[tangential] Bitcoin: GHash just hit 51%

post by David_Gerard · 2014-06-14T08:31:50.695Z · LW · GW · Legacy · 18 comments

Contents

18 comments

And apparently the sky is falling. From Ittay Eyal and Emin Gün Sirer at Hacking, Distributed:

But the fact is, this is a monumental event. The Bitcoin narrative, based on decentralization and distributed trust, is no more. True, the Bitcoin economy is about as healthy as it was yesterday, and the Bitcoin price will likely remain afloat for quite a while. But the Bitcoin economy and price are trailing indicators. The core pillar of the Bitcoin value equation has collapsed.

They note previous bad behaviour from GHash (which GHash attributed to a rogue employee).

Their proposal is a hard fork, with different parameters (to make huge mining pools no longer an economically rational choice), but respecting the blockchain to date so they can reasonably keep calling it "Bitcoin".

18 comments

Comments sorted by top scores.

comment by [deleted] · 2014-06-16T09:56:30.947Z · LW(p) · GW(p)

I see a fair number of comments talking about how this is an overblown issue. There may be FUD out there, but that doesn't mean this is not a significant issue that demands attention. Large-hashpower entities are an existential threat to bitcoin.

Bitcoin's is revolutionary because it is a permission-less payment network: anyone can use it for direct, peer to peer trade with no middleman or governing body. Nobody has to ask for permission or approval. This is because the mining process acts as a distributed voting mechanism to determine acceptance and ordering of transactions. BUT, if one party controls >50% of the hash power, then it is just like having >50% of the vote in a majority-wins election. There's no longer any point in voting -- this one entity now has the power to unilaterally decide for itself which transactions go through and which do not. If you want your transaction to go through, it will only happen with their approval. Suddenly, we are back to having a middleman and all the advantages of bitcoin are gone.

Update: there's a great new post on hacking distributed covering what I just said in greater detail.

Replies from: passive_fist
comment by passive_fist · 2014-06-17T07:56:59.274Z · LW(p) · GW(p)

Many cryptocurrencies have been destroyed by 51% attacks. Under the hood, those currencies and bitcoin are virtually identical. The only difference is that bitcoin has a lot more riding on it and a lot more people who care. And that's really the only thing that could save it. It may be overblown to say this is the end of bitcoin, but it certainly is the end of the status quo. Something will have to change, either in the bitcoin protocol or community, if bitcoin wishes to remain afloat.

Replies from: David_Gerard
comment by David_Gerard · 2014-06-17T12:49:49.913Z · LW(p) · GW(p)

Many cryptocurrencies have been destroyed by 51% attacks.

Would you have a link to a writeup of these handy? I'd like to read up on this.

(a request for info, not doubting it in the slightest)

comment by gwillen · 2014-06-14T08:38:50.940Z · LW(p) · GW(p)

These guys are known for making ludicrous pronouncements about how the Bitcoin sky is falling. Their previous work on selfish mining made a lot of wild doomsaying claims which have not held up.

A single entity having 51% of the hashing power is annoying but not catastrophic. It would be much worse if they had 51% on their own hardware, which they don't. Any attack they can perform with their mining power would be prominently linked to them, which would cause a massive drop in their hashpower as miners fled to other pools. (Which some of them are already doing.)

So while I think concentration of mining power IS a long-term problem that needs a long-term solution, I think all the ghash wailing right now is significantly overblown.

Replies from: David_Gerard, passive_fist
comment by David_Gerard · 2014-06-14T09:15:21.407Z · LW(p) · GW(p)

GHash has since backed off from >50%, since they're not stupid.

I note that the fact that, despite all rationalisation to the contrary (that no-one would ever let themselves cross 50%), someone actually did cross 50% has in fact upset people: the cultural assumptions seem to be feeling shaky to them. HN discussion is interesting.

comment by passive_fist · 2014-06-17T08:02:02.127Z · LW(p) · GW(p)

Except that an entity with 51% power could conceivably cause damage in ways that would be hard to figure out (say, but obfuscating the blockchain -- obfuscations could easily get lost in the daily chaos of bitcoin trade). The only safe course of action is to assume that once an entity has gained 51% power, all further blocks are 'tainted', and roll back blocks until before the entity had 51% power. But this would be a huge nuisance for miners, users, and exchanges alike.

Replies from: gwillen
comment by gwillen · 2014-06-17T23:35:41.460Z · LW(p) · GW(p)

This is completely false and I can't understand how you could have acquired this impression.

What do you mean by 'obfuscating'?

A 50+% entity cannot cause permanent damage to the blockchain; they cannot steal coins; they cannot generate coins that weren't supposed to exist; the ONLY extra powers they have are

(1) to suppress transactions that would otherwise have occurred, and (2) to prevent other miners from mining.

Neither of these transactions has any permanent effect on the blockchain after the attack stops, except for the omission of transactions that would otherwise have been present (which, assuming they were organic transactions by real users, will be automatically resubmitted until they're included in a subsequent block.)

Replies from: ChristianKl
comment by ChristianKl · 2014-06-18T16:43:13.331Z · LW(p) · GW(p)

While I don't think bitcoin would completely crash, double spending could be an serious issue.

comment by James_Miller · 2014-06-14T16:29:39.161Z · LW(p) · GW(p)

If you control more than 50% of the relevant metric can you secretly take actions that harm other Bitcoin users?

Replies from: ChristianKl, Viliam_Bur
comment by ChristianKl · 2014-06-18T16:30:50.260Z · LW(p) · GW(p)

No, you need to reject blocks that other miners who follow the right protocol put online. >50% is the amount that you need that you can reject their blocks and still have the largest chain and therefore the ability to have the most authoritative chain.

comment by Viliam_Bur · 2014-06-14T17:18:01.143Z · LW(p) · GW(p)

Could government use this to fight Bitcoin? Keep all the seized bitcoins, precommit to never sell any, and destroy the whole network when they have over 50%. The users would not know when the moment comes, because they wouldn't know exactly how many bitcoins the government has currently, only that the number is always increasing...

Replies from: asr
comment by asr · 2014-06-14T18:26:15.501Z · LW(p) · GW(p)

The attack that people are worrying about involves control of a majority of mining power, not control of a majority of mining output. So the seized bitcoins are irrelevant. The way the attack works is that the attacker would generate a forged chain of bitcoin blocks showing nonsense transactions or randomly dropping transactions that already happened. Because they control a majority of mining power, this forged chain would be the longest chain, and therefor a correct bitcoin implementation would try to follow it, with bad effects. This in turn would break the existing bitcoin network.

The government almost certainly has enough compute power to mount this attack if they want.

Replies from: jimrandomh, James_Miller
comment by jimrandomh · 2014-06-14T21:40:24.422Z · LW(p) · GW(p)

51% of hash power only grants the power to roll back recent transactions which you sent. It does not make it possible to enter invalid transactions, to roll back transactions you weren't party to, or to steal coins at rest. The risk is that you could receive coins, do something in response to receiving those coins, and then discover that they were clawed back. But the further back in time the transaction was, the more computationally expensive it is for them to do this.

Replies from: Douglas_Knight
comment by Douglas_Knight · 2014-06-15T00:54:24.013Z · LW(p) · GW(p)

While it doesn't allow invalid transactions, it does enable rolling back other people's transactions, by a combination of rolling back time and rejecting a class of transactions, such as a particular address. In particular, it allows ignoring all other miners and taking all the newly mined coins.

It's true that the further back in time you want to rewind, the more computational resources. In particular, the further back in time you want to go, the more time it takes to accomplish the maneuver. But if you are a consortium of miners, you were going to spend these resources mining, and the total number of blocks is fixed, so does it cost electricity? I'm not sure.

comment by James_Miller · 2014-06-14T20:09:57.629Z · LW(p) · GW(p)

For how long would you have to control the computing power? Would having control of a massive number of computers for a few minutes be enough?

Replies from: Eugine_Nier
comment by Eugine_Nier · 2014-06-15T01:45:07.241Z · LW(p) · GW(p)

The more damage you want to do the longer it takes.

Would having control of a massive number of computers for a few minutes be enough?

Definitely not. To give you a sense of scale, a new bitcoin block comes out every five minutes and it would take control of the block chain for multiple 'ticks' to do serious damage.

Replies from: None
comment by [deleted] · 2014-06-16T09:45:16.339Z · LW(p) · GW(p)

a new bitcoin block comes out every five minutes

Ten minutes, on average.

Replies from: Eugine_Nier
comment by Eugine_Nier · 2014-06-17T00:45:28.977Z · LW(p) · GW(p)

Thanks.