It has been approximately a week since we made our paper on selfish mining public. In this blog post, we'd like to answer a large number of the quick reactions we've heard en masse. (Previous discussions are here    ).
Before we do that, let's recap what our paper did:
Ed Felten raises issues in a blog post on a game-theoretic treatment of Bitcoin :
This summary of our contributions is incomplete and therefore misleading. And these claims do not appear in our paper; they appear in a distinct and separate blog post. The distinction is important, because the implied assumptions are different in each context.
The fallacy here is thinking that if A wins against B, this implies that A is a better strategy than B. Game theory gets this right, capturing the informal concept of better strategy with a concept of domination that is defined so that A dominates B means that (1) there are situations where A is a better choice than B, and (2) no matter what the other players do, A is never a worse choice than B. Rock does not dominate scissors because although condition (1) is true, condition (2) is not true: when the other player chooses paper, rock is not a better choice than scissors.
The ES authors commit this fallacy when they say “we have shown that selfish mining dominates the honest Bitcoin protocol”... So the first main claim of the ES paper—that “selfish” mining dominates honest Bitcoin mining—is incorrect.
The blog post implicitly assumes that the strategy space is confined to "honest" and "selfish" miners, the topic of the blog post. With the strategy space confined to those two behaviors, selfish mining dominates the honest Bitcoin protocol.
Felten is correct in that there could well be unknown other strategies that could change this relationship. With the strategy space unbounded, we do not know if selfish dominates honest. Felten offers no such strategy, however.
Independent of the blog post, our paper is precise in its claims; it spells out its assumptions and the consequences of its findings clearly. Felten disagrees with the implicit scope of our blog post, and is casting this disagreement as if it were a weakness of our paper.
This is false. For high gamma, a small (low alpha) miner is better off being selfish if everyone is honest. This means that honest mining is not a Nash equilibrium.
The Kroll, Davey and Felten (KDF) paper provides a formalization of the Bitcoin game, but implicitly ignores a class of attacks based on block witholding. It, therefore, erroneously concludes that honest mining is a Nash equilibrium in the real system.
If the system does not function, no one would play. Equilibriums with zero players are not particularly interesting.
Point #2 above addresses dominant strategies and Point #3 addresses incentive incompatibility. It would be interesting to take the framework in the KDF paper, amend that model in light of our findings, and reexamine their result that honest mining is a Nash equilibrium.
The phrase prisoner's dilemma does not appear in our paper, so this claim needs to be further documented before we can evaluate it.
There is no indication at the moment that there would be any punishment for selfish miners. Whether reaching 51% is a punishment for the attacker depends on assumptions about the attacker and the attack aftermath.
Our paper does not address what happens when multiple pools employ the selfish strategy. But if all pools were selfish, the blockchain would not make forward progress for large periods of time, while selfish groups hoard their blocks. Then, perhaps, depending on the profit-taking strategy of the selfish miners and their relative sizes, it would take erratic large steps forward. Such erratic behavior would not bode well for the users who want to transact in the currency.
The 50% line is indeed a drastic event. Once crossed, what happens next depends entirely on one's assumptions about the identities of the actors and their overall goals. Because these scenarios are so dependent on assumptions, we'd rather focus our attention on techniques that will keep the system far away from this point.
We'd love to see properly formulated, comprehensive treatments on this topic.
We'd rather focus on techniques that will keep the system far away from this boundary, but we'd love to see properly formulated, comprehensive treatments on this topic as well.
This assumes that all the participants are vested in the long-term well-being of the currency. A strong currency system cannot rely on the good intentions of its participants. Currencies are attacked all the time by actors with disruptive goals. Such actors may be aided by rational, short-term profiteers. A robust currency would have well-characterized properties, such as a well-defined threshold below which attackers are guaranteed not to succeed, to provide strong assurance to its users.
Perhaps. And that would be nice if it happened. But a robust cryptocurrency would derive its properties from the fundamental protocol, not from operational bandaids or from the actions of a centralized board.
Here are some excerpts from the Bitcoin developers' discussion forums:
From: Gavin Andresen <firstname.lastname@example.org> Date: Thu, 7 Nov 2013 14:56:56 +1000 > P.S: If any large pools want to try this stuff out, give me a shout. You > have my PGP key - confidentiality assured. > If I find out one of the large pools decides to run this 'experiment' on the main network, I will make it my mission to tell people to switch to a more responsible pool.
We applaud Gavin Andresen for his diligent stance against selfish mining.
Date: Wed, 6 Nov 2013 23:33:10 -0500 From: Peter Todd <email@example.com> Anyway, my covert suggestion that pools contact me was more to hopefully strike fear into the people mining at a large pool and get them to switch to a small one. :) If everyone mined solo or on p2pool none of this stuff would matter much... but we can't force them too yet.
This is a very prudent reaction. Smaller mining pools are in regular users' best interests.
Correct (probably, without seeing what's in the ellipsis). The paper addresses only the points it sets out to address, and leaves many interesting questions to future work.
We are Bitcoin supporters and have been working to strengthen the system. We believe that the system can be patched to provide strong guarantees against selfish mining, and we have offered one patch at the protocol level. Overall, we are genuinely thrilled to see the strong buy-in to the system.
We beg to differ on behalf of our discipline. These kinds of remarks are unlikely to yield an interesting discussion.
One of the early research efforts in sentiment analysis was the Smokey system by Ellen Spertus, which discovered that the "you <noun-phrase>!" construct, known as a noun apposition, tended to mark Internet flames. Research results, if incorrect, can be demonstrated to be false without resort to flaming, ad hominems or uttering profanities. We encourage you to point out, and improve on, perceived and/or real flaws in our paper.
This behavior is indistinguishable from spam. Please refrain. Express your rebuttal, if you have one, concisely just once, and we will address the points that bear merit.