Bitcoin Forum

What does that actually mean? Here have been a lot myths around, so I made some calculations.

What are possible attacks? When an attacker has more than 50 % of ressources, he may generate the longest block chain ignoring the other miners.

What does that mean?

If a miner has 50 % of computing power, he could reject transactions in half of the blocks generated. That means that for every good block there is an evil block. Which means that you have to wait for one block that does not include the transaction before your transaction gets included (all numbers mean the average!).

50 percent: transaction wait time doubled

You can calculate the numbers with the following formula for x %: c(x) = log_x (0.5)

Results:
50 % attacker power: wait 1 extra block before you get your transaction included
60 % attacker power: wait 1.36 extra blocks before transaction included
70 %: wait 1.94 extra blocks
80 %: wait 3.11 extra blocks
90 %: wait 6.58 extra blocks


Now we see, that even if you invest tremendous costs in getting a huge majority of computing power, you can't do a lot of harm.

You are thinking so small...

An attacker with over 50% of the hashing power doesn't need to broadcast their blocks. They could very successfully eat a month's worth of transactions if they wanted to. Oh, and if any of those transactions used newly minted coins, they are now permanently reversed.

Yes, reversing is a possibility that I left out here. But you are right, I didn't think about that. If somebody would want to attack the network with a majority of computing power, he will just stay out of the net and generate blocks for a while, and could be showing up weeks later with a way longer block chain.

What if the attacker stay disconnected from the network, generate a longer blockchain (with higher difficulty and what else) and THEN join the network?

His blockchain would be the longer and would instantly replace our, right?

One thing that hasn't been mentioned regarding "If an attacker gets more than 50 % of mining power", is that the attacker could double spend coins.


umm...Fact: blocks are generated at the same average rate of 1 block every 10 minutes regardless of difficulty.  So it wouldn't be possible for a disconnected attacker network to generate a significantly longer blockchain.

But the blockchain "lenght" is based both on number of blocks and difficulty

So if his chain is shorter but has a much higher difficulty?

It's possible. ArtForz once wiped out all of testnet by mining some high-difficulty blocks.

Ahh, yes, I see what you are saying.  But I guess if the attacker is using a higher difficulty, then he would need much much more than %50 of computing power since higher difficulties require significantly more hashing resources.

How realistic(practical) this attack is ?  

Can be easily pulled off if AMD is in on the attack... for now.

Very doable if you can afford to spend 10/15 millions of $

Any rich guy could happily do it without problems...

Yeah, but you can't double spend easily with close to 50 %.

But due to Sathoshi's genius clever design, would-be-attackers are instead incentivised to use their resources as legit miners instead, thus increasing the strength of the main block chain.

You forget the "do it for the lulz" factor

Getting 50% would take a few million dollars, but rewriting many past blocks is much more expensive.

Even if any of this does happen, it can all be manually straightened out after control is regained.

Yes, private attackers could be persuaded by the reward for honest mining. But banks and governments who are willing to invest to just shut down bitcoin are still a danger we should be aware of. I don't see any chance for them to get sabotage done, and it will get harder as bitcoin gets more users and miners. But we should always have the possibility of attackers in mind, who don't care about money but about hurting bitcoin.

Well he should buy the hardware and then run it long enough to have a longer blockchain

Once this happens how can you fix this? The only way would be to organzie a separate network with the old blockchain and telling miners to mine on it until it finally become once more longer than the "bad one"

It can be done but it require 1)a backup of the old blockchain 2)enough miners that know what to do

And what if the Earth explodes ?
And what if the aliens invade ?
And what if I am my own grandfather ?
And what if we're all living in a computer-generated virtual reality while being used as thermal-electrical generators (which would be extremely stupid because humans are extremely unefficient as powerplants but what if) ?
...
(continue as you wish into infinity, with absolutely no purpose)

It is not so hard for a rich guy or organization to spend 15millions to fuck bitcoin...

Personally I mostly fear the following scenario, which anyone can do at home (if he has a billion dollars lying around):
1. Short lots of bitcoins.
2. Build a huge mining cluster and completely mess up the block chain.
3. Watch prices drop as panic ensues.
4. Profit.
5. Lather, rinse, repeat.

If it happends once there will be no secont time bitcoin will be dead.

I think Bitcoin can survive this happening once. The problem is if there is a reasonable expectation of it happening again. That's why the possibility of repeating it scares me.

You have to explain what you mean by 2.

Bitcoin never deletes blocks, so everyone will still have copies. The pools can be updated in no time, and they represent almost all of the network's hashing power.

For starters, he can create a new branch with none of the transactions from the last 1000 blocks. Or he can bypass X% of blocks as per your original post, which is not very dangerous for merchants but will piss off miners who wish to be rewarded for the blocks they find. And so on, he can get creative.

Assuming a consensus can be reached not only about which chain is the real one, but also that discarding the computationally longest chain in some circumstances is desirable.

To reverse a 1000 blocks and to catch up then to make the longest block chain takes way more than 50 %, if you want to get it done in a decade.

Not really. With 67%, you can reverse 1000 past blocks in a week. Reversing 1000 future blocks takes a week with 52%.

If you have more than the rest of the network combined (so more than 50% of total power including you), you can grow the alternative chain indefinitely as long as you are ahead. If you have 1% more than the network, you will be 1.44 block ahead per day. If you have 10% more, you will have 14.4 blocks per day. If you have twice the current Bitcoin network, you will reverse 1000 blocks in less than a week.

If you want to do as much of a mess, grow your chain, and wait until the rest of the network caches up with the speed. And then release the alternative chain.

I don't know.  I tend to be a firm believer in Emergent Order.  I usually assume that everyone is a self-interested bastard by default.  But Cooperation is more preferable to Sabotage in most cases, especially with bitcoin.  If the governments and banks cooperate with us, then they can profit from mining legitimately.  That's a positive sum game.  But spending billions of dollars on a ton of AMD GPUs simply so that you can destroy the bitcoin network is a negative sum game. 

There is a reason why successful governments like US & China don't tax %100 percent of your income, but rather realize that after about %50 then your people aren't incentivized.  And there are reasons why most Nations and Businesses are not engaging in constant battle sabotage against their competing Nations and Businesses (sure, there is some of this going on, but it is not the major component of expenditure).

I suspect that eventually the US government, PayPal, and banks will reluctantly embrace bitcoin.

Governments will still be able to tax, even if they can't arbitrarily inflate.  Sure they will have to tighten their fiscal responsibility belt, but they will be benefited by a robust bitcoin economy, and will simply tax visible transactions.  And I suspect they will be using the resources from government supercomputing labs to mine bitcoins by default when they aren't running more valuable experiments.

PayPal will start accepting payments with bitcoin as just one of many accepted international currencies the moment they realize that they can make more profit by embracing bitcoin instead of attacking it.  PayPal would rather offer secure online storage of your wallet and insurance against loss from scammer transactions as eBay currently does.  I can image some clever paypal employee submitting a bitcoin proposal which eventually reaches the CEO, who then sells it to the rest of the board and shareholders, and then someone might get a raise.

Banks wouldn't completely disappear, but would rather have to refocus on being investment vehicles which facilitate people with long term monetary preferences to loan out their bitcoins to borrowers with short term monetary preferences.  Sure they won't be able to artificially create bitcoins at whim out of thin air, but they would instead form clearing houses with competing banks and try to keep their liabilities as closely matched to their available assets as possible.  The banking sector will be stabilized and return to sanity, not destroyed.


Hmm... Yes I forgot about the lulz factor.  The lulz factor totally throws off anyone's refined security analysis model.  Serious, it's true.  Just look at everyone they hacked.  Totally not expecting it.  Totally were prepared for anything but a lulz attack.  (I'm only being 25% sarcastic those last 3 sentences, since it is true that the lulz factor will definitely screw up anyone who's not prepared for a lulz response.  Maybe it will become standard operating procedure for major internet companies to develop a "lulz response protocol" soon :) .)  But I do suspect that deep down, lulz security was motivated by something more than just the lulz...

Sorry, I'm confusing, because I'm a newbie in Bitcoins world, just two weeks of knowledge about it...

Until today, I believed that miners only do mining... What they do more? Why miners are so important to keep the safety of the Bitcoins network?

If miners cash-out someday, this will leave the network unprotected.. But why?!?

By the way, then it is possible spend the same Bitcoin twice?! Since I have enough computing power for this?

And then it is also possible reverse the payment?!

All depends on the computational power?!

If the U.S. government and Fed tries to do these things today?! We are fucked?!

I'm very curious and concerned!

Thanks!
Thiago

Thiago, a related answer is here


Related thread:

Bitcoin's kryptonite: The 51% attack
http://forum.bitcoin.org/index.php?topic=12435.0

actually it looks to me like the gold/silver bull market is over.

i envision a time when the gov't may use bitcoin as the basis for a digital "gold standard" upon which they could make USD loans which just happens to be an important part of economic growth whether we like it or not.  fractional reserve lending just has to be reasonable.

the problem for precious metals has always been rebalancing the physical stores seamlessly over great distances to reflect countries overleveraging.  with bitcoin, this rebalancing would be instantaneous.  it would be a win/win situation:  keep the USD intact, allow modest leveraging via debt formation, yet have a digital bitcoin backing to keep the system in check.

Thiago, I had similar concerns when I was a noobie as well.  Most of the answers to your questions are well documented in the bitcoin wiki and faq, or have been answersed extensivly in this forum, which you can easily search the achives for answers.  I will give quick incomplete answers below:


The process of mining is essentially verifying the legitimacy of transactions.  The more GPUs mining for bitcoins, then the stronger the legitimate network is, thus making it very difficult for adversaries to overcome the strength of the network by passing off bogus transactions as legitmate.


But when a lot of miners "cashes-out", then the bitcoin client will automatically lower the mining difficultly level based on a hard-coded protocol.  Since it will now be easier to mine, then that means that other people, including noobs like yourself, would be incentivized to mine at the easier difficultly level, since the bitcoin payment for solving a block would remain the same (50 BTC/block solved currently).


As has been discussed many time, it would be REALLY REALLY difficult and expensive.  At this point, only a huge collusion of powerful governments and corporations would be able to do it.  Keep in mind, there are tons of teenagers out there with free GPU & electricity from their parents who can hash for basically zero cost (to them, not to the parent :) ).  Plus all the thousands of businesses out there who deal with bitcoin and thus are incentivized to mine and maintain network security.


Yeah, but again...very hard.  And you couldn't reverse all payments, just a few recent ones if you are sucessful.


pretty much.  And network bandwidth.


Possibly.  They would have to retool all the US government supercomputing research centres in order to mine for bitcoin.  But I almost feel at this point, there is are more legitimate ordinary people mining GPUs that the US government would be incentivized to instead join us legitimate miners! :)


No problem.  Again, I had similar concerns when I was a noob as well.  Anyway you get a gold star in my book for using Ubuntu Linux and for asking simple & clear, but non-trolling questions/concerns.

This is a common misconception. A supercomputer is not efficient for hashing. Its too expensive. Hashing is a very simple computing process that does not requiere a supercomputer.

Any government or organization can pwn bitcoin by building a specialized hashing hardware factory, for a couple of millions of dollars. No actual supercomputer required.

This is certainly wrong, and your other numbers are probably wrong, too. If you control 52% of the network, you must use one of your blocks to negate a legitimate block 48% of the time. So 48% of the network is producing legitimate blocks, 48% of the network is negating those blocks, and only 4% is left producing new blocks. The network would only produce 5.76 blocks per day.

Yes indeed, especially considering that most of the scientific research labs are optimized for floating point computation, not integer code which is what SHA basing uses.


We will have to do the math.  I don't know.

To create 1000 old blocks, you need to do an average of 5923676160960014000 hashes at the current difficulty. Plus, to actually replace them you need to constantly fight against the existing network. To negate all legitimate blocks takes a hash speed equal to the current network hash speed (~12 Thash/s at the moment).

So you need 12 Thash/s plus about 6 billion billion hashes to rewrite 1000 blocks. If you want to replace the blocks within a week, you need a total of ~22 Thash/s.

Let's say a 6870 does 300 Mhash/s (I don't how true this is). You need ~41285 6870s to get 50% of the network plus ~32646 more to create 1000 blocks at current difficulty within a week. That's at the very least $10 million.

And once the attacker gets sick of wasting so much money, everything can be fixed without much loss by blacklisting their chain.

.

So you are essencially admitting that such an attack would render the system useless, as long as the attack is sustained.

Yes, but only for as long as the attack is sustained. It would be a DoS attack, not the End Of Bitcoin.

WOW! Thank you!!


 Reading the wiki page about scalability (https://en.bitcoin.it/wiki/Scalability (https://en.bitcoin.it/wiki/Scalability)), they are talking about a "supernode client", this supernode can assure the safety of the network for themselves without mining? If the miners go away abruptly...

 Or the purpose of the supernode is just to save disk space for regular clients?


 AWESOME! THANKS!!!   ;D

If you want to do that in secret, you will have your own difficulty, which means that the others are twice as fast.

If you don't do that in secret, and you reject blocks of others, they will discover you very early.

You can't do it faster, because the difficulty will increase. If you generate a lot more than 6 blocks an hour nobody would accept that chain because the difficulty does not match.

Forget that, of course you can generate as fast as you like blocks with timestamps from the past.

15 millions of $ aren't "billions"  :D

Only until difficulty is recalculated.

Isn't blacklisting blocks that have been mined per the bitcoin protocol (albeit being fraudulent) kind of like... central banks who don't like people that make counterfeit money? Bitcoin is peer-to-peer, so which central authority in bitcoin would decide what blockchain to blacklist? I really hope there isn't one, because if there is, that central authority could use their power to "blacklist" any blockchain they want, in principle...

Billions of Yen. :)

Well there wouldn't be a centralized authority using violence to enforce the blacklisting.  I'm guessing it would be something like bitcoin.org putting up an alert to block a certain range of questionable ip addresses or if there was a way to identify the questionable blocks then send out a quick patch for miners to voluntarilly install.  Note that you wouldn't need everyone to comply, but instead just enough miners to shift the advantage from the forces of evil to the forces of good.

My numbers are not wrong, they just relate to a different attack from what you have in mind. I was talking about building up an alternative branch starting from the current block, without releasing blocks during construction. After about a week, the honest network will have on average 1000 blocks while the attacker will have on average 1083 blocks, and with high probability he will have more blocks.

What does an attacker get from having the longer blockchain? Waste of energy?

The Bitcoin protocol specifies that the longest branch is the valid one. Thus an attacker having the longer chain can decide which transactions are to be included in it.

And I thought we already said that this allows disrupting Bitcoin commerce, for:
1. Damaging Bitcoin for political reasons.
2. Profiting from shorting.
3. Other stuff.