Bitcoin Forum

I develop a quantum computer super fast computer that generates bitcoins rather quickly.

I solve 2016 blocks in a matter of nanoseconds.

I then disconnect myself from the network and never tell the world about my super fast bitcoin generating technology. My aim is to ruin the bitcoin network. I am a rogue government or central bank with almost unlimited funds.

In theory, would it not take years/decades for us "average computers" to then solve the next sequence of 2016 blocks once I removed myself from the network? Thus "ruining" the bitcoin generation mechanism at least?

EDIT: Not only could they ruin the generating mechanism, but they could cease all transactions from taking place on the bitcoin network for a matter of years/decades because the difficulty level to solve a block would be raised so "artificially" high that we could not generate one for the life of us.

Well, yes, but this is a catastrophic scenario where it would be easy to get all developers of all clients to agree on resetting the difficulty to the last known good value. As long as we can get 50%+ to use a client we can do whatever we want with Bitcoin ^^

I doubt you'll be able to build a quantum computer large enough to do this, before anyone else builds a smaller computer which will convince us we need to upgrade the protocol.

Also, is SHA-256 known to be cracked by QC? QC are notorious for being assumed to solve things they're actually not known to.

Kind of tough to do when the creator of the super fast computer is the Chinese government and China is the largest user of bitcoin. (Which is probably one of the more plausible scenarios for my given example).

Holy-Fire, obviously I cannot build a quantum computer with my knowledge alone.

Feel free to exchange "quantum computer" with "super computer", "super cooled computer", "super fucking fast computer", etc...

Beowulf cluster with real wolves.

Anyway, theoretically if this happens, could it happen again after the difficulty reset? What would stop it from happening again and again, claiming 10 million BTC for itself? What if they did it and then gave every bitcoin address it could 50BTC with a 5,000BTC transfer fee? What would happen if bitcoins inflate from 5.6mil to 21mil over the course of 6 months?

Good eye. My thoughts exactly.

The attacker could easily sit quiet for a few years while we struggled to solve the problem. (Literally).

Or if we ever did manage to convince the entire world to accept our new difficulty rate... the attacker could spring again in an instant. (I'm sure they'd be watching...)

Eventually, the general public would become tired of this "nonsense". And bitcoin would die.

Transaction fees can't come out of a thin air, they come from a previous transaction with an input controlled by the person. Of course the difficulty should be reset only after we've patched the vulnerability. If the person is too disruptive he can collapse the economy and the bitcoins he mines will be worthless, so there's little incentive to do this. A better way for him will be to increase his mining output gradually to camouflage as organic growth of the ecosystem.

Maybe somebody with a little more technical knowledge of the bitcoin generation algorithm can chime in?

I was thinking...

Bitcoin's goal is to have a block generated every ten minutes, correct? So it could wait at least 10 minutes before it created the 2017th (1st) block... That would have the negative effect of slowing down the network transfer speed (to a maximum of 10 minutes)... But at least we could maybe negate the attack this way in an attempt to possibly locate the attacking machine and block it from the network?

But then again... who has the authority to deem one computer "too powerful" for the network...?

I am beginning to become seriously worried by this possible problem.

Re: Holy-Fire's post just above... The attacker's incentive may not be to make bitcoins worth more, or "steal" bitcoins... but to ruin the bitcoin network/authority in general.

Another possibility besides super computing would be a custom-made chip that only generates bitcoins.

Create 10,000 or 100,000 of these (for $25-$50M USD) and cluster them into one board and you could probably pull off a similar effect. (As opposed to a quantum computer).

I assumed transaction fees are given to those who process/confirm the transaction. So 100 confirmations = 100 people getting 1/100th of 5,000BTC.

No, each transaction appears only in one block. Its transaction fees go to the one who found this block. The number of confirmations simply mean the number of blocks found after it - the more there are, the greater the chance that the block, and hence the transaction, are part of the established timeline.

Thanks for the insight guys! But let's not try to stray too far away from the original question/problem at hand here.

Is this a semi-valid doomsday scenario for Bitcoin?

I'm not sure I'm getting the problem right, but if you are talking about the problem that difficulty will stay insanely high, then it seems easy to fix. There could be another condition for difficulty adjustment based on time span rather than block count.

Also, somebody having 100,000 more computing power than anybody else on earth is doomsday scenario not only for the bitcoin. We're living in information age, it's having power over the world.

Well as long as the super computer stays it's all ok because the protocol still works and transactions can be processed, the scenario where he leaves is unlikely because he has an incentive to stay (Bitcoin generation).

Beowulf? Why couldn't Bitcoin have started earlier, I had access to the ETH Zurich/EPFL Beowulf cluster, damn :D

I don't know. Most endeavors only give a logarithmic return or worse on raw computing power, at least after a certain point. It's how you use the computation that matters.

By the way, I'm still interested if anyone knows to answer my earlier question, whether quantum computers are known to solve our hashing problem efficiently.

Guys... whether or not it is "profitable" to generate bitcoins in my ridiculous manner mentioned is beside the point.

If and when a large government entity wishes to destroy bitcoin. Is this one of the ways they could go about it?

The idea was... that they would generate 2016 blocks within a matter of nanoseconds, and then disconnect from the network entirely. Thus setting the generation difficulty bar so high that they "ruin" basically everything.

Even transactions would cease to occur would they not?

The difficulty can't go up or down more than 4x in one adjustment, so it'd take longer than 2016 blocks to become completely out of reach.

If that ever happens, I suppose we'd have to change the difficulty adjustment method to fix it.

One of the Bitcoin developers would publish an updated version of the client where the difficulty has been reset manually @ the affected block.

Most users and miners would accept this change because it's to everyone's benefit.

Remeber that nobody is forced to adhere to the Bitcoin protocol. Anyone can use a modified client if they wish. The hard part is convincing other users to accept transactions.  

True. But the attacker in my scenario doesn't care one bit about accumulating bitcoins. They only care about crushing it's existence.

That was going to be one of the suggestions I just had as a way to stop this attack... but how often do the "adjustments" take place?

Theoretically this is just a bandaid to the attack vector. Even if the bitcoin network forced a new difficultly to be increased by only 4x every 10 minutes... the difficulty could be increased 4^6=4096 times within one hour. Thus ceasing all transactions to a halt (once they backed out of generating).

I doubt the bitcoin core developers will update their software once an hour.

And what if the difficulty adjustment takes place instantaneously? Which I assume it would... the attacker could ramp up a 10,000 factor difficulty in a matter of seconds just as originally described. With a 4x per increment maximum or not.

vladimir, are you talking about 50% network capacity in terms of computer power or networking nodes? I am referring to a single computer capable of generating 2016 blocks within a matter of seconds on a single node/ip address. And then abandoning the network. Thus making it nearly impossible for the rest of us to solve a block... ever.

LOL, such a simple mitigator that I feel dumb not thinking about it while reading this thread.

So why not change this right now while it's still easy to something like a difficulty adjustment every 144 blocks with a maximum increment of 0.5x and unlimited decrease?

This is not an acceptable hypothesis.

By the way, the bitcoin network computing power is already comparable (~50%) to the strongest supercomputer on Earth, according to what I've read in these forums.

Yeah, there are computers that are orders of magnitude faster than other computers, but not that much faster than all the other computers combined (or even all the ones working on bitcoin).

1. I don't get how this could help, we would not be able to solve even one block. It could be maybe something like "adjust difficulty if no block if found for N hours", but:
2. Really, fighting this problem seems like fighting hash collisions to me. Yes it can happen. Yet it would be bad. But what are the odds?

I don't get it, why wouldn't be able to solve even one block? As I see it, lower number of blocks needed per adjustment and lower maximum increment would allow things to go back to normal faster after an attack.

Take the current mystery miner effect for example. If difficulty was adjusted every 144 blocks instead of every 2016 then we would already be generating ~6 blocks an hour like we are supposed to, but with the current setting we still have more than a week to go before we go back to the optimal rate.

Why initiate such a lame attack? Anybody who can generate 2106 quickly can generate an alternative blockchain and inject it into the bitcoin network. Since all the nodes rely on the longest chain, they will accept it as the current one. It will render all the transactions (and hence all the bitcoins owned) from the current blockchain void. Alternatively, it can more slowly, continue with the current blockchain but generate so many blocks that enables the attacker to reverse  transactions at will and make any trust in Bitcoin disappear.

This wouldn't work, as certain block numbers are hard coded into Bitcoin client releases. That block (and thus the previous blocks) must match in order for that client to consider the blockchain valid.

It doesn't matter because it will have almost the same impact. The recent version has hardcoded block 105000 so anything from block 105000 can be voided. It would make a lot of wallets thinner and kill all the trust in the system.

I don't see anyone coming up with such a supercomputer anytime soon.  The fastest computer currently known is the Tianhe-I, which is capable of 2.5 petaFLOPS.  The current Bitcoin network hashing rate is around 500 Ghash/S.  According to ArtForz, one hash/s corresponds to approximately 8000 FLOPS.  Therefore, the Bitcoin network is capable of around 4 petaFLOPS today.  That's pretty amazing if you think about it.  Finding a block in a second, not nanoseconds as you are suggesting, would require a computer capable of something on the order of 2.5 exaFLOPS.  That's a thousand times more powerful than the most powerful supercomputer today.  If someone had such a machine, I suspect the last thing they would be doing with it would be attacking the Bitcoin network.

You're saying that the bitcoin miners altogether already beat the strongest supercomputer of the world? Last time I read about it here it was told that the difficulty should be above 100.000 for that to happen.

If that's truly the case, a few blog posts on it could cause some buzz, maybe even earns us another /.

I got my estimate of network hashing capacity from sipa's graphs here: http://bitcoin.sipa.be/
Then I used the hash-to-FLOPS conversion figures provided by ArtForz here: http://bitcointalk.org/index.php?topic=4408.msg64596#msg64596

So today's approximate FLOPS figure would be (500E9 hash/s) * (4150 intops/hash) * (2 flops/intop) = 4.15E15 FLOPS.  It's definitely a newsworthy development.

Tianhe-1A has 7168 Teslas and with 80 MH/s each, the supercomputer can get 573 GH/s from the GPUs alone. Then, it has 14,336 Xeon X5670 processors, each capable of 19 MH/s=272 GH/s. Total 845 GH/s equivalent to difficulty 140,000.

The quoted 2.5 PFLOPs for Tianhe is with the loss on interconnections. For bitcoin mining, the network is irrelevant and better figure is the peak 4.7 PFLOPs.

Anyway, supercomputers sound sexy and all but you don't need a supercomputer for Bitcoin hashing. The biggest trouble with a supercomputer is to get so much computing power in one place, with fast connections. But you can attack Bitcoin with 10 smaller supercomputers or with a botnet. Mystery Miner achieved 400 GH/s at his peak, and could have reversed transactions.

Currently, the strongest Bitcoin defense is irrelevancy. Nobody cares about destroying Bitcoin, yet. And if Bitcoin becomes relevant, the attack will be more difficult.

Thank you for the numbers.

Raulo, you seem to claim that somebody could "easily destroy" bitcoins in its current stage...

First, to me saying that double-spending by one super-attacker "destroys" bitcoin is way exaggerated. That super-attacker would just become a dangerous criminal, able to "counterfeit" transactions with every unfortunate person which happens to transact with him. That's serious, but it's not a "destruction" of the currency. Such criminal wouldn't manage to go too far, I believe, before being spotted.

And by the way, how easy is that? I mean, how much $$$ would it be necessary to double-spend? Do yo really think that it's a profitable crime? I don't know, but I think the costs largely outcome the potential benefits.

An attacker with more than 50% of the network's CPU can also prevent anyone from ever making a block. It's probably cheaper to maintain 51% continuously than do 2000% or whatever in bursts.

I'm not saying "easily". But it's doable.


It is more profitable just to mine than to double spend but we are discussing destroying Bitcoin, not profiting from that. 


We are discussing in a thread which starts with "Though experiment".  I'm just saying with 50% of network hash, one can destroy Bitcoin. Period. It's in the principles and it is described in the Satoshi's technical paper. One does not need to go into some elaborate "difficulty hiking" to destroy Bitcoin. 500 GH/s of network power is not peanuts but there are a few dozen entities that can pull that.

It doesn't "destroy" Bitcoin. It just makes it unsafe for as long as the attacker is in control.

Do we know that this hashing power was under the control of a single entity?  Could a bunch of kids from overclock.net have joined the network temporarily only to get bored and return to gaming when they realized they would not become millionaires overnight? 

True. But it is equivalent of death of Bitcoin as a currency. A small attack, reversing a few blocks would probably not be fatal for Bitcoin. But a large one? I doubt it. Who would trust it?  Building the bitcoin chain in parallel and reversing all transactions from, say, last week would, for instance, cripple bitcoin exchanges if they would be required to refund the reversed purchases. And it can be done in a stealth way so the community cannot do any countermeasures until after it happens.

Whoever it was, it controlled a single wallet. It could have been a distributed network but under one command.

They can only invalidate transactions that they made (or further transactions that spend transactions that they made).  That makes the attack a lot less likely in practice; if they had a lot of bitcoins, and purchased a lot of good or services (or exchanged them for dollars or euros) with a lot of people, then some of those people are likely to know WHO "they" are.  And if they're in the same legal jurisdiction, it seems to me you'd have a pretty good case for suing them for fraud.

Even if 'they' decided to do this just to try to mess up the bitcoin network it might be messy for the exchanges to clean up but I don't think it would cripple them.  The bitcoin client already trys to select "old money" when it creates transactions, so assuming that the exchange has a good cushion of bitcoins on deposit all the attacker is likely to accomplish is to invalidate their own deposits at the exchange.

All that said:  I'm not going to advise people to hold money they can't afford to lose in bitcoins until the network has a lot more hashing power.  There is still some risk while bitcoin is young.

How did you come to this conclusion? As far as I know there's no in-channel method to determine if two addresses are owned by the same entity.

He transferred all the bitcoins into a single address.

That would do it... interesting. Did I miss a prior discussion of Mystery Miner?

They can invalidate all their transactions and allow anybody else to double spend. I'm pretty sure there will be quite a few of "regular bitcoiners" who will take advantage of this opportunity.

edit: And of course they will invalidate all the mined coins from the reversed blocks and all transactions originating from the mined blocks. Quite a mess.

Thanks for all of the replies guys, we have a great discussion going on here! But I think Gavin said is best... and I am paraphrasing this :P it's still quite risky to invest in bitcoin until the entire world is running near-quantum-computer level super computers and the bitcoin software from their home.

To everybody who says "but they cannot make a supercomputer that powerful..."

Let's just say for simplicity's sake that a 5970 costs $1,000 and that it is too difficult to overclock too many of them at once.

That means 600,000 kHash/sec or 600 MHash/sec costs about $1,000 USD.

With $10,000,000 USD one could place 10,000 x 5970s in parallel. Creating a machine capable of 6,000,000,000 kHash/sec or 6 trillion hashes per second.

According to the bitcoin calculator, that would take an infinitesimally small time to generate a block.

Thus putting us in our doomsday situation that I described above with just a "splash in the pond" to most of the world rich's wallets.

That would be a machine on an order of a 4 Megawatt + ancillaries, call it 5 MW ... not beyond realm of possibilities, but you'd have trouble finding that many 5970s right now I think.

what about a massive botnet (zero running costs) ?
any countermeasure possible ?

Countermeasure is to laugh as their CPUs barely make a dent in our hash rate.

I'm pretty sure 10 million CPUs running 1,000 kHash/sec could make a significant dent in our hash rate. That's still 10,000,000 * 1,000,000 hashes/sec = 10 trillion hashes/second.

Ok so it seems to be "case closed" then. Any massively funded operation could bring bitcoin to a screeching halt (for at least a few days) at any point in time until we are accepted worldwide.

I guess we will have to come up with reasons to dissuade these massively funded operations we are going to disrupt from crushing us like an ant.

I'm going to go and watch "The Jungle Book"  :P

If we convince an anti-freedom organization to spend millions of dollars in order to (temporarily) control >50% of the network's CPU, then we will have gained a massive victory. Not only will we have weakened the organization, but we'll get great publicity. Cheaper DoS attacks are the real problem to be worried about.

This is in itself a DDOS attack. Theoretically the entire networks difficulty can be hijacked in an instant. That can be done for quite "cheaply" given the world's size.

I like your thinking though... if we could get the EFF to create something like their DES cracking board (http://en.wikipedia.org/wiki/EFF_DES_cracker)... that would give us substantial publicity, safety and reason for investment.

A more interesting question is what an entity that controls 1%, 5%, 10% of the processing power devoted to mining could do with such an on - off - on cycle of generating coins. Here's what I think happens:

cycle 1: The entity turns his miners on generating coins at a rate that pushes the difficulty up for the next cycle.
cycle 2: The entity turns his miners off. The difficulty is scheduled to go down next cycle.
cycle 3: The entity turns his miners on again generating coins at a high rate pushing the difficulty up for the next cycle.
cycle 4: Other miners start noticing the pattern and join the on - off - on cycle since it makes sense to only spend electricity during the easy cycles.

cycle n: It becomes obvious to all miners that it is counterproductive to generate coins during the hard cycles and they therefore wait for the easy cycles.

This is a self reinforcing pattern and is unstable as the number of miners remaining in the hard cycles goes to zero the difficulty will flip flop by a factor of 4 (or whatever is the maximum allowed ratio) between the easy and hard cycles. Also the easy cycles will draw more and more newcomers.

More alarmingly, since the difficulty will be slamming against the artificial bounds (the max by 4 factor) it no longer reflects the true difficulty (since it is no longer calculated from the equation that controls block production rate to near one per 10 minutes).

I will give a made up example to show the dynamic: Assume you want to generate 2016 coins per 20160 minute cycle and the available processing power can generate 1000 coins per minute when the difficulty is 1. We set the difficulty to 10000 to get a stable 1000/10000 = 0.1 coins per minute or 2016 coins per cycle.

cycle 1: Entity turns on and adds 10% capacity. Coins produced = 1100/10000 = .11 coins/min (time to produce 2016 = 18327 min) -> difficulty is set to 11000
cycle 2: Entity turns off. Coins produced = 1000/11000 = .091 coins/min (time to produce 2016 = 22176 min)  -> difficulty is set to 10000 again
cycle 3: Entity turns on. Coins produced = 1100/10000 = .11 coins/min (time to produce 2016 = 18327 min) -> difficulty is set to 11000
cycle 4: 10% of the miners notice the pattern and stop mining the difficult cycle. Coins produced = 900/11000 = .082 coins/min (time to produce 2016 = 24640 min) -> difficulty set to 9000
cycle 5: Production = 1100/9000 = .122 coins/min (time to produce 2016 = 16495 min)-> difficulty back to 11000
cycle 6: Now 30% of miners catch on. Production = 700/11000 = .064 coins/min (time to produce 2016 = 31680 min) -> difficulty set to 7000
cycle 7: Now new miners want in on the easy cycle. Base capacity up another 10%. Production = 1200/7000 = .171 coins/min (time to produce 2016 = 11760 min) -> difficulty now to 12000
cycle 8: 90% of original miners are in on the game. Production = 100/12000 = .008 coins/min (time to produce 2016 = 241920 min) -> difficulty should be 1000 but slams into boundary at 12000/4 = 3000
cycle 9: The game has attracted 50% more miners. Production = 1600/3000 = .533 coins/min (time to produce 2016 = 3780 min) -> difficulty should go to 16000 but stops at 12000 (at the 4x3000 limit)
cycle 10: Production near zero and difficulty down to 3000 again

Difficulty will slam between 16000 and 3000 and most coins will be produced during the 3 day easy cycle with long 24 week periods with high difficulty and few miners.

This kind of instability is inherent in systems that have delay such as happens with the calculation of a new "difficulty" after a delay.

I bet someone controlling even 1% of capacity could, through the amplification of other miners joining him once they notice, cause hard/easy cycles where production in the easy cycle is more than twice desired production.

Yes, it seems it would be vulnerable to a destabilising strategy like this.

It could be got around not having discrete jumps in difficulty but varying it "continuously", on a much shorter time step, say daily or 12 hourly, to smooth out the jumps.

No it doesn't, unless those other miners are already running very close to break-even.
Less profit > zero profit.

erm...couldnt we just create another blockchain and leave the douchebags to their empty value ?

wash rinse repeat


actually I think thats why satoshi wanted competing block chains . maybe they should be decentralized too as creating one central block chain could be vulnerable....

Or what if they increased the strength/stability of the network for a while and encouraged people to invest heavily in bitcoin... then completely disrupted it with their massive power - causing thousands of people to lose their investments in GPU power overnight. This could ruin bitcoin once and for all I think. The animosity generated by such an event would be unquenchable.


The problem is when the attacker does this and bitcoin has "kind of" taken off... you are not going to convince millions of people that a technical work around is the solution. "The general public" will simply forget about us.

Having many smaller chains actually weakens both the bitcoin economy (many incompatible flavours of Bitcoin) and the network as an attacker could just go through them and destabilize each one after another using less computing power than he'd need for a single big one.

If there is an unusual increase in mining or other strange pattern, an alarm can be sent to tell bitcoiners to temporarily halt transactions...

what makes u say China is the largest user of btc?

Lol, maybe all those Chinese students.

I bet that China government will adopt bitcoin before US.

Those are Chinese, not China.  The only scenario wherein China recognizes Bitcoin in any positive context is if the US government begins to assault Bitcoin discretely.