CliffordM (OP)
Member
Offline
Activity: 95
Merit: 10
|
|
January 30, 2012, 11:47:56 AM |
|
If someone had a 51% hashrate, what would stop them from solving blocks but not actually publishing the answers?
In this way, they could create a fork of the blockchain which would be longer than the real published one, and obviously they could publish this fork whenever -- thereby re-writing the existing blockchain, which could be many blocks long.
You wouldn't know about this until it happened, and it could be very damaging -- Imagine if the last 200 blocks were suddenly re-written...
Is there a way of mitigating against a stealth attack like this ?
|
|
|
|
Bitcoin Oz
|
|
January 30, 2012, 11:53:07 AM |
|
Thats why they have lock in points so you cant rewrite things.
|
|
|
|
Costia
Newbie
Offline
Activity: 28
Merit: 0
|
|
January 30, 2012, 11:53:55 AM |
|
if anyone can control 51% he will control the bitcoin network no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain
Edit: what lock in points? the longest chain wins.
|
|
|
|
interlagos
|
|
January 30, 2012, 12:04:37 PM |
|
if anyone can control 51% he will control the bitcoin network no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain
Edit: what lock in points? the longest chain wins.
I think certain block hashes get hardcoded into the client with every new release. This way if the longer blockchain doesn't satisfy these conditions it will get rejected.
|
|
|
|
CliffordM (OP)
Member
Offline
Activity: 95
Merit: 10
|
|
January 30, 2012, 12:06:43 PM |
|
But my point is that an attacker might CHOOSE to be stealthy -- his motivation may be disruption rather than immediate block rewards. If an attacker is overt about his 51% ability, then everyone will know this by observing that he is solving most of the blocks (but not all of them).
By withholding his solutions, he has the (secret) ability to rewrite the block-chain at any time, and will own ALL of those last blocks. This is a valuable option.
He won't be any richer as the blockchain will be shorter than if he shared his hashing power upfront. But he has caused the 49% hashing to be effectively wasted when he dumps his chain.
It worries me as waiting for 6 confirmations is only good in the absence of something like this.
Is there such a thing as a lock point ? I thought it was longest-chain-wins ?
|
|
|
|
Costia
Newbie
Offline
Activity: 28
Merit: 0
|
|
January 30, 2012, 12:09:42 PM |
|
if anyone can control 51% he will control the bitcoin network no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain
Edit: what lock in points? the longest chain wins.
I think certain block hashes get hardcoded into the client with every new release. This way if the longer blockchain doesn't satisfy these conditions it will get rejected. is till means an attacker can do watever he wants between releases and it would be kinda strange if this was true, any sources for this? to clifford: if somebody gets 51% he can do (almost) whatever he wants from that point and on. edit: but it would be quite hard to get to 51% without being noticed - he will have to take over deepbit and another pool, or create a larger one himself - which will either take a lot of time or a lot of money (probably more than the net worth of bitcoin)
|
|
|
|
interlagos
|
|
January 30, 2012, 12:14:45 PM |
|
if anyone can control 51% he will control the bitcoin network no need to be stealthy about it, they can just not include any transactions in their blocks and reject blocks mined by others but this wont be profitable what they can do is set the transaction fee to whatever they want , since only they can add new transactions to the chain
Edit: what lock in points? the longest chain wins.
I think certain block hashes get hardcoded into the client with every new release. This way if the longer blockchain doesn't satisfy these conditions it will get rejected. is till means an attacker can do watever he wants between releases and it would be kinda strange if this was true, any sources for this? to clifford: if somebody gets 51% he can do (almost) whatever he wants from that point and on. edit: but it would be quite hard to get to 51% without being noticed - he will have to take over deepbit and another pool, or create a larger one himself - which will either take a lot of time or a lot of money (probably more than the net worth of bitcoin) Yes between releases coins are not protected, only old enough coins are safe. I know for a fact it was done for one of the alt-chains in the beginning, so I think they inherited this behaviour from bitcoin.
|
|
|
|
Costia
Newbie
Offline
Activity: 28
Merit: 0
|
|
January 30, 2012, 12:17:18 PM |
|
but old enough coins are safe anyway - you can replace a block from the middle or something the only non safe ones are from the time somebody got 51% and later
|
|
|
|
interlagos
|
|
January 30, 2012, 12:21:58 PM |
|
but old enough coins are safe anyway - you can replace a block from the middle or something the only non safe ones are from the time somebody got 51% and later
Yes lock-in points is a type of damage control. If it happens that an attacker started to build its own chain a few (dozens of) blocks before recent lock-in he would need to re-start, so it is less convenient for him to do it.
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
January 30, 2012, 02:39:34 PM |
|
A withholding attack may only be marginally successful. My understanding is that the client will refuse to parse so many blocks in such a short space of time. If you try to dump a large pile of blocks on the client, it will probably refuse them.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
January 30, 2012, 02:41:45 PM |
|
If someone had a 51% hashrate, what would stop them from solving blocks but not actually publishing the answers?
In this way, they could create a fork of the blockchain which would be longer than the real published one, and obviously they could publish this fork whenever -- thereby re-writing the existing blockchain, which could be many blocks long.
You wouldn't know about this until it happened, and it could be very damaging -- Imagine if the last 200 blocks were suddenly re-written...
Is there a way of mitigating against a stealth attack like this ?
You just described the 51% attack. No attacker is going to be overt. They will build a private chain publish it and force a re-org. Then do it again and again and again and again and again and again until Bitcoin is dead. No need to call it a stealth 51% it is a 51%. You should assume any 51% attack will be done in private.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
January 30, 2012, 02:42:50 PM |
|
A withholding attack may only be marginally successful. My understanding is that the client will refuse to parse so many blocks in such a short space of time. If you try to dump a large pile of blocks on the client, it will probably refuse them.
It won't. What do you think happens when you install a new client. It downloads the blockchain. By definition in a distributed network there is no way for a client to know how far ahead the rest of the network might be. It simply asks for new blocks, gets them, and verifies them.
|
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
|
|
January 30, 2012, 08:29:13 PM |
|
I wished people knew statistics and realized that you need far more than 51% in order to pull of what you're suggesting.
|
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
January 30, 2012, 08:54:06 PM Last edit: January 30, 2012, 09:05:31 PM by DeathAndTaxes |
|
I wished people knew statistics and realized that you need far more than 51% in order to pull of what you're suggesting.
You don't and yes I know statistics. With 50% + 1 hashes/s of network capacity you will eventually have the longest chain. Given enough time it is an inevitability. Anything greater than that just reduces the avg time before you have a given probability of being ahead.
|
|
|
|
Costia
Newbie
Offline
Activity: 28
Merit: 0
|
|
January 30, 2012, 09:03:24 PM |
|
to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
January 30, 2012, 09:07:34 PM Last edit: January 30, 2012, 09:21:53 PM by DeathAndTaxes |
|
to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days
True but the problem is your chance is very low. With 40% of hashing power you have a 40% chance of being ahead after 1 block but only a 0.4^6 = 0.4% chance of being ahead after 6 consecutive blocks. Even if you did pull that off miners using a modified bitcoind to mine on the valid chain and eventually they will surpass and orphan your "attack chain". While it could be potentially disruptive there is a counter to it. With 51% hashing power you can hash well past the "official chain" till the point that the "good guys" regaining the longest chain is improbable.
|
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
|
|
January 30, 2012, 09:10:11 PM |
|
to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days
What? What do you mean ahead for a few hours/days? I thought the 51% attack was carried out by getting lucky with the 51% of hashing power or more to get at the min 6 consecutive blocks found by your miner so that you can insert a fraudulent doubles spent transaction into the block chain and fool someone it is legitimate before you run out of luck and some other miner finds a block invalidating your transaction? I thought all the amount of hashing power you have raises the odds of finding 6 consecutive blocks high enough to make it worthwhile to even attempt such an attack and that 51% was deemed where these odds get high enough?
|
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
hazek
Legendary
Offline
Activity: 1078
Merit: 1003
|
|
January 30, 2012, 09:11:31 PM |
|
With 51% hashing power you can hash well past the "official chain" till the point that the "good guys" regaining the longest chain is improbable.
How does that happen if the blocks you found are fraudulent and will get ignored once the "good guys" find a block?
|
My personality type: INTJ - please forgive my weaknesses (Not naturally in tune with others feelings; may be insensitive at times, tend to respond to conflict with logic and reason, tend to believe I'm always right)
If however you enjoyed my post: 15j781DjuJeVsZgYbDVt2NZsGrWKRWFHpp
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
January 30, 2012, 09:18:46 PM |
|
to do what the OP suggested you won't even need 50%, since this is random even with 40% you can be ahead of the main chainblock for a few hours/days
What? What do you mean ahead for a few hours/days? I thought the 51% attack was carried out by getting lucky with the 51% of hashing power or more to get at the min 6 consecutive blocks found by your miner so that you can insert a fraudulent doubles spent transaction into the block chain and fool someone it is legitimate before you run out of luck and some other miner finds a block invalidating your transaction? I thought all the amount of hashing power you have raises the odds of finding 6 consecutive blocks high enough to make it worthwhile to even attempt such an attack and that 51% was deemed where these odds get high enough? Well no even @ 51% the odds of getting ahead in 61 blocks is very low. The fact is that even if you aren't ahead you can continue until you are. Each new block is another chance of you pulling ahead. With "only" 51% of hashing power the odds you will be 6+ blocks ahead in 6 blocks is about 1.7% but it is about 8% after 20 blocks and and about 38% after 24 blocks and 72% after 100 blocks.... etc. Having >51% lets you get to those more likely numbers quicker. For example w/ 55% of hashing power to be have a 99.9% chance of being 6+ blocks ahead takes only 340 blocks. With 60% that drops to 90 blocks. With 65% it is only 40 blocks and with 70% a mere 20 blocks.
|
|
|
|
DeathAndTaxes
Donator
Legendary
Offline
Activity: 1218
Merit: 1079
Gerald Davis
|
|
January 30, 2012, 09:19:41 PM |
|
With 51% hashing power you can hash well past the "official chain" till the point that the "good guys" regaining the longest chain is improbable.
How does that happen if the blocks you found are fraudulent and will get ignored once the "good guys" find a block? How do you know they are fraudulent. More importantly how does every single client on the distributed network know?
|
|
|
|
|