|
Title: stealth 51% attack Post by: CliffordM on January 30, 2012, 11:47:56 AM If someone had a 51% hashrate, what would stop them from solving blocks but not actually publishing the answers?
In this way, they could create a fork of the blockchain which would be longer than the real published one, and obviously they could publish this fork whenever -- thereby re-writing the existing blockchain, which could be many blocks long. You wouldn't know about this until it happened, and it could be very damaging -- Imagine if the last 200 blocks were suddenly re-written... Is there a way of mitigating against a stealth attack like this ? Title: Re: stealth 51% attack Post by: Bitcoin Oz on January 30, 2012, 11:53:07 AM Thats why they have lock in points so you cant rewrite things.
Title: Re: stealth 51% attack Post by: Costia on January 30, 2012, 11:53:55 AM if anyone can control 51% he will control the bitcoin network
no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain Edit: what lock in points? the longest chain wins. Title: Re: stealth 51% attack Post by: interlagos on January 30, 2012, 12:04:37 PM if anyone can control 51% he will control the bitcoin network no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain Edit: what lock in points? the longest chain wins. I think certain block hashes get hardcoded into the client with every new release. This way if the longer blockchain doesn't satisfy these conditions it will get rejected. Title: Re: stealth 51% attack Post by: CliffordM on January 30, 2012, 12:06:43 PM But my point is that an attacker might CHOOSE to be stealthy -- his motivation may be disruption rather than immediate block rewards. If an attacker is overt about his 51% ability, then everyone will know this by observing that he is solving most of the blocks (but not all of them).
By withholding his solutions, he has the (secret) ability to rewrite the block-chain at any time, and will own ALL of those last blocks. This is a valuable option. He won't be any richer as the blockchain will be shorter than if he shared his hashing power upfront. But he has caused the 49% hashing to be effectively wasted when he dumps his chain. It worries me as waiting for 6 confirmations is only good in the absence of something like this. Is there such a thing as a lock point ? I thought it was longest-chain-wins ? Title: Re: stealth 51% attack Post by: Costia on January 30, 2012, 12:09:42 PM if anyone can control 51% he will control the bitcoin network no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain Edit: what lock in points? the longest chain wins. I think certain block hashes get hardcoded into the client with every new release. This way if the longer blockchain doesn't satisfy these conditions it will get rejected. and it would be kinda strange if this was true, any sources for this? to clifford: if somebody gets 51% he can do (almost) whatever he wants from that point and on. edit: but it would be quite hard to get to 51% without being noticed - he will have to take over deepbit and another pool, or create a larger one himself - which will either take a lot of time or a lot of money (probably more than the net worth of bitcoin) Title: Re: stealth 51% attack Post by: interlagos on January 30, 2012, 12:14:45 PM if anyone can control 51% he will control the bitcoin network no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain Edit: what lock in points? the longest chain wins. I think certain block hashes get hardcoded into the client with every new release. This way if the longer blockchain doesn't satisfy these conditions it will get rejected. and it would be kinda strange if this was true, any sources for this? to clifford: if somebody gets 51% he can do (almost) whatever he wants from that point and on. edit: but it would be quite hard to get to 51% without being noticed - he will have to take over deepbit and another pool, or create a larger one himself - which will either take a lot of time or a lot of money (probably more than the net worth of bitcoin) Yes between releases coins are not protected, only old enough coins are safe. I know for a fact it was done for one of the alt-chains in the beginning, so I think they inherited this behaviour from bitcoin. Title: Re: stealth 51% attack Post by: Costia on January 30, 2012, 12:17:18 PM but old enough coins are safe anyway - you can replace a block from the middle or something
the only non safe ones are from the time somebody got 51% and later Title: Re: stealth 51% attack Post by: interlagos on January 30, 2012, 12:21:58 PM but old enough coins are safe anyway - you can replace a block from the middle or something the only non safe ones are from the time somebody got 51% and later Yes lock-in points is a type of damage control. If it happens that an attacker started to build its own chain a few (dozens of) blocks before recent lock-in he would need to re-start, so it is less convenient for him to do it. Title: Re: stealth 51% attack Post by: rjk on January 30, 2012, 02:39:34 PM A withholding attack may only be marginally successful. My understanding is that the client will refuse to parse so many blocks in such a short space of time. If you try to dump a large pile of blocks on the client, it will probably refuse them.
Title: Re: stealth 51% attack Post by: DeathAndTaxes on January 30, 2012, 02:41:45 PM If someone had a 51% hashrate, what would stop them from solving blocks but not actually publishing the answers? In this way, they could create a fork of the blockchain which would be longer than the real published one, and obviously they could publish this fork whenever -- thereby re-writing the existing blockchain, which could be many blocks long. You wouldn't know about this until it happened, and it could be very damaging -- Imagine if the last 200 blocks were suddenly re-written... Is there a way of mitigating against a stealth attack like this ? You just described the 51% attack. No attacker is going to be overt. They will build a private chain publish it and force a re-org. Then do it again and again and again and again and again and again until Bitcoin is dead. No need to call it a stealth 51% it is a 51%. You should assume any 51% attack will be done in private. Title: Re: stealth 51% attack Post by: DeathAndTaxes on January 30, 2012, 02:42:50 PM A withholding attack may only be marginally successful. My understanding is that the client will refuse to parse so many blocks in such a short space of time. If you try to dump a large pile of blocks on the client, it will probably refuse them. It won't. What do you think happens when you install a new client. It downloads the blockchain. By definition in a distributed network there is no way for a client to know how far ahead the rest of the network might be. It simply asks for new blocks, gets them, and verifies them. Title: Re: stealth 51% attack Post by: hazek on January 30, 2012, 08:29:13 PM I wished people knew statistics and realized that you need far more than 51% in order to pull of what you're suggesting.
Title: Re: stealth 51% attack Post by: DeathAndTaxes on January 30, 2012, 08:54:06 PM I wished people knew statistics and realized that you need far more than 51% in order to pull of what you're suggesting. You don't and yes I know statistics. With 50% + 1 hashes/s of network capacity you will eventually have the longest chain. Given enough time it is an inevitability. Anything greater than that just reduces the avg time before you have a given probability of being ahead.Title: Re: stealth 51% attack Post by: Costia on January 30, 2012, 09:03:24 PM to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days
Title: Re: stealth 51% attack Post by: DeathAndTaxes on January 30, 2012, 09:07:34 PM to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days True but the problem is your chance is very low. With 40% of hashing power you have a 40% chance of being ahead after 1 block but only a 0.4^6 = 0.4% chance of being ahead after 6 consecutive blocks. Even if you did pull that off miners using a modified bitcoind to mine on the valid chain and eventually they will surpass and orphan your "attack chain". While it could be potentially disruptive there is a counter to it. With 51% hashing power you can hash well past the "official chain" till the point that the "good guys" regaining the longest chain is improbable. Title: Re: stealth 51% attack Post by: hazek on January 30, 2012, 09:10:11 PM to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days What? What do you mean ahead for a few hours/days? I thought the 51% attack was carried out by getting lucky with the 51% of hashing power or more to get at the min 6 consecutive blocks found by your miner so that you can insert a fraudulent doubles spent transaction into the block chain and fool someone it is legitimate before you run out of luck and some other miner finds a block invalidating your transaction? I thought all the amount of hashing power you have raises the odds of finding 6 consecutive blocks high enough to make it worthwhile to even attempt such an attack and that 51% was deemed where these odds get high enough? Title: Re: stealth 51% attack Post by: hazek on January 30, 2012, 09:11:31 PM With 51% hashing power you can hash well past the "official chain" till the point that the "good guys" regaining the longest chain is improbable. How does that happen if the blocks you found are fraudulent and will get ignored once the "good guys" find a block? Title: Re: stealth 51% attack Post by: DeathAndTaxes on January 30, 2012, 09:18:46 PM to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days What? What do you mean ahead for a few hours/days? I thought the 51% attack was carried out by getting lucky with the 51% of hashing power or more to get at the min 6 consecutive blocks found by your miner so that you can insert a fraudulent doubles spent transaction into the block chain and fool someone it is legitimate before you run out of luck and some other miner finds a block invalidating your transaction? I thought all the amount of hashing power you have raises the odds of finding 6 consecutive blocks high enough to make it worthwhile to even attempt such an attack and that 51% was deemed where these odds get high enough? Well no even @ 51% the odds of getting ahead in 61 blocks is very low. The fact is that even if you aren't ahead you can continue until you are. Each new block is another chance of you pulling ahead. With "only" 51% of hashing power the odds you will be 6+ blocks ahead in 6 blocks is about 1.7% but it is about 8% after 20 blocks and and about 38% after 24 blocks and 72% after 100 blocks.... etc. Having >51% lets you get to those more likely numbers quicker. For example w/ 55% of hashing power to be have a 99.9% chance of being 6+ blocks ahead takes only 340 blocks. With 60% that drops to 90 blocks. With 65% it is only 40 blocks and with 70% a mere 20 blocks. Title: Re: stealth 51% attack Post by: DeathAndTaxes on January 30, 2012, 09:19:41 PM With 51% hashing power you can hash well past the "official chain" till the point that the "good guys" regaining the longest chain is improbable. How does that happen if the blocks you found are fraudulent and will get ignored once the "good guys" find a block? How do you know they are fraudulent. More importantly how does every single client on the distributed network know? Title: Re: stealth 51% attack Post by: Costia on January 30, 2012, 09:20:26 PM the double spend is not inserting 2 transactions in the same block that double spend - this kind of block will be rejected
the idea is that you spend the money on the real chain, and then release your own longer chain that doesn't have this transaction in it. so you end up with having the money in your wallet although you spent it on the real chain. thats why the 6 confirmations - there are chainsplits happening when 2 miners find a new block at about the same time - but this will get sorted out when the next block is found and will choose which split is now the longest http://blockchain.info/orphaned-blocks to be able to do this at will and for a long period of time you will need 51% you can cause shorter splits with less Title: Re: stealth 51% attack Post by: hazek on January 30, 2012, 09:50:09 PM Hmm looks like I really didn't understand what the 51% or more hashing power attack was suppose to look like or do.
I reread this: Quote Attacker has a lot of computing power An attacker that controls more than 50% of the network's computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to: Reverse transactions that he sends while he's in control Prevent some or all transactions from gaining any confirmations Prevent some or all other miners from mining any valid blocks The attacker can't: Reverse other people's transactions Prevent transactions from being sent at all (they'll show as 0/unconfirmed) Change the number of coins generated per block Create coins out of thin air Send coins that never belonged to him It's much more difficult to change historical blocks, and it becomes exponentially more difficult the further back you go. As above, changing historical blocks only allows you to exclude and change the ordering of transactions. It's impossible to change blocks created before the last checkpoint. Since this attack doesn't permit all that much power over the network, it is expected that no one will attempt it. A profit-seeking person will always gain more by just following the rules, and even someone trying to destroy the system will probably find other attacks more attractive. However, if this attack is successfully executed, it will be difficult or impossible to "untangle" the mess created -- any changes the attacker makes might become permanent. And am now even more confused than before. If I understand this right, then this shouldn't be under the "Probably not a problem" category and am actually surprised we haven't had this type of an attack yet. I still don't understand why the need for 50% or more, why say 30% wouldn't be enough.. Title: Re: stealth 51% attack Post by: Costia on January 30, 2012, 09:57:41 PM because the chances of making it last N blocks is (percent/100)^N
most people wait for 6 confirmations - 0.3^6=0.000729 = 0.07% -> less than 1 out of 1000 and then after 6 blocks it will get reversed (chance to make it stick for 7 blocks is ~1 out of 5000) also you will loose the reward for those blocks, so on average you will loose 6blocks*50BTC*1,000(due to the cahnce of 0.07%) = 300K BTC in legitimate block rewards for a chance to double spend |