Hashrate amplification attacks

A lot of people asked me about the recent paper by Ittay Eyal and Emin Gun Sirer, titled Majority is not Enough: Bitcoin Mining is Vulnerable.

In this paper they describe a hashrate amplification attack – a way to find a greater percentage of the total valid blocks in the network than an attacker’s portion of the hashrate would indicate, potentially leading to dire consequences.

I really wish I had the time right now to examine this paper thoroughly. It’s a topic that interests me, I want to be up to date on Bitcoin research, and I’d be able to comment much more intelligently if I did. Unfortunately, as is often the case with me, I am wholly occupied right now with previous commitments and barely have a minute to spare.

But precisely because of this, I want to save some time by writing down a single response I can direct people to. And I believe I have enough understanding of the issue to say this:

  1. The basic idea of the attack is not new; it can be traced at least 3 years back. Nobody seemed to panic about it back then, and there is no reason we should start now. I did not participate in the original discussion but have read it with interest, and mentioned it whenever the topic came up. I had half a mind to conduct more thorough research into it myself, but could never allocate the time.
  2. They’re not the only ones to perform a detailed analysis of the attack. Over the past few months, a young Israeli researcher called Lear Bahack has independently studied the same issues. As it happened, one day before Eyal’s and Sirer’s paper was published, I sat down with Lear to discuss his results. My impression is that his research is more detailed, accurate, and thought out. He unfortunately was beaten to publishing the results, but we will soon see him write about his innovations.
  3. According to Lear, the attack is not nearly as easy to carry out as Eyal and Sirer would have us believe, in particular due to unrealistic assumptions about the network topology and the operation of mining pools. There is no real danger in the near future.
  4. He also suggested a protocol change that could remove this vulnerability, which we should hear about soon.
  5. The paper title and the way they write about it elsewhere are alarmist and self-centered. They give the impression they feel they’re the first ever to find a vulnerability with Bitcoin, and try to sow panic with talk about how Bitcoin is broken. I’ll take their word for them honestly being motivated by the desire to get the potential attack thwarted before any damage is done (EDIT: I did until I saw this), but it certainly looks like they’re just after the publicity, maybe even seeking profit from price manipulation.
    It’s not the first time we see alarmist headlines inspired by academic papers. It happened with the transaction graph work of Adi Shamir et al., and with the red balloons work of Aviv Zohar et al. But in those cases the researchers gave a neutral description and the media blew it out of all proportion. It is unfortunate that in this case, the sensationalism comes from the researchers themselves.

All this notwithstanding, we should thank Ittay Eyal and Emin Gun Sirer for their work on this interesting and potentially important topic. Stay tuned for further developments.

Updates:

Lear has published a sample of his results in this forum post, and also put up his paper (work in progress) at http://arxiv.org/pdf/1312.7013.pdf.

ASIC will not centralize Bitcoin mining

Some claim that Bitcoin mining is doomed to be concentrated in the hands of a few large mining corporations, and that the advent of ASIC mining is the culprit.

I disagree.

Well, I don’t know for a fact that this will not happen. However, there are several factors in play that could prevent this scenario – a scenario which is undesirable, because the more centralized mining is, the more likely it is that a majority of hashrate would collude in an attack against the Bitcoin network.

The cited reason for centralization is that large companies enjoy economies of scale in mining. These companies, combined, will scale up their operation until the difficulty has risen so much that mining is only marginally profitable. Since hobbyist miners are presumably less efficient, at that point mining will be a loss to hobbyist miners, so they will be forced out of the market.

An analogy is sometimes given with gold mining. Unlike the old days of the California gold rush, it is no longer possible for individuals to mine gold. Gold is only abundant in specific locations, and requires a complex mining operation to extract. The barrier to entry for obtaining suitable land and setting up a mine is just too high.

However, the situation with Bitcoin is much different, because of its extremely parallel nature. A gold mine will no longer work if you build a miniature version of it, so a person cannot run a small gold mine at home. In contrast, a Bitcoin mining farm is basically a huge number of copies of a single unit doing a very simple computation. Even a small chip measuring an inch across would be composed of many such units. So mining can definitely be scaled down to a level where everyone can run a Bitcoin miner at home. My first contention is that, since a large farm is basically multiple instances of a basic unit, the economies of scale that can be obtained are fairly limited.

This refers to the operation of the devices. There is still a big barrier to entry for actually manufacturing the devices; however, I do not see this as much cause for concern. Because Bitcoin mining requires a single, simple computation, designing an ASIC to carry it out will require relatively low R&D costs, when compared with more complex circuits such as CPUs and GPUs. Because of this we should expect many manufacturers of such chips, enough to ensure one would cater to the hobbyist market – if they are willing to pay for it.

Assuming an equilibrium where the potential mining revenue is mostly known, what anyone – whether a professional entity or a profit-seeking hobbyist – would pay for a device is the profit he expects to receive from it in its lifetime. And since the revenue is essentially the same for all, what differs is the cost of operation. For there to be a significant hobbyist market, there just need to be enough hobbyists with a cost of operation lower than that of the large corporations.

One thing going for the hobbyists is that they may have existing, underutilized infrastructure that can be leveraged into supporting a mining operation. A large-scale company would need to set up an infrastructure specifically for its operation, while a hobbyist may have unused physical space in his residence, a power grid connection with spare capacity, or a computing device he could use to assign work to the mining devices. For example, if he is using a desktop computer (unlike some, I don’t foresee the death of those anytime soon), he may have a spare PCI express slot to which he could plug a card, feeding off the spare capacity of the PSU (it may also be possible to design it to run only when the other power-hungry components are idle, which is most of the time).

But much more importantly, it can be expected that in the long term, the major cost of mining will not be capital expenditure, but power. Therefore, anyone who can get cheaper power will have a huge advantage. A hobbyist might have an arrangement of getting free electricity from his host, effectively “leeching” power from someone else – this practice may be frowned upon, but it will happen, and only at small scale. But the crux is hobbyists living in colder countries, who would otherwise use a resistive space heater to warm up (less so, those who would use heat pumps or furnaces). Any power spent on a mining device is exactly deducted from what they would have to spend on their space heater, so for them the power really is free.

Many other factors are in play – mining is inherently risky, and hobbyists might be less averse to this risk than professionals, or maybe some of them will have a relatively higher estimation of expected profit. Hobbyists might have reasons to mine other than direct profit, which could also tip the scale in their favor.

Even if there are not enough hobbyists with favorable conditions, we should also consider professional companies large enough to enjoy some economy of scale, yet small enough to be more lean and efficient than the large companies. And again, if these companies are in the market for mining devices, some manufacturer will take their money. Many such companies can fit in the global Bitcoin mining market, and while this is not the same as the ideal decentralized vision, it is still a good approximation.

In light of all of this, I do not worry that the economics of obtaining and operating mining equipment will be a cause for harmful centralization of mining.