The invulnerabe Bitcoin myth. (Basic math risk analysis)

[DeathAndTaxes]

I was thinking more like a scenario where someone attempts to attack the whole network... as opposed to double spends. If someone scams me, I am just one guy, not quite the whole network, and I would have some idea of who did it (if they had me mail them coins).

If you have 51% of network power you have 100% control over double spends.  The single example involving you was just that an example.  The double spends wouldn't be a single event.  With 51% network control they would be never ending   Actually the most disruptive attack would be to pulse the network with waves of double spends between periods of "normal" economic activity.  The attacker spends "normally" while simultaneously building attack chain in private.  Attacker publishes "attack chain", watches reversals and regains funds.  Attacker waits, possibly even black-flag operators to encourage confidence in network (it was a one time thing, all we need is more hashing power, I still trust Bitcoin, etc).   Then attacker begins the cycle again.

If the intent of the attack is to disrupt the network then there will be no product to trace.  Put a "win a free coin, free PS3, free giftcard, free silver" contest online and collect addresses of winners/patsies.  Create orders with merchants sending products to winners.  Reverse those transactions and there is no trail to the attacker just thousands of clueless & innocent winners.

BTW I believe a 51% attack is very unlikely.  If Bitcoin remains small nobody will care enough to spend the ~$20M to destroy it.  If Bitcoin becomes popular the cost will rise with transaction volumes*.  At Paypal level volumes and average fee of 0.1% it would require roughly $500M to destroy Bitcoin.  At VISA level transaction volumes it would require $20B to mount a 51% attack.  While attackers could "cheat" and use ASICS if Bitcoin becomes successful enough to warrant ASIC research for attackers ... it will warrant ASIC research for honest miners too.  So please don't take this as believing a 51% attack is probable just pointing out you are incorrect in thinking the damage and scope would be contained.


* This requires a more realistic transaction fee system.  The current fee system is unsustainable and won't be able to protect the network.  IIRC the developers have indicated they intent to push for transaction fee changes so I don't think this is an issue.

[1714826683]

1714826683

[1714826683]

1714826683

[Gabi]

Your numbers are wrong.  Not going to waste any more time on them but "the banks" (there is no such single entity) don't have more computing power than Bitcoin.  Bitcoin is larger than 500 largest super computers combined.

Bitcoin can be defined as larger than the top 500 only if you decided to measure power by the amount of one of the most basic form of calculation almost nobody has use for.

For the purposes of attacking bitcoin that is exactly how we can and will define it.  Because if you were to attack bitcoin with standard
super computers you would need more then the entire top 500.  You basically proved deathandtaxes point. 

Ye but why use standard supercomputers?

Standard supercomputers are made out of cpu and have big cache (that's why they use cpu) and memory. Why? Because the problems they tackle, require big cache and memory.

For bitcoin, such things are useless, a gpu is much better. Only an idiot would take 500 supercomputers made out of CPU to attack bitcoin.

[DeathAndTaxes]

Ye but why use standard supercomputers?

Standard supercomputers are made out of cpu and have big cache (that's why they use cpu) and memory. Why? Because the problems they tackle, require big cache and memory.

For bitcoin, such things are useless, a gpu is much better. Only an idiot would take 500 supercomputers made out of CPU to attack bitcoin.

Please keep up. I never said they did or would be used.  

Just pointing out the claim that "the banks" (this single global banking entity) have more computing power than the Bitcoin network is false.  It is SPECIFICALLY because of specialized hardware (like GPU) and the fact that rigs are so efficient (in terms of cost per unit of Bitcoin work) that makes the claim in the OP false.

While "the banks" have hundreds of millions of dollars in general purpose computing hardware that hardware is ill-suited for attacking Bitcoin network.

[Transisto]

I don't know why TOP 500 keep coming-up in the discussion,

It does not matter if Japan is building a 1.3 billion supercomputer, what does matter is the very slim chances a crypto breaking supercomputer would be made public, and that it doesn't cost that much.

Why ? if we knew the CIA had 100 time more powerful cracking powerhouse that expected we could want to use stronger password.

...
While "the banks" have hundreds of millions of dollars in general purpose computing hardware that hardware is ill-suited for attacking Bitcoin network.

If you define general purpose computing hardware as shitloads of FPGA then once reprogramed they may not be that ill-suited to the task.
If we're talking about the CIA having SHA-2 specific ASICs then it may not be that ill-suited to the task either.

It's like saying there is little chance of life in the universe based on what you see with your naked eye.

[DeathAndTaxes]

It does not matter if Japan is building a 1.3 billion supercomputer, what does matter is the very slim chances a crypto breaking supercomputer would be made public, and that it doesn't cost that much. Why ? if we knew the CIA had 100 time more powerful cracking powerhouse that expected we could want to use stronger password.

If you understood cryptography you would understand how foolish that sounds. 

If you define general purpose computing
hardware as shitloads of FPGA then once reprogramed they may not be that ill-suited to the task.

FPGA are quite expensive.  8TH of FPGA would cost in the ballpark of tens of millions of dollars.  No bank is going to spend tens of millions of dollars to attack Bitcoin.  They generally are worried about the bottom line and outside of an episode of Alias nobody justs blows off tens of millions of dollars of hardware to attack a network that 0.000001% of the planet is using.

Your response ... someday Bitcoin may be a threat. My response ... yeah and when Bitcoin is a threat the network will be 100x larger so the cost now won't be tens of millions but billions of dollars.

[btc_artist]

This requires a more realistic transaction fee system.  The current fee system is unsustainable and won't be able to protect the network.  IIRC the developers have indicated they intent to push for transaction fee changes so I don't think this is an issue.

What would you see as being a sustainable fee system?  Something like a minimum fee of 0.5% on all transactions-- no minimum, 1BTC maximum?

[DeathAndTaxes]

What would you see as being a sustainable fee system?  Something like a minimum fee of 0.5% on all transactions-- no minimum, 1BTC maximum?

Well that is difficult to say because the Bitcoin network has no concept of the actual value being spent.  If I use a 100 BTC address to send you 1 BTC (99 BTC change) Bitcoin the network has no idea if that is 1 BTC or 99 BTC transaction.  It only knows 100 BTC total has been transferred.  So fees will likely never be based on transaction amounts however it is useful to consider the "average fee" relative to useful transaction amount.

To get some ballpark ideas.  A 0.1% "average effective fee" with Paypal level volume ($80B annually) that would be ~$80M in annual transaction fees.  Currently block rewards are worth ~$7M and that collectively "buys" us 8TH in network security.  Granted some miners are unprofitable and likely should quit on economic reasons so maybe it is more realistic to say that $1M in fees buys us ~0.5TH to 1TH in sustainable network security (circa 2011 computing power).

Remember Moore's law will make the nominal hashing power of network rise but we won't be any "safer".  If GPU are twice as cheap one would expect us to have 2x the hashing power but attackers can get 2x the hashing power just as cheaply so any analysis is based on computing power at the time.  The level of security is directly related to annual transaction fees and how much hardware/electricity that buys. So $80M in fees would "buy" us a network roughly 11x as secure as we currently have (in whatever the prevailing hardware of the future is).

Some discussion on future fees and how current setup is unsustainable:
http://bitcoin.stackexchange.com/questions/876/how-much-will-transaction-fees-eventually-be

Simple version the current fees structure ensure that one should never pay more than 1 satoshi for every transaction.  Also no miner has no incentive to exclude a paying transaction no matter how little it pays (unless some future network rules prohibited the transaction as invalid).  Given that dynamic almost all transactions will have a 1 satoshi.  It creates a tragedy of the commons where miners can't force higher prices because there is no disincentive to exclude even a transaction w/ a single satoshi as a fee.

To show how that is unsustainable; even if Bitcoin was worth $1,000 each, 1 satoshi is only 1/1000th of a cent.  To achieve just the current level of network security (costing ~$7M annually) would require 22,000 transactions per second (at BTC: $1K USD & 1 satoshi "average effective fee").

[casascius]

A while ago, I mentioned that Bitcoin needed a "poison block" feature.  That is, manually given a hash, the bitcoin client will refuse to accept that block into the block chain.  That came up as a random thought in the thread where MtGox sent 2200+ BTC into oblivion.

In the event of a real sustained 51% attack, we're not powerless.

If enough honest mining power could be persuaded to poison blocks understood by consensus to be bad, the honest mining power could fight back.

Right now, the Satoshi client avoids all kinds of centralized control, which presumably it must as the "reference" client.  But as other clients proliferate, having those clients check in with their respective authors might not be viewed as a bad thing (centralized, yes, but anyone can disable the phone home feature or take their money elsewhere and stop using the client anytime if the author abuses the privilege).  The operators of such clients could also command all installations of their clients to reject certain blocks if necessary.

Bottom line, I suppose my suggestion in a nutshell, is that a certain level of democracy is possible - enemies can cause FUD, but individuals can also be empowered to vote out bogus blocks.  Those who run mining pools or develop bitcoin clients will be the most qualified to decide which blocks are bogus, and these are also people who can exert the greatest influence on what honest miners do.

[DeathAndTaxes]

A while ago, I mentioned that Bitcoin needed a "poison block" feature.  That is, manually given a hash, the bitcoin client will refuse to accept that block into the block chain.  That came up as a random thought in the thread where MtGox sent 2200+ BTC into oblivion.

In the event of a real sustained 51% attack, we're not powerless.

If enough honest mining power could be persuaded to poison blocks understood by consensus to be bad, the honest mining power could fight back.

Right now, the Satoshi client avoids all kinds of centralized control, which presumably it must as the "reference" client.  But as other clients proliferate, having those clients check in with their respective authors might not be viewed as a bad thing (centralized, yes, but anyone can disable the phone home feature or take their money elsewhere and stop using the client anytime if the author abuses the privilege).  The operators of such clients could also command all installations of their clients to reject certain blocks if necessary.

Bottom line, I suppose my suggestion in a nutshell, is that a certain level of democracy is possible - enemies can cause FUD, but individuals can also be empowered to vote out bogus blocks.  Those who run mining pools or develop bitcoin clients will be the most qualified to decide which blocks are bogus, and these are also people who can exert the greatest influence on what honest miners do.

I think that is a dangerous route to go and can lead to forking the blockchain where part of network this X is bad and part think X is good.  Is subnets have "disagreements" on blocks in their fork you can see even more forking.  Also indentifying a double spend block on a global network w/ millions of daily transactions in real time is tough.

[Transisto]

FPGA are quite expensive.  8TH of FPGA would cost in the ballpark of tens of millions of dollars.  No bank is going to spend tens of millions of dollars to attack Bitcoin.  They generally are worried about the bottom line and outside of an episode of Alias nobody justs blows off tens of millions of dollars of hardware to attack a network that 0.000001% of the planet is using.

I'll reply with this : "information technology spending by financial services institutions is expected to reach US$363.8 billion in 2011 (+3.7%)"
Add to that any leftover hardware from the previous years.

It's 0.000001 of their yearly IT spending for 4-5 Ths , yeah, bottom line is that they are evil and have more money than sense.

[jetmine]

A while ago, I mentioned that Bitcoin needed a "poison block" feature.  That is, manually given a hash, the bitcoin client will refuse to accept that block into the block chain.  That came up as a random thought in the thread where MtGox sent 2200+ BTC into oblivion.

That can't be much more than "a random thought" though!

If the community were to include this, it would open the doors for fraud.  I could repeatedly send my coins from one address to another (all controlled by me).  I would do it very often so that my coins appear in many blocks.  They are all over the blockchain.

I would wait for someone to do a "bad thing".  When it happens, and with a bit of luck, my coins would figurate in the same block as the "bad thing".

Now I'm ready to spend my coins.  Quickly, and while the community still discusses about the "bad thing" and whether or not to use your poison block weapon.  With a bit of luck, the decision is yes.

And the bad block is nuked ...
And the link is broken ...
Home sweet home - my coins back in my wallet!

Think about it.

[casascius]

A while ago, I mentioned that Bitcoin needed a "poison block" feature.  That is, manually given a hash, the bitcoin client will refuse to accept that block into the block chain.  That came up as a random thought in the thread where MtGox sent 2200+ BTC into oblivion.

That can't be much more than "a random thought" though!

If the community were to include this, it would open the doors for fraud.  I could repeatedly send my coins from one address to another (all controlled by me).  I would do it very often so that my coins appear in many blocks.  They are all over the blockchain.

I would wait for someone to do a "bad thing".  When it happens, and with a bit of luck, my coins would figurate in the same block as the "bad thing".

Now I'm ready to spend my coins.  Quickly, and while the community still discusses about the "bad thing" and whether or not to use your poison block weapon.  With a bit of luck, the decision is yes.

And the bad block is nuked ...
And the link is broken ...
Home sweet home - my coins back in my wallet!

Except home sweet home didn't work out so well - your transaction never gets relayed, it gets rejected as a double spend because it conflicts with an existing transaction now in the memory pool.

Home sweet home only if you are a miner who happens to mine the block that replaces the poisoned one, before your original transaction makes it back into the block chain.

[tvbcof]

A while ago, I mentioned that Bitcoin needed a "poison block" feature.  That is, manually given a hash, the bitcoin client will refuse to accept that block into the block chain.  That came up as a random thought in the thread where MtGox sent 2200+ BTC into oblivion.

That can't be much more than "a random thought" though!

If the community were to include this, it would open the doors for fraud.  I could repeatedly send my coins from one address to another (all controlled by me).  I would do it very often so that my coins appear in many blocks.  They are all over the blockchain.

I would wait for someone to do a "bad thing".  When it happens, and with a bit of luck, my coins would figurate in the same block as the "bad thing".

Now I'm ready to spend my coins.  Quickly, and while the community still discusses about the "bad thing" and whether or not to use your poison block weapon.  With a bit of luck, the decision is yes.

And the bad block is nuked ...
And the link is broken ...
Home sweet home - my coins back in my wallet!

Think about it.

I think that some mechanism to feasibly include a blacklist or replacement list which could somehow take effect if a majority choose to do it may be worthwhile.  If very carefully considered and implemented that is.  This is effectively the same thing as a 'poison block' feature, I think, but possibly more usable.

The idea would be simply to provide a credible defense against an attacker thinking about amassing a sufficient degree of hashing power to attack the system against the will of the users.  The goal would be just to deter such an attempt since it would likely be futile anyway.

In other words, the expectation is that the list would never need to be used and someone sitting around 'waiting for a bad thing' would become old and grey before realizing any satisfaction.

[enquirer]

Wouldn't it be easier to just 1) seize bitcoin.org, bitcointalk.org and few other domains under money-laundering laws 2) replace bitcoin.exe with the one that sends all of your coins to 1FederalReserveWallet

[Transisto]

Wouldn't it be easier to just 1) seize bitcoin.org, bitcointalk.org and few other domains under money-laundering laws 2) replace bitcoin.exe with the one that sends all of your coins to 1FederalReserveWallet

That would make them look bad and would be good publicity for Bitcoin .