Imagine a bitcoin network of 1 computer. (The fake blockchain attack)

[Skybuck]

Hello,

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.

Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain. (By a group of computers recalculating this fake block chain incredibly fast in just a few days or so, perhaps even mere hours or minutes ).

Thus a "fake blockchain" could be constructed re-writing the history of bitcoin.

Currently bitcoin is protected with "checkpoints" against such an "easy" re-write of history.

What securities are in place in bitcoin to protect:

1. Current running nodes ?
2. New nodes ?

New nodes seem to be protected against downloading fake block chains by "checkpoints" hardcoded into the bitcoin source code.

Which other security mechanisms exist in bitcoin to protect against such fake block chains ?

Bye,
  Skybuck.

[1715663320]

1715663320

[1715663320]

1715663320

[FenixRD]

Hello,

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.

Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain. (By a group of computers recalculating this fake block chain incredibly fast in just a few days or so, perhaps even mere hours or minutes ).

Thus a "fake blockchain" could be constructed re-writing the history of bitcoin.

Currently bitcoin is protected with "checkpoints" against such an "easy" re-write of history.

What securities are in place in bitcoin to protect:

1. Current running nodes ?
2. New nodes ?

New nodes seem to be protected against downloading fake block chains by "checkpoints" hardcoded into the bitcoin source code.

Which other security mechanisms exist in bitcoin to protect against such fake block chains ?

Bye,
  Skybuck.

Running the QT client each block is a "checkpoint". There are no centralized checkpoints implemented in Bitcoin, though third-party clients sometimes make use of some form of it. You'll certainly have no one who can send or accept payments from you. And presumably you must have tweaked the client to keep it in this state, so really all you have done is created a fork at the point in time that transactions deviated from the majority network. So you have your own coin, let's call it FauxCoin, which nobody but you uses. Feel free to visit the Alt-coin board to attempt to change this.

[pontiacg5]

If I'm not mistaken the client naturally goes with the chain with the longest proof of work. Seeing as how a single computer chain probably isn't running the same difficulty (or anywhere remotely near it) as the legit chain it should be ignored pretty easily.

[Skybuck]

Hello,

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.

Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain. (By a group of computers recalculating this fake block chain incredibly fast in just a few days or so, perhaps even mere hours or minutes ).

Thus a "fake blockchain" could be constructed re-writing the history of bitcoin.

Currently bitcoin is protected with "checkpoints" against such an "easy" re-write of history.

What securities are in place in bitcoin to protect:

1. Current running nodes ?
2. New nodes ?

New nodes seem to be protected against downloading fake block chains by "checkpoints" hardcoded into the bitcoin source code.

Which other security mechanisms exist in bitcoin to protect against such fake block chains ?

Bye,
  Skybuck.

Running the QT client each block is a "checkpoint". There are no centralized checkpoints implemented in Bitcoin, though third-party clients sometimes make use of some form of it. You'll certainly have no one who can send or accept payments from you. And presumably you must have tweaked the client to keep it in this state, so really all you have done is created a fork at the point in time that transactions deviated from the majority network. So you have your own coin, let's call it FauxCoin, which nobody but you uses. Feel free to visit the Alt-coin board to attempt to change this.

You are a fool.

https://github.com/bitcoin/bitcoin/blob/master/src/checkpoints.cpp

Perhaps all bitcoin users are fools.

[Skybuck]

If I'm not mistaken the client naturally goes with the chain with the longest proof of work. Seeing as how a single computer chain probably isn't running the same difficulty (or anywhere remotely near it) as the legit chain it should be ignored pretty easily.

Which cpp file(s) is/are responsible for this ?  Perhaps this one:

https://github.com/bitcoin/bitcoin/blob/master/src/main.cpp

Examining it now.

SetBestChain looks promising.

Anyway so far as far as I know bitcoin selects the chain with the most blocks ? and not the chain with the thoughest difficulty ? Is what you are suggesting "thoughest difficulty" ? If so I want to see some prove of that in the source code.

[yogi]

If I'm not mistaken the client naturally goes with the chain with the longest proof of work. Seeing as how a single computer chain probably isn't running the same difficulty (or anywhere remotely near it) as the legit chain it should be ignored pretty easily.

The client goes with the chain that took the most computational effort to create, not the longest.

[chriswilmer]

If I'm not mistaken the client naturally goes with the chain with the longest proof of work. Seeing as how a single computer chain probably isn't running the same difficulty (or anywhere remotely near it) as the legit chain it should be ignored pretty easily.

Could someone explain to me what "longest proof of work" means? I understand "proof of work" and I understand "longest blockchain"... but I'm not sure what these concepts mean when combined....

[FenixRD]

Hello,

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.

Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain. (By a group of computers recalculating this fake block chain incredibly fast in just a few days or so, perhaps even mere hours or minutes ).

Thus a "fake blockchain" could be constructed re-writing the history of bitcoin.

Currently bitcoin is protected with "checkpoints" against such an "easy" re-write of history.

What securities are in place in bitcoin to protect:

1. Current running nodes ?
2. New nodes ?

New nodes seem to be protected against downloading fake block chains by "checkpoints" hardcoded into the bitcoin source code.

Which other security mechanisms exist in bitcoin to protect against such fake block chains ?

Bye,
  Skybuck.

Running the QT client each block is a "checkpoint". There are no centralized checkpoints implemented in Bitcoin, though third-party clients sometimes make use of some form of it. You'll certainly have no one who can send or accept payments from you. And presumably you must have tweaked the client to keep it in this state, so really all you have done is created a fork at the point in time that transactions deviated from the majority network. So you have your own coin, let's call it FauxCoin, which nobody but you uses. Feel free to visit the Alt-coin board to attempt to change this.

You are a fool.

https://github.com/bitcoin/bitcoin/blob/master/src/checkpoints.cpp

Perhaps all bitcoin users are fools.

And you are rude, which presumably you're cool with 'cuz this is the web and assume our IRL and web identities will never knowingly meet. I dislike such personalities. The way one acts with guaranteed anonymity tells a lot about one's character.

What I assumed you meant, as will many readers I imagine, is the sort of checkpointing used by, say, PPCoin or alternative clients. Because I also assumed you were not so simple as to not have googled your query before asking such a question in the dev forum. Had you simply entered "bitcoin checkpointing" into the magic wizard's box, you would have seen this -- https://en.bitcoin.it/wiki/Checkpoint_Lockin -- which, for my google at least, is the top result.

That, young Skybuck, links you to all the information you could possibly need, in summary and detail, about how the "fake blockchain attack" is no attack at all.

All known vulnerabilities and attacks are listed and discussed inline and at links extensively here: https://en.bitcoin.it/wiki/Weaknesses

Perhaps the closest thing to your proposed attack is the "Rival/malicious client code" (https://en.bitcoin.it/wiki/Weaknesses#Rival.2Fmalicious_client_code) which, again, requires not only (1) that you fork the client to enforce this function of creating and sticking with a fake blockchain, but (2) that you convince people to download it, presumably with the belief that it is the real client.

You may also be thinking of this one, which is, as the wiki classifies it, definitely not a problem: https://en.bitcoin.it/wiki/Weaknesses#Generate_.22valid.22_blocks_with_a_lower_difficulty_than_normal

[FenixRD]

If I'm not mistaken the client naturally goes with the chain with the longest proof of work. Seeing as how a single computer chain probably isn't running the same difficulty (or anywhere remotely near it) as the legit chain it should be ignored pretty easily.

Could someone explain to me what "longest proof of work" means? I understand "proof of work" and I understand "longest blockchain"... but I'm not sure what these concepts mean when combined....

You wrote only 45 seconds apart, so perhaps you hadn't been able to see this:

If I'm not mistaken the client naturally goes with the chain with the longest proof of work. Seeing as how a single computer chain probably isn't running the same difficulty (or anywhere remotely near it) as the legit chain it should be ignored pretty easily.

The client goes with the chain that took the most computational effort to create, not the longest.

Sections 4 and 11 of the original Satoshi whitepaper should interest you all in particular. If the details of the whitepaper (and then the relevant code sections if you are so inclined, in order to verify the functions have been properly represented) are beyond your grasp (which, as Bitcoin gains popularity outside the engineering and math community, is destined to be an ever-more-common phenomenon), you will always be somewhat relegated to someone else's assurances that the protocol is safe. For those people, my best advice would be to consider the amount of trust you put in the current banking and money transmission systems, which are more complex and difficult to understand, and opaque besides, meaning you cannot actually do the research in the first place. With Bitcoin, anyone may understand it, which is different from saying anyone can.

[gmaxwell]

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.
Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain.

You're confused by the definition of "longer". The chain selection is based on the sum of work, not the number of blocks. (The whitepaper was mostly written from the perspective of constant difficulty, under which the two are the same).

[chriswilmer]

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.
Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain.

You're confused by the definition of "longer". The chain selection is based on the sum of work, not the number of blocks. (The whitepaper was mostly written from the perspective of constant difficulty, under which the two are the same).

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)

(also, is it equivalent to sum up the difficulty associated with each block)

[MoonShadow]

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.
Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain.

You're confused by the definition of "longer". The chain selection is based on the sum of work, not the number of blocks. (The whitepaper was mostly written from the perspective of constant difficulty, under which the two are the same).

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)

(also, is it equivalent to sum up the difficulty associated with each block)

If I understand the statement correctly, yes.  The "longest" blockchain is the one that required the greatest amount of computational power to create, and that is determined by the client by suming up the difficulty of all the blocks created.  It's just a bit more complicated than that, as most things are, but that is a fine way to think about it.

EDIT:  BTW, the current bitcoin network is running at an estimated total computational power of just over 62,000 petaflops.  It's risen by about a thousand petaflops per day over the past week or so.  The fastest supercomputer on Earth (not classified) was benchmarked at 33 petaflops this past summer.  That computer system took three years to construct and sits on roughly 40 acres of land.  Bitcoin is way past the point that it's at risk from a falsified blockchain attack of any sort.

[chriswilmer]

Imagine a bitcoin network of 1 computer for the past years of bitcoin's existence.
Theoretically and practically this 1 computer could calculate a blockchain that was just as long if not even 1 block longer than bitcoin's current blockchain.

You're confused by the definition of "longer". The chain selection is based on the sum of work, not the number of blocks. (The whitepaper was mostly written from the perspective of constant difficulty, under which the two are the same).

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)

(also, is it equivalent to sum up the difficulty associated with each block)

If I understand the statement correctly, yes.  The "longest" blockchain is the one that required the greatest amount of computational power to create, and that is determined by the client by suming up the difficulty of all the blocks created.  It's just a bit more complicated than that, as most things are, but that is a fine way to think about it.

EDIT:  BTW, the current bitcoin network is running at an estimated total computational power of just over 62,000 petaflops.  It's risen by about a thousand petaflops per day over the past week or so.  The fastest supercomputer on Earth (not classified) was benchmarked at 33 petaflops this past summer.  That computer system took three years to construct and sits on roughly 40 acres of land.  Bitcoin is way past the point that it's at risk from a falsified blockchain attack of any sort.

Could you elaborate on how it is more complicated?  I am interested in the precise way to calculate the proof of work of the chain.

[gmaxwell]

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)
(also, is it equivalent to sum up the difficulty associated with each block)

Yes it's literally the arithmetic sum of all of the work of each block, and it's equivalent to the sum of the block difficulties upto rounding (difficulty is a floating point number presented for human friendliness).

EDIT:  BTW, the current bitcoin network is running at an estimated total computational power of just over 62,000 petaflops.  It's risen by about a thousand petaflops per day over the past week or so.  The fastest supercomputer on Earth (not classified) was benchmarked at 33 petaflops this past summer.  That computer system took three years to construct and sits on roughly 40 acres of land.  Bitcoin is way past the point that it's at risk from a falsified blockchain attack of any sort.

uh.  Bitcoin does no "flops" at all. Flop numbers are now bad projections from matching up what a GPU could do when it wasn't mining Bitcoin and they're now irrelevant.

The right metric is the cost of what it would cost you to actually perform the attack.  You can go order 2TH/s miners for $6000. The current network speed is ~5000 TH/s.  Building a farm to outpace the network at that price would cost $15 million. Of course, those are preorders and the network will be faster once they ship, but even if you compute vs hardware available to ship today you end up with numbers under $100m.   I don't think there is really any serious threat— there are cheaper ways to attack bitcoin— but saying "way past the point that it's at risk from a falsified blockchain attack" is a bit of an exaggeration our high hashrate now is the product of extreme improvements in the cost of mining— which benefit attackers too— more that massive increases in mining investment.

[MoonShadow]

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)
(also, is it equivalent to sum up the difficulty associated with each block)

Yes it's literally the arithmetic sum of all of the work of each block, and it's equivalent to the sum of the block difficulties upto rounding (difficulty is a floating point number presented for human friendliness).

EDIT:  BTW, the current bitcoin network is running at an estimated total computational power of just over 62,000 petaflops.  It's risen by about a thousand petaflops per day over the past week or so.  The fastest supercomputer on Earth (not classified) was benchmarked at 33 petaflops this past summer.  That computer system took three years to construct and sits on roughly 40 acres of land.  Bitcoin is way past the point that it's at risk from a falsified blockchain attack of any sort.

uh.  Bitcoin does no "flops" at all. Flop numbers are now bad projections from matching up what a GPU could do when it wasn't mining Bitcoin and they're now irrelevant.

While I agree that direct comparisons to standard computer metrics is fraught with error, I disagree that the metric is irrelevant.  It's an estimate of how fast a conventional computer would have to be to match the bitcoin network as is.  Granted, no one is going to use a conventional computer system to do this, but it also shows the futility of trying to even redirect existing hardware to the task. 

[MoonShadow]

Could you elaborate on how it is more complicated?  I am interested in the precise way to calculate the proof of work of the chain.

I'm not really the right person to elaborate.

[gmaxwell]

Could you elaborate on how it is more complicated?  I am interested in the precise way to calculate the proof of work of the chain.

Then go read the code.

[chriswilmer]

Could you elaborate on how it is more complicated?  I am interested in the precise way to calculate the proof of work of the chain.

Then go read the code.

Sorry, I thought it might be possible to express as a formula in a forum post.

For example, if a blockchain has two blocks, then the total work T is equal the difficulty of block 1 + the difficulty of block 2

or perhaps if the work, W, is a function of the difficulty, d, then then the total work is:

T = W(d1) + W(d2)

where d1 and d2 are the difficulty of blocks 1 and 2

[MoonShadow]

Could you elaborate on how it is more complicated?  I am interested in the precise way to calculate the proof of work of the chain.

Then go read the code.

Sorry, I thought it might be possible to express as a formula in a forum post.

For example, if a blockchain has two blocks, then the total work T is equal the difficulty of block 1 + the difficulty of block 2

or perhaps if the work, W, is a function of the difficulty, d, then then the total work is:

T = W(d1) + W(d2)

where d1 and d2 are the difficulty of blocks 1 and 2

Close, but you have to understand that the difficulty is a human friendly expression of what is going on, and isn't exactly how the clients handle it.  If you want to know, you really do need to understand how it's done by the client.

[chriswilmer]

Could you elaborate on how it is more complicated?  I am interested in the precise way to calculate the proof of work of the chain.

Then go read the code.

Sorry, I thought it might be possible to express as a formula in a forum post.

For example, if a blockchain has two blocks, then the total work T is equal the difficulty of block 1 + the difficulty of block 2

or perhaps if the work, W, is a function of the difficulty, d, then then the total work is:

T = W(d1) + W(d2)

where d1 and d2 are the difficulty of blocks 1 and 2

Close, but you have to understand that the difficulty is a human friendly expression of what is going on, and isn't exactly how the clients handle it.  If you want to know, you really do need to understand how it's done by the client.

That's fine... I am a developer too, so I can read the code. If someone could give me a hint as to which file to look at that would be great, but I'm sure I'll find it eventually...

[FenixRD]

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)
(also, is it equivalent to sum up the difficulty associated with each block)

Yes it's literally the arithmetic sum of all of the work of each block, and it's equivalent to the sum of the block difficulties upto rounding (difficulty is a floating point number presented for human friendliness).

EDIT:  BTW, the current bitcoin network is running at an estimated total computational power of just over 62,000 petaflops.  It's risen by about a thousand petaflops per day over the past week or so.  The fastest supercomputer on Earth (not classified) was benchmarked at 33 petaflops this past summer.  That computer system took three years to construct and sits on roughly 40 acres of land.  Bitcoin is way past the point that it's at risk from a falsified blockchain attack of any sort.

uh.  Bitcoin does no "flops" at all. Flop numbers are now bad projections from matching up what a GPU could do when it wasn't mining Bitcoin and they're now irrelevant.

While I agree that direct comparisons to standard computer metrics is fraught with error, I disagree that the metric is irrelevant.  It's an estimate of how fast a conventional computer would have to be to match the bitcoin network as is.  Granted, no one is going to use a conventional computer system to do this, but it also shows the futility of trying to even redirect existing hardware to the task.  

I think, when discussing the possibility of attack with people (even engineers) new to Bitcoin, it is important to mention both. There is the level of security provided by the truly staggering power of the network, in the sense that it is fair to say that even the NSA and world governments could not attack it with their general-purpose supercompute assets; and then follow that up with the caveat that (1) we're all watching quantum compute developments very closely, because they change things, and (2) in the meantime there are ASICs, and then quickly discuss exactly what gmaxwell just stated, and note that while perhaps there is not the necessary supply in existence for an organization to buy enough Avalons etc. to perform an attack, the cost is within some extreme budgets (extreme for people, but not organizations).

I'll add a (3) to that as well, which is that, while estimates based on trying to buy ASIC hashpower at retail may result in a $15M order and a long backorder, it would cost less than that to hire an experienced ASIC design team for a year and to have your own ASICs spun, if you personally wanted that kind of volume. My team could have tapeout in 3 - 6 months, implement a usually-necessary metal revision in another 1 - 2, and I can guarantee it would equal or outperform the best on the market, all for probably $1.5M in total engineers' salaries and another few million (2 -3 maybe) for the silicon. I may be vastly overestimating the complexity of putting these functions on an ASIC, so probably it could cost less, or just be engineered to a T and mop the floor with the current entrants. I haven't looked closely at it because Broadcom and our other two primary contract-employers have never tried to pay us to do it

The US government in particular "owns" a large amount of (mostly rad-hardened) ASIC fab capacity itself, probably more than enough than is necessary, if they wanted to use it. We're safe from all the probable attacks, and most of the improbable ones. There are a couple outlandish scenarios that are possible, like that one. The question is why they would attack the network when more money is to be made in securing it, which is one of the key design principles laid out by Satoshi in the first place. Until someone can demonstrate a method in which this is false, we only need to worry about the Joker showing up ("some people just want to watch the world burn"), with the resources to do it.

[Sukrim]

There is a much more real threat than CPUs and GPUs: FPGAs. While not as efficient as ASICs, they are far more abundant especially in organizations that run highly specialized code to crack cryptography and they can be repurposed.

The reason this attack from the OP won't work is on one hand that the chain won't even get longer than the current one (it likely has to stay at difficulty 1 for a long time and that means embedding timestamps exactly 10 minutes aparts since Satoshi's genesis block) while the current block chain has been mostly going faster than it should. Also it won't get enough work done to take over unless there is some SERIOUS computing power behind. It might be doable but then again even if the system automatically switches to the fork, most people won't like that (as all balances would be gone for example), so likely people would manually switch back to the existing chain. The person contolling the computing power then could 51% attack this chain, but that's all. it is not very likely that anyone would use a chain from Satoshi genesis for long and once it is published, people will oppose it. You could seriously confuse a few servers of course, but at quite a hefty price tag.

[FenixRD]

There is a much more real threat than CPUs and GPUs: FPGAs. While not as efficient as ASICs, they are far more abundant especially in organizations that run highly specialized code to crack cryptography and they can be repurposed.

The reason this attack from the OP won't work is on one hand that the chain won't even get longer than the current one (it likely has to stay at difficulty 1 for a long time and that means embedding timestamps exactly 10 minutes aparts since Satoshi's genesis block) while the current block chain has been mostly going faster than it should. Also it won't get enough work done to take over unless there is some SERIOUS computing power behind. It might be doable but then again even if the system automatically switches to the fork, most people won't like that (as all balances would be gone for example), so likely people would manually switch back to the existing chain. The person contolling the computing power then could 51% attack this chain, but that's all. it is not very likely that anyone would use a chain from Satoshi genesis for long and once it is published, people will oppose it. You could seriously confuse a few servers of course, but at quite a hefty price tag.

It'd take a lot of FPGAs to present an issue, and it would cost far more than contracting to have an ASIC built for you personally. Unless you have access to tens of thousands of recent FPGAs, it's not gonna happen either. And then it would still be more valuable to help the network. For that, FPGAs are valuable if you can get free electricity. We had several hundred Stratix-IIIs that were just sitting in a closet, since we're all using the V and 10 now for development. Me and my brother repurposed them for mining. We have a 300-acre plot of land in Texas and the facilities are powered by a custom solar setup. We used to sell back to the grid but we configured it so that now any excess electricity is used by the mining setup.

The only conceivable attack that I've heard in 5 years is the "wealthy Joker" attack, where the attacker is incredibly well-financed and intends to blow orders of magnitude more money than they could have made, in the process of wreaking havoc. This is why, to me, it was so important that both China and the US have mutual sentiment about Bitcoin, whatever that sentiment was.

[MoonShadow]

I think, when discussing the possibility of attack with people (even engineers) new to Bitcoin, it is important to mention both. There is the level of security provided by the truly staggering power of the network, in the sense that it is fair to say that even the NSA and world governments could not attack it with their general-purpose supercompute assets; and then follow that up with the caveat that (1) we're all watching quantum compute developments very closely, because they change things, and (2) in the meantime there are ASICs, and then quickly discuss exactly what gmaxwell just stated, and note that while perhaps there is not the necessary supply in existence for an organization to buy enough Avalons etc. to perform an attack, the cost is within some extreme budgets (extreme for people, but not organizations).


I'll add a (3) to that as well, which is that, while estimates based on trying to buy ASIC hashpower at retail may result in a $15M order and a long backorder, it would cost less than that to hire an experienced ASIC design team for a year and to have your own ASICs spun, if you personally wanted that kind of volume. My team could have tapeout in 3 - 6 months, implement a usually-necessary metal revision in another 1 - 2, and I can guarantee it would equal or outperform the best on the market, all for probably $1.5M in total engineers' salaries and another few million (2 -3 maybe) for the silicon. I may be vastly overestimating the complexity of putting these functions on an ASIC, so probably it could cost less, or just be engineered to a T and mop the floor with the current entrants. I haven't looked closely at it because Broadcom and our other two primary contract-employers have never tried to pay us to do it

The US government in particular "owns" a large amount of (mostly rad-hardened) ASIC fab capacity itself, probably more than enough than is necessary, if they wanted to use it. We're safe from all the probable attacks, and most of the improbable ones. There are a couple outlandish scenarios that are possible, like that one. The question is why they would attack the network when more money is to be made in securinghashing algoit, which is one of the key design principles laid out by Satoshi in the first place. Until someone can demonstrate a method in which this is false, we only need to worry about the Joker showing up ("some people just want to watch the world burn"), with the resources to do it.

Addressing all three of your points at once.  Not only did Satoshi foresee the quantum computing risks concerning bitcoin, he provided a path to deal with such issues.  There is an upgrade path for the primary hashing algo, including "hooks" in the existing code to permit a second algo to be added in series to the current SHA256.  Whatever algo that best deals with the most likely threat, be it quantum computing or private asic farms, cna be chosen to be added to the system without so much as stopping the blockchian.  A similar algo upgrade path was provided for with regard to the address keypair algos.  (the leading charachter is currently always a "1", this tells the bitcoin network what address version is in play, although currently no other choice exists)

[gmaxwell]

the leading charachter is currently always a "1"

Or a "3", because we've already used this forward compatibility once, for P2SH, to make payments to escrows and other complex scripts as easy as regular ones.

[FenixRD]

I think, when discussing the possibility of attack with people (even engineers) new to Bitcoin, it is important to mention both. There is the level of security provided by the truly staggering power of the network, in the sense that it is fair to say that even the NSA and world governments could not attack it with their general-purpose supercompute assets; and then follow that up with the caveat that (1) we're all watching quantum compute developments very closely, because they change things, and (2) in the meantime there are ASICs, and then quickly discuss exactly what gmaxwell just stated, and note that while perhaps there is not the necessary supply in existence for an organization to buy enough Avalons etc. to perform an attack, the cost is within some extreme budgets (extreme for people, but not organizations).


I'll add a (3) to that as well, which is that, while estimates based on trying to buy ASIC hashpower at retail may result in a $15M order and a long backorder, it would cost less than that to hire an experienced ASIC design team for a year and to have your own ASICs spun, if you personally wanted that kind of volume. My team could have tapeout in 3 - 6 months, implement a usually-necessary metal revision in another 1 - 2, and I can guarantee it would equal or outperform the best on the market, all for probably $1.5M in total engineers' salaries and another few million (2 -3 maybe) for the silicon. I may be vastly overestimating the complexity of putting these functions on an ASIC, so probably it could cost less, or just be engineered to a T and mop the floor with the current entrants. I haven't looked closely at it because Broadcom and our other two primary contract-employers have never tried to pay us to do it

The US government in particular "owns" a large amount of (mostly rad-hardened) ASIC fab capacity itself, probably more than enough than is necessary, if they wanted to use it. We're safe from all the probable attacks, and most of the improbable ones. There are a couple outlandish scenarios that are possible, like that one. The question is why they would attack the network when more money is to be made in securinghashing algoit, which is one of the key design principles laid out by Satoshi in the first place. Until someone can demonstrate a method in which this is false, we only need to worry about the Joker showing up ("some people just want to watch the world burn"), with the resources to do it.

Addressing all three of your points at once.  Not only did Satoshi foresee the quantum computing risks concerning bitcoin, he provided a path to deal with such issues.  There is an upgrade path for the primary hashing algo, including "hooks" in the existing code to permit a second algo to be added in series to the current SHA256.  Whatever algo that best deals with the most likely threat, be it quantum computing or private asic farms, cna be chosen to be added to the system without so much as stopping the blockchian.  A similar algo upgrade path was provided for with regard to the address keypair algos.  (the leading charachter is currently always a "1", this tells the bitcoin network what address version is in play, although currently no other choice exists)

Yes, I didn't mean to imply that I believe quantum compute is an "issue", at least not if we define "issue" as "thing which breaks Bitcoin". These are just the things an engineering-minded individual, and some more rational and logical individuals, will inevitably need to hear and understand before accepting Bitcoin. QC would shake up the ecosystem for a few days, tops, as everyone got up to speed on the new aspects, and it wouldn't even be that long if QC doesn't show up on the scene largely unannounced.