CS代写 FIT5214: Blockchain

FIT5214: Blockchain
Lecture 5: Attacks on Blockchain Lecturer:

https://dowsley.net

Copyright By PowCoder代写 加微信 powcoder

Unit Structure
• Lecture 1: Introduction to Blockchain
• Lecture 2: Bitcoin
• Lecture 3: Ethereum and Smart Contracts
• Lecture 4: Proof-of-Work (PoW)
• Lecture 5: Attacks on Blockchains
• Lecture 6: Class Test/Alternatives to PoW
• Lecture 7: Proof-of-Stake (PoS)
• Lecture 8: Privacy
• Lecture 9: Byzantine Agreement
• Lecture 10: Blockchain Network
• Lecture 11: Payment Channels
• Lecture 12: Guest Lecture

Unit Structure
• Lecture 1: Introduction to Blockchain
• Lecture 2: Bitcoin
• Lecture 3: Ethereum and Smart Contracts
• Lecture 4: Proof-of-Work (PoW)
• Lecture 5: Attacks on Blockchains
• Lecture 6: Class Test/Alternatives to PoW
• Lecture 7: Proof-of-Stake (PoS)
• Lecture 8: Privacy
• Lecture 9: Byzantine Agreement
• Lecture 10: Blockchain Network
• Lecture 11: Payment Channels
• Lecture 12: Guest Lecture

In-Semester Class Test
• Next Wednesday (31st of August 2022), 10am-11am using eAssessment.
• The test will assess the contents that were covered until Week 5.
• Regarding the labs, you are not required to know Unix commands by heart, but the concepts that were covered in the labs’ discussions are examinable (the part about Atomic Cross-Chain Trading from this week’s lab will not be examined this semester).
• After the test, a shorter lecture from 11am until 11:50pm.

In-Semester Class Test
• In the first section, there will be 7 multiple choice questions with multiple right answers (each question is worth 2 marks). Select all right answers.
• Every right answer that is selected will give positive marks, every wrong answer that is selected will deduct marks (overall the grade of each question is between 0.0 and 2.0).
• E.g., Which of the following are cities in Australia? • Sydney
• Melbourne • Paris

In-Semester Class Test
• In the second section, there will be 2 multiple choice questions with a single right answer (1 mark each). Just select the single right answer for each question.
• E.g., What is the capital of Australia? • Sydney
• Canberra
• Melbourne • Brisbane

In-Semester Class Test
• In the last section, there will be 2 short answers questions (each worth two marks). Just type the numerical answer.
• Howmuchis10x5? • 50

• Preliminary Unit Design and Delivery Feedback (iSETU)
• https://lms.monash.edu/mod/feedback/view.php?id=10523428
• Your feedback is very important so that we can keep improving this unit

Recap: 51% attacks
c_1 to Chris
c_1 to an attacker has >50% CPU power, it can spend a coin more than once.

Recap: 51% attack

Recap: Chain Quality
Adversarial contribution = 2/8 = 25%
Ideal Chain Quality

Non-majority attacks
I can create >25% blocks

Selfish mining attack
Basic idea: find a smart strategy to release blocks, to get extra advantage
Read more: https://arxiv.org/pdf/1311.0243.pdf

Selfish mining attack
Key Idea: adversary keeps the blocks he discovers private in most situations, thereby intentionally forking the chain.
• If both public and private branches have length 1 and the adversary mines a block, he reveals both blocks of his private branch, making that the longest chain.
• In all other cases that the adversary mines a new block, he keeps it private.
• If any honest miner mines a new block and that makes both branches have length 1, then the adversary reveals his private block and tries his luck.
• If any honest miner mines a new block and that makes the public branch exactly one block smaller than the private branch, then the adversary reveals his whole private branch, making it part of the longest chain.
Read more: https://arxiv.org/pdf/1311.0243.pdf

Selfish mining attack
Attacker’s mining power: α Honest mining power: 1-α
The attacker may have better network connectivity Read more: https://arxiv.org/pdf/1311.0243.pdf

Selfish mining attack
Attacker’s mining power: α Honest mining power: 1-α
Pr=(1-γ)(1-α)
γ: the ratio of honest miners choosing attacker’s branch
2’ A node only accepts and forwards the first valid block it learnt!
The attacker may have better network connectivity Read more: https://arxiv.org/pdf/1311.0243.pdf

Selfish mining attack
State machine with transition frequencies
ACK: Thanks to for agreeing to use his figures in these slides.
Read more: https://arxiv.org/pdf/1311.0243.pdf

P1 = αP0 P0′ = ? P0 = ?
Read more: https://arxiv.org/pdf/1311.0243.pdf

P0′ = (1 − α)P1
P0 =P0′+(1−α)P0+(1−α)P2
Read more: https://arxiv.org/pdf/1311.0243.pdf

P0′ = (1 − α)P1
P0 =P0′+(1−α)P0+(1−α)P2
Is the following equation true?
αP0 = (1 − α)P1 + (1 − α)P2
Read more: https://arxiv.org/pdf/1311.0243.pdf

P0′ = (1 − α)P1
P0 =P0′+(1−α)P0+(1−α)P2
Is the following equation true?
αP0 = (1 − α)P1 + (1 − α)P2
Read more: https://arxiv.org/pdf/1311.0243.pdf
P0 =P0′+(1−α)P0+(1−α)P2
→ =(1−α)P1+(1−α)P0+(1−α)P2
αP0 =(1−α)P1+(1−α)P2

P0′ = (1 − α)P1
P0 =P0′+(1−α)P0+(1−α)P2
αP0 = (1−α)P1 +(1−α)P2
Read more: https://arxiv.org/pdf/1311.0243.pdf
P0 =P0′+(1−α)P0+(1−α)P2
→ =(1−α)P1+(1−α)P0+(1−α)P2
αP0 = (1 − α)P1 + (1 − α)P2 Given only α, what is P0?

Read more: https://arxiv.org/pdf/1311.0243.pdf

Different cases
1. Any state but two branches of length 1, attacker finds a block.
The attacker appends one block to its private branch, increasing its lead on the public branch by one.
The revenue from this block will be determined later.
Read more: https://arxiv.org/pdf/1311.0243.pdf

Different cases
2. Two branches of length 1, attacker finds a block
The attacker publishes its secret branch of length two, thus obtaining a revenue of two.
r(Attacker)=P0′ ·α·2
Read more: https://arxiv.org/pdf/1311.0243.pdf

Different cases
3. Two branches of length 1, honest miner finds a block on the attacker’s branch
Attacker and honest miner each obtain a revenue of one. r(honest)=r(Attacker)=P0′ · γ(1−α) · 1
Read more: https://arxiv.org/pdf/1311.0243.pdf

Different cases
4. Two branches of length 1, honest miner finds a block on honest branch
Honest miner obtains a revenue of two.
r(honest)=P0’′ · (1−γ)(1−α) · 2
Read more: https://arxiv.org/pdf/1311.0243.pdf

Different cases
5. No private branch, honest miners find a block
r(honest)=P0′ · (1−α) · 1
The honest miner obtains a revenue of one, all miners start from the new block.
Read more: https://arxiv.org/pdf/1311.0243.pdf

Different cases
6. Lead was 1, honest miners find a block
The revenue from this block cannot be determined yet.
From P1 to P0’
Read more: https://arxiv.org/pdf/1311.0243.pdf

Different cases
7. Lead was 2, honest miners find a block
The attacker reveal its secret blocks and obtains a revenue of 2.

Different cases
8. Lead was more than 2, honest miners find a block
The lead of the attacker decreases by 1, but remains at least two. The new block will end outside the canonical chain once the attacker eventually reveals his entire secret branch. Therefore the honest miners do not get any revenue, and the attacker gets a revenue of 1.

If an attacker has good network connectivity, the attacker needs ___% mining power to launch selfish mining attacks to gain extra profit.

Selfish mining attack
To launch attack with extra profit:
1. Limited network connectivity: > 1/3 mining power
2. With good network connectivity: any percent of mining power Once learnt someone else’s block, the attacker sends its block
(faster) than the other block
* The problem: A node only accepts and forwards the first valid block it learnt!
What if we choose conflict blocks randomly?
>25% mining power is required to launch selfish mining attack, with any network connectivity
Read more: https://arxiv.org/pdf/1311.0243.pdf

Selfish mining attack
Two strategies:
1. Choosing the first valid block
2. Choosing a valid block randomly
Which proposal is better, why?

Selfish mining attack
If choosing the first valid block, then successful launching this attack requires 1. >1/3 mining power with limited network connectivity; or
2. any percent of mining power with perfect network connectivity
Advantage:
If the network connectivity is not perfect, then the attacker may need more than 25% to successfully launch the attack.

Selfish mining attack
If choosing a valid block randomly, then successful launching this attack requires >25% mining power
Advantage:
An attacker cannot launch a successful attack with less than 25% mining power.

Take home message:
By launching selfish mining attack, an attacker can obtain a ratio of revenue that is larger than its ratio of mining power.

Selfish mining attack
The larger the selfish mining power is,
the more extra revenue per mining power unit the attacker will gain.
More power, more gain!
pool server
This encourages a mining pool to get more mining power, which may potentially be over 50%.
Read more: https://arxiv.org/pdf/1311.0243.pdf

Quiz (multiple choice):
Which of the following properties does the selfish mining attack potentially break?
A. Consensus liveness B. Consensus safety C. Chain quality
D. Chain growth
E. T-consistency

Which of the following properties does the selfish mining attack potentially break?
A. Consensus liveness
B. Consensus safety C. Chain quality
D. Chain growth
E. T-consistency

Recap: Chain Quality
Adversarial contribution = 2/8 = 25%
Ideal Chain Quality

Non-majority attacks
I can create >25% blocks

Peer-to-peer network
1. Each peer has at most 125 connections
1. At most 8 outgoing TCP connections by default 2. At most 117 incoming connections by default
2. Outgoing connections are used to sent out messages to the P2P network 3. Incoming connections are used to receive messages form the P2P network 4. All information about peers are maintained in a peer table locally

Eclipse attack
network isolated by an attacker

Eclipse attack

Eclipse attack
32% mining power 35% mining power 33% mining power
Group discussion:
Can you attack this system to double spend?

Eclipse attack
32% mining power 35% mining power
Attacker is the majority: 35%>32% Attacker’s power: 35/(35+32)≈52.5%
33% mining power
Both worlds accept the attacker’s chain!
With less than 50% mining power, the attacker is able to launch majority (51%) attack!!!
Attacker is the majority: 35%>33% Attacker’s power: 35/(35+33)≈51.5%

Eclipse attack
15% mining power 0% mining power 85% mining power
Can you get free coffee?

Eclipse attack
15% mining power 0% mining power Coin to B
Coin to myself
85% mining power
World B will win!
With no miming power, I double spent a coin and got free coffee!

Eclipse attack
Attacking strategy:
1. Create a lot of IPs
2. Fill the peer table of a victim by flooding IP tables
3. Wait/Force the victim to drop its current
connections due to
1. Rebooting the system due to system update 2. Network failures
3. Power failures
4. DoS attacks
4. The victim will need to connect to new nodes selected from the peer table
As all peers in the peer table is controlled by the attacker, the victim is isolated.

Eclipse attack
This vulnerability is patched by Bitcoin!
Real-world attack is much more complicated and application specific:
1. How the peer table works 2. How to select new peers

Possible fixes:
1. Anchor connections
2. Randomly select peers from the network

51% attack
How difficult is it to launch 51% attack?

Ethereum Classic
Yay! No pool has >50% mining power!
https://miningpoolstats.stream/ethereumclassic

Can a pool of blockchain B has 51% mining power equivalent in
blockchain A?
What about mining pools of other blockchains?

Conditions:
1. Mining power in blockchain B is compatible in blockchain A e.g. blockchain A and B share the same mining algorithm
2. Mining power in blockchain B might be less than 50%, but it will be more than 50% in blockchain A.
A mining pool in blockchain B has X unit of mining power, and the total mining power in blockchain A is Y unit.
The mining power of this mining pool in A will be:

51% attack: migrating mining power Summary of the blockchains sharing the same hash algorithm
19/Feb/2019

Marketplace for mining power
Miners sell their hashing power; buyers purchase hashing power.
It’s like eBay for blockchain mining!

Marketplace for mining power

Some 51% attacks
April 4, 2018: Verge (XVG) 51% attacked for a loss of ~$1.1 Million.
May 14, 2018: Monacoin (MONA) 51% attacked for a loss of ~$90,000.
May 22, 2018: Verge (XVG) 51% attacked again for a loss of ~$1.75 Million. May 29, 2018: Bitcoin Gold (BTG) 51% attacked for a loss of ~$18 Million. June 2, 2018: ZenCash (ZEN) 51% attacked for a loss of ~$550,000.
June 4, 2018: Litecoin Cash (LCC) 51% attacked for unknown losses. September 8, 2018: FLO Blockchain (FLO) 51% attacked for a loss of ~$27,500. November 8, 2018: Aurum Coin (AU) 51% attacked for a loss of ~$500,000. December 2, 2018: Vertcoin (VTC) 51% attacked for a loss of ~$100,000. January 7, 2019: Ethereum Classic 51% attacked for a loss of ~$1.1 Million.
Total loss: >$23 Million
Average loss: $2.5 Million/attack.
• • • • • • • • • • •

ETC Jan. 2019 attack
Ethereum Classic (ETC) is the first Ethereum still using the original blockchain, after hard forks.

ETC Jan. 2019 attack
What happened?
❖ 51% attacks on Ethereum Classic (ETC) in January 2019
❖ The attack lasted 4 hours
(0:40am – 4:20am UTC, Jan. 7th, 2019)
❖ News reported that more than 1.1 million dollars were stolen
❖ $100,000 USD was returned

ETC Jan. 2019 attack
Attack detail:
❖ 12 transactions were successfully double-spent
❖ The source of the mining power for this attack remains uncertain,
but NiceHash cloud mining platform is highly suspected;
One day before the attack, an anonymous person rents all available Ethash (the hash algorithm used by ETH and ETC) mining power from NiceHash

Renting mining power attack?
https://breakermag.com/the-ethereum-classic-51-attack-is-the-height-of-crypto-irony/

Next week: Class Test/Alternatives to PoW

程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com