The big news in the Bitcoin world, is that one entity, called GHash, seems to be in control of more than half of all of the mining power. A part of Bitcoin’s appeal has been its distributed nature: the idea that no one party is in control but the system operates through the cooperative action of a large community. The worry now is that GHash has too much power and that this could destabilize the Bitcoin system. Today I want to explain what has happened, why it provokes worry, and how I see the situation.
Let’s start by reviewing some technical background. Bitcoin relies on a data structure called the “blockchain” which is a kind of digital logbook that records all of the transactions that have occurred within Bitcoin. The blockchain is built by “mining”, a process in which participants (“miners”) compete to find a number that solves a very difficult mathematical equation. Whoever finds a solution first gets to add a block to the blockchain, and they’re rewarded with a payment of 25 Bitcoins, which is currently worth about $15,000. Then a new equation needs to be solved, and the miners race again to make a new block and collect a new 25 Bitcoins. This cycle happens every ten minutes or so.
Mining can be viewed as a kind of voting procedure, in which the miners vote on which transactions should be recognized as valid. But rather than one-miner-one-vote, the system gives each miner a voting power that is proportional to that miner’s computing power—how quickly they can test possible solutions to the equation. If one miner has 51% or more of the mining power, then that miner can always win the election and can simply decree which transactions are to be considered valid. This is called a “51% attack.”
One way to understand the potential power of a 51% attacker is to consider that they can simply change the rules of Bitcoin at any time. And the changes could in principle be drastic: a “pay me a 5% fee on every transaction” rule, or “a million new Bitcoins exist and belong to me” rule. [UPDATE (16 June 2014): I have gotten some Tweets and emails claiming that the class of attacks available to a 51%-er is much smaller, basically only double-spend attacks. I disagree. See the comments below, including the link posted by Anonymous.]
There are two counterarguments that claim that GHash’s 51% control isn’t such a serious problem.
The first, which I’ll call the “golden goose” argument, acknowledges that GHash could steal and cheat, but that that would be an irrational move. As soon as GHash starts stealing, people will notice. The public will lose faith in Bitcoin, and the value of Bitcoins will plummet. So the act of stealing will render the fruits of the theft worthless. Besides, destroying the value of Bitcoin will eliminate the $15,000-per-ten-minutes mining rewards, which GHash can collect half of by mining honestly. In this theory, cheating amounts to killing the golden goose.
The second counterargument, which I’ll call the “coalition argument”, points out that GHash doesn’t control 51% of mining power directly but instead acts as the coordinator for a “mining pool” consisting of many miners who work at the direction of GHash in exchange for GHash paying them a share of its winnings. In other words, GHash is the leader of a coalition, and its power depends on its ability to hold the coalition together.
This isn’t a knockout argument, though, because GHash might try to rake off some Bitcoins from the system, while using some of those coins to pay retention bonuses to coalition members. The economic and social dynamics of this situation are complex and undertheorized, so I don’t think we can say for sure what might happen if GHash goes down that road.
Where does this leave us?
I don’t think it would be rational for GHash to exercise its power immediately through short-term rule changes or confiscation of others’ coins. But that doesn’t mean that GHash’s 51% control is harmless. Bitcoin is governed by consensus, and the system has responded to past problems by building coalitions behind needed changes. That kind of collective governance becomes more difficult when one entity has the power to try to impose the outcome it wants—or to blow up the system entirely. It’s difficult to negotiate with a guy who is holding a doomsday device—and that’s true even if there’s a fair chance that the device will malfunction.
Mao said famously that “Political power grows out of the barrel of a gun.” In Bitcoin politics, power grows out of the exhaust fan of a mining rig. If Bitcoin is going to have stable and functional governance in the long run, it will have to find a way to keep mining power dispersed.
Concentration of mining power might not be a short-term disaster, but it is unhealthy for Bitcoin, and the community needs to address it.
I think the value-preservation arguments against a majority coalition doing Bad Things are, alas, bogus. They might work if the 51% folks were doing their bad actions in good faith — i.e. intending that the Bitcoin ecosystem maintain its value and stability indefinitely — but fail pretty immediately against a looting attack. For two related reasons: 1) the 49% also have a huge stake in the ongoing value of bitcoins, so they’re going to try to maintain belief in the integrity of the currency even when that belief is not entirely warranted; 2) there’s a large and growing ratio between the cash-flow value of bitcoin mining apparatus and the value of bitcoin balances; both are at risk in a crash, but the 51% need only have the first at risk, since they have better information about the timing of any crash.
If I were the shadowy leader of a 51% coalition, in the short run I would try a boil-the-frog approach, making small infractions or minor changes. I would also (advise my coalition partners to) hold as little BTC as possible, preferably converted into other assets through dummies so that the lack of exposure would be less obvious. Eventually there would be either a crash or a captive 49% population who would agree to arbitrary levels of skimming.
If I were particularly foresighted, I would engineer a crash, followed immediately by the acrimonious breakup of the coalition. At that point, “valueless” bitcoins could be snapped up in huge quantities. Eventually, with proper PR and the obvious nonexistence of a 51% coalition, bitcoins might regain some or all of their pre-crash value, yielding a windfall for those who had had the hard-money assets to buy them at a low price.
This cycle could probably be repeated several times.
Note that the 51% threshold has been transiently reached before, by a single pool, before dissolving. And per the “coalition argument”, some “51%” powers aren’t as strong as others, based on whether they’re assembled and contingent on others’ participation.
But further, an entity truly controlling such power could trivially camouflage its strength, by creating Sybyl pools or ‘solo’ mining. And, for most of the era of pooled mining, it would take just a few pools secretly coordinating to form a de facto 51% cartel, not evident in public pool-size estimations. (Pools have small staffs and know how to privately communicate.)
So we shouldn’t obsess over 51% power shown in the headline public pool-size numbers. Rather, the concern is best addressed by watching for any evidence of majoritarian-monopoly abuses. Fortunately, all the abuses (such as those listed in the Eyal-Sirer “How A Mining Monopoly Can Attack Bitcoin” blog post) would leave blatant evidence: in orphaned blocks, or transaction weirdness, or the pool’s necessity of advertising their power in order to enjoy the benefits (like transaction price discrimination).
And we haven’t seen that, either recently, or in prior periods of extreme concentration. For example, despite the ‘selfish mining’ strategy being accurately modeled by forum members no later than December 2010, either it wasn’t ever tried, or it was tried briefly and rapidly detected/ameliorated by the actions of miners.
So a question that’s just as interesting as “what can be done in the future to deter concentration” is: “what’s been working to deter abuses so far?”
I wouldn’t rule out the existence of a tacit, de facto “cartel for fairness”, between a small number of pool operators, each long-on-Bitcoin, able to detect and freeze-out most misbehaving upstarts. Of course a unified 51%+ mining-power entity could override such a cartel… but we’d see the blatant signs and then be in the zone of other extreme, ‘nuclear’ retaliatory options.
For example, if the blockchain was showing evidence of an anonymous entity engaging in malicious 51%-empowered abuses, a significant part of the non-mining community could likely be rallied to support a swift, surprise change of proof-of-work, instantly obsoleting all SHA256-based ASICs. Even if the new algorithm is itself subject to eventual specialization and concentration – that is, there’s still not yet a strong theoretical fix for concentration – the immediate threat will have been neutralized, and a scary precedent set for anyone thinking of building a 51% monopoly in the new technology. And the mere remotest threat of such a change may be enough to deter abuses. (That is, the *credible threat* of a hard fork, rather than an implemented hard fork itself, is what’s most important.)
> And the changes could in principle be drastic: a “pay me a 5% fee on every transaction” rule,
> or “a million new Bitcoins exist and belong to me” rule.
This is not true. The list of things you can do with a 51% attack is actually quite limited, and creating new coins out of thin air (other than the legitimate 25BTC reward per newly created block) is certainly not among them. Nor can you take bitcoins out of other people’s wallets without their consent.
You could refuse to process transactions from people you dont like, if you can reliably identify them (may be tricky if they use a proxy). Most worryingly, you could do a dual spending attack: pretend to pay somebody for a good or service, then rollback the transaction once they have held up their end of the deal. But if they are smart enough to wait for the recommended six confirmations, that will be a pretty expensive stunt to pull off, even if you are in a 51% position.
In short, the fact that a single party now has majority control of the blockchain is certainly cause for worry, but it is not *that* bad. Every block they create, still has to play by the normal rules of Bitcoin.