
Topic: Pools With a Significant Hashrate: A Realistic Double Spend Attack Taking 2 Hr - page 3. (Read 11677 times)

mrb
legendary
Activity: 1512
Merit: 1027
Then the real network has just as much chance to take it back on the next block. My understanding is you have to maintain the forgery sequentially. Otherwise I could just put my commodore 64C to work; eventually it will find a solution thru sheer luck and collapse the whole shebang.

Point being, no matter how many times you flip a coin the odds are always 50/50, but to see a run you have to multiply the odds, so 50 percent of 50 percent. To attack Bitcoin you actually need a factor more hashing power to increase your odds to the point you can. Why else do you think the 6 confirmations were designed in? If cracking one block is all it took, why wait for 6 confirms? The reason is the odds of maintaining your run of blocks go in the toilet.

You don't have to maintain the forgery sequentially.

You misunderstand the math that explains why this specific number of confirmations was chosen by some exchanges/merchants.

Read the original Bitcoin whitepaper http://bitcoin.org/bitcoin.pdf (section 11). If an attacker possesses 10% of the global hashrate (q = 0.1), in order to reduce the probability of a double spend to less than 0.1%, you should wait for 6 confirmations, i.e. force the attacker to fork the chains from 5 blocks behind; that's the z=5 quoted in this section. These are the design parameters that the 6 confirmations are supposed to protect against.

If an attacker has 50% of the hashrate (q = 0.5), then the math is completely off. No amount of confirmations is going to protect you against that.

As a side note, I think there is an approximation error, or rounding error when running the sample code with q = 0.5, because it shows the attacker would have a 100% success rate (it should be 50%).
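Added example (not part of the post above, and not the whitepaper's own listing): a Python port of the section 11 calculation the post refers to, with q the attacker's share of the hashrate and z the number of blocks the attacker is behind. The helper `min_blocks_behind` and its 0.1% default threshold are assumptions made here to reproduce the q = 0.1, z = 5 figure; the code also shows that at q = 0.5 the formula's catch-up term (q/p)^(z-k) equals 1, so the function returns exactly 1.0 for every z.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashrate share q ever catches up
    from z blocks behind (Bitcoin whitepaper, section 11)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q
    if q > p:
        # The whitepaper defines the catch-up probability as 1 when q > p.
        return 1.0
    ratio = q / p                 # chance of closing a one-block gap
    lam = z * ratio               # expected attacker progress (Poisson mean)
    total = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker has mined k blocks so far.
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        # Remove the cases where the attacker still fails to catch up.
        # At q == p the ratio is 1, this term is 0 and total stays 1.0.
        total -= poisson * (1.0 - ratio ** (z - k))
    return total


def min_blocks_behind(q: float, threshold: float = 0.001, z_max: int = 1000):
    """Smallest z for which the attacker's success probability drops below
    threshold, or None if no z up to z_max achieves it (always the case for
    q >= 0.5). Hypothetical helper added for this example."""
    if q >= 0.5:
        return None
    for z in range(z_max + 1):
        if attacker_success_probability(q, z) < threshold:
            return z
    return None


if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45, 0.50):
        print(f"q={share:.2f}  P(z=5)={attacker_success_probability(share, 5):.7f}"
              f"  min z for P<0.1%: {min_blocks_behind(share)}")
```
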
kjj
legendary
Activity: 1302
Merit: 1025
It is still a double spend, and it is even more obvious if you spend on the main chain first and then try to reverse it.  Check your debug log.  The node already flags chain reversions and double spends.  Sites that wait for multiple confirmations can (should) be watching.

Yes, but the evil pool would not release the "bad" block chain until the first spend already had 6 confirmations, got sold, and sent to dwolla. Then the new block chain would roll it all back.

In that case:

Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveals that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool :)

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.
full member
Activity: 168
Merit: 103
I don't think that you have 2 hours before anybody notices. The blocks will be generated at half the speed after you split off. And the miners themselves will see that their blocks are not in the legit chain.

You have to make sure that the miners know the illegitimate blockchain only, that's way harder than getting 50 % of mining power. This is the internet. Everybody connects to anybody.

But even if it worked, it looks like way too costly for the risk. Besides the risk of detection there is the thing that MtGox will know that your address with the 10k BTC has reverted a transaction. They won't take any more coins associated with that address.
mrb
legendary
Activity: 1512
Merit: 1027
Also if you crack the pool server it would be more profitable to rob it and send the bitcoins to yourself.

Be creative: you could double your gains by robbing the pool and performing a double spend on this money!
mrb
legendary
Activity: 1512
Merit: 1027
No. The probability of outpacing the legitimate chain after N blocks, no matter what N is, is always 50%.

Think about it. You don't need to outpace every single block. Only the last one matters.
mrb
legendary
Activity: 1512
Merit: 1027
No. The probability of outpacing the legitimate chain with exactly 50% of the hashrate is 50%.
hero member
Activity: 630
Merit: 500
Posts: 69
POOLS ARE BAD!  They make a system that has demonstrable cryptographic security into a "I don't think that guy is cheating, why would he".  FAIL!
What is worse is the pool within the pool things going on.  I think people will see there is no benefit for themselves to keep mining in a pool overall.  I mean, I can only understand if you think in short term goals with Bitcoin, and especially if you don't give a crap about the other benefits of this specific digital currency.
jr. member
Activity: 56
Merit: 1
Look guys, you are thinking about this all wrong.  Security is about how to protect yourself.  The best way to protect yourself is to find that part of your protection that is weakest and fix it.  

Arguments such as "why would anyone want to break bitcoin", or "you still only have 50/50 chance of double spending" are meaningless in this debate.  These are not factors to what your weakest vector of attack is.  

This is only a simple example, but what if a state actor wished to see the devaluation of bitcoin?  What would they do?  The easiest thing I can think of is a rubber hose attack against the operators of the top n pools.  Now with control of 75% or more of the hash rate the design of bitcoin IS COMPROMISED.  Creative people *will* figure out what the best way to take advantage of that compromise is.  Double spend, ruin the credibility of bitcoin, buy WMD, whatever is the most value to that actor.  Never argue "why would...", "how" is the only argument and if there is a how you ARE vulnerable in that direction.

POOLS ARE BAD!  They make a system that has demonstrable cryptographic security into a "I don't think that guy is cheating, why would he".  FAIL!

STOP USING POOLS, or use one of the systems that make pools safe.  If you argue that pools are safe then you are uninformed, or an NSA/CIA shill.

If you truly want bitcoin to succeed, then this is a fundamental issue that should be addressed.

I agree with you on many points, but I can't stop using a pool. Statistically, I'm never going to hit a block (assuming continued 30% difficulty increases). A pool is the only way I get paid. As difficulty continues to increase, this will be true for more and more people.

The solution is: fix the way pools work so that this attack doesn't exist. People are working on that.

See this thread for more info:

http://forum.bitcoin.org/index.php?topic=9137.0;topicseen
member
Activity: 76
Merit: 10
Look guys, you are thinking about this all wrong.  Security is about how to protect yourself.  The best way to protect yourself is to find that part of your protection that is most at risk and fix it.  

Arguments such as "why would anyone want to break bitcoin", or "you still only have 50/50 chance of double spending" are meaningless in this debate.  These are not factors to what your weakest vector of attack is.  

This is only a simple example, but what if a state actor wished to see the devaluation of bitcoin?  What would they do?  The easiest thing I can think of is a rubber hose attack against the operators of the top n pools.  Now with control of 75% or more of the hash rate the design of bitcoin IS COMPROMISED.  Creative people *will* figure out what the best way to take advantage of that compromise is.  Double spend, ruin the credibility of bitcoin, buy WMD, whatever is the most value to that actor.  Never argue "why would...", "how" is the only argument and if there is a how you ARE vulnerable in that direction.

POOLS ARE BAD!  They make a system that has demonstrable cryptographic security into a "I don't think that guy is cheating, why would he" security.  FAIL!

STOP USING POOLS, or use one of the systems that make pools safe.  If you argue that pools are safe then you are uninformed, or an NSA/CIA/North Korean/Al Qaeda/mobster shill.

If you truly want bitcoin to succeed, then this is a fundamental issue that should be addressed. Risk factors of bitcoin should be evaluated analytically and solved, not justified.
jr. member
Activity: 56
Merit: 1
It is still a double spend, and it is even more obvious if you spend on the main chain first and then try to reverse it.  Check your debug log.  The node already flags chain reversions and double spends.  Sites that wait for multiple confirmations can (should) be watching.

Yes, but the evil pool would not release the "bad" block chain until the first spend already had 6 confirmations, got sold, and sent to dwolla. Then the new block chain would roll it all back.
jr. member
Activity: 56
Merit: 1
I doubt Tycho keeps tens of thousands of BTC on his online infrastructure. His pool profits (~3% fee) only amount to ~100 BTC per day. But my counter example was also to illustrate that Deepbit, with its size, is now a valuable target to any attacker out there. The fact a pool owns ~50% of the hashrate is bad not only for Bitcoin, but also because it concentrates risk. My advice to users is to not keep any significant amounts of BTC in their Deepbit account.

Yes, but deepbit mines about 3,600 a day total, all of which has to be available if his users withdraw. I bet at least some users don't withdraw every day (although I do). It could easily have 5,000 in it.
hero member
Activity: 630
Merit: 500
Posts: 69
I wonder what exchange would allow for such a mass transaction of funds to cash if it were sourced from this way, it would cause the exchanges to no longer exist, I don't think there would be a person to give the cash over for this Bitcoin.  Whoever controlled it would have to make sure it has value.
kjj
legendary
Activity: 1302
Merit: 1025
Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveals that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool :)

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

He has the order backwards, but it could still be done. You would spend on the "legit" original chain, and create a longer chain without that spend, then everyone works on that. It is two hours because that is how long it would take half the network to make six blocks, that is how long the attack would take, done correctly.

It is still a double spend, and it is even more obvious if you spend on the main chain first and then try to reverse it.  Check your debug log.  The node already flags chain reversions and double spends.  Sites that wait for multiple confirmations can (should) be watching.
mrb
legendary
Activity: 1512
Merit: 1027
Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveals that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool :)

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

He has the order backwards, but it could still be done. You would spend on the "legit" original chain, and create a longer chain without that spend, then everyone works on that. It is two hours because that is how long it would take half the network to make six blocks, that is how long the attack would take, done correctly.

Correct. The 500 BTC txfer to the exchange would need to be in the "legit" chain. I fixed my original post.
jr. member
Activity: 56
Merit: 1
DamienBlack: I wrote this as a counter-example to your comment in another thread that a 50% attack would be statistically noticed in the global hashrate.

Yes you have a point. You are correct. A double spend attack could be done quickly. Quickly enough that no one would notice. But honestly, I don't think a double spend is that big a deal, and it can happen below 50%, there is no magic number there. Other people pointed out that at > 50% you can begin moving backward through the whole block chain with statistical confidence. That is true, and a more dire attack. But a pool wouldn't be able to pull that off because people would leave the pool in a day or two, and you wouldn't be able to get that far back in that time since you also have to keep up with the rest of the network while moving backward.

You can never move backwards through the chain.  The best you can do is pick a spot in the past and try to catch up.

Yes, you are correct. My mistake. Thank you for pointing out that misconception.
kjj
legendary
Activity: 1302
Merit: 1025
DamienBlack: I wrote this as a counter-example to your comment in another thread that a 50% attack would be statistically noticed in the global hashrate.

Yes you have a point. You are correct. A double spend attack could be done quickly. Quickly enough that no one would notice. But honestly, I don't think a double spend is that big a deal, and it can happen below 50%, there is no magic number there. Other people pointed out that at > 50% you can begin moving backward through the whole block chain with statistical confidence. That is true, and a more dire attack. But a pool wouldn't be able to pull that off because people would leave the pool in a day or two, and you wouldn't be able to get that far back in that time since you also have to keep up with the rest of the network while moving backward.

You can never move backwards through the chain.  The best you can do is pick a spot in the past and try to catch up.
jr. member
Activity: 56
Merit: 1
Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveals that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool :)

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.

He has the order backwards, but it could still be done. You would spend on the "legit" original chain, and create a longer chain without that spend, then everyone works on that. It is two hours because that is how long it would take half the network to make six blocks, that is how long the attack would take, done correctly.
kjj
legendary
Activity: 1302
Merit: 1025
Step 10: A few minutes later, the legitimate block chain becomes longer than my forked chain, which invalidates the 500 BTC I transferred to TradeHill/Bitcoin7/MtGox. The 500 BTC automatically "reappears" in my original wallet. The exchange is short on BTC and is screwed. An investigation later in the day reveals that Tycho's pool was compromised. Tycho's reputation is ruined. People switch to another pool, which gains 50% of the hashrate. The attacker repeats the same attack on this other pool :)

This step won't work for two reasons.

First, if the exchange sees your chain as legitimate, you need to assume that every miner also sees it that way.  They will be working on the next block to extend your chain, not the old reverted chain.  Your 500 BTC spend to the exchange will not be overturned on those grounds.

Second, if you manage to somehow time your chain transmission so that it forces a race and gives the other chain a chance to get back on top, if it does take back over, every node on the network will instantly put your 500 BTC spend in their transaction list.  Your recovery attempt will be seen as a double spend.

So, you've spent 2 hours to get an instant transfer into an exchange when you could have just waited an hour.
jr. member
Activity: 56
Merit: 1
How easy is it to look at what you are mining? Won't people see that they are working on a different block number than the current one? And shouldn't some people notice that they found blocks that don't show?

The block data is actually pre-hashed when given to miners in a pool. We have no idea what we are working on. This is the main problem, and various solutions have been floated / are being worked on.

You could check your successful blocks, but I don't think many people do. I don't even know of any mining programs that inform you.
jr. member
Activity: 56
Merit: 1
DamienBlack: I wrote this as a counter-example to your comment in another thread that a 50% attack would be statistically noticed in the global hashrate.

Yes you have a point. You are correct. A double spend attack could be done quickly. Quickly enough that no one would notice. But honestly, I don't think a double spend is that big a deal, and it can happen below 50%, there is no magic number there. Other people pointed out that at > 50% you can begin moving backward through the whole block chain with statistical confidence. That is true, and a more dire attack. But a pool wouldn't be able to pull that off because people would leave the pool in a day or two, and you wouldn't be able to get that far back in that time since you also have to keep up with the rest of the network while moving backward.