The big news in the Bitcoin world, is that one entity, called GHash, seems to be in control of more than half of all of the mining power. A part of Bitcoin’s appeal has been its distributed nature: the idea that no one party is in control but the system operates through the cooperative action of a large community. The worry now is that GHash has too much power and that this could destabilize the Bitcoin system. Today I want to explain what has happened, why it provokes worry, and how I see the situation.
Let’s start by reviewing some technical background. Bitcoin relies on a data structure called the “blockchain” which is a kind of digital logbook that records all of the transactions that have occurred within Bitcoin. The blockchain is built by “mining”, a process in which participants (“miners”) compete to find a number that solves a very difficult mathematical equation. Whoever finds a solution first gets to add a block to the blockchain, and they’re rewarded with a payment of 25 Bitcoins, which is currently worth about $15,000. Then a new equation needs to be solved, and the miners race again to make a new block and collect a new 25 Bitcoins. This cycle happens every ten minutes or so.
Mining can be viewed as a kind of voting procedure, in which the miners vote on which transactions should be recognized as valid. But rather than one-miner-one-vote, the system gives each miner a voting power that is proportional to that miner’s computing power—how quickly they can test possible solutions to the equation. If one miner has 51% or more of the mining power, then that miner can always win the election and can simply decree which transactions are to be considered valid. This is called a “51% attack.”
One way to understand the potential power of a 51% attacker is to consider that they can simply change the rules of Bitcoin at any time. And the changes could in principle be drastic: a “pay me a 5% fee on every transaction” rule, or “a million new Bitcoins exist and belong to me” rule. [UPDATE (16 June 2014): I have gotten some Tweets and emails claiming that the class of attacks available to a 51%-er is much smaller, basically only double-spend attacks. I disagree. See the comments below, including the link posted by Anonymous.]
There are two counterarguments that claim that GHash’s 51% control isn’t such a serious problem.
The first, which I’ll call the “golden goose” argument, acknowledges that GHash could steal and cheat, but that that would be an irrational move. As soon as GHash starts stealing, people will notice. The public will lose faith in Bitcoin, and the value of Bitcoins will plummet. So the act of stealing will render the fruits of the theft worthless. Besides, destroying the value of Bitcoin will eliminate the $15,000-per-ten-minutes mining rewards, which GHash can collect half of by mining honestly. In this theory, cheating amounts to killing the golden goose.
The second counterargument, which I’ll call the “coalition argument”, points out that GHash doesn’t control 51% of mining power directly but instead acts as the coordinator for a “mining pool” consisting of many miners who work at the direction of GHash in exchange for GHash paying them a share of its winnings. In other words, GHash is the leader of a coalition, and its power depends on its ability to hold the coalition together.
This isn’t a knockout argument, though, because GHash might try to rake off some Bitcoins from the system, while using some of those coins to pay retention bonuses to coalition members. The economic and social dynamics of this situation are complex and undertheorized, so I don’t think we can say for sure what might happen if GHash goes down that road.
Where does this leave us?
I don’t think it would be rational for GHash to exercise its power immediately through short-term rule changes or confiscation of others’ coins. But that doesn’t mean that GHash’s 51% control is harmless. Bitcoin is governed by consensus, and the system has responded to past problems by building coalitions behind needed changes. That kind of collective governance becomes more difficult when one entity has the power to try to impose the outcome it wants—or to blow up the system entirely. It’s difficult to negotiate with a guy who is holding a doomsday device—and that’s true even if there’s a fair chance that the device will malfunction.
Mao said famously that “Political power grows out of the barrel of a gun.” In Bitcoin politics, power grows out of the exhaust fan of a mining rig. If Bitcoin is going to have stable and functional governance in the long run, it will have to find a way to keep mining power dispersed.
Concentration of mining power might not be a short-term disaster, but it is unhealthy for Bitcoin, and the community needs to address it.
I think the value-preservation arguments against a majority coalition doing Bad Things are, alas, bogus. They might work if the 51% folks were doing their bad actions in good faith — i.e. intending that the Bitcoin ecosystem maintain its value and stability indefinitely — but fail pretty immediately against a looting attack. For two related reasons: 1) the 49% also have a huge stake in the ongoing value of bitcoins, so they’re going to try to maintain belief in the integrity of the currency even when that belief is not entirely warranted; 2) there’s a large and growing ratio between the cash-flow value of bitcoin mining apparatus and the value of bitcoin balances; both are at risk in a crash, but the 51% need only have the first at risk, since they have better information about the timing of any crash.
If I were the shadowy leader of a 51% coalition, in the short run I would try a boil-the-frog approach, making small infractions or minor changes. I would also (advise my coalition partners to) hold as little BTC as possible, preferably converted into other assets through dummies so that the lack of exposure would be less obvious. Eventually there would be either a crash or a captive 49% population who would agree to arbitrary levels of skimming.
If I were particularly foresighted, I would engineer a crash, followed immediately by the acrimonious breakup of the coalition. At that point, “valueless” bitcoins could be snapped up in huge quantities. Eventually, with proper PR and the obvious nonexistence of a 51% coalition, bitcoins might regain some or all of their pre-crash value, yielding a windfall for those who had had the hard-money assets to buy them at a low price.
This cycle could probably be repeated several times.
Note that the 51% threshold has been transiently reached before, by a single pool, before dissolving. And per the “coalition argument”, some “51%” powers aren’t as strong as others, based on whether they’re assembled and contingent on others’ participation.
But further, an entity truly controlling such power could trivially camouflage its strength, by creating Sybyl pools or ‘solo’ mining. And, for most of the era of pooled mining, it would take just a few pools secretly coordinating to form a de facto 51% cartel, not evident in public pool-size estimations. (Pools have small staffs and know how to privately communicate.)
So we shouldn’t obsess over 51% power shown in the headline public pool-size numbers. Rather, the concern is best addressed by watching for any evidence of majoritarian-monopoly abuses. Fortunately, all the abuses (such as those listed in the Eyal-Sirer “How A Mining Monopoly Can Attack Bitcoin” blog post) would leave blatant evidence: in orphaned blocks, or transaction weirdness, or the pool’s necessity of advertising their power in order to enjoy the benefits (like transaction price discrimination).
And we haven’t seen that, either recently, or in prior periods of extreme concentration. For example, despite the ‘selfish mining’ strategy being accurately modeled by forum members no later than December 2010, either it wasn’t ever tried, or it was tried briefly and rapidly detected/ameliorated by the actions of miners.
So a question that’s just as interesting as “what can be done in the future to deter concentration” is: “what’s been working to deter abuses so far?”
I wouldn’t rule out the existence of a tacit, de facto “cartel for fairness”, between a small number of pool operators, each long-on-Bitcoin, able to detect and freeze-out most misbehaving upstarts. Of course a unified 51%+ mining-power entity could override such a cartel… but we’d see the blatant signs and then be in the zone of other extreme, ‘nuclear’ retaliatory options.
For example, if the blockchain was showing evidence of an anonymous entity engaging in malicious 51%-empowered abuses, a significant part of the non-mining community could likely be rallied to support a swift, surprise change of proof-of-work, instantly obsoleting all SHA256-based ASICs. Even if the new algorithm is itself subject to eventual specialization and concentration – that is, there’s still not yet a strong theoretical fix for concentration – the immediate threat will have been neutralized, and a scary precedent set for anyone thinking of building a 51% monopoly in the new technology. And the mere remotest threat of such a change may be enough to deter abuses. (That is, the *credible threat* of a hard fork, rather than an implemented hard fork itself, is what’s most important.)
Well said. You’re making what I think is the best argument for non-panic.
I agree that many of the abuses of mining monopoly power would be evident to the public, and that we haven’t seen them happening yet. But there are other kinds of abuses that rely on back-room threats, which could be less visible.
While I agree that the system seems to have worked so far, I don’t think that is a firm enough foundation on which to build a cryptocurrency. The cost of reacting to abuses by (e.g.) suddenly switching to a new proof-of-work system would be substantial, and it is not a given that the community could agree on a single new PoW system and switch over quickly in practice. It seems better to be looking now for ways to strengthen the system against monopolization, for example by looking for a practical proof of work system based on non-outsourceable puzzles.
I’m hoping to write a longer post about these issues. Stay tuned.
Definitely, work on further fortifications is important. Though, without full appreciation for the behaviors seen so far, some worrisome and some valuable, supposed solutions could backfire.
For example, I’m not certain non-outsourceable proof-of-work helps. Lots of participants in this ecosystem don’t sweat the details: they just do more of what seems to make them more money, and less of what seems to net them less. If a hosted-mining provider seems ‘unlucky’, they’ll only be driven away if some other provider is less unlucky. That reliance on reputation rather than math could ultimately benefit the largest, longest-lived providers – feeding rather than undermining concentration.
Similarly, if a pool participant can steal a solution from the pool operator, only pools with effective enforcement tricks will be able to offer the variance-reduction people want. One such trick might be: feed participants work-units with imminent known solutions, and see if they honestly report the result, or try to ‘steal’. And, if they try to steal, try to race their theft on the network. Who could most reliably win such races? A large pool operator working in secret concert with other large pool operators. Alternatively, a pool operator could require real identities or forfeit-able deposits, so they can retaliate against proven-bad-faith participants. Who can swallow the costs/trust of such enforcement? The largest, oldest operators.
Regarding the cost/difficulty of consensing on a change of proof-of-work: yes, it’d be a massive disruption – a near-death experience for Bitcoin, with acrimony and perhaps an extended, or even eternal, split between camps. (Think, anti-popes and eastern-orthodox offshoots. Even Satoshi himself couldn’t descend from the mountaintop with new tablets to heal the resulting schisms.)
But, I suspect that may be inevitable and even beneficial, in the long run. The whole possibility space needs to be explored, and each enduring chainfork would leave pre-fork Bitcoin holders with a portfolio of balances across each offshoot, allowing them to wait-and-see. That could make such “adaptive-radiation” more thinkable, and survivable, and thus frequent, once it’s more widely understood. Compare also the idea of ‘spinoffs’ as explored at .
…explored at: https://bitcointalk.org/index.php?topic=563972.0 .
> And the changes could in principle be drastic: a “pay me a 5% fee on every transaction” rule,
> or “a million new Bitcoins exist and belong to me” rule.
This is not true. The list of things you can do with a 51% attack is actually quite limited, and creating new coins out of thin air (other than the legitimate 25BTC reward per newly created block) is certainly not among them. Nor can you take bitcoins out of other people’s wallets without their consent.
You could refuse to process transactions from people you dont like, if you can reliably identify them (may be tricky if they use a proxy). Most worryingly, you could do a dual spending attack: pretend to pay somebody for a good or service, then rollback the transaction once they have held up their end of the deal. But if they are smart enough to wait for the recommended six confirmations, that will be a pretty expensive stunt to pull off, even if you are in a 51% position.
In short, the fact that a single party now has majority control of the blockchain is certainly cause for worry, but it is not *that* bad. Every block they create, still has to play by the normal rules of Bitcoin.
I think it’s more complicated that you suggest, because a 51% miner has the power to punish other participants in various ways, to incentivize compliance with a broad category of possible rule changes. I hope to write about that tomorrow. In short, I think a true 51% attack is more serious than people have generally recognized.
Cool link! Please note that I never denied that a 51% miner can get up to various kinds of nasty mischief if they want to, or that even just from a philosophical perspective it would be a bad thing if Bitcoin loses its decentralized nature.
However, the original article could be quite easily misread (in fact that is arguably its most straightforward interpretation) as claiming that a 51% miner could use its power to create transactions that would normally be considered invalid — for example, by creating a million new bitcoins out of thin air.
And that is fortunately not true. Bitcoin is a zero-trust system — every node (not just miners, but also every individual Bitcoin user) will verify each new block for itself, and if it violates any of the rules (such as the one saying you cannot create more than 25 new coins per block) then that block will be rejected. Even if it was created by a miner with 51% or even 100% of the mining power. That still allows for various kinds of blackmail and game theory style tricks, but it’s not as simple as just allocating a million bitcoins to yourself.
Arguably I am guilty of nitpicking a minor part of the article while ignoring its primary message. But looking on fora such as bitcointalk.org, it appears that quite a few people do indeed have the misconception that a 51% miner has the power to make arbitrary changes to the blockchain, create coins out of thin air, take money out of other people’s wallets, etc. So it appears that the severity of the problem gets overestimated as much as it gets underestimated.
Nonetheless, it is indeed a serious problem, and it would be nice if we don’t have to rely on the GHash.io people choosing not to abuse their power out of enlightened self-interest.
(“cool link” refers to the link posted by Anonymous, below the post I’m replying to)
You’re absolutely right that the article is full of scaremongering falsities. You can’t create a million coins out of nothing that’s just not possible within the bitcoin protocol and it shows the author doesn’t really know what he’s talking about in the first place.
You can’t just assume that something is impossible because it is not in the current protocol definition. If you assume that people will step outside the current protocol when it is in their self-interest to do so, then many more things become possible.
If we just assumed that everyone follows the protocol always, even when that is against their self-interest, then there would be no need for mining in the first place. We could just have Dr. Evil publish the blockchain, safe in the knowledge that he would have to follow the protocol honestly.
But as soon as you expand your model to include the possibility that people might deviate from the protocol if that is in their self-interest, then the argument that “X is outside the protocol, therefore X cannot happen” is no longer sufficient.
Not so limited: http://hackingdistributed.com/2014/06/16/how-a-mining-monopoly-can-attack-bitcoin/
See the link in Anonymous’s post just above, for some examples of the kinds of tricks that a 51% miner could play.