Bitcoin Forum
Author Topic: What would it take to make a 51% attack on the whole bitcoin network?  (Read 2580 times)
coinfreak (OP)
September 17, 2011, 10:41:19 AM
 #21

> I worked for 5 years for a company that creates ASIC chips, and I understand the process well enough. My estimation is that it is possible to create an ASIC that consumes the same power as a Radeon 5870 (for example) and calculates 20-100 times more hashes. It is not surprising, because the chip is special-purpose and a GPU is universal. I suppose that it is possible to create such an ASIC in 6-12 months. The power of the network now is approximately 12 Thash, which is equivalent to ~20,000-40,000 GPUs. That means that 2,000 such chips would be enough to attain more than 50% of the computing power. I think the cost of creating such a number of chips is approximately 5 million dollars. Indeed, the major part of this money would be spent on designing the chip, not on manufacturing. Therefore, to create 10,000 chips like this, one would need approximately 10 million dollars. And 10,000 chips is 80% of the net's computing power.
>
> So, I think that an ASIC is the most probable way to accomplish a 51% attack.

Agree.

> What can we invent to prevent net destruction? I have thought about it, but I have not found any solution. IMHO, changing the POW method is useful only the first time, because we can change our miners quickly, but it is not possible to change an ASIC chip. They would need to make another one (+3-6 months). Adding memory requirements to the POW method is a good idea, but it changes not much. Let us say, not 10 but 20 million dollars per 80% of the net's computing power.

Disagree. The idea isn't just adding memory requirements to the POW but making the POW seriously memory-constrained. Say 1 POW needs 1 million sequential computations and 32M of RAM as a whole for each computation, and that 32M can't be shared between POWs because the data is different. So the only way to implement such a POW in an ASIC is to add 32M of RAM to the chip, wasting its area, dramatically increasing its cost and reducing its efficiency. And you can't make 32M of on-ASIC RAM cheaper than 32M of DDR module RAM.

> I think the better way to find a solution is to think about changing the way nodes cooperate. For example, it is possible to create a system of trust between nodes. If one node performs some suspicious actions (distributes a new block that does not contain the majority of transactions, or a new block chain that removes the last 10 blocks), its "rank" decreases. If a node distributes good information, its "rank" increases. Information from nodes with too low a "rank" is skipped. It's only a raw idea, I know. I just want to show the direction of how else it could be.

Bad idea. No one can prevent me from making millions of nodes, each of which trusts the others. Newly connected nodes would have to trust my malicious sub-network with high probability only because of its size.
If you propose to dedicate one bootstrap node and make it trusted by default (hard-coding a certificate into the client, for example), you just reinvent PKI in its traditional form, and that trusted-by-default node would become a central authority and perform central-bank-like functions. That's not what we all want to happen with Bitcoin.

> Anyway, what we can do right now (besides finding a solution) is to recognize the problem, and change the status of this vulnerability in the wiki from "Probably not a problem" to "Might be a problem".

You're damn right. It's "Might be a problem".
storr
September 18, 2011, 03:49:44 PM
 #22

> Disagree. The idea isn't just adding memory requirements to the POW but making the POW seriously memory-constrained. Say 1 POW needs 1 million sequential computations and 32M of RAM as a whole for each computation, and that 32M can't be shared between POWs because the data is different. So the only way to implement such a POW in an ASIC is to add 32M of RAM to the chip, wasting its area, dramatically increasing its cost and reducing its efficiency. And you can't make 32M of on-ASIC RAM cheaper than 32M of DDR module RAM.

1) OK, it is useful to make ASICs less effective. But it is not enough. At least, they can use 20,000-40,000 GPUs to make the 51% attack. We need one more solution for this case.

2) What new POW do you suggest? Your scheme with N = 32M/32 = 1M? IMHO, it is not good, because the calculation of 2^20 sha256 is too time-consuming. Each node (not only miners) needs to calculate the POW each time it receives a new block. Do you have another idea? We can remember the results of intermediate steps 0,8,16,24,32,40,48,63 of the sha256 calculation, for example. It is 8 times more information, but 2^17 calculations of sha256 is very time-consuming too.

> Bad idea. No one can prevent me from making millions of nodes, each of which trusts the others. Newly connected nodes would have to trust my malicious sub-network with high probability only because of its size.
> If you propose to dedicate one bootstrap node and make it trusted by default (hard-coding a certificate into the client, for example), you just reinvent PKI in its traditional form, and that trusted-by-default node would become a central authority and perform central-bank-like functions. That's not what we all want to happen with Bitcoin.

Yes, if we make a "net of trust", then an attacker with more than 50% of the computational power can create an "alternative reality" in Bitcoin, I mean an alternative block chain that begins with the same genesis block but then diverges from the "real" block chain. In fact, in this case more than two block chains can exist. And for a node that connects to the net, it will be impossible to understand which of them to connect to and believe. IMHO, this problem can be solved only by out-of-Bitcoin methods. All sites that work with Bitcoin may/have to publish in which reality/block chain they work. I believe that they can detect which block chain is real. And usual users will check from time to time that they live in the same reality. It is not excellent, but I don't see any better solution. At least, by this approach it is possible to eliminate the other problems of a 50%+ attack:

- Reverse transactions that the attacker sends while he's in control
- Prevent some or all transactions from gaining any confirmations
- Prevent some or all other generators from getting any generations
coinfreak (OP)
September 19, 2011, 10:21:33 AM
 #23

> 1) OK, it is useful to make ASICs less effective. But it is not enough. At least, they can use 20,000-40,000 GPUs to make the 51% attack. We need one more solution for this case.

Modern GPUs are memory-limited too. My HD6990 has >3000 cores and only 4GB of RAM. This is ~1M per core. And this is only a good starting point for further thoughts.
Also, as I mentioned earlier: if Bitcoin ever reaches popularity comparable to BitTorrent, a 51% attack would take many more GPUs, especially when the POW is memory-bounded.
But there is one more issue. Favoring GPUs or any other highly specialized solution for mining doesn't encourage wider Bitcoin popularization. We should keep the doors open for newcomers. And on average they don't have top-level GPUs.

> 2) What new POW do you suggest? Your scheme with N = 32M/32 = 1M? IMHO, it is not good, because the calculation of 2^20 sha256 is too time-consuming. Each node (not only miners) needs to calculate the POW each time it receives a new block. Do you have another idea? We can remember the results of intermediate steps 0,8,16,24,32,40,48,63 of the sha256 calculation, for example. It is 8 times more information, but 2^17 calculations of sha256 is very time-consuming too.

2^20 sha256 computations over 32-byte vectors is equal to 1 sha256 computation over a 32M file. It takes less than a second on my box. So I consider this to be acceptable.
Moreover, I don't insist on hashing something a million times. That was only an example. Digging a little, I've found an interesting paper: Exponential Memory-Bound Functions for Proof of Work Protocols. The scheme described in the paper is also two-dimensional (by memory amount and successive POW criteria). And I don't have any idea how to adjust memory requirements and "leading-zeros count" together with difficulty.

> Yes, if we make a "net of trust", then an attacker with more than 50% of the computational power can create an "alternative reality" in Bitcoin, I mean an alternative block chain that begins with the same genesis block but then diverges from the "real" block chain. In fact, in this case more than two block chains can exist. And for a node that connects to the net, it will be impossible to understand which of them to connect to and believe. IMHO, this problem can be solved only by out-of-Bitcoin methods. All sites that work with Bitcoin may/have to publish in which reality/block chain they work. I believe that they can detect which block chain is real. And usual users will check from time to time that they live in the same reality. It is not excellent, but I don't see any better solution. At least, by this approach it is possible to eliminate the other problems of a 50%+ attack:
>
> - Reverse transactions that the attacker sends while he's in control
> - Prevent some or all transactions from gaining any confirmations
> - Prevent some or all other generators from getting any generations

That would be something like Ripple, not like Bitcoin.
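A toy memory-bound proof of work in the spirit of the scheme debated in the posts above (a sequential fill of a 32 MiB buffer followed by data-dependent reads, seeded per nonce so the buffer cannot be shared between attempts), written here as an added Python example; it is not code from any poster or from Bitcoin, and the function names, the scrypt-style two-phase layout and the "leading zero bits" difficulty check are assumptions for illustration. Smaller `n_cells` values are used in the demo so it runs quickly; the default reproduces the thread's 2^20 cells.

```python
import hashlib

CELL = 32  # one sha256 digest per cell; 2**20 cells = 32 MiB, as in the thread

def memory_bound_pow(header: bytes, nonce: int, n_cells: int = 2**20) -> bytes:
    """Hypothetical memory-bound PoW (scrypt-style ROMix layout, assumed here).
    Phase 1 fills n_cells cells sequentially, cell[i] = H(cell[i-1]), so the
    buffer cannot be produced faster by parallel hardware.
    Phase 2 does n_cells reads at data-dependent indices, so an evaluator that
    keeps only a few checkpoints must recompute long sequential stretches.
    The buffer is seeded by (header, nonce): it differs for every nonce and
    cannot be shared between concurrent PoW attempts."""
    cur = hashlib.sha256(header + nonce.to_bytes(8, "little")).digest()
    cells = bytearray(n_cells * CELL)
    for i in range(n_cells):                       # phase 1: sequential fill
        cur = hashlib.sha256(cur).digest()
        cells[i * CELL:(i + 1) * CELL] = cur
    x = cur
    for _ in range(n_cells):                       # phase 2: random reads
        j = int.from_bytes(x[:8], "little") % n_cells
        x = hashlib.sha256(x + cells[j * CELL:(j + 1) * CELL]).digest()
    return x

def leading_zero_bits(digest: bytes) -> int:
    """Bitcoin-style difficulty measure: number of leading zero bits."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
        else:
            return bits + 8 - b.bit_length()
    return bits

def verify(header: bytes, nonce: int, difficulty_bits: int, n_cells: int = 2**20) -> bool:
    """A full node re-runs the whole memory-bound function to check a block."""
    return leading_zero_bits(memory_bound_pow(header, nonce, n_cells)) >= difficulty_bits

def mine(header: bytes, difficulty_bits: int, n_cells: int = 2**20, max_nonce: int = 1 << 20):
    """Search nonces until the PoW meets the target; None if none is found."""
    for nonce in range(max_nonce):
        if verify(header, nonce, difficulty_bits, n_cells):
            return nonce
    return None

if __name__ == "__main__":
    # Constructed header and small parameters so the demo runs in well under a second.
    hdr = b"constructed block header"
    n = mine(hdr, difficulty_bits=8, n_cells=2**10)
    print("nonce", n, "valid:", verify(hdr, n, 8, 2**10))
```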