What it costs to kill Bitcoin: $20 million

[BitterTea]

If you start to decide which chain is right based on some other criteria, you need to accept some external authority. And this is the end of Bitcoin as a decentralized system.

Bitcoin is a system with rules, but no rulers. If it sounds like a contradiction, I'd say you need to think about those words more.

Also, regarding "the end of Bitcoin", extraordinary claims require extraordinary evidence.

[1713405527]

1713405527

[1713405527]

1713405527

[1713405527]

1713405527

[1713405527]

1713405527

[thedrs]

When a government spends $20 million on a project, it needs to classify the project in the financial records and get an OK for that spending from a very high ranking official and get a sanction to it too (probably the president as it involves affect financial systems).

As we know, in this day and age of wikileaks etc... , this info goes out to the public at some time.
Once it goes out to the public, the media get hold of it and make it a headline for a week which is enough to multiply the bitcoin network by a few orders of magnitude in addition to causing bad publicity to the official/party that sanctioned it.

I think that would be enough to stop it, at least in democratic states.

[caveden]

And how do you know which one is honest? Maybe the attacker "invited" you to his chain and you were being fed the evil one. And now you see another chain? How do you know which one is honest? Ask bitcoin developers? Look at blockexplorer?

What? I didn't get it... if I'm an honest miner, the attacker has no gain in "inviting" me.... I'll add honest blocks to his attempt of rewriting, basically I'll undermine his plans.

An overtake attempt must be done entirely in secret by those trying the attack, and then suddenly released, overwriting honest blocks. If this overwrite is too long, it's clear not an honest split but an attempt of exploit the >50% vulnerability.

As Zibbo wrote above, the longest chain is the authority. If you start to decide which chain is right based on some other criteria, you need to accept some external authority. And this is the end of Bitcoin as a decentralized system.

You don't need to accept any particular authority, that can easily be a consensus, particularly if backed by good probability demonstrations. It's as much authority as the inflation control for example.

[Raulo]

Bitcoin is a system with rules, but no rulers. If it sounds like a contradiction, I'd say you need to think about those words more.

Tell me such a rule in case of chain split that does not require authority. OK, caveden says "drop anything that is longer than the current chain by N blocks". Apart from creating a whole lot of problems in normal operation (you will have the very same situation every time you had a network outage and now you client sees much longer chains), there is no guarantee you have the right chain.

And what about "stepping stone attack"? Attacker inject longer chains by one block one at the time denying all transaction confirmations?

Also, regarding "the end of Bitcoin", extraordinary claims require extraordinary evidence.

The core idea of Bitcoin is that it is completely decentralized. If you create a "Bitcoin central bank" that decides which blockchain is right and which is wrong, it's going to be not Bitcoin but something else.

With the overflow bug, it was obviously a bug so it was fixed. In case of 50% network attack, there is no way to decide what is right and what is wrong.

[BitterTea]

The core idea of Bitcoin is that it is completely decentralized. If you create a "Bitcoin central bank" that decides which blockchain is right and which is wrong, it's going to be not Bitcoin but something else.

Nobody is proposing this. If a rule such as "the valid chain is the longest one" is decentralized and not an authority, when why would any other rule be otherwise?

With the overflow bug, it was obviously a bug so it was fixed. In case of 50% network attack, there is no way to decide what is right and what is wrong.

Just because you can't think of a way, and I can't think of a way, doesn't meant there is not a way.

[Raulo]

What? I didn't get it... if I'm an honest miner, the attacker has no gain in "inviting" me.... I'll add honest blocks to his attempt of rewriting, basically I'll undermine his plans.

Have you heard about "mining cartel attack"? All kind of attacks can be performed with innocent participants.

An overtake attempt must be done entirely in secret by those trying the attack, and then suddenly released, overwriting honest blocks. If this overwrite is too long, it's clear not an honest split but an attempt of exploit the >50% vulnerability.

What if you had a network outage and now you see a longer chain. You drop it and your Bitcoin client no longer works.

What about a "stepping stone attack"? The attacker only injects chains slightly longer but frequently thus denying all confirmations.

You don't need to accept any particular authority, that can easily be a consensus, particularly if backed by good probability demonstrations. It's as much authority as the inflation control for example.

Consensus based on what? One person, one vote? Currently Bitcoin operates on consensus: "1 hash/s = one vote".

It is extremely difficult to gain from any >50% network attack. It is much more profitable to be honest. That's why I don't expect we will ever see "criminal double spending" because effort required to play this trick will be larger than any potential short-term gain.  But Bitcoin is completely vulnerable to DoS by a >50% participant. It's in its core. It is the basis of all Bitcoin operations and it is clearly described in the original Satoshi paper. Bitcoin can work only if >50% of the network hashrate is cooperating.

[Hawkix]

I think that 20 000 000 USD is too much money. The bitcoin network can be harmed for much less.

When using large volume orders, for about $500 you can built a rig with 850 MHash/sec. Thus, to get 2*850 = 1700 GHash/sec, you need $1 000 000. And you will own the network (cos have more than half the power).

Moreover, with this computing power, you will earn more than half of all coins generated. That is 3600 BTC, which will soon equal to $36 000 per day. Theoretically, the network would pay-off in just ONE MONTH!!!

And once you earned a bit, you can harm.

[caveden]

Apart from creating a whole lot of problems in normal operation (you will have the very same situation every time you had a network outage and now you client sees much longer chains), there is no guarantee you have the right chain.

Seeing a longer chain is different from seeing a long block reorganization. The lenght that matters in the second case is the backward length, the number of blocks who had to be discarded. Network outages won't cause you this.

And what about "stepping stone attack"? Attacker inject longer chains by one block one at the time denying all transaction confirmations?

Again:

True, but still that could be suspicious. Suddenly, the block chain changes to another one with lots of transactions which have never been seen by anyone? And then that happens again, and again, and again? People will quickly figure out somebody's messing around, particularly if the network is already rejecting "too long" block reorganizations. And once honest miners see the network is under this kind or political attack, they might figure out ways of blocking it.

The core idea of Bitcoin is that it is completely decentralized. If you create a "Bitcoin central bank" that decides which blockchain is right and which is wrong, it's going to be not Bitcoin but something else.

Who's talking about anything remotely closed to a central bank here? All I've said is that it's probably possible to prove with probability calculations that an honest block chain split will not be longer than a certain constant or that it would take several thousands of years for that to happen, so you could easily classify such kind of splits as dishonest.

[Gavin Andresen]

In the future, there will be many more than 4,000 transactions per block.

[crema]

In the future, there will be many more than 4,000 transactions per block.

Thank you ! That is what I wanted to know.

[Raulo]

Seeing a longer chain is different from seeing a long block reorganization. The lenght that matters in the second case is the backward length, the number of blocks who had to be discarded. Network outages won't cause you this.

What if you have an outage when there is a short accidental block reorganization. There is one every day or two. I've looked at reorganizations in my debug.log and had one during network outage and it resulted in 5 block reorganization. 

True, but still that could be suspicious. Suddenly, the block chain changes to another one with lots of transactions which have never been seen by anyone? And then that happens again, and again, and again? People will quickly figure out somebody's messing around, particularly if the network is already rejecting "too long" block reorganizations. And once honest miners see the network is under this kind or political attack, they might figure out ways of blocking it.

And what you plan to do? Whitelist honest nodes? Shutdown the network and hope the attacker goes away?

Who's talking about anything remotely closed to a central bank here? All I've said is that it's probably possible to prove with probability calculations that an honest block chain split will not be longer than a certain constant or that it would take several thousands of years for that to happen, so you could easily classify such kind of splits as dishonest.

If you start to discriminate the chains, you need to have authority. Once again, I claim there is no way to decide which chain is good and which evil if both are valid chains. What if the evil one starts to write on the Forum (with a lot of puppets) that we are under attack and we have to kill the other chain?

Moreover, anything (except the rule: longer chain wins) is going to get the Bitcoin network fragmented sooner or later because there will be accidental chain splits. And then how are you going to mend this mess? Both chains will claim to be "the ones".

Today, deepbit had 5 blocks in a row. If something (accidental) prevented it to broadcast the first one to the network and made it broadcast the last one, you would have a large block reorganization.

There are only two possible successful outcomes for Bitcoin: one is that Bitcoin hashing power is so large, no single organization can match it or that it is so niche nobody will care about killing it. 

[caveden]

What if you have an outage when there is a short accidental block reorganization. There is one every day or two. I've looked at reorganizations in my debug.log and had one during network outage and it resulted in 5 block reorganization. 

Then the short block reorganization will remain short. It's not the number of blocks added to it that counts, it is the number of discarded blocks. While you were offline, you didn't receive any new blocks in the bad chain, and people already started building on the other chain. The number of blocks that will be overwritten is small.

I think you're not clearing understanding what I mean by long block reorganization. I mean the number of blocks that will be overwritten. It's possible to mathematically determine a number for which the probability of it happening is completely insignificant. Honest block chains splits of such length will never occur.

And what you plan to do? Whitelist honest nodes? Shutdown the network and hope the attacker goes away?

I'm not planning into doing anything because I don't even think that will ever be needed. But I believe people would come up with a good plan if such thing happens. A whitelist of "transaction pools" to which every node could send their transactions could be a way to dodge the attack, maybe... If the attacker is only making transactions within his wallet in order to erase everybody else's and pause the network, such whitelist of transaction pools could show people which chain belongs to the attacker and which contain true transactions.

If you start to discriminate the chains, you need to have authority.

No you don't. You just need consensus, as there is consensus today that "the larger chain wins", as there's consensus today in the chosen inflation model etc.

Today, deepbit had 5 blocks in a row. If something (accidental) prevented it to broadcast the first one to the network and made it broadcast the last one, you would have a large block reorganization.

Dude! I'm talking about a length that is impossible to happen honestly! That's surely much more than 5 blocks. In my first post I said of a week. But some good mathematician should do the calculus.

[Zibbo]

What if you have an outage when there is a short accidental block reorganization. There is one every day or two. I've looked at reorganizations in my debug.log and had one during network outage and it resulted in 5 block reorganization. 

Then the short block reorganization will remain short. It's not the number of blocks added to it that counts, it is the number of discarded blocks. While you were offline, you didn't receive any new blocks in the bad chain, and people already started building on the other chain. The number of blocks that will be overwritten is small.

I think you're not clearing understanding what I mean by long block reorganization. I mean the number of blocks that will be overwritten. It's possible to mathematically determine a number for which the probability of it happening is completely insignificant. Honest block chains splits of such length will never occur.

First of all, entire countries can be blocked of from the net for long periods of time during civil unrest, censorship attempts etc., so very long "honest" splits can occur. Second, I don't understand why a long chain split is a requirement for any kind of attack? Attacker can send his block chain to the rest of the network every time it's ahead of the "honest" chain, which is most of the time. A lot of nodes will change to attackers chain (because there is no way of knowing which chain is honest, if both contain only valid transactions), wasting resources trying to add blocks to the attackers chain, which attacker will never accept, taking further resources away from the honest chain.

You need to be able to be able to figure out which valid block is an attack and which isn't, and I don't think you can.

And what you plan to do? Whitelist honest nodes? Shutdown the network and hope the attacker goes away?

I'm not planning into doing anything because I don't even think that will ever be needed. But I believe people would come up with a good plan if such thing happens. A whitelist of "transaction pools" to which every node could send their transactions could be a way to dodge the attack, maybe... If the attacker is only making transactions within his wallet in order to erase everybody else's and pause the network, such whitelist of transaction pools could show people which chain belongs to the attacker and which contain true transactions.

Well that's a move towards centralizing authority. And also, what's stopping attacker first "getting in" the transaction pool, before launching an attack. Making the whitelist really exclusive perhaps?

[Gibybo]

In the future, there will be many more than 4,000 transactions per block.

Why is that?

With a max block size of 1 MB and an average of ~250 bytes per transaction, aren't we stuck with ~4000?

[BitterTea]

In the future, there will be many more than 4,000 transactions per block.

Why is that?

With a max block size of 1 MB and an average of ~250 bytes per transaction, aren't we stuck with ~4000?

The 1MB hard block limit is merely to prevent someone from spamming the blockchain. It will be raised as necessary, though probably won't be for a while.

[yeponlyone]

I want to point out before I say all this, that it is written under the assumption that the code of bitcoin is as pure as it seems to be as a legitimate decentralized currency, and in no way brings to question the techies understanding of the code.

Now, IF the idea of decentralized currency was thought up originally by its ENEMIES who saw its implications, and they invested the necessary money/computers to eventually bring it down, then brought to the public as bitcoin via 'Satoshi Nakamoto'. They wait for the idea to draw in the techy individuals - like it has - who in turn spread the idea around to those who trust them as smart - like they have - this all with the aim of building up the popularity/reputation of decentralized currencies as a whole. Eventually, enough people trust and invest so that when this enemy of decentralized currency(also the creator of bitcoin mind you) pulls the proverbial rug out from under, the trusting collective loses the millions of dollars they have invested and the face of decentralized currency is now very ugly to the them, to the point where even if a new genuinely uncompromisable network were to emerge, we have the boy who cries wolf scenario on our hands (With the techies playing the part of the boy and the townspeople playing, well.. the townspeople. {For this metaphore to be truly accurate you actually have to see satoshi as the boy, and the techies would merely be the first townspeople that the boy gets to whom believe him, then themselves go on and unwittingly spread the boys lie, but potatoes, pototos, since as far as the townspeople are concerned the techies spreading the word are now untrustworthy, b/c to the simple mind, their money is gone, and their trust of the the techies is to blame}. This all having been done by the controllers of the money to keep their control of the money, by premeditating and attacking future honest decentralized currencies before their birth. This doesn't kill the idea obviously(since the idea is in essence the circumvention of gov't/banks, if these are indeed inefficient entities, efficiency (decentralized currency) wins long term, or so says evolution at least, efficiency can't be killed, its all there really is), it simply makes it harder for the future attempts to be able to take hold right away.

I have no idea if this is a valid point, or merely naive drivel which is easily refuted..

[FreeMoney]

I want to point out before I say all this, that it is written under the assumption that the code of bitcoin is as pure as it seems to be as a legitimate decentralized currency, and in no way brings to question the techies understanding of the code.

Now, IF the idea of decentralized currency was thought up originally by its ENEMIES who saw its implications, and they invested the necessary money/computers to eventually bring it down, then brought to the public as bitcoin via 'Satoshi Nakamoto'. They wait for the idea to draw in the techy individuals - like it has - who in turn spread the idea around to those who trust them as smart - like they have - this all with the aim of building up the popularity/reputation of decentralized currencies as a whole. Eventually, enough people trust and invest so that when this enemy of decentralized currency(also the creator of bitcoin mind you) pulls the proverbial rug out from under, the trusting collective loses the millions of dollars they have invested and the face of decentralized currency is now very ugly to the them, to the point where even if a new genuinely uncompromisable network were to emerge, we have the boy who cries wolf scenario on our hands (With the techies playing the part of the boy and the townspeople playing, well.. the townspeople. {For this metaphore to be truly accurate you actually have to see satoshi as the boy, and the techies would merely be the first townspeople that the boy gets to whom believe him, then themselves go on and unwittingly spread the boys lie, but potatoes, pototos, since as far as the townspeople are concerned the techies spreading the word are now untrustworthy, b/c to the simple mind, their money is gone, and their trust of the the techies is to blame}. This all having been done by the controllers of the money to keep their control of the money, by premeditating and attacking future honest decentralized currencies before their birth. This doesn't kill the idea obviously(since the idea is in essence the circumvention of gov't/banks, if these are indeed inefficient entities, efficiency (decentralized currency) wins long term, or so says evolution at least, efficiency can't be killed, its all there really is), it simply makes it harder for the future attempts to be able to take hold right away.

I have no idea if this is a valid point, or merely naive drivel which is easily refuted..

It's open source. People look inside at how it does what it does, it isn't a mystery or anything.

[yeponlyone]

quote freemoney

"It's open source. People look inside at how it does what it does, it isn't a mystery or anything."


I'm aware, however, I was under the impression that both money invested and the earlier the attack began, the worse damage it could do. Is it not the case that those who have viewed and understand the code claim this?


how do you do those quote bubbles? I'm new to this..

[Serge]

I think the way to kill the currency is to own all or most bitcoins in existence and mined in the future.

[ctoon6]

I think the way to kill the currency is to own all or most bitcoins in existence and mined in the future.

BTC can be split down to 8 decimal places, you could have a healthy system with only like 100 BTC in existence.