New method of 51% attack?

[DannyHamilton]

this would require way to much power to do , and i mean like way to much and the user would just end up getting blacklisted anyways.

I think it would probably require exactly the same amount of power as any other majority hash power attack.

How exactly would you blacklist them if you don't know who they are?

[dbell]

Yes the 51% miner could attack with two alternating chains as you describe but I am not sure what the advantage is from the attacker's perspective.

Given 51% or greater mining power, the attacker can simply mine it's own chain with whatever transactions it wants to use and it will as a matter of statistics get ahead of any other chain that the remainder of the mining community can produce. 

It is this ability to get ahead on the chain with valid proof of work that allows that attacker to always get long term control of the chain and fork it in the direction the attacker wants to go.

The attacker could choose to include all other transactions (good behavior), double spend (fraud), filter out particular transactions or transactions from particular address(s) (targeted denial of service),  reject all transactions (complete denial of service), long term reject block solutions from any subset of miners  (monopoly)

So the question back to OP is, "What extra advantage does the dual chain attack he describes give to the 51% attacker?" 

[acoindr]

... The disruptive part is that there would be switching back and forth all the time, and the two chains could contain very conflicting data. ...

That wouldn't be Bitcoin, but some other protocol/alt-coin. The Bitcoin protocol isn't only the longest chain; it's the longest chain that everyone agrees follows all the protocol rules, which includes not double spending coins and hash values which match all transactions (switched with malleability or not). A hash power advantage doesn't enable the circumvention of that.

Edit: I just got what you're saying. That would be a bit of a problem if the attacker could maintain 51% for a long period of time. Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains, but maintaining two chains of approximately equal length with one fork would mean users in the real world would need to wait to see what was the "real version of reality". I think most 51% risk comes from pooled miners, which in a stressful situation (like that of GHash.io) could migrate away, removing the hash power advantage before long.

[StephenMorse]

Yes the 51% miner could attack with two alternating chains as you describe but I am not sure what the advantage is from the attacker's perspective.

Given 51% or greater mining power, the attacker can simply mine it's own chain with whatever transactions it wants to use and it will as a matter of statistics get ahead of any other chain that the remainder of the mining community can produce. 

It is this ability to get ahead on the chain with valid proof of work that allows that attacker to always get long term control of the chain and fork it in the direction the attacker wants to go.

The attacker could choose to include all other transactions (good behavior), double spend (fraud), filter out particular transactions or transactions from particular address(s) (targeted denial of service),  reject all transactions (complete denial of service), long term reject block solutions from any subset of miners  (monopoly)

So the question back to OP is, "What extra advantage does the dual chain attack he describes give to the 51% attacker?" 

I think the difference is that it would be more useful to an attacker who really didn't want to gain anything from the attack other than making bitcoin completely un-useable. The typical example is a government who just wants to shut down bitcoin, doesn't really care if they gain anything in the process. This would make all services built around the bitcoin blockchain very unpredictable and impossible to use.

Another difference is that this attack would not be preventable by Gavin's "chain with more priority" idea (http://gavintech.blogspot.com/2012/05/neutralizing-51-attack.html). The standard 51% DOS attack where you just mine on your own chain and don't include anyone elses transactions would cause the attacker to lose 'priority' (coin age destroyed). But in this attack, the two chains would have roughly the same priority (coin age destroyed), so you couldn't prioritize one chain over the other.

[StephenMorse]

... The disruptive part is that there would be switching back and forth all the time, and the two chains could contain very conflicting data. ...

That wouldn't be Bitcoin, but some other protocol/alt-coin. The Bitcoin protocol isn't only the longest chain; it's the longest chain that everyone agrees follows all the protocol rules, which includes not double spending coins and hash values which match all transactions (switched with malleability or not). A hash power advantage doesn't enable the circumvention of that.

Edit: I just got what you're saying. That would be a bit of a problem if the attacker could maintain 51% for a long period of time. Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains, but maintaining two chains of approximately equal length with one fork would mean users in the real world would need to wait to see what was the "real version of reality". I think most 51% risk comes from pooled miners, which in a stressful situation (like that of GHash.io) could migrate away, removing the hash power advantage before long.

Yeah, I think you got what I was saying in the second paragraph. The two chains that are kept alive would be completely consistent within the individual chains, but the chain data between the two would be incompatible.

And yeah, I agree that if this were to happen in a pool then everyone would just leave the pool and it wouldn't be a huge problem. I think I was more thinking about some country who hates bitcoin buying up a bunch of hardware and then attacking the system like this to shut it down.

I don't follow when you say that "Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains". If there were a fork on one of the chains, it must have been on the chain the attacker wasn't working on (because they are always the only ones working on the shorter (less-work) chain). And since it is the chain opposite to the chain the attacker is working on, the attacker will just keep working until it creates a chain with more work than either of the mini-forks on the other side of the chain.

[acoindr]

I think I was more thinking about some country who hates bitcoin buying up a bunch of hardware and then attacking the system like this to shut it down.

I don't think that's very likely. Attacking the system isn't without risk. It would be hard to pull off such a large undertaking without ever being exposed, which then subjects the attackers to whatever backlash there is, political or otherwise, from a growing global community with increasing stakes in the system, all for a risky maneuver which might not amount to more than a temporary network inconvenience.

I don't follow when you say that "Multiple conflicting transactions would break the attack, though, as there would be multiple orphan chains".

I was responding to this:

The miner could even purposefully spread double spends between the two chains. Even transaction malleability could be utilized between the two chains, putting essentially the same transaction on the two chains, but with different hashes. This would make the network very unreliable and hard to use.

There is no need to spread double spends or utilize transaction malleability. It only takes one inconsistent transaction, of any form, to create a fork. Once you have two chains your vision for the attack could commence. Adding further inconsistencies within either of the two extending chains would cause further splits, wasting valuable hashing power for an attacker trying to keep two relatively similar length, but different, chains.

If there were a fork on one of the chains, it must have been on the chain the attacker wasn't working on (because they are always the only ones working on the shorter (less-work) chain). And since it is the chain opposite to the chain the attacker is working on, the attacker will just keep working until it creates a chain with more work than either of the mini-forks on the other side of the chain.

That's a way the network could break out of that attack, actually. Say things were proceeding normally and an attacker gaining 51% forked the chain, then worked to keep each about equal length. If there was some agreement compelling say 25% of the "honest" network to create an inconsequentially inconsistent, but valid third fork the attacker would quickly find it difficult to maintain equal lengths. The distribution of hashing power would meander over the three then gravitate toward the longer, least split chain, breaking the tie.

Remember, a valid chain contains all valid transactions and no double spends. As long as there is a longest valid chain, even if the 51% attacker is the one that forked and extended it, everything still works. Now an attacker could use 51% to block or filter transactions etc., things already discussed, but that's not the attack you're describing.

[ActualUpsurge]

https://duckduckgo.com/?q=site%3Abitcointalk.org+51+attack

[StephenMorse]

I don't think that's very likely.

Yeah, I don't really think it is either. It's an interesting theoretical attack, but would probably never be able to be successfully mounted on Bitcoin. On a fledgling altcoin, though...

There is no need to spread double spends or utilize transaction malleability. It only takes one inconsistent transaction, of any form, to create a fork. Once you have two chains your vision for the attack could commence. Adding further inconsistencies within either of the two extending chains would cause further splits, wasting valuable hashing power for an attacker trying to keep two relatively similar length, but different, chains.

Right, to create the fork you only need one inconsistency. But imagine you are switching back and forth between two chains with nearly identical data in them except that the hash of a single transaction is changed in the first block of the fork. It probably wouldn't be very disruptive to most users of the system if it just switched back and forth, but all your transactions were still confirmed and all still had the same hash. Adding many inconsistencies would make using the two sides of the fork very different experiences. On one side your transactions are all processed and are fine. On the other, your transactions are removed because they depend on transaction IDs that are no longer in the block chain...

I'm not saying that the attacker should try to cause further forks on one side of the dual fork-chain at all. They would just put inconsistencies between the two main growing chains, not cause further forking. When the power is split between three chains, it takes an increasingly long amount of time to make the second strongest chain catch up to the main chain (the strongest chain).

That's a way the network could break out of that attack, actually. Say things were proceeding normally and an attacker gaining 51% forked the chain, then worked to keep each about equal length. If there was some agreement compelling say 25% of the "honest" network to create an inconsequentially inconsistent, but valid third fork the attacker would quickly find it difficult to maintain equal lengths. The distribution of hashing power would meander over the three then gravitate toward the longer, least split chain, breaking the tie.

Remember, a valid chain contains all valid transactions and no double spends. As long as there is a longest valid chain, even if the 51% attacker is the one that forked and extended it, everything still works. Now an attacker could use 51% to block or filter transactions etc., things already discussed, but that's not the attack you're describing.

That's interesting, but I'm not sure I see how it could work just yet. It sounds like you're saying that the network would introduce a third chain to split mining power between. But the network has to accept the chain with the most work as the correct chain. And I don't see how splitting the networks mining power amongst two chains would help things, it basically makes the 51% attack become a 67% attack because the network is splitting its time between two chains.

Maybe you could explain the defense you are proposing a bit more. It seems like if the network did somehow force the attacker to split their time mining on three chains, the attack would still work, it would just take increasingly long before the each chain replacement. In general though, I don't see how it could work, because anyone with less than 50% of the hashing power essentially has to choose the chain with the most work to make sure they stay in consensus with the rest of the network. But anyone with more than 50% of the hashing power (i.e. the attacker) does not have to follow this rule, as they can create valid blocks faster than the rest of the network.