Bitcoin Forum
Author Topic: Mining, a flawed concept coming home to roost?  (Read 2755 times)
Gabi
August 17, 2012, 12:24:41 PM
 #21

If you can verify, you can do whatever you want. If you want a million coins just transfer other coins to your own addresses. When the transactions come up for vote, all your machines approve the transactions. If you want to delete coins, transfer them to an invalid address and approve the transactions.

doesn't work that way. 51% doesn't allow you to transfer other people's coins; you still need their signatures. and your avatar tells us what you really are: a troll.
Are you sure?
The 51% attacker could make a blockchain which starts like from a 6 months ago block and builds on it, so all transactions that happened from like 6 months ago to today would not exist. People who mined in those 6 months would see their btc disappear because someone else (the attacker) actually mined them.

DeathAndTaxes
August 17, 2012, 02:14:51 PM
 #22

Well they certainly couldn't start today and cause a re-org that deep with only 51% control.  Sure they could have started 6 months ago but that means the 51% attack occurred 6 months ago not today.  Still that wasn't Blinken's understanding or post.  He seemed to indicate miners "vote" on tx and can choose to alter them.  Taking a tx from A->B and making it A->C where the attacker does not control the private key for A. 

TL/DR:
"If you can verify, you can do whatever you want. " is a 100% false statement.

Still if you are really worried about a 25,000 block re-org then don't accept coins unless the unspent output is prior to the last checkpoint.  Speaking of that, what is the last checkpoint?
Gabi
August 17, 2012, 03:12:17 PM
 #23

Maybe not with 51%

But what if they do have more, like 80 or 90% or more? After all it only takes like 10 million $ to do a 51%, an entity which has billions can surely spend a bit more and do that.

DeathAndTaxes
August 17, 2012, 03:43:51 PM
 #24

Sure but that substantially increases the cost.  True cost is much higher than $1M per TH/s when you consider infrastructure, labor, security, insurance, electricity, etc.  Let's say $2M per TH/s. A 90% attack today would cost ~$200M, take almost 20 days to hash a re-org that deep (plus setup time), and the attacker risks ASIC being released, skyrocketing the "good difficulty" in the meantime.  A massive amount of money to risk for the tiny economy that is Bitcoin.

In the future, when attacking Bitcoin may be worth $100M, it couldn't be done with $100M; it would require billions. It creates an interesting risk vs reward dynamic.  The cost rises as Bitcoin gets larger, but it may not get larger, so spending a huge sum now to avoid an even larger sum in the future may be a poor bet.  A bet that costs millions.
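
The re-org estimate in the post above can be checked with a simple expected-value model. This is an added example, not part of the original post; it assumes constant hash rates, and `old_work_ratio` and the honest hash rate passed to the cost function are assumptions that do not come from the thread.

```python
BLOCK_INTERVAL_MIN = 10  # Bitcoin's target spacing between blocks


def attacker_rate(share):
    """Attacker hash power relative to the honest network, given the
    attacker's share of the combined (attacker + honest) hash power."""
    if not 0 < share < 1:
        raise ValueError("share must be strictly between 0 and 1")
    return share / (1 - share)


def catch_up_days(depth_blocks, share, old_work_ratio=1.0):
    """Expected days for a private fork started `depth_blocks` back to
    overtake the honest chain, which keeps growing in the meantime.

    old_work_ratio (assumption): average work per rewritten block relative
    to a current block; 1.0 means difficulty has not changed.
    """
    gain = attacker_rate(share) - 1.0  # net blocks gained per honest block
    if gain <= 0:
        return float("inf")  # never catches up in expectation
    honest_blocks_elapsed = depth_blocks * old_work_ratio / gain
    return honest_blocks_elapsed * BLOCK_INTERVAL_MIN / (60 * 24)


def hardware_cost_usd(share, honest_ths, usd_per_ths):
    """All-in cost of the attacker's hash power at a given price per TH/s."""
    return attacker_rate(share) * honest_ths * usd_per_ths


if __name__ == "__main__":
    # 25,000 blocks and $2M per TH/s are the thread's figures;
    # 11 TH/s of honest hash power is a constructed sample value.
    for share in (0.51, 0.80, 0.90):
        days = catch_up_days(25_000, share)
        cost = hardware_cost_usd(share, honest_ths=11, usd_per_ths=2e6)
        print(f"{share:.0%} share: {days:8.1f} days, ${cost / 1e6:6.1f}M")
```

At a 90% share the model gives about three weeks for a 25,000-block re-org, while at 51% the same re-org takes more than a decade, which is why a deep re-org "with only 51% control" is dismissed earlier in the thread.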
gmaxwell
August 17, 2012, 04:00:53 PM
 #25

take almost 20 days to hash a re-org that deep (plus setup time) and the attacker risks ASIC being

And during that time newer software _might_ be deployed that happens to move a checkpoint past the point where they decided to fork, even if we don't know about the impending attack.  When that happens the attack would be pointless and all those resources wasted— a very risky gamble.   And even if it didn't happen, a 6-month deep out-of-the-blue reorg would be obviously rejected by the Bitcoin-using community; even after the fact people would gladly accept a checkpoint that killed it. This would reduce the damage from the reorganization to a dramafest, some moderate denial of service, and some small window of theft for transactions which get double spent on the tip of the reorged chain and accepted by people who haven't heard the news.

Personally I don't lose even a moment of sleep worrying about deep reorganizations, and I don't think you should either.

Why are we still responding to this explicitly trolling thread?


hashman
August 17, 2012, 05:05:38 PM
 #26

Maybe not with 51%

But what if they do have more, like 80 or 90% or more? After all it only takes like 10 million $ to do a 51%, an entity which has billions can surely spend a bit more and do that.

Think about it.  If you have some large hash at your disposal you could generate a new chain with a fork further back in time and thus take other recent miners' income as you point out.  However in doing so you are applying your hash to making this new chain and could simply be raking in current blocks which would generate more profit for you.  As you have spent so much on your hash you will have incentive to make the network stronger and thus increase the value of your coins.  The only possible exception to this is right after a block reward drop, though I still imagine it would be more profitable to simply mine new blocks (anybody want to model this for me?).  I imagine Satoshi considered this possibility along with the resolution of a more gently falling reward rate, and realized it didn't matter much and that's why we have the 50% reward drops.

You make an estimate of US$ 10 large to make a 51% double spend attack.  Do you think there are enough instant large-withdrawal-enabled services out there that anybody could recoup this kind of investment by doing some double spending?  I don't.  Careful planning and you could get the maximum withdraws from all the top exchanges, and some serious loot from gambling operators and a few online wallets.  I don't think this will approach $10 mil.  Coin service operators are (hopefully) aware that a double spend possibility exists and can simply put a hard cap on withdraws.

In my mind this vulnerability just means that BTC is not an appropriate vehicle for transactions, let's be conservative and take 10% of your figure, which are valued at US$ 1mil.  If you need to accept a million dollar payment from somebody you don't trust, you might want to start to worry about a double spend attack, especially if you think there are 10 other folks out there also accepting million dollar payments from this non-trusted entity.  A suitcase of Swiss francs or gold bars is probably a better solution for you.

As the network hash rate grows, the cost of a double spend 51% attack increases as well, and the maximum that people are willing to accept in coin payment from non-trusted entities will go up as well. 

In a related topic, can anybody tell me why this idea of "checkpointing" gives me a bad feeling?         





gmaxwell
August 17, 2012, 06:20:26 PM
 #27

In a related topic, can anybody tell me why this idea of "checkpointing" gives me a bad feeling?          

Because they are generally a terrible thing. Terribleness of checkpoints is mitigated by the fact that we never place a checkpoint except in the far past where there is no chance of a legitimate competing fork existing (legitimate meaning the product of the honest community of bitcoin participants, rather than attackers trying to rewrite history in order to commit fraud). If any client developers try to push a recent checkpoint the community better insist on a double darn good reason; because when checkpoints are used to decide between competing legit chains they're a violation of the decentralized design.

Why have them at all?  They cheaply mitigate a number of stupid DOS attacks (including, probably, some yet undiscovered DOS attacks), and they reduce some new node bootstrapping isolation attacks to the problem of getting a good copy of the software.  These justify having them.  That they also add additional uncertainty/risk to someone trying to make a deep fork in secret is just a bonus.
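
How a checkpoint interacts with most-work fork choice, as described in the post above, shown on a toy chain. This is an added example, not code from the post or from any Bitcoin client; the block format, helper names and sample chains are constructed for illustration.

```python
import hashlib


def block_hash(prev_hash, payload):
    """Toy header hash: SHA-256 over parent hash + payload (not Bitcoin's format)."""
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def build_chain(base, payloads, work_per_block=1):
    """Return a copy of `base` extended with one block per payload."""
    chain = list(base)
    for payload in payloads:
        prev = chain[-1]["hash"] if chain else "0" * 64
        chain.append({"height": len(chain), "prev": prev,
                      "hash": block_hash(prev, payload), "work": work_per_block})
    return chain


def passes_checkpoints(chain, checkpoints):
    """True if the chain carries the pinned hash at every checkpoint height it reaches."""
    return all(chain[height]["hash"] == pinned
               for height, pinned in checkpoints.items() if height < len(chain))


def total_work(chain):
    return sum(block["work"] for block in chain)


def choose_chain(active, candidate, checkpoints):
    """Most cumulative work wins, but a chain that contradicts a
    checkpoint is never considered, however much work it carries."""
    if not passes_checkpoints(candidate, checkpoints):
        return active
    return candidate if total_work(candidate) > total_work(active) else active


# Constructed sample data: a 10-block honest chain with a checkpoint at height 5.
honest = build_chain([], [f"honest-{i}" for i in range(10)])
CHECKPOINTS = {5: honest[5]["hash"]}  # shipped with the software

# Heavier fork branching at height 3, below the checkpoint: rejected.
deep_fork = build_chain(honest[:3], [f"attacker-{i}" for i in range(7)], 5)
# Heavier fork branching at height 8, above the checkpoint: still accepted.
shallow_fork = build_chain(honest[:8], ["alt-a", "alt-b", "alt-c"], 5)
```

The deep fork is refused even by a node that has no chain yet, which is the bootstrapping case the post mentions, while the shallow fork wins on work as usual because the checkpoint says nothing about recent history.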
TYDIRocks
August 17, 2012, 06:52:57 PM
 #28

if you could control about 10 Thash/s currently you would have voting power and could you not obtain that by gaining control of Deepbit, 50BTC, Ozcoin and BTCGuild?

Let's say you could.  Then what would you do with this voting power?

Well, what I would do is muster a DDOS attack on www.sesamestreet.org, but that's just me.

The more important question is what would a group of professional Russian hackers do? The answer to that is forge a million BTC and use the proceeds to underwrite an expansion of their criminal enterprises.

An even more scary possibility is that the Schumerites would take over the network and deploy armageddon: delete half the coins and quadruple spend the other half, or just transfer everyone's coins randomly between different addresses. Now, THAT would be FUD.



Methinks you should learn how Bitcoin works.
