Well, this discussion was interesting but it died off about 2 years ago, and nowhere did I see discussed the possibility of Bitcoin's destruction which I have seen for more than 2 years. I saw it almost since I first learned about Bitcoin, but I didn't pay too much attention to these worries until about now. Essentially the Bitcoin protocol has a critical design flaw that can be exploited to efficiently kill it, and I even suspect that it has already started to happen. The design flaw is that "Bitcoin difficulty is adjusted every 2016 blocks so that a block is generated roughly every 10 minutes" (source: Description of difficulty on the Bitcoin wiki). To see why this is a critical vulnerability we need to look at the adversary and his goal.
The adversary is somebody who wants Bitcoin dead and is willing to do anything to kill it. He has sufficiently deep pockets to accumulate any amount of hashpower at a rate much larger than an average Joe could muster. And he is not afraid to empty his pockets just to see Bitcoin shot down from the sky.
If you think nobody would want that because "it makes little sense", "it would be more reasonable to just play nice and profit", etc., then I want to show you one such adversary: government.
Why would the government want to kill Bitcoin? For the same reason for which they destroyed eGold and Liberty Reserve. Now speculation exists that Bitcoin might be the next target, and rumors exist that "hackers" are switching from Liberty Reserve to Bitcoin. Moreover, there are analyses about how "anonymous digital currency" is used for money laundering, for example from McAfee and Thomson Reuters; even the National Drug Intelligence Center made an analysis of digital currency usage within organized crime circles.
The government thus does not like electronic money systems providing anonymous transactions and anonymous accounts, and Bitcoin can provide just that. Yes, they can ban Bitcoin, outlaw the mining hardware, prosecute those who operate exchanges, shut down "Bitcoin mixing services" (those are doing the actual money laundering by breaking the links between the source of the money and the current owner), but now, with the coins seized from Silk Road 1.0 and Dread Pirate Roberts, they have enough resources to destroy Bitcoin without even spending much of the taxpayers' money. The attack would go just like this:
1. Buy enough ASIC mining hardware to cover about 25% of the current hash rate using taxpayers' money. They have to "borrow" the money from the taxes rather than use the bitcoins directly because they don't want the rest of the world to know what they are doing.
2. Start mining. Use a large number of addresses to receive the mined coins so nobody will notice. They may even choose to join one or more pools to further masquerade as "the little guy next door".
3. Use the mined profits and/or more taxpayers' money to purchase more mining hardware.
4. Repeat steps 2 and 3 until you get 99% of the hashing power under your control.
5. Convert as many of your bitcoins as possible to "legal tender".
6. Wait for the next difficulty change and mine a few blocks past it.
7. Switch all your mining equipment off.
During steps 1-5 the adversary plays according to the Bitcoin rules, even participating in the Bitcoin economy. No hacking, no searching for some obscure vulnerabilities somewhere, no overzealous hunting of exchanges/mixing services, no seizure of mining equipment. On the contrary, the adversary tries to hide as much as possible, pretending to be a sizeable bunch of normal people with a sizeable bunch of mining equipment. The adversary can even comfortably pull its own money out of the Bitcoin economy before it tanks. The death blow is dealt at the very last step. To understand why it is the death blow, let's look at what happens after the enemy executes step 7.
So, just before step 7 the adversary controls 99% of the hashrate and the difficulty is already adjusted to that state (because of step 6). Now 99% of the hashrate vanishes literally overnight. But the difficulty stays the same because the next adjustment is some 2000 blocks away. Thus a block gets mined in 1000 minutes instead of 10 minutes because only 1% of the hashing power is now left. Transactions take over 16 hours to get into a block and it takes over 4 days to get the recommended 6 confirmations. This is much slower than cashing a check. Bitcoin is essentially frozen.
The worst hit is dealt to the miners. This is because 120 confirmations are needed to be able to spend a mining reward. This translates into 80 days - almost 3 months. Many miners can't do any mining for so long without getting paid, so they quit. This causes the hashrate to be reduced further, leading to an even worse situation. Demand for mining hardware quickly abates as the public starts to see it as increasingly profitable. People become increasingly disgusted and reluctant as the value of their coins plunges towards zero. Essentially the network will start a downward spiral to its doom. The coins will become worthless because they cannot be moved at all, and classic fiat money suddenly becomes much more attractive.
And with 2000 blocks to go under these conditions it would take over three and a half years before the network can recover. That is way too much waiting. Before the next adjustment can happen, the once thriving Bitcoin is nothing but a frozen world at the periphery of the Internet. And even if it somehow survived, the adversary would simply turn on his multi-peta-byte-hashrate mining rig again, mine another 2016 blocks and switch it off again, dumping another 3.5+ years of recovery on the poor remnants of the Bitcoin economy.
The current design of the difficulty adjustment process is insecure because it trusts the mining nodes to actually want to do the mining and this security hole is exploited by the attack. The malicious "government" node described above is not interested in mining, it is exploiting a loophole in the mining protocol design to achieve its own malicious goal: destruction of the entire network.
I would propose a fix which would be something like "difficulty decay over time". The difficulty adjustment can be left just where it is, but it needs to be fixed a little bit. However the thing that would be (re)adjusted here (and recorded in the blocks) would be something called "baseline difficulty". The actual difficulty would be calculated like this:
1. Immediately after a block is found, the difficulty is "infinite" (a hash of 0 would be the only one accepted).
2. In the first X minutes it would gradually decay to the baseline difficulty.
3. The next Y minutes it would stay at the baseline difficulty.
4. The next Z minutes it would gradually decay from the baseline difficulty all the way down to 1.
5. After (X+Y+Z) minutes the difficulty stays 1 until a new block is found.
6. Once a new block is found, the difficulty resets back to "infinity" and starts a new cycle from step 1.
My proposal for the numbers would be X=8, Y=4 and Z=8. So the first 8 minutes the difficulty decays from infinity to the baseline, the baseline stays the same for the next 4 minutes and then it is gradually reduced to 1 in the next 8 minutes. So if no block is found in the next 20 minutes, the difficulty would be reduced to 1.
The baseline difficulty readjustment also needs fixing. First it shall take into account much less than 2016 blocks, maybe only 120 or even 60 blocks. Secondly, it should calculate and account for the real difficulties used to find these blocks. And third, the readjustment shall happen at every block, not just every N-th one (where N is the count of blocks examined during difficulty adjustments).
This would protect the network from both sudden spikes and sudden blackouts in hashing power. A large increase in hashing power will increase the frequency of the blocks, but only briefly, because of the first X minutes when the difficulty is very large (at the beginning it is MUCH larger than the baseline). A sudden blackout would reduce the block frequency to about half of the rate (one block every 20 minutes) due to the difficulty dropping to 1 after the time elapses. And these transient changes would last only a few hours because on every block the baseline difficulty would get adapted to the new network conditions.
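To make the two rules comparable, here is an added example that is not code from the post or from any Bitcoin client: a small Python model of block arrival. It covers both the freeze scenario above (fixed difficulty between retargets, 99% of the hashrate switched off) and the proposed decaying schedule with X=8, Y=4, Z=8 plus a per-block baseline readjustment. The post does not say what shape the decay has, so the curves (hyperbolic in the first phase, geometric in the third), the unit convention (difficulty in hash units per block, hashrate in hash units per minute), the constructed values D0=1e6 and H0=1e5, and the maximum-likelihood hashrate estimator used for readjustment are all my assumptions.

```python
"""Block-arrival model for the two difficulty rules discussed above.

Constructed example, not Bitcoin's code. Units (assumed): difficulty D is the
expected number of hash units per block and hashrate H is hash units per
minute, so the chance of finding a block at time t since the last one is the
hazard H / D(t) per minute.
"""
import math

# The post's proposed schedule: X minutes decaying from "infinite" difficulty
# to the baseline, Y minutes at the baseline, Z minutes decaying down to 1.
X, Y, Z = 8.0, 4.0, 8.0
TARGET_INTERVAL = 10.0   # minutes per block the baseline is tuned for


def decaying_difficulty(t, baseline):
    """Effective difficulty t minutes after the last block (the proposal).
    The post does not fix the decay curves; assumed here: hyperbolic in the
    first phase (infinite at t=0, baseline at t=X) and geometric in the third
    (it has to cross many orders of magnitude to get from baseline to 1)."""
    if t <= 0:
        return math.inf
    if t < X:
        return baseline * X / t
    if t < X + Y:
        return baseline
    if t < X + Y + Z:
        return baseline ** (1.0 - (t - X - Y) / Z)
    return 1.0


def fixed_rule_interval(hashrate, difficulty):
    """Mean block time under the current rule: difficulty is constant
    between retargets, so arrivals are Poisson with rate H / D."""
    return difficulty / hashrate


def freeze_scenario(baseline, full_hashrate, remaining_fraction, blocks_left=2000):
    """The post's doomsday arithmetic: (1 - remaining_fraction) of the hashrate
    disappears right after a retarget, with blocks_left blocks to the next one."""
    interval = fixed_rule_interval(full_hashrate * remaining_fraction, baseline)
    return {
        "block_interval_min": interval,
        "six_confirmations_days": 6 * interval / 1440,
        "reward_spendable_days": 120 * interval / 1440,   # the post's 120 blocks
        "next_retarget_years": blocks_left * interval / (1440 * 365),
    }


def expected_interval(hashrate, baseline, horizon=60.0, dt=0.001):
    """E[time to next block] under the decaying schedule: the integral of the
    survival function S(t) = exp(-integral of H/D(s) ds), by Riemann sums."""
    cumulative, expected, t = 0.0, 0.0, 0.0
    while t < horizon:
        cumulative += hashrate / decaying_difficulty(t + dt / 2, baseline) * dt
        survival = math.exp(-cumulative)
        expected += survival * dt
        if survival < 1e-12:          # nothing left to integrate
            break
        t += dt
    return expected


def sample_interval(hashrate, baseline, u, dt=0.01):
    """Draw one block interval: advance time until the cumulative hazard
    reaches -ln(1 - u) for a uniform u in [0, 1) (inverse-CDF sampling)."""
    needed, cumulative, t = -math.log(1.0 - u), 0.0, 0.0
    while cumulative < needed:
        cumulative += hashrate / decaying_difficulty(t + dt / 2, baseline) * dt
        t += dt
    return t


def exposure(interval, baseline, dt=0.01):
    """Integral of ds / D(s) over one interval: blocks expected per unit of
    hashrate, i.e. the 'real difficulty used' the post wants accounted for."""
    total, t = 0.0, 0.0
    while t < interval:
        total += dt / decaying_difficulty(t + dt / 2, baseline)
        t += dt
    return total


def readjust_baseline(recent_blocks, target=TARGET_INTERVAL):
    """Per-block baseline update from the last N blocks, given as
    (interval_minutes, baseline_in_force) pairs. The hashrate estimate is the
    maximum-likelihood value N / sum of exposures; the new baseline is what
    that hashrate solves in `target` minutes at constant difficulty."""
    total_exposure = sum(exposure(i, b) for i, b in recent_blocks)
    return len(recent_blocks) / total_exposure * target


if __name__ == "__main__":
    D0, H0 = 1e6, 1e5                     # constructed: 10-minute blocks
    print(freeze_scenario(D0, H0, 0.01))  # 99% of the hashrate switched off
    for name, h in [("normal", H0), ("99% gone", H0 / 100), ("100x spike", H0 * 100)]:
        print(f"{name:>10}: decaying rule {expected_interval(h, D0):6.2f} min, "
              f"fixed rule {fixed_rule_interval(h, D0):8.1f} min")
    # 50 post-blackout blocks at stratified quantiles instead of random draws
    blocks = [(sample_interval(H0 / 100, D0, (k + 0.5) / 50), D0) for k in range(50)]
    print("readjusted baseline after the blackout:", round(readjust_baseline(blocks)))
```

Running it reproduces the post's numbers for the fixed rule (1000-minute blocks, over 4 days for 6 confirmations, over 80 days for 120, and more than 3.5 years to the next retarget), while under the decaying schedule the same blackout gives blocks every 16 minutes or so and a 100x spike speeds blocks up by roughly a factor of 9 rather than 100. Note that the hyperbolic opening phase makes the mean interval at the target hashrate slightly under 10 minutes, so a deployed version would tune the schedule or the readjustment to compensate.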
However, I have no idea how to realize this fix. The problem here is that this is a pretty disruptive change to the protocol, and all the older clients would suddenly fail to synchronize to the chain with the new rules (the blocks generated with the lowered difficulty would be considered invalid by them). Essentially everyone would be forced to upgrade their client, and "third party" clients would be rendered utterly obsolete. Maybe the best solution would be to prepare the fix in a branch marked "use in emergency only" and pull it out once the "doomsday" scenario ensues.
I believe that this attack is well underway because of the recent exponential increase in the hashing power caused by the ASIC chips. I suspect that what is really happening here is large amounts of these ASIC chips being purchased by some shady "government-like" adversary and used to push the difficulty to abnormal heights as described in steps 3 and 4 of the attack. I don't know how much time we have, but it seems not much.