Bitcoin 51PercentAttack - Ripple Wiki
51% Attacks on Bitcoin
The Bitcoin system is based on a chain of blocks that contain transactions that spend Bitcoins. Potentially, there could be a number of such chains in existence at the same time. Some might have a transaction in them and some might not have that same transaction. Bitcoin uses a simple rule to determine which chain to go by -- the longest one.
Miners solve a computation challenge (finding a particular hash) to produce new blocks. When a miner produces a block, they can include any valid transactions in that block that they wish. When a block is produced, the chain with that block is longer than the chain without that block, so that block chain becomes the one to go by since it's the longest one.
Now consider if one person or coordinated group controlled more than half the hashing power in the world. Such a person or group could pick any chain they wanted and work exclusively on extending that chain. Even with every other honest miner extending the longest chain, the chain the group picked would eventually become the longest. Thus, a person controlling 51% of the mining power can choose any block chain and, eventually, make it the longest one.
About the only defense Bitcoin has against this attack is block chain checkpoints. A client will not accept a chain that does not include specific blocks that have been selected as checkpoints. This prevents an ancient chain from being resurrected. However, this only protects transactions that are weeks old.
Why is Bitcoin vulnerable to a 51% attack?
The design of Bitcoin is inherently vulnerable to a 51% attack. Using chain length to resolve competing block chains is a core characteristic of Bitcoin and it is the fundamental reason Bitcoin is vulnerable to a 51% attack.
This inherent problem, however, is exacerbated by the particular mathematical operations required to produce a Bitcoin block. The algorithm used by Bitcoin requires a large number of computations, but it does not require a significant amount of memory or decision making. The computational path is entirely linear. While general-purpose CPUs are good at performing such computations, specialized hardware can be thousands of times better.
It was quite a surprise to the Bitcoin community when it was first discovered that existing GPUs (the processors on graphics cards) could actually perform these computations many times faster than CPUs could -- a high-end graphics card can generate Bitcoin blocks 200 times faster than a high-end CPU.
This means that a well-funded attacker who constructs hardware specifically designed for a 51% attack has a huge computational advantage over others who do not cooperate to develop custom hardware.
What could an attacker do?
A group that controlled 51% of the available hashing power could:
- Undo their own transactions after others had relied upon them being irreversible.
- Prevent anyone else from extending the hash chain.
- Completely control which transactions are applied and which transactions are not.
- Take all of the remaining unmined Bitcoins.
Note that an attacker cannot empty other people's accounts or create Bitcoins beyond the 21 million coin limit.
What would it take to execute a 51% attack?
To execute a 51% attack, a coordinated group of people would need to control at least 51% of the hashing power applied to the Bitcoin network. Or, put another way, they'd have to have at least as much hashing power as everyone else combined.
Bitcoin miners typically mine because they expect a profit. They will purchase mining hardware if the expected return justifies it. As the price of Bitcoins goes up, so does hashing power because mining becomes more profitable. However, more hashes mean a higher difficulty because the Bitcoin block generation algorithm regulates itself to around one block every ten minutes. This regulates the amount of mining power.
A group attempting a 51% attack could use the most cost-effective way to obtain that hashing power. This would mean a significant up-front investment in efficient hashing hardware. This would likely give the attacker at least a factor of 10 advantage over the other miners who acquired their hardware in an un-coordinated fashion.
As of August 2012, the block reward is 50 Bitcoins and Bitcoins are worth approximately $10 each. Because miners expect the rate at which they generate Bitcoins with the same hardware to drop as hardware improves and because the value of Bitcoins is uncertain, calculations suggest miners effectively use a fairly narrow time horizon of approximately two years. This translates to a total present value of Bitcoin mining of $52 million. Figuring in an attacker's factor of 10 hardware efficiency advantage, we get an estimated hardware cost to launch such an attack of around $5 million. Note that this is a back of the envelope, order of magnitude calculation.
Is this something Bitcoin users should worry about?
It does not appear that one could execute a 51% attack against Bitcoin and generate sufficient income from the attack to make a profit. Even if one made various financial bets against Bitcoin and staged things to make the maximum profit from the attack, it would still almost certainly be a money losing proposition.
While the money moving through the Bitcoin economy is increasing and thus the potential value of such an attack is increasing, the price of Bitcoins goes up with it, rendering the attack more expensive. However, the forthcoming decreases in the block reward will discourage mining. So it's possible that a 51% attack will, at some point, become profitable.
However, the bigger concern is a well-funded entity that found Bitcoins to be an existential threat. For example, if Bitcoins were an existential threat to the NSA, a $5 million price tag would not be a problem. Bitcoins could become an existential threat to financial organizations or governments.