Was the time warp attack the only reason it was not safe to compare chains by length?

5

2

One of the weaknesses of bitcoin listed on that wiki is that it was once vulnerable to the time warp attack. This attack lets a miner with >50% of the hash power to solve many more blocks in a short amount of time, essentially gaining a higher than appropriate reward. It can also be used to create a chain that is extremely long very quickly while keeping the difficulty low.

Was the time warp attack the only reason it was not safe to compare chains by length? Asked a different way, if the time warp bug was fixed in bitcoin, would comparing chains by length always produce the same result as comparing by work done?

Relevant: Theymos suggests in this answer:

Satoshi didn't initially realize that choosing the correct chain by just counting blocks allows for some extremely easy attacks. Version 0.1 just counted blocks. That's why the paper just says "longest". The idea of "chain work" was added a little later.

morsecoder

Posted 2015-02-10T04:41:07.527

Reputation: 12 624

1I'm not entirely sure this is correct and I don't have time to research it right now, but I think the answer starts with "No, because difficulty can only increase 4x or decrease 1/4x in a single 2,016-block period. This means an attacker who can start their fork back in time can create more blocks with less total proof of work than the honest chain." Anyone who wants to do the math to verify that should feel free to write the answer. :-)David A. Harding 2015-02-10T17:08:36.513

Answers

3

If the time warp bug was fixed in bitcoin, would comparing chains by length always produce the same result as comparing by work done?

No. It's easy to create a chain with more chainwork but fewer blocks. For example, lets say we have a chain with 2,016 difficulty 1 blocks. This chain is created in 20,160 minutes so the difficulty doesn't change next period, meaning that by block 4,032 we have 4032diff chainwork:

  2016 *  diff1 == 2016diff
+ 2016 *  diff1 == 2016diff
--------------------------
  4032 blocks with 4032diff

Then somebody mines an alternative chain with mining equipment that's 4 times faster, producing the first 2,016 blocks in 5,040 minutes. Difficulty increases to 4 and by block 2,521 this chain has more chain work but less blocks than the first-described chain.

  2016 *  diff1 == 2016diff
+  505 *  diff4 == 2020diff
--------------------------
  2521 blocks with 4036diff

I assume you're more interested in practical attacks against Bitcoin's mainnet chain if that chain still used longest-is-best logic. Here's an easy one:

  • The Genesis Block is dated 3 January 2009. If you mined only difficulty 1 blocks from then until now (144 blocks a day), you'd have about (144*365*6)+(30*144)==319680 blocks.

  • The "real" block chain has 342,908 blocks, a 23,228 block difference.

  • Because difficulty can only increase 4x in a single 2,016-block period, mining 23,228 blocks would only requiring going from difficulty 1 to difficulty 4**(23228 / 2016) == 4194304.

  • Although difficulty 4,194,304 sounds high. Current mainnet difficulty is 44,455,415,962. So, if I did my math right, you can create a chain longer than mainnet with roughly 0.001% of the current network hashrate.

David A. Harding

Posted 2015-02-10T04:41:07.527

Reputation: 10 154

1

Basically, you could mine most of the chain at the min difficulty and then ramp up the difficulty right at the end to get more blocks than there are on the chain. You might end up at the same difficulty, but it would be a lot easier to create the early part of the chain. You could also do something like this: https://gist.github.com/scmorse/ecd204f0a0974270ba90.

morsecoder 2015-02-10T22:30:42.917

@David A. Harding: did you really mean to write "it's easy to create a chain with more chainwork but fewer blocks"? Because then you describe how with 0.001% of the hashpower you can create a longer chain (not one with more chainwork). You also write that "with mining equipment that's 4 times faster" you can create a chain with more chainwork. So if you need more hashrate to create a chain with more chainwork, it's hard, not easy to do right? It's creating a chain with fewer chainwork but more block that is easy (from what I understand of your explanation) no!?Cedric Martin 2016-09-10T00:48:23.100

@StephenM347: regarding ramping up the difficulty right at the end... You'd end up with more blocks, the same (or higher) diff at the end but the honest chain would still have more chainwork no!?Cedric Martin 2016-09-10T00:55:42.663

@CedricMartin that is what could happen if bitcoin had a less intelligent form of chain comparison. It's not actually possible with how bitcoin works.morsecoder 2016-09-10T01:32:30.617

@CedricMartin I apologize for the confusion. I meant that it's 'easy to create a [demonstration] chain with more chainwork but fewer blocks'. You are correct that it takes more proof of work to create a chain with more chainwork.David A. Harding 2016-09-11T15:13:40.553

Asked: 2015-02-10T04:41:07.527

Viewed: 238 times

Active: 2015-02-10T22:00:20.890