Longest Parallel Chain Attack Idea

[Gr.Green]

I imagine this situation:
An adversary does nothing but generate new blocks without including any network transactions for 50BTC reward block after block in an effort to outrun the main block chain. They could take their time because unnecessarily increasing block output would only increase their complexity and they don't need to make it harder than they have to. They do it long enough to collect sizeable booty.
They don't participate in the rest of the network and don't announce their chain. They increase their network capacity without letting the network know. In one 2 week window when they are certain that their chain is longer than the official chain they release it out to the public and it is adopted as the main chain (invalidating lots of legit transactions along the way). They then try to quickly cash this out like it was done on MtGox. Even if they didn't want to cash out, kids like LulzSec may decide to do this just for fun.

Are there any mechanisms in place that stop clients blindly adopting the longer chain if the differences are too great? Would some damage control algorithm kick in? Is there a way to detect a "bastard" chain that sprung out of nowhere?

I know this sounds unrealistic, and nobody would compromise their investment into economy in this way. But what if someone had a reason to do this anyway.

Hopefully by the time BTC becomes mainstream it would require a google-size mob to do this kind of damage and they wouldn't be interested in any of that. What's stopping "The Fed" from doing it now?

Would such an attack be possible today?
I would imagine that something like this has been discussed already.

[1715538328]

1715538328

[kjj]

The only mechanism for it so far is the scarcity of ATI cards.  I don't believe that enough computing power exists in a purchasable state right now for anyone to pull off this attack.

But many have proposed suggestions to prevent the attack.  My personal suggestion was exponential difficulty requirements for a long chain reversal.  Pick a number that is slightly higher than the longest likely legitimate chain battle, like 6 maybe.  A node will do a straight difficulty comparison if a new chain appears that is 6 or less blocks long.  A reversal longer than 6 blocks will require not just more difficulty than the existing chain, but 2^(num_blocks - 6) times as much difficulty as the current chain.

It has many advantages, and only one gotcha, that being that a legitimate network partition could get into a state where it is not possible to reconcile the two halves manually.

[Gr.Green]

I'm not talking about going back in time to replace a block that existed in the past to cover up the tracks, then having to catch up with the legit chain. The attack chain would start as just a fork of the existing chain and proceed forward without any handicap. Because it would be a shadow chain, it would not affect the difficulty of the overall network.

I think I understand your solution: The node compares the hash difficulties of blocks in each chain and chooses the one where difficulty sum is higher as that would be a sign that it's a chain from the real world where competition is high. Counting the overall transaction volume and diversity of origin bitcoins would help identify a fake as well.

Legitimate network partition problem will have to be solved. If bitcoin depends on uninterrupted internet, then it could be considered a weakness and may bring a new meaning to words "economic blockade" or "trade embargo".

I wish there was an easy way to find all the past discussions grouped by topic: complexity, block chain, attack, etc.

[gmaxwell]

It has many advantages, and only one gotcha, that being that a legitimate network partition could get into a state where it is not possible to reconcile the two halves manually.

Er. More than one.  You end up with a byzantine generals problem in determining that a situation exists which requires the higher difficulty.  Normally we solve the byzantine generals problem  by using the blockchain, but in this case we'd need to secure the blockchain a blockchain and we'd have infinite recursion.

[kjj]

It has many advantages, and only one gotcha, that being that a legitimate network partition could get into a state where it is not possible to reconcile the two halves manually.

Er. More than one.  You end up with a byzantine generals problem in determining that a situation exists which requires the higher difficulty.  Normally we solve the byzantine generals problem  by using the blockchain, but in this case we'd need to secure the blockchain a blockchain and we'd have infinite recursion.

Nah.  It is just counting, and the decision happens on each node.

For what it's worth, I think that a permanent fork would be close enough to impossible not to worry about.  I can't think of any way to divide a large fraction of the world's hashing power from the remainder for more than a couple of hours.  Well, I can think of a one way, but if alien spaceships shoot down all of our satellites, jam all radio and microwave transmissions, and cut the earth in half, we'll have bigger things to worry about that day.