PoW 51% attack vs. BFT 1/3 attack?

So from what I understand, Bitcoin's PoW is prone to 51% attack, but as a distributed system it is also prone to BFT's 1/3 attack right? I think it's mathematically proven that in a distributed system, if you have more than 1/3 bad nodes collaborate together, then you cannot safely reach a correct consensus no matter what?

So for Bitcoin, there are two types of possible attack scenarios, one is if a miner node consistently has more than 51% computing power of the whole network then it can double-spend indefinitely and basically has unlimited cash to spend.

The other is if more than 1/3 of the nodes in the whole network are bad guys working together with modified malicious node code then they can potentially stop the correct block being accepted and make it impossible for others to know which is the correct longest chain, thus prevent valid transactions being processed and recorded.

So are my understandings correct?

hellopeach

Posted 2018-07-26T04:58:49.340

Reputation: 137

How would "the bad guys work together with malicious code"? The bitcoin network doesn't have a concept of nodes (no way to identify them), that's why there is proof of work. – JBaczuk – 2018-07-26T05:19:01.130

JBaczuk, well, maybe they can spread thousands of malicious modified bitcoin client with zombie network or something? It's a P2P network, if you think the term "nodes" are not precise, then maybe "peers"? For example, if currently there are 1 million bitcoin clients running in this world, and 340 thousands of them are running malicious code, that means we will not be able to safely reach a consensus on what's the correct longest chain right? I think the Byzantine General's Problem applies to all distributed systems, bitcoin included, am I correct? – hellopeach – 2018-07-26T06:00:17.230

What would stop the other 660 thousand from accepting the longest chain? – JBaczuk – 2018-07-26T13:54:05.723

Answers

So from what I understand, Bitcoin's PoW is prone to 51% attack, but as a distributed system it is also prone to BFT's 1/3 attack right?

No. Bitcoin is not a "consensus system" by any of the traditional definitions: It never reaches a state from which it can't, at least, theoretically roll back. In theory today's blocks could get undone years from now, but in Bitcoin the computationally difficulty of that increases over time.

As a result the impossibility results for consensus don't generally apply.

The other is if more than 1/3 of the nodes in the whole network are bad guys working together with modified malicious node code then they can potentially stop the correct block being accepted.

Nah. So long as an attacker does not manage to partition the graph of honest nodes, they could control (say) 99% of the nodes and the network would continue to run just fine. There isn't some magic threshold number of nodes where partitioning happens, you need only have a single honest peer to be completely functional.

G. Maxwell

Posted 2018-07-26T04:58:49.340

Reputation: 6 039

The other is if more than 1/3 of the nodes in the whole network are bad guys working together with modified malicious node code then they can potentially stop the correct block being accepted and make it impossible for others to know which is the correct longest chain, thus prevent valid transactions being processed and recorded.

Miners on the network are extremely well connected (see: FIBRE relay network), so any number of malicious nodes will not be able to stop the relay of new blocks between miners.

For regular nodes, there could be a risk iff your node is connected to only malicious nodes. There are a couple of safeguards built in to help mitigate this, but it does remain a possibility nonetheless. See bitcoin.it for a good overview of Sybil attack risks and mitigation strategies.

If you are suspicious that you are being Sybil-attacked, you can force your node to connect to a peer of your choice. As an example a miner or well-trusted and publicly known peer may be a good choice. But this circumstance is rare, I’m actually unaware of any case of a user losing funds due to a Sybil attack.

chytrik

Posted 2018-07-26T04:58:49.340

Reputation: 10 276

I'm sure not what you mean, you seem to suggest that every miner is connected to every other miner? that means if there are 10000 miners, then each miner is connected to at least 9999 peers? I guess that the Byzantine Generals Problem doesn't apply if you can guarantee some sort of trusty connections between the good guys. – hellopeach – 2018-07-30T06:24:00.873

Miners broadcast blocks to each other using the FIBRE fast relay network. In general, individual miners will connect to pools, and those pools will connect to FIBRE. No number of malicious nodes joining this network would affect the already-connected miners. It isn’t a matter of there being enough ‘good guys’, it is simply that the raw number of nodes doesn’t matter, so long as all honest nodes aren’t completely partitioned from eachother.

– chytrik – 2018-07-30T06:57:01.063

I guess that's exactly what I'm saying? If there are trusty connections between the good guys, then Byzantine General Problem doesn't really apply. That's what FIBRE is from what you describe? – hellopeach – 2018-07-30T11:37:14.720

Generally yes, however FIBRE is only used by miners to relay new blocks info, so I just wanted to point out that for mining nodes it provides good connectivity. Non-mining nodes are also important, and don’t use FIBRE. As G. Maxwell answered above, even if 99% of nodes are malicious, having even just 1 honest peer is sufficient. The usual BFT rules that it seems you’re asking about don’t necessarily apply to the bitcoin system. There is no 1/3 threshold, for example. – chytrik – 2018-07-30T17:42:03.427

The Byzantine generals problem states For any m, Algorithm OM(m) reaches consensus if there are more than 3m generals and at most m traitors.

Also, When the majority of the actors which comprise the network decide on a single state, consensus is achieved. See Understanding Blockchain Fundamentals.

Bitcoin solves this with proof of work. The difficulty of the proof of work algorithm is periodically adjusted so that it will take 10 min for the network to finally calculate an acceptable solution. When this solution is found, it propagates thorough the network, and any participating (non malicious) node will always accept the longest chain (the one with the most work done).

So, if more than 1/3 of the nodes are falsifying transactions, and doing the proof of work, on average the other 69% of computing power will outpace the attackers and always be able to generate a longer chain. It is essentially a race to solve the next block, that is why it takes more than 50% to successfully attack.

I strongly recommend reading Satoshis email and the Bitcoin Whitepaper

JBaczuk

Posted 2018-07-26T04:58:49.340

Reputation: 6 172

what if 1/3 of the nodes are malicious and just don't propagate the solution from their own miners, isn't there a risk that some other non-malicious nodes will never get the solution and get "trapped" in the network controlled by the malicious nodes? I mean, isn't the information propagation itself in a distributed system prone to the Byzantium Generals Problem? – hellopeach – 2018-07-30T06:16:06.663

If that happened, then 1/3 of the nodes would not be updated. The other 2/3 would be fine. That doesn't mean the network cannot continue and new nodes would not be able to join. You could still survey the network for the longest chain and find the "accepted truth". I'm not sure if we're talking about the same problem though, I think gmaxwell's answer is helpful, that Bitcoin is not a traditional consensus network. – JBaczuk – 2018-07-30T12:00:16.793

PoW and BFT solve different problems. A couple of differences:

BFT assumes the nodes (aka miners) are known in advance. PoW / Nakamoto Consensus allows anyone to become a node (miner).

BFT assumes nodes do not change over time. PoW / Nakamoto Consensus does not make this assumption.

BFT does not allow forks. PoW/NC allows temporary forks under normal situations (no one suddenly accumulates a lot of hash power). PoW/NC even allows someone to rewrite the entire history of Bitcoin back to block 1 if they could amass enough hash power.

It makes it hard to compare the two algorithms - it's like comparing an algorithm to find a number in a sorted list versus an algorithm for an unsorted list.

Yaoshiang

Posted 2018-07-26T04:58:49.340

Reputation: 46