The "security" of btc cryptocurrency is proportional to how much energy it wastes; that's radically different than the banking system.
The more billions it costs to run bitcoin, the more it costs to 51% attack it. If you can outwaste energy, you can hijack the system.
It would be useful if some state, e.g., Russia or China, would just cut off networks and forge bitcoin network traffic -- and hence bring the whole thing down. Or, do a 51% attack by controlling 51% of the hashing power.
The whole thing is a joke, one only tolerated by states because it supports joke levels of economic transactions. Were any % of an economy to run on this, states would just seal the network in their borders and end the whole charade.
> The "security" of btc cryptocurrency is proportional to how much energy it wastes
It's proportional to the amount of money it "burns", in the form of capital costs (miners) and electricity costs (for those miners). If electricity prices were to rise tenfold globally, electricity use from crypto miners would drop by about the same factor.
How would they seal the network in their borders? Why would that bring the whole thing down? Countries that shut down internet don't seem to bring that whole thing down in any sense.
Cryptocurrencies are peer-to-peer systems. If you control the network they're on, you can do anything you like.
Take the peer-to-peer traffic of the cryptocurrency network of any area, prevent it from getting outside that area (i.e., just block it talking to IPs outside some range) -- then to that network, you can trivially control the total hashing power.
So split any cryptocurrency network into small segments, then add your machine to that network with a false history, design the network to be small enough, and your machine will out-hash the rest, and so its history will win. Rinse-and-repeat.
It's trivial for any state to take down a cryptocurrency. There's nothing magic about it; it's an incredibly fragile system whose 'safety' relies on no one owning the network, and if that's the case, no one being able to rustle up huge amounts of electricity.
In both cases, this is false for states. So any state, if it wishes, can really do anything it likes.
The global bitcoin system is well within reach of a hostile state 51%'ing it, even at the global level -- though the cost would be non-trivial. It would be trivial to do it in its own borders though.
As any state, of course, will, if you can ever go into a shop and buy something with it. At that point you're imperilling a state's ability to use monetary policy to manage its economy, and that's an existential security threat. So bye bye your monopoly money tokens.
> So split any cryptocurrency network into small segments, then add your machine to that network with a false history, design the network to be small enough, and your machine will out-hash the rest, and so its history will win. Rinse-and-repeat.
You cannot forge history, even with 100% of the hash power. Firstly, each transaction is cryptographically signed with the keys of the sender address. Secondly, each full node within the segmented network will have the full history.
The only thing you can do is publish different blocks to the segmented network than the blocks the outside network has. You cannot create arbitrary transactions. You can only censor others’ transactions within the segmented network. Since the mining difficulty will not adjust instantaneously your segmented network will fall behind the outside network in block height unless you control more hashing power than everyone else mining Bitcoin on either network combined. So as soon as anyone in your segmented network re-establishes connection with the outside network (and they will, they could receive a physical hard drive with the blockchain on it and rebroadcast to segmented nodes) all your work is for nothing.
You might say “yeah well I’ll publish an entire fake history that is MUCH longer than the outside network with lower difficulty so I can stay ahead”. Well, actually you can’t, because if you wanted vastly more blocks between Bitcoins inception and the present then the difficulty will necessarily be much higher because that’s how difficulty gets set, by how quickly blocks are produced. You would have to change the difficulty adjustment algorithm, creating a fork between your own malicious node(s) and the other nodes in your segmented network. Oh and by the way, you _still_ can’t create arbitrary transactions.
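The point made in the two comments above (hash power can only choose which valid blocks get published; it cannot create spends from addresses whose keys it does not hold) is illustrated below by a toy node written as an added example for this thread, not code from the thread or from Bitcoin. A stdlib-only Lamport one-time signature stands in for Bitcoin's ECDSA/Schnorr, and the block format, address derivation and proof-of-work target are simplified assumptions. A block with perfectly valid proof of work but one transaction whose signature does not match the spending address is rejected by every node that checks it.

```python
"""Toy node: proof of work and transaction signatures are checked separately.
Added example, not code from the thread or from Bitcoin. Assumptions: Lamport
one-time signatures instead of ECDSA/Schnorr, address = hash of the public key,
a fixed proof-of-work target, and a minimal block layout."""
import hashlib
import secrets

NBITS = 256

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key: 256 pairs of random preimages; pk = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(NBITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    """Reveal one preimage per bit of the message digest; needs the secret key."""
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> (NBITS - 1 - i)) & 1] for i in range(NBITS)]

def verify(pk, msg: bytes, sig) -> bool:
    bits = int.from_bytes(H(msg), "big")
    return len(sig) == NBITS and all(
        H(sig[i]) == pk[i][(bits >> (NBITS - 1 - i)) & 1] for i in range(NBITS))

def address(pk) -> str:
    """Assumed address format: truncated hash of the public key."""
    return H(b"".join(a + b for a, b in pk)).hex()[:20]

def tx_message(src: str, dst: str, amount: int) -> bytes:
    return f"{src}->{dst}:{amount}".encode()

def make_tx(sk, pk, dst: str, amount: int) -> dict:
    src = address(pk)
    return {"from": src, "to": dst, "amount": amount, "pubkey": pk,
            "sig": sign(sk, tx_message(src, dst, amount))}

def tx_valid(tx: dict) -> bool:
    """The spender must prove ownership of the source address: the public key
    must hash to that address and the signature must verify under it."""
    msg = tx_message(tx["from"], tx["to"], tx["amount"])
    return address(tx["pubkey"]) == tx["from"] and verify(tx["pubkey"], msg, tx["sig"])

def txid(tx: dict) -> bytes:
    return H(tx_message(tx["from"], tx["to"], tx["amount"]))

def block_hash(block: dict) -> int:
    data = (block["prev"] + b"".join(txid(t) for t in block["txs"])
            + block["nonce"].to_bytes(8, "big"))
    return int.from_bytes(H(data), "big")

TARGET = 1 << (256 - 12)  # toy difficulty: about 4096 hashes per block

def mine(prev: bytes, txs: list) -> dict:
    """Proof of work: grind the nonce until the block hash is below TARGET."""
    block = {"prev": prev, "txs": txs, "nonce": 0}
    while block_hash(block) >= TARGET:
        block["nonce"] += 1
    return block

def validate_block(block: dict) -> tuple:
    """Every node applies both rules; hash power only ever satisfies the first."""
    if block_hash(block) >= TARGET:
        return False, "insufficient proof of work"
    for tx in block["txs"]:
        if not tx_valid(tx):
            return False, f"bad signature on spend from {tx['from']}"
    return True, "ok"

def demo() -> dict:
    victim_sk, victim_pk = keygen()
    attacker_sk, attacker_pk = keygen()
    genesis = b"\x00" * 32
    # Honest block: the victim spends their own coins with their own key.
    honest = mine(genesis, [make_tx(victim_sk, victim_pk, address(attacker_pk), 5)])
    # Forgery attempt: a transaction claiming to spend from the victim's address
    # but signed with the attacker's key. The block's proof of work is valid;
    # the spend is not, so the whole block is rejected.
    forged_tx = make_tx(attacker_sk, attacker_pk, address(attacker_pk), 5)
    forged_tx["from"] = address(victim_pk)
    forged = mine(genesis, [forged_tx])
    return {"honest": validate_block(honest), "forged": validate_block(forged)}

if __name__ == "__main__":
    print(demo())
```

The order of the checks in `validate_block` is the defender's point: a node never has to "decide" anything about a block with a bad spend, and no amount of extra work on the nonce changes the outcome of `tx_valid`.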
> The global bitcoin system is well within reach of a hostile state 51%'ing it
I’ll believe it when I see it. They honestly have a better chance outlawing it and imprisoning anyone who’s ever used it.
> The global bitcoin system is well within reach of a hostile state 51%'ing it
> I’ll believe it when I see it. They honestly have a better chance outlawing it and imprisoning anyone who’s ever used it.
First of all I don't think any state is currently motivated to do this. However, if I were a state agency trying to attack Bitcoin, I would start by creating my own mining pool, which of course would purport to be privately run. I would be the most efficient mining pool in the business, offering miners a slightly better cut than other mining pools since while most pool operators are trying to extract a low-margin profit, I'm willing to break even or, if necessary, run at a small loss. It would be ideal to gradually create several sock-puppet pools that appear to be in competition with one another, while in fact I control all of them.
Even with competitive payouts, it may take several years to build up my pools' reputation and gain a significant share of miners. And when I start having my pools mine blocks that I'm not actually submitting to the chain (to support my double spend), pretty soon miners will notice and switch. But I only need a couple hours to cause chaos, and I may benefit from miners confusedly switching to other pools that are also under my control. If I look at the regions where I have the most miners and time the attack to occur overnight in those areas, I may succeed. And unlike trying to 51% the network myself by throwing hardware at the problem, I won't be left with worthless SHA256 hashing machines at the end of the attempt, nor will I have to pay for power. And I don't have to outmine the entire network -- I've enlisted half of it to be on my side. The only cost is the minimal pool operating expenses (not mining, just issuing work to miners, checking their work and arranging payouts), spread over however many years it takes me to gain dominance.
All this depends on how many assumptions are in operation about what the state is doing to these networks, and the machines on them. In the end, it can turn all btc traffic off -- and there's no btc at all. Or it could take over the miners within its borders, which are heavily centralised, and run a different protocol.
If you own the machines and own the network you can do anything you want. Anything at all.
As far as assuming that the state hasn't taken control of the miners (unlikely, this is the easiest thing to do), by dropping communication, delaying it, observing it, etc. much can be done following the protocol, including replaying transactions etc. -- the future can be forged.
There are so many assumptions about the real world, that do not hold up, behind crypto protocols, they're laughable. Assuming that the system will follow the protocol is itself disconnected from reality, quite literally.
The initial paper's real-world assumptions were that mining would be an at-home affair, i.e., decentralised; everyone would run their own. And that networks were not owned or controlled by centralised actors.
Neither is true. Mining is incredibly centralised, as is network control. This makes it trivial for a state to pull an off switch.
Even talking about sophisticated denials of service, transaction replays, forging future transactions... all this takes place in a silly imagined scenario in which the state wants to hide what it's doing. If it didn't care, bang goes the whole thing.
You would be able to control the part of the network you cut off, but if anyone smuggles in as much as a microSD card with the outside blockchain state and syncs it to their client, every client in the segment would see this longer chain (since the outside has more hash power than you) and recognize it as legitimate, undoing all your fraudulent transactions (along with a lot of legitimate ones that never reached the outside network).
0) yes they do, in extremis half a dozen HAEMP would basically take out the whole internet
(b) "seal the network in their borders" is much easier than that, lots of networks basically act like that already due to either voluntary compliance with local laws, or due to direct government interference with the networks
iii. the miners aren't really all that distributed, they group together for the same reason everyone else groups together instead of being free-range anarchists
[δ] all you need to do to shut down a currency within a country is arrest people using it, which is very easy and has a long history
They don't need to shut down for everyone, they need to shut down only for their country.
Countries do this all the time, just yesterday we were talking about internet shutdowns during elections and exams, then there are restricted countries like, say, North Korea.
The US is certainly capable of shutting down the internet with their control of some critical pieces of infrastructure like ICANN. They haven't ever used it because levers like those are ones you only get to use once before other countries build an alternative, like when China shut down rare earth exports to Japan years ago, so countries like the US started up mines that were previously not worth it.
Yes, but bitcoin is something of an outlier there. I realize the "top 100" cryptocurrencies by market cap isn't necessarily very meaningful, but like 90% of those are proof of stake, including ethereum, which is the second most valuable cryptocurrency, and actually more widely used than bitcoin in terms of transactions or number of unique wallets.
I'm not an expert here but my understanding is that even if a so-called 51% attack were to happen, it would only be meaningful as long as it could be sustained. The simplest case is a single tainted block, after which other miners could roll back by consensus. If a nation wanted to "permanently" take over >50% of the network, I believe the Bitcoin community would see that coming, and it would be a colossal investment of energy for a not-very-good chance of taking over Bitcoin.
> The simplest case is a single tainted block, after which other miners could roll back by consensus.
Invalid blocks are rejected trivially by any node as soon as it sees them. You can't "force" an invalid block to be accepted by throwing hashrate at it and miners don't need to do anything to make an invalid block be recognized as such.
The issue is with malicious actors trying to rewrite/replace recent blocks (to double spend, usually), which was the core innovation, but that also includes trying to censor txs or generally DoS the network by refusing to allow txs to be accepted.
You can roll back transactions for whatever duration of time you were able to outspend the network. Critically, that can include your own transactions.
You mine quietly, outpacing the regular network, creating your own longer chain. Perhaps you do this for an hour, several hours, or a day. The only transactions on this chain are those in which you send your own coins to yourself -- maybe plus some random transactions from the mempool you throw in to help cover your own tracks. Meanwhile you spend those same coins (UTXOs) on the "honest" chain.
Once you are satisfied, you publish your longer chain. By the rules of the network the longest chain is the true one. Honest miners immediately begin building their blocks on top of your dishonest version of events. Since you are now working together with them, blocks are produced quickly. The honest chain dies.
Chaos would ensue.
Anybody who received coins on the dead chain can try to republish the transaction to the mempool and hope it gets mined again, so they get their money again. But if the sender is fast, they might realize they have a double-spend opportunity here, and submit a higher-fee transaction in which they sent those coins to themselves. It's a race. Of course, for your own UTXOs that were already spent in the dishonest chain, the race has already been won. Those double spends are successful.
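The chain-selection mechanics behind this comment, and behind the earlier remarks that a partitioned segment falls behind until difficulty retargets and that a longer chain of easier blocks does not win, can be modelled in a few dozen lines. The following is an added example for this thread, not code from the thread or from Bitcoin: it uses a 20-block retarget window (Bitcoin's is 2016), a 600-second target spacing, deterministic block intervals with no variance, and measures work in difficulty units. It shows three things a node operator cares about: a 60%-hashrate segment produces less accumulated work than the outside network over the same day, a fabricated chain of cheap blocks fails difficulty validation regardless of its length, and a privately mined chain from a majority miner wins on work and causes a reorg deep enough to trip a confirmation-depth alert.

```python
"""Toy model of Bitcoin-style chain selection: accumulated work, difficulty
retargeting and a reorg-depth monitor. Added example, not code from the thread.
Assumptions: 20-block retarget window (Bitcoin: 2016), 600 s target spacing,
deterministic block intervals (no variance), work measured in difficulty units."""
import math
from dataclasses import dataclass

TARGET_SPACING = 600.0   # seconds per block at difficulty 1 and relative hashrate 1
RETARGET_WINDOW = 20     # blocks between difficulty adjustments (assumption)

@dataclass(frozen=True)
class Block:
    height: int
    difficulty: float    # work a node requires for this block
    timestamp: float     # seconds since genesis
    miner: str           # label only, no effect on consensus

GENESIS = Block(0, 1.0, 0.0, "genesis")

def next_difficulty(chain):
    """Difficulty the rules demand for the block after the tip: every
    RETARGET_WINDOW blocks, scale by expected/actual time of the last window,
    clamped to a factor of 4 in either direction (as Bitcoin does)."""
    tip = chain[-1]
    if tip.height == 0 or tip.height % RETARGET_WINDOW != 0:
        return tip.difficulty
    actual = tip.timestamp - chain[-RETARGET_WINDOW].timestamp
    expected = (RETARGET_WINDOW - 1) * TARGET_SPACING
    return tip.difficulty * max(0.25, min(4.0, expected / actual))

def mine_for(chain, hashrate, seconds, miner):
    """Stand-in for mining: at relative hashrate h and difficulty d a block takes
    d/h * TARGET_SPACING seconds. Returns a new chain extended from `chain`."""
    chain = list(chain)
    t, end = chain[-1].timestamp, chain[-1].timestamp + seconds
    while True:
        d = next_difficulty(chain)
        t += d / hashrate * TARGET_SPACING
        if t > end:
            return chain
        chain.append(Block(chain[-1].height + 1, d, t, miner))

def chainwork(chain):
    """Nodes follow the chain with the most accumulated work, not the most blocks."""
    return sum(b.difficulty for b in chain[1:])

def difficulty_valid(chain):
    """A node rejects any block whose difficulty is not what the rules demand,
    so a long chain of cheap blocks is invalid whatever its length."""
    return all(math.isclose(chain[i].difficulty, next_difficulty(chain[:i]))
               for i in range(1, len(chain)))

def reorg_depth(old, new):
    """Number of blocks of `old` discarded when switching to `new`."""
    common = 0
    while common < min(len(old), len(new)) and old[common] == new[common]:
        common += 1
    return len(old) - common

def consider(old, new, confirmations=6):
    """What a watching node does when a competing chain arrives: switch only to
    a valid chain with more work, and alert if the reorg undoes blocks a
    merchant would already have treated as settled."""
    if not difficulty_valid(new) or chainwork(new) <= chainwork(old):
        return {"switched": False, "depth": 0, "alert": False}
    depth = reorg_depth(old, new)
    return {"switched": True, "depth": depth, "alert": depth >= confirmations}

def demo():
    day = 40 * TARGET_SPACING                 # 24000 s: 40 honest blocks
    honest = mine_for([GENESIS], 1.0, day, "honest")
    # Partitioned segment holding 60% of the hashrate, cut off since genesis:
    # difficulty only drops at the first retarget, so it falls behind on work.
    segment = mine_for([GENESIS], 0.6, day, "segment")
    # Constructed chain of 100 cheap blocks one minute apart: never valid.
    cheap = [GENESIS] + [Block(i, 0.1, 60.0 * i, "cheap") for i in range(1, 101)]
    # Private chain forked at height 30 by a 1.5x-hashrate miner for the
    # remaining 6000 s of the day; it out-works the honest tip.
    private = mine_for(honest[:31], 1.5, day - honest[30].timestamp, "private")
    return {
        "honest_work": chainwork(honest),
        "segment_work": chainwork(segment),
        "segment_vs_honest": consider(honest, segment),
        "cheap_valid": difficulty_valid(cheap),
        "private_vs_honest": consider(honest, private),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `alert` flag in `consider` is the practical takeaway: a merchant or exchange that waits for N confirmations is betting that no reorg deeper than N arrives, and a node that logs reorg depth is the cheapest way to notice when that bet is being tested.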
if you split the network, you can add your own machines, that can rewrite the history arbitrarily from the future of that split.
As for "a few minutes", it depends on which one we're talking about. BTC, yes -- but disrupting the global BTC network requires only a few minutes of time. Just dump everything into unusable addresses, and watch the reaction.
No, you cannot do that. Transactions would still need to be signed by the corresponding owners. All you could do is reorder (and thus invalidate) some transactions, drop some transactions, or add some that weren't originally included.
> Just dump everything into unusable addresses...
Nope; that's not possible. You wouldn't have the signatures to do that even with 51% hashing power.
You're right about the dumping; I was thinking more about the case where you controlled the protocol on the machines of a partitioned network (e.g., so you release a new version of btc which uses exploitable cryptography, etc.).
In the case of a mere 51% at scale, hijinks are still quite possible from replays, reorderings, etc.
I was more preoccupied by the case where the state's acting in its own borders with control over the network, major miners, most machines on the network -- at this point basically no guarantees remain.
> the case where you controlled the protocol on the machines of a partitioned network (e.g., so you release a new version of btc which uses exploitable cryptography
Such a change would be treated as a "monopoly money" fork by those wanting to transact, and ignored. "No I don't want your fake money; send me real BTC or GTFO". This is why miners cannot arbitrarily change the protocol in their favour even today.