kjj
|
|
May 27, 2011, 09:40:51 PM |
|
You would need not just 50% of the world's hashing power, but closer to 95%+ of it if you wanted to pull off any meaningful BTC scam.
I don't think so. You can steal the vast majority of blocks from then on by storing up blocks you generate and release them only when someone else also solves one. Not sure if you consider that meaningful or not. (There was some long ago thread about this that I can't find now)
You could double spend by getting one block ahead of the good network and then just stay ahead until you are ready to drop your one block longer chain.
The time to find a block is not a linear function of your hashing speed, it is a probabilistic process. Having 10% more power than the other guy doesn't mean you find blocks 10% faster, it means that you have a ~5% chance of finding it before him.
Say that your fraction of the global networking power is X, where 0 <= X <= 1;
The probability that you will be able to do this for one block is X
The probability that you will be able to do this for two blocks is X^2
The probability that you will be able to do this for three blocks is X^3
The probability that you will be able to do this for four blocks is X^4
Etc...
Actually, those are the high end estimates. In reality, you will need another factor, Y, to correct for the portion of the network that believes in the attack chain. Over time, Y will get smaller and smaller.
Since this topic keeps coming up over and over again, I'm going to propose a potential solution: every time a node reshuffles, they should make a note of which peer it came from. More than three reshuffles from the same peer in like 24 hours, and that node is dropped.
|
17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8 I routinely ignore posters with paid advertising in their sigs. You should too.
|
|
|
MoonShadow
|
|
May 27, 2011, 10:26:16 PM |
|
Since this topic keeps coming up over and over again, I'm going to propose a potential solution: every time a node reshuffles, they should make a note of which peer it came from. More than three reshuffles from the same peer in like 24 hours, and that node is dropped.
Interesting proposal. I think that this requires its own thread, to discuss how to do this.
|
"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."
- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
|
|
|
kjj
|
|
May 27, 2011, 10:29:56 PM |
|
Agreed.
|
|
|
|
jed (OP)
Jed McCaleb
|
|
May 27, 2011, 11:03:53 PM |
|
kjj: So let's assume an attacker controls 60% of the network. He makes a big transaction that is sent to the whole network. He stops generating blocks on the legit network. He now starts generating a new chain without the large transaction but not sending it to the rest of the network. His fake chain will eventually grow longer than the real chain. At some point of his choosing he publishes his longer chain to the real network. The fake chain is now accepted as real since it is longer.
Since this topic keeps coming up over and over again, I'm going to propose a potential solution: every time a node reshuffles, they should make a note of which peer it came from. More than three reshuffles from the same peer in like 24 hours, and that node is dropped.
This doesn't help. It is trivial to just send from a new peer.
|
|
|
|
MoonShadow
|
|
May 27, 2011, 11:11:25 PM |
|
kjj: So let's assume an attacker controls 60% of the network. He makes a big transaction that is sent to the whole network. He stops generating blocks on the legit network. He now starts generating a new chain without the large transaction but not sending it to the rest of the network. His fake chain will eventually grow longer than the real chain. At some point of his choosing he publishes his longer chain to the real network. The fake chain is now accepted as real since it is longer.
The (non-existent, we really need a programmer to develop this) 'blockchain watchdog' process would be ringing alarm bells after the 60% miner had left the network. Whether that mattered would depend upon what the rest of the network does once the watchdogs are barking.
|
|
|
|
billyjoeallen
Hide your women
|
|
May 29, 2011, 06:50:47 AM |
|
So I've been thinking... bitcoin mining seems like such an unfortunate side effect of the system since it is so wasteful.
I stopped reading right here. Bitcoin is not wasteful, even now. It's several orders of magnitude more energy efficient than the fiat currency systems in use around the world.
only if you count the number of guns necessary to force us to act as if fiat is a good store of value, and the salaries necessary to pay the thugs and pump out the propaganda, etc.
|
insert coin here: Dash XfXZL8WL18zzNhaAqWqEziX2bUvyJbrC8s
1Ctd7Na8qE7btyueEshAJF5C7ZqFWH11Wc
|
|
|
FreeMoney
Strength in numbers
|
|
May 29, 2011, 07:40:14 AM |
|
I stopped reading right here. Bitcoin is not wasteful, even now. It's several orders of magnitude more energy efficient than the fiat currency systems in use around the world.
I would like to see numbers that prove it. The current network consumes 2MW of power constantly assuming (on average) 2MH/s/W. It's about 2 million USD per year. Of course that's not much compared to the money used for fiat money flow but for a 45 million USD money supply it's a lot. And then you have a few million of USD in equipment that based on Moore law will be worth a fraction of the current value in 12-18 months. When you add human work (building and maintaining miners), you have a lot of cost for the amount of money supply that is handled by a small bank. At the very best, Bitcoin is as efficient as the fiat currency system dollar per dollar and likely less efficient. P.S I know about the cost of bailouts but Bitcoin is yet to start handling loans. And it were loans not money transfers and money flow that needed a bailout.
Are you spying on me? (wait, I guess not since you don't know what I'm doing). I give loans. Loans don't cause bailouts anymore than shoes cause dancing.
|
Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
|
|
|
Zibbo
|
|
May 29, 2011, 03:40:08 PM |
|
kjj: So let's assume an attacker controls 60% of the network. He makes a big transaction that is sent to the whole network. He stops generating blocks on the legit network. He now starts generating a new chain without the large transaction but not sending it to the rest of the network. His fake chain will eventually grow longer than the real chain. At some point of his choosing he publishes his longer chain to the real network. The fake chain is now accepted as real since it is longer.
The (non-existent, we really need a programmer to develop this) 'blockchain watchdog' process would be ringing alarm bells after the 60% miner had left the network. Whether that mattered would depend upon what the rest of the network does once the watchdogs are barking.
The attacker doesn't need to be part of the honest network before launching an attack at all, so you would not see a sudden drop in hashing power. A longer chain would just appear out of nowhere.
Once some group controls more hashing power than the rest of the miners combined, bitcoin reality is exactly what they want and nothing else (can't do anything that would invalidate blocks in the eyes of honest nodes, like change block reward etc). If they are honest, then no problem, but if they want to attack the network, they can just grow their own chain, refuse the blocks generated by honest nodes, but force honest nodes to accept attackers block. Honest nodes can't differentiate between attackers blocks and honest blocks (because they are decentralized), while attacker knows which blocks are which. It doesn't matter if honest nodes get ahead for a while. Attacker will always catch up, and all the work honest nodes have done would be replaced with the attackers "reality".
This idea of a watchdog system is nice, but I'm not entirely sure how much it would help if someone truly has a majority of the hashing power. I mean, even if you knew with 100% certainty, that someone is attacking the network with a majority hashing power, and maybe even how and when it's going to happen, what is the mechanism that would be used to prevent the attack in a decentralized system like bitcoin? Like you said "Whether that mattered would depend upon what the rest of the network does once the watchdogs are barking". I'm not sure there is anything they can do, without giving up the decentralized nature of bitcoin.
Bitcoin is secure "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network", but not a second longer.
|
|
|
|
MoonShadow
|
|
May 30, 2011, 01:46:29 AM |
|
kjj: So let's assume an attacker controls 60% of the network. He makes a big transaction that is sent to the whole network. He stops generating blocks on the legit network. He now starts generating a new chain without the large transaction but not sending it to the rest of the network. His fake chain will eventually grow longer than the real chain. At some point of his choosing he publishes his longer chain to the real network. The fake chain is now accepted as real since it is longer.
The (non-existent, we really need a programmer to develop this) 'blockchain watchdog' process would be ringing alarm bells after the 60% miner had left the network. Whether that mattered would depend upon what the rest of the network does once the watchdogs are barking.
The attacker doesn't need to be part of the honest network before launching an attack at all, so you would not see a sudden drop in hashing power. A longer chain would just appear out of nowhere.
Once some group controls more hashing power than the rest of the miners combined, bitcoin reality is exactly what they want and nothing else (can't do anything that would invalidate blocks in the eyes of honest nodes, like change block reward etc). If they are honest, then no problem, but if they want to attack the network, they can just grow their own chain, refuse the blocks generated by honest nodes, but force honest nodes to accept attackers block. Honest nodes can't differentiate between attackers blocks and honest blocks (because they are decentralized), while attacker knows which blocks are which. It doesn't matter if honest nodes get ahead for a while. Attacker will always catch up, and all the work honest nodes have done would be replaced with the attackers "reality".
This idea of a watchdog system is nice, but I'm not entirely sure how much it would help if someone truly has a majority of the hashing power. I mean, even if you knew with 100% certainty, that someone is attacking the network with a majority hashing power, and maybe even how and when it's going to happen, what is the mechanism that would be used to prevent the attack in a decentralized system like bitcoin? Like you said "Whether that mattered would depend upon what the rest of the network does once the watchdogs are barking". I'm not sure there is anything they can do, without giving up the decentralized nature of bitcoin.
Bitcoin is secure "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network", but not a second longer.
There are a number of things that live operators can do to inhibit an attack under way, not the least of which is to bring more hashing power to bear. An attacker coming in unannounced with blocks would cause a significant revision on the blockchain, not something that can be stopped, but it's a huge red flag. A watchdog process could alert users to an attack underway, and any commerce site using bitcoin in any automatic fashion should immediately suspend trade to protect themselves.
Also, nodes are not anonymous to each other. It's not trivial, but it is possible to determine from where the new blocks came from.
Also, an attacker coming in from outside the network needs at least as much hashing power as the whole honest network, not just 50%. Just having a simple majority of the hashing power is only enough to make the attack possible, it doesn't make it easy. To build a chain in the dark, the attacker must have significantly more than the whole of the honest network in order to build his dark chain fast enough to get back far enough to overwrite his intended target block.
|
|
|
|
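A sketch of the 'blockchain watchdog' discussed in the posts above, added here as an illustration (it is not code from any poster or from the Bitcoin client): it tracks the block tree and raises an alert when the tip switches to a branch that disconnects at least `alert_depth` blocks. The block names, the threshold of 3 and the height-based "longest chain" rule are assumptions for the example; real nodes compare cumulative work.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Block:
    block_hash: str
    prev_hash: Optional[str]  # None only for the genesis block


class ReorgWatchdog:
    """Follows the longest branch and records deep chain revisions."""

    def __init__(self, genesis, alert_depth=3):
        self.blocks = {genesis.block_hash: genesis}
        self.height = {genesis.block_hash: 0}
        self.tip = genesis.block_hash
        self.alert_depth = alert_depth      # assumed threshold
        self.alerts = []                    # (fork_point, depth, new_tip)

    def _ancestors(self, block_hash):
        while block_hash is not None:
            yield block_hash
            block_hash = self.blocks[block_hash].prev_hash

    def on_block(self, block):
        """Record a block; return how many blocks it disconnected (0 if none)."""
        if block.block_hash in self.blocks:
            return 0
        if block.prev_hash not in self.blocks:
            raise ValueError(f"unknown parent for {block.block_hash}")
        self.blocks[block.block_hash] = block
        self.height[block.block_hash] = self.height[block.prev_hash] + 1
        if self.height[block.block_hash] <= self.height[self.tip]:
            return 0                        # side branch, not longer: keep tip
        old_tip, self.tip = self.tip, block.block_hash
        if block.prev_hash == old_tip:
            return 0                        # ordinary extension of the tip
        # Tip moved to another branch: find the common ancestor.
        new_branch = set(self._ancestors(block.block_hash))
        fork = next(h for h in self._ancestors(old_tip) if h in new_branch)
        depth = self.height[old_tip] - self.height[fork]
        if depth >= self.alert_depth:
            self.alerts.append((fork, depth, block.block_hash))
        return depth


def replay(blocks, alert_depth=3):
    """Feed blocks (genesis first) to a watchdog and return its alerts."""
    dog = ReorgWatchdog(blocks[0], alert_depth)
    for block in blocks[1:]:
        dog.on_block(block)
    return dog.alerts


def chain(prefix, first, last, parent):
    """Build a constructed run of blocks prefix<first>..prefix<last>."""
    out = []
    for i in range(first, last + 1):
        out.append(Block(f"{prefix}{i}", parent))
        parent = f"{prefix}{i}"
    return out


# Constructed sample data: an honest chain a1..a6, then a privately built
# branch b3..b7 forking at a2 that is published all at once.
GENESIS = Block("g0", None)
DARK_CHAIN_FEED = [GENESIS] + chain("a", 1, 6, "g0") + chain("b", 3, 7, "a2")
# Constructed sample data: an everyday one-block race (a2 vs c2) won by c3.
NATURAL_RACE_FEED = [GENESIS, Block("a1", "g0"), Block("a2", "a1"),
                     Block("c2", "a1"), Block("c3", "c2")]

if __name__ == "__main__":
    print("dark chain feed:", replay(DARK_CHAIN_FEED))
    print("natural race feed:", replay(NATURAL_RACE_FEED))
```

The depth threshold is what separates ordinary one-block races from the "significant revision" described in the thread; a merchant-side process could suspend automatic payouts whenever `alerts` is non-empty.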
Zibbo
|
|
May 30, 2011, 06:08:35 AM |
|
The attacker doesn't need to be part of the honest network before launching an attack at all, so you would not see a sudden drop in hashing power. A longer chain would just appear out of nowhere.
Once some group controls more hashing power than the rest of the miners combined, bitcoin reality is exactly what they want and nothing else (can't do anything that would invalidate blocks in the eyes of honest nodes, like change block reward etc). If they are honest, then no problem, but if they want to attack the network, they can just grow their own chain, refuse the blocks generated by honest nodes, but force honest nodes to accept attackers block. Honest nodes can't differentiate between attackers blocks and honest blocks (because they are decentralized), while attacker knows which blocks are which. It doesn't matter if honest nodes get ahead for a while. Attacker will always catch up, and all the work honest nodes have done would be replaced with the attackers "reality".
This idea of a watchdog system is nice, but I'm not entirely sure how much it would help if someone truly has a majority of the hashing power. I mean, even if you knew with 100% certainty, that someone is attacking the network with a majority hashing power, and maybe even how and when it's going to happen, what is the mechanism that would be used to prevent the attack in a decentralized system like bitcoin? Like you said "Whether that mattered would depend upon what the rest of the network does once the watchdogs are barking". I'm not sure there is anything they can do, without giving up the decentralized nature of bitcoin.
Bitcoin is secure "As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network", but not a second longer.
There are a number of things that live operators can do to inhibit an attack under way, not the least of which is to bring more hashing power to bear. An attacker coming in unannounced with blocks would cause a significant revision on the blockchain, not something that can be stopped, but it's a huge red flag. A watchdog process could alert users to an attack underway, and any commerce site using bitcoin in any automatic fashion should immediately suspend trade to protect themselves.
Who has that kind of hashing power just waiting to be used with a push of a button? Perhaps in future someone with vested interest in protecting bitcoin and hardware that is regularly used for something else? Ok, I can see that happening, but almost any other action you can take when the watchdogs are barking requires choosing the valid block chain with some other criteria than which one is the longest.
Also, nodes are not anonymous to each other. It's not trivial, but it is possible to determine from where the new blocks came from.
Really? How?
Also, an attacker coming in from outside the network needs at least as much hashing power as the whole honest network, not just 50%. Just having a simple majority of the hashing power is only enough to make the attack possible, it doesn't make it easy. To build a chain in the dark, the attacker must have significantly more than the whole of the honest network in order to build his dark chain fast enough to get back far enough to overwrite his intended target block.
That's true if the attacker retroactively decides to rewrite some past block. What I was talking about was, when double spend (or some other attack) is planned in advance, and the attacker starts hashing the dark chain from the same block as honest nodes.
|
|
|
|
MoonShadow
|
|
May 30, 2011, 06:31:57 AM |
|
Who has that kind of hashing power just waiting to be used with a push of a button?
I'm not at liberty...
Also, an attacker coming in from outside the network needs at least as much hashing power as the whole honest network, not just 50%. Just having a simple majority of the hashing power is only enough to make the attack possible, it doesn't make it easy. To build a chain in the dark, the attacker must have significantly more than the whole of the honest network in order to build his dark chain fast enough to get back far enough to overwrite his intended target block.
That's true if the attacker retroactively decides to rewrite some past block. What I was talking about was, when double spend (or some other attack) is planned in advance, and the attacker starts hashing the dark chain from the same block as honest nodes.
It's generally true. It's not so straight forward.
|
|
|
|
jed (OP)
Jed McCaleb
|
|
May 30, 2011, 02:28:38 PM |
|
creighto: Even if you are correct that there is some hidden pool of mining waiting to be put online it doesn't change my original point that bitcoin as it is now depends on everyone trusting a few random people. We are implicitly trusting a couple large miners and a couple pools and your secret hasher. My argument is that we might as well make this trust explicit. It will be much more efficient, and way more secure.
|
|
|
|
ene
|
|
May 30, 2011, 06:39:58 PM |
|
creighto: Even if you are correct that there is some hidden pool of mining waiting to be put online it doesn't change my original point that bitcoin as it is now depends on everyone trusting a few random people. We are implicitly trusting a couple large miners and a couple pools and your secret hasher. My argument is that we might as well make this trust explicit. It will be much more efficient, and way more secure.
There's no way this would be more secure. Under your system, somebody needs to (1) somehow find out who your "friends" are (who you trust) and (2) make 50% of them dishonest. Under bitcoin, somebody needs to make 50% of everybody dishonest.
|
|
|
|
jed (OP)
Jed McCaleb
|
|
May 30, 2011, 07:34:08 PM |
|
trippy: If you follow the thread you see that in bitcoin you don't need to make 50% of the bitcoin users dishonest. There are maybe 3 people that need to collude to break bitcoin or more likely 1 government. In this proposal you could pick 100 or 1000 random forum users and you would be *way* safer. If you bothered to be more discriminating and actually picked people you knew you would be even safer still.
Also there isn't a way for someone to figure out who you have chosen to trust. (Trust is the wrong word. These are people you don't think are working together. You can actually choose all people that you know are corrupt as long as they aren't colluding)
|
|
|
|
ene
|
|
May 30, 2011, 07:48:41 PM |
|
trippy: If you follow the thread you see that in bitcoin you don't need to make 50% of the bitcoin users dishonest. There are maybe 3 people that need to collude to break bitcoin or more likely 1 government. In this proposal you could pick 100 or 1000 random forum users and you would be *way* safer. If you bothered to be more discriminating and actually picked people you knew you would be even safer still.
Also there isn't a way for someone to figure out who you have chosen to trust. (Trust is the wrong word. These are people you don't think are working together. You can actually choose all people that you know are corrupt as long as they aren't colluding)
OK 50% of the computers. But the mining difficulty continues to go up all the time. Nobody wants to go through the forum and select random users, and yet as soon as you program a computer to do it, people will figure out a way to game it and make it choose untrustworthy users. You seem to require ordinary users to use trust systems, but these have never yet caught on. I largely agree with Mike Hearn here. Maybe you should have a look at Ripple. PS Good luck figuring out how the money is initially distributed and later minted.
|
|
|
|
Meni Rosenfeld
|
|
May 31, 2011, 08:24:23 AM |
|
You would need not just 50% of the world's hashing power, but closer to 95%+ of it if you wanted to pull off any meaningful BTC scam.
I don't think so. You can steal the vast majority of blocks from then on by storing up blocks you generate and release them only when someone else also solves one. Not sure if you consider that meaningful or not. (There was some long ago thread about this that I can't find now)
You could double spend by getting one block ahead of the good network and then just stay ahead until you are ready to drop your one block longer chain.
The time to find a block is not a linear function of your hashing speed, it is a probabilistic process. Having 10% more power than the other guy doesn't mean you find blocks 10% faster, it means that you have a ~5% chance of finding it before him.
Say that your fraction of the global networking power is X, where 0 <= X <= 1;
The probability that you will be able to do this for one block is X
The probability that you will be able to do this for two blocks is X^2
The probability that you will be able to do this for three blocks is X^3
The probability that you will be able to do this for four blocks is X^4
Etc...
Actually, those are the high end estimates. In reality, you will need another factor, Y, to correct for the portion of the network that believes in the attack chain. Over time, Y will get smaller and smaller.
Since this topic keeps coming up over and over again, I'm going to propose a potential solution: every time a node reshuffles, they should make a note of which peer it came from. More than three reshuffles from the same peer in like 24 hours, and that node is dropped.
These probabilities mistakenly assume that the attacker always builds on the last block. However, the attack is, as satoshi discusses in his paper, to pick some block to build on and stick to it. If X>0.5 you can cut a branch however long you want, given enough time.
For example, if X=0.6 and you want to cut 10 blocks, after some time period the attacker will find 33 new blocks while the honest network only finds 22, making the attacker's branch win.
|
|
|
|
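The catch-up race described in the post above, worked through as an added example (not code from any poster). It uses the gambler's-ruin result from the Bitcoin paper for the chance that a miner with hash share `q` ever erases a deficit of `z` blocks, the expected block counts when `q > 0.5`, and a seeded simulation as a cross-check; the function names, trial count and give-up bound are choices made for this example.

```python
import random


def catch_up_probability(q, z):
    """Chance that a miner with hash share q ever draws level from z blocks behind.

    Each new block is the attacker's with probability q and the honest
    network's with probability p = 1 - q. The result is 1 when q >= p
    and (q/p)**z otherwise.
    """
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q
    if z == 0 or q >= p:
        return 1.0
    return (q / p) ** z


def expected_blocks_to_overtake(q, z):
    """Expected (attacker, honest) blocks found until the attacker leads by one.

    The gap shrinks by 2q - 1 blocks per block found on average, and it
    has to move z + 1 steps, so the expected total is (z + 1) / (2q - 1).
    """
    if q <= 0.5:
        raise ValueError("expected overtake time is finite only for q > 0.5")
    total = (z + 1) / (2.0 * q - 1.0)
    return q * total, (1.0 - q) * total


def simulate_catch_up(q, z, trials=20000, give_up=40, seed=1):
    """Monte Carlo estimate of catch_up_probability.

    A run is abandoned once the attacker is give_up blocks behind; for
    q < 0.5 the chance of recovering from there is negligible.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        deficit = z
        while 0 < deficit < give_up:
            deficit += -1 if rng.random() < q else 1
        wins += deficit == 0
    return wins / trials


if __name__ == "__main__":
    # The post's own case: X = 0.6, cutting a 10-block branch.
    attacker, honest = expected_blocks_to_overtake(0.6, 10)
    print(f"q=0.6, z=10: attacker ~{attacker:.0f} blocks, honest ~{honest:.0f}")
    # Minority miners: what waiting for more confirmations buys a recipient.
    for q in (0.10, 0.30, 0.45):
        odds = ", ".join(f"z={z}: {catch_up_probability(q, z):.4f}"
                         for z in (1, 2, 6))
        print(f"q={q:.2f}  {odds}")
    print("simulated q=0.30, z=2:", simulate_catch_up(0.30, 2))
```

For a minority miner the probability falls geometrically with the number of blocks to undo, which is why recipients wait for confirmations; at or above half the hash power it is 1 for any depth.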
vaisajne
|
|
August 22, 2014, 08:30:12 AM |
|
Bumped in to this old thread. This was probably the starting point for Jed's projects Ripple and now Stellar.
|
|
|
|
JoelKatz
Democracy is vulnerable to a 51% attack.
|
|
June 16, 2019, 09:42:44 AM |
|
Bumped in to this old thread. This was probably the starting point for Jed's projects Ripple and now Stellar.
Yes. This is a valuable piece of history now!
|
I am an employee of Ripple. Follow me on Twitter @JoelKatz 1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
|
|
|
Last of the V8s
Be a bank
|
|
June 16, 2019, 09:53:01 AM |
|
Bumped in to this old thread. This was probably the starting point for Jed's projects Ripple and now Stellar.
Yes. This is a valuable piece of history now!
Agreed. Now stop scamming people with that Ripple and XRP nonsense.
|
|
|
|
philipma1957
'The right to privacy matters'
|
|
June 16, 2019, 12:06:29 PM Last edit: June 18, 2019, 05:57:31 PM by philipma1957 |
|
Bumped in to this old thread. This was probably the starting point for Jed's projects Ripple and now Stellar.
Yes. This is a valuable piece of history now!
If Democracy is subject to a 51% attack how did Donald Trump win with 62.7m vs 65.3m for Clinton? The answer is: hint I know the answer
All POS coins are simply unlicensed banks issuing coins backed by nothing. At least POW coins are backed by hard 'iron' machines that serve a useful purpose they convert electrical power to coins. The world wide grid needs the ability to shunt excess power. Rainy season next to a hydropower plant is one example. ie you do not shut the river off so what do you do with 1000MegaWatts of excess power. The answer is sell it cheap to a bigass mining farm so the power is not wasted. Due to Pow coins ability to stabilize the power grid world wide they will continue to exist for years to come.
|
|
|
|
|