That means: For SHA256^2-specific hardware, Bitcoin (the real one, not Cash, Gold, or SV), for scrypt, Litecoin, and for anything mined on GPUs, Ethereum (not Classic).
 or migrate from to another coin, such as the coin that the attackers left to fill their void?
Basically, you spend your coins today, while controlling a 51% share. When everyone else's 49% hash-power creates 98 blocks, your 51% share will create 102 blocks.
But secretly. That's the key. Now that your chain is +4 ahead (or wait even longer and become +10 ahead), you can spend your coins on the public chain. Then, you publish your 102 alternative blocks (which barely adds any hash power to the chain), and spend your coins again on the 2nd chain.
A 51% is the end-all-be-all for a cryptocoin. If you're vulnerable to the 51% attack, the coin is effectively worthless.
The only way to beat a 51% attack is to build more hash power than the attackers. IE: Prevent the attackers from getting to 51%.
The only problem here is that PoW only knows one cost: hashing, and due to macro shifts in mining hardware this can sometimes go down a lot more than the value of a coin (which makes the cost of this attack worth it).
As soon as you start introducing measures to subvert this attack you are subverting either decentralization or stability. If you for example program clients to not accept reorgs deeper than 10 blocks (for example) you simply introduce new attack vectors that can split the network (into following different chains - which is even scarier than 51% attacks).
If every x blocks you snapshot the chain and force everyone to follow that snapshot you just centralized the chain, etc.
> The Milky Way could crash into another galaxy way sooner than we thought
You'd be better off simply placing big bets at a casino
Private entities still practice consensus. Just because one can't inspect or participate in the consensus doesn't mean it doesn't exist.
It doesn’t matter who Satoshi is, I don’t need to know to opine on their ideas. That private entities practice consensus is fine (after all isn’t that just any human interaction?) and further I have no problem with consensus just the sheer wastefulness and intentional anti-efficiency of bitcoin as-is, the fact it’s waste isn’t sufficient to prevent an attack, it’s fiscal policy (inflation is fine, you’re not supposed to hold currencies) and the idea that somehow bitcoins dreadful wealth inequality will save us from the present dreadful wealth inequality. Not to mention the idea we should just defer monetary policy to a bunch of developers who hack on protocol instead of a group of trained economists. Or the idea of scarcity when anyone can and does fork coins to double the number outstanding every few weeks. Or it’s user hostility. Or it’s defenselessness to market manipulation. History won’t look kindly on this mess in a few years.
If you wait for 1008 confirms (for a transaction of $1 Million USD), then that doesn't stop the attack at all. After all, the attacker simply has to perform $2 Million USD worth of double-spends during that timeframe to make a profit. (Not necessarily with you, but across the entire blockchain).
After waiting 1008 confirms (1-week for a 10 minute/block coin), the attacker simply replaces those 1008 blocks with his 1049 secret-blocks and makes his chain the longest. That means that ALL spends for the past week are nullified, allowing the attacker to double-spend his coins on the new blockchain.
In effect, waiting for 1000-confirms (or whatever) is closing the barn door after the horse has bolted. It doesn't protect your transaction... it protects the NEXT GUY's transaction.
In any case, the attacker gets to double-spend his money, which probably includes a large exchange (where you can turn coins into US Dollars easily).
However it the attacker has less than 50% they can still wage an attack. With 10% of mining power I’ve got a 1% chance of mining consecutive blocks. It dwindles quickly even for larger percentages and a large number of confirms makes that angle impractical.
ETC's blockchain just had over 100+ blocks change, according to the tweet.
Even with 40% of the mining power, the probability of such an event (40% mining power, 100 consecutive blocks) is 0.000000000000000000000000000000000000016%. That's a very unlikely hypothesis you're presenting.
Only at the expense of leaving their coin more vulnerable to a similar attack.
Now imagine Dinkycoin comes along and releases their cryptocurrency that uses the same hashing mechanism for the block reward. Initially they have the block difficulty level pretty low as there aren't that many people participating in it yet.
Dinkycoin hopes that eventually enough people will join the network so that the total hashing power will be something approaching Bitcoin's. Great. But atm their total hashing power is a very small fraction of Bitcoin's total hashing power. I don't care enough to go find out how infinitesimal it would be-- enough to say very small.
Now suppose one of the Bitcoin ASIC miners gets bored one day and decides they don't like Dinkycoin. If they devote their ASIC to mining Dinkycoin they will immediately have more hashing power that the rest of the Dinkycoin network. That would virtually guarantee they solve every block of Dinkycoin and reap every reward. They'd easily have 100% control of the network at that point.
For example-- suppose Dinkycoin says you need 20 confirmations before accepting that a transaction "went through." Well, the Bitcoin miner can use their enormous hashing power to go back 20/30/whatever blocks and build a competing branch from that historical point. And since the miner has 1000% more hashing power (or whatever the number is) than the entire Dinkycoin network, they can build a competing branch from that historical point that will eventually have solved more/more difficult block rewards than the branch the rest of the network builds off the current branch. Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner. Well, the devs can decide to do otherwise for whatever professed reason and roll back/hard fork/whatever. But that kind of "do over" would degrade trust in the cryptocurrency itself. Users would be afraid of another future attack. After all, they were initially told 20 confirmations was enough. How do they know 40 confirmations is any safer? (And again, if the attacker has superior hashing power to the rest of the network it isn't meaningfully safer.)
Of course such a miner would be wasting all of their hashing power to screw with Dinkycoin's network. But to screw up most PoW cryptocurrencies you only really need 51% of the total hashing power. Even with that the attacker will eventually always beat the rest of the network to produce the "longest" chain. (Also, I think you can still cause problems for many cryptocurrencies with even less than 51% control.) Anyhow, do the math with the real numbers and you'll see that a real Bitcoin miner could devote a tiny percentage of their mining power and still own fledgling cryptocurrencies like the Dinkycoin example.
Moreover, they can trivially collude with the other 99 Bitcoin miners to devote an even smaller part of their hashing power to owning Dinkycoin, or even automate the process of smashing any coin that uses their same hashing scheme, based on any criteria whatsoever.
And it gets worse because in the 51% percent attacks I've read about in the real world, it isn't a big time miner with a grudge. Rather, it's someone who saw a weak point in a combination of a dinkycoin, an exchange, and several other moving parts and just rented a hashing rig to pull off an attack. Most PoW cryptocurrencies naively assume miners will choose greed over destructive tendencies without ever investigating whether those two paths are really mutually exclusive.
Edit: what happened to the web site that compares hashing power of the various SHA256-based coins, scrypt, etc.? Those orders-of-magnitude differences are quite instructive. But I can't find a site that lays it out nicely.
Origin of the term shitcoin would most likely be unable to defend the 51% attack
Good write-up op
Monero plans to do that indefinitely, by constantly changing to a new hashing algorithm that doesn’t have dedicated ASIC chips for it.
Could this attack be addressed by changing the "total difficulty" function to value chains published earlier more than competing chains published later? Say a block published today is considered twice as difficult to achieve as a block starting from the same point published in 48 hours. Blocks don't need to be available in real time, but there should be enough communication between the miners to get some consensus on roughly when each block was published.
Intuitively, it seems like there is absolute agreement on the fact that a 51% attack happened (and which chain was mined by the attacker), nobody is saying "we can't be sure, this can sometimes just happen by mistake due to the distributed nature of mining". So if that can be trivially detected, why not build the detection into the mining algorithm in the first place?
> Once the Bitcoin miner has a competing branch with greater total difficulty than the rest of the network, the network must accept that branch as the winner.
These statements directly contradict each other. The very, very obvious solution is to say that, if 20 confirmations validate that a transaction happened, then validated transactions can't be rolled back. (They're validated!) Once block 26 comes online, block 6 is a permanent feature of the blockchain. That's the only possible meaning of "accepting that a transaction went through". And, note, that is the definition being used now to label this an "attack" rather than "huh, look what happened".
They don't contradict each other at all.
> Once block 26 comes online, block 6 is a permanent feature of the blockchain.
What defines the 'blockchain'? It's the chain with the most work. Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.
> They don't contradict each other at all.
They do; for a transaction to be revocable means you haven't accepted that it went through. If every block is revocable indefinitely, then you can't say that 20 confirmations confirm a block, because they don't.
> What defines the 'blockchain'? It's the chain with the most work.
No, it's the chain accepted by a group of miners. Miners are the sole authority of a bitcoin-style blockchain. Work is not.
> Outside of a centralized checkpointing mechanism, the only definition of the valid blockchain is the one with the most work behind it.
Centralization is not necessary for this. As a miner, you're free, in your individual capacity, to reject blockchain candidates that invalidate blocks you consider permanent. Centralization would mean that a block could require only 0 following blocks before being considered permanent. With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.
From the blockchain perspective a block with a confirmation is confirmed. But everyone else can make new rules on top regarding payments: Do you consider most crypto exchanges to not support "Bitcoin" since they require 6 confirmations per transaction before they credit it?
> With a consensus of decentralized, less-than-perfectly-synchronized miners, you'd want a fuzzier boundary -- which is what "wait for 20 following transactions" provides.
This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).
> This is done to raise the cost of reversing the transaction (the more confirmations deep, the more expensive your attack needs to be).
No, it isn't done at all. You state as much:
> From the blockchain perspective a block with a confirmation is confirmed.
As far as I can see, this is just a design mistake. (And equivocating over the meaning of "confirmed".) The current system never treats any block as confirmed. The only statuses a block can have are "invalid" and "provisionally accepted". There is no "accepted" status, and a valid block may be revoked at any time, no matter how long it may have been valid for.
But there's also no reason not to have an "accepted" status, and to reject candidate blockchains which alter accepted blocks. This should be part of the mining protocol. Treating it as non-binding advice to merchants misses the point.
What the paper doesn't say is that the formula doesn't work if there is more than one chain. Since an ETH miner can easily switch to ETC at any time, proof-of-work isn't really protecting ETC at all. There is another chain that was a lot harder to calculate, which means the ETC chain stands on thin ice.
Why not freeze the blockchain at certain points, then? Well, it cannot be easily done. There is the problem of choosing which blocks should be frozen, and when. How do you calculate that? What if there's a network split at that time? What happens if the protocol results in an unwanted fork? What happens if malicious actors try to settle on a wrong chain? This is the very problem that Bitcoin solved. Forgetting the idea of a final truth, and making the blocks work like a wave of consensus that eventually reaches everyone. Clever and simple, but with some drawbacks that have to be understood.
Of course, there are lots of people working on new ways of establishing decentralized consensus. The Ethereum devs have been working hard on this for a few years.
How does a new entrant to the network know which is the valid chain?
They didn't see the previous 20 confirmations, so the only rule they can use is picking the longest chain.
Another way to do it is to have a separate voting system to attest to the "valid" chain, but then you could use an ordinary botnet to outvote the real chain.
In short, confirmations are there for vendors to be sure a few blocks weren't mined at the same time, but they do nothing against a 51% attack.
A new entrant to the network knows which is the valid chain because the chain the network uses defines "the network". Consider the case of Ethereum Classic (ETC) versus Ethereum (ETH). They are exactly the same, except for the chain each group of miners follows. The ETC blockchain is a valid ETH blockchain and the ETH blockchain is a valid ETC blockchain, but miners adhere to one or the other for political reasons. As a new entrant to the ETC network, how do you know which blockchain to use? Well, you use the ETC blockchain, because that's the network you're entering.
 I'm describing my understanding of the ETH/ETC split. If they've diverged more than I was aware of, that doesn't affect the argument; just substitute other names for ETH and ETC.
If you propose an addition that is one block long, and I propose an addition that's 2 blocks long, then my chain wins. (These all have to be valid blocks that solve the mining challenge). Miners select the chain with the most work. That's the consensus mechanism by which the blockchain is established (among nodes operating all with the same rule sets).
At any given instantaneous point in time, there may be multiple instantaneous forks of the main blockchain - people who have mined out valid next blocks and are fighting to get them accepted as the primary chain. Imagine that two different miners by coincidence mine out the next block. One of those chains has to win. The chain that wins is the one that propagates through the network most quickly such that other miners begin building upon it and extending the chain - the one with the most work wins. The other chain(s) die and the transactions on it have to be resubmitted.
When multiple branches exist on the blockchain, some consensus process has to reconcile which of them wins. That process is that miners select the longest chain. Don't act as if one single block is magically appended to the chain and everyone knows which block that is; a consensus process operates to select that block (or sequence of blocks), and it operates by selecting the longest chain. When two or more blocks are mined out simultaneously by different miners, the one that wins is likely to be the chain that propagates more quickly to other miners. Since miners build on the longest chain, then the miner who distributes their chain more widely among other miners is likely to win, since those miners will begin building upon it (seeing it as the longest chain thus far).
To continue the story, let's say that you and I both simultaneously mine out the next block of Bitcoin. You don't tell anyone about your block, and keep it to yourself. I distribute my block to the entire network. Thus, other miners start building on my block, and it becomes part of the main bitcoin blockchain. Once that happens, it doesn't matter if you start telling other people about your block -- it's not part of bitcoin any more because my chain exists which is much longer (my block + whatever other blocks people have mined out on top of it).
I've been arguing that this is a design mistake, and that the following selection algorithm would be superior:
- Instead of selecting the longest chain, select the longest chain which does not alter any blocks which I, personally, consider permanent.
Robin_Message correctly identifies that this algorithm doesn't do anything for a new entrant, because a new entrant doesn't have the exposure to history that an established miner has. But I don't see why this is an issue, as to enter a particular network, you must already copy that network's existing blockchain, and this step -- which you already have to take -- will give you the same exposure to history as the miner you copy it from.
Imagine that two blockchains, ETH and ETC, diverge for political reasons. The ETH blockchain is more beloved among the people (the laity, not the miners), and for this reason a greater number of transactions occur in ETH than ETC over time. This guarantees that the ETH blockchain will be longer than the ETC blockchain. By the selection algorithm you identify, the ETC blockchain will be wiped out, because the ETH blockchain can always be re-proposed and will always dominate it. But in reality, the ETC miners will reject the ETH blockchain, because rejecting the ETH blockchain is the whole point of ETC.
Chain length is number of blocks, which is controlled by miners, not "laity".
I think your system might prevent double spends; unfortunately it would do so by rendering the network unusable for any new users, who wouldn't have a way to know which is the good network to join. I suppose a central authority could be used to identify the good chain, but most coins prefer not to have one of those.
The advantage of the simple chain length rule is that it is simple, requires no central authority, is self-correcting and the only weakness is a 51% attack.
This is an important distinction, because by fudging timestamps you can generate a valid chain of arbitrarily long length where each block has very low difficulty, but said chain would still not be preferred over a chain with fewer blocks of much higher difficulties (i.e. the real chain).
A block is a set of transactions, transfers of currency from one address to another address. Miners don't just add blocks because they're bored. They add blocks when someone submits a transaction.
So the number of transactions that occur is closely related to the number of blocks in the chain.
Of course miners are always adding blocks, even when the blocks are empty; they do so because there is a block reward. Even empty blocks, when mined by honest miners, are serving a purpose, because they are increasing the cost of a 51% attack. Look through the histories of many different blockchains and you'll see empty (or nearly empty) blocks that exist for a variety of reasons.
Also, transaction sizes differ drastically depending on what a transaction does, and blocks max out at a given size, not a given number of transactions. So when blocks are full (which they aren't most of the time except for the very highest used cryptocurrencies) the number of transactions per block still varies quite a bit.
Let's also say for the sake of argument that 10% of the BTC mining capacity is in that region.
The network self-adjusts so that every hour 6 blocks get confirmations, but over this short time period you wouldn't expect this to happen. This means that every hour the Australia split would confirm 0.6 blocks and the non-Australia split would confirm 5.4 blocks.
After 36 hours Australia would have confirmed ~21 blocks, and according to your proposal, the first of these is now 'accepted' and can't be rolled back.
In the same time the remainder of the network would have confirmed ~194 blocks, many of which are now accepted.
What would actually happen according to the consensus protocol is that RestOfWorldBTC is the longer chain and therefore "is" BTC, and AustraliaBTC would get thrown away. Any BTC transactions made in Australia during that time would get rolled back.
But if blocks become permanently accepted then these 2 chains are fundamentally incompatible; they are no longer the same coin. Your proposal says that the network should fork into 2 coins here -- AustraliaBTC and RestOfWorldBTC. This would be a pretty disruptive event. People who traded BTC for services in Australia would claim that they paid their obligation (after all, it's in an 'accepted' block) and therefore don't owe their counterparty any RestOfWorldBTC. But AustraliaBTC would likely become worthless very quickly, given that most of the transactions in those 36 hours were confirmed on the RestOfWorldBTC chain. Australian counterparties would get stiffed pretty hard.
OTOH, if you roll back those transactions and accept the mainline, those counterparties can more easily argue that you still need to pay them. Note that the network can't enforce you paying these obligations, but the legal system still exists! And assuming the actors were acting in good faith and didn't attempt to double-spend their coins, their transaction would get re-propogated automatically and get included in a future RestOfWorld BTC block once the network split ended.
And then everyone else on the network would say, "Crap, who should we believe? Let's go with the majority." And the attack would win.
Sure, it's less centralization than just trusting one party to determine the latest block , but it's a matter of degree.
 The further you go back in time/blocks, the less disagreement and resistance there will be to locking in a history.