How To Kill Bitcoin (Part 3): No Can Defend
“But Joe, surely you don’t think Bitcoiners would just sit there and allow the attack described in Part 2 to unfold, do you? They will do something, they will innovate, the swarm of cyberhornets will defend their hive!”
Yes, agreed, true believers in the cause won’t go down without a fight and they will naturally look for a way to defend the network and their economic interests. This article is about what happens when they do.
Previous articles:
← How To Kill Bitcoin (Part 1): Is Bitcoin ‘Unstoppable Code’?
← How To Kill Bitcoin (Part 2): No Can Spend
First we’ll recap what the attack actually is, clearing up a few misconceptions, then we’ll go through some common objections and the defensive actions that are usually put forward as solutions, often by Bitcoiners of Great Name and Standing, and why those solutions aren’t as good as they sound.
Sections of this article:
- A Quick Recap — The goal, the motivation, the big-picture game theory
- So Can Governments Stop Bitcoin? — Acquiring hardware, monopoly mining, censoring transactions
- Attacking The Network — Does 51% matter? The 6 confirmations rule & what the Bitcoin Standard got very wrong, Jimmy Song’s strawman of Part 2, the on-chain game theory
- So The Plan Is — Short step-by-step summary of the attack
- Onto The Defences
— #1 Do nothing (wait it out)
— #2 Change the PoW algorithm
— #3 ASICs that can’t go backwards
— #4 UASF just like the block size war
— #5 Permissioned mining (and/or High Council of Chain Reorganisation)
— #6 Proof-of-stake
— #6½ Import the ledger into Ethereum
- Final Thoughts — Does hash rate matter or not? Burying risks under mountains of complexity, Allen Farrington’s 700-IQ brain & awaiting a rebuttal
A Quick Recap
We’re not trying to kill the peer-to-peer networking layer, because that’s stupid. We’re not going after the Bitcoin CEO, because she doesn’t exist.
We’re exploiting the network’s update/reward mechanism (proof-of-work mining), taking over a majority of hash power, and using it to destabilise the game theory, system-wide, so that things fall apart of their own accord, in a decentralised way, via the decisions and actions of the other individuals involved.
The Goal
The goal is sabotage: to act towards the network in a way that causes maximum economic damage and disruption, destroying the value proposition of the Bitcoin system for end users. The goal is to make Bitcoin unreliable and undesirable: to engineer conditions in which both mining and using the currency are losing propositions for other agents, so that normal mining operations (i.e. normal system function) can’t proceed, demand for the currency is critically impaired, and the system can’t be trusted.
The Motivation
The action is costly to the attacker, similar to firing multi-million-dollar missiles which you don’t expect to get back. The economic reasons for executing on this strategy involve exogenous incentives — e.g. a major world government, or coalition of governments, wants to defend its citizens and businesses against the effects of tax fraud, cybercrime, money laundering, terrorist financing, etc.; to preserve its ability to influence the economy via control of the money supply, respond to economic shocks, and maintain financial stability; to ensure the financial readiness of its military, etc.
NB: Whether this is the actual goal or simply the stated objective is ultimately irrelevant.
In short, we are describing an adversarial action taken by one or more nation-state agent(s) on a war footing for reasons of national defence. (Or offence if, for example, your enemy has made themselves significantly dependent on Bitcoin).
The Game Theory
The attack vector is game theoretic in the sense that it involves not only actions but information signalling which intentionally targets the incentives and behaviour of the other participants in the network — a) miners and b) users of / investors in the currency.
The basic idea is that announcing the plan of attack openly, ahead of its actual execution, is a key, impactful step.
If you introduce information into the ecosystem that shows Bitcoin is on a trajectory towards becoming dysfunctional in e.g. 6–12 months’ time because of the course of action you’re going to take, people have to evaluate that information now and take appropriate action to protect their interests long before the attack itself actually manifests.
- Is the threat credible?
- Will the attack succeed from a mechanical point of view and is the outcome predictable?
- Do I want to be invested in Bitcoin right now?
It’s usually said (as we’ll see later) that an adversarial actor would want to conceal their plans, organising and carrying out their attack covertly, so as not to alert the other participants in the network. But we’re saying that the opposite is true: you want to be overt about everything — alerting the other participants in the network is precisely the goal, because the systemic consequences of alerting them are beneficial to the eventual attack itself, making it easier, cheaper, and quicker to execute. (E.g. Lower price → lower value block rewards → lower hash rate → lower attack cost → etc.)
What matters of course, and what the rest of this article is about, is point #2: that the attack itself will ultimately succeed from a mechanical point of view — no can defend.
The General Theory of Destroyment of Interest in Money
The general framework for the attack vector described above (which applies to all blockchains) would be something like this:
If there exists a path to a successful sabotage attack, and an agent (or group of agents) that has the motivation and capacity to execute on that path, then the system is vulnerable to collapse at a moment of that agent’s (or group’s) choosing, regardless of the attack’s timeline.
In the real world, what that means is: If an adversarial government or coalition of governments can credibly demonstrate that it has now entered onto a path towards destroying the system and cratering the currency, via an assault on its operating mechanisms, then — like detecting a missile launch — that signal causes the system to collapse. It falls apart of its own accord, in a decentralised way, via the decisions and actions of the individuals involved, because it’s in each individual’s interest to abandon ship.
There may be some true believers in the cause who stubbornly cling on for ideological reasons, even if it doesn’t make any practical or economic sense, but that doesn’t change the ultimate outcome.
So Can Governments Stop Bitcoin?
If, as the whitepaper puts it, “The system is secure as long as honest [mining] nodes collectively control more [hash] power than any cooperating group of attacker nodes…”
…then the question is: Is there a path to an attacking government or cooperating group of governments controlling more hash power than honest mining nodes?
Spoiler alert: yes.
Seizing and Buying
- You can seize existing hash power from those who have it
- You can buy new hash power from those who produce it
And those two actions aren’t mutually exclusive, they’re complementary. (NB: You can also buy existing hash power from those who have it).
The majority of the existing hash power is in China, geographically concentrated where energy is cheapest. When one coal plant in Xinjiang went down recently, it knocked offline ~25% of Bitcoin’s hash rate. For the purposes of the example in Part 2 we said that 80% of the network’s total hash power was successfully seized by the attacking operation, but this was a) merely illustrative, and b) not actually important.
A strawman argument that’s put forward by Bitcoiners of Great Name and Standing on this point goes, “You couldn’t do that. You’d have to seize all the mining operations at once, otherwise you’ll arouse suspicion and miners will get away! It’s logistically impossible. Thus, governments can’t stop Bitcoin. Q.E.D., stfu, have fun staying poor, etc.”
But this is wrong.
Or rather, while it might be true that it would be logistically difficult to seize all mining operations at once, you don’t need to, so who cares because that wasn’t the question. A path to controlling majority hash rate still exists even if zero seizures are made.
The security of Bitcoin plays out game theoretically in the future supply of hash power, not the existing supply.
Anything successfully seized represents a zero-sum gain vs. the opposition, so it certainly helps, and if the CCP can immediately seize control of a majority of the existing supply, that’s the quickest path to hash power dominance. But it’s not required.
ASICs expire, power plants don’t tend to move very far from where you built them, and semiconductor supply chains are very tightly bottle-necked through a small number of fabs. Those are the conditions of the game.
The US doesn’t have the majority of existing hash power within its borders like China does, but, at the limit, if the US government simply decided it was going to buy up the entire supply of ASICs over the next 12 months and stand up a monopoly mining operation, you can’t really stop that.
I’m old enough to remember when the US gov bought up literally every single dose of Remdesivir in the fight against COVID-19 for $1.5 billion.
Monopoly Mining
It’s worth noting that buying up the entire supply of ASICs for a monopoly mining operation isn’t as expensive as people make it sound, partly because it just isn’t that much money by defence standards, but also because if you use the chips to mine normally, then you recover their cost over time. (That’s the point of mining).
Interesting fact: strictly speaking, the max-profit mining strategy according to the rules of the Bitcoin protocol is to establish a majority-hash-rate operation and aggressively defend a monopoly on block production, overriding everyone else’s blocks, collecting 100% of the rewards, and putting all other miners out of business.
NB: “Overriding everyone else’s blocks” means you purposefully withhold your blocks, only announcing them reactively — i.e. same as in the attack in Part 2, you wait for the other miners to announce a block first before overriding it with 1–2 of yours, and keep repeating. (Except they’re not empty blocks, they’re full of all the normal transactions).
With this strategy you’d go from the very thin (<5%) margins of normal, competitive mining to e.g. 30–50% margins, or even more. We’ll come back to this later with a bit more detail but for now let’s just stick with government actors obtaining majority hash power.
Even if you don’t use that aggressive strategy, and just participate normally in the mining process, if you flood the market with too much new hash rate, mining becomes unprofitable for everyone involved. I.e. You can force other miners into the red, and accelerate them shutting down operations, by simply “over-mining” and over-producing hashes vs. the value of block rewards.
NB: You can potentially buy up these ‘distressed ASICs’ on the secondary market too while you’re at it.
Over-mining would be unprofitable for you, of course, as well as the other miners, but the point is that operating at a slight loss is a small price to pay in the grand scheme of things. Unlike all the other miners in the world, you’re not doing this for profit — at least not directly. Dipping very slightly into the red on the way to your ultimate goal is just a rounding error.
Example (round numbers)
Say the total value of all block rewards is $10 billion per year. If a government-controlled operation were to produce $10.1 billion worth of hashes per year, that would definitively exclude everyone else from entering the market. So in that scenario the price of guaranteeing a monopoly on block production = just $100 million per year.
Realistically, it wouldn’t take the full $10.1 billion. $6–7 billion per year would probably do the job using the aggressive strategy (maybe even less than that) and the operation would make $3–4 billion profit. Plus you’d be in a position to decide which transactions get processed and which don’t across the whole network.
BUT if you censor transactions like that you’d be undermining the value proposition of the network in the process, since the whole purpose for it existing, and the reason for using a proof-of-work blockchain in the first place, is to ensure neutrality and to make it so that this kind of censoring action isn’t possible…
“But didn’t you just say it is possible?”
‘Yeah.’
“That doesn’t make sense.”
‘Agreed.’
“The price is like $50,000! People have collectively poured billions of dollars into Bitcoin…”
‘Yes.’
“So you’re saying the price can be that high even if in practice it doesn’t deliver on its value proposition?”
‘Exactly.’
“This is all very upsetting, I was hoping to get rich.”
‘Sorry.’
“What if we pretend it’s not really a problem, don’t talk about it, and turn the whole thing into a pseudo-religious movement instead of an engineering project?”
‘You mean so that it continues to grow anyway?’
“Yes!”
‘That could work I suppose. But I mean, that’s not exactl — ’
“Thanks, this has been helpful.”
Attacking The Network
So anyway, censoring transactions isn’t really what we’re talking about. We’re talking about sabotage, and the bottom line from the above was: there is a path to hash power dominance.
Which means the question becomes: Is what Satoshi wrote in the whitepaper wrong? Is the system in fact still secure even if Dr. Evil were to gain control of a majority of the hash power and fire it at the network like a giant “lay-zer”?
Answer: no.
The system is not secure if a malicious actor has majority hash power. You can’t trust the system to perform its intended function. You can’t rely on it to facilitate cash-like transactions in an adversarial, private setting, outside the protections of the law. And if you’re Kim Jong Un, for example, you can’t be sure that you won’t be cut off from the system or have your funds frozen.
You can’t write a program against the Bitcoin blockchain that says, “if 6 confirmations, then release funds|goods” because the malicious actor can exploit that program relentlessly. The proof-of-work your full node sees guarantees almost nothing about the settlement status of any transaction you receive because majority hash power can be used to double-spend over any number of confirmations.
No, 6 confirmations does not mean guaranteed settlement. Academic economist Saifedean Ammous may have written that it does in his book The Bitcoin Standard, misleading lots of people (including some of the biggest all-in Bitcoin megabulls), but this is very wrong.
Side note: Nick Szabo, Elaine Ou, and Nic Carter have put forward a different model of the economics of Bitcoin’s settlement assurances which, while acknowledging the 6 confirmations rule is very wrong, is also itself very wrong. More on this here.
In short, when a malicious actor or group of actors has majority hash power, the trust-free transactional system we call Bitcoin (a.k.a. ‘the currency of enemies’) is not capable of facilitating trust-free transactions, and not being capable of facilitating trust-free transactions when that’s your most basic reason for existing is quite a big problem.
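As an added illustration of the settlement point above (not code from the original post), the following Python implements the attacker-success calculation from section 11 of the Bitcoin whitepaper: the probability that an attacker holding fraction q of the hash rate eventually overtakes the honest chain after a recipient has waited z confirmations. It shows why a “6 confirmations” rule is only a probabilistic guard when q is small, and no guard at all once q reaches 0.5, where the result is 1.0 for every z; the function names and the risk-threshold helper are my own.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the network hash rate
    eventually catches up with the honest chain once a recipient has waited
    for z confirmations (the calculation from section 11 of the whitepaper).

    With honest fraction p = 1 - q, the attacker's deficit is a gambler's-ruin
    walk: for q >= p the catch-up is certain no matter how large z is, which
    is the majority-hash-power case the article describes.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash rate in [0, 1]")
    if z < 0:
        raise ValueError("z (confirmations) must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority (or exactly half): catching up is certain
    if z == 0:
        return 1.0  # zero-conf: the attacker just needs to win one race
    if q == 0.0:
        return 0.0  # an attacker with no hash rate never mines a block
    ratio = q / p
    lam = z * ratio  # expected attacker blocks while z honest blocks arrive
    total = 1.0
    for k in range(z + 1):
        # Poisson(lam) probability that the attacker has mined k blocks so far,
        # evaluated in log space so that large z does not underflow exp(-lam).
        log_poisson = k * math.log(lam) - lam - math.lgamma(k + 1)
        poisson = math.exp(log_poisson)
        # Being (z - k) blocks behind, the attacker still catches up with
        # probability ratio ** (z - k); subtract the complementary mass.
        total -= poisson * (1.0 - ratio ** (z - k))
    return min(1.0, max(0.0, total))


def confirmations_needed(q: float, max_risk: float, z_max: int = 1000):
    """Smallest confirmation count z at which the attacker's success
    probability is at most max_risk, or None if no z <= z_max achieves it.

    For q >= 0.5 the answer is always None: no number of confirmations,
    6 or 600, buys any settlement assurance against a majority attacker.
    """
    if q >= 0.5:
        return None
    for z in range(z_max + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed sample: a few attacker hash-rate fractions against the
    # confirmation depths discussed in the text (1, 6, and 600).
    print("q      z=1        z=6        z=600")
    for q in (0.10, 0.30, 0.49, 0.50, 0.80):
        probs = [attacker_success_probability(q, z) for z in (1, 6, 600)]
        print(f"{q:.2f}   " + "  ".join(f"{x:.7f}" for x in probs))
    print("confirmations for <= 0.1% risk at q=0.10:",
          confirmations_needed(0.10, 0.001))
    print("confirmations for <= 0.1% risk at q=0.80:",
          confirmations_needed(0.80, 0.001))
```

The minority-attacker rows reproduce the whitepaper's table (for q = 0.1, z = 6 gives about 0.0002), while every row at or above q = 0.5 is 1.0 regardless of depth.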
I thought you said empty blocks?
Yes, for the purposes of the example in Part 2, we said empty blocks — full censorship of all transactions — because that was the most black-and-white way of illustrating how mining can be exploited to target the incentives of all other participants in the system, resulting in an immediate and obvious total loss of functionality where miners earn no rewards and no-one can spend BTC.
But double-spending, purge attacks, monopoly mining, censorship, etc. are all important, even if their system-wide implications aren’t quite as stark. The article did say that a saboteur wasn’t limited to what was written in the empty blocks section, but, as written, it did a good job of getting the fundamental point across (i.e. in a way anyone can understand without getting lost in the weeds).
Unfortunately, despite saying that pretty clearly in two different places, and going on to articulate the bigger-picture game theory (which was meant to be the main point, as described above in the General Theory of Destroyment), this did not prevent some Bitcoiners of Great Name and Standing from strawmanning the article and reducing everything that was said to just the most naive possible conception of ‘the empty blocks attack’ and then knocking that strawman down like so:
“Obviously if there’s only empty blocks everyone will see that their transactions aren’t being processed, and everyone is then economically incentivised to look for a solution. Each node in turn will simply run the invalidateblock command — an old undocumented developer tool — to manually reject the empty chain, which is of no economic value to them, thus another chain gets created, full of transactions.
[And a rule will be written into the client to automatically invalidate empty blocks, because it’s only common sense that the attacker would immediately start attacking this other chain in exactly the same way]. (This part wasn’t included).
So the government’s empty blocks get invalidated (ignored) and a normal chain with all the transactions in it continues building. Problem solved, conspiracy theory debunked, Bitcoin is antifragile, have fun staying poor, etc.”
But this is wrong.
Or rather, while it might be true that you could programmatically identify empty blocks and write a trivial rule into the Bitcoin client that would ignore them automatically, thus thwarting such a simple strategy, that wasn’t really the point so who cares.
There are two ways to move forwards from there:
- Continue the empty blocks dialogue into the weeds — advance the strategy technically to use blocks that are not empty but nonetheless ‘null’ (Step 1: blocks that are filled with transactions which are just the attacker arbitrarily transacting with themselves)
- Discuss the general principle of what was illustrated — the intent to cause systemic disruption and destroy the value proposition for end users (using the full range of actions available, even if the system-wide implications of those actions are not as immediately obvious)
#1 is a question of two competing strategies: the defenders try to program a heuristic for telling apart the attackers’ evil blocks from normal blocks while the attackers try to develop ways of breaking and spoofing that heuristic.
You can play out that game, and the attackers can make automatic chain selection / trust-free coordination of the network as difficult and unreliable as possible for node software, if not outright impossible. It’s technically complex and maybe it would be an interesting piece of research, but it’s too much to discuss in any reasonably succinct way here.
So instead, we should skip all that minutiae and go with #2, and why empty blocks was never the important thing to focus on anyway, starting with:
The part of the attack where you announce your blocks reactively, creating a black hole of expenditure for all other miners (i.e. monopoly mining), works whether you censor all transactions, some transactions, or no transactions at all.
I.e. If, as described in Part 2, you wait for another miner to announce a block before overriding it with two or more of your own, that will starve all other miners of revenue, slow blocks down to a creep, and dramatically lower the difficulty even if you fill up your blocks completely normally.
(Plus you still earn 100% of the block rewards).
The primary target is the other miners’ incentives. You just keep repeatedly rejecting blocks until the rest of the world gets the message that spending their money to try and mine on the Bitcoin blockchain, regardless of the difficulty level, is just setting fire to their money. As the difficulty lowers, the only thing that matters to everyone involved is the knowledge that you can raise your output to higher levels, on demand.
Notice that letting the difficulty drop to these artificially low levels — way below the natural price level and much less than what you’re capable of producing at full blast — lowers your costs (and, so far as bitcoin’s price stays intact, increases your profit margin).
Of course, this action damages the value proposition of the network to end users (the secondary target) as well, because, on top of the fact that as a monopoly miner you’re in a position to censor transactions, at too-low difficulty the system is unreliable and can be double-spend attacked at will, inexpensively.
…
“Ok but tell me this… can I still get rich from it?”
‘I mean, I guess in theory you could. People value things in ways that don’t make sense all the time. But that doesn’t seem like a very good basis fo — ’
“Ahdadadah it’s fine. If there’s even a 1% chance it’s going to become the world reserve currency, the expected value is positive.”
So The Plan Is…
Step 1: Acquire majority hash power
Either immediately or over time, doesn’t matter.
Step 2: Start monopoly mining
Completely take over block production, collecting 100% of block rewards and starving all other miners of revenue. Don’t censor transactions. This step is just about further consolidating your majority position.
Step 2½ (optional): Add incentives for distressed miners
Offer $ to existing miners for their hardware. As a miner, it’s better to get paid something for your gear than nothing. (This is more polite than seizing).
Step 3: Apply the choke
Use the reactive block strategy described in Part 2 (and above just now), i.e. wait for someone else to announce a block (or two) before overriding it with two (or three) of your own. No need for empty blocks, normal is fine.
Now the blockchain only moves forwards when other miners mine a block, but at the same time other miners have no incentive to mine blocks, because they never earn any rewards when they do.
Result: Block production slows right down and there’s a steep drop off in difficulty.
Step 4: Disrupt
At low difficulty, the network is unreliable. 6 confirmations means nothing. 600 confirmations means nothing. You can cause all sorts of disorder using the massive excess of hash power under your control, generating blocks inexpensively and more or less re-writing reality at will. So…
- Double-spend relentlessly across any and all available targets
- ‘Purge’ some % of transactions from the blockchain at random after they’ve had many confirmations, and then don’t re-confirm those transactions. (But do allow the original sender to re-claim the coins and spend them again)
- Censor transactions at random, or be targeted about it and impose specific sanctions, or both — generally just introduce the maximum of chaos and minimum of usability and assurances to end users
Step 5 (optional): Signal end-of-life with empty blocks
All of the above is obviously value-destroying for the network, demolishing any semblance of neutrality and making it practically unusable. The logical result is for all of the value to flow out of (or stop flowing into) what is now a dysfunctional system that doesn’t have any real reason for existing.
Empty blocks can potentially be used as a formal signal of the blockchain’s death — as though its heart monitor has flat-lined. Even if it’s theoretically possible to add a trivial rule to the client to ‘defeat’ the empty blocks, there’s no point because you’d just be back at step 4.
NB: Empty blocks or no empty blocks, the program will have to be left running indefinitely, as described in Part 2, and — like the cost of storing radioactive waste — some nominal level of spending will have to be maintained.
Onto The Defences…
Right, that should’ve cleared up a bunch of misconceptions and answered the first set of common objections — “it’s impossible to seize all miners at once”, “it’s just too expensive”, “the empty blocks attack is easily stopped”.
Hopefully it’s also laid some useful groundwork for recognising the more subtle kind of problems that defensive suggestions often run into — undermining something systemically important about the network in a way that isn’t immediately obvious.
Note that you can overcome pretty much any attack by centralising the network around a trusted actor. BUT you’d be invalidating the most basic reason for using a blockchain in the first place. If you have a trusted authority, you can just use a normal database — going through the motions of proof-of-work mining is a (very expensive) waste of time.
Defence #1: Do Nothing
Eric Voskuil is a Bitcoiner of Great Name and Standing. He has long proposed that Bitcoin achieves censorship resistance as a consequence of transaction fees.
Reasoning: Within the Bitcoin system there is a natural financial incentive, as a miner, to not censor any transactions. A miner that censors transactions necessarily earns less revenue than non-censoring miners, because they forgo the fees from the transactions they censor. The additional fee revenue that’s available, Eric theorises, would therefore be sufficient to incentivise miners to overcome any censorship scenarios.
This doesn’t address anything to do with the strategic steps 1, 2, 3, or 4 above, an attacker’s willingness to overspend based on exogenous incentives, or the asymmetries of attack vs. defence that were explained in Part 2. And the fact that transaction fees are denominated in BTC is also a problem as the price of BTC falls. But more than one person pointed me to Eric’s article (presumably based on the empty blocks thing), and you can’t get much simpler than doing nothing, so I figured it could go first.
Doing nothing is not a solution. You have to do something.
Defence #1½: Wait It Out
A variation on the theme of doing nothing is to simply wait for it to stop because “it’s incredibly expensive to sustain an attack”. The short answer to this one is that it isn’t incredibly expensive to sustain an attack. Firstly because choking the difficulty down means block production gets cheap, and secondly because the attacker is earning all the block rewards.
Defence #2: Change The Proof-of-Work Algorithm
Andreas Antonopoulos is a Bitcoiner of Very Great Name and Standing. He has said a number of different (changing) things over the years related to nation-state attacks.
Maybe I’ll take those linked answers apart point-by-point in a separate post (or twitter thread), because fact, fiction, and rhetoric get seamlessly blurred together in them, but the summary is this:
- “It can’t be done because it’s too much computing!” — Wrong.
- “Ok fair enough, it can be done. But they can’t change the rules of the system!” — Strawman. The goal is not to change the rules of the system.
- “Ok it can be done, and they can double-spend, censor transactions, and denial-of-service the whole thing, and that’s bad, but there will be a response!” — Aha, good. What response?
“Ultimately the nuclear option is to change the proof-of-work algorithm, making the attackers’ ASICs useless and costing them hundreds of millions if not billions of dollars.”
Ok… and then what? The network is now more vulnerable. All you’ve done is restart exactly the same game at lower cost. The state will now out-produce you on the new algorithm instead, even faster.
Not to mention you just screwed all the honest miners who were invested in SHA256. So why would anyone invest in new gear to mine the new algorithm if it’s just going to predictably end up in the same place?
Changing the hashing algorithm doesn’t work.
It sounds a bit like it does, and maybe it feels emotionally satisfying to imagine the financial damage being inflicted on the attacker, but — like firing missiles you don’t expect to get back — they were always planning on losing that value anyway.
So you can waste a bit of extra time and money going through the motions of repeating the game on general-purpose hardware (i.e. GPUs instead of ASICs), since that’s the ‘best’ option available, but that itself is really a security downgrade* for the network and ultimately just a sticking plaster. The game theory is the same and the result won’t be any different.
*General-purpose hardware has other valuable uses outside of mining, so an attacker’s downside is reduced. I.e. Attacking the network doesn’t destroy the value of the attacker’s equipment, as it does with ASICs.
Defence #3: “ASICs that can’t go backwards”
Adam Back is another Bitcoiner of Very Great Name and Standing and also one of the top candidates for Satoshi. He has suggested “ASICs that can’t go backwards” (i.e. to a lower block height) as a solution to… something. It’s not clear what, since when you double-spend (or execute any of the above steps 1–5) your ASICs don’t go backwards at any point.
There’s a common misunderstanding (or misleading intuition) around double-spending that you have to go backwards and ‘dig into the past’ to undo a transaction, but that’s not how it works. Double-spending starts from now, the attacking chain moves forwards in parallel (unknown to the world), and then it’s announced any number of blocks you want into the future.
So, unless I’m missing something about what this one actually means, I’m not sure how to address it since it doesn’t appear there’s anything to address.
Defence #4: UASF (Just Like The Blocksize War)
Many Bitcoiners of Great Name and Standing go for the good old, “We already proved that miners don’t control the protocol when they failed to change the rules to increase the block size. This is old FUD.”
As explained at length in Part 2, this is not like when miners wanted to change the protocol rules to increase the block size. The Mexican Standoff game theory is flipped on its head when the attackers’ goal is to destroy.
Defence #5: Permissioned Mining (and/or High Council of Chain Reorganisation)
Now we’re onto things that Bitcoiners of Lesser Name and Standing say without realising that they’re accidentally blaspheming. This is the part that will take a bit of explaining.
“There are bad miners and good miners, so what if we just keep a list of the good miners and only accept their blocks?”
Firstly, there is no ‘we’.
The Bitcoin ‘community’ may sometimes be referred to as a whole, and people may derive a sense of belonging from participation in discussion groups and the shared feeling of achievement when number go up, but Bitcoin is no such thing. It is not a harmonious collective of one mind and purpose, it’s a disorganised body of ruthlessly self-interested and mutually distrustful individual actors, whose actions find a strategic equilibrium which can’t be exploited, though they will surely try.
It must be conceived of that way.
Secondly, a critical characteristic of Bitcoin is that the system is permissionless — anyone can participate in the network and they don’t need to obtain authorisation. The power to exercise discretion over the mining process, and determine rules by which some but not others are excluded from participating, is a problematic thing to have to govern, open to abuse, and not something a disorganised body of mutually distrustful individual actors is suited to.
That’s why you have proof-of-work, which speaks for itself, entirely independent of any human institution, grounding the system in physical reality, not social reality. The authority of proof-of-work within the system is what removes the need for any centre of power involving people and — crucially — the possibility of that power being captured by messy human values and gradually deteriorating into the Same Old Shit™ that always happens.
At least, that’s the idea…
The idea is that Bitcoin is supposed to act like a naturally occurring commodity, as stable in its existence as gold, and as socially and politically neutral as gold, that just happens to be digital. It’s supposed to be an objectively verifiable mathematical object floating around in cyberspace, under nobody’s jurisdiction and inert to human values. If human values can creep in, they will.
What are human values and what does it mean to be inert to them?
In the real world, it’s impossible for anyone to ‘program’ gold or physical cash to ‘stop working’ for Kim Jong Un, for example, even if everyone else agrees it would be good for that to happen because he acquired it by extorting hospitals and producing methamphetamine and he’s going to use it to finance development of nuclear weapons.
If it’s in his hands, he can use it.
The point of Bitcoin and its proof-of-work mining architecture is supposed to be that it achieves the same thing — that same cash-like property of whoever has it can use it, no questions asked.
We’ve already gone over why its ruleset doesn’t really achieve that in practice, and why that represents quite a big problem. But leaving that aside for a moment, censorship resistance and complete neutrality are the design goal. Like we said in Part 1, that is what the enormous technical tradeoffs are being made for and why all the inefficiency and cost is being incurred.
If you introduce a governance mechanism for deciding who gets to be a miner, who doesn’t, and why, or some sort of High Council of Chain Reorganisation with executive powers to override the authority of proof-of-work in order to undo double-spends, it becomes political — the prospect of neutrality is lost, and the question of what values the system should operate according to now has a way to creep in. You’ve opened the door to a vast universe of bad things, as The Blockfather puts it, that the technology was intended specifically to eliminate.
Can’t Be Evil
I know it sounds like I’m repeating myself but I’m going to come at this point from one more angle to make it clear. The Bitcoin architecture is supposed to have achieved ungovernability — meaning not just that governments can’t do anything about its existence but also, as importantly, that no-one is called on to make any kind of human-values-based governmental decisions about it, including you and me as its end users.
Why can’t we freeze (or burn) the funds of people who ransomware hospitals? Why can’t we exclude rogue nuclear dictatorships from the network if virtually everyone agrees it would be a good thing to do? Why can’t we take some of the 1+ million BTC that Satoshi owns from the early days and distribute it among those who need it far more than he does? By the raw numbers, a lot more people — a lot more nodes — would want that to happen than would not…
The answer is supposed to be (as if it were gold) because it’s impossible: no matter how popular an idea might be, there’s no practical way it can be done. There is just a relentlessly neutral ruleset that keeps ticking over every 10 minutes and that’s that. The process can’t be controlled by any group in a way they’d profit from. It can’t be influenced one way or the other according to messy human value judgments. It just is.
There’s no politics of good and bad blocks. No-one is called on to make a choice about whether Kim Jong Un’s or El Mencho’s transactions should be included or excluded, even if lives hang in the balance: it cannot be helped, so there’s no need to think about it. You are freed from that responsibility — it can’t be evil.
But if the power to exercise discretion over the mining process is introduced, there is then a clear way for the politics of good and bad blocks to enter into the equation. Now the question of excluding bad transactions can be asked. Now it can be evil, in the eyes of many, and everyone has to make a choice about it one way or the other. Or about who to delegate the decision to from a professional class of people who decide such things… aaaaand you’ve re-invented financial governance.
Should the atomic financial self-interest of the individual be the only factor? Or do other values matter? The idea of Bitcoin is that it frees us from the burden of that choice: it’s constructed entirely of, by, and for the financial self-interest of the individual, and its unassailable mathematical properties prohibit other values from having any say. For better or worse, as unstoppable code, it makes the decision for us.
At least, it does so far as this little piece of game theory from the whitepaper holds together…
…which it doesn’t.
It’s not unstoppable code. A sufficiently large adversary motivated by exogenous incentives, i.e. other values, can find it more profitable — in the broadest sense of the word — to undermine the system than to ‘play by the rules’.
Summary: Two Problems With Permissioned Mining
Problem #1 is that the permissioning mechanism can be abused for profit: there’s a big incentive to allow as few miners as possible and to keep the difficulty artificially low to increase margins, just like a monopoly miner. (Especially now that a higher hash rate wouldn’t actually make any difference re: security since the High Council of Chain Reorganisation means no-one can attack successfully anyway).
Problem #2, more importantly, is all the other stuff that we just covered at length. Permissioned mining means you lose the system-critical properties of openness and neutrality.
When the decision is who to follow (or what council to elect) rather than what to follow (the most proof-of-work), human values will inevitably creep into the picture. Choosing to make financial self-interest of the individual the only factor, ignoring all other values, is different from having no choice about the matter.
In practical terms, what permissioned mining means for end users of the system is that they lose the mission-critical assurances that Bitcoin is supposed to give them of uncensorable, unfreezable coins and irreversible transactions. They can’t verify for themselves, on their own, with their full node, that the mechanism that preserves those things won’t be captured.
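To make the what-to-follow / who-to-follow distinction concrete, here is an added example (my own illustration, not code from the article or from Bitcoin Core) that implements both rules over constructed chains. The nBits decoding and the per-block work arithmetic follow Bitcoin’s compact target encoding and the formula Bitcoin Core uses in GetBlockProof(); the miner labels (`pool_a`, `pool_b`, `pool_c`, `state_miner`) and the chains themselves are hypothetical. Note that the permissioned rule needs an allowlist as an extra input, and nothing in the block data lets a full node derive or check that list on its own.

```python
# Added example (not from the article): Bitcoin's "what to follow" rule
# (most cumulative proof-of-work) beside a permissioned "who to follow" rule.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


def target_from_bits(bits: int) -> int:
    """Decode the compact nBits field into a 256-bit target (Bitcoin's encoding)."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is never valid")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Work credited to one block: the expected number of hashes to hit its target.

    Same arithmetic as Bitcoin Core's GetBlockProof(): (~target / (target + 1)) + 1
    evaluated on 256-bit unsigned integers.
    """
    target = target_from_bits(bits)
    if target <= 0 or target >= 2**256:
        raise ValueError("target out of range")
    return ((2**256 - 1 - target) // (target + 1)) + 1


@dataclass(frozen=True)
class Block:
    height: int
    miner: str   # hypothetical label for who produced it; not an input to the PoW rule
    bits: int    # compact target the block satisfied


def chain_work(chain: List[Block]) -> int:
    """Cumulative work: the only quantity the proof-of-work rule compares."""
    return sum(block_work(b.bits) for b in chain)


def most_work_chain(chains: Iterable[List[Block]]) -> List[Block]:
    """Bitcoin's rule: follow the valid chain with the most cumulative work.

    Miner identity is simply not consulted. Physical reality (work) decides.
    """
    return max(chains, key=chain_work)


def permissioned_chain(chains: Iterable[List[Block]],
                       allowlist: Set[str]) -> Optional[List[Block]]:
    """'Who to follow': drop any chain containing a block from a miner not on the list,
    then pick the most work among what survives.

    The allowlist is external state. A node cannot verify it from chain data alone,
    so whoever maintains the list decides the outcome.
    """
    eligible = [c for c in chains if all(b.miner in allowlist for b in c)]
    return max(eligible, key=chain_work) if eligible else None


GENESIS_BITS = 0x1D00FFFF  # the compact target the genesis block satisfied


def demo():
    """Constructed scenario: a 3-block honest chain vs a 4-block attacker chain at equal difficulty."""
    honest = [Block(h, m, GENESIS_BITS)
              for h, m in enumerate(["pool_a", "pool_b", "pool_c"], start=1)]
    attacker = [Block(h, "state_miner", GENESIS_BITS) for h in range(1, 5)]

    by_work = most_work_chain([honest, attacker])
    by_list = permissioned_chain([honest, attacker], {"pool_a", "pool_b", "pool_c"})
    # If the list-keeper is captured (or simply adds the attacker), the same data gives a different answer.
    by_captured_list = permissioned_chain(
        [honest, attacker], {"pool_a", "pool_b", "pool_c", "state_miner"})
    return by_work, by_list, by_captured_list


if __name__ == "__main__":
    w, l, c = demo()
    print("most-work rule follows:        ", w[0].miner, f"({chain_work(w)} work)")
    print("allowlist rule follows:        ", l[0].miner, f"({chain_work(l)} work)")
    print("captured-allowlist rule follows:", c[0].miner)
```

Under the proof-of-work rule the attacker's longer chain wins on work alone, which is exactly the outcome Part 2 describes. Under the permissioned rule the honest chain wins, but only because of a list that lives outside the protocol, and changing that list flips the result without a single hash being spent. That is the point about human values creeping in, stated in code.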
…
“But didn’t you say that Bitcoin’s proof-of-work / what-to-follow mechanism can’t give its end users those assurances either?”
‘Yeah.’
“It seems like none of this makes any sense.”
‘Agreed.’
“Are you 100% sure about all this?”
‘Can’t be 100% sure.’
“Alright then. The quest continues.”
‘Good luck.’
Defence #6: Proof-of-Stake
Last but not least there’s the idea of abandoning proof-of-work and switching to a proof-of-stake mechanism.
Most Bitcoiners of Great Name and Standing don’t make this suggestion, because you can’t remove proof-of-work from the system without losing the quality of it being objectively verifiable. A proof-of-stake system isn’t grounded in physical reality, it’s grounded in social reality. And aside from the security concerns that are usually raised, it seems inevitable that, as above, human values are going to creep into the picture…
…and the human values that do creep in will be those of the richest actors in the system.
So it seems like a pick-your-poison scenario:
- A proof-of-stake system doesn’t appear to have a good way of resisting the inexorable pull of messy human values towards the Same Old Shit™ that always happens
- A proof-of-work system doesn’t appear to have a good way of resisting the (inevitable?) well-resourced push from a large adversarial force
NB: ‘Hybrid’ PoS/PoW is also suggested as a thing, but that ultimately just boils down to PoS.
Defence #6½: Import The Bitcoin Ledger Into Ethereum
Balaji Srinivasan is a Bitcoiner of Good Name and Standing (it would be Very Great Name and Standing but he publicly admits to liking Ethereum which many consider blasphemous). He has suggested, most notably in an appearance on the Hidden Forces Podcast, that you would just ‘import the Bitcoin ledger into another cryptocurrency’, e.g. Ethereum.
It’s not clear why anyone would value the Bitcoin ledger if it turns out the protocol that produced it doesn’t actually work and it’s no longer updating according to the rules. Perhaps because of how much work went into producing it? No wait, that’s Marx.
Anyway, like the labour theory of value it seems to rely on, this idea doesn’t seem to make a lot of sense. The ledger, and everyone’s stash of bitcoin, is ultimately just a bunch of meaningless strings which no-one cares about apart from their place inseparably embedded within the Bitcoin protocol as a whole, even if you can prove those meaningless strings were really hard to produce.
If it somehow turns out Ethereum works and Bitcoin doesn’t, just use Ethereum.
Final Thoughts
Does it matter or not?
Hypothetically, if it were true, as Bitcoin’s promoters claim, that majority hash power attacks like the one described above don’t really matter because they can be easily countered, then that would mean that all of the smaller networks (a.k.a. ‘shitcoins’) — like Litecoin, Dogecoin, Monero, etc. — are in fact just as secure as Bitcoin, despite having a much lower hash rate.
Why? Because exactly the same ease of countering majority hash power attacks applies in all cases: the defence is no different. There’s no point attacking Dogecoin and there’s no point attacking Bitcoin because in both cases you will predictably trigger exactly the same response and fail in exactly the same way. The only difference is scale.
The purpose of having a big security budget and high hash rate is, ostensibly, to prevent attacks. But if it were true that there is no hash-rate-based attack that can actually succeed or cause any lasting harm to the network, then in practice that high hash rate isn’t preventing anything, is it?
All of these networks have a so-called ‘social layer’ capable of the same defensive actions that are put forward for Bitcoin. If that layer is what really provides the security when push comes to shove, then realistically all that’s needed by way of mining rewards is some basic, not-very-high level of spending for anti-spam. Anything beyond that is, technically speaking, a waste: an unnecessary expenditure that buys the network no marginal security. From the attacker’s side, the cost-benefit of the attack isn’t the disincentive, the futility is: there’s no point attacking for any price if it’s not going to work.
So I’m not sure how to square the laser-eyed Bitcoiners’ claim that its monstrous hash rate makes it ‘literally the most secure thing mankind has ever created (and all those other coins can’t compare)’ with their other claim that, if that hashing defence is breached, it apparently doesn’t matter. You can’t have it both ways.
/fin
Thanks for reading.
Follow me on Twitter @joekelly100 and send any thoughts there. Please direct all insults to Allen Farrington @allenf32. He made me do it. He’s also going to use his 700-IQ brain to rebut this now so stay tuned.