by regisg 2726 days ago
It's solved for Cardano (Genesis). A new user can determine which chain to follow without relying on third parties.
2 comments

I'm skeptical of this claim.

From the Cardano paper [1] p. 47,

> Even if the attacker could find a strategy to generate an alternative chain with valid leader selection data, presenting this chain and its blocks generated at slots that are far ahead of time would not result in a successful attack since those blocks far ahead of time would be rejected by the honest stakeholders and the final alternative chain would be shorter than the main chain.

At first glance, the attacker then needs to gain the keys for almost all of the bonded stake at some point in the past. This is obviously a stricter requirement than holding keys for 2/3+ of the stake at some point in the past, but still seems remotely plausible when targeting the small set of validators in the early bootstrapping period. Remember also that these early validators could be totally cashed out of the system and thus actually have no disincentive not to sell their keys.

Actually, even controlling only 2/3+ of some past stake, the attacker can likely grind on the randomness beacon outputs (since they control all the shares) to ensure his controlled keys have near 100% of the slots in the next epoch. Then the long range fork would be of a similar or possibly even greater length than the honest fork.

[1] https://eprint.iacr.org/2016/889.pdf

How?