Can the Bitcoin crypto-network be taken over by a “majority attack”?
A wealthy attacker could buy a manufacturing facility and produce more special hashing processors than the total number of nodes/miners in Bitcoin (See: coindesk.com/51-attacks-real-threat-bitcoin/ and coindesk.com/ahead-bitcoin-halving-51-attack-risks-reappear/ ).
The cost to produce 100K processors would be about $100Million. The cost of energy plus other logistics costs could be another $100Million. Why is this not an incentive to take over a network which is potentially worth, in capitalization, over $20Billion USD?
Loss of currency value
The intuitive answer to the question is that by the time the attacker has taken over, the network it would be worth very little. The “worth” in capitalization is essentially related to trust. Previous transactions in the blockchain have no intrinsic worth. They cannot be changed to “spend their outputs” to the attacker’s address. There is no mechanism to re-process old transactions from previous blocks in the blockchain.
The value of a currency is related to some real-world value, which itself materialized in the willingness of someone to “buy” Bitcoins with a new, real, current transaction. If users of the network have lost trust (as would happen after the network had been taken over) then exchanges would have trouble finding customers willing to buy Bitcoins. Thus, the value of Bitcoins would collapse.
The money lost by all the people owning the bitcoins would approach the total capitalization value; but this value could not be converted by the attacker into another form of trusted currency. The attacker would essentially steal value from himself. This is why miners, in general, have a low incentive to cheat.
However, as Bitcoin’s capitalization value keeps increasing faster than the number of miners, the potential reward of a malicious majority attack also increases.
Best scenario
The best scenario for an attacker using the “majority” approach (i.e.: gaining over 50% control), to convert his investment of $200M into more than $200M reward, is to steal as many real customer transactions (e.g.: double spend) as quietly and as fast as possible.
The attacker would also need to maintain the network and exchanges running as usual, for as long as possible, before the thefts are discovered and publicized.
Since knowing the addresses of a Bitcoin user does not guarantee to know the actual user, and because there is no limit in the number of blocks in a “fork” this type of attack could remain hidden for a certain amount of time. But would the attacker be able to recover as much or more than his initial investment? The answer is not certain and represents a real risk for the attacker.
Bitcoin’s defense against a majority attack stands on the premise that the attacker knows that such an approach would destroy the value of the stolen but not yet converted currency as soon as the scheme is discovered.
Is it possible that an unknown attacker already owns the majority of Bitcoin processors and is already quietly preparing blocks with “redirected” transaction outputs? That is creating a fork that we do not know about yet?
Openness
The Bitcoin defense against a majority attack also relies on openness: the ability of anyone to see all the transactions. The attacker would have to deploy such a large amount of processing capacity without being noticed. The attacker would have to buy or establish its own secret manufacturing operation. Can such an operation already have been established? Be ready to strike? Already be stealing bitcoins? If not, then why not?
Openness also implies that the total number of transactions is known; people can openly calculate the percentage of miners belonging to various mining pools and the percentage of the “leftover” miners. If the percentage of “unknown” miners reaches levels higher than 40%, this would be a sign that a hidden mining operation could be lurking.
Monitoring
Users of Bitcoin, especially those owning a considerable amount of currency, are also interested in monitoring the size of mining pools. Honest miners are also interested in getting out of pools that are becoming too big.
How does anyone know whether an attacker is in the process of secretly assembling a pool of processors larger in number and processing power than the rest of all miners? The attacker could have “real processors” in multiple pools (those pools that allow miners to have their own processors), covertly building up its processing power to a total greater than the majority of all other miners in the network.
A collaboration among multiple miners nodes independently of the pool they are part of is possible, provided that they are privately owned and controlled. By the time the attackers had achieved majority, they could easily pull out from all pools and “directly mine” with their processors. In this scenario, within a reasonable time, the collaborating attackers could take over the network.
Is Bitcoin secure just because most people think it is?
Better solutions
Better solutions are needed for new crypto-networks. A malicious attacker must be discovered much earlier than when it approaches majority ownership and control of the nodes.
Majority attacks are made possible by hacking, controlling, simulating or acquiring a large number of network nodes. We need solutions that drastically reduce the number of nodes that can be controlled by a malicious attacker.
One way to achieve this is to limit the number of nodes anyone can own or control.
Distributed responsibility against proliferation of identities
Denial of Service attacks are based on the proliferation of transactions. Limiting such intentional flooding by on issuer is currently not possible, as one person/entity can generate multiple anonymous addresses at will.
Majority attacks can be based on proliferation of node identities by one person/entity, so that the ownership of a lot of processing power by one miner can be disguised.
The defenses against these threats need to be achieved without infringing on user privacy.
Such defenses are possible by distributing the responsibility for securing the integrity of the crypto-network and by limiting the number of identities one person can create.
For example:
- Selected and verified manufacturers (or Certificate Authorities) can introduce PUDs (Personal Unique Devices - See: gorbyte.com/documents/The%20PUD%20Device.pdf ). These could be hardware USB sticks, SIM cards or software “virtual devices” which can help guarantee the uniqueness of the association between a node address and the PUD bounded to that same PC or iPhone.
- These PUD manufacturers or Certificate Authorities (and implicitly payment companies) can limit the acquisition of PUDs by accepting only one purchase of a PUD per form of payment. The goal here is not to limit one person from buying a few PUDs, but to limit a person from buying the thousands needed for mounting a multiple-identity or DoS attack. Various companies already have procedures set up for accepting and limiting the number of new credit card or bank account applications.
- Crypto-network nodes can then recognize and avoid multiple node addresses associated to the same IP address, thus forcing a potential attacker to acquire multiple IP address. Regional Internet Regystry (RIR) organizations already have policies for the allocation of pools of IP addresses and their maintenance. They can monitor massive acquisitions or transfers of IP addresses.
Distributed control of personal identity
The next decentralization improvement will be the decentralization of control of identity. Instead of a person’s identity being authorized and verified by some central or trusted authority, the identity of each person will be controlled by the person himself.
For example, further improvements in biometrics and recognition of unique human traits will allow the development of new models of PUDs, which not only will verify the uniqueness of a node-addtress-to-device association, but will verify the uniqueness of a person. Such PUDs will only be accessible by the owner. They will be tamper proof and valueless if lost or stolen.
These new PUDs will form the basis for a crypto-network identity framework. Such framework, coupled with crypto-network security, will allow for a simpler and secure development of distributed applications.
Distributed consensus
In addition to the above, new crypto-networks will distribute the consensus process, from competitive, randomly centralized mining, to cooperative agreement, so that all user nodes can participate in the agreement process (See: gorbyte.com/documents/About%20Gorbyte.pdf ).
By using a cooperative, majority agreement process involving all nodes, new unpermissioned crypto-networks will avoid “forking” blocks. This eliminates the period of indecision before a transaction can be confirmed.
More importantly, from the security point of view, this approach eliminates the possibility of covert majority attacks. This is because each block is immediately confirmed and becomes unchangeable, thus eliminating the window of opportunity for a possible attack based on replacing the last few blocks in the blockchain through the forking mechanism.
Avoiding forks also means avoiding a possible split of the crypto-network and consequent loss of currency value (E.g.: the ETC/ETH split and BTC/BTU split). Such splits also create indecision about which currency is safer to use.
Conclusion
The current leading crypto-networks have remarkably contributed to the decentralization of financial transactions and applications; however, crypto-networks will have to be more scalable and even more decentralized.
New crypto-network designs will include solutions that limit the number of transactions per address per block (to avoid DoS attacks), and node addresses per person (to avoid multiple-identity attacks), to a number that is certainly far smaller than the thousands needed for these types of attacks.
These improvements will allow users to implement full crypto-network nodes in their personal devices, enjoying secure distributed applications, and using financial services without the fear of losing their currency holdings.
No comments:
Post a Comment