Taking Down Bitcoin

[Kettenmonster]

... We open up a second block chain ...

Who is we?
The block chain knows about ones and zeros but it has no concept of good and bad.

Of cause you can start several btc chains. But this weakens the system.
Each chain can be attacked individually, being smaller drowning it is much easier.

[1713429454]

1713429454

[1713429454]

1713429454

[1713429454]

1713429454

[1713429454]

1713429454

[1713429454]

1713429454

[1713429454]

1713429454

[Forp]

Who is we?

I meant the party which in the above scenario wants to defend Bitcoin against the mentioned attack.

Of cause you can start several btc chains. But this weakens the system.
Each chain can be attacked individually, being smaller drowning it is much easier.

I do not know. Maybe it depends on the exact attack and defense modes and all the remaining assumptions we make on the attacks.

For example: Let us assume we have 100 different chains and a centralized attacker (let's say the Fed) owning 51% of the hash and attempting an attack where he never adds transactions to the chain. Initially, the chains are all exact copies. With 49% of the hash and with 100 different chains there is a non-negligible chance that the good guys might at least in 1 or 2 of these chains win the block earlier than the attacker. So - under these assumptions - I am not sure if this claim is correct. I would agree, if attack modes also comprise double spending attacks (but still, I do not know - for lack of an appropriate model).

AFAIK we do not have the proper abstract models in place yet to be able to calculate and derive all the answers...

[Sukrim]

Just to make sure you got the idea right:

In order to get the difficulty lower (to make a 51% attack easier), you need to make sure it takes longer than 2 weeks for 2016 blocks to be assembled. Difficulty can change max. by a factor of 4 (so it can grow to max. 4 times current diff. and shrink to >=1/4th).

This means you need to DDoS a lot of pools over the course of 1-2 months to manipulate the difficulty and then still DDoS them while 51% attacking the network. It might be cheaper/more feasible to hack them or some people on the pool's staff, upload some evil stuff (depending on your legislation: child porn or music) and call the police. Or simply dig a bit beyond the forum pseudonyms or forum identity - see Bruce Wagner.

The easiest thing to attack is neither the blockchain nor the code itself - it's the people using it.

[Gavin Andresen]

If a 51% attacker stopped including all broadcast transactions in blocks "we" would quickly figure out a rule or rules to reject their blocks.

Something like "ignore a longer chain orphaning the current best chain if the sum(priorities of transactions included in new chain) is much less than sum(priorities of transactions in the part of the current best chain that would be orphaned)" would mean a 51% attacker would have to have both lots of hashing power AND lots of old, high-priority bitcoins to keep up a transaction-denial-of-service attack. And they'd pretty quickly run out of old, high-priority bitcoins and would be forced to either include other people's transactions or have their chain rejected.

I'm tempted to code that up and run some tests on a testnet-in-a-box, but there are much higher priority things on my TODO list; I don't think a 51% attack is likely. You'd spend a lot of time and money on an attack that "we" would neuter within a day or two.

[Sukrim]

Gavin, your solution would need a change in protocol though and would mean every user in the network has to update their (potentially 3rd party) client, right?

[doldgigger]

For my taste, there are way too many "what if"-s in this thread. What if there was a working attack on bitcoin and something to win by doing so, etc...

At this point, many countries' jurisdictions don't even recognize bitcoins as finance, so if anyone would find a solution for all these "what if"-s, it would be rather straightforward (in addition to being interesting and maybe even profitable) to start a venture somewhere with the goal to take down bitcoin.

So, if this thread is to be regarded as more than fiction, it should probably be moved to "Project Development"...

[Forp]

I'm tempted to code that up and run some tests on a testnet-in-a-box, but there are much higher priority things on my TODO list; I don't think a 51% attack is likely. You'd spend a lot of time and money on an attack that "we" would neuter within a day or two.

Gavin, I am sure that there are MANY more important things on the TODO list. My personal understanding of this (and several similar) threads is about theoretical aspects. The block chain is now running for some time...that's the best proof of its success. But until we have better formal and simulation tools for discussing all the if's could's and probably's some of the community will keep trying to work on Bitcoin theory. :-)

[Fuzzy]

Given that the network is ~11 TH, you'll need 12TH to over power it, equivalent to 480 Mini-Rigs. At $16000 each, that's $7,680,000

So as of this writing, an attack on the network would cost as little as $7,680,000

This is assuming you could get 480 MiniRigs delivered (which BFL wont/cant do), and do it before anyone else gets to power theirs up which would raise the "legit" network hashing power.

[Etlase2]

good thing it'll only take you about 3,500 radeons at less than 1 mil

[Skybuck]

1. Study the source code.
2. Find a buffer overrun.
3. Destroy everybodies wallet.
alternatively in case wallet backups were made:
4. Send all bitcoins to non-existing accounts.
for maximum effect do it slowly so the block chain slowly gets corrupted so it cannot be reverted back easily.

Its not that easy. Most *sane* people have wallets both backed up and encrypted, so without the passphrase you cannot send any BTC out.

I have not tried out the encrypted version yet, but I imagine a passphrase must be entered when trying to send something.

So further refinements to attack:

0. Upload modified bitcoin client executable to blockchain. (Could also be a small binary patch/difference to keep size down).
2.5 Exploit for buffer overrun reconstructs client from blockchain.
3.5 Modified client waits patiently for user to send coins and intercepts passphrase and stores it.
5. To avoid early detection the user gets false information, the non existing account number could also be used by the modified client to display fake information from blockchain for other infected users to make them believe all is well.
6. After some set time, this false information is stopped, suddenly showing the true nature of the blockchain to the horrors of all infected

[Hawkix]

If a 51% attacker stopped including all broadcast transactions in blocks "we" would quickly figure out a rule or rules to reject their blocks.

Something like "ignore a longer chain orphaning the current best chain if the sum(priorities of transactions included in new chain) is much less than sum(priorities of transactions in the part of the current best chain that would be orphaned)" would mean a 51% attacker would have to have both lots of hashing power AND lots of old, high-priority bitcoins to keep up a transaction-denial-of-service attack. And they'd pretty quickly run out of old, high-priority bitcoins and would be forced to either include other people's transactions or have their chain rejected.

I'm tempted to code that up and run some tests on a testnet-in-a-box, but there are much higher priority things on my TODO list; I don't think a 51% attack is likely. You'd spend a lot of time and money on an attack that "we" would neuter within a day or two.

Pardon my ignorance, but if the attacker has stable 51%, even if we all change our clients to support the new suggested rules, all our blocks will be still rejected, won't they?

[MoneyIsDebt]

1) Slowly start buying up all the bitcoins
2a) At some point there'll be so little liquidity left because the attacker and everyone else would be hoarding
and / or:
2b) The price would have been pushed so high compared to the size of the market / number of users, it would be folly to buy any.
   (especially considering the risk of the attacker suddenly dumping)
3) The usage of bitcoins outside of speculation would drop to make it virtually dead.
4) Possibly causing a collapse in price, allowing the attacker to get a commanding share of the 21 mill bitcoins.

And no, 21 mill times 5$ or even 10$ or 20$ is not a lot for, say, any government or bank or corporation or billionaire wanting it dead.

[kwukduck]

Why all the effort to take bitcoin down when fear mongering works just fine for 99% of the people.

[kjj]

Gavin, your solution would need a change in protocol though and would mean every user in the network has to update their (potentially 3rd party) client, right?

Not all, no.  Just enough, which is tricky to define.  If the bulk of the exchanges (which really means just Mtgox right now, but that is an accident of history and not a rule) were on the new rules, that fork would be the most useful fork.  Nodes would gravitate to it, as users that wanted to cash out, or pay people that wanted to cash out, or pay people that wanted to pay people that wanted to cash out, etc, etc, would have a strong incentive to get on.

The nice thing about doing it early would be that it would make a whole class of potential 51% attacks pointless.

Perhaps that should be a little bit less far down on the TODO list after all.

Pardon my ignorance, but if the attacker has stable 51%, even if we all change our clients to support the new suggested rules, all our blocks will be still rejected, won't they?

No, because the attack blocks would be invalid, and thus not in competition for the regular blocks, at least with the nodes that have adopted the new rules.

[Hawkix]

Pardon my ignorance, but if the attacker has stable 51%, even if we all change our clients to support the new suggested rules, all our blocks will be still rejected, won't they?

No, because the attack blocks would be invalid, and thus not in competition for the regular blocks, at least with the nodes that have adopted the new rules.

But, if such nodes will be less than half of network, the prevailing (so considered true) blockchain will skip our blocks. As a result, the blockchain will be hard forked with all our "sane" blocks scheduled soon or less to be completely overwritten.

I still suppose that the rules are the same for all, regardless for bad or good boys. There are just majority or minority boys left. (No pun intended).

[kjj]

Pardon my ignorance, but if the attacker has stable 51%, even if we all change our clients to support the new suggested rules, all our blocks will be still rejected, won't they?

No, because the attack blocks would be invalid, and thus not in competition for the regular blocks, at least with the nodes that have adopted the new rules.

But, if such nodes will be less than half of network, the prevailing (so considered true) blockchain will skip our blocks. As a result, the blockchain will be hard forked with all our "sane" blocks scheduled soon or less to be completely overwritten.

I still suppose that the rules are the same for all, regardless for bad or good boys. There are just majority or minority boys left. (No pun intended).

But our fork would never be overwritten by their fork, because we consider their blocks to be invalid regardless of the embedded difficulty.

[realnowhereman]

It's worth remembering that a 51% attack with different rules isn't sufficient to bring down bitcoin.  Miners are not the only bitcoin clients in the network.

The goal of miners is not to get transactions into a block chain, it's to get them into a block chain that bitcoin clients of intended receivers will accept.

Let's say I am a merchant, and you use your nefarious powers to subvert 99% of the mining power.  You still cannot force my client to accept your block with bad rules and therefore my client will never say "received 1000 coins from..." so you can't spend them even if you do get them in a chain.

51% attacks only work if the bitcoin rules that the non-miners look for are still obeyed.

[Forp]

Why all the effort to take bitcoin down when fear mongering works just fine for 99% of the people.

In my understanding of system security, trust in a system is increased with the number of (virtual ie. thought experiment, as well as real) attacks on a system which the system successfully survives (either by a good counterargument or by real life defense). So all this effort is increasing the security of Bitcoin.

[Forp]

Let's say I am a merchant, and you use your nefarious powers to subvert 99% of the mining power.  You still cannot force my client to accept your block with bad rules and therefore my client will never say "received 1000 coins from..." so you can't spend them even if you do get them in a chain.

This is an interesting issue. However, I do not yet fully understand your line of reasoning.

Assume I subvert 99% of the mining power and use it to mine an incompatible block chain. The effect is that the "old" chain speed will drop to 1% (rendering it essentially useless - and staying useless during at least several difficulty adjustment periods) whereas "my" chain will continue mining at more or less full speed.

Now a social effect kicks in. Numerous other users will notice that their clients cannot get any transaction done (since chain speed is too slow). On my website they will read this dossier about the Bitcoin 2.0 protocol. They will checkout Bitcoin 2.0 block explorer and will witness how the new chain is working (remember, I have 99% of hash performance, so I will of course also generate a lot of transactional traffic between all kinds of new bitcoin addresses). Quite soon users will be convinced that Bitcoin 2.0 is the arena where the show goes on and that "old" chain no longer is attractive nor active. So, more and more users will use my Bitcoin 2.0 client and will be happy.

You are, of course, perfectly free to stay with your Bitoin 1.0 client and with a chain, which not only lacks hashing power but also rapidly uses users. You also can fight back by writing forum articles that I am a bad guy and all kinds of stuff - and of course you will be right with that. However: I will claim that you are just trying to ruin Bitcoin 2.0 - and my proof will be a nicely working block chain 2.0 with lots of transactions going on.

Maybe there is a flaw in my thoughts. I would be happy if you pointed it out.

[Etlase2]

Forp, you are making an assumption that is impossible to suspend disbelief. Even if you manage to subvert 99% of the mining power to another chain, there is absolutely no way in hell you will be able to keep that a secret. Miners are going to notice. And they are going to find another pool that isn't subverted, or use P2Pool which isn't possible to subvert. Why would they just stick around?