Hacker News new | ask | show | jobs
by betterunix 4822 days ago
https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_...

Basically, someone who has the computing resources needed to do the same work as the rest of the network combined could create malicious forks of the block chain. They could then "reverse" transactions they had made, prevent other transactions from being confirmed, and interfere with "mining."

This is polynomial time in the parameters of the system: it is just the sum of the work done by the honest parties. The constant factor is small, and the attack is not at all impractical; even if we generously assume that it would take $100 million of ASICs to carry out the attack, the US government spent 10 times as much on one NSA datacenter in Utah.
2 comments
moe 4822 days ago
even if we generously assume that it would take $100 million of ASICs

You always conveniently ignore the fact that legitimate mining is at the verge of shifting to ASICs, too.

Perhaps your $100mio figure is accurate today, but it won't be long before you have to apply quite a significant multiplier to that.

link
betterunix 4822 days ago
In fact, $100 million is much larger than the situation today. I have seen estimates as low as $1 million and as high as $30 million.
link
moe 4822 days ago
And you seriously assume an attacker with that kind of resources (be it millions or billions) would be dumb enough not to realize that a crash of bitcoin would merely spawn the next, more resilient crypto currency?

That would have to be quite a large irrational player because this isn't compatible with today's corporate and government firmware (game theory) at all.

link
dragonwriter 4822 days ago
> And you seriously assume an attacker with that kind of resources (be it millions or billions) would be dumb enough not to realize that a crash of bitcoin would merely spawn the next, more resilient crypto currency?

That could actually be what the attacker wants.

> That would have to be quite a large irrational player because this isn't compatible with today's corporate and government firmware (game theory) at all.

While governments may be against cryptocurrency gaining traction, if it seemed inevitable that cryptocurrencies were going to gain widespread traction, assuring that any that had wide open attack vectors were crushed before they became economically significant would be a gain from most government's points of view, even if it just meant encouraging a more stable cryptocurrency.

An unstable cryptocurrency is a ticking time bomb whose yield increases as it gains transaction.

link
betterunix 4822 days ago
Is there some reason to think a more "resilient" protocol is even possible? Can you even give a rigorous definition of the security properties these protocols are trying to achieve?

That aside, do you really think the government would not try to destroy Bitcoin even if it meant a new system replaced it? Have you not been paying attention to what happened with Megaupload? Governments are perfectly willing to attack systems even when they know the systems will be replaced, just to disrupt the users of the system and pressure people to avoid them.

link
moe 4822 days ago
Is there some reason to think a more "resilient" protocol is even possible?

I'm not a bitcoin researcher but the first thing I'd have to note is that so far it's holding up not bad at all. At non-trivial scale and under permanent attack. Not a small feat for the first impl of a global, cross-platform P2P crypto money system, don't you think? Just consider the history of infinitely simpler systems (e.g. twitter).

Furthermore there are various efforts underway (e.g. SolidCoin) to address the known weaknesses, even before we know whether any of them turns out to be a bigger problem than the issues that we take for granted in our current banking system (e.g. "too big to fail" or the perpetual banking crisis that has been going on for the past 10 years).

That aside, do you really think the government would not try to destroy Bitcoin even if it meant a new system replaced it?

Personally yes, I doubt any half-sane government will equate bitcoin with software piracy.

Bitcoin addresses one of the core mechanics of society (money exchange). That's not even in the same ballpark as people downloading vampire movies without paying for them.

just to disrupt the users of the system and pressure people to avoid them.

This is where I think the average government would be smarter than you.

You can't kill demand for something so useful unless you utterly convince a majority that it can not possibly work - here your piracy-analogy holds water again.

They may indeed pull a Napster (we've seen how that played out) but I think it's much more likely they would try a very long-term, elaborate stealth attack to erode trust in p2p money systems as a whole.

But just as with piracy this seems like a losing proposition. Unless a truly insurmountable flaw is discovered that renders any system with the features of bitcoin infeasible.

link
betterunix 4822 days ago
"Unless a truly insurmountable flaw is discovered that renders any system with the features of bitcoin infeasible."

Be careful with words like "infeasible." That has a meaning in cryptography and in complexity theory, and it is not quite what you mean there. I think what you are trying say is, "There might be no protocol like Bitcoin that is secure against polynomial time attacks."

That is not such an outlandish scenario. It has been proved that Merkle's Puzzles cannot be secure no matter how they are instantiated; in fact, Merkle's original system is optimal. I would not be surprised if the a similar statement were true of digital cash systems without central authorities: that there will always be a polynomial time attack, no matter how you instantiate them.

Of course, before such a statement could be proved, you would first need a rigorous security definition for Bitcoin. What does it even mean for Bitcoin to be secure? "Double spending" is not even well-defined for Bitcoin; the existing rigorous definitions of double spending in digital cash systems invoke a central authority. Without good security definitions, it is hard to say whether or not Bitcoin is secure or could be secure.

I doubt that even a minority of Bitcoin users are terribly concerned with the lack of rigorous definitions or analysis. If they were, the system would never have gained any traction. As you say, it would take a sustained attack on these systems to really erode the trust in them (although by the second or third system that was attacked, I think most people would just give up).

It is also worth pointing out that the end game might not even be to destroy the system, but just to use it to cut off organizations like Wikileaks. The same attack that can be used to double-spend in Bitcoin can be used to prevent transactions from being confirmed; the government might just stop select targets from using Bitcoin. This would probably shake people's trust in the system, but perhaps not -- maybe the government would be very judicious, or would try to frame the target and make it look like they are trying to cheat.

We could sit here coming up with possible motives for an attack all day long, of course. That is yet another reason that rigorous definitions and formal analysis are valuable: if we can show that no feasible attacks exist, then we do not need to try to guess what the attacker's purpose might be.

link
Xcelerate 4822 days ago
Ah, okay. I thought you were implying there was a polynomial attack on ECSDA, SHA-256, or RIPE-MD.
link
betterunix 4822 days ago
It is important to remember that Bitcoin is not a hash function or a signature system. Unfortunately, there seems to be no rigorous definition of "security" for Bitcoin, so it is somewhat difficult to understand what it means to "attack" Bitcoin. I suspect that any rigorous definition of Bitcoin's security would require a definition of money that lacks both authority and intrinsic value.
link