Topic: Imagine a bitcoin network of 1 computer. (The fake blockchain attack) (Read 1879 times)

Yes, I didn't mean to imply that I believe quantum compute is an "issue", at least not if we define "issue" as "thing which breaks Bitcoin". These are just the things an engineering-minded individual, and some more rational and logical individuals, will inevitably need to hear and understand before accepting Bitcoin. QC would shake up the ecosystem for a few days, tops, as everyone got up to speed on the new aspects, and it wouldn't even be that long if QC doesn't show up on the scene largely unannounced.

Or a "3", because we've already used this forward compatibility once, for P2SH, to make payments to escrows and other complex scripts as easy as regular ones.

Addressing all three of your points at once.  Not only did Satoshi foresee the quantum computing risks concerning bitcoin, he provided a path to deal with such issues.  There is an upgrade path for the primary hashing algo, including "hooks" in the existing code to permit a second algo to be added in series to the current SHA256.  Whatever algo that best deals with the most likely threat, be it quantum computing or private asic farms, cna be chosen to be added to the system without so much as stopping the blockchian.  A similar algo upgrade path was provided for with regard to the address keypair algos.  (the leading charachter is currently always a "1", this tells the bitcoin network what address version is in play, although currently no other choice exists)

It'd take a lot of FPGAs to present an issue, and it would cost far more than contracting to have an ASIC built for you personally. Unless you have access to tens of thousands of recent FPGAs, it's not gonna happen either. And then it would still be more valuable to help the network. For that, FPGAs are valuable if you can get free electricity. We had several hundred Stratix-IIIs that were just sitting in a closet, since we're all using the V and 10 now for development. Me and my brother repurposed them for mining. We have a 300-acre plot of land in Texas and the facilities are powered by a custom solar setup. We used to sell back to the grid but we configured it so that now any excess electricity is used by the mining setup.

The only conceivable attack that I've heard in 5 years is the "wealthy Joker" attack, where the attacker is incredibly well-financed and intends to blow orders of magnitude more money than they could have made, in the process of wreaking havoc. This is why, to me, it was so important that both China and the US have mutual sentiment about Bitcoin, whatever that sentiment was.

There is a much more real threat than CPUs and GPUs: FPGAs. While not as efficient as ASICs, they are far more abundant especially in organizations that run highly specialized code to crack cryptography and they can be repurposed.

The reason this attack from the OP won't work is on one hand that the chain won't even get longer than the current one (it likely has to stay at difficulty 1 for a long time and that means embedding timestamps exactly 10 minutes aparts since Satoshi's genesis block) while the current block chain has been mostly going faster than it should. Also it won't get enough work done to take over unless there is some SERIOUS computing power behind. It might be doable but then again even if the system automatically switches to the fork, most people won't like that (as all balances would be gone for example), so likely people would manually switch back to the existing chain. The person contolling the computing power then could 51% attack this chain, but that's all. it is not very likely that anyone would use a chain from Satoshi genesis for long and once it is published, people will oppose it. You could seriously confuse a few servers of course, but at quite a hefty price tag.

I think, when discussing the possibility of attack with people (even engineers) new to Bitcoin, it is important to mention both. There is the level of security provided by the truly staggering power of the network, in the sense that it is fair to say that even the NSA and world governments could not attack it with their general-purpose supercompute assets; and then follow that up with the caveat that (1) we're all watching quantum compute developments very closely, because they change things, and (2) in the meantime there are ASICs, and then quickly discuss exactly what gmaxwell just stated, and note that while perhaps there is not the necessary supply in existence for an organization to buy enough Avalons etc. to perform an attack, the cost is within some extreme budgets (extreme for people, but not organizations).

I'll add a (3) to that as well, which is that, while estimates based on trying to buy ASIC hashpower at retail may result in a $15M order and a long backorder, it would cost less than that to hire an experienced ASIC design team for a year and to have your own ASICs spun, if you personally wanted that kind of volume. My team could have tapeout in 3 - 6 months, implement a usually-necessary metal revision in another 1 - 2, and I can guarantee it would equal or outperform the best on the market, all for probably $1.5M in total engineers' salaries and another few million (2 -3 maybe) for the silicon. I may be vastly overestimating the complexity of putting these functions on an ASIC, so probably it could cost less, or just be engineered to a T and mop the floor with the current entrants. I haven't looked closely at it because Broadcom and our other two primary contract-employers have never tried to pay us to do it

The US government in particular "owns" a large amount of (mostly rad-hardened) ASIC fab capacity itself, probably more than enough than is necessary, if they wanted to use it. We're safe from all the probable attacks, and most of the improbable ones. There are a couple outlandish scenarios that are possible, like that one. The question is why they would attack the network when more money is to be made in securing it, which is one of the key design principles laid out by Satoshi in the first place. Until someone can demonstrate a method in which this is false, we only need to worry about the Joker showing up ("some people just want to watch the world burn"), with the resources to do it.

That's fine... I am a developer too, so I can read the code. If someone could give me a hint as to which file to look at that would be great, but I'm sure I'll find it eventually...

Close, but you have to understand that the difficulty is a human friendly expression of what is going on, and isn't exactly how the clients handle it.  If you want to know, you really do need to understand how it's done by the client.

Sorry, I thought it might be possible to express as a formula in a forum post.

For example, if a blockchain has two blocks, then the total work T is equal the difficulty of block 1 + the difficulty of block 2

or perhaps if the work, W, is a function of the difficulty, d, then then the total work is:

T = W(d1) + W(d2)

where d1 and d2 are the difficulty of blocks 1 and 2

Then go read the code.

I'm not really the right person to elaborate.

While I agree that direct comparisons to standard computer metrics is fraught with error, I disagree that the metric is irrelevant.  It's an estimate of how fast a conventional computer would have to be to match the bitcoin network as is.  Granted, no one is going to use a conventional computer system to do this, but it also shows the futility of trying to even redirect existing hardware to the task. 

Yes it's literally the arithmetic sum of all of the work of each block, and it's equivalent to the sum of the block difficulties upto rounding (difficulty is a floating point number presented for human friendliness).

uh.  Bitcoin does no "flops" at all. Flop numbers are now bad projections from matching up what a GPU could do when it wasn't mining Bitcoin and they're now irrelevant.

The right metric is the cost of what it would cost you to actually perform the attack.  You can go order 2TH/s miners for $6000. The current network speed is ~5000 TH/s.  Building a farm to outpace the network at that price would cost $15 million. Of course, those are preorders and the network will be faster once they ship, but even if you compute vs hardware available to ship today you end up with numbers under $100m.   I don't think there is really any serious threat— there are cheaper ways to attack bitcoin— but saying "way past the point that it's at risk from a falsified blockchain attack" is a bit of an exaggeration our high hashrate now is the product of extreme improvements in the cost of mining— which benefit attackers too— more that massive increases in mining investment.

Could you elaborate on how it is more complicated?  I am interested in the precise way to calculate the proof of work of the chain.

If I understand the statement correctly, yes.  The "longest" blockchain is the one that required the greatest amount of computational power to create, and that is determined by the client by suming up the difficulty of all the blocks created.  It's just a bit more complicated than that, as most things are, but that is a fine way to think about it.

EDIT:  BTW, the current bitcoin network is running at an estimated total computational power of just over 62,000 petaflops.  It's risen by about a thousand petaflops per day over the past week or so.  The fastest supercomputer on Earth (not classified) was benchmarked at 33 petaflops this past summer.  That computer system took three years to construct and sits on roughly 40 acres of land.  Bitcoin is way past the point that it's at risk from a falsified blockchain attack of any sort.

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)

(also, is it equivalent to sum up the difficulty associated with each block)

You're confused by the definition of "longer". The chain selection is based on the sum of work, not the number of blocks. (The whitepaper was mostly written from the perspective of constant difficulty, under which the two are the same).

You wrote only 45 seconds apart, so perhaps you hadn't been able to see this:



Sections 4 and 11 of the original Satoshi whitepaper should interest you all in particular. If the details of the whitepaper (and then the relevant code sections if you are so inclined, in order to verify the functions have been properly represented) are beyond your grasp (which, as Bitcoin gains popularity outside the engineering and math community, is destined to be an ever-more-common phenomenon), you will always be somewhat relegated to someone else's assurances that the protocol is safe. For those people, my best advice would be to consider the amount of trust you put in the current banking and money transmission systems, which are more complex and difficult to understand, and opaque besides, meaning you cannot actually do the research in the first place. With Bitcoin, anyone may understand it, which is different from saying anyone can.

And you are rude, which presumably you're cool with 'cuz this is the web and assume our IRL and web identities will never knowingly meet. I dislike such personalities. The way one acts with guaranteed anonymity tells a lot about one's character.

What I assumed you meant, as will many readers I imagine, is the sort of checkpointing used by, say, PPCoin or alternative clients. Because I also assumed you were not so simple as to not have googled your query before asking such a question in the dev forum. Had you simply entered "bitcoin checkpointing" into the magic wizard's box, you would have seen this -- https://en.bitcoin.it/wiki/Checkpoint_Lockin -- which, for my google at least, is the top result.

That, young Skybuck, links you to all the information you could possibly need, in summary and detail, about how the "fake blockchain attack" is no attack at all.

All known vulnerabilities and attacks are listed and discussed inline and at links extensively here: https://en.bitcoin.it/wiki/Weaknesses

Perhaps the closest thing to your proposed attack is the "Rival/malicious client code" (https://en.bitcoin.it/wiki/Weaknesses#Rival.2Fmalicious_client_code) which, again, requires not only (1) that you fork the client to enforce this function of creating and sticking with a fake blockchain, but (2) that you convince people to download it, presumably with the belief that it is the real client.

You may also be thinking of this one, which is, as the wiki classifies it, definitely not a problem: https://en.bitcoin.it/wiki/Weaknesses#Generate_.22valid.22_blocks_with_a_lower_difficulty_than_normal

Could someone explain to me what "longest proof of work" means? I understand "proof of work" and I understand "longest blockchain"... but I'm not sure what these concepts mean when combined....