THE ECONOMICS OF BITCOIN MINING OR, BITCOIN IN THE PRESENCE OF ADVERSARIES
Joshua A. Kroll, Ian C. Davey, and Edward W. Felten – Princeton University
Disclaimer: unless specifically noted, I neither agree nor disagree with the contents of this paper.
The authors open with an interesting supposition: Bitcoin is fiat currency. At first glance, this would appear incorrect–after all, governance is an essential attribute of fiat currency. An alternative to this perspective is offered: within the Bitcoin ecosystem
“…such governance is already emerging, that it will take the form of the governance of an open source project (in the sense that leaders cannot take actions contrary to the interests and will of the community without naturally losing legitimacy) and that the emergence of formal governance structures will ultimately subject Bitcoin itself (and not merely particular players) to influence by government regulators around the world.”
To validate this claim, Kroll et al. analyze the ‘soundness’ and ‘stability’ of the Bitcoin mining protocol from an economic and technical perspective. The foundation is laid at the feet of consensus:
“Bitcoins have value by consensus and by virtue of the ability to use them to purchase goods and services. But Bitcoin is more than just a currency; it is also a distributed algorithm which must function correctly in order for the currency to operate… The successful operation of these algorithms relies in turn on assumptions that participants in the system will cooperate in certain ways.
…
Ultimately, Bitcoin relies on three types of consensus. Participants must maintain consensus (1) on the rules to determine validity of transactions, (2) on which transactions have occurred in the system, and (3) that the currency has value. The three forms of consensus are connected, in the sense that the failure of any one will unravel the other two.”
What is important to note about this consensus is that:
"Each of these forms of consensus depends mutually on the other two. For example, it is hard to agree on the history without agreeing on the rules. And it is hard to believe in the value of a Bitcoin if participants cannot even agree on who owns which Bitcoin.
…
Consensus about the rules is a social process. Participants must come to a common understanding of what is allowed, so that the rules can be encoded into the software that each participant uses.
…
Consensus about state is a technological problem in distributed systems design. Each player can see part of the state and the players need to cooperate, in large numbers and across a potentially unreliable network, to achieve a consistent understanding of the global state. Technological consensus must be achieved despite the possibility that some players will deviate from the published rules.
…
Finally, consensus that Bitcoins are valuable is the same sort of consensus necessary for any fiat currency. Such value is often modeled as a focal point in a coordination game (because players need something to use as a medium of exchange and a unit of account, they choose a local currency because it is available).”
Modeling the mining process is necessary to uncover the nuances of these assertions. To justify the financial burden of mining, a condition must be satisfied: cost of mining [complex conjugate] equals the rate of new blocks per second multiplied by the value of Bitcoins rewarded. The primary difficulty in upholding this equilibrium is balancing the fixed (cost of equipment, electricity) and marginal (fluctuations in value of Bitcoins) costs of Bitcoin mining:
“…because mining resources must currently be purchased with currencies other than Bitcoin, the value of the mining reward V fluctuates with the exchange price of Bitcoin. Thus, if the Bitcoin price falls substantially, so too does the incentive to mine. This leads to the possibility of a death spiral in which loss of confidence in Bitcoin could cause the Bitcoin price to go down, a falling price lowers the incentive to mine and the equilibrium mining rate, lower mining rate leads to the currency being easier to subvert, and this leads to a further loss of confidence in the currency.
…
Such a death spiral reflects the perceived loss of consensus in the value game; we observe that it can happen even when consensus in the other games is functioning (as in an exchange rate crash) but that loss of consensus for the rules or for the game state contribute directly to the loss of consensus for value.”
To complete the point, the authors mention “…that it would be useful to change the mining process so that it created value that could not be captured by the miner, for example by attacking a problem whose solution would be a pure public good.”
This is a misunderstanding on their part–you can in fact mine feeless transactions (for the public good or some other motive). It seems odd they made such a mistake given the contents of the next (Mining Strategy) section:
“None of the rules of Bitcoin are self-executing; any rule can be ignored by users. Consider, for example, the rule requiring that a transaction carry valid digital signatures from the owner of every input coin. Everyone can use cryptography to detect a violation of the rule. But the rule will only be enforced if players ignore transactions that do not carry a cryptographically valid signature. Cryptographic rules and other technical rules are like all other rules, in that they exist only as words on paper and therefore will be followed only to the extent that players have incentives to follow them.”
Modeling the mining ‘game’ and what incentivizes players to follow the rules can be described as follows:
“Each miner chooses a strategy… A strategy is a function that maps the block chain structure … (up to the current round) to a choice of which branch to mine on (that is, which block will be the parent of the newly-mined block if the player wins).
…
The payoff for each miner is their expected return from the mining reward for the block mined in each round. However, that reward is only valuable if the newly-mined block ends up on the long-term consensus chain.
…
The longest-chain strategy, as specified in the Bitcoin documents, is monotonic [(function between ordered sets that preserves given order)]—if the longest chain is extended by one block, it remains the longest chain. However, there are infinitely many monotonic strategies.”
If S is monotonic, then it would follow that the mining game has a Nash equilibrium, insofar as that no player has an incentive to change their mining strategy. But how does this Nash equlibrium manifest in the Bitcoin ecosystem?
“In this sense, no monotonic strategy is better than any other… We suggest that the choice of strategy is a tacit coordination problem and thus the solution which seems most attractive serves as a focal point. Miners chose the longest-chain strategy initially because it was used in the reference Bitcoin implementation. As new mining capacity has entered the system, that choice has proved stable.”
Herein lies the problem. While the choice has proven stable up until now, the stability of the mining game in the face of adversaries is a real and tangible threat, one the authors would like to discuss in some detail. They begin with the classic 51% attack, carried out by a ‘cartel’ of Bitcoin deviants:
“…we observe that a cartel can change any rules which are enforced by consensus and players who are not in the cartel will likely be obliged to follow. For example, a cartel can choose any strategy in the mining game. Players who continue to use the old strategy risk having their newly-mined blocks ignored as forks of the consensus branch and thereby risk losing the mining reward payments associated to those blocks. Thus, if the cartel announces its mining strategy, it can shift the equilibrium chosen by the non-cartel players.
…
The cartel can choose to ignore any transaction it does not want appended to the log. Further, the cartel can choose to treat any blocks appended by others to the log as forks which it will not attempt to extend. Thus, other players will naturally also abandon these transactions, possibly even consciously if the cartel announces that certain transactions (or transactors) are disfavored.”
We see that this cartel wishes to keep the Bitcoin network operational, but under a different set of rules. Double spending is an issue reserved for the Goldfinger attack section, for it would devalue Bitcoins entirely.
From here the authors briefly mention transaction fees and their limited role in the long-term economics of the Bitcoin network:
“Such an agreement can be modeled as a prisoner’s dilemma: the miners would benefit from cooperation but cannot agree not to defect; users may wish to leave a tiny transaction fee to make sure the miners will process a transaction, but the user gets no benefit from offering a larger fee—doing so simply gives up value without any compensating gain.
…
As a result, we expect an equilibrium in which users leave small, nonzero transaction fees, and miners collect those fees. Indeed, this is what we observe: the expected total mining reward sans fees in a day is 3600 BTC, while the average total daily transaction fee take is only about 50 BTC.”
While the current state of the market follows this truth, I feel it important to note that transaction fees will play a larger role in the mining process as the network grows and coins become harder to mine. This should not be ignored in future models of the Bitcoin economy.
And finally we move to the Goldfinger attack–an attack driven by a malicious third party–with sights set on the destruction of Bitcoin; there are three motives discussed in detail:
“First, a government or institution might want to block Bitcoin transactions, to enforce the law, deter money laundering, or achieve some other institutional goal. Second, a non-state attacker might seek to gain some political or social goal, perhaps as a form of social protest… Third, an attacker might seek an investment gain, for example by taking large short positions in Bitcoins so as to profit if the value of Bitcoins is diminished.”
The model for this the Goldfinger attack is straightforward: If the utility A extracted by a malicious entity is greater then the value of the currency B then the malicious entity will destroy the currency.
Kroll et al. use this attack as a segway into the discussion of an emerging governance in Bitcoin:
“Contrary to claims that Bitcoin is ungovernable and relies on fixed rules laid down at its founding, the rules can be and have been changed by consensus. A governance structure for Bitcoin must inevitably emerge and is already emerging.”
To support this claim a few examples of governance in practice are given, namely the recent change in the minimum transaction size and the bug in version .7 of the Bitcoin client that invalidated a portion of blocks which were both ultimately resolved by consensus.
It is on this basis that the authors make their next claim:
“Other challenges to the system’s health and viability may also emerge, perhaps due to issues of scaling or security. Some sort of governance will have to emerge in order to cope with these. Although it may be informal and not enshrined in any constitution or charter, the Bitcoin community will need to have a way to reach consensus decisions and act on them.”
With that in mind, the authors move to the de-facto governance already emerging in the Bitcoin project:
“Arguably, a governance structure is already emerging through the management of the Bitcoin reference implementation. The lead developers of this software are respected in the community and their opinions tend to carry weight. Because putting into practice any rule changes requires changing the reference software (and because the reference software is widely deployed), the lead developers have their hands on the levers of power, such as they exist. They seem to be the natural leaders of the community.
…
[T]he dynamics of Bitcoin’s rules governance are similar to those of open-source software governance, with an emerging set of leaders who make decisions on behalf of the community and whose power is constrained by the possibility of a fork.”
The Bitcoin system continues to grow, as do the number of players who have increasingly large stakes in Bitcoin’s outcome. The natural progression of such growth is a cascade of opinions about what changes should be made and how they should be implemented; pressure will build and a release valve must be constructed to relieve that pressure–according to the authors this valve has begun to take shape as the semi-formal governance of an open source project championed by Bitcoin’s core developers. How this fully develops is yet to be seen.
That said, I believe this paper reiterates the devestating nature of a 51% attack many seem to think it is no longer a pressing issue given the combined processing power of the Bitcoin mining network. Don’t fool yourselves. An entity with access to chip manufacturing equipment and a decently funded R&D team could put together a few hundred (or thousands of) wafers of ASICs and wreak havoc on Bitcoin with little effort. Until ASICs proliferate (and difficulty surpasses at least 1 billion), I daresay Bitcoin is quite vulnerable.
What about you guys, how do you feel about these claims? Do you not see some of these issues coming to a head soon?
—
Original post:
https://btcgsa.wordpress.com/2013/06/23/government-open-source-0/Source (pdf):
http://weis2013.econinfosec.org/papers/KrollDaveyFeltenWEIS2013.pdf