On 51% attacks

Filip Gospodinov
Published in Inacta
5 min read · Jan 14, 2019

The recent 51% attack on Ethereum Classic (ETC) has once again drawn attention to block chain’s inherent soft spot. In this article we will take a closer look at this problem and gain a deeper understanding of it.

An attack where a malevolent actor is required to exercise a majority of hash power in order to execute the attack is commonly referred to as a 51% attack. This can be further classified into:

  • double spend attack
  • censorship.

While a temporary majority of hash power is sufficient for the double spend attack, censorship requires maintaining the hash power majority continuously.

Double Spend Attack

An attacker can use a majority of hash power to rewrite existing blocks. The majority is required in order to outpace the blocks mined by honest miners and so establish the valid chain to which all nodes will eventually switch. The attacker is limited to reverting transactions by removing them, as explained in Satoshi’s whitepaper:

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

Censorship

Censorship is executed by rejecting transactions that do not meet the censor’s criteria. Because honest miners will still include these transactions in their blocks, the censor is required to maintain a majority of hashing power indefinitely.

The most likely censorship scenario would be a state actor willing to impose certain policies on transactions. Further elaborations of this topic can be found in libbitcoin’s Cryptoeconomics write up, such as the Other Means Principle or in the recording of Eric Voskuil’s talk.

Counter measures

The higher the total hash power a given coin’s network exhibits, the more expensive a 51% attack becomes and, consequently, the less likely it is to be conducted. Bitcoin exhibits the largest hash power and a 51% attack on it is hence considered to be nearly impossible. It is the vast majority of altcoins that are very vulnerable to a 51% attack, due to their relatively low total hash power. The single most significant protection an altcoin can incorporate is to grow its mining community, which increases its total hash power. But this is difficult to achieve in a short period of time. Some altcoin communities have come up with new techniques to reduce their exposure to 51% attacks. We will now take a brief look at them and underline their trade-offs.

Merged Mining

Merged mining refers to the process of reusing (partial) PoW solutions from a parent cryptocurrency as valid proofs-of-work for one or more child cryptocurrencies. This technique allows a weak coin to inherit an established coin’s high hash power, given that both use the same hash algorithm. Consequently, it raises the cost of conducting a 51% attack. It was first proposed by Satoshi Nakamoto and is specified in the Bitcoin wiki. The first coin to be merge mined was Namecoin.

Although at first sight merged mining seems to be an excellent solution for coins with insufficient hash power, it violates the Dedicated Cost Principle. In short, the mining reward of the parent coin can be seen as a subsidy for 51% attacks on the merge mined coin. Hence, merge mined coins can be attacked at very low cost. The communities advocating merged mining believe that collecting block rewards from multiple coins, rather than just from the parent coin, is a large enough incentive for miners to stay honest.

Advanced Checkpointing

Feathercoin has experienced 51% attacks since its introduction in 2013. In the same year a new technique called “Advanced CheckPointing” (ACP) was introduced to mitigate 51% attacks. The concept is simple and therefore reliable: a dedicated node, the ACP master node, signs every Nth block’s header and releases the signature to the network, while all remaining nodes receive and verify these signatures. Nodes verifying ACP signatures would never switch to an alternate chain that lacks these signatures, which effectively prevents a double spend attack for up to N blocks. However, ACP doesn’t prevent censorship. If an attacker manages to gain 51% hash power, then she can reject transactions in her blocks, which will always be signed by the ACP master node.

Also, the term master node seems out of place for a decentralized network. Indeed, the master node is a single point of failure. Once the ACP master node’s private key is compromised, a hard fork is required to recover from the damage. In a sufficiently small network the master node can be identified quickly. Note that the master node’s private key is not sufficient for a double spend attack; a majority of hash power is required, too. ACP raises the bar for double spend attacks but lowers the bar for censorship: once an attacker gains control of the master node’s private key, she can refuse to sign blocks that contain transactions she wants to reject.

Overall, ACP seems to be a pragmatic trade-off to protect the users from double spend attacks while lowering the bar for censorship.
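The fork-choice rule described in this section can be modelled in a few lines. This is an added example, not Feathercoin's code: the helper names are hypothetical, chain length stands in for accumulated work, N is set to 5 for the demo, and the master node's signatures are assumed to be already verified. It shows that a deep rewrite is refused once checkpoints exist, while a fork that starts after the latest checkpoint is still accepted.

```python
import hashlib

CHECKPOINT_INTERVAL = 5  # the article's N; 5 is an arbitrary demo value

def extend(base, payloads):
    """Return `base` (a list of block hashes) extended by one block per payload."""
    chain = list(base)
    for payload in payloads:
        chain.append(hashlib.sha256((chain[-1] + payload).encode()).hexdigest())
    return chain

def signed_checkpoints(chain):
    """Height -> hash for every Nth block, as released by the master node.
    Assumption: the node has already verified the master node's signatures."""
    return {h: chain[h]
            for h in range(CHECKPOINT_INTERVAL, len(chain), CHECKPOINT_INTERVAL)}

def accepts_reorg(current, candidate, checkpoints):
    """Longest-chain rule (length stands in for accumulated work) plus ACP."""
    if len(candidate) <= len(current):
        return False
    for height, block in checkpoints.items():
        if height >= len(candidate) or candidate[height] != block:
            return False  # candidate lacks a signed checkpoint block
    return True

def demo():
    # Constructed sample chains; payload strings are placeholders.
    honest = extend(["genesis"], [f"honest-{i}" for i in range(1, 13)])  # heights 0..12
    acp = signed_checkpoints(honest)                                      # heights 5 and 10
    deep = extend(honest[:4], [f"alt-{i}" for i in range(12)])      # forks after height 3
    shallow = extend(honest[:12], [f"alt-{i}" for i in range(3)])   # forks after height 11
    return {
        "deep fork, no ACP": accepts_reorg(honest, deep, {}),
        "deep fork, ACP": accepts_reorg(honest, deep, acp),
        "shallow fork, ACP": accepts_reorg(honest, shallow, acp),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'reorg accepted' if accepted else 'reorg rejected'}")
```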

Proof of Stake

Proof of stake (PoS) is sometimes regarded as a valuable alternative to Proof of Work-based block verification. While it admittedly might mitigate 51% attacks and reduce power consumption, it exhibits a major flaw. Once an attacker becomes the biggest stakeholder of a PoS system, there is no means to recover from that situation. This scenario is comparable to an attacker getting hold of an ACP master node’s private key and is likely only recoverable using a hard fork.

Conclusion

We have taken a look at the 51% attack, which is inherent to every block chain, and can conclude that mitigations always compromise some of the core properties a block chain is supposed to guarantee. This is also one of the reasons why some advocate Bitcoin as the only proper cryptocurrency: Bitcoin’s enormous hash power renders 51% attacks nearly impossible.

In closing, it’s important to emphasize that by no means every problem needs all properties of a block chain as a solution. Sometimes only a subset of these properties is sufficient and sometimes a centralized system is the correct approach. Our team at inacta AG can help you to properly analyze the problem and identify the requirements for your implementation specification. Moreover, we can also take care of the implementation itself with a focus on security and reliability.
