Imagine a bitcoin network of 1 computer. (The fake blockchain attack)

[FenixRD]

Is this literally the arithmetic sum of all of the work of each block in the chain? (as opposed to some other function)
(also, is it equivalent to sum up the difficulty associated with each block)

Yes it's literally the arithmetic sum of all of the work of each block, and it's equivalent to the sum of the block difficulties upto rounding (difficulty is a floating point number presented for human friendliness).

EDIT:  BTW, the current bitcoin network is running at an estimated total computational power of just over 62,000 petaflops.  It's risen by about a thousand petaflops per day over the past week or so.  The fastest supercomputer on Earth (not classified) was benchmarked at 33 petaflops this past summer.  That computer system took three years to construct and sits on roughly 40 acres of land.  Bitcoin is way past the point that it's at risk from a falsified blockchain attack of any sort.

uh.  Bitcoin does no "flops" at all. Flop numbers are now bad projections from matching up what a GPU could do when it wasn't mining Bitcoin and they're now irrelevant.

While I agree that direct comparisons to standard computer metrics is fraught with error, I disagree that the metric is irrelevant.  It's an estimate of how fast a conventional computer would have to be to match the bitcoin network as is.  Granted, no one is going to use a conventional computer system to do this, but it also shows the futility of trying to even redirect existing hardware to the task.  

I think, when discussing the possibility of attack with people (even engineers) new to Bitcoin, it is important to mention both. There is the level of security provided by the truly staggering power of the network, in the sense that it is fair to say that even the NSA and world governments could not attack it with their general-purpose supercompute assets; and then follow that up with the caveat that (1) we're all watching quantum compute developments very closely, because they change things, and (2) in the meantime there are ASICs, and then quickly discuss exactly what gmaxwell just stated, and note that while perhaps there is not the necessary supply in existence for an organization to buy enough Avalons etc. to perform an attack, the cost is within some extreme budgets (extreme for people, but not organizations).

I'll add a (3) to that as well, which is that, while estimates based on trying to buy ASIC hashpower at retail may result in a $15M order and a long backorder, it would cost less than that to hire an experienced ASIC design team for a year and to have your own ASICs spun, if you personally wanted that kind of volume. My team could have tapeout in 3 - 6 months, implement a usually-necessary metal revision in another 1 - 2, and I can guarantee it would equal or outperform the best on the market, all for probably $1.5M in total engineers' salaries and another few million (2 -3 maybe) for the silicon. I may be vastly overestimating the complexity of putting these functions on an ASIC, so probably it could cost less, or just be engineered to a T and mop the floor with the current entrants. I haven't looked closely at it because Broadcom and our other two primary contract-employers have never tried to pay us to do it

The US government in particular "owns" a large amount of (mostly rad-hardened) ASIC fab capacity itself, probably more than enough than is necessary, if they wanted to use it. We're safe from all the probable attacks, and most of the improbable ones. There are a couple outlandish scenarios that are possible, like that one. The question is why they would attack the network when more money is to be made in securing it, which is one of the key design principles laid out by Satoshi in the first place. Until someone can demonstrate a method in which this is false, we only need to worry about the Joker showing up ("some people just want to watch the world burn"), with the resources to do it.

[1715286684]

1715286684

[1715286684]

1715286684

[1715286684]

1715286684

[1715286684]

1715286684

[1715286684]

1715286684

[Sukrim]

There is a much more real threat than CPUs and GPUs: FPGAs. While not as efficient as ASICs, they are far more abundant especially in organizations that run highly specialized code to crack cryptography and they can be repurposed.

The reason this attack from the OP won't work is on one hand that the chain won't even get longer than the current one (it likely has to stay at difficulty 1 for a long time and that means embedding timestamps exactly 10 minutes aparts since Satoshi's genesis block) while the current block chain has been mostly going faster than it should. Also it won't get enough work done to take over unless there is some SERIOUS computing power behind. It might be doable but then again even if the system automatically switches to the fork, most people won't like that (as all balances would be gone for example), so likely people would manually switch back to the existing chain. The person contolling the computing power then could 51% attack this chain, but that's all. it is not very likely that anyone would use a chain from Satoshi genesis for long and once it is published, people will oppose it. You could seriously confuse a few servers of course, but at quite a hefty price tag.

[FenixRD]

There is a much more real threat than CPUs and GPUs: FPGAs. While not as efficient as ASICs, they are far more abundant especially in organizations that run highly specialized code to crack cryptography and they can be repurposed.

The reason this attack from the OP won't work is on one hand that the chain won't even get longer than the current one (it likely has to stay at difficulty 1 for a long time and that means embedding timestamps exactly 10 minutes aparts since Satoshi's genesis block) while the current block chain has been mostly going faster than it should. Also it won't get enough work done to take over unless there is some SERIOUS computing power behind. It might be doable but then again even if the system automatically switches to the fork, most people won't like that (as all balances would be gone for example), so likely people would manually switch back to the existing chain. The person contolling the computing power then could 51% attack this chain, but that's all. it is not very likely that anyone would use a chain from Satoshi genesis for long and once it is published, people will oppose it. You could seriously confuse a few servers of course, but at quite a hefty price tag.

It'd take a lot of FPGAs to present an issue, and it would cost far more than contracting to have an ASIC built for you personally. Unless you have access to tens of thousands of recent FPGAs, it's not gonna happen either. And then it would still be more valuable to help the network. For that, FPGAs are valuable if you can get free electricity. We had several hundred Stratix-IIIs that were just sitting in a closet, since we're all using the V and 10 now for development. Me and my brother repurposed them for mining. We have a 300-acre plot of land in Texas and the facilities are powered by a custom solar setup. We used to sell back to the grid but we configured it so that now any excess electricity is used by the mining setup.

The only conceivable attack that I've heard in 5 years is the "wealthy Joker" attack, where the attacker is incredibly well-financed and intends to blow orders of magnitude more money than they could have made, in the process of wreaking havoc. This is why, to me, it was so important that both China and the US have mutual sentiment about Bitcoin, whatever that sentiment was.

[MoonShadow]

I think, when discussing the possibility of attack with people (even engineers) new to Bitcoin, it is important to mention both. There is the level of security provided by the truly staggering power of the network, in the sense that it is fair to say that even the NSA and world governments could not attack it with their general-purpose supercompute assets; and then follow that up with the caveat that (1) we're all watching quantum compute developments very closely, because they change things, and (2) in the meantime there are ASICs, and then quickly discuss exactly what gmaxwell just stated, and note that while perhaps there is not the necessary supply in existence for an organization to buy enough Avalons etc. to perform an attack, the cost is within some extreme budgets (extreme for people, but not organizations).


I'll add a (3) to that as well, which is that, while estimates based on trying to buy ASIC hashpower at retail may result in a $15M order and a long backorder, it would cost less than that to hire an experienced ASIC design team for a year and to have your own ASICs spun, if you personally wanted that kind of volume. My team could have tapeout in 3 - 6 months, implement a usually-necessary metal revision in another 1 - 2, and I can guarantee it would equal or outperform the best on the market, all for probably $1.5M in total engineers' salaries and another few million (2 -3 maybe) for the silicon. I may be vastly overestimating the complexity of putting these functions on an ASIC, so probably it could cost less, or just be engineered to a T and mop the floor with the current entrants. I haven't looked closely at it because Broadcom and our other two primary contract-employers have never tried to pay us to do it

The US government in particular "owns" a large amount of (mostly rad-hardened) ASIC fab capacity itself, probably more than enough than is necessary, if they wanted to use it. We're safe from all the probable attacks, and most of the improbable ones. There are a couple outlandish scenarios that are possible, like that one. The question is why they would attack the network when more money is to be made in securinghashing algoit, which is one of the key design principles laid out by Satoshi in the first place. Until someone can demonstrate a method in which this is false, we only need to worry about the Joker showing up ("some people just want to watch the world burn"), with the resources to do it.

Addressing all three of your points at once.  Not only did Satoshi foresee the quantum computing risks concerning bitcoin, he provided a path to deal with such issues.  There is an upgrade path for the primary hashing algo, including "hooks" in the existing code to permit a second algo to be added in series to the current SHA256.  Whatever algo that best deals with the most likely threat, be it quantum computing or private asic farms, cna be chosen to be added to the system without so much as stopping the blockchian.  A similar algo upgrade path was provided for with regard to the address keypair algos.  (the leading charachter is currently always a "1", this tells the bitcoin network what address version is in play, although currently no other choice exists)

[gmaxwell]

the leading charachter is currently always a "1"

Or a "3", because we've already used this forward compatibility once, for P2SH, to make payments to escrows and other complex scripts as easy as regular ones.

[FenixRD]

I think, when discussing the possibility of attack with people (even engineers) new to Bitcoin, it is important to mention both. There is the level of security provided by the truly staggering power of the network, in the sense that it is fair to say that even the NSA and world governments could not attack it with their general-purpose supercompute assets; and then follow that up with the caveat that (1) we're all watching quantum compute developments very closely, because they change things, and (2) in the meantime there are ASICs, and then quickly discuss exactly what gmaxwell just stated, and note that while perhaps there is not the necessary supply in existence for an organization to buy enough Avalons etc. to perform an attack, the cost is within some extreme budgets (extreme for people, but not organizations).


I'll add a (3) to that as well, which is that, while estimates based on trying to buy ASIC hashpower at retail may result in a $15M order and a long backorder, it would cost less than that to hire an experienced ASIC design team for a year and to have your own ASICs spun, if you personally wanted that kind of volume. My team could have tapeout in 3 - 6 months, implement a usually-necessary metal revision in another 1 - 2, and I can guarantee it would equal or outperform the best on the market, all for probably $1.5M in total engineers' salaries and another few million (2 -3 maybe) for the silicon. I may be vastly overestimating the complexity of putting these functions on an ASIC, so probably it could cost less, or just be engineered to a T and mop the floor with the current entrants. I haven't looked closely at it because Broadcom and our other two primary contract-employers have never tried to pay us to do it

The US government in particular "owns" a large amount of (mostly rad-hardened) ASIC fab capacity itself, probably more than enough than is necessary, if they wanted to use it. We're safe from all the probable attacks, and most of the improbable ones. There are a couple outlandish scenarios that are possible, like that one. The question is why they would attack the network when more money is to be made in securinghashing algoit, which is one of the key design principles laid out by Satoshi in the first place. Until someone can demonstrate a method in which this is false, we only need to worry about the Joker showing up ("some people just want to watch the world burn"), with the resources to do it.

Addressing all three of your points at once.  Not only did Satoshi foresee the quantum computing risks concerning bitcoin, he provided a path to deal with such issues.  There is an upgrade path for the primary hashing algo, including "hooks" in the existing code to permit a second algo to be added in series to the current SHA256.  Whatever algo that best deals with the most likely threat, be it quantum computing or private asic farms, cna be chosen to be added to the system without so much as stopping the blockchian.  A similar algo upgrade path was provided for with regard to the address keypair algos.  (the leading charachter is currently always a "1", this tells the bitcoin network what address version is in play, although currently no other choice exists)

Yes, I didn't mean to imply that I believe quantum compute is an "issue", at least not if we define "issue" as "thing which breaks Bitcoin". These are just the things an engineering-minded individual, and some more rational and logical individuals, will inevitably need to hear and understand before accepting Bitcoin. QC would shake up the ecosystem for a few days, tops, as everyone got up to speed on the new aspects, and it wouldn't even be that long if QC doesn't show up on the scene largely unannounced.