Horizen now penalises delayed block submissions, for 51% resistance
It might be a much-needed addition for many of the smaller cap PoW coins.
Horizen is introducing a clever new feature to help protect it against 51% attacks going forward. This is a very real concern, because Horizen (known as ZenCash at the time) was one of many cryptocurrencies to suffer a 51% attack this year.
There are a few different ways to resist these attacks, but they all turn into a confusing mesh of pros and cons. And whether something is a pro or a con might depend on the situation at the time.
Staving off majority control
One common solution is ASIC resistance. ASIC resistance can simultaneously be a great way of avoiding and succumbing to 51% attacks, depending on the coin at hand and the rest of the market.
On the one hand, it prevents secret ASICs from taking majority hashrate without anyone knowing (secret ASICs are thought to have been behind the Bitcoin Gold 51% attack). On the other hand, ASIC resistance greatly reduces total network hashpower, which can make the network easier to attack with rented hashing power and the like.
Large cap coins like Monero might become more resistant to 51% attacks through ASIC resistance, while smaller cap PoW coins are probably damned if they do, and damned if they don't.
If the smaller coins aren't ASIC-resistant they can easily be overwhelmed by the first ASIC miners to take an interest. Plus, almost any non-ASIC-resistant PoW coin, except maybe bitcoin and Ethereum, will quickly become highly centralised, at which point its primary miners can probably knock over the network with a 51% attack any time they want.
If the smaller cap coins are ASIC-resistant, they're still at risk of secret ASICs while also being at risk of attacks through rented hashpower. This is a relatively intractable but widely-experienced problem, so new ways of minimising the chances of a 51% attack would probably be of great interest to a great many coins.
51% attacks are, as the name suggests, carried out by someone who controls 51% of the network's hashrate.
In a blockchain network, the "truth" is whatever the majority of nodes agree on. So with majority control, an attacker has the power to single-handedly determine their own version of the truth, within certain constraints.
In practice, this can be done by using one's enormous hashrate to mine blocks faster than all the other miners combined, then at the right moment, overtaking the main chain.
The basic effect is that an entity can single-handedly fork the blockchain, run their fork in parallel, and then later have the other miners keep building on top of their fork to cement it as the truth.
It's not that a 51% attacker can just lay down the law of the network. Rather, it's that they can mine blocks fast enough to overtake the rest of the network and create the new truth. If the attacker's chain is longer than the other chain, other miners will start building on top of it, which cements it as the new truth.
A typical attack might involve:
- Forking the Coin A network and mining blocks in parallel, faster than they're being mined on the real chain.
- Selling Coin A for Coin B.
- Waiting until the transaction is confirmed, and pocketing Coin B.
- Announcing that their fork is longer, which invalidates transactions – including their trade – from the time they forked to the time they made the announcement.
Challenges and confirmations
There are a few things that make this attack easier said than done.
Firstly, they have to privately mine blocks fast enough. This means having at least 51% hashrate and involves a potentially large upfront cost, depending on how long their new chain needs to be.
Secondly, they need to wait for enough "confirmations" from the exchange before they can reveal their fork. Confirmations exist because unintentional mini forks are normal, such as when two people mine a block and try to add it at the same time, or different miners unintentionally start building on different chains.
Systems need to accommodate this and can't just go on sending money everywhere on the say-so of a single block. This is why they require a certain number of confirmations.
A confirmation is essentially another block built on top of the block that holds a certain transaction.
So if an exchange requires five confirmations on the Coin A deposit before paying out, the attacker will need to build in parallel for at least five more blocks. Only then will the exchange confidently say "yep, that's the real thing" and complete the trade.
So, the more confirmations required, the more secret blocks need to be mined, and the more cost is involved in a 51% attack. This is why the first thing people do when there's a 51% attack going around is increase the number of confirmations required.
Naturally, the attacker will also have to keep their fork-building secret and avoid broadcasting it to the network if they want the attack to succeed. Otherwise, exchanges and everyone else can pre-emptively increase confirmation requirements to prevent the attack.
The Horizen solution
Horizen's contribution to protection against 51% attacks is called "the delayed block submission penalty approach".
It works by imposing a penalty on side chains that are being privately mined and then connected to the main chain. This penalty takes the form of a delay before the side chain can be permanently cemented and a requirement that the attacker continue mining on the new chain after their attack is complete.
The size of the delay penalty increases based on how far behind a miner is when they propose a secret block. So in a way, it multiplies the effectiveness of waiting for confirmations without forcing a network to actually wait for more confirmations.
This offers a much wider window for exchanges and other participants to respond to a 51% attack, while simultaneously drastically increasing the cost of an attack.
The exact conditions of the penalty delay can be fine-tuned based on current network difficulty and confirmation times to ensure it's a more flexible potential solution for different PoW coins. It also doesn't penalise "honest" forks that mine openly.
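To make the effect concrete, here is an added toy model of a node's fork choice under such a penalty. It is not Horizen's code and is not taken from its paper: the penalty rule in the docstring, the `Node` class and `public_blocks_needed` are assumptions chosen only to show how the required open-mining window grows with the confirmation count, and why a fork published on time is not penalised.

```python
"""Toy fork-choice model of a delayed-submission penalty.
Assumed rule (not Horizen's exact function): a fork block that arrives
`d` blocks behind the node's active tip adds `d` to the fork's penalty;
each fork block that arrives on time works off one unit; the node
reorganises only onto a longer fork whose penalty is zero."""


class Node:
    def __init__(self, active_height: int):
        self.active = active_height  # tip height of the chain the node follows
        self.fork_tip = 0            # tip height of the competing fork
        self.penalty = 0             # outstanding delay penalty, in blocks

    def receive_fork_block(self, height: int) -> bool:
        """Process one fork block; return True if the node reorganises."""
        delay = max(0, self.active - height)
        if delay:
            self.penalty += delay    # late block: penalty grows by its delay
        elif self.penalty:
            self.penalty -= 1        # timely block: one unit worked off
        self.fork_tip = height
        if self.fork_tip > self.active and self.penalty == 0:
            self.active = self.fork_tip
            return True
        return False


def public_blocks_needed(confirmations: int, fork_point: int = 1000) -> int:
    """Extra blocks a withheld fork must add in the open before it is
    accepted, if it is released once the honest chain shows
    `confirmations` blocks past the fork point. The honest chain is held
    still after release, which is the best case for the withheld fork."""
    node = Node(fork_point + confirmations)
    reorged = False
    # Release of the withheld chain: one block longer than the honest one.
    for h in range(fork_point + 1, fork_point + confirmations + 2):
        reorged = node.receive_fork_block(h)
    extra = 0
    while not reorged:
        extra += 1
        reorged = node.receive_fork_block(node.fork_tip + 1)
    return extra


if __name__ == "__main__":
    for c in (1, 2, 3, 5, 6, 10):  # constructed confirmation policies
        print(f"{c:>2} confirmations -> {public_blocks_needed(c)} extra public blocks")
```

Under this assumed rule the open-mining window grows roughly with the square of the confirmation count, which is the window exchanges and other participants would have to notice the competing fork and react.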
If it all works as intended, it might be a significant and much-needed development for the wide range of smaller cap PoW coins roaming the market.
"The operating environment for cryptocurrency systems has changed significantly since 2009 when mining power was more decentralised," notes Horizen chief engineer Alberto Garoffolo. "It's now imperative for public blockchains to upgrade their consensus rules to protect against bad actors and we believe the release of our update will act as a resource to vastly improve security across the industry."
Horizen co-founder and president Rob Viglione agrees: "Our open-source contribution enhances protection against advanced attack methods and helps improve the security of the entire industry."
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA