
Let's say that the computational power from the genesis block to the current block becomes a trivial computation in the future by some supercomputer using a new technology exclusive to it. Perhaps this is a government-funded secret project using a niche quantum computing algorithm or some other esoteric technology at the time that the rest of the world is oblivious to.

At this point, couldn't this supercomputer simply create a longer "fake" chain from the genesis block than the current Bitcoin blockchain, and broadcast this to all nodes as the valid chain to accept since it's the longest, thus invalidating all transactions since the genesis block?

Murch
user4779

1 Answer


Yes, it is a fundamental security assumption that the majority of the hashrate on the network is honest, where honest means "not collaborating to attack".

Assuming an antagonist with overwhelming hashrate appeared out of nowhere, this antagonist would be able to perform majority attacks at will against the Bitcoin network. The attacker could, for example, censor transactions, prevent other miners from earning revenue, double-spend their own funds by replacing already confirmed transactions, or drive up the difficulty and stop mining to slow down the network for everyone else. Replacing the whole blockchain from the genesis block would not be possible, because there are a few checkpoints protecting the first few years of the blockchain against changes. However, it would be possible to replace all blocks after the last checkpoint at height 295,000. Either way, that would be more of a sledgehammer approach, which may be less attractive depending on the goals of the attacker.

Under the existing consensus rules, there is no effective defense against this, because the attacker could simply restart their attack at a different height if people rallied to reject the attacker blocks. The Bitcoin project would probably be considered failed, or devolve into some construct where the best chain is selected per social consensus, which could be argued to also be a failed state, but sounds plausible.

However, this sort of scenario is unlikely to come to pass. Bitcoin's proof-of-work is based on the SHA-256 hashing algorithm. Today, mining uses dedicated hardware, so-called Application-Specific Integrated Circuits, or ASICs, which have the hashing operations implemented directly on the silicon and can only perform SHA-256d hashes. Regular computing power is many orders of magnitude less performant and energy-efficient, so all supercomputers and general computers taken together wouldn't hold a candle to the existing hashrate on the Bitcoin network. Hashing is also quantum resistant, so this frequent bogeyman also doesn't perturb us. This seems to leave the attacker only with the option to design their own designated hardware, get one or more silicon foundries to secretly produce it, and then to end up with enough chips to overwhelm the whole network. Such a massive majority attack would more likely than not fundamentally undermine trust in Bitcoin, tanking its value, at which point the attacker is sitting on hundreds of millions of dollars' worth of very expensive paperweights. It seems non-trivial to come up with this sort of funds just to essentially burn them, or to make enough money off shorting Bitcoin to make such an attack worth it, besides the challenging logistics of pulling it off in the first place.

Murch
  • There's a major error of logic in the leap from "at which point their investment becomes worthless" to "The logistics and economics of such an attack sound prohibitive". One expects the value of an investment to be zero after cashing out, that is no proof that cashing out is unprofitable. – Ben Voigt Feb 01 '22 at 22:37
  • 1
    @BenVoigt: You're sitting on hundreds of millions worth of dedicated hardware built for the sole usecase that you just completely devalued. That's some really expensive paperweights. – Murch Feb 01 '22 at 23:41
  • Yes, but how much money did you squeeze out of the network in the process of subverting it? – Ben Voigt Feb 01 '22 at 23:46
  • My napkin math suggests that even when assuming all hashrate were produced by S19 Pros, the hardware cost producing sufficient hashrate for a majority attack would be more than $5 B, today. Not really my area of expertise, but that seems a bit much to recoup by shorting Bitcoin. – Murch Feb 02 '22 at 00:01
  • @Murch That assumes that you can close out the shorts while your attack holds. More likely, nobody moves any bitcoin until the mining algorithm is changed and the chain rolled back. There's no guarantee the price will be significantly lower at the point where you can again purchase bitcoin and settle the shorts. There may not be many sellers. – David Schwartz Feb 02 '22 at 08:54
  • @DavidSchwartz: "the mining algorithm is changed and the chain rolled back" would likely create a new fork of the coin, leaving the short contracts payable in the old subverted coin. – Ben Voigt Feb 02 '22 at 15:59
  • @BenVoigt I strongly doubt that. If you were writing the short contracts, would you write them that way? – David Schwartz Feb 02 '22 at 23:12
  • @DavidSchwartz: Of course, why would anyone write a contract for future delivery of a coin that does not yet exist derived using an algorithm that has not yet been deployed (and may not yet exist)? One would have to go to considerable effort to define the deliverable using the future meaning of certain terms, and that would put the contract at risk of having its meaning significantly changed by a third party (with or without intent). If you are short 1000 shares of GOOG you have to deliver 1000 pre-split shares, you don't get to use the redefinition of "1 share" from the upcoming split. – Ben Voigt Feb 02 '22 at 23:18
  • @BenVoigt The argument cuts the opposite way for BTC though. For GOOG, it's very clear what the pre-split shares are and it's anything else that's vague. With BTC, it's very clear what the working dominant future fork is after the period of chaos (in which payments would be impossible anyway) and not likely to be clear which broken minor fork is somehow the "rightful continuation" of the original one. These contracts always need third party arbitration to make a fair outcome if something weird happens anyway -- that's what courts are for. – David Schwartz Feb 02 '22 at 23:50
  • @BenVoigt Actually, it really doesn't matter. Even if you treat the fork like a dividend or split, the person who shorted bitcoin would have to somehow manage to pay back *both* assets. The broken one would be very difficult to pay back and the working one would be expensive to pay back. So the attacker doubly loses. – David Schwartz Feb 02 '22 at 23:53
  • @DavidSchwartz: So the attacker doesn't necessarily want to short bitcoin, he could choose to squeeze those who have shorted, demanding back payment of the original unforked coin and using his control over the network to prevent the borrowers from being able to transact and close their short positions. No matter which party is winner and which is loser, the attacker has foreknowledge of the attack and can choose to be the winning party. – Ben Voigt Feb 03 '22 at 15:54
  • @BenVoigt I think both parties lose. The position would not be cancellable because the bitcoin could not be paid back. Reputable platforms would freeze markets. – David Schwartz Feb 03 '22 at 22:14
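The two mechanics the answer leans on, as an added example that is not part of the question, the answer, or Bitcoin Core: (1) a node rejects any chain that does not carry the checkpointed block hash at a checkpointed height, so a rewrite from genesis fails however much work it has, while a fork after the last checkpoint is judged purely on work; and (2) the rule is "most cumulative work", not "most blocks", so a longer chain mined at lower difficulty loses. Everything below is constructed: the toy header layout, the two nBits values (chosen so blocks mine in a few hundred hashes), the miner tags, and the checkpoint at height 3, which stands in for mainnet's last hard-coded checkpoint at height 295,000. Difficulty retargeting is deliberately not modelled, so the low-difficulty chain in scenario (3) is a stand-in for a chain mined at lower difficulty rather than something a real attacker could choose.

```python
"""Toy model of Bitcoin's chain-selection rule with checkpoints.

Added example; not code from the question, the answer or Bitcoin Core.
All blocks, difficulties, miner tags and the checkpoint height are
constructed here (height 3 stands in for mainnet's height 295,000).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def compact_to_target(nbits: int) -> int:
    """Decode an nBits compact target: 8-bit exponent, 23-bit mantissa."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(nbits: int) -> int:
    """Expected hashes per block, the quantity Bitcoin Core's GetBlockProof sums up."""
    return 2**256 // (compact_to_target(nbits) + 1)


HARD = 0x2000FFFF  # constructed "normal" difficulty: ~256 hashes per block
EASY = 0x2007FFFF  # constructed "low" difficulty: ~32 hashes per block


@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: bytes
    miner: bytes      # stands in for the coinbase/merkle root so two miners' blocks differ
    nbits: int
    nonce: int

    def hash(self) -> bytes:
        header = (self.height.to_bytes(4, "little") + self.prev_hash + self.miner
                  + self.nbits.to_bytes(4, "little") + self.nonce.to_bytes(4, "little"))
        return sha256d(header)

    def meets_target(self) -> bool:
        # Bitcoin compares the hash as a little-endian 256-bit integer against the target.
        return int.from_bytes(self.hash(), "little") <= compact_to_target(self.nbits)


def mine(prev: Block, miner: bytes, nbits: int) -> Block:
    """Brute-force the nonce; deterministic because nonces are tried from 0 upward."""
    nonce = 0
    while True:
        candidate = Block(prev.height + 1, prev.hash(), miner, nbits, nonce)
        if candidate.meets_target():
            return candidate
        nonce += 1


def extend(chain: List[Block], n: int, miner: bytes, nbits: int) -> List[Block]:
    chain = list(chain)
    for _ in range(n):
        chain.append(mine(chain[-1], miner, nbits))
    return chain


def is_valid(chain: List[Block], genesis: Block, checkpoints: Dict[int, bytes]) -> bool:
    """Check linkage, proof of work and checkpoints. Difficulty retargeting is not modelled."""
    if not chain or chain[0] != genesis:
        return False
    for prev, blk in zip(chain, chain[1:]):
        if blk.height != prev.height + 1 or blk.prev_hash != prev.hash() or not blk.meets_target():
            return False
    # A chain that has reached a checkpointed height must carry exactly that block hash there.
    return all(h >= len(chain) or chain[h].hash() == want for h, want in checkpoints.items())


def chain_work(chain: List[Block]) -> int:
    return sum(block_work(b.nbits) for b in chain)


def best_chain(named: Dict[str, List[Block]], genesis: Block, checkpoints: Dict[int, bytes]) -> str:
    """Name of the valid chain with the most cumulative work; ties keep the first seen, as nodes do."""
    valid = [(name, c) for name, c in named.items() if is_valid(c, genesis, checkpoints)]
    return max(valid, key=lambda nc: chain_work(nc[1]))[0]


def reorg_depth(old: List[Block], new: List[Block]) -> int:
    """How many blocks of `old` a node discards when it switches to `new`."""
    common = 0
    for a, b in zip(old, new):
        if a != b:
            break
        common += 1
    return len(old) - common


def run_scenarios() -> dict:
    genesis = Block(0, b"\x00" * 32, b"genesis", HARD, 0)
    honest = extend([genesis], 8, b"honest", HARD)        # heights 0..8
    checkpoints = {3: honest[3].hash()}                    # pins the honest block at height 3
    from_genesis = extend([genesis], 12, b"attacker", HARD)       # rewrite starting at height 1
    after_checkpoint = extend(honest[:4], 9, b"attacker", HARD)   # fork right after the checkpoint
    long_but_light = extend(honest[:4], 20, b"attacker", EASY)    # more blocks, less work
    return {
        # (1) More work than the honest chain, but it fails the checkpoint test...
        "rewrite_from_genesis_more_work": chain_work(from_genesis) > chain_work(honest),
        "rewrite_from_genesis_valid": is_valid(from_genesis, genesis, checkpoints),
        # ...and would be accepted by a node that enforces no checkpoints at all.
        "rewrite_from_genesis_valid_without_checkpoints": is_valid(from_genesis, genesis, {}),
        # (2) After the last checkpoint, majority work wins and confirmed blocks are discarded.
        "best_after_checkpoint_attack": best_chain({"honest": honest, "attacker": after_checkpoint}, genesis, checkpoints),
        "blocks_reorged": reorg_depth(honest, after_checkpoint),
        # (3) "Longest" is not "most work": 24 low-difficulty blocks lose to 9 normal ones.
        "lengths_long_but_light_vs_honest": (len(long_but_light), len(honest)),
        "best_vs_long_but_light": best_chain({"honest": honest, "attacker": long_but_light}, genesis, checkpoints),
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running the script prints the three outcomes: the genesis rewrite is invalid only because of the checkpoint, the post-checkpoint fork wins and throws away five confirmed blocks (heights 4 through 8), and the 24-block chain loses to the 9-block one. The `miner` field is what keeps two miners from producing byte-identical blocks under deterministic nonce search; in real headers that role is played by the merkle root over the coinbase transaction.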