Bitcoin Forum
December 10, 2016, 03:05:57 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Did Satoshi Nakamoto leave the door open for a heist?  (Read 1023 times)
KenJackson
Member
**
Offline Offline

Activity: 116



View Profile
July 13, 2011, 02:57:09 AM
 #1

The Nakamoto paper said in the introduction,
Quote
The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

So I'm just wondering how much thought has been given to the possibility that some evil-doers are borrowing processing power and ramping it up for a short-timeframe heist of beau coup bitcoins.

"The cloud" has bazillions of terraflops of available computing power.  And who knows how much processing power you could muster for a while by wheeling and dealing and using leverage.

The more bitcoins are worth, the more the attack will be worth it.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481339157
Hero Member
*
Offline Offline

Posts: 1481339157

View Profile Personal Message (Offline)

Ignore
1481339157
Reply with quote  #2

1481339157
Report to moderator
1481339157
Hero Member
*
Offline Offline

Posts: 1481339157

View Profile Personal Message (Offline)

Ignore
1481339157
Reply with quote  #2

1481339157
Report to moderator
jgarzik
Legendary
*
Offline Offline

Activity: 1470


View Profile
July 13, 2011, 02:59:47 AM
 #2

Read the whole paper.

You cannot "steal" existing coins without the proper keys.

With sufficient CPU power you can double-spend, and mine a lot of new coins for yourself.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
KenJackson
Member
**
Offline Offline

Activity: 116



View Profile
July 13, 2011, 03:08:27 AM
 #3

You cannot "steal" existing coins without the proper keys.

The statement I quoted seems to have been stated with mathematical precision--implying theft is possible with enough processing power to overwhelm the honest nodes.

And only so many bit coins can be mined in a given time, but that raises another issue.  I wonder at what price it will be profitable to hire the cloud to do legitimate bitcoin mining. And if that will happen.  And what effect it will have on the bitcoin economy.
deepceleron
Legendary
*
Offline Offline

Activity: 1470



View Profile WWW
July 13, 2011, 03:12:51 AM
 #4

Read the whole paper.

You cannot "steal" existing coins without the proper keys.

With sufficient CPU power you can double-spend, and mine a lot of new coins for yourself.


With sufficient CPU power I hash my forged block that transfers all the coins to my account. Then with sufficient CPU power I confirm it six times in a row. Your version of history where I don't have all the coins is now an unofficial fork of the blockchain that the clients delete.

jgarzik
Legendary
*
Offline Offline

Activity: 1470


View Profile
July 13, 2011, 03:58:08 AM
 #5

Read the whole paper.

You cannot "steal" existing coins without the proper keys.

With sufficient CPU power you can double-spend, and mine a lot of new coins for yourself.


With sufficient CPU power I hash my forged block that transfers all the coins to my account. Then with sufficient CPU power I confirm it six times in a row. Your version of history where I don't have all the coins is now an unofficial fork of the blockchain that the clients delete.

To repeat, for the cheap seats:  you cannot steal existing coins without the proper keys.


Jeff Garzik, bitcoin core dev team and BitPay engineer; opinions are my own, not my employer.
Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj
deepceleron
Legendary
*
Offline Offline

Activity: 1470



View Profile WWW
July 13, 2011, 04:48:05 AM
 #6

Read the whole paper.

You cannot "steal" existing coins without the proper keys.

With sufficient CPU power you can double-spend, and mine a lot of new coins for yourself.


With sufficient CPU power I hash my forged block that transfers all the coins to my account. Then with sufficient CPU power I confirm it six times in a row. Your version of history where I don't have all the coins is now an unofficial fork of the blockchain that the clients delete.

To repeat, for the cheap seats:  you cannot steal existing coins without the proper keys.


If we suppose "sufficient CPU power" to be arbitrary and overwhelming power greater than the Bitcoin network's existing hash rate, and a greater number of malevolent actor clients on the network than legitimate, can you educate me why this, or even pushing out a new genesis block, cannot be done? The clients can verify the entire blockchain of hashed blocks from the first to the last and know that mine needs to be hashed against the previous, but what is it in the raw block that still requires private keys if I want to craft a block of my evil design and have the network resources to say that the block is legitimate?

JoelKatz
Legendary
*
Offline Offline

Activity: 1386


Democracy is vulnerable to a 51% attack.


View Profile WWW
July 13, 2011, 05:12:09 AM
 #7

With sufficient CPU power I hash my forged block that transfers all the coins to my account. Then with sufficient CPU power I confirm it six times in a row. Your version of history where I don't have all the coins is now an unofficial fork of the blockchain that the clients delete.
That won't work. Forged blocks will not be accepted regardless of how the long the chain containing them is. The length comparison only applies when the client is confronted with multiple *valid* chains.

In order to create a valid block that transfers bitcoins from any source other than mining that very block, you must meet the requirements of the transaction that sent those bitcoins. In the typical case, that will require a signature from the recipient's key.

The paper was talking specifically about security against having transactions 'undone' and possibly replaced with conflicting transactions. Undoing a transaction does little harm, the transaction can just be re-posted. Replacing with a conflicting transaction is only possible if the attacker can get his hands on a conflicting transaction. If I'm sending the coins, only I can generate a conflicting transaction. So he cannot take my coins if they've already been sent to me.

I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Rob P.
Member
**
Offline Offline

Activity: 84



View Profile WWW
July 13, 2011, 03:55:04 PM
 #8

With sufficient CPU power I hash my forged block that transfers all the coins to my account. Then with sufficient CPU power I confirm it six times in a row. Your version of history where I don't have all the coins is now an unofficial fork of the blockchain that the clients delete.
That won't work. Forged blocks will not be accepted regardless of how the long the chain containing them is. The length comparison only applies when the client is confronted with multiple *valid* chains.

In order to create a valid block that transfers bitcoins from any source other than mining that very block, you must meet the requirements of the transaction that sent those bitcoins. In the typical case, that will require a signature from the recipient's key.

The paper was talking specifically about security against having transactions 'undone' and possibly replaced with conflicting transactions. Undoing a transaction does little harm, the transaction can just be re-posted. Replacing with a conflicting transaction is only possible if the attacker can get his hands on a conflicting transaction. If I'm sending the coins, only I can generate a conflicting transaction. So he cannot take my coins if they've already been sent to me.

+1, cannot happen.  Owning > 50% of the hashing power of the entire network only grants you the *ability* to double spend your own coins and/or reverse transactions on your own coins.  Even then, you'd also have to maintain that position in the hashpower hierarchy, or risk having your entire branch reverted to the "correct" one, thus undoing all of your double-spends (and all of their children).

The coins live in the network.  You only have rights to move them around, they cannot be destroyed, only lost.

--

If you like what I've written here, consider tipping the messenger:
1GZu4CtHa6ai8iWoWiVFxV5VVoNte4SkoG

If you don't like what I've written, send me a Tip and I'll stop talking.
KenJackson
Member
**
Offline Offline

Activity: 116



View Profile
July 13, 2011, 05:08:48 PM
 #9

+1, cannot happen.

I hope you guys are right.  But the very words "cannot happen" seem very dangerous--a dare.

The Domain Name System (DNS) was regarded as solid and secure for almost two decades.  Then three years ago somebody found a flaw that allowed an attacker to trivially hijack an arbitrary website, e.g. a bank.

In that case, fortunately, the guy that found it behaved very responsibly and it was fixed before it became public knowledge.  But incidents like that make me nervous when I hear a chorus of people saying "cannot happen".
JoelKatz
Legendary
*
Offline Offline

Activity: 1386


Democracy is vulnerable to a 51% attack.


View Profile WWW
July 13, 2011, 05:14:29 PM
 #10

+1, cannot happen.

I hope you guys are right.  But the very words "cannot happen" seem very dangerous--a dare.
What we mean when we say "cannot happen" is that we know precisely what it would take to make that particular attack work, and know that it is beyond anyone's capability for the foreseeable future.

Quote
The Domain Name System (DNS) was regarded as solid and secure for almost two decades.  Then three years ago somebody found a flaw that allowed an attacker to trivially hijack an arbitrary website, e.g. a bank.
Well that's always the big risk -- that someone will find an attack you didn't think of. That has happened to bitcoin in the past (the overflow attack), and the fact that it was dealt with so well is encouraging.

Quote
In that case, fortunately, the guy that found it behaved very responsibly and it was fixed before it became public knowledge.  But incidents like that make me nervous when I hear a chorus of people saying "cannot happen".
It's easy to judge the possibility of a particular proposed scheme, especially where the design was specifically made with that attack in mind. Bitcoin uses a specific cryptograph algorithm precisely the way it was designed to be used to protect against precisely this attack. We know exactly what it would take to break that scheme, and judge the scheme still reliable.

No only that, but if there were any hints that it could not be relied upon any longer, we know exactly what we would have to do to solve that problem and how to do it. It would take two years or so to do it smoothly, but it could be done even faster in an emergency. The community as a whole has an interest in protecting the value of bitcoins themselves.

I am an employee of Ripple.
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
July 14, 2011, 01:31:39 PM
 #11

That won't work. Forged blocks will not be accepted regardless of how the long the chain containing them is. The length comparison only applies when the client is confronted with multiple *valid* chains.
Note that this only applies to the official client. SPV clients - such as the Android one - will accept any longest chain, including ones that spend bitcoins that don't actually exist.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!