Bitcoin: 51% attack considered harmless

If the core appeal of Bitcoin is its decentralized nature, then it is fairly intuitive that it would be really bad if one person controlled most of the network.

Specifically, if one person owned 51% of the computational power (hash rate) of the network, we certainly can’t call Bitcoin a decentralized network anymore, and it would appear that this ruins everything. Bummer.

However, when you read the official accounts and experts’ statements, the general consensus is that a 51% attack really wouldn’t be that disastrous to Bitcoin. It would simply allow the attacker to harm the network for a while, and market forces, code changes and real-world repercussions would take care of the rest. On the surface this is a clear contradiction!

How can someone owning 51% of a decentralized network be OK? How is it that there is any limit at all to what they can do? In fact, if you are paranoid like me, the first time you heard of the possibility you probably also came up with the following chain of questions:

Why isn’t this disastrous? Why can’t attackers just erase all past transactions, create new bitcoins from thin air, reverse all their own previous transactions, or send money from everyone to themselves?

Turns out the Bitcoin Foundation and the experts are mostly right: there are very severe limits to what someone with 51% of the computational power in the network can do, and I’ll try to reason through why in my own way in this write-up.

The purpose of this post is not to come up with an exhaustive list of consequences of a 51% attack but to start from a point of confusion about why the attacker can’t just do anything they like and provide a framework for assessing what kind of attacks are possible when a group owns the majority of computing resources.

Mandatory disclaimer: I’ve written this as much to clarify my own thinking as to help others think through the subject. Please correct me!

Assertion 1: Attackers can’t do everything

It would be heartening to first establish things attackers can’t do. If such things exist, then we have some glimmer of hope that a 51% attack might not be the end of it all.

1a: Attackers cannot impersonate others

The first way to see that attackers can’t do everything is to note that every attack that requires a private key the attacker does not own is impossible. Owning 51% of the hash rate says nothing about my private key: mining power and signing keys are completely independent.

Since you need my private key to produce a valid signature spending my coins, i.e. to send money as me, a.k.a. steal money from me, it follows that, in a 51% attack, changing the block chain in ways that involve impersonating others (e.g. wiring money to yourself from other people) is not possible. The reason this holds even against a miner is that signatures are not checked by miners alone: every full node verifies the signature on every input of every transaction before it accepts a block, and a block containing a badly signed spend is rejected outright, no matter how much proof of work sits on top of it.

The attacker cannot impersonate me. Nice!

This rules out a very large class of scenarios so we’re getting somewhere.

1b: Attackers cannot arbitrarily rewrite the block chain

Let’s consider a very extreme attack— the one that bothered me enough to write this post.

As an attacker, why not just make myself a trillionaire or, more specifically, why not just rewrite the entire block chain to say I’m a trillionaire? Since I own 51% of the network’s hash rate, I could make my new block chain the longest chain, and then wouldn’t everyone have to accept it?

Here’s where this goes wrong:

1) Bitcoin has “checkpoints”: block hashes hard-coded into the client that any competing chain must contain at the expected heights. So a simple sanity check rules this kind of attack out. Checking the genesis block (the first block ever created) and each checkpoint block tells a node whether it is dealing with an entirely different block chain, however much work that chain carries. Here’s Satoshi himself announcing them and referencing this exact attack! Note that checkpoints only protect history below the most recent hard-coded checkpoint; everything above it is protected by the work rule in point 2.

2) Even if there were no checkpoints and you wanted to make a fake block chain from scratch, you would not merely need a chain with more blocks than the current one: you would have to redo more computational work than the entire network has expended since the genesis block. Nodes do not simply follow the chain with the most blocks; they follow the chain with the most cumulative proof of work, where each block counts for the expected number of hashes its difficulty required. And the fake chain would still have to obey the consensus rules that every full node checks: each block’s coinbase may create no more than the permitted subsidy plus fees, so a chain that simply declares you a trillionaire is invalid before the question of which chain has more work even arises.

As of Dec. 2013 Bitcoin mining was a $15 million a day enterprise, so the cost of producing a block chain from scratch almost certainly exceeds any perceived benefit of acquiring “all the bitcoins”, which quickly become worthless once everyone realizes what you have done and loses trust in Bitcoin because of your dastardly deed.

This last point brings up a central assumption that guides the rest of the post: we are only concerned with a rational attacker whose sole motive is financial profit. An attacker who simply wants Bitcoin to fail (a hostile government, say) is not bound by this reasoning, and the arguments below do not apply to them.

Assertion 2: Rational Bitcoin Attackers want to see Bitcoin succeed

Thus, besides what you can’t do, there are also things you would not do if you were a rational attacker. The first is that you would not execute an attack that left you owning all the bitcoins.

The important insight here is that as an attacker you absolutely NEED other people to see value in Bitcoin. Because of this you would not want to start an entirely new block chain where you owned all the money, or one that angered any significant number of people. People would stop trusting Bitcoin, they would evacuate the building, and all your hard-earned “money” would be worthless (as in worth $0).

As an aside Paul Krugman sees the intrinsic worthlessness of a bitcoin as a flaw, but here we see it shine through as a strength. The value of a bitcoin being wrapped up in the network actually makes it more resilient in the face of a 51% attack!

Thus we see that rational Bitcoin attacks are, in principle, biased towards isolated and infrequent incidents that are unlikely to cause an overall crash of the bitcoin price.

Since we needn’t worry about the entire block chain being recreated, we mostly just need to worry about a 51%er rewriting the recent end of the chain: the latest block, or a few blocks back, which the people relying on them may not yet treat as final and which sit above any checkpoint. How far back is a matter of time and money rather than a hard rule: with a majority of the hash rate the attacker will eventually overtake the honest chain from any depth above the last checkpoint, but the expected time grows with the depth, and every hour spent on a private chain is an hour of block rewards forgone.

At this point we have the basis for understanding what a 51%er can and cannot do. So let’s put it all together.

What attackers cannot do:

1) Attackers cannot impersonate others, since they would need to steal your private keys, so they can’t forge transactions from you to them. They can’t steal money by impersonation, so the only way they could steal a tonne of money is to fake the block chain and create coins from thin air… but…

2) Attackers cannot cheaply rewrite the block chain beyond a few blocks behind the tip of the best chain: history below a checkpoint is off limits entirely, coins created outside the consensus rules are rejected by every node, and deeper rewrites above the last checkpoint cost time and forgone rewards that grow with the depth.

What attackers can do

1) Attackers can build a private fork from near the tail end of the block chain, which lets them double spend: spend bitcoins, publish a heavier chain in which that spend never happened, and then spend them again.

To pull this off, an attacker could send bitcoins to an exchange, wait for the exchange to credit the deposit and withdraw dollars, and meanwhile mine a private chain that omits the deposit transaction. Once the private chain carries more work than the public one, the attacker publishes it; every node switches to it, the deposit transaction disappears from history, and the attacker still holds the bitcoins they “spent”. This is why exchanges wait for several confirmations before paying out: each block on top of the deposit is one more block the attacker must outrun, although against a genuine majority that only buys time rather than safety.
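The following simulation, an added example and not code from the original post, ties together the “most work, not most blocks” rule from assertion 1b and the double spend just described. It models chain selection by cumulative work the way Bitcoin Core computes it (2^256 / (target + 1) per block), reproduces the catch-up probability from section 11 of the Bitcoin whitepaper, and runs the exchange attack as a race between a public chain containing the deposit and a private fork that omits it. The targets, the transaction id and the hash-rate shares are constructed for illustration.

```python
"""Chain selection by cumulative work, and the double spend a majority miner can pull off.

Added example, not code from the original post. Targets, transaction ids and
hash-rate shares are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    target: int        # proof-of-work target; a smaller target means more work per block
    txids: tuple = ()  # ids of transactions confirmed by this block (constructed)


def block_work(target: int) -> int:
    """Expected hashes to find a block at this target: 2^256 / (target + 1),
    the formula Bitcoin Core uses when it accumulates chain work."""
    return (1 << 256) // (target + 1)


def chain_work(chain: list) -> int:
    return sum(block_work(b.target) for b in chain)


def select_chain(candidates: list) -> list:
    """Node rule: follow the chain with the most cumulative work, not the most blocks."""
    return max(candidates, key=chain_work)


EASY = 1 << 224   # constructed "easy" target
HARD = EASY >> 4  # 16x smaller target: each block carries 16x the work


def longest_chain_loses_to_heavier_chain() -> bool:
    """Ten easy blocks versus two hard blocks: the chain with more work wins
    even though it has fewer blocks."""
    longer = [Block(EASY)] * 10
    heavier = [Block(HARD)] * 2
    return select_chain([longer, heavier]) is heavier


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner with hash-rate share q ever overtakes an honest
    chain that is z blocks ahead (section 11 of the Bitcoin whitepaper).
    For q >= 0.5 the race is a random walk with non-negative drift, so it is certain."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


DEPOSIT = "attacker->exchange"  # constructed transaction id


def double_spend_reorg(q: float, confirmations: int, seed: int = 1, max_blocks: int = 200_000):
    """Simulate the exchange attack.

    At time zero the attacker broadcasts DEPOSIT and starts mining a private
    fork from the same parent block that leaves DEPOSIT out. Each step one block
    is found network-wide; it is the attacker's with probability q. The exchange
    pays out once DEPOSIT has `confirmations` confirmations. The attacker
    publishes the fork when it has been paid out and the fork carries more work
    than the public chain. Returns (blocks_elapsed, txids_in_winning_chain), or
    (None, public_txids) if the attacker gives up after max_blocks.
    """
    rng = random.Random(seed)
    public, private = [], []
    paid_out = False
    for elapsed in range(1, max_blocks + 1):
        if rng.random() < q:
            private.append(Block(EASY))
        else:
            # The first honest block confirms the deposit; later ones bury it deeper.
            public.append(Block(EASY, (DEPOSIT,) if not public else ()))
        if len(public) >= confirmations:
            paid_out = True
        if paid_out and chain_work(private) > chain_work(public):
            winner = select_chain([public, private])  # every node switches to the heavier fork
            return elapsed, tuple(t for b in winner for t in b.txids)
    return None, tuple(t for b in public for t in b.txids)
```

Two things the numbers show. First, `attacker_success_probability` falls off exponentially with confirmations for any q below 0.5, which is what makes the usual six-confirmation rule meaningful; at q of 0.5 or above it is 1 regardless of z, so confirmations only buy time. Second, `double_spend_reorg` with q = 0.6 reliably ends with the private chain winning and the deposit absent from the surviving history, while with q = 0.3 it usually gives up, matching the closed-form result.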

2) The other class of things they can do follows from the fact that they now effectively control mining on the network. So they can tamper with every part of the Bitcoin system that works because of mining. Specifically, they can:

i) collect all of the newly mined bitcoins and fees for themselves, by orphaning every block that other miners find

ii) refuse to include arbitrary transactions in their blocks, causing confirmation delays, or, by mining only empty blocks, grind transaction processing on the entire network to a halt

iii) crank up average transaction fees on the entire network by declining to include any transaction that pays less than a fee they set

This brings us to the end of our analysis. It’s great that we come to the same conclusions as the experts, but it’s nice to be able to think through things from first principles. The conclusion is that a 51% attack could raise mining fees, cause unwanted confirmation delays and make double spending possible; it cannot forge signatures, create coins outside the consensus rules, or cheaply rewrite deep history. These threats are further diminished both by the cost of carrying out truly destructive actions and by the fact that a profit-driven person who owns a majority of the network gains nothing from destroying it. Since attackers benefit more if the Bitcoin network flourishes over the long term, they are actually incentivized to keep it alive.

I plan to write more frequently. If you enjoyed this, you can follow me on Twitter @levandreessen and send in thoughts about this write up ☺