Bitcoin is broken. And not just superficially so, but fundamentally, at the core protocol level. We’re not talking about a simple buffer overflow here, or even a badly designed API that can be easily patched; instead, the problem is intrinsic to the entire way Bitcoin works. All other cryptocurrencies and schemes based on the same Bitcoin idea, including Litecoin, Namecoin, and any of the other few dozen Bitcoin-inspired currencies, are broken as well.
Specifically, in a paper we placed on arXiv, Ittay Eyal and I outline an attack by which a minority group of miners can obtain revenues in excess of their fair share, and grow in number until they reach a majority. When this point is reached, the Bitcoin value proposition collapses: the currency comes under the control of a single entity, it is no longer decentralized, the controlling entity can determine who participates in mining and which transactions are committed, and can even roll back transactions at will. This snowball scenario does not require an ill-intentioned Bond-style villain to launch; it can take place as the collaborative result of people trying to earn a bit more money for their mining efforts.
Conventional wisdom has long asserted that Bitcoin is secure against groups of colluding miners as long as the majority of the miners are honest (by honest, we mean that they dutifully obey the protocol as prescribed by pseudonymous Nakamoto). Our work shows that this assertion is wrong. We show that, at the moment, any group of nodes employing our attack will succeed in earning an income above their fair share. We also show a new bound that invalidates the honest-majority requirement: under the best of circumstances, at least 2/3rds of the participating nodes have to be honest to protect against our attack. But achieving this 2/3 bound is going to be difficult in practice. We outline a practical fix to the protocol that is easy to deploy and will guard against the attack as long as 3/4ths of the miners are honest.
We need the Bitcoin community’s help in deploying this fix so that the Bitcoin ecosystem can be made more robust, at least against attackers whose mining power is below the 25% threshold. Even with our fix deployed, however, there is a problem: there are mining pools at the moment that command more than 25% of the mining power, and, in the past, there have been mining pools that commanded more than 33% of the mining power. We need the Bitcoin community’s awareness and concerted effort to ensure that no mining pool reaches these thresholds. The mere possibility that the system can get into a vulnerable state will be an impediment to greater adoption of Bitcoin.
Those of you who want a precise and complete explanation of the attack can cut straight to the research paper, though it may be a bit terse and dry. In the rest of this blog entry, we will outline the attack for the non-hard-core practitioner, such that by the end of the blog entry, anyone should understand the intuition behind our attack, be equipped to earn higher revenues through mining, and possess the tools required to usurp the currency. To get to this point, we need a little bit of background on how Bitcoin works. If you’re familiar with Bitcoin mining, you can skip to the next section that describes how the attack works. If you are a non-techie Bitcoin user, you can skip straight to the Implications section.
The key idea behind Bitcoin’s success is a decentralized protocol for maintaining a global ledger, called a blockchain. The blockchain records transactions between Bitcoin addresses, tracking the movement of every Bitcoin as it changes hands. This tracking ensures that no one can double-spend a coin, as the ledger makes it all too apparent whether a user sent out more Bitcoins from his account than he earned. The particular way in which Bitcoin tracking is performed makes sure that the record is also immutable: once a Bitcoin transaction is committed and buried in the blockchain, it is difficult for an attacker to reverse the transaction, so a merchant can ship goods in good conscience, assured that the transaction will not later be reversed.
This protocol works through a process called mining. In essence, the ledger is organized into a single, ordered sequence of blocks, each of which records a set of transactions. Each block contains a crypto-puzzle, a computationally difficult challenge akin to a CAPTCHA. Miners organize themselves into a loosely-organized, distributed network, and they all concurrently attempt to add a new block to the ledger. To do this, they need to discover the solution to a crypto-puzzle, formed by the contents of the ledger up to the point where the new block is being added. Solving a crypto-puzzle is hard work; a computer has to plug in many different values and see if they solve the crypto-puzzle posed by the new block. The puzzles are such that a home computer working alone will take many years to solve a crypto-puzzle. Some people use GPUs to speed up this process, while others have invested in custom-built ASICs designed to solve Bitcoin crypto-puzzles.
Of course, this process is not free, as the process of solving these crypto-puzzles consumes power and requires cooling. For the currency to be viable, the miners need to be compensated for their efforts. Bitcoin miners are compensated through two mechanisms: they collect the transaction fees from the transactions recorded in the new block they contributed to the block chain, and they also collect a lump-sum fee. This lump-sum fee creates new Bitcoins, according to a time-varying formula. Hence, "mining" is similar to digging for gold: every now and then, a miner is rewarded with a nugget. The difficulty of the crypto-puzzles is automatically adjusted such that a new block is added to the ledger approximately every 10 minutes, which ensures a predictable coin generation rate for the system, which stems inflation and makes the currency supply more predictable than it would be otherwise.
The nice thing about having crypto-puzzles that are so difficult is that it is not practical for an attacker to modify the ledger. Someone who wants to, say, buy something from a Bitcoin merchant, get the goods shipped, and then later change that block to erase the transfer of money to the merchant, faces a very difficult task: they need to find alternative solutions to the crypto-puzzles for that block and every subsequent block. What makes this difficult is that the main bulk of the miners will be working hard on adding new blocks at the tail end of the ledger, so an attacker, with limited resources, cannot hope to find alternative solutions for all the past blocks and catch up to the rest of the miners.
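To make the puzzle-chaining concrete, here is an added toy example. It is my code for this page, not anything from the post, the paper or Bitcoin itself: the block format, hashing the block as JSON, and the 12-bit difficulty are simplifications chosen so it runs in well under a second. What it keeps is the property the paragraph above relies on: each block's puzzle covers the previous block's hash plus the block's own transactions, so editing an old transaction invalidates that block and every block after it, and making the edit verify again means re-solving all of those puzzles while the rest of the network keeps extending the tip.

```python
"""Toy proof-of-work ledger (added illustration; not Bitcoin's real block
format, hash puzzle or difficulty rule). The shape is the same, though:
each block's puzzle covers the previous block's hash plus the block's own
transactions, so rewriting an old block breaks every block after it."""
import hashlib
import json

DIFFICULTY_BITS = 12   # toy setting: about 4096 hash attempts per block
GENESIS = "0" * 64     # hash the first block links to


def block_hash(prev_hash: str, txs: list, nonce: int) -> str:
    """Hash of the puzzle input: previous hash, transactions and nonce."""
    payload = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def hash_of(block: dict) -> str:
    return block_hash(block["prev"], block["txs"], block["nonce"])


def meets_target(digest: str) -> bool:
    """A solution is a digest whose top DIFFICULTY_BITS bits are all zero."""
    return int(digest, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(prev_hash: str, txs: list) -> tuple:
    """Brute-force a nonce; return (block, number of attempts)."""
    nonce = 0
    while not meets_target(block_hash(prev_hash, txs, nonce)):
        nonce += 1
    return {"prev": prev_hash, "txs": txs, "nonce": nonce}, nonce + 1


def build_chain(tx_batches: list) -> list:
    chain, prev = [], GENESIS
    for txs in tx_batches:
        block, _ = mine(prev, txs)
        chain.append(block)
        prev = hash_of(block)
    return chain


def first_invalid_block(chain: list):
    """Index of the first block whose back-link or puzzle solution no
    longer checks out, or None when the whole chain verifies."""
    prev = GENESIS
    for i, block in enumerate(chain):
        digest = hash_of(block)
        if block["prev"] != prev or not meets_target(digest):
            return i
        prev = digest
    return None


def rewrite_block(chain: list, index: int, new_txs: list) -> list:
    """Edit an old block's transactions without redoing any work."""
    forged = [dict(b) for b in chain]
    forged[index]["txs"] = new_txs
    return forged


def remine_from(chain: list, index: int, new_txs: list) -> tuple:
    """Work needed for an edited block to verify again: re-solve the
    puzzle of that block and of every later block, since each later
    block's back-link changed. Returns (chain, blocks re-mined, attempts)."""
    repaired = chain[:index]
    prev = GENESIS if index == 0 else hash_of(chain[index - 1])
    total = 0
    for i in range(index, len(chain)):
        txs = new_txs if i == index else chain[i]["txs"]
        block, attempts = mine(prev, txs)
        repaired.append(block)
        total += attempts
        prev = hash_of(block)
    return repaired, len(chain) - index, total


# Constructed sample ledger: four blocks of made-up transfers.
SAMPLE_BATCHES = [
    ["alice->bob:5"],
    ["bob->merchant:3"],                 # the payment someone might want gone
    ["carol->dave:1", "dave->erin:1"],
    ["erin->frank:2"],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("mined chain verifies:", first_invalid_block(chain) is None)
    forged = rewrite_block(chain, 1, ["bob->bob:3"])
    print("edited chain fails at block:", first_invalid_block(forged))
    _, n, attempts = remine_from(chain, 1, ["bob->bob:3"])
    print(f"making the edit verify again: {n} blocks re-mined, "
          f"{attempts} hash attempts, while everyone else keeps extending the tip")
```

The number of blocks that have to be re-mined is always the number of blocks from the edited one to the tip, which is why a transaction is considered safer the deeper it is buried: the edit has to catch up with a chain that is still growing.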
Miners today organize themselves into groups known as pools. A pool will typically consist of a set of cooperating nodes that share their revenues whenever they find blocks. Mining pools are kind of like the collective tip jar at a restaurant: on occasion, a miner will hit the jackpot, discover a good solution to a crypto-puzzle, and rake in some revenues, kind of like a waiter who lands a big table that runs a large tab. Since this occurs relatively infrequently from the point of view of any given miner, sharing the proceeds enables the miners to have more predictability in their lives.
The honest Bitcoin protocol assumes that all miners engage in a benign strategy where they quickly and truthfully share every block they have discovered. Until now, everyone assumed that this was the dominant strategy; no other strategy was known that could result in higher revenues for miners.
Our work shows that there is an alternative strategy, called Selfish-Mine, that enables a mining pool to make extra money at the risk of hurting the system. In Selfish-Mining, miners keep their block discoveries private to their own pool, and judiciously reveal them to the rest of the honest miners so as to force the honest miners to waste their resources on blocks that are ultimately not part of the blockchain.
Here’s how this works in practice. Selfish miners start out just like regular miners, working on finding a new block that goes at the end of the blockchain. On occasion, like every other miner, they will discover a block and get ahead of the rest of the honest miners. Whereas an honest miner would immediately publicize this new block and cause the rest of the honest miners to shift their effort to the newly established end of the chain, a selfish miner keeps this block private.
From here, two things can happen. The selfish miners may get lucky again, and increase their lead by finding another block. They will now be ahead of the honest crowd by two blocks. They keep their new discovery secret as well, and work on extending their lead. Eventually, the honest miners close the gap. Just before the gap is closed, the selfish pool publishes its longer chain. The result is that all the honest miners’ work is discarded, and the selfish miners enjoy the revenue from their previously secret chain.
The analysis of revenues gets technical from here, and the only way to do it justice is to follow along the algorithm and state machine provided in our paper. But the outcome is that the selfish mining pool, on the whole, nullifies the work performed by the honest pool through its revelations.
The success of the attack, and the amount of excess revenue it yields, depends on the size of the selfish mining pool. It will not be successful if the pool is below a threshold size. But this threshold is non-existent in the current implementation: selfish mining is immediately profitable. Our proposed fix raises the threshold to 25% if universally adopted. And, while there may be other fixes, no fix can raise it above 33%. So, at least 2/3rds of the Bitcoin miners have to be honest. All three of these findings are a far cry from the 50% previously (and falsely) believed to protect the currency.
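To see where the 25% and 33% figures come from, here is an added revenue model. It is my code for this page, not the paper's or the post's: the closed-form revenue ratio is my transcription of the result in the Eyal and Sirer paper, and the Monte Carlo routine replays the strategy exactly as the paragraphs above describe it (keep found blocks private, publish just before the honest miners catch up). Two parameters are assumed: `alpha`, the pool's fraction of total mining power, and `gamma`, the fraction of honest mining power that ends up extending the pool's branch whenever a published pool block races an honest block of the same height. The post does not name `gamma`; it is the network-propagation knob that decides the threshold, with `gamma = 0.5` corresponding to honest miners choosing uniformly at random between equal-length branches (the paper's fix, as I read it) and `gamma = 1` reproducing the post's "no threshold at all" case.

```python
"""Revenue model for the Selfish-Mine strategy. Added illustration: the
closed-form ratio is my transcription of the Eyal and Sirer result, and
the Monte Carlo below replays the strategy as described in the post.
alpha = pool's fraction of total mining power (assumed parameter);
gamma = fraction of honest power that ends up mining on the pool's branch
when two equal-length branches compete (assumed parameter, not a page figure)."""
import random


def selfish_revenue_share(alpha: float, gamma: float) -> float:
    """Fraction of all main-chain blocks the selfish pool ends up owning."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma: float) -> float:
    """Pool size above which selfish mining beats honest mining
    (the alpha at which selfish_revenue_share(alpha, gamma) == alpha)."""
    return (1 - gamma) / (3 - 2 * gamma)


def minimum_honest_fraction(gamma: float) -> float:
    """What the network needs in order to be safe: 1 - threshold."""
    return 1 - profitability_threshold(gamma)


def simulate(alpha: float, gamma: float, rounds: int, seed: int = 1) -> float:
    """Monte Carlo of the strategy: each round one block is found somewhere;
    the pool keeps its finds private and publishes only when the honest
    miners are about to catch up. Returns the pool's share of the chain."""
    rng = random.Random(seed)
    lead = 0          # private blocks the pool holds beyond the public tip
    racing = False    # one published pool block vs one honest block
    pool, honest = 0, 0
    for _ in range(rounds):
        pool_found = rng.random() < alpha
        if racing:
            if pool_found:                    # pool extends its own branch
                pool += 2
            elif rng.random() < gamma:        # honest extend the pool's branch
                pool += 1
                honest += 1
            else:                             # honest extend their own branch
                honest += 2
            racing = False
        elif pool_found:
            lead += 1                         # keep it secret
        elif lead == 0:
            honest += 1                       # nothing hidden; honest block stands
        elif lead == 1:
            lead, racing = 0, True            # publish: two equal-length branches
        elif lead == 2:
            pool += 2                         # publish both; honest block is orphaned
            lead = 0
        else:
            pool += 1                         # publish one block, keep the rest
            lead -= 1
    return pool / (pool + honest)


if __name__ == "__main__":
    for gamma, label in [(0.0, "honest miners never pick the pool's branch"),
                         (0.5, "uniform random tie-break"),
                         (1.0, "pool wins every race")]:
        print(f"gamma={gamma}: profitable above {profitability_threshold(gamma):.0%} "
              f"of mining power, so {minimum_honest_fraction(gamma):.0%} must be "
              f"honest ({label})")
    for alpha in (0.2, 0.3, 0.4):
        print(f"alpha={alpha}: formula {selfish_revenue_share(alpha, 0.0):.3f}, "
              f"simulated {simulate(alpha, 0.0, 200_000):.3f}")
```

The three `gamma` settings give thresholds of 33%, 25% and 0%, i.e. honest fractions of 2/3, 3/4 and "everyone", which is the ladder of numbers the post quotes. The simulation and the closed form agree to within sampling noise, which is a useful check that the state machine really is the one being reasoned about.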
The selfish mining strategy has significant implications for the Bitcoin system:
- The members of a selfish mining pool will earn more revenue than honest participants: This means that rational, self-interested miners, who typically invest significant amounts of money in their equipment, will want to join selfish miners instead of following the honest strategy.
- Once launched and successful, selfish mining pools will grow in size: There are no mechanisms in place to exert any kind of pressure to break up a selfish mining pool.
- Selfish mining is harmful to the Bitcoin community: Selfish miners bring down revenues for everyone. The fact that a selfish mining attack can be launched, and a selfish pool can grow in size until it controls the currency, is a deterrent to people, like the Winklevii, who are drawn to the decentralized nature of Bitcoin.
- This attack is practical right now with any size mining pool: Anyone can launch this attack successfully right now, and make revenues in excess of what they would otherwise make.
- Under the best theoretical conditions, Bitcoin requires at least 2/3rds of the miners to be honest: It was previously believed that the Bitcoin ecosystem was safe as long as a majority were honest. Our analysis shows that this is wrong. If a selfish-mining pool were to command 1/3rd (33%) of mining power, it’ll always be in a position to make excess revenues over honest miners.
- We propose a practical fix that will protect against selfish mining as long as pools command below 25% of the mining power: The fix is simple to apply. It would be a good idea for the Bitcoin community to adopt it.
- There are mining pools in existence that can conceivably launch successful selfish mining attacks: At the moment, any mining pool can launch a successful mining attack. With our proposed fix, only pools above 25% can launch the attack, but there exists a pool of this size right now. And there have even been pools that commanded more than 33% of the mining power in the past.
Some frequently asked questions:
- What happens when a selfish mining group is formed?
Once a group of selfish miners shows up on the horizon, rational miners will preferentially join that mining group to obtain a share of its higher revenues. And their revenues will increase with increasing group size. This creates a dynamic where the attackers can quickly acquire majority mining power, at which point the decentralized nature of the Bitcoin currency collapses, as the attackers get to control all transactions.
- When a single pool controls the currency, does the value of a Bitcoin go to $0?
No. It all depends on how the controlling group runs the currency. But the decentralization, which in our view is so critical to Bitcoin’s adoption, is lost. It would not be at all healthy for the Bitcoin ecosystem.
- Does this affect X, where X is another cryptocurrency?
Most likely. It affects every currency system that is inspired by Bitcoin’s blockchain. That includes Litecoin, PPcoin, Novacoin, Namecoin, Primecoin, Terracoin, Worldcoin, and a host of other currencies that share the same global ledger concept.
We’re the first to discover that the Bitcoin protocol is not incentive-compatible. The protocol can be gamed by people with selfish interests. And once the system veers away from the smooth mode where everyone is honest, there is no force that opposes the growth of really large pools that command control of the currency.
We cannot know for sure, but we suspect not. Ours is the first work to publicly investigate an alternative mining strategy.
- What’s with these two separate thresholds? Do 2/3rds of the nodes have to be honest? Or 3/4ths? Why is there a gap between the two?
At the moment, the threshold is non-existent. With our proposed fix, which is practical and easy to deploy, it gets raised to 25%, i.e. 3/4ths of the network must be honest. Perhaps someone can propose a fix that raises this threshold further, but we have shown that they cannot raise it above 2/3rds.
- Would we be able to tell a selfish mining pool from any other pool?
Not easily. A selfish mining pool can hide behind throwaway addresses to mask its identity. And while the timing of block revelations does look different for selfish miners, it’s difficult to tell who was genuinely first, as near-concurrent revelations will arrive in different orders at different hosts.
- Is there a danger associated with making this attack public?
The only way to protect the system against selfish mining attacks is to get everyone to change their implementations. So the only way we can protect the system is by publicizing the potential attack. We have chosen not to launch the attack ourselves, because we care about the long-term viability of the currency.
Most likely. We have shown that as long as selfish miners are below a certain threshold, they will not succeed. And while this threshold does not exist yet (i.e. selfish mining will immediately yield benefits for a pool of any size), we have a proposed fix that raises the threshold to 25%.
Addendum, November 14, 2013
Addendum, February 28, 2014
Haldane says that there are four stages of acceptance of new ideas:
- This is worthless nonsense.
- This is an interesting, but perverse, point of view.
- This is true, but fairly unimportant.
- I always said so.
The comments below, coming from "Bitcoin entrepreneurs" organized into a brigade, exhibit all four of these stages at the same time. I have preserved them as they are (except for deleting profanity-laced comments), to shame the community. In some cases, the commenters edited their own comments when proven wrong, so reading the comment chains may seem nonsensical at times as a result.