andrewdroll.com

Bitcoin woes


Warning: This is a learning blog. I am investigating Bitcoin as I write, and as such these entries may be difficult to follow at times. Once I've achieved a sufficient level of understanding, I intend to write a more coherent and readable account of my interpretation of the currency's potential and vulnerabilities.


***

I have been conflicted about how to focus today's blog.

On the one hand, there has been a major development in the Bitcoin world which has shaken the confidence of some prominent supporters, which I noted briefly yesterday. For example, Bitcoin project core contributor Peter Todd publicly exchanged half of his Bitcoin holdings for traditional currency after the 51% news broke.


On the other hand, I am eager to learn more about the details of the Bitcoin protocol and its implementation. I've started positioning to look at these details - I have forked the Bitcoin GitHub repository to my own account so that I can examine its source code freely, and I've begun digging into more technical, but still qualitative, accounts of the protocol's details. I have learned how Bitcoin's proof-of-work scheme (powered by SHA-256, a common cryptographic hash function) works, and reviewed ECDSA, Bitcoin's signature and authentication algorithm. Finally, I have started to learn about the implementation of Bitcoin network synchronization, and about the phenomenon of block chain forking.

This will be a relatively short blog entry. It will take time to really start understanding Bitcoin's protocols, especially at the source level, and it is good to keep goals realistic.

To focus this entry without delaying my process of learning too much, I have decided to do the following:

  • In this post I will give a brief overview of the 51% mining crisis.
  • In my next post I will outline some deeper protocol details of why >50% mining shares are a problem, and what attacks they make possible. This may appear later today!
  • Over the course of my next few posts I will move my focus gradually to a more fundamental protocol level, with increasing reference to Bitcoin's source and details of its algorithms.
  • In addition I am hoping to perform feasibility estimates for different types of attacks, especially majority mining stake-based attacks, based on understanding I will garner of the Bitcoin protocol's underlying mechanisms.
  • I am also interested in whether a smaller but very significant share of mining power (say, 30-49%) would permit attacks on the wider Bitcoin network, and of what type. This is a question that will remain in my mind as well.


This plan may mutate over its gestation period, but it is an outline to keep in mind for the moment.

My discussion of the Bitcoin protocol and Bitcoin's >50% mining issue over the next few posts will likely mostly comprise information garnered from the Bitcoin Developer Documentation, other information at bitcoin.org, information from blockchain.info (which tracks all Bitcoin transactions and block chain updates), information from the Bitcoin wiki, and information from this enlightening blog on the Bitcoin protocol's details. I will list other sources as needed.

The 51% crisis

The idea that a single Bitcoin miner (or organization, or coordinated pool of miners) might achieve a majority share of the Bitcoin network's computational power has been a concern for the currency's community since its beginnings. This mining capability is also called hashing power, since effective mining amounts to computing many billions of SHA-256 cryptographic hash function values very quickly until a correct solution to a "proof of work" problem is discovered. Many seem to have assumed that achieving a majority of it would be practically infeasible because of prohibitive cost, or, more idealistically and occasionally, that the "distributive culture" of the Bitcoin community would keep any entity from desiring or attempting to achieve a majority share.

Of course, Bitcoin mining is a financial venture, and as the history of capitalism readily shows us, naive notions of community responsibility are unlikely to keep organizations or individuals from pursuing maximum profitability and growth. And so it happened a few days ago that a Bitcoin mining organization called GHash.IO achieved a 51% share of all Bitcoin hashing for a period of more than 12 hours. Similar >50% periods may have occurred previously, but were always very short-lived by comparison.

The 51% problem has not persisted. For example, over the last 4 days, GHash.IO has maintained only a 32% share of accepted blocks. Moreover, GHash.IO has released a statement claiming that they would never abuse a 51% share. Whether this is to be believed is totally subjective, since the organization is not transparent in any way. Additionally, looking at raw data at blockchain.info, we can see that while GHash.IO's overall hashing share no longer exceeds 50%, the organization has still produced worryingly long sequences of accepted blocks. Today, for example, blocks 306505 through 306510 were all relayed by GHash. This sort of sequential block completion, even without a long-term majority share of hashing power, permits transaction manipulation within the Bitcoin standard.

The 306505-306510 sequence is remarkable because it consists of 6 consecutive blocks. It is widely accepted that 6 verified blocks (or roughly an hour of time) is enough to completely secure a Bitcoin transaction, and thus with a sequence like this, a malicious organization could completely secure fraudulent transactions to manipulate the market.

The types of fraudulent transactions that may be introduced are controlled substantially by the Bitcoin protocol, but a >50% share holder is potentially capable of significant harm nonetheless. This harm could include reversing the majority organization's transactions, blocking transactions between any users, double-spending Bitcoins to cheat the system, and monopolizing, amplifying, or denying mining profits by rejecting valid blocks submitted from outside the dominant organization.

I will address some more protocol details that make >50% shares a problem shortly. However, I want to note here that the manifestation of organizations achieving large shares of hashing power, and of long chains of blocks produced by the same organization, represents a potential incentive and market problem within Bitcoin's design. The reasons for these manifestations are market realities, associated with Bitcoin's incentive system for mining. This is a problem whose occurrence appears to have been considered practically unlikely by parts of the Bitcoin community, and thus the fact that it has actually manifested may reveal an unwise level of elevated optimism about Bitcoin's future within the community.

There may be fundamental protocol improvements to be had that will alleviate these problems, but protocol issues are not the reason that they have now begun to manifest in the real Bitcoin market. There is already work being done on such protocol improvements (the link is to a blog entry by Cornell University Professor Emin Gün Sirer, and Ittay Eyal, a postdoctoral researcher).

Emin Gün Sirer

In my next post I will engage in some more specific protocol-based qualitative discussion of the problem. I hope to address questions from "How do we know there may be a problem at all?" (as in, how does Bitcoin keep track of who is submitting blocks), to "Why is >50% mining an issue?," "What attacks are possible with >50% mining share?," "Can a smaller mining share also be threatening?," and hopefully more!

Out for now.