There seems to be a collection of programmers and Bitcoin enthusiasts out there who avoid math at all costs. This makes sane conversations very difficult.
Regardless, here are some questions we have been asked, and our best attempt to provide some intuitive answers, without delving into math:
Isn't a selfish miner taking a risk? What if the honest miners discover a block and nullify his work?
Absolutely. There are no rewards to be had without risk. By giving up on a sure 1-unit win right now, the attacker positions himself to take advantage of a large number of outcomes where he makes more revenue later.
But the honest miners command a majority! The attacker would always be behind.
No, that's not right. If it helps pedagogically, think about a 49% attacker. He is essentially neck-and-neck with the honest crowd, and, at times, can develop a substantial lead. If he manages to get ahead by two or more blocks, he can reveal those two blocks at any time he feels threatened by the public closing in on his lead, and consolidate his winnings. When he is behind, he just follows as usual, no worse off. The same situation is true for a 48% attacker, with a lower likelihood of establishing that lead. And so on, all the way down, for even a 1% attacker.
At this point, we really have to break out the math, and start computing probabilities. Economists have a saying called "model please?" If someone does not have a mathematical model, they're wasting everyone's time and just add to the noise component of the discourse. Our math is in the paper, it stands analytical scrutiny as well as numerical simulation. And it shows that the attacker will earn revenues in excess of his resource contributions.
We realize that our findings are counterintuitive. That's why any reasonable counterargument has to invoke mathematics. If there is no math, if it fits in a tweet, it is just noise, no matter how much it might appeal to one's gut feelings.
I thought about a 49% attacker, and I see your point. But only for an attacker near 50%. There is no way that the attack would work at lower thresholds.
You didn't think about it hard enough.
Does an attacker have to establish a comfortable 2-or-more block lead to profit?
No. Even if an attacker is ahead by just a single block, he can gain excess revenues, depending on what happens after he reveals his block. With some (small) likelihood, he will be able to mine on his own block for a 2-unit win. With some likelihood, he will be able to influence an honest node, who then extends his revealed block, for a 1-unit win for both. And with some other likelihood, the honest nodes will build on their own block, and the attacker will gain nothing. This is all explained in the Revenue discussion of our paper.
Once again, we have to break out the math right at this point, go through these likelihoods and compute when they pay off. We did this, and the results are in our paper.
This attack requires an attacker have good network position to get its blocks accepted.
This attack relies on a Sybil attack for its success.
Not at all. The most pessimal assumption is to imagine that the attacker's proposed blocks are never adopted by any honest node when there are alternatives. Every single time he proposes a block, the honest nodes drop the block he proposed. This corresponds to a gamma value of 0 in our analysis, a scenario we fully modeled.
Even under this pessimal assumption, selfish mining pays dividends when the attacker commands more than 33% of the network. The wins have everything to do with controlling the timing of information release and getting the honest nodes to work on blocks that are ultimately discarded. Our attack does not rely on network position or well-connectedness. It does not require Sybils. It does not require a fast connection to other miners. Anyone who claims otherwise does not understand the attack.
Are you trying to take down Bitcoin?
No. We're Bitcoin supporters and are working to make the currency stronger against a broader set of possible misbehaviors than what has been considered so far.
Why didn't you launch this attack?
Because we're nice people. We want Bitcoin to succeed. And we have day jobs that pay well enough (also, see answer to last question).
I actually didn't read the paper, and will never read anything that is longer than a tweet, but I think your attack can't possibly work.
You are part of an "academic conspiracy" and/or a "beaurocratic establishment" aiming to take down Bitcoin and prop up a worthless fiat currency.
We have no words. All we have are our secret Illuminati handshakes. And each night, we sing this song: