Can the Bitcoin crypto-network be taken over by a “majority attack”?
A wealthy attacker could buy a manufacturing facility and produce more specialized hashing processors than are run by all Bitcoin nodes/miners combined (see: coindesk.com/51-attacks-real-threat-bitcoin/ and coindesk.com/ahead-bitcoin-halving-51-attack-risks-reappear/).
The cost to produce 100K processors would be about $100 million. Energy plus other logistics costs could add another $100 million. Why is this not an incentive to take over a network whose capitalization is potentially worth over $20 billion USD?
Loss of currency value
The intuitive answer to the question is that by the time the attacker has taken over the network, it would be worth very little. Its “worth” in capitalization rests essentially on trust. Previous transactions in the blockchain have no intrinsic worth: they cannot be changed to “spend their outputs” to the attacker’s address, and there is no mechanism to re-process old transactions from previous blocks in the blockchain.
The value of a currency is tied to some real-world value, which materializes in someone’s willingness to “buy” Bitcoins with a new, real, current transaction. If users of the network lost trust (as would happen after the network had been taken over), exchanges would have trouble finding customers willing to buy Bitcoins. Thus, the value of Bitcoins would collapse.
The money lost by everyone holding bitcoins would approach the total capitalization value, but the attacker could not convert that value into another form of trusted currency. The attacker would essentially be stealing value from himself. This is why miners, in general, have little incentive to cheat.
However, as Bitcoin’s capitalization value keeps increasing faster than the number of miners, the potential reward of a malicious majority attack also increases.
The best scenario for an attacker using the “majority” approach (i.e. gaining over 50% control) to turn his $200M investment into more than $200M of reward is to steal as many real customer transactions as possible (e.g. by double spending), as quietly and as fast as possible.
The attacker would also need to keep the network and exchanges running as usual for as long as possible, before the thefts are discovered and publicized.
Since knowing a Bitcoin user’s addresses does not reveal the actual user, and since there is no limit on the number of blocks in a “fork”, this type of attack could remain hidden for a certain amount of time. But would the attacker be able to recover as much as or more than his initial investment? The answer is not certain, and that uncertainty is a real risk for the attacker.
Bitcoin’s defense against a majority attack stands on the premise that the attacker knows that such an approach would destroy the value of the stolen but not yet converted currency as soon as the scheme is discovered.
Is it possible that an unknown attacker already owns the majority of Bitcoin processors and is already quietly preparing blocks with “redirected” transaction outputs, that is, building a fork that we do not know about yet?
The Bitcoin defense against a majority attack also relies on openness: anyone can see all the transactions. The attacker would have to deploy a very large amount of processing capacity without being noticed, and would have to buy or establish its own secret manufacturing operation. Could such an operation already have been established? Be ready to strike? Already be stealing bitcoins? If not, then why not?
Openness also implies that the total number of transactions is known; anyone can openly calculate the percentage of miners belonging to the various mining pools and the percentage of “leftover” miners. If the percentage of “unknown” miners rose above 40%, this would be a sign that a hidden mining operation could be lurking.
Users of Bitcoin, especially those holding a considerable amount of currency, also have an interest in monitoring the size of mining pools. Honest miners are also interested in leaving pools that are becoming too big.
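The monitoring described above is usually done by attributing each recent block to a pool and treating the share of blocks as a proxy for the share of hash rate. The Python below is an added example, not code from the original article: it attributes blocks by matching a known tag in the coinbase script, estimates each pool’s share over a window of blocks, and raises an alert when the unattributed share exceeds the 40% heuristic given on this page or when a single pool exceeds 50%. The pool names and tags (`/PoolAlpha/` and so on) and the sample windows are constructed for the example and are not real pool identifiers.

```python
from collections import Counter

# Constructed for this example: a tag string a pool is known to embed in its
# coinbase scriptSig, mapped to the pool name. Real monitors maintain such a
# table from publicly observed coinbase data; these entries are made up.
KNOWN_POOL_TAGS = {
    b"/PoolAlpha/": "PoolAlpha",
    b"/PoolBeta/": "PoolBeta",
    b"/PoolGamma/": "PoolGamma",
}

UNKNOWN = "unknown"   # the page's "leftover" miners


def attribute_block(coinbase_script: bytes, tags=KNOWN_POOL_TAGS) -> str:
    """Attribute one block to a pool by a known coinbase tag, else 'unknown'.

    Tags are self-declared, so a pool that omits or changes its tag (or a
    hidden operation that never publishes one) lands in the unknown bucket.
    """
    for tag, pool in tags.items():
        if tag in coinbase_script:
            return pool
    return UNKNOWN


def hash_share(coinbase_scripts, tags=KNOWN_POOL_TAGS) -> dict:
    """Estimate hash-rate share per pool as its fraction of blocks in the window.

    Block counts over a long enough window (e.g. one 2016-block difficulty
    period) track hash rate; over a short window they are noisy.
    """
    counts = Counter(attribute_block(s, tags) for s in coinbase_scripts)
    total = sum(counts.values())
    if total == 0:
        return {}
    return {pool: n / total for pool, n in counts.items()}


def concentration_alerts(shares: dict, unknown_threshold: float = 0.40,
                         pool_threshold: float = 0.50) -> list:
    """Return human-readable alerts for the two concentration signals on this page."""
    alerts = []
    unknown = shares.get(UNKNOWN, 0.0)
    if unknown > unknown_threshold:
        alerts.append(f"unattributed hash share {unknown:.0%} exceeds "
                      f"{unknown_threshold:.0%}: possible hidden mining operation")
    for pool, share in shares.items():
        if pool != UNKNOWN and share > pool_threshold:
            alerts.append(f"{pool} produced {share:.0%} of recent blocks: "
                          f"single pool above {pool_threshold:.0%}")
    return alerts


def sample_window(alpha: int, beta: int, gamma: int, other: int) -> list:
    """Build a constructed window of coinbase scripts with the given block counts."""
    return ([b"\x03abc/PoolAlpha/"] * alpha
            + [b"\x03abc/PoolBeta/"] * beta
            + [b"\x03abc/PoolGamma/"] * gamma
            + [b"\x03abc/no known tag/"] * other)


if __name__ == "__main__":
    # Constructed 20-block windows: a healthy one and one where the leftover
    # share has grown past 40%.
    for window in (sample_window(9, 5, 0, 6), sample_window(4, 4, 2, 10)):
        shares = hash_share(window)
        print({p: f"{s:.0%}" for p, s in shares.items()},
              concentration_alerts(shares) or "no alert")
```

In practice the unknown bucket also contains honest solo miners and pools that choose not to tag their blocks, so a rising unattributed share is a prompt to investigate (for example by correlating coinbase payout addresses across blocks) rather than proof of a hidden operation; the per-pool threshold is the signal that tells honest miners it is time to leave a pool that has grown too large.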
How does anyone know whether an attacker is in the process of secretly assembling a pool of processors larger in number and processing power than the rest of all miners? The attacker could
Distributed responsibility against proliferation of identities
- Selected and verified manufacturers (or Certificate Authorities) can introduce PUDs (Personal Unique Devices; see: gorbyte.com/documents/The%20PUD%20Device.pdf ). These could be hardware USB sticks, SIM cards or software “virtual devices” which help guarantee the uniqueness of the association between a node address and the PUD bound to that same PC or iPhone.
- These PUD manufacturers or Certificate Authorities (and implicitly payment companies) can limit the acquisition of PUDs by accepting only one PUD purchase per form of payment. The goal here is not to stop one person from buying a few PUDs, but to stop a person from buying the thousands needed to mount a multiple-identity or DoS attack. Various companies already have procedures for accepting and limiting the number of new credit card or bank account applications.
- Crypto-network nodes can then recognize and avoid multiple node addresses associated with the same IP address, forcing a potential attacker to acquire multiple IP addresses. Regional Internet Registry (RIR) organizations already have policies for allocating and maintaining pools of IP addresses, and they can monitor massive acquisitions or transfers of IP addresses.
By using a cooperative, majority agreement process involving all nodes, new unpermissioned crypto-networks will avoid “forking” blocks. This eliminates the period of indecision before a transaction can be confirmed.