Pages:
Author

Topic: New method of 51% attack? (Read 3961 times)

member
Activity: 88
Merit: 12
February 19, 2015, 06:06:07 PM
#28
I don't think that's very likely.

Yeah, I don't really think it is either. It's an interesting theoretical attack, but would probably never be able to be successfully mounted on Bitcoin. On a fledgling altcoin, though...

There is no need to spread double spends or utilize transaction malleability. It only takes one inconsistent transaction, of any form, to create a fork. Once you have two chains your vision for the attack could commence. Adding further inconsistencies within either of the two extending chains would cause further splits, wasting valuable hashing power for an attacker trying to keep two relatively similar length, but different, chains.

Right, to create the fork you only need one inconsistency. But imagine you are switching back and forth between two chains with nearly identical data in them except that the hash of a single transaction is changed in the first block of the fork. It probably wouldn't be very disruptive to most users of the system if it just switched back and forth, but all your transactions were still confirmed and all still had the same hash. Adding many inconsistencies would make using the two sides of the fork very different experiences. On one side your transactions are all processed and are fine. On the other, your transactions are removed because they depend on transaction IDs that are no longer in the block chain...

I'm not saying that the attacker should try to cause further forks on one side of the dual fork-chain at all. They would just put inconsistencies between the two main growing chains, not cause further forking. When the power is split between three chains, it takes an increasingly long amount of time to make the second strongest chain catch up to the main chain (the strongest chain).

That's a way the network could break out of that attack, actually. Say things were proceeding normally and an attacker gaining 51% forked the chain, then worked to keep each about equal length. If there was some agreement compelling say 25% of the "honest" network to create an inconsequentially inconsistent, but valid third fork the attacker would quickly find it difficult to maintain equal lengths. The distribution of hashing power would meander over the three then gravitate toward the longer, least split chain, breaking the tie.

Remember, a valid chain contains all valid transactions and no double spends. As long as there is a longest valid chain, even if the 51% attacker is the one that forked and extended it, everything still works. Now an attacker could use 51% to block or filter transactions etc., things already discussed, but that's not the attack you're describing.

That's interesting, but I'm not sure I see how it could work just yet. It sounds like you're saying that the network would introduce a third chain to split mining power between. But the network has to accept the chain with the most work as the correct chain. And I don't see how splitting the networks mining power amongst two chains would help things, it basically makes the 51% attack become a 67% attack because the network is splitting its time between two chains.

Maybe you could explain the defense you are proposing a bit more. It seems like if the network did somehow force the attacker to split their time mining on three chains, the attack would still work, it would just take increasingly long before the each chain replacement. In general though, I don't see how it could work, because anyone with less than 50% of the hashing power essentially has to choose the chain with the most work to make sure they stay in consensus with the rest of the network. But anyone with more than 50% of the hashing power (i.e. the attacker) does not have to follow this rule, as they can create valid blocks faster than the rest of the network.
member
Activity: 98
Merit: 10
GlideSEC - www.glidesec.com
legendary
Activity: 1050
Merit: 1002
February 17, 2015, 10:21:07 PM
#26
I think I was more thinking about some country who hates bitcoin buying up a bunch of hardware and then attacking the system like this to shut it down.

I don't think that's very likely. Attacking the system isn't without risk. It would be hard to pull off such a large undertaking without ever being exposed, which then subjects the attackers to whatever backlash there is, political or otherwise, from a growing global community with increasing stakes in the system, all for a risky maneuver which might not amount to more than a temporary network inconvenience.

I don't follow when you say that "Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains".

I was responding to this:

If there were a fork on one of the chains, it must have been on the chain the attacker wasn't working on (because they are always the only ones working on the shorter (less-work) chain). And since it is the chain opposite to the chain the attacker is working on, the attacker will just keep working until it creates a chain with more work than either of the mini-forks on the other side of the chain.

That's a way the network could break out of that attack, actually. Say things were proceeding normally and an attacker gaining 51% forked the chain, then worked to keep each about equal length. If there was some agreement compelling say 25% of the "honest" network to create an inconsequentially inconsistent, but valid third fork the attacker would quickly find it difficult to maintain equal lengths. The distribution of hashing power would meander over the three then gravitate toward the longer, least split chain, breaking the tie.

Remember, a valid chain contains all valid transactions and no double spends. As long as there is a longest valid chain, even if the 51% attacker is the one that forked and extended it, everything still works. Now an attacker could use 51% to block or filter transactions etc., things already discussed, but that's not the attack you're describing.
member
Activity: 88
Merit: 12
February 17, 2015, 09:45:36 AM
#25
... The disruptive part is that there would be switching back and forth all the time, and the two chains could contain very conflicting data. ...

That wouldn't be Bitcoin, but some other protocol/alt-coin. The Bitcoin protocol isn't only the longest chain; it's the longest chain that everyone agrees follows all the protocol rules, which includes not double spending coins and hash values which match all transactions (switched with malleability or not). A hash power advantage doesn't enable the circumvention of that.

Edit: I just got what you're saying. That would be a bit of a problem if the attacker could maintain 51% for a long period of time. Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains, but maintaining two chains of approximately equal length with one fork would mean users in the real world would need to wait to see what was the "real version of reality". I think most 51% risk comes from pooled miners, which in a stressful situation (like that of GHash.io) could migrate away, removing the hash power advantage before long.

Yeah, I think you got what I was saying in the second paragraph. The two chains that are kept alive would be completely consistent within the individual chains, but the chain data between the two would be incompatible.

And yeah, I agree that if this were to happen in a pool then everyone would just leave the pool and it wouldn't be a huge problem. I think I was more thinking about some country who hates bitcoin buying up a bunch of hardware and then attacking the system like this to shut it down.

I don't follow when you say that "Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains". If there were a fork on one of the chains, it must have been on the chain the attacker wasn't working on (because they are always the only ones working on the shorter (less-work) chain). And since it is the chain opposite to the chain the attacker is working on, the attacker will just keep working until it creates a chain with more work than either of the mini-forks on the other side of the chain.
member
Activity: 88
Merit: 12
February 17, 2015, 09:42:40 AM
#24
Yes the 51% miner could attack with two alternating chains as you describe but I am not sure what the advantage is from the attacker's perspective.

Given 51% or greater mining power, the attacker can simply mine it's own chain with whatever transactions it wants to use and it will as a matter of statistics get ahead of any other chain that the remainder of the mining community can produce. 

It is this ability to get ahead on the chain with valid proof of work that allows that attacker to always get long term control of the chain and fork it in the direction the attacker wants to go.

The attacker could choose to include all other transactions (good behavior), double spend (fraud), filter out particular transactions or transactions from particular address(s) (targeted denial of service),  reject all transactions (complete denial of service), long term reject block solutions from any subset of miners  (monopoly)

So the question back to OP is, "What extra advantage does the dual chain attack he describes give to the 51% attacker?" 

I think the difference is that it would be more useful to an attacker who really didn't want to gain anything from the attack other than making bitcoin completely un-useable. The typical example is a government who just wants to shut down bitcoin, doesn't really care if they gain anything in the process. This would make all services built around the bitcoin blockchain very unpredictable and impossible to use.

Another difference is that this attack would not be preventable by Gavin's "chain with more priority" idea (http://gavintech.blogspot.com/2012/05/neutralizing-51-attack.html). The standard 51% DOS attack where you just mine on your own chain and don't include anyone elses transactions would cause the attacker to lose 'priority' (coin age destroyed). But in this attack, the two chains would have roughly the same priority (coin age destroyed), so you couldn't prioritize one chain over the other.
legendary
Activity: 1050
Merit: 1002
February 17, 2015, 12:30:06 AM
#23
... The disruptive part is that there would be switching back and forth all the time, and the two chains could contain very conflicting data. ...

That wouldn't be Bitcoin, but some other protocol/alt-coin. The Bitcoin protocol isn't only the longest chain; it's the longest chain that everyone agrees follows all the protocol rules, which includes not double spending coins and hash values which match all transactions (switched with malleability or not). A hash power advantage doesn't enable the circumvention of that.

Edit: I just got what you're saying. That would be a bit of a problem if the attacker could maintain 51% for a long period of time. Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains, but maintaining two chains of approximately equal length with one fork would mean users in the real world would need to wait to see what was the "real version of reality". I think most 51% risk comes from pooled miners, which in a stressful situation (like that of GHash.io) could migrate away, removing the hash power advantage before long.
newbie
Activity: 59
Merit: 0
February 16, 2015, 11:21:01 PM
#22
Yes the 51% miner could attack with two alternating chains as you describe but I am not sure what the advantage is from the attacker's perspective.

Given 51% or greater mining power, the attacker can simply mine it's own chain with whatever transactions it wants to use and it will as a matter of statistics get ahead of any other chain that the remainder of the mining community can produce. 

It is this ability to get ahead on the chain with valid proof of work that allows that attacker to always get long term control of the chain and fork it in the direction the attacker wants to go.

The attacker could choose to include all other transactions (good behavior), double spend (fraud), filter out particular transactions or transactions from particular address(s) (targeted denial of service),  reject all transactions (complete denial of service), long term reject block solutions from any subset of miners  (monopoly)

So the question back to OP is, "What extra advantage does the dual chain attack he describes give to the 51% attacker?" 
legendary
Activity: 3472
Merit: 4801
February 11, 2015, 10:56:01 AM
#21
this would require way to much power to do , and i mean like way to much and the user would just end up getting blacklisted anyways.

I think it would probably require exactly the same amount of power as any other majority hash power attack.

How exactly would you blacklist them if you don't know who they are?
hero member
Activity: 700
Merit: 500
February 11, 2015, 10:25:46 AM
#20
this would require way to much power to do , and i mean like way to much and the user would just end up getting blacklisted anyways.
member
Activity: 88
Merit: 12
February 10, 2015, 11:33:37 PM
#19
I am not saying it is not possible.  I am saying the people with the funds to buy several 10's millions of USD worth of miners, build a few 100MW Datacenter to house it, and employing the staff to get it up and running has better things to spend their money. Even at half price the SP35's alone would be over $32 Million, after power and facilities and staffing your probably talking about a few $100 Million.

Be easier just to flood all the exchanges with $100 million worth of BTC and crash the prices, if a Billionaire got really pissed off at BTC for some reason.

Where would they buy the BTC from in the first place to dump it on the exchange? Tongue

I agree, though, there are probably more cost effective ways to dis-incentivize using bitcoin than to launch a 51% attack like this one. Regulation is the obvious way (although who knows how much money would be spent paying the policy makers). Regulation only limits bitcoin use in one country, though, and many would likely still use bitcoin covertly. If a government truly wanted to shut bitcoin down, they would have to launch a 51% attack. I doubt it would ever come to this, though.

If I were a regulator and wanted to throw a wrench in the bitcoin ecosystem, I'd put a mining tax on all the energy that is 'wasted' (no, I don't think securing a global digital currency is actually a waste, but many people call it waste) on mining. It could be framed as an environmentally friendly policy. Then, when all the big miners turn their hardware off, the government could more easily launch a 51% attack and good night. Just the policy alone, though, might make the block chain stall with insufficient hashing power and make the system very hard to use. Hope this doesn't happen, just thinking like an attacker.
hero member
Activity: 882
Merit: 500
Where am I?
February 10, 2015, 12:45:42 PM
#18
I think at this point with so many multi PH farms.  It would take a huge investment to even try this, and no sane person would risk $10+ million on this to try and do something that may or may not work.  You would be taking about around 160PH or 160,000 Antminer C1's or 29,091 Spondoolies SP35's.  I want to be the salesman on that sale.

It would be a very impressive Data Center, I would love to see someone try actually.

Oh of course spending this amount to break a billion dollars + market that has been a pain the ass for governments since 2009 is very "insane".  Roll Eyes.

Bitcoin worth much much more but OTR transactions don't really move the price much because there weren't made on a "popular" exchange. Do you know that there are people with such reserves that can sell enormous amounts of bitcoins OTR while maliciously doing the above, Crash the market, Buy way cheaper, resell the mining equipments for a loss, PROFIT!

EDIT: Granted this is not feasible at these prices but consider at $1200!

I am not saying it is not possible.  I am saying the people with the funds to buy several 10's millions of USD worth of miners, build a few 100MW Datacenter to house it, and employing the staff to get it up and running has better things to spend their money. Even at half price the SP35's alone would be over $32 Million, after power and facilities and staffing your probably talking about a few $100 Million.

Be easier just to flood all the exchanges with $100 million worth of BTC and crash the prices, if a Billionaire got really pissed off at BTC for some reason.
member
Activity: 88
Merit: 12
February 10, 2015, 10:59:16 AM
#17
Once the community notice this happening, they will most probably ban the faulty miner (blacklisting their IP or something similar).

Yeah, I'm not saying I think this is going to be a big problem any time soon or anything. IP address/bitcoin address blacklisting probably wouldn't work, though, to anyone even partially committed to launching this attack. It would obviously be very easy to recognize that this attack is happening, at least.
hero member
Activity: 658
Merit: 500
February 10, 2015, 10:56:23 AM
#16
OK, I see where this is going. However, I don't think this would be as easy.

Now everyone in the network switches back to the bottom chain, and the miner switches to mining the top chain. The miner can keep doing this until the fork becomes ridiculously long and the data between the two chains is completely incompatible.

Once the community notice this happening, they will most probably ban the faulty miner (blacklisting their IP or something similar).
member
Activity: 88
Merit: 12
February 10, 2015, 10:40:06 AM
#15
You know what happens when you do work for half the time? You do half the work. So, having 51% of the hashpower half the time means you effectively have only 25.5% of the hashpower.

Also, about letting others mine... Well, you can't just stop them from working (unless you seize their equipment). This has nothing to do with it.

With this, though, you have 51% of the hash power all of the time, it's just that you use that power (all of it) on different chains at different times.

It's just like a miner with 51% making a longer chain that retakes the whole chain by starting one block back to enable a double spend. They can just use this ability to make another chain that stays the same length as the chain the network is working on.

-------------------------------------------

Suppose the chain is at this state (each * is a block)

-- * -- * -- * -- *

Now the miner with 51% decides he is going to launch this attack. The network solves a block:

-- * -- * -- * -- *
                        \ -- *

Now the miner solves blocks on the chains opposite to it until the chain takes over. This might take a few blocks while the network is still working on the main chain.

                        / -- * -- * -- * -- *
-- * -- * -- * -- *
                        \ -- * -- * -- *

At which point the network switches to the top chain and the miner switches to mining on the bottom chain. The same thing happens, the miners chain will eventually overtake the network chain (which is now the top chain), but it might take a few blocks.

                        / -- * -- * -- * -- * -- * -- *
-- * -- * -- * -- *
                        \ -- * -- * -- * -- * -- * -- * -- *

Now everyone in the network switches back to the bottom chain, and the miner switches to mining the top chain. The miner can keep doing this until the fork becomes ridiculously long and the data between the two chains is completely incompatible.
hero member
Activity: 924
Merit: 1001
Unlimited Free Crypto
February 10, 2015, 10:12:57 AM
#14
I think at this point with so many multi PH farms.  It would take a huge investment to even try this, and no sane person would risk $10+ million on this to try and do something that may or may not work.  You would be taking about around 160PH or 160,000 Antminer C1's or 29,091 Spondoolies SP35's.  I want to be the salesman on that sale.

It would be a very impressive Data Center, I would love to see someone try actually.

Oh of course spending this amount to break a billion dollars + market that has been a pain the ass for governments since 2009 is very "insane".  Roll Eyes.

Bitcoin worth much much more but OTR transactions don't really move the price much because there weren't made on a "popular" exchange. Do you know that there are people with such reserves that can sell enormous amounts of bitcoins OTR while maliciously doing the above, Crash the market, Buy way cheaper, resell the mining equipments for a loss, PROFIT!

EDIT: Granted this is not feasible at these prices but consider at $1200!
hero member
Activity: 658
Merit: 500
February 10, 2015, 10:06:05 AM
#13
That's not the way it would work in the attack I'm describing. The malicious miner would still let others mine, it would just alternate which chain they are mining on to help the chain that fell behind catch back up. So instead of splitting 25.5% on two chains, it would be all 51% on chain A half the time and all 51% on chainB half the time. The disruptive part is that there would be switching back and forth all the time, and the two chains could contain very conflicting data.

You know what happens when you do work for half the time? You do half the work. So, having 51% of the hashpower half the time means you effectively have only 25.5% of the hashpower.

Also, about letting others mine... Well, you can't just stop them from working (unless you seize their equipment). This has nothing to do with it.
hero member
Activity: 882
Merit: 500
Where am I?
February 10, 2015, 10:02:39 AM
#12
I think at this point with so many multi PH farms.  It would take a huge investment to even try this, and no sane person would risk $10+ million on this to try and do something that may or may not work.  You would be taking about around 160PH or 160,000 Antminer C1's or 29,091 Spondoolies SP35's.  I want to be the salesman on that sale.

It would be a very impressive Data Center, I would love to see someone try actually.
member
Activity: 88
Merit: 12
February 10, 2015, 09:58:14 AM
#11
To mine two chains you need double the power, so in this scenario the “51%” would actually be 25.5% and 25.5%.

No, you have it backwards. To mine 2 chains you need to split your effort between the two chains, so you got 25.5% for each chain. I said it's “double” the power because the total power is double the power for each chain.

That's not the way it would work in the attack I'm describing. The malicious miner would still let others mine, it would just alternate which chain they are mining on to help the chain that fell behind catch back up. So instead of splitting 25.5% on two chains, it would be all 51% on chain A half the time and all 51% on chainB half the time. The disruptive part is that there would be switching back and forth all the time, and the two chains could contain very conflicting data.

If the miner were to try to create two 'empty' chains and to try to keep them both longer than the main chain, then you would need 2x as much hash power as the rest of the network, meaning you'd need >66.7% of the hashing power. That's not what I'm talking about, though.
hero member
Activity: 658
Merit: 500
February 10, 2015, 09:40:26 AM
#10
Now guys look at another attack vertex. How about not attaining such hash power but highjack just a couple of big pools at the same time. Infiltrate and sleep and pick the worse moment, say when the operators are sleep. And fork this thing real hard or block ALL transactions but just mining empties. Granted the miner will switch but it just needs a little time and a couple of discrediting hate articles and boom. Price down hard!

While theoretically possible, I think a massive infiltration wouldn't go unnoticed.
hero member
Activity: 658
Merit: 500
February 10, 2015, 09:39:19 AM
#9
To mine two chains you need double the power, so in this scenario the “51%” would actually be 25.5% and 25.5%.

Don't you mean 102%?

No, you have it backwards. To mine 2 chains you need to split your effort between the two chains, so you got 25.5% for each chain. I said it's “double” the power because the total power is double the power for each chain.

Just think about it. If you have 51% of the total power, how are you planning to get 102%? It's mathematically impossible.
Pages:
Jump to: