Pages:
Author

Topic: Potential bug in bitcoin: long-range attacks. - page 2. (Read 2320 times)

staff
Activity: 4242
Merit: 8672
I think it's more interesting than you make it out to be. Consider the fact that if you try to reorg the entire blockchain, you have 100% chance to eventually succeed, no matter how low your hashrate (assuming that the ratio between your hashrate and the network's has a positive lower bound).
Indeed, while I was well aware of growth making the historical hashing inconsequential (http://bitcoin.sipa.be/powdays-50k.png) and playing the reorg lottery I hadn't considered that particular possibility before reading that paper (thanks for the link). Though it does require also exponential growth, which is physically senseless in some sufficiently long run. It would probably be interesting to explore the probability distribution with a relaxed form of that assumption.
donator
Activity: 2058
Merit: 1054
In any case, no this isn't actually interesting either— because you have to do as much work as the whole network to get ahead of it in terms of expectation. So you might as well say "you could go mine as much as the network until you get ahead of it"— something you can't do without more computing power than it (much more, in the case that you start far behind it) since the expected required computing power would be equal. The only change is the variance. (and indeed, you can construct some kind of not very interesting very low probability example out of the difference in variance, but like your fraudulent ECDSA cracker, its not very interesting in practice)
I think it's more interesting than you make it out to be. Consider the fact that if you try to reorg the entire blockchain, you have 100% chance to eventually succeed, no matter how low your hashrate (assuming that the ratio between your hashrate and the network's has a positive lower bound).
legendary
Activity: 1792
Merit: 1111
This isn't a bug because chains are selected in terms of cumulative difficulty not length of chain. Very quickly a node can distinguish the real chain from the fakes.

Then it is even easier to perform this attack, in theory.
All you would have to do is create a whole bunch of low-difficulty blocks with nearly the same timestamp, then after the "difficulty adjustment" in your branch of the blockchain would result in a super large difficulty. Solve that one block and the blockchain is broken.

Note cumulative, not last.

He's talking about cumulative, but that's irrelevant. The expected work required for that "super large difficulty block*" equals to the cumulative work of all blocks in the past 5 years

(*ignoring the 4x adjustment rule)
legendary
Activity: 4130
Merit: 1307
This isn't a bug because chains are selected in terms of cumulative difficulty not length of chain. Very quickly a node can distinguish the real chain from the fakes.

Then it is even easier to perform this attack, in theory.
All you would have to do is create a whole bunch of low-difficulty blocks with nearly the same timestamp, then after the "difficulty adjustment" in your branch of the blockchain would result in a super large difficulty. Solve that one block and the blockchain is broken.

Note cumulative, not last.
newbie
Activity: 42
Merit: 0
I am not so sure, given that bitcoin has been around for quite some time already .. if there is a vulnerability ... someone would have exploited it.  I bet it is not easy.
staff
Activity: 4242
Merit: 8672
The fact that such an obvious and simple attack has never happened suggests it can't happen. Shouldn't you realize that?
Well, take care there— lots of things are busted without ever being noticed.
Then it is even easier to perform this attack, in theory.
All you would have to do is create a whole bunch of low-difficulty blocks with nearly the same timestamp, then after the "difficulty adjustment" in your branch of the blockchain would result in a super large difficulty. Solve that one block and the blockchain is broken.
This from the guy who was going around claiming to sell a bogus magical ECDSA cracker. I guess the deadline has passed for my challenge, no keys broken? So sad for you.

In any case, no this isn't actually interesting either— because you have to do as much work as the whole network to get ahead of it in terms of expectation. So you might as well say "you could go mine as much as the network until you get ahead of it"— something you can't do without more computing power than it (much more, in the case that you start far behind it) since the expected required computing power would be equal. The only change is the variance. (and indeed, you can construct some kind of not very interesting very low probability example out of the difference in variance, but like your fraudulent ECDSA cracker, its not very interesting in practice)

(And— since you don't seem to understand any of the technical details about the system at all— I guess I also need to point out that the difficulty can only increase by a factor of four per retarget, though thats not really necessary for what what you're talking about to not bay a concern, though it does frustrate an attempt at a lucky roll).

donator
Activity: 2058
Merit: 1054
This isn't a bug because chains are selected in terms of cumulative difficulty not length of chain. Very quickly a node can distinguish the real chain from the fakes.
Then it is even easier to perform this attack, in theory.
All you would have to do is create a whole bunch of low-difficulty blocks with nearly the same timestamp, then after the "difficulty adjustment" in your branch of the blockchain would result in a super large difficulty. Solve that one block and the blockchain is broken.
This is a bit harder than you describe but it is indeed possible. See Section 4 ("The Difficulty Raising Attack") of Lear's paper. It's towards the end of the paper, the first half is about a different attack.
legendary
Activity: 1260
Merit: 1168
This message was too old and has been purged
legendary
Activity: 1792
Merit: 1111
Where can one get a terrahashcomputer
https://products.butterflylabs.com/homepage-new-products/1-th-bitcoin-miner.html

This isn't a bug because chains are selected in terms of cumulative difficulty not length of chain. Very quickly a node can distinguish the real chain from the fakes.
Aha! This was the information that I wanted. Thank you.

The fact that such an obvious and simple attack has never happened suggests it can't happen. Shouldn't you realize that?
staff
Activity: 4242
Merit: 8672
checkpoints.
Have nothing to do with this.  A general tip: if you are commenting on the security of Bitcoin and the word "checkpoint" comes to mind, you are probably confused. Smiley

This thread was answered completely and correctly in the very first response. This attack does not exist because Bitcoin chooses the chain with the most work, not the most blocks.
sr. member
Activity: 280
Merit: 257
bluemeanie
checkpoints.
newbie
Activity: 45
Merit: 0
Where can one get a terrahashcomputer
https://products.butterflylabs.com/homepage-new-products/1-th-bitcoin-miner.html

This isn't a bug because chains are selected in terms of cumulative difficulty not length of chain. Very quickly a node can distinguish the real chain from the fakes.
Aha! This was the information that I wanted. Thank you.
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
Potential bug in fiat:
Someone invents a 3D printer that can make perfect copies of any fiat currency.
hero member
Activity: 518
Merit: 500
Where can one get a terrahashcomputer
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
Hashes are slow to create and fast to verify.
jr. member
Activity: 56
Merit: 1
This isn't a bug because chains are selected in terms of cumulative difficulty not length of chain. Very quickly a node can distinguish the real chain from the fakes.
newbie
Activity: 45
Merit: 0
It is possible to build a new chain from the genesis to 300,000 in just 5 minutes with a terahash computer. When new nodes join the network, it is not possible for them to distinguish the real chain from fake chains. terahash computers only cost $3000

Minimum difficulty to mine blocks is 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff or so.
When building your own chain, you can carefully select the time to write on the block so that difficulty stays at a minimum.

If someone created thousands of chains like this, would bitcoin survive?
Pages:
Jump to: