Thought Experiment on Super Computing and Bitcoin Generation Difficulty

[Raulo]

Do we know that this hashing power was under the control of a single entity?  Could a bunch of kids from overclock.net have joined the network temporarily only to get bored and return to gaming when they realized they would not become millionaires overnight? 

Whoever it was, it controlled a single wallet. It could have been a distributed network but under one command.

[1714020848]

1714020848

[Gavin Andresen]

Building the bitcoin chain in parallel and reversing all transactions from, say, last week would, for instance, cripple bitcoin exchanges if they would be required to refund the reversed purchases. And it can be done in a stealth way so the community cannot do any countermeasures until after it happens.

They can only invalidate transactions that they made (or further transactions that spend transactions that they made).  That makes the attack a lot less likely in practice; if they had a lot of bitcoins, and purchased a lot of good or services (or exchanged them for dollars or euros) with a lot of people, then some of those people are likely to know WHO "they" are.  And if they're in the same legal jurisdiction, it seems to me you'd have a pretty good case for suing them for fraud.

Even if 'they' decided to do this just to try to mess up the bitcoin network it might be messy for the exchanges to clean up but I don't think it would cripple them.  The bitcoin client already trys to select "old money" when it creates transactions, so assuming that the exchange has a good cushion of bitcoins on deposit all the attacker is likely to accomplish is to invalidate their own deposits at the exchange.

All that said:  I'm not going to advise people to hold money they can't afford to lose in bitcoins until the network has a lot more hashing power.  There is still some risk while bitcoin is young.

[BitterTea]

Whoever it was, it controlled a single wallet. It could have been a distributed network but under one command.

How did you come to this conclusion? As far as I know there's no in-channel method to determine if two addresses are owned by the same entity.

[Raulo]

How did you come to this conclusion? As far as I know there's no in-channel method to determine if two addresses are owned by the same entity.

He transferred all the bitcoins into a single address.

[BitterTea]

He transferred all the bitcoins into a single address.

That would do it... interesting. Did I miss a prior discussion of Mystery Miner?

[Raulo]

They can only invalidate transactions that they made (or further transactions that spend transactions that they made).  That makes the attack a lot less likely in practice

They can invalidate all their transactions and allow anybody else to double spend. I'm pretty sure there will be quite a few of "regular bitcoiners" who will take advantage of this opportunity.

edit: And of course they will invalidate all the mined coins from the reversed blocks and all transactions originating from the mined blocks. Quite a mess.

[gigabytecoin]

Thanks for all of the replies guys, we have a great discussion going on here! But I think Gavin said is best... and I am paraphrasing this it's still quite risky to invest in bitcoin until the entire world is running near-quantum-computer level super computers and the bitcoin software from their home.

To everybody who says "but they cannot make a supercomputer that powerful..."

Let's just say for simplicity's sake that a 5970 costs $1,000 and that it is too difficult to overclock too many of them at once.

That means 600,000 kHash/sec or 600 MHash/sec costs about $1,000 USD.

With $10,000,000 USD one could place 10,000 x 5970s in parallel. Creating a machine capable of 6,000,000,000 kHash/sec or 6 trillion hashes per second.

According to the bitcoin calculator, that would take an infinitesimally small time to generate a block.

Thus putting us in our doomsday situation that I described above with just a "splash in the pond" to most of the world rich's wallets.

[marcus_of_augustus]

With $10,000,000 USD one could place 10,000 x 5970s in parallel.

That would be a machine on an order of a 4 Megawatt + ancillaries, call it 5 MW ... not beyond realm of possibilities, but you'd have trouble finding that many 5970s right now I think.

[gusti]

what about a massive botnet (zero running costs) ?
any countermeasure possible ?

[jgarzik]

what about a massive botnet (zero running costs) ?
any countermeasure possible ?

Countermeasure is to laugh as their CPUs barely make a dent in our hash rate.

[gigabytecoin]

I'm pretty sure 10 million CPUs running 1,000 kHash/sec could make a significant dent in our hash rate. That's still 10,000,000 * 1,000,000 hashes/sec = 10 trillion hashes/second.

Ok so it seems to be "case closed" then. Any massively funded operation could bring bitcoin to a screeching halt (for at least a few days) at any point in time until we are accepted worldwide.

I guess we will have to come up with reasons to dissuade these massively funded operations we are going to disrupt from crushing us like an ant.

I'm going to go and watch "The Jungle Book" 

[theymos]

If we convince an anti-freedom organization to spend millions of dollars in order to (temporarily) control >50% of the network's CPU, then we will have gained a massive victory. Not only will we have weakened the organization, but we'll get great publicity. Cheaper DoS attacks are the real problem to be worried about.

[gigabytecoin]

This is in itself a DDOS attack. Theoretically the entire networks difficulty can be hijacked in an instant. That can be done for quite "cheaply" given the world's size.

I like your thinking though... if we could get the EFF to create something like their DES cracking board... that would give us substantial publicity, safety and reason for investment.

[ffe]

Guys... whether or not it is "profitable" to generate bitcoins in my ridiculous manner mentioned is beside the point.

If and when a large government entity wishes to destroy bitcoin. Is this one of the ways they could go about it?

The idea was... that they would generate 2016 blocks within a matter of nanoseconds, and then disconnect from the network entirely. Thus setting the generation difficulty bar so high that they "ruin" basically everything.

Even transactions would cease to occur would they not?

A more interesting question is what an entity that controls 1%, 5%, 10% of the processing power devoted to mining could do with such an on - off - on cycle of generating coins. Here's what I think happens:

cycle 1: The entity turns his miners on generating coins at a rate that pushes the difficulty up for the next cycle.
cycle 2: The entity turns his miners off. The difficulty is scheduled to go down next cycle.
cycle 3: The entity turns his miners on again generating coins at a high rate pushing the difficulty up for the next cycle.
cycle 4: Other miners start noticing the pattern and join the on - off - on cycle since it makes sense to only spend electricity during the easy cycles.

cycle n: It becomes obvious to all miners that it is counterproductive to generate coins during the hard cycles and they therefore wait for the easy cycles.

This is a self reinforcing pattern and is unstable as the number of miners remaining in the hard cycles goes to zero the difficulty will flip flop by a factor of 4 (or whatever is the maximum allowed ratio) between the easy and hard cycles. Also the easy cycles will draw more and more newcomers.

More alarmingly, since the difficulty will be slamming against the artificial bounds (the max by 4 factor) it no longer reflects the true difficulty (since it is no longer calculated from the equation that controls block production rate to near one per 10 minutes).

I will give a made up example to show the dynamic: Assume you want to generate 2016 coins per 20160 minute cycle and the available processing power can generate 1000 coins per minute when the difficulty is 1. We set the difficulty to 10000 to get a stable 1000/10000 = 0.1 coins per minute or 2016 coins per cycle.

cycle 1: Entity turns on and adds 10% capacity. Coins produced = 1100/10000 = .11 coins/min (time to produce 2016 = 18327 min) -> difficulty is set to 11000
cycle 2: Entity turns off. Coins produced = 1000/11000 = .091 coins/min (time to produce 2016 = 22176 min)  -> difficulty is set to 10000 again
cycle 3: Entity turns on. Coins produced = 1100/10000 = .11 coins/min (time to produce 2016 = 18327 min) -> difficulty is set to 11000
cycle 4: 10% of the miners notice the pattern and stop mining the difficult cycle. Coins produced = 900/11000 = .082 coins/min (time to produce 2016 = 24640 min) -> difficulty set to 9000
cycle 5: Production = 1100/9000 = .122 coins/min (time to produce 2016 = 16495 min)-> difficulty back to 11000
cycle 6: Now 30% of miners catch on. Production = 700/11000 = .064 coins/min (time to produce 2016 = 31680 min) -> difficulty set to 7000
cycle 7: Now new miners want in on the easy cycle. Base capacity up another 10%. Production = 1200/7000 = .171 coins/min (time to produce 2016 = 11760 min) -> difficulty now to 12000
cycle 8: 90% of original miners are in on the game. Production = 100/12000 = .008 coins/min (time to produce 2016 = 241920 min) -> difficulty should be 1000 but slams into boundary at 12000/4 = 3000
cycle 9: The game has attracted 50% more miners. Production = 1600/3000 = .533 coins/min (time to produce 2016 = 3780 min) -> difficulty should go to 16000 but stops at 12000 (at the 4x3000 limit)
cycle 10: Production near zero and difficulty down to 3000 again

Difficulty will slam between 16000 and 3000 and most coins will be produced during the 3 day easy cycle with long 24 week periods with high difficulty and few miners.

This kind of instability is inherent in systems that have delay such as happens with the calculation of a new "difficulty" after a delay.

I bet someone controlling even 1% of capacity could, through the amplification of other miners joining him once they notice, cause hard/easy cycles where production in the easy cycle is more than twice desired production.

[marcus_of_augustus]

Yes, it seems it would be vulnerable to a destabilising strategy like this.

It could be got around not having discrete jumps in difficulty but varying it "continuously", on a much shorter time step, say daily or 12 hourly, to smooth out the jumps.

[ArtForz]

No it doesn't, unless those other miners are already running very close to break-even.
Less profit > zero profit.

[Anonymous]

erm...couldnt we just create another blockchain and leave the douchebags to their empty value ?

wash rinse repeat


actually I think thats why satoshi wanted competing block chains . maybe they should be decentralized too as creating one central block chain could be vulnerable....

[gigabytecoin]

Guys... whether or not it is "profitable" to generate bitcoins in my ridiculous manner mentioned is beside the point.

If and when a large government entity wishes to destroy bitcoin. Is this one of the ways they could go about it?

The idea was... that they would generate 2016 blocks within a matter of nanoseconds, and then disconnect from the network entirely. Thus setting the generation difficulty bar so high that they "ruin" basically everything.

Even transactions would cease to occur would they not?

A more interesting question is what an entity that controls 1%, 5%, 10% of the processing power devoted to mining could do with such an on - off - on cycle of generating coins. Here's what I think happens:

cycle 1: The entity turns his miners on generating coins at a rate that pushes the difficulty up for the next cycle.
cycle 2: The entity turns his miners off. The difficulty is scheduled to go down next cycle.
cycle 3: The entity turns his miners on again generating coins at a high rate pushing the difficulty up for the next cycle.
cycle 4: Other miners start noticing the pattern and join the on - off - on cycle since it makes sense to only spend electricity during the easy cycles.

cycle n: It becomes obvious to all miners that it is counterproductive to generate coins during the hard cycles and they therefore wait for the easy cycles.

This is a self reinforcing pattern and is unstable as the number of miners remaining in the hard cycles goes to zero the difficulty will flip flop by a factor of 4 (or whatever is the maximum allowed ratio) between the easy and hard cycles. Also the easy cycles will draw more and more newcomers.

More alarmingly, since the difficulty will be slamming against the artificial bounds (the max by 4 factor) it no longer reflects the true difficulty (since it is no longer calculated from the equation that controls block production rate to near one per 10 minutes).

I will give a made up example to show the dynamic: Assume you want to generate 2016 coins per 20160 minute cycle and the available processing power can generate 1000 coins per minute when the difficulty is 1. We set the difficulty to 10000 to get a stable 1000/10000 = 0.1 coins per minute or 2016 coins per cycle.

cycle 1: Entity turns on and adds 10% capacity. Coins produced = 1100/10000 = .11 coins/min (time to produce 2016 = 18327 min) -> difficulty is set to 11000
cycle 2: Entity turns off. Coins produced = 1000/11000 = .091 coins/min (time to produce 2016 = 22176 min)  -> difficulty is set to 10000 again
cycle 3: Entity turns on. Coins produced = 1100/10000 = .11 coins/min (time to produce 2016 = 18327 min) -> difficulty is set to 11000
cycle 4: 10% of the miners notice the pattern and stop mining the difficult cycle. Coins produced = 900/11000 = .082 coins/min (time to produce 2016 = 24640 min) -> difficulty set to 9000
cycle 5: Production = 1100/9000 = .122 coins/min (time to produce 2016 = 16495 min)-> difficulty back to 11000
cycle 6: Now 30% of miners catch on. Production = 700/11000 = .064 coins/min (time to produce 2016 = 31680 min) -> difficulty set to 7000
cycle 7: Now new miners want in on the easy cycle. Base capacity up another 10%. Production = 1200/7000 = .171 coins/min (time to produce 2016 = 11760 min) -> difficulty now to 12000
cycle 8: 90% of original miners are in on the game. Production = 100/12000 = .008 coins/min (time to produce 2016 = 241920 min) -> difficulty should be 1000 but slams into boundary at 12000/4 = 3000
cycle 9: The game has attracted 50% more miners. Production = 1600/3000 = .533 coins/min (time to produce 2016 = 3780 min) -> difficulty should go to 16000 but stops at 12000 (at the 4x3000 limit)
cycle 10: Production near zero and difficulty down to 3000 again

Difficulty will slam between 16000 and 3000 and most coins will be produced during the 3 day easy cycle with long 24 week periods with high difficulty and few miners.

This kind of instability is inherent in systems that have delay such as happens with the calculation of a new "difficulty" after a delay.

I bet someone controlling even 1% of capacity could, through the amplification of other miners joining him once they notice, cause hard/easy cycles where production in the easy cycle is more than twice desired production.

Or what if they increased the strength/stability of the network for a while and encouraged people to invest heavily in bitcoin... then completely disrupted it with their massive power - causing thousands of people to lose their investments in GPU power overnight. This could ruin bitcoin once and for all I think. The animosity generated by such an event would be unquenchable.

erm...couldnt we just create another blockchain and leave the douchebags to their empty value ?

wash rinse repeat


actually I think thats why satoshi wanted competing block chains . maybe they should be decentralized too as creating one central block chain could be vulnerable....

The problem is when the attacker does this and bitcoin has "kind of" taken off... you are not going to convince millions of people that a technical work around is the solution. "The general public" will simply forget about us.

[Cdecker]

actually I think thats why satoshi wanted competing block chains . maybe they should be decentralized too as creating one central block chain could be vulnerable....

Having many smaller chains actually weakens both the bitcoin economy (many incompatible flavours of Bitcoin) and the network as an attacker could just go through them and destabilize each one after another using less computing power than he'd need for a single big one.

[em3rgentOrdr]

I'm just saying with 50% of network hash, one can destroy Bitcoin. Period.

It doesn't "destroy" Bitcoin. It just makes it unsafe for as long as the attacker is in control.

If there is an unusual increase in mining or other strange pattern, an alarm can be sent to tell bitcoiners to temporarily halt transactions...