Topic: technical questions about a 51% attack
lorax2013 (OP)
November 12, 2013, 08:23:23 PM
 #1

As I understand it, if the US Govt chose to entirely eradicate bitcoin worldwide the most likely way would be through a 51% attack (please correct me if some other software-based attack might be more effective).

I think this makes a few questions extremely important to understand:

Would the US Govt be able to keep a 51% attack secret or shift blame to another entity? 
Would there be signals of a 51% attack or could this occur with no warning?
How much would a 51% attack cost to implement roughly?
Most importantly - Could any responses be developed within the bitcoin framework or do you see another existing or proposed cryptocurrency that would be safe from a 51% attack? (for example I hear something about bitcoins being traded "individually"? after such an attack).

Sorry I know it is a messy bunch of questions, but perhaps also the most important to consider long-term.  Please just start with the premise that such an attack would occur rather than the entirely different question of "if" the govt would ever do such a bad thing.  Thank you.
DannyHamilton
November 12, 2013, 09:29:18 PM
 #2

As I understand it, if the US Govt chose to entirely eradicate bitcoin worldwide the most likely way would be through a 51% attack (please correct me if some other software-based attack might be more effective).

This would be a very expensive way to attack the network, it is unlikely that this attack vector would be used.

Would the US Govt be able to keep a 51% attack secret

An attack isn't an attack unless it's doing something bad.  If it's doing something bad, then what's being done won't be a secret, although it might be possible to keep secret who is doing the bad thing.

or shift blame to another entity? 

Perhaps.  Not sure that it matters.  The attack is the same regardless of who the perpetrator is.

Would there be signals of a 51% attack or could this occur with no warning?

I suspect that the most likely attack would be a sudden large scale blockchain reorganization going back many weeks or months.  You wouldn't know it was being prepared, but the results would be immediately visible once the competing blockchain is broadcast.

How much would a 51% attack cost to implement roughly?

Calculate the total cost to supply enough equipment to be equal to the current total hash power of the entire bitcoin network.  Next calculate the total electricity cost of operating that equipment 24 hours a day for the duration that you want to maintain your own alternative blockchain.  Next calculate the cost of the salaries of the people you've hired to set it up and keep it running and the maintenance costs of all that hardware.  Add it all up, and you've got the total cost.  Not sure how much that is, but it seems there are probably more cost efficient attack vectors.

Most importantly - Could any responses be developed within the bitcoin framework or do you see another existing or proposed cryptocurrency that would be safe from a 51% attack?

Perhaps checkpoints or block rejection could be implemented, but it's likely that faith in the currency would be lost faster than such solutions could be rolled out.

(for example I hear something about bitcoins being traded "individually"? after such an attack).

I have no idea what that even means.
lorax2013 (OP)
November 12, 2013, 11:20:24 PM
 #3

Thank you for the detailed response Danny. 

I guess a rough cost estimate could be obtained by determining the value of bitcoins mined (around half a billion $ per year?).   The mining operations cost less than this to run per year or it wouldn't be profitable.  Yes perhaps the payback period for the equipment is several years but that is not what I recall hearing.  If the attacking entity decided to sell the coins they mined they might offset most of that cost.  But assuming it is an inefficient govt agency, and they don't even sell the coins mined, it looks like 51% of the network computing power could still be obtained for under $1 billion.  That is less than the average fighter jet costs - to save US dollar hegemony worth trillions.

The question of "could it be blamed on another entity" is very important imo, since public backlash currently makes an overt attack politically unpalatable or perhaps impossible.   However the govt has proven very willing and able historically to engage in secret operations that would otherwise be rejected by the public. 

My main question now is:  If a government agency developed a "mining" operation equal to 51% of the network, could it be brought online to appear as just more private miners - or would there be clues that the operation was concentrated in a few locations with massive computing power in each location?
DannyHamilton
November 13, 2013, 12:56:53 AM
 #4

I guess a rough cost estimate could be obtained by determining the value of bitcoins mined (around half a billion $ per year?).   The mining operations cost less than this to run per year or it wouldn't be profitable.

Mining increases in cost over time due to the increasing difficulty.  As such, earlier mining operations could be very profitable at a significantly reduced cost compared to current mining. As such, I'm not sure that you can use the current exchange rate to determine what would have been profitable 3 years ago. Nor can you use coins that were mined at a reduced cost 3 years ago to calculate how much it would cost to compete with today's network.

Yes perhaps the payback period for the equipment is several years but that is not what I recall hearing.

Payback period is based on a lot of guesses at things like future exchange rate and predicted difficulty increases.  If a single entity were to rather suddenly double the difficulty, it might have a significant effect on the payback period.

If the attacking entity decided to sell the coins they mined they might offset most of that cost.

Sell the coins?  After they destroyed the system?  How much do you suppose they'd get for them?  Maybe 1 penny for 100,000 coins?

But assuming it is an inefficient govt agency, and they don't even sell the coins mined, it looks like 51% of the network computing power could still be obtained for under $1 billion. 

Not sure about your estimates, but even if they are accurate the point isn't that a government the size of the U.S. couldn't afford to pay a research team to design a better ASIC, then pay a manufacturing team to build the better ASIC, then pay an attack team to run the better ASIC.  The point is that there are more cost effective attacks, so why bother with such an expensive one.  Perhaps you could pass a law that anyone found running a miner or relay node will be shot on sight.  Anyone found guilty of transacting in bitcoins will be sentenced to death by electrocution.  Anyone found in possession of a blockchain file will be sentenced to 30 years in prison and will be fined $10,000.  Any bank or other financial business found to be transferring USD to any foreign entity that engages in any form of bitcoin transactions will be prosecuted.

The question of "could it be blamed on another entity" is very important imo, since public backlash currently makes an overt attack politically unpalatable or perhaps impossible.   However the govt has proven very willing and able historically to engage in secret operations that would otherwise be rejected by the public. 

Well, if that matters, then they can pay a foreign research team to design a better ASIC, then pay a foreign manufacturing team to build the better ASIC, then pay a foreign attack team to run the better ASIC.  As long as they can keep the source of the payments hidden, then they can keep their actions hidden, right?

My main question now is:  If a government agency developed a "mining" operation equal to 51% of the network, could it be brought online to appear as just more private miners

Yes, but that wouldn't be an attack.  They would be participating in the security of the network.  The blockchain can't determine the reason that someone is mining, and it really doesn't care.

or would there be clues that the operation was concentrated in a few locations with massive computing power in each location?

Not if they were careful about it, but since it would only be helping the network, it would be a good thing.
razorfishsl
November 13, 2013, 01:33:43 AM
 #5

What is sad.. is the number of people who tie themselves in knots trying to figure out clever ways to attack bitcoin using 51% attacks and other 'clever shit' and working out all the cost that it would entail….

In reality it  only requires an attack on the software.
 
All that money trapped by the FBI… it's only trapped because that is the way the software is written.

High Quality USB Hubs for Bitcoin miners
https://bitcointalk.org/index.php?topic=560003
DannyHamilton
November 13, 2013, 01:37:27 AM
 #6

What is sad.. is the number of people who tie themselves in knots trying to figure out clever ways to attack bitcoin using 51% attacks and other 'clever shit' and working out all the cost that it would entail….

In reality it  only requires an attack on the software.
 
All that money trapped by the FBI… it's only trapped because that is the way the software is written.

The hard part isn't changing the software.

The hard part is convincing every single node on the network to run your changed software instead of the original software.
razorfishsl
November 13, 2013, 01:46:32 AM
 #7

What is sad.. is the number of people who tie themselves in knots trying to figure out clever ways to attack bitcoin using 51% attacks and other 'clever shit' and working out all the cost that it would entail….

In reality it  only requires an attack on the software.
 
All that money trapped by the FBI… it's only trapped because that is the way the software is written.

The hard part isn't changing the software.

The hard part is convincing every single node on the network to run your changed software instead of the original software.

So what is cheaper?
To 'convince'  Two BIG mining pools to change the software or to spend hundreds of millions masturbating about designing a new ASIC?

High Quality USB Hubs for Bitcoin miners
https://bitcointalk.org/index.php?topic=560003
DannyHamilton
November 13, 2013, 01:55:24 AM
 #8

What is sad.. is the number of people who tie themselves in knots trying to figure out clever ways to attack bitcoin using 51% attacks and other 'clever shit' and working out all the cost that it would entail….

In reality it  only requires an attack on the software.
 
All that money trapped by the FBI… it's only trapped because that is the way the software is written.

The hard part isn't changing the software.

The hard part is convincing every single node on the network to run your changed software instead of the original software.

So what is cheaper?
To 'convince'  Two BIG mining pools to change the software or to spend hundreds of millions masturbating about designing a new ASIC?

Not "Two BIG mining pools".

"Every single node on the network".

If "two big mining pools" change, they'll be mining something other than bitcoins.  All the other nodes on the network will refuse to relay the blocks created by the "two big mining pools".  The total hash power left on the bitcoin network will drop and the remaining pools and miners will all earn twice as much bitcoins as they previously were.
oakpacific
November 13, 2013, 04:18:28 AM
 #9


Would there be signals of a 51% attack or could this occur with no warning?

I suspect that the most likely attack would be a sudden large scale blockchain reorganization going back many weeks or months.  You wouldn't know it was being prepared, but the results would be immediately visible once the competing blockchain is broadcast.


As far as I am concerned, most clients implemented checkpointing, so at most you can have a reorganization going back to one/two days ago, correct me if I am wrong.

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
DannyHamilton
November 13, 2013, 04:26:21 AM
Last edit: November 13, 2013, 04:45:13 AM by DannyHamilton
 #10

As far as I am concerned, most clients implemented checkpointing, so at most you can have a reorganization going back to one/two days ago, correct me if I am wrong.

I'm pretty sure you are wrong.

There are checkpoints hard coded into the Bitcoin-Qt client, but those have only been updated as of the last time a new release (0.8.5) was built (many weeks ago).  Even so, the intended purpose of the checkpoints is to protect synchronization on the initialization of a new client downloading the full blockchain.  While they have a secondary unintended effect of also preventing reorganizations of the present blockchain from earlier dates, the significant amount of time since the most recent checkpoint leaves plenty of room for a devastating disaster of a reorganization if someone happens to successfully re-mine a forked blockchain from that point.

More details here:
https://bitcointalk.org/index.php?topic=194078.msg3009608#msg3009608
oakpacific
November 13, 2013, 04:30:05 AM
 #11

As far as I am concerned, most clients implemented checkpointing, so at most you can have a reorganization going back to one/two days ago, correct me if I am wrong.

I'm pretty sure you are wrong.

There are checkpoints hard coded into the Bitcoin-Qt client, but those have only been updated as of the last time a new release (0.8.5) was built (many weeks ago).  Even so, I'm not sure that those checkpoints prevent a reorganization.  I think I read that they are only used to speed up synchronization on the initialization of a new client downloading the full blockchain.

I am pretty sure the checkpoints can be used to prevent a reorg.

Your first sentence seems to be right.

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
DannyHamilton
November 13, 2013, 04:47:00 AM
Last edit: November 13, 2013, 05:03:41 AM by DannyHamilton
 #12

I am pretty sure the checkpoints can be used to prevent a reorg.

I went and found the previous message that I was referring to and re-read it.  You are correct, checkpoints do prevent a blockchain reorganization from prior to the checkpoint, and I was not remembering the details of the discussion accurately.

As such, I've edited my post to be more accurate.
oakpacific
November 13, 2013, 04:58:29 AM
 #13

I am pretty sure the checkpoints can be used to prevent a reorg.

I went and found the previous message that I was referring to and re-read it.  You are correct, checkpoints do prevent a blockchain reorganization from prior to the checkpoint, and I was not remembering the details of the discussion accurately.

As such, I've edited my post to be more accurate.

Thanks. Seems that I misunderstood this post : https://bitcointalk.org/index.php?topic=437.msg3807#msg3807

Satoshi was talking about the one checkpoint 200 blocks before the then most up-to-date block, I took it to mean that every 200 blocks a checkpoint will be added.

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
lorax2013 (OP)
November 13, 2013, 06:33:40 AM
 #14

What is sad.. is the number of people who tie themselves in knots trying to figure out clever ways to attack bitcoin using 51% attacks and other 'clever shit' and working out all the cost that it would entail….

In reality it  only requires an attack on the software.
 
All that money trapped by the FBI… it's only trapped because that is the way the software is written.

The hard part isn't changing the software.

The hard part is convincing every single node on the network to run your changed software instead of the original software.

Sorry I'm not software savvy.  Could you explain in layman's terms how an "attack on the software" could destroy bitcoin?  I have never heard of this.  As I understand it, the best way to eradicate bitcoin would be a 51% attack which can apparently be launched secretly at an insignificant price compared to the monetary benefit for the US Govt/banks. 

As for other methods of attack centering around "make it illegal and start seizing bitcoins and punishing users" - we have countless examples for how that plays out in the gold market.  It works to an extent but never entirely - and there is currently not even the political will in the US to keep gold illegal, much less bitcoin.  Furthermore the "make it illegal" approach would likely be slower moving and more predictable.  Many of my friends and myself are traders and investors, but it is the uncertainty surrounding an unexpected takedown of bitcoin that is generally our biggest concern and impediment to significant buy-in at this point. 
JoelKatz
November 13, 2013, 06:38:22 AM
 #15

As I understand it, if the US Govt chose to entirely eradicate bitcoin worldwide the most likely way would be through a 51% attack (please correct me if some other software-based attack might be more effective).
It wouldn't completely eradicate Bitcoin though. It would just shake people's confidence in it and require some very, very ugly solutions.

Mining pools could sign their blocks and could agree not to build onto a block that wasn't signed. Clients could prefer signed blocks to unsigned blocks in reorganizations. One or more distributed, high-speed checkpointing systems run by trusted individuals could be set up. Path dependency could be added to the "longest chain wins" algorithm. The mining algorithm could be changed, forcing the attacker to start over from scratch.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
lorax2013 (OP)
November 13, 2013, 07:02:09 AM
 #16

As I understand it, if the US Govt chose to entirely eradicate bitcoin worldwide the most likely way would be through a 51% attack (please correct me if some other software-based attack might be more effective).
It wouldn't completely eradicate Bitcoin though. It would just shake people's confidence in it and require some very, very ugly solutions.

Mining pools could sign their blocks and could agree not to build onto a block that wasn't signed. Clients could prefer signed blocks to unsigned blocks in reorganizations. One or more distributed, high-speed checkpointing systems run by trusted individuals could be set up. Path dependency could be added to the "longest chain wins" algorithm. The mining algorithm could be changed, forcing the attacker to start over from scratch.


Thanks, that is encouraging.  However, during the time period while an attacker had control of 51% of the cloud, could they destroy/redirect all records of existing bitcoin ownership - or new ownership going back ___ (please estimate) weeks?  Could an attacker hide within mining pools or is it certain the offending nodes could be detected and removed?
JoelKatz
November 13, 2013, 07:53:25 AM
 #17

Thanks, that is encouraging.  However, during the time period while an attacker had control of 51% of the cloud, could they destroy/redirect all records of existing bitcoin ownership - or new ownership going back ___ (please estimate) weeks?
The community would have their choice of ways to respond and I can only guess at what would happen. Presumably, stakeholders would agree on the scheme that does the least damage. I would guess that this would be "rewinding" the block chain to the longest public chain just before the first absurdly large reorganization. Thus, people should be able to defend themselves if they stop trusting Bitcoin as soon as they see an absurdly large reorganization. (I'm not 100% sure about this. Don't go ahead and do it just on my say so.)

Actually, this might be a good rule -- if you ever see a block organization of six blocks or more, you should consider the Bitcoin system broken until you personally confirm that it is still safe. (Have we ever had a reorganization of more than six blocks for a reason other than the system being broken?) With reorganizations smaller than that, you are safe if you wait for six confirmations.

Quote
Could an attacker hide within mining pools or is it certain the offending nodes could be detected and removed?
If you mine with a pool, the pool controls what block you build on. You can't trick a pool into causing a reorganization.

I don't want to sugar coat things, a 51% attack on Bitcoin would be bad. But I don't think it would be the end of Bitcoin. Too many people have too big an incentive to get the system fixed.

The biggest threat would be to miners because one obvious solution would be to change the mining algorithm and force the attacker to start over from scratch. But I don't think it's likely the community would adopt this solution -- for one thing, miners would oppose it.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
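
The two defensive rules discussed in this thread, checkpoints refusing any reorganization from before the checkpoint and treating a reorganization of six or more blocks as a warning sign, can be expressed as one check on a competing chain. This is an added example, not code from any poster or from Bitcoin-Qt; chains are modelled as lists of constructed block labels indexed by height, chain length stands in for accumulated proof of work, and all function names are hypothetical.

```python
# Added example; block labels below are constructed, not real block hashes.
ALERT_DEPTH = 6  # "six blocks or more" rule of thumb from the thread


def fork_height(active, candidate):
    """Height of the last block both chains share (-1 if they share none)."""
    height = -1
    for ours, theirs in zip(active, candidate):
        if ours != theirs:
            break
        height += 1
    return height


def violates_checkpoint(candidate, checkpoints):
    """True if the candidate disagrees with a checkpoint at a height it reaches."""
    return any(
        height < len(candidate) and candidate[height] != label
        for height, label in checkpoints.items()
    )


def classify_reorg(active, candidate, checkpoints):
    """Return (verdict, depth); depth = blocks of `active` that would be undone.

    Simplification: chain length stands in for accumulated proof of work.
    """
    depth = len(active) - 1 - fork_height(active, candidate)
    if violates_checkpoint(candidate, checkpoints):
        return "reject", depth          # disagrees with a checkpoint: never accepted
    if len(candidate) <= len(active):
        return "ignore", depth          # not longer, so the node stays put
    if depth == 0:
        return "extend", depth          # ordinary new block(s) on our tip
    if depth >= ALERT_DEPTH:
        return "alert", depth           # accepted by the rules, but distrust it
    return "reorg", depth               # routine short reorganization


def make_fork(active, keep, new_len):
    """Constructed competitor: shares `keep` blocks, then diverges."""
    return active[:keep] + [f"b{h}" for h in range(keep, new_len)]


ACTIVE = [f"a{h}" for h in range(12)]   # heights 0..11
CHECKPOINTS = {3: "a3"}                 # constructed checkpoint at height 3

if __name__ == "__main__":
    for keep in (12, 10, 6, 5, 2):
        print(keep, classify_reorg(ACTIVE, make_fork(ACTIVE, keep, 13), CHECKPOINTS))
```

The "alert" verdict is the case the checkpoint does not cover: a deep reorganization that forks after the most recent checkpoint is still valid under the consensus rules, so only a depth monitor flags it.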