On Bitcoin’s Fee-Based Security Model — Part 3: Bitcoin vs. The State

Is proof-of-work mining a good security strategy vs. adversarial nation-state actors?

Joe Kelly
Nov 21, 2021

← Part 2: Security vs. What?

Double-spending is the “easy” problem of Bitcoin security. State/military attacks are the hard problem. I’ll try to keep this relatively brief because I’ve written about it before, but proof-of-work mining is not a good security strategy vs. the state.

Bitcoin vs. The State: A Short Story

There are two kinds of attack that a nation-state actor (or group) might want to engage in vs. the Bitcoin network which diverge from the strictly profit-maximising behaviour the security model expects:

  1. Censorship of transactions
  2. Denial of service

You need a majority of hash rate for either one. So both are easier to accomplish, logistically, the lower the security budget is. But unless the security budget is something truly astronomical, at the end of the day it doesn’t make that much difference in the grand scheme of things.

In other words, as Lyn Alden correctly points out in her piece on Bitcoin’s security model, the obstacle to a nation-state attack on Bitcoin is the difficulty and cost of getting the majority of hash rate in the first place. But that difficulty and cost is significantly overestimated — it’s nowhere near as costly as it might seem on the face of it.

We’ll look at that first, then the two attacks in order.

1) Getting Majority Hash Rate

Ignore the government’s ability to use force, regulate semiconductor supply chains, seize miners, etc. Those are significant factors, but even without them we can simply look at it in terms of straightforward economic participation in the open network.

i. Cost

The cost of acquiring majority hash rate is paid in time, not money. If someone is willing and able to mine at a slight loss for a few years, they will grow to dominate the network, putting all for-profit miners out of business.

In other words, if you decide to continuously overpay and “overmine” vs. the value of block rewards, your action — your excessive investment — will make mining unprofitable not just for you but for everyone else, so for-profit actors get squeezed out of the market over time.

You only have to marginally outbid the other market participants. For-profit actors aren’t looking for a negative yield: they’re not looking to spend (the equivalent of) 100 BTC on a mining operation to have it return <100 BTC in time when they can simply hold BTC in that same period and be better off. But you are, because incurring that small cost is part of a larger plan.

E.g. Simplified and using round numbers: Say the breakeven price of latest-generation ASICs is $10,000 per unit. If you’re willing to pay $10,005 per unit, then you will get all the ASICs and price out all for-profit actors. In time you recover $10,000 of that cost (via mining) and the net price you paid for each unit is $5.

Realistically, as stated above, miners are operating with a margin, they’re not looking to break even. So you may even end up turning a small profit. Either way, continue doing this over time and you’ll acquire majority hash rate for little-to-no cost. Then from there you can do with it what you want on-chain.

ii. Location

Everything on this page can be done from anywhere on earth, and the above process of deliberate over-investment can be started at any time.

China may have a hash rate of 0 today after its recent mining ban but that doesn’t tell us what their hash rate will be in 2040 — as long as you have the energy, you can go from 0 to majority in a relatively short period of a few years. And on this side of the world, Quebec, Canada is apparently a good spot, going by arguments that Bitcoin advocates themselves use when defending the network’s energy use as insignificant.

Point being, even with the security budget at today’s very high level, when push comes to shove, many larger individual nation states have the capacity (including excess cheap/unused energy) to take the actions listed here on their own — no grand conspiracy or coordinated effort between all nation states around the world is needed.

2) Censoring Transactions

To censor transactions on the Bitcoin network you have to monopolise block production. You have to use your majority of hash rate to mine in a way that means no-one else in the world gets to add their blocks to the chain — only your blocks ever get included.

i. Monopoly Mining

The strategy to mine 100% of blocks (and collect 100% of the mining rewards) is to override everyone else’s blocks as they appear:

  1. Mine 1–3 blocks (or more) ahead of the current chain tip but don’t announce these blocks to the network yet
  2. Wait for another miner to announce a block
  3. As soon as they do, announce 1 of the blocks you’re withholding (this will temporarily create two competing forks of the same length)
  4. Wait for whichever comes first: i) another miner announces a block, or ii) 8 minutes have elapsed (shorter than the expected 10-minute interval)
  5. Announce +1 of your blocks
  6. Repeat

If you have the majority of hash rate (say 60:40), the result of this pattern of activity is that all of the blocks by other miners get continuously reorg’d away a short time after they’re produced, i.e. over-written by yours. All of their work gets discarded and the chain ends up being 100% composed by you.
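Seen from a monitoring node, the reorg pattern described above shows up as two signals at once: a stale-block rate far above normal, and an active chain built almost entirely by one producer whose own blocks never go stale. The check below is an added example, not code from the original article; the tuple layout, the miner tags, the sample data and the thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed observations from one monitoring node: (height, miner_tag, status).
# Status names follow Bitcoin Core's getchaintips vocabulary ("active" = on the
# best chain, "valid-fork" = fully validated but reorged out). Miner tags are an
# assumption: real attribution relies on self-reported coinbase data.
NORMAL = [(100, "A", "active"), (101, "B", "active"), (102, "C", "active"),
          (103, "A", "active"), (103, "D", "valid-fork"), (104, "B", "active"),
          (105, "A", "active"), (106, "C", "active"), (107, "D", "active"),
          (108, "A", "active"), (109, "B", "active")]
# Every height has a minority block that was displaced by a block from "A".
MONOPOLISED = [blk for h in range(100, 110)
               for blk in ((h, "BCD"[h % 3], "valid-fork"), (h, "A", "active"))]


def reorg_report(blocks, window):
    """Summarise stale-block and producer concentration over recent heights."""
    top = max(h for h, _, _ in blocks)
    recent = [b for b in blocks if b[0] > top - window]
    active = Counter(m for _, m, s in recent if s == "active")
    stale = Counter(m for _, m, s in recent if s == "valid-fork")
    if not active:
        raise ValueError("no active-chain blocks in window")
    leader, leader_blocks = active.most_common(1)[0]
    return {
        "stale_rate": sum(stale.values()) / len(recent),
        "leader": leader,
        "leader_share": leader_blocks / sum(active.values()),
        "leader_stale": stale[leader],
        "others_stale": sum(stale.values()) - stale[leader],
    }


def monopoly_pattern(report, max_stale=0.10, max_share=0.90):
    """True when others' blocks keep going stale while one producer owns the chain.

    Both thresholds are illustrative assumptions, not calibrated values.
    """
    return (report["stale_rate"] > max_stale
            and report["leader_share"] >= max_share
            and report["leader_stale"] == 0
            and report["others_stale"] > 0)


if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("monopolised", MONOPOLISED)):
        rep = reorg_report(sample, window=10)
        print(name, rep, "ALERT" if monopoly_pattern(rep) else "ok")
```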

Note: Strictly speaking, this monopoly strategy is the max-profit strategy within the rules of the protocol regardless of censorship by any nation-state actor(s). I.e. You make the most money if you monopolise block production in this way but construct your blocks completely normally and don’t censor any transactions.

This strategy means the blockchain only moves forwards when other miners mine a block — i.e. new blocks get added to the chain at whatever speed the 40% minority of miners produces them. But at the same time those other miners ultimately have no real incentive to mine blocks, because they never earn any rewards when they do: every time they mine a block, it gets discarded soon after. So…

  • Other miners (unable to obtain any revenue) switch off operations
  • The total minority output shrinks
  • Block production slows dramatically and there’s a big drop in difficulty

At lower difficulty, the pattern of activity is still exactly the same: someone else produces a block and you override it with a heavier chain. The only difference at lower difficulty is that the game costs less to play.

Notice that when you let the difficulty drop to artificially low levels like this — way below the natural price level and much less than what you’re capable of producing at full blast — you increase your profit margin, as you have to output less work to earn the same rewards.

Ultimately it’s up to you to decide how low to let the difficulty fall before you resume adding blocks ‘normally’ (i.e. without waiting for a minority miner to announce a block first).

ii. Transaction Fees

Left to its own devices, the Bitcoin network naturally incentivises non-censorship via transaction fees. I.e. There is always necessarily a greater financial reward available to miners who don’t censor any transactions — they simply earn more in fees. So does that mean Bitcoin is therefore automatically censor-resistant?

No. It’s true that if you choose to censor transactions you are leaving some money on the table. But that’s not the whole picture: the ability to censor transactions has real-world value to the censor which by definition they’ve decided is worth more than the fees (otherwise they wouldn’t be doing it).

Plus with the above strategy, if you’re monopoly mining, you’re already turning a large profit anyway — far larger than the slim margins you get via normal, competitive mining — so your censoring operation isn’t unprofitable, it’s just less profitable than it would be.

iii. Extra Transaction Fees

There’s a potential best-of-both-worlds option here, where instead of simply stopping transactions from your blacklisted addresses, you require them to pay a significantly higher fee — a hurdle rate above which you will process them.

This effectively amounts to a tax on those addresses/participants and if successful it would actually increase your fee revenue as the censor.

iv. Accidental Death

But if you can censor transactions, doesn’t that sort of defeat the purpose of the blockchain? Isn’t the whole point of the system that it’s meant to be open and neutral?

Yes. If you take the above actions, you risk destroying the value proposition of Bitcoin and making it not worth participating in. Safe to say that’s probably a risk that an adversarial nation-state actor is willing to take.

3) Denial of Service

Denial of service (where the goal is to prevent the network from functioning) involves using the same monopoly mining strategy as above, only this time you allow the difficulty to keep dropping — the lower the better. You don’t step in and resume mining blocks ‘normally’ again at any point.

Instead, once the difficulty is as low as it will go (and producing blocks is as cheap as it gets) you start disrupting things, creating the maximum of chaos and minimum of usability and assurances to end users:

  • Double-spend relentlessly across any and all available targets
  • ‘Purge’ some % of transactions from the chain at random: I.e. Pop transactions out of the blockchain after they’ve had many confirmations, and then don’t re-confirm those transactions (this is effectively a way of creating a double-spend for other people who you don’t know)
  • Censor addresses at random, or be targeted about it and impose specific sanctions, or both

Obviously this is value-destroying for the network, making it unreliable and practically unusable. And as value stops flowing into what is now a dysfunctional system, it gets cheaper to continue the denial of service attack, creating a vicious cycle. I.e. The lower the price of BTC, the lower the value of mining rewards (measured in $) to incentivise other miners. (Although you’re already in the way of their incentive anyway with your monopoly mining.)

Some people imagine that you’d have to “continue with the attack forever at a cost of billions and billions of $” to keep Bitcoin contained, but that’s not the case, because:

  1. You only have to create a situation where the incentives dissuade the other miners in the world from mining
  2. You’re ultimately still earning 100% of the rewards (whatever they’re worth) with the monopoly mining strategy anyway

At the end of the day, as long as other miners know you’re willing to expand your operation and over-spend vs. the value of block rewards if you need to in order to defend your monopoly position and fulfil your objective of preventing the network from functioning, there’s no incentive for any for-profit miner to try and compete with you — they’re not going to be rewarded.

NB: Game Theory = Broken

Notice how the incentive structure identified in Part 2 of this series breaks down in adversarial conditions. I.e. The critical disincentive to attack that usually protects the network vs. double-spending — the risk of a crash in the price of BTC after the attack — is flipped on its head when your goal is sabotage: a crash is precisely what you want to happen.

As the adversary, any cost which you ultimately end up bearing here is similar to firing multi-million-dollar missiles which you don’t expect to get back.

4) Defence

I looked at specific defensive actions in much more detail in Part 3 of my ‘How To Kill Bitcoin’ series (skip to the end of the article) — things like changing the hashing algorithm, etc. (which won’t work by the way).

In short, an attack by the state can in theory be defended against by closing off the network in some way (sacrificing openness, neutrality, immutability, etc.) and essentially introducing an authority of some kind that overrides the heaviest chain rule. But then security in that case clearly isn’t coming from the proof-of-work as intended — that’s not Bitcoin, it’s something else.

Satoshi explains why proof-of-work matters (link)

The goal was to engineer an objectively verifiable digital commodity native to the internet. If instead of that what you want is some sort of conceptual device by which mob-rule can hopefully be coordinated towards the moon, then you don’t need proof-of-work as the source of security — some other mechanism is fine (and probably better/more cost-effective).

But it’s not clear whether such a system will be stable in time. Immutable means immutable — that’s the price of achieving what Szabo calls social scalability. Who knows what happens to a system which isn’t immutable but is really, underneath it all, governed by fork according to the will of the economic majority; a system where rules can in fact be changed arbitrarily but — we must all promise — only When It’s Really Needed™?

Nick Szabo explains why immutability matters (link)

For what it’s worth, I share Nick’s view that this seems fundamentally self-contradictory and that it’s highly likely to be unstable. It will ‘work’ during a gold-rush honeymoon period of course, where everyone is artificially coordinated by the overwhelming gravity of the prospect of becoming very rich in the near future (i.e. what we see today). But it wouldn’t work when subjected to real pressure — to the challenges of real-world, economically meaningful conditions involving life and death decisions.

5) Fallback Value

A final note on another common misperception of cost: the downside of attempting an attack is actually pretty limited.

Worst-case scenario, if it turns out that your attack fails for some reason, it’s not a financial disaster because you can always just give up and go back to mining normally.

6) Regulation

i. AML

An AML-compliant Bitcoin fundamentally makes no sense. The purpose of a blockchain is to remain completely open and neutral and (thereby) to grant individuals the freedom to defy any top-down governance structure, public or private, that might be imposed on their financial activity.

Even if the system isn’t quite there yet technologically, that is the direction in which it’s necessarily heading — that’s its engineering telos. The severe inefficiency of its design simply doesn’t make any engineering sense apart from that goal.

In short, regardless of what people might say, this technology doesn’t really allow any middle ground in which regulation might “find a balance”. If it enables you to evade bad governance, it enables you to evade good governance. That should be obvious. So finding the right balance is more than a tall order for regulators — it’s a nonstarter. In amongst all the lobbying efforts by the crypto pressure group, what’s really happening ultimately boils down to something along the lines of:

“Dear Government,

Can you please provide a clearer regulatory environment for our regulation-circumvention technology?

Enthusiastic Cryptocurrency Guy”

When it’s actually spelled out like that, it’s clearly a farcical request. The picture has become significantly clouded due to individual financial incentives, uncompromising political beliefs about the primacy of individual freedom, and all of the cleverly-worded arguments people make in order to advance the agenda of those two things. But it is what it is.

To put it in more direct terms, if you’re not able to evade your government, then when push comes to shove any financial benefit you might theoretically derive from the currency’s fixed supply of 21m can be taken away. I.e. It can be made arbitrarily disadvantageous to hold BTC, via the tax code, such that it ultimately works out no different (or worse) than if you’d just held $/£/€.

ii. Ban

Realistically, aside from any of the on-chain actions described here, a widespread commercial ban in the major economies of the world would likely be devastating to Bitcoin. Cutting it off from the banking network, disallowing businesses from holding or transacting in it, etc. would prevent Bitcoin from obtaining the scale it needs to survive, putting it on a predictable path to eventual security failure, given its fee-based security model.

We still don’t know whether that’s going to happen or not — governments clearly still haven’t made sense of it all and the crypto pressure group’s self-styled information insurgency means that making sense of it is very difficult.

But either way, ban or no ban, the point of this article series is to dig into the economics of the transaction fee market and how it relates to security, so now that we have an understanding of what is actually being secured against, let’s do that.

Part 4: The Unhampered Fee Market →
(⚠️ Work in progress…)

Thank you for reading. Please clap and share and stuff, and maybe ask your favourite Bitcoiner of Great Name and Standing for an answer to the questions raised here.

Follow me on twitter @joekelly100 for updates.