
Proof of Work vs Proof of Stake - Vulnerability to 51% attack

@apshamilton

There is a lot of discussion about the energy usage of Bitcoin's Proof of Work (PoW) consensus mechanism these days and suggestions that Proof of Stake is a better option.

Ethereum has been moving slowly towards PoS for years.

I wrote two detailed posts on PoW vs PoS back in May 2018 when I first started on this blockchain. I've found them increasingly relevant and have pasted them into comments on others' posts a couple of times recently.

So I think it's time to re-publish edited versions of these posts.

These posts are also somewhat prophetic given the Yuchen Sun attack on Steem and potential Chinese government connections to it.


Debate with Charles Hoskinson


I had an interesting debate the other night [in May 2018] in Tel Aviv with Charles Hoskinson regarding Proof of Work vs Proof of Stake. Thanks to Ayeka and Zen Protocol for hosting the event.

Charles is a pretty serious guy in the crypto world, having been one of the founders of Ethereum (ETH), the leader of the Ethereum Classic (ETC) split with Ethereum and CEO of IOHK, which has created the largest PoS coin by market cap, Cardano (ADA).

Charles's Chief Scientist at IOHK, Professor Aggelos Kiayias, presented an outline of the recent cryptographic proofs regarding the security of Bitcoin's PoW mechanism and the Ouroboros PoS mechanism.

Both these proofs rely on the assumption that an attacker will control only a minority of the hashing power (PoW) or staking power (PoS) of the network - hence the risk of a 51% attack. They also rely on the disincentive for a miner or staker to attack or destroy a crypto network in which they have invested huge amounts of money in hardware (PoW) or stake (PoS).

I proposed that PoS networks are inherently far more vulnerable to 51% attacks than PoW networks, particularly from the most likely and dangerous 51% attacker of a major cryptocurrency - a nation state.

The reason that PoS networks are so vulnerable to such attacks is that a 51% cryptocurrency stake can easily be purchased in fiat currency which nation states can create at will with no real cost. Thus, unlike other potential attackers, nation states can never have any real stake in a PoS system and thus are not deterred from undermining it by that stake. In addition, because all activity necessary for a successful 51% attack on a PoS network occurs in the online world, it is relatively easy to hide.

In contrast, in PoW networks, at least large ones, it is extremely difficult for anyone, including a nation state, to obtain a sufficient quantity of the mining hardware required to mount a 51% attack. This is because of real world constraints on supply and a range of other real world issues.

A lively debate ensued where Charles gave me the moniker "The Miner".

I have further developed my arguments in a more detailed paper on this very important issue for the Crypto Community.


51% Attack by a Nation State: Vulnerability of PoW vs PoS


This paper seeks to analyse the possibility of a 51% attack on a cryptocurrency network by a nation state.

It is well known that both Proof of Work (PoW) and Proof of Stake (PoS) networks are vulnerable to 51% attacks. A fundamental assumption of the cryptographic proofs of their security is that an attacker is in the minority of hashing or staking power in the network.

I show below that numerous nation states have both the motivation and the potential capability to conduct such attacks, but that PoS networks are far more vulnerable.

In examining a realistic 51% attack on a major cryptocurrency we need to examine:

  • motivation, and

  • resources & practical capability.

Motivation

The reaction of nations around the world to the rise of crypto-currencies has ranged from outright opposition to encouragement and support. There is a strong correlation between a nation's attitude to cryptocurrency and the freedom or repression of its people. More repressive countries such as Iran, China, Bolivia, Bangladesh, Vietnam have either banned or severely restricted creation, exchange and use of cryptocurrencies while more open, democratic nations such as Switzerland, Australia, Israel and Malta have been encouraging, passing helpful and light-handed regulation.

This reaction is not coincidental, as the decentralised, distributed nature of crypto-currencies inherently reduces government control and provides greater freedom to the people. Indeed this was the vision and promise of Satoshi Nakamoto and the cypherpunk movement.

Thus there are a significant number of nation states whose governments see cryptocurrencies as a significant threat to their control over their people. Such actors have sufficient motivation to try to subvert or destroy a major cryptocurrency.

Resources and Practical Capability: PoW (ASIC & GPU) vs PoS

Attack on PoW network

In order to mount a 51% attack on a major PoW network such as Bitcoin or Ethereum an attacker must control more than 50% of the hashing power of the network. This means physically controlling more than 50% of the Bitcoin ASICs or 50% of the GPUs currently mining Ethereum.

Based on my calculations below there are currently over 4 million ASICs mining Bitcoin and over 15 million GPUs mining Ethereum. This means a nation state attacker would presently need to either:

  • take physical control of 2 million existing Bitcoin ASICs or 7.5 million existing GPUs which are distributed all around the world; or
  • acquire 1.7 million additional high end Bitcoin ASICs or 7.9 million additional high end GPUs.

Note that these are minimum numbers based on today's network hash rates and don't take into account the natural increase in ASIC & GPU numbers over time.

Option 1: Take Physical Control of 51% of Mining Hardware

The essential preconditions for a nation state to attempt to take physical control of millions of pieces of mining hardware for a 51% attack are:

  1. having 51%+ of the relevant mining hardware located in geographic territory it controls;
  2. knowing the locations of all this mining hardware;
  3. having sufficient police/military forces to deploy simultaneously to all such locations with sufficient strength and appropriate weaponry to overcome any resistance and take physical control without the hardware being damaged or destroyed;
  4. being able to achieve surprise and achieve the operation within a short timeframe.

The only nation which comes even remotely close to achieving such pre-conditions is China with regard to Bitcoin ASICs, however it is far from certain that any of these pre-conditions are actually achievable in reality.

Are more than 50% of Bitcoin ASICs in China?

There is little hard evidence of the actual number or percentage of Bitcoin ASICs in China. A 2017 study is often cited as evidence that 60% of Bitcoin ASICs are in China. However what the study actually found is that while China hosted 58% of global mining pools with more than 1% of global hash power, all of these pools included an English language website and attracted miners not based in China.

Thus properly understood this finding does not provide evidence that more than 51% of Bitcoin ASICs are based in China. It is likely that, because of language issues, Chinese miners almost exclusively use Chinese (or at least Chinese language) mining pools, while non-Chinese miners also use Chinese pools (in English) as well as non-Chinese pools. Miners can easily and quickly change pools and would certainly do so in response to any attempts by China to take control of Chinese mining pools or miners.

More recently, miners have been moving out of China. Thus the chances of this first essential precondition being fulfilled are decreasing by the day as a direct result of China's other anti-crypto actions.

Does China know where they all are?

Bitcoin miners in China tend to keep a very low profile and keep their locations secret for fear of both crime and corrupt officials and because some of them are stealing electricity. While large Bitcoin mining facilities can be found by their massive power consumption, medium and smaller facilities can easily be hidden among other energy intensive commercial and industrial activity.

Home Bitcoin miners with 1 - 5 ASICs make up an unknown percentage of total Chinese hashing power but it is notable that Bitmain produced a special silent ASIC miner (the Antminer R4) especially to target this market. The R4 looks like a blow heater and uses less electricity than a heater or air-conditioner. Bitmain must have considered the home market to be at least 5 - 10% of total addressable market to be bothered doing the R&D to create a silent miner.

Each Bitcoin ASIC uses around 1kW of electricity, which is less than many typical home appliances. Thus a small number of them in a home are impossible to find using analysis of electricity bills. It is essentially impossible to take physical control of these devices without conducting invasive searches of almost half a billion households. Not even the PLA or Chinese police have this capacity and attempting it would cause massive social unrest.

Thus at best China might be able to determine where 75% of its Bitcoin ASICs are located, at worst less than 50%.

Does China have sufficient and capable force to take physical control?

While China certainly has a very large army and police force, there is a big difference between being able to exercise physical force to take control of a physical location and being able to do so without damaging delicate equipment at that location.

The Chinese are not a docile and compliant people and Bitcoin miners even less so. Attempting to steal valuable equipment from a person naturally creates resistance, which would take many forms. Depending on the time available, miners could remove the ASICs to secret locations, conduct electronic or physical sabotage or even destroy the ASICs.

While the Chinese troops and police would have the advantage of potentially lethal force over the miners, the miners would have the advantage of technical competency and the knowledge that any use of kinetic or explosive weaponry would damage or destroy the ASICs.

Could China achieve surprise?

The massive scale and geographic scope at which such an operation would need to be conducted would make surprise virtually impossible. It would require perhaps 50 - 200 thousand troops and police deployed throughout commercial and industrial areas throughout China especially for this purpose.

Any advance notice to the miners of a planned operation would be fatal to its success. Bitcoin ASICs are very portable and valuable equipment. They would disappear into tens of thousands of homes and hiding places within a day of any forewarning of an operation to forcibly seize them.

Thus, even in the case of China, none of the essential preconditions for an operation to seize physical control of 51% of Bitcoin ASICs is fulfilled. No other nation state comes even remotely close to fulfilling even the first pre-condition in relation to Bitcoin ASICs and thus is not even relevant for consideration.

GPU miners are much more broadly spread throughout the world and no nation has anywhere near 50% of GPU miners located in its territory. The same is true for GPUs more generally.

Therefore one can conclude with a high degree of certainty that no nation state can take physical control of 51% of the existing mining equipment of a major PoW cryptocurrency.

Option 2: Buy Mining Hardware to get to 51%

Bitcoin ASICs

It's certainly within the financial resources of a large nation state to place a $3.4 Billion order for 1.7 million Antminer S9s @ $2000 each (with government discount) with Bitmain, the largest supplier of Bitcoin ASICs.

However, Bitmain's 2017 revenue from chip sales was $2.3 Bn and not all of this comes from Bitcoin ASIC sales. Bitmain also sells other types of ASICs and power supplies. Further, because most of Bitmain's revenue from ASIC sales is in Bitcoin, the huge rise in the Bitcoin price in 2017 substantially inflated this figure.

Given the above, a high end estimate of Bitmain's current production capacity of Bitcoin ASICs is 800,000 units per year. This means a 1.7 million unit order by the Chinese government would tie up Bitmain's entire production for over 2 years!

The purpose of such an order would be blindingly obvious to Bitmain. They would be unwilling to fulfil it because the consequences of a successful 51% attack on the Bitcoin network would be devastating for Bitmain's very profitable long term business.

Even if Bitmain could be acquired by the Chinese government or coerced into accepting such an order, the inability of Bitmain to supply new miners to its regular customers would make it obvious that someone had cornered all Bitmain's supply in order to conduct a 51% attack. It would cause an exodus of crypto-believer Bitmain staff to other companies. Suppliers, especially outside China, would likely boycott Bitmain and production would grind to a crawl. R&D would also suffer greatly. It would be impossible to maintain secrecy.

At the same time, other ASIC manufacturers would arise and expand production outside China of more efficient ASICs to meet demand, defend the Bitcoin network and capture that $2.3 Bn of annual revenue that Bitmain had abandoned. This expansion would be funded by the hundreds of billions of dollars of vested interest (Bitcoin market cap) in defeating the Chinese government's 51% attack.

The combined effect of all of this would be to delay China obtaining 51% of Bitcoin hashing power for many years, probably indefinitely.

Thus the massive size of the installed base of Bitcoin ASICs combined with the supply constraints inherent in a mass manufactured computer product make it impossible for the Chinese or any government to acquire enough Bitcoin ASICs secretly and in a reasonable timeframe to pull off a successful 51% attack.

Ethereum GPUs

Unlike Bitcoin ASICs, the manufacture of GPUs is not dominated by one China based firm whose main business is in the crypto space. The two main GPU manufacturers are two US companies, AMD & Nvidia.

AMD has a large CPU business in addition to its GPU arm while Nvidia is GPU focussed and has a larger share of the GPU market. Despite the popularity of GPU mining, gamers are still the main market for GPUs. GPUs also have demand from Artificial Intelligence and professionals in visual content industries.

While the core graphics processing chips and architecture of a graphics card come from AMD or Nvidia, the crucial memory chips (which provide the ASIC resistance) come from a range of suppliers (Samsung, Elpida & Hynix). Supply of GPUs and the crucial memory chips is already insufficient to meet demand caused by GPU mining.

So a government order for 8 million high end GPUs would simply not be able to be met at the current time. AMD & Nvidia have already made it clear that they do not want to lose their core business of supplying gamers because of crypto mining demand and are restricting sales to 2 units per person.

At some future time demand for GPUs may drop and/or memory supply will increase, allowing some spare capacity to meet a large government order. However the number of high end GPUs required for a 51% attack will likely have increased substantially by then and total high end GPU supply will still be quite limited compared to the size of order required.

In 2015, prior to the current GPU mining boom, high-end or enthusiast GPUs were only 5.9 million units (11% of total discrete GPU sales), compared to the, say, 10-15 million units that would be required for a 51% attack in a year's time.

Essentially, short of some sort of totalitarian takeover of GPU companies by the US government and the diversion of 90% or more of new high end GPUs to meet government requirements, there is no way any government can acquire a high enough percentage of new GPU supply to overcome the huge installed base of GPUs.

Furthermore, such a large government order would be obvious in its purpose and thus not a basis for long term growth justifying AMD or Nvidia investing in an expansion of manufacturing capacity.

Thus the massive size of and rapid increase in the installed base of high end GPUs used for mining, the US domicile of AMD & Nvidia, the large ongoing demand for GPUs for non-crypto uses and the supply constraints inherent in a mass manufactured computer product make it impossible for any government to acquire enough GPUs to pull off a successful 51% attack now or in the foreseeable future.

Attack on PoS network

In contrast, to control 51% of the staking power of a PoS network, the attacker nation state would just need to quietly, via numerous avenues and wallets, buy enough of the cryptocurrency to acquire 51% of the staking and/or voting power.

It doesn't really matter exactly what form of PoS is used. Any mechanism to try to incentivise network positive behaviour can be subverted by a nation state. This can be done via lots of seemingly legitimate stakers, witnesses and/or voters who are actually government hackers. It can be kept completely secret because it does not involve any physical, real world activity.

The actual attack would come out of the blue, without warning and without any time to take defensive action.

Purchasing say 11% of Ethereum (to take a majority in a 20% staked PoS network) would cost US$7.3 Billion, which is well within the capabilities of even relatively small nation states.

However it simply doesn't matter to a nation state how much it costs to purchase enough stake to conduct a 51% attack, because they can just issue more of their fiat currency to cover the costs of purchasing the PoS cryptocurrency.

By using anonymous coins between the fiat conversions and the purchase of the attacked PoS cryptocurrency the nation state can even hide its tracks, making it impossible to know who actually conducted the 51% attack. Thus the nation state attacker will suffer no negative reputation consequences. Its only cost is fiat currency which it can easily create more of and the amount required, even for a PoS Ethereum, would be small change on most nations' balance sheets.

Thus on a fundamental level, Proof of Stake simply does not work to defend against nation state attacks. As long as the PoS cryptocurrency can be purchased with fiat currency and fiat currency can be conjured out of thin air (which is what nation states do), nation states simply have no real stake, no disincentive for burning what they can easily create.

Thus not only are PoS cryptocurrencies fundamentally vulnerable to 51% attack by nation states in a way that PoW cryptocurrencies are not, their vulnerability arises from the fundamental problem with fiat currency that cryptocurrencies are supposed to solve.

Conclusion

With PoS gaining in popularity and Ethereum planning to move to PoS, it is crucial to properly understand the real world security vulnerability of PoS networks to motivated nation state 51% attacks. It is also important to understand that major PoW networks are really very secure, combining cryptographic proofs of security with the real world impossibility of a 51% attack, even by the most powerful entities on the planet.

This is not to say that PoS has no place in the crypto ecosystem; after all, I am posting this paper on Steemit, which runs on the Steem PoS network. However it should not be used for mission critical applications that nation states might be motivated to attack.

Steem itself is perhaps a good example of a non-mission critical network that nation states would have little motivation to attack. But Ethereum, which is not only the No 2 cryptocurrency, but also provides the foundation for large numbers of important projects running on ERC20 tokens, is a bad choice for PoS.

A successful 51% attack on a PoS Ethereum would be devastating for the entire crypto world.

As I've shown above, under its current PoW model, Ethereum is currently extremely well protected from 51% attack. To move such a valuable and crucial part of the crypto ecosystem to a fundamentally vulnerable PoS model would be extremely foolish.

Endnote: ASIC & GPU number calculations

The current hashing power of the Bitcoin network is 31.5 million TH/s and the most powerful common Bitcoin ASIC miner, the Antminer S9, does 14 TH/s. Thus there are at least 2.25 million Bitcoin ASIC miners currently in operation, and likely significantly more as older ASICs (with hashrates a fraction of the S9) are still profitable with cheap electricity. If just 25% of total hashing power was coming from ASICs equivalent to the Antminer S7, the total number of operational Bitcoin ASICs would be over 4 million. Thus an attacker would need to take control of over 2 million ASIC miners.

The current hashing power of the Ethereum network is 271 million MH/s and the most powerful common GPUs, the AMD RX470, RX480, RX570 & RX580, do between 22 - 30 MH/s (average 26 MH/s). Thus there are at least 10.5 million high end GPUs currently mining Ethereum and likely more, as even 6 year old high end GPUs (e.g. HD 7970 @ 16 MH/s & RX280X @ 11 MH/s) and weaker new RX550 & 560s are still profitable in most countries. Thus if 40% of total hashing power was from weaker GPUs with average hashing power of 13 MH/s then the total number of GPUs mining Ethereum would be 15 million.
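The endnote's arithmetic can be written as a small threat-model calculator. This is an added example, not the author's code: it takes the hash-rate figures, the 60/40 GPU mix and the 20% staked figure from the post as inputs, generalises the 51% case to any threshold, and all function names and the second staking model are assumptions introduced here.

```python
"""Majority-threshold arithmetic for PoW hash rate and PoS stake (added example)."""
from math import floor, isclose
from typing import NamedTuple


class Tier(NamedTuple):
    name: str
    share: float      # fraction of total network hash rate supplied by this tier
    unit_rate: float  # hash rate of one device, same unit as the network figure


def fleet_size(network_rate, tiers):
    """Estimate the number of devices in each tier behind `network_rate`."""
    if not isclose(sum(t.share for t in tiers), 1.0, abs_tol=1e-9):
        raise ValueError("tier shares must sum to 1.0")
    if any(t.unit_rate <= 0 or t.share < 0 for t in tiers):
        raise ValueError("unit rates must be positive, shares non-negative")
    return {t.name: network_rate * t.share / t.unit_rate for t in tiers}


def weight_to_add(existing_weight, threshold=0.5):
    """Weight a newcomer must exceed for its share of the enlarged total to pass
    `threshold`: a / (existing + a) > threshold  =>  a > threshold * existing / (1 - threshold)."""
    if not 0 < threshold < 1:
        raise ValueError("threshold must be strictly between 0 and 1")
    return threshold * existing_weight / (1 - threshold)


def units_to_add(network_rate, unit_rate, threshold=0.5):
    """Smallest whole number of new devices whose combined rate passes the threshold."""
    return floor(weight_to_add(network_rate, threshold) / unit_rate) + 1


def supply_share_needed(staked_fraction, counted_in_staked, threshold=0.5):
    """Fraction of total coin supply that must be exceeded to pass `threshold` of stake.

    counted_in_staked=True : `staked_fraction` already includes the new stake.
    counted_in_staked=False: new stake is added on top of `staked_fraction` (assumed model).
    """
    if counted_in_staked:
        return threshold * staked_fraction
    return weight_to_add(staked_fraction, threshold)


# Inputs quoted in the endnote and in the PoS section of the post.
ETH_NETWORK_MHS = 271_000_000
GPU_MIX = [Tier("high-end, avg 26 MH/s", 0.60, 26.0), Tier("weaker, avg 13 MH/s", 0.40, 13.0)]
BTC_NETWORK_THS = 31_500_000
S9_THS = 14.0
STAKED_FRACTION = 0.20

if __name__ == "__main__":
    gpus = fleet_size(ETH_NETWORK_MHS, GPU_MIX)
    for name, count in gpus.items():
        print(f"{name:24s} {count / 1e6:5.1f} M")
    print(f"{'total GPUs':24s} {sum(gpus.values()) / 1e6:5.1f} M")
    print("S9-class units to add:", units_to_add(BTC_NETWORK_THS, S9_THS))
    print("supply share, stake inside 20%:", supply_share_needed(STAKED_FRACTION, True))
    print("supply share, stake added to 20%:", supply_share_needed(STAKED_FRACTION, False))
```

The results track the hash-rate snapshot and fleet mix fed in, so they move with the network and will differ from figures computed from other snapshots.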

