Question about computation power for purposeful modification of blockchain data

[BTRIC]

Hi All,

I have a question.  If someone wanted to overwrite a portion of the Bitcoin blockchain with random data and have it still validate in place of a correct block, would this be computationally difficult/impossible?

The reason I am asking this question is the following:

German Researchers: Child Abuse Content Found On Bitcoin Blockchain, Users Must Be Protected
https://cointelegraph.com/news/german-researchers-child-abuse-content-found-on-bitcoin-blockchain-users-must-be-protected

So the question is, "is it practically possible to overwrite those portions of a bitcoin block that currently contain URLs to apparent CP repositories and still have the block validate properly?"

I know to do this to substitute useful data would be practically impossible.  But if one is looking to destroy existing data by overwriting it with any other random string that would compute the same hash (could be completely random in place of these URLs), does that then make the exercise within reach from a computational perspective?

I am in no way suggesting that this should or should not be done, I just want to get an experts view of the feasibility of doing so.

Best regards,
Ben

[HeRetiK]

1) So far no SHA-256 collision has been found and short of either a) an unknown security hole in SHA-256 or b) major improvements in computing (assuming for example quantum computers having an advantage in solving SHA-256 over traditional architectures) it's not going to happen any time soon.

For reference:
https://crypto.stackexchange.com/questions/47809/why-havent-any-sha-256-collisions-been-found-yet


2) Even if you'd overwrite the illegal content with random data that still checks out, there's nothing stopping anyone from adding new illegal content to the blockchain.

[ranochigo]

I have a question.  If someone wanted to overwrite a portion of the Bitcoin blockchain with random data and have it still validate in place of a correct block, would this be computationally difficult/impossible?

Yes. The client have to validate every single thing in the block. Changing any component of the transaction will change the merkle root and in turn the block header. The block hash would be changed completely and as stated above, collisions aren't possible as of now. You can, of course choose to omit that transaction but that would omit the UTXO as well and it would be unspendable.

So the question is, "is it practically possible to overwrite those portions of a bitcoin block that currently contain URLs to apparent CP repositories and still have the block validate properly?"

I know to do this to substitute useful data would be practically impossible.  But if one is looking to destroy existing data by overwriting it with any other random string that would compute the same hash (could be completely random in place of these URLs), does that then make the exercise within reach from a computational perspective?

Not possible. I doubt everyone would be with this, especially given that it would be considered a censorship (though it isn't morally correct to promote such content IMO).

[BTRIC]

Yes. The client have to validate every single thing in the block. Changing any component of the transaction will change the merkle root and in turn the block header. The block hash would be changed completely and as stated above, collisions aren't possible as of now. You can, of course choose to omit that transaction but that would omit the

Not possible. I doubt everyone would be with this, especially given that it would be considered a censorship (though it isn't morally correct to promote such content IMO).

Thank you very much for your response.  I know there are people mining private keys with the LBC, etc.  I wanted to see if the difficulty was on scale with that or less because the data that would replace the "bad data" could be random.  Now that I'm thinking about it, it may actually be more difficult than that.  Often my pre-coffee questions are answerable by me post-coffee, but I am not an expert and wanted to hear from a better source of information.

Yes, I also am not sure that I'd agree with changing the blockchain in any way, even if it were possible.  Just exploring what is or isn't possible.

Best regards,
Ben

[Qoheleth]

A better solution would be a client-side update with some zero-knowledge proof algorithm.

Basic idea: client X downloads the blockchain from client Y. When the "problem data" appears, instead of providing it, client Y says "here's a ZK-SNARK proving that some valid data exists, which hashes to what you expected."

So long as it's not your transaction, you don't need to know exactly what the data is.

And if it is your transaction, you can still spend it so long as you provide the preimage (the original data) to prove that your spend is valid. In which case... welp, you just revealed that you're the one who put it on the blockchain in the first place, which the person you submitted the txn to may be very interested to find out/tell a friendly FBI agent.

[DannyHamilton]

This is not new "news".  This is news from 5 years ago that is just being noticed again.

For more details see comments from developer jgarzik in April 2013 here:
http://garzikrants.blogspot.com/2013/04/on-bitcoin-data-spam-and-evil-data.html

and bitcointalk post here:
https://bitcointalk.org/index.php?topic=191039

Worth being aware of...

Lightweight Wallets and SPV (such as Electrum) that are not nodes do not store any of this information.

Bitcoin Core with pruning turned on does not store this information.

Bitcoin Core with pruning turned off can be modified to avoid downloading and/or storing the transactions that have the undesired data once the data is identified. I'm not aware of anyone that has created such changes yet, but it wouldn't be excessively difficult to do, perhaps it could become an interesting open source project). It won't prevent you from receiving new data that you don't want, and it will continue to be possible for malicious people to encode undesired data into their transactions in the future.

Additionally, it is my understanding that any images encoded in the blockchain are not accessible without manipulating the data. You can't just open up one of the block files with an image viewer and see an image.  You need to process the blockchain with a specific algorithm to generate image data from the blockchain data.

Imagine that there is a famous book.  Imagine that someone discovered that if you:

• Take the first letter of every sentence
• Swap the positions of every 2 letters
• Sort the middle 10 characters in the following order 3, 7, 2, 5, 9, 6, 10, 4, 1, 5, 8
• Convert the letters to a binary representation using ASCII encoding
• Perform an XOR of every binary digit with the binary exactly 9 positions to the right
• Convert the resulting data into a bitmap encoding with 100 rows

Then the result can be opened with an image viewing program, and some objectionable image will result.

Since a process of manipulating the book data can result in an objectionable image, should the book be banned?

If you feel that it should, then we should probably ban every book that has ever existed.  Because, given a small enough image and any book of reasonable length, it is possible to invent an algorithm that will convert the text of that book into that image.  The algorithm will be specific to that one book and that image, but the same is true of each of the images in the blockchain.  The algorithm for converting a subset of blockchain data into an image is specific to the bitcoin blockchain and the reported image.

[BenOnceAgain]

This is not new "news".  This is news from 5 years ago that is just being noticed again.

I agree with your post in full.  I posted the news entry because I saw that it has been recently posted again, but I remember reading in the past about data of various types being embedded in the blockchain.  I certainly didn't intend on creating any FUD, I just wanted to know from a technical perspective what would be involved in mitigation.

I agree that if there's ever a real need to mitigate against this, that selective pruning probably be the best approach to take.  Frankly, it would be ridiculous to have to do that but I try to look at things from the perspective of devil's advocate in order to have ready answers if questions are ever raised.

I appreciate your analogy and agree that extracting a useful image from the blockchain would require work/code.  Any sufficiently long string of text could be arranged in many ways to create all sorts of "bad" data.

I don't think this is a problem worth worrying about.

Best regards,
Ben

[Qoheleth]

Imagine that there is a famous book.  Imagine that someone discovered that if you:

• Take the first letter of every sentence
• Swap the positions of every 2 letters
• Sort the middle 10 characters in the following order 3, 7, 2, 5, 9, 6, 10, 4, 1, 5, 8
• Convert the letters to a binary representation using ASCII encoding
• Perform an XOR of every binary digit with the binary exactly 9 positions to the right
• Convert the resulting data into a bitmap encoding with 100 rows

Then the result can be opened with an image viewing program, and some objectionable image will result.

Since a process of manipulating the book data can result in an objectionable image, should the book be banned?

If you feel that it should, then we should probably ban every book that has ever existed.  Because, given a small enough image and any book of reasonable length, it is possible to invent an algorithm that will convert the text of that book into that image.  The algorithm will be specific to that one book and that image, but the same is true of each of the images in the blockchain.  The algorithm for converting a subset of blockchain data into an image is specific to the bitcoin blockchain and the reported image.

I've seen this argument before, but frankly I find it a little specious - it ignores the distinction between the ciphertext and the key.

The rule you give as an example has... maybe 40 or 50 bits of entropy. That's not enough to store an "objectionable" image, or even one image out of a giant collection of such images; we're talking about 10KB, 20KB images here, even at maximum compression. Thus, the actual carrier mechanism for the data must have been (at least in a large part) the book itself, and so holding the book responsible for distributing the content makes sense.

In contrast, a reverse-engineered algorithm like you propose is going to be much more complex, because info-theoretically, the book is no better than a PRNG that's skewed in a way you can't control. Even the length of the book doesn't matter for more than 20 bits or so (War and Peace is "only" 3.2MB, so "turn to page 100" only gives you 22 bits of entropy). So instead, you need enough moving parts in the "instructions to decode" to carry the signal; those instructions must - as a matter of pure math - be several thousand words long if written in plain English. At which point, it should be clear that it's the instructions - not the book they reference - which carry the objectionable signal.

[Kogs]

Bitcoin Core with pruning turned off can be modified to avoid downloading and/or storing the transactions that have the undesired data once the data is identified. I'm not aware of anyone that has created such changes yet, but it wouldn't be excessively difficult to do, perhaps it could become an interesting open source project). It won't prevent you from receiving new data that you don't want, and it will continue to be possible for malicious people to encode undesired data into their transactions in the future.

Changes to avoid downloading and/or storing such transactions would only be possible for full nodes which are only used privately (with closed port 8333).

Every accessible full node in the network need to provide the correct blocks/transaction to any other node which asks for this blocks, otherwise there is no way for a new node to validate and sync the blockchain correctly.
So, the blocks with those transactions need to be stored by every full node. What could be possible is to disallow the access of those transaction by the local gui and via the RPC interface.

But this would not help at all, there is no way to force anybody to use this "censoring" client.

The only way would be to censor those transactions via a hardfork. But this would require every client to be updated, which will never happen.

Actually the only reason for blockchains is the censorship resistance and immutable property. If we start to implement any way to censor anything (which is actually not possible), we would not need a blockchain anymore.
A side effect of censorship resistance and immutable is unfortunately that there can be also stored illegal data which will be there forever.

In my opinion the advantage of bitcoin outweighs all the possible use cases for illegal purposes (e.g. buying drugs, money laundering, storing of illegal data...). The reason for this is, that all those illegal stuff can be done and is done better without bitcoin or blockchains.

[DannyHamilton]

Changes to avoid downloading and/or storing such transactions would only be possible for full nodes which are only used privately (with closed port 8333).

This is not true.

Every accessible full node in the network need to provide the correct blocks/transaction to any other node which asks for this blocks, otherwise there is no way for a new node to validate and sync the blockchain correctly.
So, the blocks with those transactions need to be stored by every full node.

This is clearly not true.  If it was true, then it would not be possible to run Bitcoin Core with pruning turned on.

What could be possible is to disallow the access of those transaction by the local gui and via the RPC interface.

But this would not help at all, there is no way to force anybody to use this "censoring" client.

Correct.  The idea would be to provide a client that users can optionally run if they want to avoid downloading the objectionable data and still maintain the rest of the blockchain.

The only way would be to censor those transactions via a hardfork.

Not true.

But this would require every client to be updated, which will never happen.

Only the clients that don't want to reeive or store the data.

Actually the only reason for blockchains is the censorship resistance and immutable property. If we start to implement any way to censor anything (which is actually not possible), we would not need a blockchain anymore. A side effect of censorship resistance and immutable is unfortunately that there can be also stored illegal data which will be there forever.

Correct. I'm not saying that the data would be gone from ALL copies of the blockchain.  I'm just saying that it would be gone from the copies of the blockchain that are being maintained by the users with the new software.

It would only disappear from ALL copies of the blockchain if EVERYBODY ran the new software, AND purged ALL old copies of the blockchain.

[Kogs]

Changes to avoid downloading and/or storing such transactions would only be possible for full nodes which are only used privately (with closed port 8333).

This is not true.

Every accessible full node in the network need to provide the correct blocks/transaction to any other node which asks for this blocks, otherwise there is no way for a new node to validate and sync the blockchain correctly.
So, the blocks with those transactions need to be stored by every full node.

This is clearly not true.  If it was true, then it would not be possible to run Bitcoin Core with pruning turned on.

What could be possible is to disallow the access of those transaction by the local gui and via the RPC interface.

But this would not help at all, there is no way to force anybody to use this "censoring" client.

Correct.  The idea would be to provide a client that users can optionally run if they want to avoid downloading the objectionable data and still maintain the rest of the blockchain.

The only way would be to censor those transactions via a hardfork.

Not true.

But this would require every client to be updated, which will never happen.

Only the clients that don't want to reeive or store the data.

Actually the only reason for blockchains is the censorship resistance and immutable property. If we start to implement any way to censor anything (which is actually not possible), we would not need a blockchain anymore. A side effect of censorship resistance and immutable is unfortunately that there can be also stored illegal data which will be there forever.

Correct. I'm not saying that the data would be gone from ALL copies of the blockchain.  I'm just saying that it would be gone from the copies of the blockchain that are being maintained by the users with the new software.

It would only disappear from ALL copies of the blockchain if EVERYBODY ran the new software, AND purged ALL old copies of the blockchain.

I got your point. The specific client which censors these transactions will only be used by people who want it. In this case it would technically work for those people.

But my points you think are wrong are still valid. This client would have some limits and cannot be used as a normal full node any more.

This specific client would only be useful as wallet, as it contains modified blocks which other nodes would reject when it broadcasts them.
If someone install a new orignal full node and ask for blocks to download the blockchain from beginning, this specific client would not be able to serve this as it would get blocked by the other node whenever the cencsored block is transmitted.

The comparison with pruned nodes is not good. First these nodes do not hold any invalid (censored) transactions or blocks. And second, like this specific client, they cannot broadcast all blocks to the network, they only forward new received blocks and can maybe send the blocks which are not pruned. If the whole bitcoin network would only consist of pruned nodes, it would not be possible to install a new full node as no one has a full copy of the blockchain any more. Even for pruned nodes, first the complete blockchain need to be downloaded and validated, only then the already spent transacations will get deleted and only the unspendet transaction will be kept on disk to save space.

I'm just thinking of any reason why anybody would want to install such a specific client which censors some transactions.
Only people who don't want to have those things on their PC would install it. But wouldn't it in this case just be not enough that those people don't look at these transactions?
Nearly no normal user is searching the local copy of the blockchain for transactions like this. Most people just don't know that such transactions exists. And even if they would know it, again most of these people would not be able to find such transactions and extract any image files out of the blockchain.

So you would need someone who know that such transactions with hidden images exists. This one need to investigate which transactions this are (not sure if there are listings of such transactions available in the internet). Then he would need to find out how to extract the information from the blockchain to save it as a picture.
In case you have somebody who really want to do this, then he would not download this specific client but the original one. Or maybe much easier just get the transactions from blockchain.info or something similar.

These are just my thoughs why it would be useless to invest time in creating such a client.
The people who don't like these things will not try to find it even if it is somewhere saved on their local copy of the blockchain, and the other people (I think there will not be much people at all) who want to get those stuff will not use this client.

[DannyHamilton]

This specific client would only be useful as wallet, as it contains modified blocks which other nodes would reject when it broadcasts them.

It would not broadcast them.  It would claim not to have them, just like a pruned node would (it could perhaps share the block as long as it knew that the node it was sharing with was also also not storing this data).

If someone install a new orignal full node and ask for blocks to download the blockchain from beginning, this specific client would not be able to serve this as it would get blocked by the other node whenever the cencsored block is transmitted.

It would be able to supply ALL the OTHER blocks.  It would simply report that it does not have those specific blocks (just like a pruned node would).  Full nodes download from multiple sources, so if someone wanted to run a node that had ALL the blocks, then they would need to get these restricted blocks from some other node.

The comparison with pruned nodes is not good.

True.  A typical pruned node is missing MANY blocks.  This node would only be missing a few.

First these nodes do not hold any invalid (censored) transactions or blocks.

And neither does this special client.

And second, like this specific client, they cannot broadcast all blocks to the network, they only forward new received blocks and can maybe send the blocks which are not pruned.

Exactly.  Which is why I used the analogy.  Think of it as a special form of pruned node where the ONLY data that is pruned is the specifically identified undesired data.

If the whole bitcoin network would only consist of pruned nodes, it would not be possible to install a new full node as no one has a full copy of the blockchain any more.

Which is why this special node is better than normal pruning.  IF the whole network would consist of only these special nodes, then it WOULD still be possible to install a new special node. Nodes that didn't have this special code wouldn't be needed any longer.

Even for pruned nodes, first the complete blockchain need to be downloaded and validated, only then the already spent transacations will get deleted and only the unspendet transaction will be kept on disk to save space.

Pruned nodes purge BOTH spent AND unspent transactions from the blockchain.  They only store the unspent transactions in the UTXO.  This special node would also download and validate the complete blockchain, with the one exception that it would have coded into the software what the "bad blocks" are and to avoid downloading specific data from those blocks.  Then it woudl still validate, it would just validate with code that knows what to expect of the missing data.

I'm just thinking of any reason why anybody would want to install such a specific client which censors some transactions.

To avoid going to jail for storing illegal images on their hard drive or distributing those images to others?

Only people who don't want to have those things on their PC would install it.

Correct.

But wouldn't it in this case just be not enough that those people don't look at these transactions?

That depends on what jurisdiction you live in.  In many jurisdictions simply having the images or distributing the images to others can result in SEVERE penalties (significant fines, jail time, permanent public registration as a sexual offender, limitations on employment and residence, etc).

Nearly no normal user is searching the local copy of the blockchain for transactions like this. Most people just don't know that such transactions exists. And even if they would know it, again most of these people would not be able to find such transactions and extract any image files out of the blockchain.

That may, or may not, matter to your local law enforcement (depending on where you live and what your history is with local law enforcement).

So you would need someone who know that such transactions with hidden images exists.

It's been publicly reported.

In case you have somebody who really want to do this, then he would not download this specific client but the original one.

That means that law enforcement agents can claim that by the very nature of having the original client you "really want to do this". Perhaps it is better to have the special client so you can prove that you have no intention of storing or distributing such data.

Or maybe much easier just get the transactions from blockchain.info or something similar.

Perhaps. Either way, it will be MUCH SAFER for many people to have the special client as an OPTION that they can choose if they want to.

These are just my thoughs why it would be useless to invest time in creating such a client.

Perhaps I will waste my time then.  If I do it as an open source project, I suspect others will be willing to waste their time too.

The people who don't like these things will not try to find it even if it is somewhere saved on their local copy of the blockchain,

But might be concerned about their safety and freedom if they run the original client, and therefore will not run any client at all.

and the other people (I think there will not be much people at all) who want to get those stuff will not use this client.

And perhaps will be prosecuted for that decision.

[Kogs]

That may, or may not, matter to your local law enforcement (depending on where you live and what your history is with local law enforcement).

....

That means that law enforcement agents can claim that by the very nature of having the original client you "really want to do this". Perhaps it is better to have the special client so you can prove that you have no intention of storing or distributing such data.

....

Perhaps. Either way, it will be MUCH SAFER for many people to have the special client as an OPTION that they can choose if they want to.

....

But might be concerned about their safety and freedom if they run the original client, and therefore will not run any client at all.

Have not thought about this stuff. You are right, some stupid governments could really go against people who run full nodes with such an argument.

I just hope this will never happen.