Bitcoin Forum
Author Topic: Bitcoin's kryptonite: The 51% attack.  (Read 27630 times)

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 07, 2011, 05:30:25 AM | #41

andes, the combined hash rate of the top 500 supercomputers can be seen here:

http://forum.bitcoin.org/?topic=7675.0

The total hash rate of bitcoin miners can be seen here:

http://www.bitcoinwatch.com/

Thanks, will check it out.

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 07, 2011, 05:44:21 AM | #42
Last edit: June 07, 2011, 06:10:58 AM by andes

andes, the combined hash rate of the top 500 supercomputers can be seen here:

http://forum.bitcoin.org/?topic=7675.0

The total hash rate of bitcoin miners can be seen here:

http://www.bitcoinwatch.com/

Thanks, will check it out.

Interesting statistics, although to evaluate a well organized attack on cryptocurrencies it's not fair to compare supercomputers to Hashing GPUs, as they are made for very different purposes. GPUs are really cheap dumb simple number crunchers. Supercomputers are much more expensive complex pieces of hardware to manipulate information.

The key point is to compare the resources of each side. If the total combined mining infrastructure of the network is 50 million dollars worth, an attack is trivial. Even a country like Liechtenstein could beat our computing power. They would buy the GPUs in the market, or sign a contract with China to build the GPUs over a period of months.

Really, there is no point in deluding oneself that a security system like Bitcoin based on brute hashing power is invulnerable. Right now Bitcoin is at the mercy of any small group of wealthy individuals that decided to attack.

That's not necessarily the end of the world. Most companies and groups in the world are in a similar position. But it's important to be clear that Bitcoin is not going to change the power balance of the world without the consent of the establishment at this time. It can only survive if the establishment wants to. To me, right now, Bitcoin is just an extra layer of technology for our lives, that can make us early adopters rich, but that won't have any lasting impact in how this world is managed on a global scale.

AntiVigilante | Member | Activity: 98 | Merit: 10
June 07, 2011, 06:28:22 AM | #43

Quote
Interesting statistics, although to evaluate a well organized attack on cryptocurrencies it's not fair to compare supercomputers to Hashing GPUs, as they are made for very different purposes. GPUs are really cheap dumb simple number crunchers. Supercomputers are much more expensive complex pieces of hardware to manipulate information.

Which means that like CPUs much of their capabilities involve functions inefficient at hashing. This debate is about hashing power. Supercomputers are being outgunned.

Quote
The key point is to compare the resources of each side. If the total combined mining infrastructure of the network is 50 million dollars worth, an attack is trivial.

Moving the goal posts again. Bitcoins in total are worth 2x that. The amount of capital necessary to create the bitcoin system is [X Tflops / (Tflops / Thash)] * (Cost / Thash).

For $4000 you could get 2Ghash/s using 3 6990s + PSU + cooling. So $8M for 4Thash/s. If a supplier offered GPUs in Bitcoins - the community could create a network 12.5x the size it is right now in a matter of weeks. Hell distributing the coins and GPUs to the BTC militia would be the bottleneck.

With my community modification (bet it's in the 2 digit range of lines of code) the bitcoin network would be back up and running in no time. An attack on the network would result in a major backlash and a huge strengthening of the network. At which point hashing speed would be ridiculous and BTC value would be even more absurd.

It's not a technology problem. It's a community commitment problem.

Quote
It can only survive if the establishment wants to.

1 internet is worth 1000. Telecomix and Anonymous revived Egypt's Internet in days. A Bitcoin crash would only be a reboot. Nothing more.

Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296
Goal: http://forum.bitcoin.org/index.php?topic=12536.0
Means: Code, donations, and brutal criticism. I've got a thick skin. 1Gc3xCHAzwvTDnyMW3evBBr5qNRDN3DRpq

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 07, 2011, 06:32:15 AM | #44
Last edit: June 07, 2011, 06:48:23 AM by andes

Quote
It's not a technology problem. It's a community commitment problem.

Couldn't agree more.

But social change is difficult in the current world. That's why us geeks have so much hope in technology coming to the rescue. But I guess this time technology alone won't cut it. Let's find a hybrid solution. But I see lack of awareness in the bitcoin community of these shortcomings. Too much blind enthusiasm.

The final power is in people's hands, the problem is that they give their power away to the system.

AntiVigilante | Member | Activity: 98 | Merit: 10
June 07, 2011, 06:48:12 AM | #45

It's not a technology problem. It's a community commitment problem.

Couldn't agree more.

The problem is that social change is difficult in the current world. The media is powerful. That's why us geeks have so much hope in technology coming to the rescue. But I guess this time technology alone won't cut it. Let's find a hybrid solution.

The final power is in people's hands, the problem is that they give their power away to the system.

Tell you what, help me get a draft of my towncoin (forkless because the difficulty / block reward is heavily yoked down) modification as a plugin. I only want to make it optional. The whole machine crumbles if we apply the possibilities. Due to the sharp reward drop the square root is necessary as a stretchy ratio rather than the hard drop.

Three new bitcoind options:
--accept_dynamic_difficulty_blocks
--enable_dynamic_difficulty
--enable_soft_gradient

The links are here:
Proposal: http://forum.bitcoin.org/index.php?topic=11541.msg162881#msg162881
Inception: https://github.com/bitcoin/bitcoin/issues/296

I'll have a pull request in the morning.

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 07, 2011, 06:56:09 AM | #46

Quote
Tell you what, help me get a draft of my towncoin.

Dude, first of all, I like technology, but I am not precisely a programmer.

Second, you insulted me for nothing a couple of posts ago, and you expect now that I work for you? For starters, you should learn to be polite, and then buy me a couple of beers, or send me the bitcoin amount of those beers, preferably adding the price of a pizza too. Only then could we start talking about business. ;)

Ok, it's late here, I log out for today.

AntiVigilante | Member | Activity: 98 | Merit: 10
June 07, 2011, 07:56:38 AM | #47

Tell you what, help me get a draft of my towncoin.

Dude, first of all, I like technology, but I am not precisely a programmer.

Well

Quote
Second, you insulted me for nothing a couple of posts ago, and you expect now that I work for you?

I'm a bulldog for Bitcoin. I get a bit suspicious when the topic moves faster than those participating in the discussion. I do apologize. It'll probably happen again. I'm very defensive of this community. They've proven themselves.

And I don't expect people to work for me. I'm putting in drafts for plugins, loans, community building just like everyone else.

Quote
For starters, you should learn to be polite

cue Harvey Keitel in Pulp Fiction: Pretty please with sugar on top.

Quote
and then buy me a couple of beers, or send me the bitcoin amount of those beers, preferably adding the price of a pizza too. Only then could we start talking about business. ;)

Ok, it's late here, I log out for today.

The future of this network is worth at least a million times that. Cya tomorrow.

MicroBalrog | Newbie | Activity: 10 | Merit: 0
June 07, 2011, 08:47:47 PM | #48

Uh, comrades?

The existing computing power of Bitcoin is 61 PFlops. To execute such an attack, wouldn't someone need ANOTHER 61 petaflops?

kjj | Legendary | Activity: 1302 | Merit: 1025
June 07, 2011, 11:43:45 PM | #49

There are two versions of the 51% attack, and I have made proposals that would address both of them.

The first is the live attack, where an attacker starts working on the next block, and publishes it as soon as it is ready, and then keeps doing so even while the honest network finds blocks that reveal the double spend, causing the chain to flap between the two branches.  This is of limited value, as it would be very visible, and the attack window would be very short, like 10 minutes to an hour, depending on the actual hashing power of the attacker.  I proposed chain flap dampening, but I'm not sure any more if there is any point.

The second is the dead attack, where the attacker starts working on a new chain, but doesn't publish it until it is very long.  At this point, the transaction the attacker wants to reverse is deep in the chain, and considered very safe by everyone, but since the new chain is longer, it will reverse everything after the start of the attack.  For this one, I proposed exponential difficulty for a deep block chain reversal.

Oh, and by the way, neither of these attacks are anywhere near as easy, nor as useful as popularly imagined.  And we really have read 100 threads on the topic.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.

LlamaBE | Newbie | Activity: 1 | Merit: 0
June 08, 2011, 10:47:59 AM | #50

How I understand this issue

I'm going to intentionally use made up numbers to make the math easier. Concepts should remain the same. Also going to use http://en.wikipedia.org/wiki/Alice_and_Bob terminology.

Imagine combined honest rate is 100. That would mean Eve needs at least a rate of 100+ herself. If she has that, she could announce a bitcoin transaction for buying something from Bob. At the same time she announces a different transaction to her own mining pool. Both the honest pool and Eve's pool start computing their block chain. At some point Bob will accept the transaction as verified. Let's say this occurs at block x.

At this point, three possibilities exist: Eve's block chain could be longer than the honest one, it could be equal, or it could be shorter. Depending on the ratio of Eve's rate vs the honest rate, one of these cases will become more probable, but the chance exists it will be any of these.

When Eve's block chain is longer than the honest chain, her attack is complete. She announces the longer chain to the world, the world sees a longer chain and believes this is the correct chain and continues as normal.

When Eve's block chain is shorter than or equal to the honest chain, she can continue to compute until she has a longer chain. If she has more computing power than the honest pool, she will eventually reach such a state. If she has not, her attack will fail.

Eve could change all transactions she sends out without an extra cost during the period of the attack.

So what does this mean: this attack is profitable for Eve from the moment the value of all her transactions combined is greater than the cost of running a mining pool. So Bob should wait until the transaction to him is verified by enough blocks so he believes the cost of running an attacking mining rig is greater than the gain from reversing the transaction.

Since the cost of running a mining rig is somewhat expensive, most transactions will not be bothered by this kind of attack. When Alice and Bob do receive transactions from Eve that are worth reversing, that would probably mean Alice and Bob have some huge resources as well. Since they are relying on Bitcoin infrastructure for large transactions, they should be mining themselves to protect their transactions.

Monitoring when such an attack occurs is quite trivial I believe, so we would know when it has happened. We would also know which address(es) were sending the revoked transactions. In a lot of cases, these could possibly be traced back to who owns them. The people who receive the money probably know already. Proving it was them would be relatively simple. That would mean that, should a legal framework exist, it would be quite easy to punish Eve accordingly.

Therefore I believe this hack is very unlikely to happen.
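
The race described in post #50, as an added example that is not part of the original thread: this Python sketch uses the catch-up probability model from section 11 of the Bitcoin whitepaper to show how Eve's share of the total hash rate determines how many confirmations Bob should wait for. It goes beyond the post's made-up numbers; the function names and the 0.1% risk threshold are assumptions of this example.

```python
import math


def attacker_share(attacker_rate: float, honest_rate: float) -> float:
    """Fraction q of the total hash rate held by the attacker (Eve)."""
    return attacker_rate / (attacker_rate + honest_rate)


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the total hash rate
    ever overtakes the honest chain once the payee has seen z confirmations
    (model from the Bitcoin whitepaper, section 11)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0  # with half or more of the hash rate, catching up is certain
    lam = z * q / p            # expected attacker blocks while honest miners find z
    poisson = math.exp(-lam)   # Poisson probability of k = 0 attacker blocks
    prob = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # iterative pmf avoids overflow for large z
        # Attacker is z - k blocks behind and must still close that gap.
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return max(prob, 0.0)


def confirmations_needed(q: float, max_risk: float = 0.001, max_z: int = 1000):
    """Smallest z for which the catch-up probability drops below max_risk.
    Returns None when no number of confirmations up to max_z is enough."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    honest = 100.0  # the made-up honest rate used in the post
    for eve in (10.0, 25.0, 50.0, 100.0):  # constructed sample attacker rates
        q = attacker_share(eve, honest)
        z = confirmations_needed(q)
        print(f"Eve rate {eve:5.0f}  q={q:.3f}  "
              f"P(6 conf)={catch_up_probability(q, 6):.6f}  "
              f"confirmations for <0.1% risk: {z}")
```

Under this model an attacker with less than half of the hash rate still succeeds with a non-zero probability that falls off exponentially with each confirmation, which is what lets Bob choose a waiting time for a given payment size.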

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 05:26:06 AM | #51
Last edit: June 10, 2011, 07:19:51 AM by andes

For those interested, I have been searching previous threads where this issue was specifically covered. I will post them here for convenience. Here is the first one:

Stopping an attacker who has >50% of the hashing power
http://forum.bitcoin.org/index.php?topic=7166.msg105218#msg105218

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 05:53:23 AM | #52
Last edit: June 10, 2011, 07:06:15 AM by andes

This thread (and the link inside) covers some problems caused by too powerful pools. Remember this doesn't fix the more fundamental problem of hashing power attack, because as already discussed in this thread, you don't need to own a pool to attack the network. But it goes in the right direction of reducing the vulnerabilities.

The 50% total hashing power - pooling flaw?
http://forum.bitcoin.org/index.php?topic=11424.0

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 06:15:26 AM | #53
Last edit: June 10, 2011, 07:03:46 AM by andes

There are two versions of the 51% attack, and I have made proposals that would address both of them.

Oh, and by the way, neither of these attacks are anywhere near as easy, nor as useful as popularly imagined.  And we really have read 100 threads on the topic.

I have seen other people claim that this attack is not easy nor useful, but when asked to explain why, their argument crumbles. By the way, I saw this post from kjj in another thread:

No, nothing in this thread is right.
...
The scenarios involving technical manipulation are entirely founded on misconceptions.  The network really doesn't work the way you imagine it does.  Someone would need several orders of magnitude more computing power than the rest of the world combined to pull off a block chain manipulation, and it would gain them very, very little.

Several orders of magnitude more computing power than the rest of the world combined to manipulate the chain? Hmmm. One thing is clear, you only need 50% or less of the total mining capacity (supposedly currently worth 50 million dollars or less) to create lots of problems. And this would be the most expensive attack possible. Obviously you could come up with more cost efficient ways to attack. Clearly, you don't need alien technology.

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 06:20:01 AM | #54
Last edit: June 10, 2011, 07:06:42 AM by andes

Another related thread:

What's the plan about the Sybil attack?
http://forum.bitcoin.org/index.php?topic=8051.0

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 06:30:28 AM | #55
Last edit: June 10, 2011, 07:07:13 AM by andes

This thread discusses a different problem that could have implications to this discussion, what happens if the internet partially fails, or different parts of the world become isolated because of some temporal connection failure. Gavin gives an interesting answer.

Bitcoin resistance to network failures
http://forum.bitcoin.org/index.php?topic=4575.0

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 06:48:52 AM | #56
Last edit: June 10, 2011, 07:07:26 AM by andes

Yet another relevant thread.

Is it possible to detect double spending in the > 50% network takeover scenario?
http://forum.bitcoin.org/index.php?topic=1481.0

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 06:56:28 AM | #57
Last edit: June 13, 2011, 05:52:24 AM by andes

Other ones

50%+ Attack Nodes
http://forum.bitcoin.org/index.php?topic=435.0


Manipulating the mining system via strategic scheduled withholding of CPU power
http://forum.bitcoin.org/index.php?topic=11133.0

kjj | Legendary | Activity: 1302 | Merit: 1025
June 10, 2011, 10:31:11 AM | #58

There are two versions of the 51% attack, and I have made proposals that would address both of them.

Oh, and by the way, neither of these attacks are anywhere near as easy, nor as useful as popularly imagined.  And we really have read 100 threads on the topic.

I have seen other people claim that this attack is not easy nor useful, but when asked to explain why, their argument crumbles. By the way, I saw this post from kjj in another thread:

No, nothing in this thread is right.
...
The scenarios involving technical manipulation are entirely founded on misconceptions.  The network really doesn't work the way you imagine it does.  Someone would need several orders of magnitude more computing power than the rest of the world combined to pull off a block chain manipulation, and it would gain them very, very little.

Several orders of magnitude more computing power than the rest of the world combined to manipulate the chain? Hmmm. One thing is clear, you only need 50% or less of the total mining capacity (supposedly currently worth 50 million dollars or less) to create lots of problems. And this would be the most expensive attack possible. Obviously you could come up with more cost efficient ways to attack. Clearly, you don't need alien technology.

It isn't easy because of the gigantic amount of resources necessary for the attack.  For example, you could not purchase enough hashing power today to do the attack, because it does not exist in the world in purchasable form.  I would even say that there is only one government in the world that would even have the potential ability to confiscate enough hashing power by sending armed troops into people's houses and stealing their video cards.  Someone would notice that.  It would require months or years of gathering resources, all while the network is growing, and even a slow acquisition would likely be noticed.

And it isn't useful, because your payback for spending all of this time and money gathering hashing power is the ability to turn back a few transactions.  What possible transaction would you reverse that was worth your 50 million dollar investment?  Keep in mind that as the value of future transactions grows, so will the cost of doing the attack.  Right now you would need to own roughly a quarter of all existing bitcoins, and spend all of them within the attack window, to beat the cost of your investment.  That ratio will probably change somewhat in the future, but the attack will never make sense unless you already control a non-trivial fraction of the bitcoins in the world, and can find enough victims to accept all of them in a short period.

And that other thread you link isn't about this sort of attack at all.  It is about difficulty and price manipulation.

And again, exponential difficulty can make these attacks even more costly.

andes (OP) | Jr. Member | Activity: 42 | Merit: 2
June 10, 2011, 11:22:51 AM | #59
Last edit: June 10, 2011, 12:42:17 PM by andes

It isn't easy because of the gigantic amount of resources necessary for the attack.  For example, you could not purchase enough hashing power today to do the attack, because it does not exist in the world in purchasable form.  I would even say that there is only one government in the world that would even have the potential ability to confiscate enough hashing power by sending armed troops into people's houses and stealing their video cards.  Someone would notice that.  It would require months or years of gathering resources, all while the network is growing, and even a slow acquisition would likely be noticed.

And it isn't useful, because your payback for spending all of this time and money gathering hashing power is the ability to turn back a few transactions.  What possible transaction would you reverse that was worth your 50 million dollar investment?  Keep in mind that as the value of future transactions grows, so will the cost of doing the attack.  Right now you would need to own roughly a quarter of all existing bitcoins, and spend all of them within the attack window, to beat the cost of your investment.  That ratio will probably change somewhat in the future, but the attack will never make sense unless you already control a non-trivial fraction of the bitcoins in the world, and can find enough victims to accept all of them in a short period.

The reason we don’t come to the same conclusion is not because of technical disagreements regarding Bitcoin, but instead because of the assumptions we are making about the nature, the resources, and the goals of the attacker. If you are interested, you can read this thread from the beginning to understand what the scenario I am considering is, and why I think it is a probable scenario. But to summarize, I am considering a very wealthy attacker, for example a banking cartel, one or more central banks, one or more big governments. Add to this lots of organization, and preparation. And finally a strategic, not financial goal.

The people who issue and control the money are the most powerful group on this planet. They are worth trillions. Money is their fundamental power source. You take away that power from them, and they will react. Bitcoin could be a revolution that changes the way the monetary power is distributed in the world. Wars have been fought for the control of Money.

You are assuming the attack is done to gain a direct financial gain in terms of bitcoins. You also assume the attacker would use the installed base of 3D gaming cards. In the scenario I am considering, this is not the case. This attacker could buy or build 10 factories of hashing hardware in China, could design his own hashing hardware and software, could pay the best programmers and engineers on planet earth, spend months, or even a couple of years preparing the attack. More easily, they could end up buying the majority of the miners in the market, or putting them out of business by predatory competition. They could sustain the attacks for days, months, or years. For the attacker in this scenario, the price does not matter, they can operate below cost. For all practical purposes they have unlimited financial resources. If they fall short, they just print more money to buy more things.

One mistake I have read, is saying that Bitcoin is as resilient as Napster, by being p2p. We cannot equate Bitcoin with Napster. Napster has no single point of failure; it is truly decentralized information and decentralized functionality. In Bitcoin, on the other hand, we have a de facto centralization on mining power. You mess with mining power and you render the system useless. It doesn’t matter that the user base is decentralized, if we cannot assure mining stays decentralized and honest. As I am trying to point out, the dependence on miners is the weakest link, and the single point of failure of Bitcoin right now, if we consider the possibility of attack from the establishment.

Does anyone else see the logic in my arguments, or share my concern for this scenario?

kjj | Legendary | Activity: 1302 | Merit: 1025
June 10, 2011, 03:55:53 PM | #60

Ahh, I get your point now.  I haven't given much consideration to a griefer attack.  I will ponder it.
