

Is Bitcoin Broken? - imd23
https://bitcoinfoundation.org/blog/?p=310

======
tptacek
This is pure innuendo.

The Bitcoin paper at least presented a thorough argument. Andresen, who did
not seem (in his Bitcoin Reddit post) to have grasped that argument, is
obviously unhappy that "Bitcoin" didn't get a preprint or approve its
presentation to the press. But the authors of the paper signed their name to
it; the lead author is a lecturer at a serious university.

Instead of rebutting any technical point the paper makes, Andresen casts
aspersions, alludes to a "peer review" process that would not have prevented
the paper's publication, and then suggests the paper is flawed technically.
Well, how?

Here, instead, is a vastly superior critical response by Ed Felten:

[https://freedom-to-tinker.com/blog/felten/bitcoin-isnt-so-
br...](https://freedom-to-tinker.com/blog/felten/bitcoin-isnt-so-broken-after-
all/)

~~~
deepblueocean
Hi, Author of the referenced blog post [2] here (and one of Felten's grad
students).

Let me lay out the argument from our post in a more technical way: the biggest
problem with the Eyal/Sirer paper is that they don't think about the problem
as an equilibrium problem, but rather argue about what's best from the
perspective of a particular player. This leads them to propose a strategy
which is not even optimal for any player (we prefer to think of Bitcoin as a
kind of consensus game, in the game theoretic sense. See our earlier paper on
the topic [1]).

They argue that Bitcoin is not incentive-compatible by virtue of the strategy
they demonstrate. I think this question needs to be the crux of any Bitcoin
research paper. I'll define "incentive compatible" to mean one of two things

(1) (weakly incentive compatible) If people follow their incentives, rather
than the rules of Bitcoin as written down and understood by the community,
then there _exists_ an equilibrium in which all players follow the rules.

(2) (strongly incentive compatible) The above equilibrium is the only
equilibrium in Bitcoin.

The question of whether the current Bitcoin ruleset is incentive compatible
strikes me as the most important Bitcoin research question: it answers whether
Bitcoin, as a system, will continue to be stable over the long term. A
secondary question is to ask "what rule sets could exist which would be
incentive compatible?" Obviously, if the answer to the first question is "no"
then the second question is more important.

[1]
[https://news.ycombinator.com/item?id=5874786](https://news.ycombinator.com/item?id=5874786)

[2]
[https://news.ycombinator.com/item?id=6689254](https://news.ycombinator.com/item?id=6689254)

~~~
cs702
Gavin's post is not innuendo; he's just trying to be diplomatic in my view.
However, I could not agree more with deepblueocean: figuring out if and under
which conditions the Bitcoin network will tend toward an equilibrium in which
all players follow the rules should be a priority for researchers. It's the
biggest question mark hanging over Bitcoin's future.

I also agree that the Eyal/Sirer paper seems naive about markets.

\--

PS. This thread should be at the top of this page. (Currently, another thread
I started is at the top; I hope this thread shoots up past it.)

~~~
tptacek
If you'd like to cast Andresen's innuendo in the best possible light, I won't
object.

But my assessment of his post is descriptive, not normative. When you respond
to a detailed technical report by criticizing the way it was presented to the
press, then suggest technical flaws without actually explaining what those
flaws are, that is innuendo.

Maybe you feel innuendo is warranted. Whether the mining game in Bitcoin is or
isn't tenable over the long term doesn't much matter to me, because I'm one of
those people who feel Bitcoin has no intrinsic value, and has a spot price
today that represents in part irrational excitement about Bitcoin and in part
a cynical scalping of that excitement by speculators. Bitcoin could be the
most solid imaginable distributed cryptosystem and I'd still have problems
with it.

I was motivated to comment about Andresen's post because I was also struck by
his Reddit comment on the ES paper, where it seemed that random laypeople on
Reddit were better prepared to discuss the technical implications of the paper
than he was.

~~~
cs702
I see your point, but still doubt that Gavin intended his post as innuendo. My
assessment is that he's not yet ready to respond to the paper with carefully
written, fully-thought-out, detailed technical counter-arguments, but wanted
to assuage the Bitcoin community and address all those "sensationalistic
headlines" put forth by "reporters on deadline" with an 'official response' as
soon as possible.

------
cs702
_"...it is unfortunate (but entirely predictable) that the release of a not-
yet-peer-reviewed paper generated so many sensationalistic headlines. Peer
review works best when everybody involved is given time for conversation and
debate without being contacted by reporters on deadline."_

Translation: next time, please send us the paper in advance and get it peer
reviewed before you start talking to reporters.

 _" I’m not going to write about the specific claims in the paper... However,
it is good to note that in my initial review, I believe the paper’s assertion
of a fundamental flaw is based on some over-simplified assumptions about how
the bitcoin mining market works."_

Translation: the paper's claims are probably wrong.

~~~
sillysaurus2
Why do they pander so much? It's hard to imagine pg ever writing something
that tiptoes around like that, yet pg has been in dozens of situations
requiring a public response to a perceived problem. He's never pandered, yet
he's never suffered for it either. So is pg just a better writer than Gavin,
or is this an academic tradition, or...? Just curious.

~~~
jnbiche
They're trying hard not to discourage academic research into Bitcoin, or to
scare off security researchers. They desperately want _more_ security
researchers. I actually think Gavin is handling this very well, and the
response seems well-measured.

That said, the way this whole paper has been released smacks of
sensationalism. I'll take the Eyal at his word that he's concerned with
Bitcoin's future, but failing to adhere to the standards of responsible
disclosure and entitling a blog post "Bitcoin is Broken" really make me wonder
about what they're trying to do, other than self-promote.

Besides, this basic attack is something that has been discussed since 2010.
There may be a few subtle differences in the paper, but based on my reading of
the blog post, this is an attack that mining pools have even accused each
other of doing a year or two ago. It's a potential problem, but definitely not
a "Bitcoin is fundamentally broken" problem as the blog post claims.

------
mcherm
Gavin Andresen writes: > Peer review works best when everybody involved is
given time for conversation and debate without being contacted by reporters on
deadline.

In other words, the entire institution of science (computer science in this
case) is better off if the individual researchers are careful about presenting
things to the press and make sure to review things carefully before
publishing.

But the incentive for individual researchers may not be aligned with this. An
individual researcher might be able to advance their career by going to the
press (particularly about a hot-in-the-news-right-now topic like Bitcoin) and
by making sensational claims ("Bitcoin is 'Broken'!") even if the overall
scientific enterprise suffers. After all, had you ever heard of Ittay Eyal or
Emin Sirer before this? Given these skewed incentives, at least a few people
will "cheat" the system by going to the press, and those people will profit by
it.

Rather like Eyal and Sirer's claim for Bitcoin miners.

\- - - - - - - - - -

To discuss the merits of the paper itself (rather than Gavin's response), if a
mining pool were to utilize the strategy described in the paper it would
result in that pool repeatedly releasing new chains that are longer than the
existing blockchain but which fork one OR MORE of the previously released
chains. While this is allowed under the Bitcoin protocol (this is the way that
forks in the chain get "healed"), it is also rather obviously visible. So if
certain miners were following this protocol then it would quickly become
obvious that they were doing so. The community would then be able to take
actions to redress the problem.

~~~
celticninja
I thunk it misses a fundamental point which is that this would be detrimental
to the network. the assumption is that miners would join the
dishonest/unethical miner to increase their block rewards, however it would be
at the cst of bitcoins overall value and succcess. So you may get 25% more
coins but you have coins that are worth less.

~~~
deepblueocean
I think it's interesting to calculate how much less the BTC/USD exchange rate
would have to be as a function of how much power the ES-adversary has. It's
substantial!

One could even imagine creating "poison pill" derivative instruments where
someone agrees to sell a lot of BTC if some predicate over the blockchain
becomes true (such as a predicate that's only true if ES-mining is happening).

------
afshin
So basically: "I do not have a comment at this time."

That's fine and all. But not very newsworthy.

~~~
gnerd
Except he did make a comment, although not a concrete one:

> However, it is good to note that in my initial review, I believe the paper’s
> assertion of a fundamental flaw is based on some over-simplified assumptions
> about how the bitcoin mining market works.

~~~
hvidgaard
Not playing by the rules as stated in the paper, can result in greater than
expected return. It can also return less than expected, and on average you
gain the most by being a well behaved mining node.

------
3pt14159
The way bitcoin is broken is that there are people with VAST wallets that
could be state actors. If the CIA truly did invent bitcoin then they have
immense power on it and it's stability. The hard part about this risk is that
there is no way to mitigate it.

~~~
nwh
There's absolutely nothing to suggest that any state actor created Bitcoin.

~~~
3pt14159
Actually there is quite a bit to suggest that a state actor created bitcoin.
Satoshi is probably three people and the CIA and NSA don't really screw around
when it comes to this type of thing. Even if they didn't create it, they had
the man/computer power to control large chunks of bitcoin.

~~~
gwern
> Actually there is quite a bit to suggest that a state actor created bitcoin.

Not really. Most of the arguments are based on false premises, like the claim
that the codebase is of high quality or has never had serious breaks. I've
looked pretty deeply into Satoshi, and nothing makes me think it's not exactly
what it looks like: one guy.

~~~
nwh
Every claim like this that says the code base is high quality has me rolling
with laughter. The core developers at still trying to fix some of the crazy
oversights that Satoshi left in the core code.

~~~
GeneralMayhem
And even if it were, in what world does high-quality code imply state actor?

~~~
fragmede
The part of the world where professionals who are able to write high-quality
code are well paid for quality work.

~~~
GeneralMayhem
Sure, but why does that mean government money? There are tons of very, very
good programmers outside of the intelligence-industrial complex. "It's good,
therefore the CIA made it" is unbelievably terrible logic.

~~~
gwern
"It's bad, therefore the CIA probably didn't make it" is fine logic; therefore
the reverse also works fine - probabilisticly. If P(CIA|good) > P(CIA), then
P(CIA|~good) < P(CIA).

~~~
GeneralMayhem
Logically sound but significantly negligible. I'd say P(CIA|~good) is very
small, but P(CIA) is _also_ quite small. P(CIA|good) >= 50% iff the CIA
produces at least 50% of the good security-related code in the world. I don't
see it.

