Bitcoin Forum
Author Topic: 51% attack  (Read 2317 times)
CliffordM (OP)
January 29, 2013, 01:25:58 PM
 #1

Having for a while thought I understood a 51% attack -- it struck me that maybe I have the wrong idea.

What is wrong with the following :

An entity acquires say 150% of the existing hashing power, but rather than use this to mine blocks in the current chain, starts a forked chain. 

This forked chain is not announced however until say 500 blocks have passed in the original chain, and roughly 750 blocks will have passed in the fork.

The fork is then announced -- causing mayhem as the last 500 blocks are now no longer valid, and replaced by the 750 new.

I'm not worried about whether the attacker makes money out of this, but whether it causes disruption.

What worries me is that (if this is possible), there would be no warning (looking at mining %s would be pointless) until the dirty deed is done.

hazek
January 29, 2013, 01:30:17 PM
 #2

I'm guessing just because of how Bitcoin works miners would probably spot this after 10 blocks.

My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)

If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
DannyHamilton
January 29, 2013, 01:34:08 PM
 #3

Quote
An entity acquires say 150% of the existing hashing power . . . This forked chain is not announced however until say 500 blocks have passed in the original chain, and roughly 750 blocks will have passed in the fork . . .

There is no need for 150% of the existing hashing power.  The attack you describe would work equally well if the entity acquires 101% of the existing hashing power.

In this case, when 500 blocks have passed in the original chain, roughly 505 blocks will have passed in the fork.

The fork can then be announced -- causing mayhem as the last 500 blocks are no longer valid, and replaced by the 505 new.
DannyHamilton
January 29, 2013, 01:35:36 PM
 #4

Quote
I'm guessing just because of how Bitcoin works miners would probably spot this after 10 blocks.

Huh

How would they spot a chain that hasn't been announced to the network yet?

Once it was announced, what would/could they do about it?
justusranvier
January 29, 2013, 01:38:22 PM
 #5

The only defence against this is to get so much distributed hashing power working on the main chain that it's implausible for a malicious entity to accumulate 51%, much less 100% or more.
marcus_of_augustus
January 29, 2013, 01:41:29 PM
 #6

Quote
An entity acquires say 150% of the existing hashing power

... elaborate on this step, technical details if you would, and I'm sure you will get the feedback you need on how well you "understand" the 51% attack.

NB: post it also in the "Mining" sub-forum to see what the experts think instead of merely just spooking the noobs in here.

Sukrim
January 29, 2013, 01:50:08 PM
 #7

Quote
What is wrong with the following :

An entity acquires say 150% of the existing hashing power

Bitcoin builds on the premise that it's REALLY hard to do this.

Your suspicions are correct in the sense that this could theoretically be done, just like theoretically someone could counterfeit perfect dollar notes that are in total worth more than all other "real" dollar notes. In practice this is very hard to achieve.

If you just want to cause a disturbance in the bitcoin community, just re-mine the whole block chain with difficulty 1 blocks (and increase towards the end) - might still be quite hard to catch up, but every time the difficulty goes down, you save on hashing power. There are still quite a few old clients out there that have no checkpoints compiled in besides the genesis block, so you can still cause some problems.

https://www.coinlend.org <-- automated lending at various exchanges.
https://www.bitfinex.com <-- Trade BTC for other currencies and vice versa.
DannyHamilton
January 29, 2013, 01:57:43 PM
 #8

Quote
. . . If you just want to cause a disturbance in the bitcoin community, just re-mine the whole block chain with difficulty 1 blocks (and increase towards the end) - might still be quite hard to catch up, . . .

Hard to catch up?  If you could acquire (and continually maintain) twice as much hashing power as the entire combined honest network, it would take you years to catch up.
Sukrim
January 29, 2013, 02:43:44 PM
 #9

I can stay on difficulty 1 far longer than mainnet, then towards the end quadruple the difficulty each 2016 blocks. Also every time mainnet goes down in difficulty, a second chain actually doesn't have to follow that bump and can gladly ignore it.

Just calculate "bitcoin time" with 2016 blocks = exactly 2 weeks since genesis and then calculate how far ahead the bitcoin clock is - that's the difficulty you have to beat.

Anyways, it might forever stay academic, since Satoshi fixed this issue already in 2010 by including checkpoints of the then current chain into the main (and back then: only) client. It might be possible to attack other cryptocurrencies or weaker Bitcoin implementations though.


CliffordM (OP)
January 29, 2013, 02:46:26 PM
 #10

how far back do checkpoints go then ?

So it would be possible to fork from just-after-a-checkpoint , and then suddenly announce this to the world when it's a few hundred blocks further on ?



Meni Rosenfeld
January 29, 2013, 03:13:23 PM
 #11

Quote
I can stay on difficulty 1 far longer than mainnet, then towards the end quadruple the difficulty each 2016 blocks. Also every time mainnet goes down in difficulty, a second chain actually doesn't have to follow that bump and can gladly ignore it.

Just calculate "bitcoin time" with 2016 blocks = exactly 2 weeks since genesis and then calculate how far ahead the bitcoin clock is - that's the difficulty you have to beat.

Anyways, it might forever stay academic, since Satoshi fixed this issue already in 2010 by including checkpoints of the then current chain into the main (and back then: only) client. It might be possible to attack other cryptocurrencies or weaker Bitcoin implementations though.

Branch selection is based on total difficulty, not number of blocks. Making the difficulty artificially low does not help in building a longer branch.

Quote
What is wrong with the following :

An entity acquires say 150% of the existing hashing power, but rather than use this to mine blocks in the current chain, starts a forked chain.

This forked chain is not announced however until say 500 blocks have passed in the original chain, and roughly 750 blocks will have passed in the fork.

The fork is then announced -- causing mayhem as the last 500 blocks are now no longer valid, and replaced by the 750 new.

Nothing "wrong" with it, this is the >50% attack. There's plenty of discussion about what can be done with such an attack, how likely it is, how to prevent it, etc.

Note that people need to clearly distinguish "percentage of honest network" and "percentage of total network". An attacker with 150% of the honest network has 60% of the total network. To carry out an effective attack, you need >50% of the total network, which is >100% of the honest network.

1EofoZNBhWQ3kxfKnvWkhtMns4AivZArhr   |   Who am I?   |   bitcoin-otc WoT
Bitcoil - Exchange bitcoins for ILS (thread)   |   Israel Bitcoin community homepage (thread)
Analysis of Bitcoin Pooled Mining Reward Systems (thread, summary)  |   PureMining - Infinite-term, deterministic mining bond
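
The branch-selection point made in reply #11, as an added example that is not part of the thread and not the Bitcoin client's own code: it decodes the compact `nBits` target of each block, sums the expected hashes per block (2^256 / (target + 1)), and compares selection by work with selection by length. The two branches are constructed sample data, and `0x1b0404cb` is only a sample compact target for a higher difficulty.

```python
def target_from_bits(bits: int) -> int:
    """Decode the compact nBits header field into the full 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected number of hashes needed to find one block at this target."""
    return (1 << 256) // (target_from_bits(bits) + 1)


def chain_work(bits_per_block) -> int:
    """Total work of a branch: the sum of the work of its blocks."""
    return sum(block_work(b) for b in bits_per_block)


def pick_by_length(branches: dict) -> str:
    """Naive rule: the branch with the most blocks wins."""
    return max(branches, key=lambda name: len(branches[name]))


def pick_by_work(branches: dict) -> str:
    """Rule described in reply #11: the branch with the most total work wins."""
    return max(branches, key=lambda name: chain_work(branches[name]))


DIFF1_BITS = 0x1D00FFFF    # difficulty-1 target
HIGHER_BITS = 0x1B0404CB   # sample higher-difficulty target (assumption)

# Constructed branches, counted from a common fork point.
BRANCHES = {
    "honest": [HIGHER_BITS] * 100,        # few blocks, each expensive
    "re-mined": [DIFF1_BITS] * 100_000,   # many blocks, each cheap
}

if __name__ == "__main__":
    for name, bits in BRANCHES.items():
        print(f"{name:9s} blocks={len(bits):>7d} work={chain_work(bits):.3e}")
    print("longest branch:  ", pick_by_length(BRANCHES))
    print("most-work branch:", pick_by_work(BRANCHES))
```
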
Sukrim
January 29, 2013, 03:17:06 PM
 #12

Check the code of bitcoind for that...
https://github.com/bitcoin/bitcoin/blob/master/src/checkpoints.cpp

The latest one currently is block #210000

Actually I searched a bit (on the wiki, not the code) and didn't find a clear answer to how the "best" branch is selected, other than that it has to be the longest, its difficulty has to make sense and the timestamps probably also shouldn't be more than 1(?) hour in the future compared to the local clock on the PC.

Making the difficulty low and recalculating from genesis makes it very easy to build a _longer_ branch, it won't be recognized as the "main" branch though, as Meni said it seems to be based on total difficulty as well.

Edit:
I thought the thing "enforcing" the higher difficulty would be that a higher difficulty produces a higher block height, since there are more than 2016 blocks in 2 weeks. This would mean that a longer blockchain with valid timestamps + matching difficulty calculations was more difficult than one that is shorter but still makes sense difficulty wise. I didn't know there were explicit calculations towards this as well.

CliffordM (OP)
January 29, 2013, 03:43:07 PM
 #13

ok, so a 51% attack can come from nowhere (i.e. there is no warning available by looking at mining pools) and suddenly re-write the blockchain back to the last checkpoint.

I had formerly had in my mind that a 51% attack would always be a visible tussle between the forces of good and evil, and also that it would re-write just a few blocks, not hundreds.

Satoshi's paper shows that it's geometrically harder to re-write the past blockchain.  What he doesn't point out is that a suitably equipped agency can gradually build up a competing chain (from the present going forward)  and then suddenly deliver this.  The length of this alternative chain can go back to the last checkpoint.

Presumably all the wallet-clients would go into a back-tracking mode as they called for and checked all the historical blocks ?  If you did this repeatedly (letting the other chain come past, then overtaking again) it strikes me you could seriously DOS attack the network.

To make bitcoin strong we need to understand these things , before they happen. 

Meni Rosenfeld
January 29, 2013, 04:52:45 PM
 #14

Quote
I had formerly had in my mind that a 51% attack would always be a visible tussle between the forces of good and evil, and also that it would re-write just a few blocks, not hundreds.

Attacker blocks don't have the "evil" bit set. If it was easy to know which blocks belong to an attacker it would be easy to ignore them. The crux of the problem is that it is not, in general, possible to know which chain is the real one.

Quote
Satoshi's paper shows that it's geometrically harder to re-write the past blockchain.  What he doesn't point out is that a suitably equipped agency can gradually build up a competing chain (from the present going forward)  and then suddenly deliver this.  The length of this alternative chain can go back to the last checkpoint.

Not exactly. Satoshi's paper shows that if the attacker has less than 50% hashrate, the probability of double-spending success decreases geometrically with the number of confirmations. In this situation rewriting a large number of blocks is virtually impossible. With sustained >50% hashrate, the attacker always has 100% chance of eventual success in rewriting as many blocks as he wants, and this is addressed in the paper (even if implicitly).

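
The distinction drawn in replies #11 and #14, as an added example that is not part of the thread: it converts "hashrate relative to the honest network" into a share of the total network and evaluates the catch-up probability from section 11 of the Bitcoin whitepaper. Function names are this example's own; plain floats are used, which is adequate for the small confirmation counts shown.

```python
import math


def share_of_total(ratio_to_honest: float) -> float:
    """Attacker hashrate as a multiple of the honest network -> share q of the total."""
    return ratio_to_honest / (1.0 + ratio_to_honest)


def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker with share q of the total hashrate
    eventually overtakes a chain in which the transaction has z confirmations."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # with at least half the total hashrate, catching up is certain
    lam = z * q / p                 # expected attacker progress while z blocks are mined
    poisson = math.exp(-lam)        # Poisson(lam) probability of k = 0
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k      # update to the probability of k attacker blocks
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


if __name__ == "__main__":
    # Minority attacker: success falls off geometrically with confirmations.
    for q in (0.1, 0.3):
        for z in (1, 5, 10):
            print(f"q={q:.2f} z={z:>2d} P={attacker_success(q, z):.7f}")
    # Majority attacker, expressed relative to the honest network as in the thread.
    for ratio in (1.01, 1.5):
        q = share_of_total(ratio)
        print(f"{ratio:.0%} of honest = {q:.1%} of total, "
              f"P(rewrite 500 blocks)={attacker_success(q, 500)}")
```
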
marcus_of_augustus
January 29, 2013, 09:16:40 PM
 #15

Quote
a suitably equipped agency can gradually build up a competing chain

... here's the flaw (again) in your argument.

Describe technically how an "agency" would go about amassing the hashing power you are dreaming of, use real numbers and technical estimates of the equipment/labour/energy involved.

To be realistic use something like the peak power we saw on halving day when a large portion of latent hashing power was on display ... e.g. 32 THash/sec.

The answer to your question is much more gritty and mundane than you think.

wscott
February 02, 2013, 02:40:37 PM
 #16

Well right now is the time when it isn't _that_ hard to imagine some entity obtaining a significant portion of the hashing power of the network.

ASICs are starting to appear that dramatically change the economics of mining, but they haven't yet come online for the network in general.

I was part of a small consulting group in discussions to build a custom ASIC for doing real time trading.  (sadly being a couple microseconds faster is a big deal) We were a couple engineers and they were a small Chicago trading firm.  Developing an ASIC is not limited to large organizations or deep pockets.  It isn't that hard to imagine more bitcoin mining ASICs in the world than just the ones that are trying to sell systems commercially.

Right now at the retail price of the BFL's systems it would take $500k to buy enough hardware to exceed the current network rate.  If you were developing things internally and already setup for this type of work then the price might be lower.  And it might be online already.  Hmm actually the cost might not be lower, most of that would just be paying the engineers. ;-)  But still this is only 0.2% of the value of all coins in circulation.

However I am having a hard time seeing this as profitable. That is still a lot of money, and if you did take over the chain and get yourself a pile of ill-gotten bitcoins, then what?  Who is going to buy them from you? You just tanked the economy.

And currently bitcoin is just not that important for a government (or evil bank) to bother spending the money to destroy.(*)

Soon mining ASICs will come online and bitcoin will be much stronger as a result and as time goes on this becomes harder and harder.  Probably the cost to attack the network will always be a constant fraction value of all coins in circulation.  We just need that fraction to be more like 10% than 0.2%.

*) As I write this and look at the numbers I start to wonder if someone wouldn't consider $1M to be a pretty deal to remove bitcoins as a valid alternative. Hmmm.  That said I hate encouraging the conspiracy people.

-Wayne
MaxLAMF
February 08, 2013, 08:45:48 AM
 #17

BTW: If I were a billionaire or a big company, I mean take Zuckerberg or maybe IBM or Intel as examples, why not invest 100 million or something like that, and overtake Bitcoin?
What can be done against it or could make such deals uninteresting?

One theory in this thread is that you're then sitting on your coins and nobody's gonna buy 'em, or at least the price for 1 BTC would be almost 0. BUT, to me this doesn't sound too conclusive?

To mention, I don't really understand the mathematics or in fact the algorithms behind it all too well (I'm pretty new to this topic).

Anyone with REAL knowledge and insight please point out some piece of information or better advice!
