GHash, a mining pool operated by the anonymous, purportedly Russian-owned CEX.io, achieved 55% of the total network mining power for about a 24 hour span. There is much panic, confusion and even denial around what a majority miner can do, may want to do, and will do.
Just as we predicted, some people are trying to shift the narrative to "OK, GHash may have a 51% majority, but they'd be crazy to launch a 51% attack, it would be counter to their interests." This argument is dead, killed by empirical data -- anyone who tries to recycle this argument in a post-51%-GHash world is at best misled. There are lots of attack types that are available to a 51%er, many of them quite subtle, and the participants do not conform to simplistic models.
The Bitcoin community seems to have a limited understanding of the attacks that a 51%er can launch. This is evident from Gavin's official response, which claims that there are "only two" attacks: (1) double-spends, and (2) wholesale denial-of-service. Gavin, who is both a friend and an impeccable engineer, may be trying to downplay the danger to soothe the community's fears [*], but discussions in community forums also show that most people don't understand what a monopoly miner can do. In particular, they seem oblivious of the more subtle attacks that a monopolist can launch.
In this post, we'll go over the possible strategies that miners can adopt as a function of their size. Our central thesis is that 50% is absolutely unacceptable for Bitcoin even when there are no attacks being launched. We propose putting technical measures in place to deter mining pools over 25%. Until such measures are in place, we advocate the poor-man's-alternative-to-protocol-fixes-and-regulation, namely, we advocate putting social pressure on miners to not exceed 25%. A final goal of this post is to caution the community against a toxic mining strategy called transaction differentiation.
Before we go on, let's contextualize and chastise the emerging attempt to minimize the significance of what just happened. As we predicted, some people are trying to advance the narrative that "even though GHash had 51% of the mining power, they did not launch a 51% attack, because they'd be crazy to do so." First of all, these people have a flawed understanding of 51% attacks (hence, the need for this post). There is no such thing as "the 51% attack"; instead, there is a constellation of monopolistic behaviors available to a 51% mining pools, some of which are very difficult to detect. Second, a 51%er damages the Bitcoin ecosystem even when no attack of any kind is launched. And last but not least, the people trying to make this argument right now were making the argument that "GHash may be growing, but they'd be crazy to cross the 50% barrier" just a short while ago, and we know how that turned out. Their reasoning is flawed because they do not understand the miners' incentives or the nature of 51% attacks.
Take a look at how confidently Andreas insists that (1) the only problem posed by a monopolist is a double-spend, (2) 6-confirmations would fix this problem, (3) "if it's not 6-confirmations, it's 12-confirmations," and (4) Gavin will come to our rescue if this happens. First three of these claims are false, and the last one seems like a tall order for any individual besides Superman, and even Supermancoin would be vulnerable to kryptonite.
What the Bitcoin community needs right now is a good dose of acceptance and commitment therapy. Something that Bitcoiners long recognized as a collapse of the currency's value proposition just happened. Many loud people repeatedly claimed that the incentives were such that we'd never reach this point. We reached that point, and went beyond. Only after recognizing external, objective, inescapable reality, can we take action.
Luckily, once we understand the threats, we can fix the root problems.
Here's the definitive table of known strategies mining pools may follow as a function of their hash power. Where fixes are known, we note them:
Selfish mining will yield profits above fair share if Bitcoin remains unpatched and pool is well-connected to the network. Patching Bitcoin's block propagation protocol will rule out selfish mining by 0-25%ers.
Selfish mining will yield profits above fair share even if Bitcoin is patched. If it is not patched, the profits can be higher. No fix known now, but a fix may be possible some day.
Selfish mining will yield profits above fair share even if Bitcoin is patched. Selfish miner need not be well-connected to the network to win; it can unilaterally earn more Bitcoins with selfish mining. No fix possible, ever.
Double-spends against 6-confirmed transactions are feasible but not guaranteed to succeed. N-confirmations for large N will mitigate merchants' risk.
Loss of decentralized trust narrative, inability to differentiate Bitcoin from competing technologies.
Double-spends against 6-confirmed transactions are certain to succeed.
Selected miner targeting: Pool can reject any selected block found by any competing miner.
Selected transaction targeting: Pool can reject any selected transaction and keep it out of the blockchain.
Selected address blocking: Pool can block Bitcoin flows in or out of selected addresses.
Transaction Differentiation: Pool can deprioritize certain transactions and rely on other miners to mine them unless a (hefty) fee is attached.
Fee Extortion: Pool can deny transactions from a particular address unless a (hefty) fee is attached to those transactions.
Complete denial of service: Pool can ignore and orphan every single block found by competitors, thus stop all Bitcoin transactions.
When we have a 51% miner, we've lost our most precious asset even if this miner is completely benign for all time to come; namely, the Bitcoin value proposition and the corresponding Bitcoin narrative.
Bitcoin was different because it did not require full faith and trust in any single entity. The moment there is a 51% miner, the users need to fully trust that miners' intentions. That miner will, of course, claim that they would never launch an attack or engage in any nefarious activity. Whether they do or do not does not matter: the main pillar of the Bitcoin narrative is lost. It will be difficult or impossible to expand the Bitcoin user base.
If users were okay with trusting the good intentions of a single entity, we'd do away with the entire protocol, save all the electricity that goes into mining, and keep all the account balances on a database administered by GHash. We'd make sure to use something like HyperDex so it can handle the high transaction rate and is consistent and fault-tolerant. The resulting system would be cheaper, faster and more convenient for everyone, but all of Bitcoin's unique features would have been lost. We can call this centralized entity the "Verifying International Secure Authority," or, in short, VISA.
For GHashCoin is then essentially indistinguishable from, say, in-game gold in World of Warcraft. I can hear the Bitcoin fringe say "Surely, WoW would be crazy to do anything to upset the in-game gold economy." There is a reason why centralized virtual currencies did not take off, and why the Bitcoin narrative was so captivating. Losing it would deal an unrecoverable blow to the entire community.
A secondary worry is what would happen if a 51% were to engage in attacks. And contrary to commonly-repeated assertions, a monopolist can engage in subtle attacks that are hard to detect.
Transaction Differentiation: A 51% miner can simply render certain Bitcoin addresses (what clients perceive as "wallets") either unspendable or highly-deprioritized unless a high mining fee is paid. This is tantamount to ransom. In effect, the miner would turn to the Winklevii, who have large Bitcoin holdings, and say "my, my, my, nice fat wallet you've got there, you'll have to attach a 1% mining fee if you want to ever spend those coins again" while brandishing the virtual equivalent of a steel pipe.
About that steel pipe: one way of doing this is a draconian "pay a high fee or else we'll not only ignore your transaction, but we'll ignore every block found by anyone else that contains that transaction." This is pretty overt and would invite scrutiny. A smart monopolist will simply keep certain transactions from the blockchain, but accede if other miners add them. Recall that a 51% attacker doesn't just have 51% of the hash power, he may brandish far more. GHash actually had a fairly sustained 55% last weekend, and there is no reason why it couldn't be, say, 80%. So a 1-confirmation transaction would suddenly take 40 minutes instead of 10.
Of course, they would not do this across the board -- if the miner is smart, they will continue to accept everyday payments from Joe Sixpack for pennies a piece, so Sixpack can proselytize on the Internet about Bitcoin's virtues, create memes, and fancy himself as one of the moon-bound early adopters.
If the miner is smarter, they would couch this in technical terms that might even sound reasonable to the uninitiated. For instance, they might hit gambling sites with higher fees, because gambling sites perform many small transactions. They would justify the higher fees "to reduce the size of the blockchain" or "to reduce the resource requirements for embedded clients" or some such. This will divide the community and neutralize an effective social response. Besides, few people would stick up for a gambling site. In short, they'd get away with it.
There is great precedent for this, because the underlying driving force is a universal phenomenon called price differentiation: every entity wants to extract more from people who have the ability to pay [†]. My colleagues Vijay Erramilli and Nikos Laoutaris have documented that online merchants do this often [‡], and everyone knows that airlines charge higher prices based on seemingly random facts (e.g. a Saturday layover) to identify the business travelers.
Perhaps most tellingly, it would be "crazy" for a phone company to drive away customers by stealing their money. But a certain large phone company, one with punctuation in its name, engages in price discrimination by constantly changing their plans: you sign up for the Friends and Family World Plan, and lo and behold, discover that they have silently jacked their prices up after 6 months. You need to call and talk to a helpful agent, who tells you that there was an announcement on some obscure web page, and they'd be happy to move you to their new World Family and Friends Plan, which has the same features as the old Friends and Family World Plan, but you have to make that call to switch. And rinse and repeat, for all variations of those three words every 6 months. They are making you play this game in order to identify the professionals whose time is valuable: if you cannot watch your statements like a hawk and call them every few months, you get hit with exorbitant fees. If you are old, infirm, or easily confused by the various numbers that do not add up properly on your bill, tough. The upshot is that poor old grandmas pay extra, while the phone company makes a bit more money on the side; some middling MBA pads his resume with how he improved the bottom line by a few percent, and conveniently leaves out the fact that he pretty much stole it from your grandparents. Did the large phone company start out their day with "let's shake down the elderly"? No, if you asked them, they'd say "Absolutely not, it'd be against our interests to exploit our older customers!" Except it isn't, because the incentives are far more complicated, and simpleminded models don't capture what's happening.
These companies are riding a differential equation, where they balance unfair profits against money lost by turning people away. There is no reason why GHash will not do the same, if not now, after it has hired a few Wharton MBAs. The backlash can be quantified, the popular effort divided, and the process managed. Why do you think GHash first achieved 51% for just 12 hours, then 12 hours and 30 minutes, then just shy of 24 hours? They were probing the public reaction, carefully treading the line of backlash versus profit. Once the masses are inured to their games, the real fun starts. Did anyone ever see a phone company reform its practices on its own? Why would they? Armchair economists who are dying to claim that a monopolistic mining pool would never do anything "against their interests" really need to think through the complex interests of a monopolist.
Block Races: Recall that miners on occasion get into head-to-head races when they both discover blocks at the same time. It's kind of like two people who scratch off winning lottery tickets, where only the first person whose ticket is seen by the public wins the entire lottery sum. Normally, the packets from the two miners will race through the network, and it's difficult to tell who will win if the two miners are approximately equal-sized. If the world consisted of two 49%ers and a 2%er, each of the two 49%ers would win these races with 50/50 odds. But if one of them usurps the 2% pool to achieve 51%, he can win all of the subsequent races. The fact that the nearest competitor is pretty close in size does not matter. A 51%er never need experience what is called an "orphan block." This will ding the profit margin of competing miners.
Selected Miner Targeting: A 51%er can simply choose to ignore, say, a few percent of the blocks found by its nearest competitor. In effect, it would be entering into a block race even though it did not find a competing block by accident at the same time -- it purposefully ignored the competition's block, and decided to push its own instead. Because block propagation is not instantaneous, it would have plausible deniability. A smart 51% would continue to mine on old blocks for 13 seconds longer, and if it comes up with a competing block in that time frame, it'd simply claim that lady luck was on its side and don't you know that it takes 13 seconds for blocks to propagate? This would reduce the profit margin of the competition.
Discouraging Miner Investment: The mere presence of a monopoly miner creates an ongoing problem for other miners: Seeing that they are in a vulnerable position, they may shift their future investments away from Bitcoin. Perhaps they'd veer towards other profitable currencies where they themselves have a chance of becoming the monopolist. This would further consolidate the Bitcoin monopoly and leave us in a deeper hole than we are currently in. The decentralized trust narrative, having already collapsed down to "we trust a single monopolist but we monitor him diligently," would have to be completely abandoned.
Selfish Mining: This has been discussed previously. It needs to be addressed before a selfish miner emerges.
Double-spends: These have also been discussed extensively. GHash actually engaged in such an attack before it reached the 51% mark, and it could do so again.
Total Denial of Service: A DoS seems counterintuitive on the surface, but it might make sense if and when a monopolist wants to take exclusive advantage of favorable exchange rates. And it can also easily happen as a result of a software error on the part of the monopolist. If the phrase "Bitcoin is down" is ever uttered, something has gone very wrong. This can happen if we allow a monopoly.
There have been a number of purported analyses of what a miner can do. Most of these assume some very heavy-handed attacks, such as the benevolent mining monopoly, double-spends, wholesale DoS and the like. They then conclude that the miner would have to be insane to engage in those attacks. These arguments failed to predict the GHash expansion beyond 51%, because their model of reality is too limited.
We hope that this note showed some alternative attacks that are more subtle. The protocol needs hard incentives to keep mining pools from growing too large. Small but critical changes [§] to the cryptographic techniques used in the mining protocol can fix these problems by making public pools unattractive.
Gavin also wrote about neutralizing the 51% attack. This writeup also suffers from the narrow-minded view that there is only one 51% attack, and that "the 51% attack" is the heavy-handed attack Gavin assumes. There are far more subtle attacks possible, as discussed in this post.
Privacy, Economics, and Price Discrimination on the Internet by Andrew Odlyzko is a paper that everyone needs to read. Odlyzko had incredible forsight, backed by principled reasoning, in foreseeing why price discrimation will come to rule electronic commerce.