Bitcoin's kryptonite: The 51% attack.

[amincd]

I don't see it as a significant threat because:

The 51% attack is very costly to pull off.

It is easy to detect.

There is a huge amount of global computing power that can be brought to bear to defend against such an attack if it happens.

I also think economically, distributed control of network power is more efficient than concentrated control, for the reason already mentioned by dude655: regular people have existing hardware that can be used for mining at no extra cost. There are also many places in the world with surplus electricity being generated during certain times of the day where hashing could become very cheap or even free. This is especially the case with people who have access to electricity from renewable energy sources, as it is often very intermittent.

[1714173370]

1714173370

[1714173370]

1714173370

[1714173370]

1714173370

[AntiVigilante]

Moving on. Having isolated the problem and starting to explore lines of solution.

I'm gonna say it again. That attitude only labels you a cranky reckless authoritarian technocrat who would have precisely the moral malfunction to do the attack.

Sorry, but you just sound creepy, and I'd like to believe you're not. "Moving on." Who you?

If we could come up with some new paradigm that is based exclusively in trust between parties, without having to rely on third parties. Of course if most users would become miners, and the total mining power would be greater than any external threat, this could be solved, but I see a much more difficult adoption curve in this case. The other option would be local mining trust comunities, but that would be also subjected to control sooner or later from larger entities. If thats not the case, we will allways end up with dangerous concentration of power in mining.

Lets keep thinking...

While you were working on that I've already proposed one that discourages the accumulation of power and prevents others from raping the smaller mining pools.

[andes]

AntiVigilante, again, your "10 minute breach" theory was proven wrong in this thread. There is no limit to how long an attacker could stop the network from working. It solely depends on the attacker wishes. If he wants to stop Bitcoin for 1 month, and he has the resources, he can.

Um no actually he can't. He has to keep up as the probability of success implodes with each confirmation.

Hmm.. I dont understand this, but if true, would be fantastic. Could you elaborate for a newbie to understand?  

No person in the world will ever have 51% of network power. Jesus. That's impossible. Only a rogue pool can do that. And that would require convincing half the GPU miners to raid the whole network. And then convince them to split up the winnings.

Here you clearly dont get it. The attacker organization dosent need to convince any miner. He only needs to beat a bunch of amateur people with 3D gaming cards. Any one or two decent supercomputers in the world could do that. And there are thousands.

In fact I would love to see a statistic on total computer power in the world vs Bitcoin mining total computing power. I would guess it is in the order of magnitude of 1:10000.

[andes]

Moving on. Having isolated the problem and starting to explore lines of solution.

I'm gonna say it again. That attitude only labels you a cranky reckless authoritarian technocrat who would have precisely the moral malfunction to do the attack.

Sorry, but you just sound creepy, and I'd like to believe you're not. "Moving on." Who you?

No need for personal attacks dude. If you feel frustrated kick your computer instead.

[amincd]

Any one or two decent supercomputers in the world could do that. And there are thousands.

Bitcoin miners already have more hashing power than all of the top 500 supercomputers combined.

[andes]

I don't see it as a significant threat because:

There is a huge amount of global computing power that can be brought to bear to defend against such an attack if it happens.

This is an excelent point!

[andes]

Any one or two decent supercomputers in the world could do that. And there are thousands.

Bitcoin miners already have more hashing power than all of the top 500 supercomputers combined.

Man thats an incredible statistic, it prooves my estimation wrong. Which sources are you using? Thanks.

[unk]

this is still an unresolved concern, and the community does not take it seriously enough. in any other open-source cryptographic project, these sorts of concerns drive everyone's enthusiasm for solutions; here, they're met with obstinacy. my conjecture is that the same financial motivations that helped drive bitcoin's adoption tend to discourage critique and lead people to fear change, which is unfortunate and potentially devastating for the technology (and incidentally for the value in the currently prominent block chain). many good analysts have repeatedly issued this warning and given sophisticated critiques, but the response is almost a kind of cultural conservatism, which is odd in a community like this.

in any event:

1. as has been pointed out many times, the attack is not expensive, nor does the fact that mining is profitable mean that a strategic attack on a valuable block chain won't be far more profitable. this neglect of the strategic value of an attack is the only well-known significant mistake in satoshi's original paper, one that the analyst going by the name 'computerscientist' in various online forums has pointed out in detail.

2. the attack is not easy to detect. please outline a mechanism for detection in the general case if you think you have one. the general problem is that the only response to a proof-of-work attack is greater work; it's very difficult in practice to distinguish 'good' work from 'bad' work.

3. the probability of success does not 'implode with each confirmation'; you're misapplying satoshi's proof of the difficulty of rewriting the past block chain starting in the present. it does not apply to the probability of continuing to generate blocks in the present.

4. two or three types of attack in the same vein may be practical without even 51% of the hashing power, as bytecoin and "s" have pointed out.

5. andes is correct that cuddlefish's response to cartel power by pools is inapplicable to the general case of this attack.

6. the attack has implications broader than denial-of-service, both in terms of direct double-spending (defeating the only purpose of the block chain other than as a way of distributing initial allocation of coins) and in terms of second-order economic effects on the marketplace. the latter aren't a direct threat to the technology, but they are indeed a direct threat to the value in the currently prominent block chain.

what's unfortunate is that there are potential solutions to these problems, but there seems to be no will to explore them because they require minor changes to bitcoin. for example, one potentially robust solution to the double-spending problem is to develop redundant mechanisms for invalidating the ability of one private key to spend coins. the block chain is one, but any other mechanism that provides the equivalent of certificate revocations in a distributed pki could be another. alternatively, a protocol could prevent control of the network unless an attacker was able to demonstrate proof of work along multiple vectors at once (e.g., by multiplexing several styles of proof of work at once in the same block chain), which would likely make an attack significantly more expensive.

[unk]

i think your concessions, andes, were premature.

the oft-repeated statistic about bitcoin being the largest supercomputer or exceeding 500 others is silly and almost intentionally misleading. many 3d-intensive games are much larger 'supercomputers' on the same metric, as probably is the global dns system or smtp. it's a laughably bad piece of marketing that should be stopped because it makes bitcoin look foolish to anyone willing to see past the initial gleam of the claim. in the world of uncritical bloggers, it may not make much difference, but any legitimate journalist would research that claim and end up calling an academic computer scientist who would explain how misleading it is to call a group of a few thousand gpus 'the world's largest supercomputer'.

as to reserve hashing power, it's unlikely that there's a significant amount of it that could easily be deployed. and it works both ways: what stops an anti-bitcoin lobbying group (say, one that opposes some illegal site that uses bitcoin) from distributing an attack? there are relatively few people who stand to make fortunes from bitcoin, and there are many more who potentially benefit from an attack. i wouldn't want to play those odds; instead, i'd want to develop alternative mechanisms for proof of work that make cpus impossible to use as an attack vector. (gpus do this already to some extent, fortuitously. but they have other problems.)

for the record, i say all this as a strong supporter of the technology, albeit one consistently disappointed by the extremism in this forum and the unthinking defenses of bitcoin often offered. like anything or anyone we like, bitcoin has problems and is not perfect.

[amincd]

1. as has been pointed out many times, the attack is not expensive,

Tens of millions of dollars for hardware, and millions more for manpower is expensive for most groups in the world.

the oft-repeated statistic about bitcoin being the largest supercomputer or exceeding 500 others is silly and almost intentionally misleading. many 3d-intensive games are much larger 'supercomputers' on the same metric, as probably is the global dns system or smtp.

What do you mean many 3d-games have more hashing power than the top 500 supercomputers? You mean 3d MMOG server farms? Do you have any statistics on this? I'd like to learn more.

as to reserve hashing power, it's unlikely that there's a significant amount of it that could easily be deployed.

What's unlikely about there being 10s of millions of computers that can contribute to the network by simply visiting a web-based miner using WebCL?

and it works both ways: what stops an anti-bitcoin lobbying group (say, one that opposes some illegal site that uses bitcoin) from distributing an attack?

I think that's highly unlikely but it's difficult to provide any solid evidence for why. I think that an attack would be far more likely to come from a closed organization than a grassroots movement, especially a web-savvy grassroots movement who are the most likely group of people to share in bitcoin's ideals of allowing p2p monetary transfers without the need of going through large banking intermediaries.

1. as has been pointed out many times, the attack is not expensive, nor does the fact that mining is profitable mean that a strategic attack on a valuable block chain won't be far more profitable.

A strategic attack would not be profitable because it would benefit not only the attacker, but the attacker and all competing currencies. If an attack is done by someone with a stake in a bitcoin variant, it would undermine the very concept and be unprofitable.

this neglect of the strategic value of an attack is the only well-known significant mistake in satoshi's original paper, one that the analyst going by the name 'computerscientist' in various online forums has pointed out in detail.

A strategic attack could certainly be valuable to someone for ideological/non-monetary reasons, I just don't see any reason to think it could be profitable.

2. the attack is not easy to detect. please outline a mechanism for detection in the general case if you think you have one. the general problem is that the only response to a proof-of-work attack is greater work; it's very difficult in practice to distinguish 'good' work from 'bad' work.

People start complaining about bitcoins they received suddenly being unconfirmed.

[andes]

Unk, thanks for your extensive, clear and organized information. It was the most comprehensive answer so far to my questions.

Could you point to other groups of discussion / forums / websites where I can find people discussing this issues, and/or developing sound bitcoin alternatives? I would love to learn more about this fascinating area. The nicknames you mention are mostly found in this forum?

[unk]

1. as has been pointed out many times, the attack is not expensive,

Tens of millions of dollars for hardware, and millions more for manpower is expensive for most groups in the world.

by all the calculations given in other discussions, it's not nearly that expensive. i'm pretty sure i have the resources to do it myself, if i were of such a mind. many small corporations could easily do it.

the oft-repeated statistic about bitcoin being the largest supercomputer or exceeding 500 others is silly and almost intentionally misleading. many 3d-intensive games are much larger 'supercomputers' on the same metric, as probably is the global dns system or smtp.

What do you mean many 3d-games have more hashing power than the top 500 supercomputers? You mean 3d MMOG server farms? Do you have any statistics on this? I'd like to learn more.

than bitcoin. many games are likely running the equivalent of more than a few thousand gpus at any given moment.

A strategic attack would not be profitable because it would benefit not only the attacker, but the attacker and all competing currencies. If an attack is done by someone with a stake in a bitcoin variant, it would undermine the very concept and be unprofitable.

this is too glib an objection. what if the variant is not subject to that particular attack vector?

you seem to want a 'magic bullet' response to all my points, but there isn't one, and the search is in vain. instead, what matters are overall likelihoods. you can respond with a better theoretical threat assessment, but mere dismissal of attacks by this community is not going to serve the technology well.

this neglect of the strategic value of an attack is the only well-known significant mistake in satoshi's
original paper, one that the analyst going by the name 'computerscientist' in various online forums has pointed out in detail.

A strategic attack could certainly be valuable to someone for ideological/non-monetary reasons, I just don't see any reason to think it could be profitable.

pump-and-dump spam for a penny stock may cost a lot, but it can have significant gains from market manipulation if it escapes regulation. the same is true of many attacks on bitcoin.

2. the attack is not easy to detect. please outline a mechanism for detection in the general case if you think you have one. the general problem is that the only response to a proof-of-work attack is greater work; it's very difficult in practice to distinguish 'good' work from 'bad' work.

People start complaining about bitcoins they received suddenly being unconfirmed.

and among the several possibilities, which of the complainers are 'honest' and which are part of the attack? by what (non-bitcoin, non-proof-of-work) procedure is meta-consensus reached? do we go by reputation in the forum? (if so, is that for sale, and at what price?) an attack like the overflow bug in october(?) would, if it happened today, practically be irreversible unless we want to give up a significant part of bitcoin's decentralisation. and a bug like that, if timed strategically by an intelligent market manipulator, could divest the currently prominent block chain of almost all its value.

[unk]

Unk, thanks for your extensive, clear and organized information. It was the most comprehensive answer so far to my questions.

Could you point to other groups of discussion / forums / websites where I can find people discussing this issues, and/or developing sound bitcoin alternatives? I would love to learn more about this fascinating area. The nicknames you mention are mostly found in this forum?

yes. i recommend looking up the posting history of the user 'bytecoin' and, though i don't want to flatter myself, you can look up mine as well if you'd like. it may also be worthwhile, if you have time, to read all satoshi's old posts; they exhibit more perspective and nuance than the way they're commonly echoed in this forum.

ben laurie's discussion and the comments to it at his blog at http://www.links.org may also be helpful in general.

[AntiVigilante]

for the record, i say all this as a strong supporter of the technology, albeit one consistently disappointed by the extremism in this forum and the unthinking defenses of bitcoin often offered. like anything or anyone we like, bitcoin has problems and is not perfect.

So far only an ideological attack is really a concern. Supercomputers would have to dump whatever they were doing and stick to hashing. Amazon won't do that. Google might and blame Anonymous for slow search speed.

And yes it is easy to detect. Sometimes a canary (a victim) is better detection than whatever gas sniffing nanobots (some scheme or other) we could put in the mine.

The web of trust on #bitcoin-otc is pretty good.

Maybe my forkless towncoin idea can be applied here.

[andes]

1. as has been pointed out many times, the attack is not expensive,

Tens of millions of dollars for hardware, and millions more for manpower is expensive for most groups in the world.

Man you cant be serious.   As said, the game here is the allocation of worlds resources via the control of the monetary system. And you say that tens of millions of dollars is a lot of money?

To put that in perspective:
Do you know how many people have a net worth of 1 million or more in the US? 10 million people.
Do you know how many people have a net worth of 5 million or more in the US? 1 million people. A handfull of these could finance tens of millions of dollar.
Do you know how much one single F22 Raptor plane costs? 350 Million. Just one.  Source http://www.time.com/time/photogallery/0,29307,1912203,00.html
Or think about how much money drug dealing makes.
Or illegal arms trading.
And the list goes on...

cmon!

[amincd]

by all the calculations given in other discussions, it's not nearly that expensive. i'm pretty sure i have the resources to do it myself, if i were of such a mind. many small corporations could easily do it.

Any links to these discussions?

Quote
Quote
the oft-repeated statistic about bitcoin being the largest supercomputer or exceeding 500 others is silly and almost intentionally misleading. many 3d-intensive games are much larger 'supercomputers' on the same metric, as probably is the global dns system or smtp.

What do you mean many 3d-games have more hashing power than the top 500 supercomputers? You mean 3d MMOG server farms? Do you have any statistics on this? I'd like to learn more.

than bitcoin. many games are likely running the equivalent of more than a few thousand gpus at any given moment.

You mean the people running the games? That wouldn't surprise me given there are millions of people playing 3d games. I don't see how it invalidates the point about the amount of hashing power that bitcoin miners have relative to supercomputers. Yes, cumulatively, gamers have a lot of hashing power too..

Quote
A strategic attack would not be profitable because it would benefit not only the attacker, but the attacker and all competing currencies. If an attack is done by someone with a stake in a bitcoin variant, it would undermine the very concept and be unprofitable.

this is too glib an objection. what if the variant is not subject to that particular attack vector?

That's a good point, but it would have to be a variant not-dependent on proof-of-work, which leaves only one based on a decentralized PKI, which IMO is not feasible.

you seem to want a 'magic bullet' response to all my points, but there isn't one, and the search is in vain. instead, what matters are overall likelihoods. you can respond with a better theoretical threat assessment, but mere dismissal of attacks by this community is not going to serve the technology well.

An attack is of course possible I just think unlikely. Point taken that dismissal of the threat doesn't serve the technology well. I'll also add that worrying about an unlikely threat could also be counter-productive by scaring people whose participation could help bitcoin's security.

Quote
2. the attack is not easy to detect. please outline a mechanism for detection in the general case if you think you have one. the general problem is that the only response to a proof-of-work attack is greater work; it's very difficult in practice to distinguish 'good' work from 'bad' work.

People start complaining about bitcoins they received suddenly being unconfirmed.

and among the several possibilities, which of the complainers are 'honest' and which are part of the attack?

It'll become readily apparent when people that the bitcoin community trusts say their transactions are not going through. There is a social element that is more important to bitcoin's security than the hashing power being contributed to it.

by what (non-bitcoin, non-proof-of-work) procedure is meta-consensus reached? do we go by reputation in the forum? (if so, is that for sale, and at what price?)

I'm not trying to cavalierly dismiss your concerns, I just don't think it's likely that the community can or will be corrupted by any likely attacker through bribery or other means.

[andes]

by all the calculations given in other discussions, it's not nearly that expensive. i'm pretty sure i have the resources to do it myself, if i were of such a mind. many small corporations could easily do it.

Any links to these discussions?

And where are your statistics amincd? You did not answer my question regarding computing power. I am really interested in them.

[andes]

Unk, thanks for your extensive, clear and organized information. It was the most comprehensive answer so far to my questions.

Could you point to other groups of discussion / forums / websites where I can find people discussing this issues, and/or developing sound bitcoin alternatives? I would love to learn more about this fascinating area. The nicknames you mention are mostly found in this forum?

yes. i recommend looking up the posting history of the user 'bytecoin' and, though i don't want to flatter myself, you can look up mine as well if you'd like. it may also be worthwhile, if you have time, to read all satoshi's old posts; they exhibit more perspective and nuance than the way they're commonly echoed in this forum.

ben laurie's discussion and the comments to it at his blog at http://www.links.org may also be helpful in general.

Thanks man! Will spend some time reading your suggestions.

[AntiVigilante]

Do you know how much one single F22 Raptor plane costs? 350 Million. Just one.
Or think about how much money drug dealing makes.
Or illegal arms trading.
And the list goes on...

cmon!

Satoshi must have been trembling when he typed bitcoind getwork for the first time.

This thread is surreal. But hey if Bitcoin can survive an attack by the Minbari Empire, please go ahead. Check out my signature: first two links point to a quick and easy change that would allow millions to enter the network.

[amincd]

andes, the combined hash rate of the top 500 supercomputers can be seen here:

http://forum.bitcoin.org/?topic=7675.0

The total hash rate of bitcoin miners can be seen here:

http://www.bitcoinwatch.com/