Bitcoin Forum
Author Topic: What actually prevents the substitution of old blocks?  (Read 915 times)
bitcoinfuturefiction (OP)
April 15, 2013, 12:35:13 AM
 #1

I feel like this is a newbie question, but I've got a technical background and have been following Bitcoin for years. Perhaps I'm just forgetting something.

We ordinarily speak of each block as secured, or confirmed, by the subsequent blocks. We say this because each block contains the prior block's hash - which is why it's a "chain."

But the blocks themselves are found just by (effectively) brute-forcing SHA2. What prevents someone from doing that to an arbitrary old block to (say) remove a transaction and thus double spend? (Or just massively confuse the network.) In other words, shouldn't it be as easy, if we're currently at block 231375, for me to find a replacement for block 200000 as to find the next block? The replacement would, by design, have the same hash but different content - content that, for whatever reason, favors me as the attacker. Why couldn't it fit right into the "authentic" chain?

Satoshi's paper addresses a similar problem, but it doesn't seem to be the same. He shows that it becomes exponentially more difficult to dictate a new chain (whose blocks have different hashes from the "real" chain) against the "honest" hashing power. But does something other than the hash stored in block 200001 authenticate block 200000? And if not, how do we distinguish in any distributed way among any candidates for block 200000 that have the same hash and are otherwise valid blocks?

(Obviously, we could checkpoint, or go by which block a majority of nodes think came first, but that isn't really "distributed" in the way we say Bitcoin is. If a majority of hashing power is the only thing that decides which version of the old block to trust, that would make a 51% attack worse than people say it is, because it would allow the arbitrary rewriting even of ancient history.)

I'm sure I'm forgetting or misunderstanding something, but I don't know what it is. Thanks!
dree12
April 15, 2013, 12:40:18 AM
 #2

Block 200001 contains a hash of block 200000. This verifies that the block 200000 has not been changed. A replacement for block 200000 would stop at that block, and not be a part of block 200001's chain.

The Bitcoin client will accept the "longest chain", which is the chain with the most work behind it. Because the replacement block's chain ends at 200000, it is shorter than the original block 200000's chain and it will be rejected.
kwukduck
April 15, 2013, 12:40:32 AM
 #3

Because you would have to find the exact same hash...? Extremely unlikely to happen...

DeathAndTaxes
April 15, 2013, 12:42:57 AM
 #4

Each block has in its blockheader the hash of the prior block.  If you replace a block you would also have to replace all blocks after it plus an additional block for your modified chain to be the longest.
So to change a block 10 blocks deep in the blockchain would require solving 11 blocks before the "good miners" collectively solve 1 otherwise your modified chain is still shorter and falling behind.

On edit: missed this ...

Quote
The replacement would, by design, have the same hash but different content - content that, for whatever reason, favors me as the attacker.

The odds of your producing a block with different content and the same hash are 1 in 2^256.    There isn't sufficient energy left in our star to accomplish that even given a planetary-sized super computer operating at the thermodynamic limit for the next four billion years.
Walter Rothbard
April 15, 2013, 12:45:54 AM
 #5

What prevents this is the subsequent blocks.

If you mine a replacement block for block #199999, you change its hash.  Because that hash is stored in block #200000, you'll change the content of that block and have to remine it.  Then you'll have to do the next block and so on, all the way to the end of the chain.  As of this writing, that's another 31375 blocks.  Nontrivial no matter how much brute force you throw at it!

Solving a block doesn't mean brute forcing for a specific hash.  It means brute forcing for a hash in a particular range; many valid hashes would be possible, so it's a much easier problem than looking for a specific hash.  So you can't simply try to solve a modified block #199999 for the same hash as the real #199999; that would be a much more difficult problem.

teknomunk
April 15, 2013, 12:50:50 AM
 #6

Quote
But the blocks themselves are found just by (effectively) brute-forcing SHA2.

Not quite, but very close.  A block is found when the resulting SHA2 hash is below a certain value dictated by the current difficulty.

Quote
But the blocks themselves are found just by (effectively) brute-forcing SHA2. What prevents someone from doing that to an arbitrary old block to (say) remove a transaction and thus double spend?

Instead of just being less than the value of the difficulty, to replace a block, the value has to be exactly identical to the existing block hash.  This is equivalent to finding a block with the absolute highest difficulty that bitcoin could possibly ever have.

Quote
The odds of your producing a block with different content and the same hash are 1 in 2^256.    There isn't sufficient energy left in our star to accomplish that even given a planetary-sized super computer operating at the thermodynamic limit for the next four billion years.

That sounds about right.

Quote
What prevents this is the subsequent blocks.

If you mine a replacement block for block #199999, you change its hash.  Because that hash is stored in block #200000, you'll change the content of that block and have to remine it.  Then you'll have to do the next block and so on, all the way to the end of the chain.  As of this writing, that's another 31375 blocks.  Nontrivial no matter how much brute force you throw at it!

Solving a block doesn't mean brute forcing for a specific hash.  It means brute forcing for a hash in a particular range; many valid hashes would be possible, so it's a much easier problem than looking for a specific hash.  So you can't simply try to solve a modified block #199999 for the same hash as the real #199999; that would be a much more difficult problem.

To replace a block without having to recompute the entire chain afterwards, you would have to find a hash collision with the existing block.  Brute forcing this hash is basically impossible.

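The argument of posts #4 to #6, as an added Python example that is not code from this thread or from Bitcoin itself: a block's content cannot be altered while keeping its recorded hash (that would need a second preimage of SHA-256), and a rewrite that respects the rules must re-mine the altered block and every block after it. The chain, payloads and toy target are constructed; the target stands in for Bitcoin's real difficulty.

```python
import hashlib
import struct
# Constructed toy chain mirroring the thread: double SHA-256 over prev_hash +
# payload + nonce, valid when the hash is below TARGET (a range, not one value).
TARGET = 2 ** 256 >> 16          # roughly 65k nonce attempts per block
GENESIS_PREV = b"\x00" * 32

def block_hash(prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    inner = hashlib.sha256(prev_hash + payload + struct.pack("<I", nonce)).digest()
    return hashlib.sha256(inner).digest()

def mine(prev_hash: bytes, payload: bytes) -> dict:
    """Proof of work: try nonces until the hash lands below TARGET."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, payload, nonce)
        if int.from_bytes(h, "big") < TARGET:
            return {"prev": prev_hash, "payload": payload, "nonce": nonce, "hash": h}
        nonce += 1

def mine_on(prefix: list, payloads: list) -> list:
    """Mine each payload on top of prefix, linking every block to the previous hash."""
    chain = list(prefix)
    for p in payloads:
        chain.append(mine(chain[-1]["hash"] if chain else GENESIS_PREV, p))
    return chain

def validate(chain: list) -> bool:
    """A node's check: meets the target, recomputes to the recorded hash, links to prev."""
    prev = GENESIS_PREV
    for b in chain:
        h = block_hash(b["prev"], b["payload"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or int.from_bytes(h, "big") >= TARGET:
            return False
        prev = h
    return True

def substitute_in_place(chain: list, index: int, new_payload: bytes) -> list:
    """The OP's scenario: alter an old block's content but keep its recorded
    hash. Without a SHA-256 second preimage the recomputation cannot match."""
    forged = [dict(b) for b in chain]
    forged[index]["payload"] = new_payload
    return forged

def rewrite_from(chain: list, index: int, new_payload: bytes) -> tuple:
    """What a rule-abiding rewrite costs: the altered block and every later one
    must be re-mined. Returns (new chain, number of blocks mined)."""
    payloads = [new_payload] + [b["payload"] for b in chain[index + 1:]]
    return mine_on(chain[:index], payloads), len(payloads)
```

Splicing the re-mined block back in front of the untouched tail also fails validation, because the old tail's prev field still commits to the original hash.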
bitcoinfuturefiction (OP)
April 15, 2013, 12:59:20 AM
 #7

Ah, I see. Stupid mistake. Sorry.
teknomunk
April 15, 2013, 01:46:56 AM
 #8

Don't be too upset with yourself over this.  Bitcoin requires some specialized technical knowledge to fully understand how it works.  It took me the good part of a year to get the understanding I have, and that doesn't include the several years of learning how to program that made the time shorter.  Granted this information is probably written down somewhere already, but it is as likely as not in a hard to understand format and possibly incomplete.

Walter Rothbard
April 15, 2013, 01:52:44 AM
 #9

Quote
Don't be too upset with yourself over this.  Bitcoin requires some specialized technical knowledge to fully understand how it works.  It took me the good part of a year to get the understanding I have, and that doesn't include the several years of learning how to program that made the time shorter.  Granted this information is probably written down somewhere already, but it is as likely as not in a hard to understand format and possibly incomplete.

I agree!  There's a lot of this that you have to go over and over again many times until you see how it works.  And even then, occasionally you'll spot holes like this, and then educate yourself by learning how bitcoin defends against what looked like a vulnerability.
