and how all the greasy neckbearded libertarians who believe in their currency based on cheeto dust should bail out of it before they're reduced to penniless hobos.

Storage is decentralized.

Mining is centralized. Entry is as well.

Trading is centralized. Decision making is also.

There's your vulnerabilities.

Related topic

Inevitable development into mining elite?
http://forum.bitcoin.org/index.php?topic=15345.0

Napster was not a pure p2p program. It relied on a central server, and thus had a single point of failure. Bitcoin does NOT have a central point of failure. You literally need more hashing power than all of the honest nodes to disrupt the network.

IMO, Seeing this network grow, learning and profiting from it would be better to these groups that attacking it.

The "current" network could only protect itself if these superpower start competing at the same time.

Given the resources available and the small ratio of ASIC/GPU making up the total, I would not expect an attack to be imminent.  We're nowhere near parity with electrical cost on 40 nm ASIC.

https://i.imgur.com/pkMU6.png

The first point would be wonderful if feasible.

Regarding the second point, take into consideration that the whole paradigm of security/honesty of Bitcoin is based on brute hashing power. Reducing hashing power means getting weaker to attacks. What you say would require changing the whole security paradigm of Bitcoin. Not saying its not possible, but would need some of out of the box thinking IMO. But then again, I am just a newbie here.

would it be possible to detect such an attack and "vote the attacker out of the network"?

just random thoughts... like upgrading to a client that limits haspower within a certain region or ip-range...

Ahh, I get your point now.  I haven't given much consideration to a griefer attack.  I will ponder it.

The reason we don’t come to the same conclusion is not because of technical disagreements regarding Bitcoin, but instead because of the assumptions we are making about the nature, the resources, and the goals of the attacker. If you are interested, you can read this thread from the beginning to understand what the scenario I am considering is, and why I think it is a probable scenario. But to summarize, I am considering a very wealthy attacker, for example a banking cartel, one or more central banks, one or more big governments. Add to this lots of organization, and preparation. And finally a strategic, not financial goal.

The people who issue and control the money are the most powerful group in this planet. They are worth trillions. Money is their fundamental power source. You take away that power from them, and they will react. Bitcoin could be a revolution that changes the way the monetary power is distributed in the world. Wars have been fought for the control of Money.

You are assuming the attack is done to gain a direct financial gain in terms of bitcoins. You also assume the attacker would use the installed base of 3D gaming cards. In the scenario I am considering, this is not the case. This attacker could buy or build 10 factories of hashing hardware in China, could design his own hashing hardware and software, could pay the best programmers and engineers on planet earth, spend months, or even a couple of years preparing the attack. More easily, they could end up buying the majority of the miners in the market, or putting them out of business by predatory competition. They could sustain the attacks for days, months, or years. For the attacker in this scenario, the price does not matter, they can operate below cost. For all practical purposes they have unlimited financial resources. If they fall short, the just print more money to buy more things.

One mistake I have read, is saying that Bitcoin is as resilient as Napster, by being p2p. We cannot equate Bitcoin with Napster. Napster has no single point of failure; it is truly decentralized information and decentralized functionality. In Bitcoin, on the other hand, we have a defacto centralization on mining power. You mess with mining power and you render the system useless. It doesn’t mater that the user base is decentralized, if we cannot assure mining stays decentralized and honest. As I am trying to point out, the dependence on miners is the weakest link, and the single point of failure of Bitcoin right now, if we consider the possibility of attack from the establishment.

Anyone else sees the logic in my arguments, or shares my concern for this scenario?

It isn't easy because of the gigantic amount of resources necessary for the attack.  For example, you could not purchase enough hashing power today to do the attack, because it does not exist in the world in purchasable form.  I would even say that there is only one government in the world that would even have the potential ability to confiscate enough hashing power by sending armed troops into peoples houses and stealing their video cards.  Someone would notice that.  It would require months or years of gathering resources, all while the network is growing, and even a slow acquisition would likely be noticed.

And it isn't useful, because your payback for spending all of this time and money gathering hashing power is the ability to turn back a few transactions.  What possible transaction would you reverse that was worth your 50 million dollar investment?  Keep in mind that as the value of future transactions grows, so will the cost of doing the attack.  Right now you would need to own roughly a quarter of all existing bitcoins, and spend all of them within the attack window, to beat the cost of your investment.  That ratio will probably change somewhat in the future, but the attack will never make sense unless you already control a non-trivial fraction of the bitcoins in the world, and can find enough victims to accept all of them in a short period.

And that other thread you link isn't about this sort of attack at all.  It is about difficulty and price manipulation.

And again, exponential difficulty can make these attacks even more costly.

Another ones

50%+ Attack Nodes
http://forum.bitcoin.org/index.php?topic=435.0


Manipulating the mining system via strategic scheduled withholding of CPU power
http://forum.bitcoin.org/index.php?topic=11133.0

Yet another relevant thread.

Is it possible to detect double spending in the > 50% network takeover scenario?
http://forum.bitcoin.org/index.php?topic=1481.0

This thread discusses a different problem that could have implications to this discussion, what happens if the internet partially fails, or different parts of the world become isolated because of some temporal connection failure. Gavin gives an interesting answer.

Bitcoin resitance to network failures
http://forum.bitcoin.org/index.php?topic=4575.0

Another related thread:

What's the plan about the Sybil attack?
http://forum.bitcoin.org/index.php?topic=8051.0

I have seen other people claim that this attack is not easy nor useful, but when asked to explain why their argument crumbles. By the way, I saw this post from kjj in another thread:


Several orders of magnitude more computing power than the rest of the world combined to manipulate the chain? Hmmm. One thing is clear, you only need 50% or less of the total mining capacity (supposedly currently worth 50 million dollar or less) to create lots of problems. And this would be the most expensive attack possible. Obvioulsy you could come up with more cost efficient ways to attack. Clearly, you dont need alien technology.

This thread (and the link inside) covers some problems by too powerful pools. Remember this dosent fix the more fundamental problem of hashing power attack, because as allready discussed in this thread, you dont need to own a pool to attack the network. But is goes in the right direction of reducing the vulnerabilities.

The 50% total hashing power - pooling flaw?
http://forum.bitcoin.org/index.php?topic=11424.0

For those interested, I have been searching previous threads where this issue was specifically covered. I will post them here for convenience. Here is the first one:

Stopping an attacker who has >50% of the hashing power
http://forum.bitcoin.org/index.php?topic=7166.msg105218#msg105218

How I understand this issue

I'm going to intentionally use made up numbers to make the math easier. Concepts should remain the same. Also going to use http://en.wikipedia.org/wiki/Alice_and_Bob terminology.

Imagine combined honest rate is 100. That would mean Eve needs at least a rate of 100+ herself. If she has that, she could announce a bitcoin transaction for buying something from Bob. At the same time she announces a different transaction to her own mining pool. Both the honest pool and Eve's pool start computing their block chain. At some point Bob will accept the transaction as verified. Let's say this occurs at block x.

At this point, three possibilities exist: Eve's block chain could be longer than the honest one, it could be equal, or it could be shorter. Depending on the ratio of Eve's rate vs the honest rate, one of these cases will become more probable, but the chance exists it will either of these.

When Eve's block chain is longer than the honest chain, her attack is complete. She announces the longer chain to the world, the world sees a longer chain and believes this is the correct chain and continues as normal.

When Eve's block chain is shorter than or equal to the honest chain, she can continue to compute until she has a longer chain. If she has more computing power than the honest pool, she will eventually reach such state. If she has not, her attack will fail.

Eve could change all transactions she sends out without an extra cost during the period of the attack.

So what does this mean: this attack is profitable for Eve from the moment the value of all her transactions combined are greater than the cost of running a mining pool. So Bob should wait until the transaction to him is verified by enough blocks so he believes the cost of running an attacking mining rig is greater than the gain from reversing the transaction.

Since the cost of running a mining rig is somewhat expensive, most transactions will not be bothered by this kind of attack. When Alice and Bob do receive transactions from Eve that are worth reversing, that would probably mean Alice and Bob have some huge resources as well. Since they are relying on Bitcoin infrastructure for large transactions, they should be mining themselves to protect their transactions.

Monitoring when such an attack occurs is quite trivial I believe, so we would know when it has happened. We would also know which address(es) were sending the revoked transactions. In a lot of cases, these could possibly be traced back to who owns them. The people who receive the money probably know already. Proving it was them would be relatively simple. That would mean that, should a legal framework exist, it would be quite easy to punish Eve accordingly.

Therefor I believe this hack is very unlikely to happen.

There are two versions of the 51% attack, and I have made proposals that would address both of them.

The first is the live attack, where an attacker starts working on the next block, and publishes it as soon as it is ready, and then keeps doing so even while the honest network finds blocks that reveal the double spend, causing the chain to flap between the two branches.  This is of limited value, as it would be very visible, and the attack window would be very short, like 10 minutes to an hour, depending on the actual hashing power of the attacker.  I proposed chain flap dampening, but I'm not sure any more if there is any point.

The second is the dead attack, where the attacker starts working on a new chain, but doesn't publish it until it is very long.  At this point, the transaction the attacker wants to reverse is deep in the chain, and considered very safe by everyone, but since the new chain is longer, it will reverse everything after the start of the attack.  For this one, I proposed exponential difficulty for a deep block chain reversal.

Oh, and by the way, neither of these attacks are anywhere near as easy, nor as useful as popularly imagined.  And we really have read 100 threads on the topic.