Topic: What would it take to make a 51% attack on the whole bitcoin network? - page 2. (Read 2597 times)

legendary
Activity: 1652
Merit: 2300
Chief Scientist
A Radeon 6990 has 4 gigabytes of ram.

If the task is "find a number that bcrypts/scrypts to less than a given hash target," I don't see anything that would stop a GPU programmer from implementing bcrypt/scrypt on the CPU and parallelizing at the try-different-nonces level.

Maybe I'm missing something; I'm probably biased because I worked at SGI from 1988 to 1996 and saw first-hand the evolution of GPUs from very-special-purpose chips with very limited memory to very-general-purpose vector-processing pipelines with very fast access to lots of memory.
kjj
legendary
Activity: 1302
Merit: 1026
Bcrypt isn't magic. It just does the difficulty adjustment internally.
newbie
Activity: 39
Merit: 0
From Reddit

Quote from: avsa
I've read about many units of supercomputer, but not being an expert I couldn't relate to it. If someone wanted to do a 51% attack on the whole bitcoin network, effectively rewriting its whole credit history, what kind of computing power would be needed? Does a company like Google or IBM, or some military installation, have enough computer power at its disposal to overwrite the current blocks? Is it possible?
Let's do some trivial research:
  • Current network hashrate is 15 TH/s
  • My $600 Radeon HD6990 performance is 700 MH/s
  • Successful 51% attack should involve 21'500 such GPUs
  • Cost of the attack is about 13 million dollars

As mentioned in the discussion...

Quote from: avsa
There's a very distinct difference between needing more computing power than the world's supercomputers combined and needing around 4-13 million dollars in equipment. Anything in that magnitude is very cheap not only for a government, but for most banks and big corporations - heck, it's attainable even for a very rich individual. Honestly I don't see what the motivation would be, but it's technically a fragile system.

Sad but true...

The cause of such weakness is in the chosen POW method: sha256(sha256(H)). It allows building highly specialized, cost- and power-efficient mining rigs, thus shifting the balance from ordinary users having only their general-purpose PCs to governments and corporations with their resources for R&D in mining.

How can we fix this issue?

I propose a main criterion of specializability of a POW method: the order of magnitude of the number of processing and storage elements necessary for one unit of rig.
In the case of sha256(sha256(H)) it's 10 ALUs + 8 RAMs per round, and it's relatively simple to trade off processing power for storage and vice versa (I mean the pipelining technique) because of high data locality. But we must keep the criterion as close to a general-purpose PC as possible, so that extensive specialization techniques are limited by exponential growth in the cost of such optimization.

I don't have any idea better than increasing the storage requirements for a rig unit, thus breaking the data locality.
Say we have N storage units where
  • S_0 = sha256(H);
  • S_{i+1} = sha256(S_i + S_j), i = 1..N, j = S_i mod i;
  • and finally POW = sha256(S_N).
We need N to be big enough to outfit processor registers and cache with intermediate S_i values and small enough to store all that data in RAM without swapping.
And also N needs to be adjusted to the difficulty somehow.

Any thoughts?
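The chained construction proposed above, written out as a runnable model so the memory-residency argument can be checked; this is an added example, not code from the post or from any project. It assumes "+" means byte concatenation and, because the post's index range leaves S_1 undefined, starts the recurrence at i = 0 with j forced to 0 for that first step.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def memory_hard_pow(header: bytes, n: int):
    """Return (POW, chain) for the proposal:
    S_0 = sha256(H); S_{i+1} = sha256(S_i + S_j), j = S_i mod i; POW = sha256(S_N).
    Assumption: i runs from 0, and the i = 0 step uses j = 0 (the post's
    range i = 1..N never defines S_1). Each step reads a pseudo-random earlier
    S_j, so all n + 1 digests must stay resident: that is what defeats the
    small-register pipelining that makes sha256(sha256(H)) cheap to specialize.
    """
    chain = [sha256(header)]
    for i in range(n):
        j = int.from_bytes(chain[i], "big") % i if i > 0 else 0
        chain.append(sha256(chain[i] + chain[j]))
    return sha256(chain[n]), chain


def meets_target(digest: bytes, target_bits: int) -> bool:
    # "Less than the target": the leading target_bits bits of the POW are zero.
    return int.from_bytes(digest, "big") < (1 << (256 - target_bits))


def mine(header: bytes, n: int, target_bits: int, max_nonce: int):
    # Parallelism is only available at the try-different-nonces level; each
    # nonce still needs the full n-step chain and its (n + 1) * 32 bytes of state.
    for nonce in range(max_nonce):
        pow_hash, _ = memory_hard_pow(header + nonce.to_bytes(4, "big"), n)
        if meets_target(pow_hash, target_bits):
            return nonce
    return None


def verify(header: bytes, nonce: int, n: int, target_bits: int) -> bool:
    pow_hash, _ = memory_hard_pow(header + nonce.to_bytes(4, "big"), n)
    return meets_target(pow_hash, target_bits)


if __name__ == "__main__":
    HEADER = b"constructed block header"  # constructed sample input
    N, BITS = 4096, 8
    nonce = mine(HEADER, N, BITS, 100_000)
    print("nonce:", nonce, "valid:", verify(HEADER, nonce, N, BITS))
    print("state per nonce: %d KiB" % ((N + 1) * 32 // 1024))
```

Note that N fixes the memory footprint while target_bits fixes the expected number of nonces, so the two knobs the post wants tied to difficulty are separate here.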