It's Time For a Hard Bitcoin Fork (hackingdistributed.com)
243 points by AaronFriel 1278 days ago | 146 comments

The article makes a pretty interesting point: Bitcoin's version of proof of work can be delegated, which makes mining pools possible. An alternative design could ensure that the task to solve is designed so that miners and pool could not trust each other, thus ensuring that pools do not exist.

It seems like this is a pretty big flaw in how Bitcoin is designed, as its security relies on miners remaining independent.

It's pretty easy to break delegation, but the cure is worse than the illness— to reduce mining variance there you must use hosted mining, where miners have even less control (absent more fixes…). GHash.IO is substantially hosted mining in any case.

Really the more important point to note is that pooling for variance reduction has absolutely nothing to do with delegating control. Running an outbound-only bitcoin full node, past initial syncup, uses less than 20kbit/sec bandwidth and a fraction of a percent of cpu... it's not costly to do, purposefully so.

It's perfectly possible to individually run your own consensus decisions but agree with others to, in a provable way, pool your payments. This is what P2Pool does.

Unfortunately many Bitcoin miners don't have a rigorous mathematical understanding of how mining works— they erroneously believe it to be a race where the fastest wins disproportionally— something entirely untrue (absent some proposed attacks which are not happening in practice)... just keeping yourself from getting scammed by the many scammy hardware companies is basically a full time job itself. Then you have various technically unsophisticated Bitcoin pundits claiming that hashpower consolidations in pools isn't something to worry about... not a great mix.

Fortunately, the reasons for the current behavior are mostly inertia— if P2Pool had been invented first the symmetry would have broken differently. It's still possible that there might be a massive swing (say if GHash.io decides to steal a bunch of coins from their miners and makes a runner).

The non-outsourceable puzzle discourages hosted mining as well as pools (though if users are trusting, then hosted mining might persist anyway).

The non-outsourceable puzzle would have to be adopted at the same time as another change, which would allow solo-miners to enjoy the low variance they get in a pool.

Essentially you would need to allow miners to choose a lower difficulty, for proportionally lower block reward. This opens up DoS concerns if it can go arbitrarily low, and might generally require more bandwidth. This would essentially be Bitcoin internalizing p2pool.

> It's pretty easy to break delegation

I'd be interested to learn how mining delegation could (in theory) be avoided. It seems to me that as long as you have a proof-of-work designed around something that can be solved with distributed computing power, there may always be incentives for delegation and cooperation (especially to reduce variance). I'm genuinely curious to hear what other approaches can be used to "break delegation."

The basic idea for a delegation-breaking puzzle is outlined here: https://bitcointalk.org/index.php?topic=309073.0

The intuition (which is described in the original article, by the way) is that in this puzzle, whoever actually finds the solution can take the entire reward for themselves.

We've expanded this idea into a rigorous research paper that's currently undergoing peer review, but we may release a preprint soon.

After reading the post, I would rather phrase the key insight as: in the proposed protocol you don't have to reveal the nonce that hashes to the low value; rather, you prove you have it, thus destroying the connection between the nonce and the pool, so a solution can go out without any pool member being able to say "hey -- that was ours!"

This destroys the ability of pool members to trust that their nonces, where valid, will actually be used to claim a reward for the pool.

I'm not familiar with the work, but I assume there are validated zero knowledge proof protocols that prove you know a partial hash inversion of a particular quality, like the Pinocchio one referred to.

Edit: with that said, I don't agree that eliminating mining pools is a good thing; that just rewards those who can enforce cooperation by some other means (say, having the capital to personally run the farm), which has a far more unequal distribution than mining pools.

> Edit: with that said, I don't agree that eliminating mining pools is a good thing; that just rewards those who can enforce cooperation by some other means (say, having the capital to personally run the farm), which has a far more unequal distribution than mining pools.

In order for Bitcoin to work, in the sense that you don't have to trust anyone for it to be fair, then no group can ever have 51% of the hashing power of the network. It has now been proven that a mining pool can reach that threshold. It has NOT been proven that it is practically possible to buy that much hashing power. We should get rid of mining pools because they are the current cause of this crisis. We can cross the other bridge when we come to it (which it seems unlikely we ever will).

>to reduce mining variance there you must use hosted mining

Why should people [miners] be able to reduce variance at all? That's not a necessary feature of the system, and it doesn't seem like a goal worth pursuing. Security is paramount; mining variance is "first-world-problems".

>say if GHash.io decides to steal a bunch of coins from their miners

It seems far more likely that GHash would try to be sneaky about theft, rather than overt. This would allow them to keep getting away with it (that "long term revenue stream").

I know this sounds sort of unlikely, but consider e.g. GHash functionality to identify and subtly interfere with the operation of automated tools (e.g. ZeroCoin) that make lots of bitcoin transactions. The less likely that human eyes will see a transaction, the easier it will probably be to subvert.

Reducing variance of a return allows the entry of smaller-scale and more risk-averse participants into the market.

>Security is paramount; mining variance is "first-world-problems".

100% agree. If people who can't tolerate variance don't mind, then those who can tolerate it will.

This is the same panic-prone author (@el33th4xor) who, in early November 2013 with Bitcoin at about $220, wrote "@el33th4xor: You heard it here first: now is a good time to sell your Bitcoins" (https://twitter.com/el33th4xor/status/397219415025934336)

This was just before releasing some research that he thought would cause a confidence collapse. (That is, his prediction was almost self-consciously attempting market-manipulation.) In fact, the paper just formalized some concerns discussed in the mining community for years.

So then, rather than collapsing, Bitcoin went on an epic rally, and hasn't been below $339 since the same week of that doomsaying prediction.

There is certainly danger in one entity controlling 51% of the hashing power. But everyone's known this risk, as one of the design assumptions of the system, from the beginning... and also seen the tipping point approach/recede/approach repeatedly. And also, the "Bitcoin lunatic fringe", who this author mocks, has so far been right about the pool(s) attaining such power refraining from taking destructive (and self-bankrupting) next steps.

So: focused concern, yes. But @el33th4xor-style panic, no.

Further, any 'hard fork' (or forks) that were to remedy pool issues, using the "well-known" techniques referenced, would almost certainly retain some continuity with prior key balances. That is: imagine the most destructive transition possible. A total civil war between mining pools. Irreconcilable dissension in the core team (or offshoots thereof). Collapse of the Bitcoin price to values of 1-2 years ago. Still, at the end of that process, there are one or more "offshoot" chains, adopting the Bitcoin history as their own, patched and stronger than before, with pre-crisis Bitcoin balances intact.

(That is: a 51% cartel may not be actually "good" news... but it is survivable and perhaps even necessary.)

So if you like to try to trade in and out of predicted market panics, like @el33th4xor, maybe there are some trading plays here. But if you just like cryptocurrency for the long haul, keep your Bitcoin private keys (and eyes) safe & dry, and trust evolution. There are enough smart, well-funded, and relatively cool heads involved that @el33th4xor's predictions are just a car alarm going off in the night, whether the car is actually at risk or not.

Nice ad hominems you've got there.

>In fact, the paper just formalized some concerns discussed in the mining community for years.

This is false. Discussed here: http://hackingdistributed.com/2013/11/09/no-you-dint/

>the "Bitcoin lunatic fringe" this author mocks has been right about the pool(s) having such power refraining from destructive (and self-bankrupting) next steps.

No. The Bitcoin lunatic fringe was adamant that no pool would willingly cross the 50% boundary.

That just happened. Models and reasoning based on "no rational miner would do X" are clearly flawed, partly because the miners may not be rational, or partly because they are rational within a time-frame not modeled. In any case, people who reasoned like you have now been shown conclusively to have the model wrong.

This is an opportunity to fix the protocol, not shill for the price, and certainly not to engage in ad hominems.


I think your track record of alarmism and disrespect to non-academics is relevant, but even if you classify it 'ad hominem', you've earned it with your own prolific slurs of critics.

I've addressed your continued "no-you-dint" willful-blindness about earlier analysis elsewhere... including on your own blog at (http://hackingdistributed.com/2013/11/14/response-to-feedbac...). You failed to discover (and thus footnote) prior community work, from years earlier, that did everything except for your more-rigorous boundary formalizations. So again, nice write-up, but exaggerated novelty. The interested can follow the links and decide for themselves.

I'm sure someone said no pool would ever even try to get 51%. Others simply said a pool in such a position wouldn't self-destruct the entire ecosystem, against their own interests. (Instead, they behave like the 'stationary bandit' of Mancur Olson's political-economy. Not ideal, and not what Bitcoin intended, and worthy of attempted-fixes... but also not an instant and unsurvivable crisis.) It's this latter prediction, of stability even in the presence of explicit (or secret) 51% cartels, that is still, so far, outperforming your own. For now they have the same claim to "I told you so!" as you do.

"I'm sure someone said no pool would ever even try to get 51%."

Yeah, the 'lunatic fringe' like Sam Altman.


To the contrary, we've been far more respectful and accommodating to the Bitcoin fringe than merited, and certainly far more than the other way around. After all, we took a fair amount of abuse for simply pointing out an objective weakness that is part of the protocol. This, despite the fact that we proposed a fix for it.

Perhaps you've not read our final paper. It doesn't just footnote, but actually cites the prior discussion.

And anyone who reads the previous discussion can see that our paper:

* shows a more extensive attack than the one described there, one that works,

* performs a full analysis of the revenue to be obtained from that attack, and characterizes that revenue as a function of attacking pool size and attacking pool's ability to control information flow in the network,

* shows that Bitcoin is not incentive-compatible,

* shows that, even under the best of circumstances (i.e. the attacker has terrible network connectivity, no Sybils, no control over information propagation and loses to the honest miners every single time), defending against the attacker requires at least 2/3rds of the network to be honest.

Perhaps the biggest giveaway that we did something differently is that THE BITCOIN TALK FORUMS CONCLUDED THAT THEIR ATTACK WOULD NOT WORK, WHEREAS WE SHOWED THAT OURS WOULD.

You're making things up when you imply that we're claiming that 51% is an "unsurvivable crisis." To the contrary, the article very clearly says that the Bitcoin economy remains unaffected, and that the Bitcoin price is also unaffected.

We have been trying to improve the Bitcoin system since day 1. I realize that you're part of the original brigade, and that also explains your ad hominems here. I urge you to elevate the discussion.

It's nice to hear that in your final paper you acknowledge the earlier discussions. You should link that final version from your author homepages. (The latest versions linked from you and your coauthors' pages, at arXiv [1] and Cornell [2], still have no mention of the earlier discussion.) If the FC14 version [3] is final, it's better, but I still think you're unfairly summarizing the key thread [4].

Every key aspect of selfish strategy is described there, from manipulating 'gamma' via network-tricks, to releasing the minimum number of 'secret' blocks, after each external-block, to maximize the cartel's expected return. ByteCoin's simulations show advantages, and breakeven thresholds with regard to 'override success' ('gamma'), very similar to your paper's calculations. That's why I credit your paper for rigorously describing the situation, under your specific assumptions, but not with the discovery of a previously-unknown less-than-51% attack.

Also, your final paper is simply lying when it says the thread "does not suggest a solution to the problem". It's almost as if your disdain of these 'fringe' Bitcoin fanatics has blinded you to the actual words of the thread.

Two commenters in the December 2010 thread (btchris and RHorning) suggest that preferencing accurate-seeming timestamps can disadvantage cartel-delayed blocks. That countermeasure is likely stronger than your paper's proposed random-choice-between-ties. (Randomization, by pushing gamma to 1/2, could make things worse if, on the real network, the effective gamma for late-releasers was already closer to 0. Preferring realistic timestamps, meanwhile, almost always helps 'honest' blocks, which don't have to guess a future time when they'll be released.)

Note that the last bullet of supposed novelty in your paper – "defending against the attacker requires at least 2/3rds of the network to be honest" – is the exact same best-case threshold as reported by ByteCoin in thread message #36, 2010-12-14. He states: "a cartel with no preferential network access can be profitable with 33% of the generating power"[5]. Same result, 3 years earlier. How can you allege ByteCoin was simulating some other strategy? Wouldn't the slightest difference in block-release-rules result in a different best-case threshold?

Finally, the Bitcoin Talk forums hadn't "CONCLUDED" anything. They're not a deliberative body. Some people were convinced, others weren't. The relevant actors – mining insiders – knew what they needed to know, to either try the attack, or detect it in orphan rates and weird timestamps... and to try countermeasures based on disadvantaging cartel blocks if ever necessary. Meni Rosenfeld also referred back to the matter as a known concern, in an answer on the Bitcoin StackExchange, in October 2011 [6]. So he knew it was an issue, and lots of people trust him about mining matters.

There's no "brigade" out to trash you led by some "failed academic" "Singaporean" "ringleader". Your critics are not the heads of some unified hydra, that you can disregard altogether as the "Bitcoin lunatic fringe" based on a few quotes from particular yahoos. You've made specific claims of novelty, or doom, that were either never true, or disproven by later events. These will be pointed out when you claim to enjoy a "we told you so" record of authoritative insights.

[1] http://arxiv.org/pdf/1311.0243v5.pdf

[2] http://www.cs.cornell.edu/~ie53/publications/btcProcArXiv.pd...

[3] http://fc14.ifca.ai/papers/fc14_submission_82.pdf

[4] https://bitcointalk.org/index.php?topic=2227.0;all

[5] https://bitcointalk.org/index.php?topic=2227.msg30138#msg301...

[6] http://bitcoin.stackexchange.com/questions/1475/can-someone-...

> Nice ad hominems you've got there.

That's seriously rich coming from the dude who just wrote

> The main ringleader of this brigade was a failed academic from Singapore, someone who had a superficial knowledge of game theory and sufficient familiarity with Latex to create the look & feel of research papers, but someone whose own academic work never went beyond repackaging well-known results in game theory.

I don't disagree with you, but just FYI, 'ad hominem' has a pretty specific meaning and I don't think it applies in this case.

Simply calling someone 'panic-prone' isn't in itself ad hominem. If the argument were that because the author is panic-prone he cannot possibly be right, then it would be ad hominem. But if there isn't an explicit causality implied (i.e. being panic-prone makes you wrong), it's more just name-calling. (name-calling != ad hominem)

There may be other fallacies that apply here, but there is actually an argument backing up the commenter's claim that the author is being too panicky, and that this is less of an issue than it is being made out to be.

In particular, if emin-gun-sirer had gotten his 2013-Nov-03 prediction right, and that was a good time to sell your Bitcoins, don't you think he'd be shouting it from the rooftops, ever since?

He took a gamble: that the bold tweeted prediction would increase attention for his paper (which it did), and then come true, improving his credibility about such matters (which it didn't).

He's now saying "I told you so", literally, in a gambit for more credibility – but eliding mention of his prior bad predictions. (In addition to the "good time to sell" prediction, I would point out that (a) orphan rates since his paper was published have not shown the predicted wide self-interested adoption of "selfish mining"; (b) the pool that's achieved 51% does not appear to have used "selfish mining" to get there - just the same economies-of-scale and small-miner-superstitions that have been known threats since the beginning of pooled-mining. In other words, even if this is a disaster, it's not the same one, by the same path, as he predicted – but an older potential doom, prophesied by others long before his work.)

When facing such a claim of earned authority, it's entirely appropriate, and not at all ad hominem, to highlight the full record. To "shout from the rooftops" exactly the same early calls he himself would be bragging about – if he'd been right.

If you really want to scare some people you should point out that this is happening as we get ready for the US Marshal BTC auction, and could be related. I would be very reluctant to put 1.5M into BTC right now.

Like IPv4, the "experiment" has grown so large that it may be impossible to get consensus on any non-backwards-compatible change.

> Like IPv4, the "experiment" has grown so large that it may be impossible to get consensus on any non-backwards-compatible change.

How is that an accurate description of IPv4 at all? IPv6 has made monumental progress[0] in a relatively short time (yes, for what we're talking about, it's only been a short amount of time).

[0] https://www.google.com/intl/en/ipv6/statistics.html

Is 3% in three years really "monumental" progress? I honestly don't know much about the issue, but those numbers hardly seem monumental to me.

It's been on an exponential growth curve for a number of years, and the doubling time recently decreased to about 8 months. Whether that continues is of course anyone's guess, but if it does, after another three years it would be at 20-40% (depending on whether you take the recent trend (http://docs.google.com/spreadsheets/d/1V1MLaAEiuNI99s7NO2ZgQ...) or the longer term trend (http://docs.google.com/spreadsheets/d/1V1MLaAEiuNI99s7NO2ZgQ...)

I can't access either of those documents. But looking at the original graph in the parent, I wouldn't be so quick to call it exponential growth. It certainly looks like it could be, but it's easy to confuse exponential growth with slightly increasing, but still fundamentally linear growth when you're only going from 0.5% to 3.5% over three years. There's no way I would look at that graph and confidently say it's going to be 20-40% in another three years when the last three have been, well, disappointing.

I'm not sure this is true, regardless of how large Bitcoin grows to be. If a significant enough problem were discovered, wouldn't it be in everyone's best interest to protect the value of their wallets by accepting a forked blockchain?

Tinfoil hat time: But not everyone will automatically comprehend the situation properly. There will be a possibility that media can be manipulated to keep the subvertible network alive and dominant through its network effect, while it is subtly manipulated from behind the scenes. Perhaps this happened before, and will happen again. (I'm talking about pre-Internet financial networks, as well as making a BSG reference. In BSG, if the Cylons were really smart, wouldn't they have taken over the financial and media networks instead of the defense computers? They would have had far more to gain from subtly controlling the wealth of the colonies instead of destroying it. Over time, they could have taken over society from the inside and just replaced everyone with attractive flashy sexbots.)

Wouldn't GHash be able to pivot their existing mining power to take 51% of that new blockchain?

Yes, the extrapolation being missed by the article, is that the rich will control bitcoin, and nothing can ever stop that from happening. It goes to the very core of how bitcoin is designed that allows for it to be dominated by a large rich entity with enough processing power. Inherently the 'little guy' will be priced out of bitcoin, it was always going to be that way. Whether it's one or ten entities in question doesn't matter, bitcoin will be dominated by rich, powerful companies or persons, and that powerful position will only increase in fortification with time.

This principle pops the utopian fantasy of bitcoin that some cling to, but only a different approach to digital currencies will get you around the issue.

Money & power always consolidates down to the hands of a few that will possess dramatic influence compared to the rest of the market participants. See: JP Morgan, pre-Fed.

> the rich will control bitcoin, and nothing can ever stop that from happening.

But should the rich have control in proportion to their richness or out of proportion to it? That's the key issue that I see behind this article (and the previous selfish mining work).

That's a grim reality if true. I don't have any information that would refute this claim, so I can't disagree, and it actually makes a lot of sense.

The proposed change would allow any GHash member to essentially steal mining profits from GHash (by taking the full reward for any blocks found, while still sharing in the reward for blocks found by other members). Since some participants will certainly selfishly take advantage of this opportunity, there would be a disincentive for honest members to belong to the pool, and it would therefore quickly lose its dominance.

Edit: And more generally, for the same reason, pools of this sort should cease to exist.

An older discussion thread worth considering: https://bitcointalk.org/index.php?topic=327767.0

Depends on what changes to the algorithm are involved.

I was under the impression that the mining percentage would give you the same percentage chance to cook the books. 51% means you are more likely to succeed than fail in an attempt. Much like buying 51 percent of lottery tickets gives you a slightly better than even chance of winning the big prize.

In that respect, wouldn't 51% be only marginally different to 49%? Both would be a bit of a concern, but neither would be the "position to exercise complete control over which transactions appear on the blockchain" that this article refers to.

Is there some mechanism I'm missing that makes 51% be vastly more powerful than 49%?

No, 51% is vastly more powerful than 49%. With 51%, you essentially control the entire Blockchain because you can always create a new Blockchain that would be accepted by the network, given enough time. Always. With 49%, you can only get away with it a few times, and it's less likely you will mine the next 6 blocks.

Essentially, as time progresses, with 49% you lose out, with 51%, you keep winning.
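For readers who want numbers for the 49% versus 51% question, here is an added example (not part of the thread) that implements the attacker catch-up calculation from section 11 of the Bitcoin whitepaper. It assumes that model's simplifications: the attacker's share q is constant, the attacker keeps mining indefinitely, and the merchant waits z confirmations; the function names are chosen for this illustration.

```python
import math

def catch_up_probability(q, deficit):
    """Chance that a miner with hash-power share q ever erases a deficit
    of `deficit` blocks (gambler's-ruin result used in the whitepaper)."""
    p = 1.0 - q
    return 1.0 if q >= p else (q / p) ** deficit

def double_spend_success(q, z):
    """Probability that an attacker with share q replaces a transaction
    after the merchant has waited for z confirmations."""
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority always catches up eventually
    lam = z * q / p                     # expected attacker progress meanwhile
    poisson = math.exp(-lam)            # P(attacker mined k = 0 blocks)
    fail = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k          # iterative Poisson term, avoids overflow
        fail += poisson * (1.0 - catch_up_probability(q, z - k))
    return 1.0 - fail

def confirmations_needed(q, risk=0.001, max_z=1000):
    """Smallest z that pushes the attacker's success below `risk`,
    or None if no number of confirmations can (q >= 0.5) or max_z is hit."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if double_spend_success(q, z) < risk:
            return z
    return None

if __name__ == "__main__":
    print(" q     P(success, z=6)   confirmations for <0.1% risk")
    for q in (0.10, 0.30, 0.45, 0.49, 0.51):
        print(f"{q:.2f}   {double_spend_success(q, 6):.7f}         {confirmations_needed(q)}")
```

Below one half the risk can always be driven down by waiting for more confirmations, although the wait grows steeply as q approaches 0.5; at or above one half no number of confirmations helps.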

I think I understand now. That would still be a bit of a tricky position because it isn't so much 51% when you commit the fraud that is important it is the period following the fraud.

How detectable would such an action be? Wouldn't other systems be able to look at the block and say "it's verified, but it don't look right to me"?

Not really. There are always lots of 'versions' of the blockchain floating around. The network only keeps track of the longest chain (broadly speaking). This means the network with 51% can determine which transactions get into the blockchain. For example, if the pool owner doesn't like you, he can essentially 'blacklist' your account, which means your Bitcoins can become unspendable, basically. The longer they have the 51% power, the more damage they can do. GHash already performed what you describe as your '49% attack' against a gambling site that accepted 0 confirmation deposits. There has been no known instance of a 51% attack yet (e.g. double spend after 6 confirmations).

You pretty much have to detect the fraud before/as it occurs - the dominant miner being silent for a while is a good indication they are building an alternate chain in private, for example. At least, that would be an indicator for a double-spend.

Not really. That happens regularly just because of luck.

You'd see that every single block was mined by the same pool.

That doesn't mean a 51% attack happened, it just means someone got 51% of the network hash rate.

An honest miner with 51% of the hash rate would only mine 51% of the blocks (example: https://blockchain.info/blocks ); an attacker would mine every single block.

From the bitcoin wiki:

An attacker that controls more than 50% of the network's computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to:

* Reverse transactions that he sends while he's in control. This has the potential to double-spend transactions that previously had already been seen in the block chain.
* Prevent some or all transactions from gaining any confirmations
* Prevent some or all other miners from mining any valid blocks

The attacker can't:

* Reverse other people's transactions
* Prevent transactions from being sent at all (they'll show as 0/unconfirmed)
* Change the number of coins generated per block
* Create coins out of thin air
* Send coins that never belonged to him

You could theoretically mine your own chain from the genesis block right?

That won't work due to checkpoints and even if it did work it would be the equivalent of nuking the entire Bitcoin ecosystem.

It would be more profitable to do something like extending the current blockchain but charge 1% transaction fees.

Interesting. For the benefit of others unfamiliar with this.

There is a hardcoded list of checkpoint blocks in the Bitcoin client. Any new chain starting before the last checkpoint will be rejected.

https://bitcoin.stackexchange.com/questions/1061/can-a-51-at... https://bitcoin.stackexchange.com/questions/3114/which-block...

So in other words if a 51% attack were to mine starting before a checkpoint block, it would end up "just" hard-forking Bitcoin.

Wait. If the attacker did any of that while it was in control, then wouldn't it fail validation for every other bitcoin miner?

If they lose their 50% control then they generate invalid blocks. Particularly the part regarding the number of coins generated per block. That one will obviously be wrong.

What does "in control" mean in this sense? Is that an equivalent expression to "greater than 50%"?

Also the "Some or all" doesn't seem very specific. What is the factor that makes some become all?

I believe the intention in the phrasing is that they could selectively or universally exercise that action. Not that there is some spectrum of control.

The bitcoin protocol defines the longest chain as the correct/canonical chain.

At 51% you have more hashing power than the rest of the network combined, so you can start mining blocks on your own and create your own chain with the knowledge that eventually your chain will be longer than the 49% chain everyone else is working on. When that happens, the 49% will abandon their chain and start working on yours.

What kind of chain length differential is enough to cause people to switch? Is it a single block?

> Is it a single block?

No. The 'winning chain' is determined by total difficulty, not block count.


And down it goes again: https://bitcoinity.org/markets

In the previous crisis it was all based on trust ("it was just a bad player, trust will return to the market"). Now we've a doomsday scenario and what seems a serious flaw in Bitcoin.

Feels like a chapter out of The Foundation books.

or it's because the silk road bitcoins being auctioned

Or a combination of both factors.

Relatively speaking, this is a pretty small dip, though.

If you look at the 6 month graph, this downward blip is such a small one that it's indistinguishable from noise.

A hash pool at 51% is big news. If this isn't corrected soon, BTC is doomed to fail.

You're assuming that someone with a significant investment in the space would act dishonestly. That's the only reason BTC fails as the result of something like this. Seem like MAD to me, if they were to act dishonestly they would destroy their own investment and profit potential.

The point of a distributed system is not having to trust people to act honestly.

If you're perfectly fine trusting a GHASH to act honestly, you should be perfectly fine trusting them or some other entity to run a centralized, non-distributed currency.

Your statement doesn't work out, because even if a single official mining pool doesn't have >50% of the hash rate, a bunch of small mining pools could be secretly colluding, or even just a bunch of individual people.

GHash.io already have acted dishonestly when they had a large but substantially sub-51% share - they launched a bunch of double spending attacks that effectively stole money from a Bitcoin gambling service.

Then why are you using BTC in the first place? The US Fed and US Government has no reason to act dishonestly. The value of the dollar relies on us trusting the US Government / US Fed to protect it.

If switching over to BTC means "trusting GHash.io"... then nothing has changed.

The difference is that if GHash.io launches an attack, miners have the choice to move to another pool. If the US government inflates the currency (yet again) there is nothing to do.

If GHash.io launches a "no one else can mine" attack, then there won't be any other pools to move to.

https://en.bitcoin.it/wiki/Weaknesses#Attacker_has_a_lot_of_... * Prevent some or all other miners from mining any valid blocks

Unless we hard fork...

I think you might want to look into the history of disastrous collapses of currencies. To think the US dollar is somehow impervious to the same threats is naive.

I'm criticizing BTC, not defending the dollar. Even precious commodities like Gold (Black Friday, 1869) and Silver (Panic of 1873) have been manipulated and crashed throughout the years.

All currencies suffer through booms and busts, even precious Gold and Silver.

However, BTC is unique in that wielding 51% hashing power grants you powers beyond what has ever been seen before in a currency. A properly wielded 51% can absolutely destroy an entire coin system (RIP Feathercoin).

Do NOT take the 51% attack lightly. This could mean the absolute ruin of BTC in its entirety.

"Seem like MAD to me, if they were to act dishonestly they would destroy their own investment and profit potential."

There's more than a few entities with an incentive to seeing a decentralized network capable of replacing established methods of conducting financial transactions go away.

You can't stop pool mining, even with a hard fork.

Let's say you implement a restriction like "5 blocks in a row max for a given pool". GHash can split into GhashA and GhashB, and keep going.

I don't know why you're suggesting anything along those lines, it doesn't look like the author's link to a method to stop pool mining has anything to do with restrictions like that. It seems instead the author links to a post about allowing arbitrary participants in a pool to steal the entirety of the mining reward. Thus, there would be no incentive for individuals to participate in a pool: whoever finds the solution could take the entirety of the reward.

This kills the GHashA.

That's not the kind of restriction that stops pool mining. The trick is to enable the pool members to steal the blocks they discover. Andrew Miller, a grad student at UMD, has an ingenious scheme for doing this. I am pretty sure I put the link in the article, under the first bullet in the "What to Do Now" section.

Wouldn't pool participants that use this extension to steal rewards be exposed to the pool simply due to their work being consistently challenged and thus lost?

i.e: The pool would notice that certain participants' contributions are conflicting with other discoveries, and ban such participants?

> The pool would notice that certain participants' contributions are conflicting with other discoveries, and ban such participants?

How? Or, you ban me, I sign up again under a different alias.

The pool can use a 2% fee for old accounts and a 20% fee for new accounts (for example, with less than 1 month or less than 10^x hashes calculated.)

Fees cost almost nothing to hostile miners. With a 20% fee, they get 100% of their hashrate through the theft, and 80% from the pool. So long as you pay anything at all to new miners, doing this attack is beneficial.

But, you see, the attacker isn't mining anything of value under the pool, thus the pool has nothing to apply the fee over.

And so few new miners would sign up. Which would be good.

That wouldn't work either. Even if you make it so every 3 blocks can be rewarded to an address (let's say), then you can simply write your own wallet that will use randomized addresses and simply forward their reward to the pool's wallet, which then distributes to the "real wallets".

The only way you can truly prevent pools from taking over is to create a system of authentication that'll destroy anonymity.

Interesting. I hadn't thought about this, thanks for mentioning it.

A hard fork would be just as devastating as a 51% attack. The author is way over-reacting here. In fact, it looks like GHash is down to 45% and dropping — BitFury just left, and Petamine is considering leaving too: http://www.coindesk.com/bitfury-pulls-power-ghash-community-...

Why do BitFury and Petamine use a pool at all? At their scale, wouldn't they have low enough variance through solo mining? Or perhaps P2Pool?

Another solution: assuming, as the article claims, that GHash grew to its current size because it had 0% fees. Other pools can respond by lowering their fees or introducing negative ones. I.e. they pay miners to join the pool. Or have fees but introduce a lottery system that randomly overpays members.

IANABME[1], but it seems that a solution already exists to this problem, which is to use a decentralized mining pool. The unfortunate fact is that we're in a time window right now where large miners have not yet transitioned to this ideal solution.

However, any miner in the long run would prefer to join a mining pool that does not require trusting some pool operator over one that does, all other things being equal.

Yes, the current situation is dangerous for the health of bitcoin, but I don't see any solution besides waiting for distributed, trustless pool technology to catch up in terms of usability with the centralized pools.

This problem isn't going to be solved by a hard fork, as any "fixes" done this way are untested, incomplete, and risky.

[1] I am not a bitcoin mining expert

As long as large centralized pools charge no fees and use less bandwidth than p2pool, people will have no incentive to adopt p2pool.

Presumably large pools aren't charities, so the lack of fees can remain indefinitely.

Bandwidth is certainly a problem though... are there any good numbers on the bandwidth difference?

Their Bitcoin is broken argument doesn't really seem to work. I agree that something needs to be done to stop huge amounts of pooling but this seems to be too alarmist. The initial Bitcoin is Broken post is at http://hackingdistributed.com/2013/11/04/bitcoin-is-broken/ and a counterpoint is at https://freedom-to-tinker.com/blog/felten/bitcoin-isnt-so-br... .

The counterpoint from my colleague Ed Felten is based on a flawed understanding of how mining pools work and how pool participants are rewarded.

Explained here: http://hackingdistributed.com/2013/11/08/fairweather-mining/

The argument in that counterpoint seems to be as follows:

1. Assume that selfish mining doesn't work.

2. Because selfish mining doesn't work there will be fair weather miners who will only mine on whichever chain is furthest ahead, defaulting to the public chain in the case of a tie.

3. Since the selfish mining pool won't be ahead all the time nobody will mine for it.

4. Therefore selfish mining doesn't work.

It's not what I'd term a strong rebuttal.

I think that the "selfish mining" in your first point isn't truly selfish mining. The idea is that the particular method of selfish mining being discussed would be defeated by a truly selfish mining method. No matter what you want to act selfishly and the debate is whether or not there is an optimal selfish strategy that is bad for the overall bitcoin infrastructure. Since little to no incentive exists to stick with a mining pool that is selfishly mining it is my understanding that the attack using a mining pool mentioned in the previous post will not work well.

That's a valid point, but not at all what I got out of the argument. I picked up primarily on the specific counter-strategy.

It's certainly true that selfish mining strategy A which gave a 5% increase in results would lose out to another selfish mining strategy B which gave 10% increases in results. However that's not an argument that strategy A doesn't break the system, merely that the optimal selfish strategy breaks the system at least as badly as strategy A.

Now it is possible that there isn't a stable strategy to use. If we supposed for the purposes of argument that the fair weather strategy was more profitable than the selfish strategy described in the first article you posted, then it would seem that the optimal strategy would oscillate. As more people participate in a selfish pool consistently the more profitable it is to be a fair weather miner. However, supposing that leads to a dissolution of the selfish pool all those fair weather miners turn honest. Against honest miners, however, the selfish strategy is proven to be more profitable. And so you'd see an oscillation where people constantly shift between being honest, selfish and fair weather.

Of course, if the long-run gains from keeping up on this strategy treadmill are less than simply sticking to the selfish strategy through thick and thin, then perhaps the fair weather strategy isn't better in reality.

Is a "hard fork" really necessary? BTC miners can all just adopt a new version. What's concerning is that the 51% attack has been known since the beginning and the community never addressed it and seemed to irrationally dismiss it. The current response is that GHash is removing processing power, but how is that a good long-term solution? The BTC community should be demanding and supporting technical fixes.

Also it's too bad that BTC is blinding everyone to a variety of other crypto-currencies that have improved features.

The so-called 51% problem will be inherent in any truly decentralized P2P network. All P2P protocols suffer the risk of poisoning by malicious nodes in various different ways, and they mitigate it by assuming that proportionally, most nodes will be good.

There will not be a way of "patching" the issue. The only thing that can be done is to set up a proper emergency handling procedure in the event a 51% attack is conducted, which involves directing as many clients as possible to work on a new fork.

This article feels sensational, but I would say accurately reflects a large portion of the community's feelings.

Great accompaniment is from Peter Todd (Coinkite adviser, respected dev) who announced this AM he is selling 50% of his holdings in bitcoin until this is resolved.


This article would be decent if they ditched the hyperbole. Like it or not, this is not Armageddon for Bitcoin - the network is still functioning as intended.

> the network is still functioning as intended.

"as intended" reminds me of this koan from the codeless code[1].

[1] http://thecodelesscode.com/case/135

Well, it's not decentralized anymore.

Can't bitcoin simply require agreement from more than one author of a blockchain? For example do not allow the same entity to sign the blockchain for two consecutive blocks. This would require defining what constitutes a single entity though. How do we define it when talking about mining pools? Can't alliances of pools have already reached 51% long ago and colluded "as one strategy"?

In less sensational terms: The biggest pool got too big. Members (BitFury) react by shrinking it back. Community is aware of the problem, solution will probably be coming soon.

Anyway, stay tuned and don't miss the next iteration of 'We are all doomed!!1' by the two muppet academics. To be published shortly after a solution gets deployed. Or earlier.

They don't have 51% anymore, although I think their other concerns are valid:

http://www.coindesk.com/bitfury-pulls-power-ghash-community-... https://blockchain.info/pools

Proof of work can't be decentralized because it has almost infinite economies of scale - starting from the production of ASICs, and ending at mining farm cooling. It doesn't matter what you change, at the end, you're going to be left with one mining farm.

>GHash [...] just reached 51% of total network mining power today.

Is this official? Seems somewhat surreal...

Not really invested in this but at the very least I'd expect some posts along the lines of "Pool X is fast approaching 50%...BTC in danger". Not "51%...game over".

A couple days back they were at 48% or 49%. It's not that big a surprise.

FYI, GHash.io is a Ukrainian company. As you know, the country is a mess now and there's an ongoing civil war. Just sayin'! (See, I didn't even mention that most black hat hackers come from that part of the world.)

The idea that most black hat hackers come from that part of the world is quite interesting. Would you expand on it?

Just stats. We know those fine computer scientists control most of the botnets, for example.

Hmm, would you link to any stats?

You can ignore what I wrote or prove me wrong by providing links. I honestly have better things to do on Friday night.

... What? How did me being curious lead to that?

He probably took it as you questioning his claim as he provided no real evidence.

As someone who works in the information security industry, I can confirm from personal experience that a very disproportionate amount of organized and semi-organized cybercrime comes from Ukraine, Russia, and neighboring countries. I, however, do not have any sources for you at this time.

Thanks! I'm just curious about the field.

Why would GHash ever want to attack the platform from which it profits and from which it will likely continue to profit, as a leading transaction processor, for many years to come? Should they be silly enough to attempt something nefarious, miners would quickly abandon them, and their business would collapse overnight.

Every major participant in the Bitcoin network, including GHash, has a vested interest in maintaining the network's integrity. Not only that: given Bitcoin's increased mainstream acceptance, it's in the best interest of every major participant to maintain a good reputation.

> Why would GHash ever want to attack the platform from which it profits and from which it will likely continue to profit, as a leading transaction processor, for many years to come?

There's pretty much an infinite number of reasons people choose short-term profit with apparent long-term opportunity cost above apparently stable long-term profit streams. Betting that an actor with the power to do so would never do so usually is equivalent to creating a greater incentive for them to do so.

I notice you bring up the exact arguments that the piece addresses explicitly, yet you do not acknowledge this one way or another.

But the meta-reason is: if someone thinks they can get away with it, why wouldn't they do it? With that presumption you could even argue it's the rational choice. If you do it subtly, there's plenty of room for doubt. Furthermore, there are enough people who're invested for ideological reasons that, in the absence of strong evidence, all most people will hear is a lot of he-said, she-said.

More to the point, factor in any monetary investment in the scheme -- the prospect of collapse should a critical mass reach the same conclusion, for instance -- and the people who've invested have an incentive to stay the course. That incentive to maintain a good reputation cuts both ways. Reputation is a matter of popular perception.

Makes logical sense; unfortunately we've seen examples in the past of this logic not being adhered to. Take the poker site "Ultimate Bet": when cheating was suspected, the line of reasoning against it (and the strongest line of reasoning at that) was "Why would they cheat when they are running a million dollar profitable business and jeopardise the entire operation for a bit more %?" Turns out they were willing to jeopardise it all.

In the case of Ultimate Bet it turned out that it was an inside job, but the individuals involved didn't necessarily share in the long term profits of the company, so they were able to benefit personally to the tune of millions, while most of the negative effects landed on the company rather than themselves.

Thankfully in at least two other poker companies (hint: the largest one and its sister company) it was made impossible to see someone's hole cards before the hand is over, which is what allowed the cheaters at Ultimate Bet to perpetrate their con.

It's my pretty firm belief that when it seems like an entity is throwing away a pretty obvious economic self-interest, there's probably just a misunderstanding of where the economic self interest lies in the parties involved.

So what if the anonymous maintainer works for the US government or a large banking institution? Running a slick-looking pool seems like the easiest way to get in control of enough hash power to set the bitcoin brand back years. Doing the "wrong" thing at the right time would mean further billions in profit without the effort of re-imagining the whole financial sector, assuming it staved off a cryptocurrency revolution.

Rather than a fork, wouldn't an alternate, easier approach be to form more pools that charge no fees?

Take a deep breath. Stop hyperventilating. Bitcoin has died a violent, crashy, gory death dozens of times at this point.

It's in Bitcoin community's, and GHash's, economic interest that no miner exceeds 50%. That's all you need to know to know that this is just another exasperated hand-wringer proclaiming the premature death of BitCoin.

BitCoin, RIP 2008 - 2009, 2010, 2011, 2012, 2013, 2014, ?

Yeah, but this time it's different, and many early Bitcoiners are alarmed. A long-held, fundamental social contract has been broken.

We've long known this is a weakness of the system, but most early adopters assumed that our strong decentralized culture would prevail.

Clearly, we were wrong. So we either have to find a technological solution ASAP, or we may as well just let GHash operate servers -- it'd be much cheaper for them and easier on the environment, and the end result is the same.


> It's in Bitcoin community's, and GHash's, economic interest that no miner exceeds 50%

But GHash does exceed 50%, right now.

...for very long

>It's in Bitcoin community's, and GHash's, economic interest that no miner exceeds 50%.

Are Bitcoin community's interests and individual miners' interests aligned? I understand why the bitcoin community wouldn't want a mining pool with more than 50% of the share, but why should "selfish" individual miners care?

Miners occupy a powerful and yet somewhat isolated portion of the rapidly evolving bitcoin ecosystem.

For many people in the Bitcoin ecosystem, making the technology successful is about more than personal enrichment. A lot of folks see Bitcoin specifically (because of its present success) holding the potential for big changes in a shorter period of time.

The people I've spoken with don't mince words: in general serious miners compete against others to make money, not societal change.

>The people I've spoken with don't mince words: in general serious miners compete against others to make money, not societal change.

Fine, but in their ignorance and greed, they're going to lose their ability to make money.

If the blockchain is dominated by a single interest, and that player starts abusing their market position, BitCoin's exchange rate will plummet and the economic interest in question will lose millions. So yes, it is in the community's interest and individual miners' interest to keep the hashrate distributed enough to prevent that from happening.

What happens when people lose faith in the system? The 2008 financial crisis, the great depression, etc....

Nobody wins if the entire system breaks down.

This reasoning is based on the assumption that a 51% player must also be long on Bitcoin, and that they interpret the nature and value of the Bitcoin market in a similar manner to most members of the Bitcoin community.

In other words, assuming that they don't know anything you don't. Considering we're talking about an entity that's managed to become a 51%er, that assumption sounds downright Pollyannaish to me. The same line of reasoning also supposedly implies that nobody should want to get even close to this point. Counterfactually, as it turns out.

That said, I can see the attraction of that line of reasoning, too. When you've got a tiger by the tail, it probably is best not to contemplate too carefully what's at the other end.

When they bought the mining machines they were entering bitcoin as long, weren't they?

They can't even sell their future winnings as they don't have them yet, so they are really long!

Well, they aren't long bitcoin from buying mining rigs, they are long bitcoin call options denominated in energy. If the return seems likely to be too low, as eventually it must be when (if things continue) people make more efficient rigs, then it would eventually be in their interest to let the longer term options expire. It is totally conceivable that taking a huge short position and scaring everyone off of btc could mean more profit than could be mined out of those rigs. Of course, you would need someone to take the other side of that bet, in a setting with sufficiently little counterparty risk that you can collect (which typically means a more regulated setting) and a sufficiently lax regulatory environment that you aren't likely to be accused of some illegal type of market manipulation. That said, people do seem to overlook such details... and this all only seems unlikely to very unlikely, not impossibly or absurdly unlikely.

In other words, the stars would have to align in order for this to occur.

I don't really know what GHash knows, but I can tell you that GHash's hashrate has dipped well below 50% only a day later, as it did when this happened before.

The stars would have to align for it to be genuinely a good idea. Which... well... stars align, sometimes. Moreover, people make mistakes and think stars have aligned.

The threat here is that a single group has the capability to produce 51% of the hashes, possibly reliably (we can't know whether scaling back was deliberate or happenstance). It doesn't matter whether they are persistently using that capability.

Perhaps the deeper threat here is the rate at which the goalpost is moving.

It's strange, this situation where in there are all these things that would be seriously problematic were they to happen, unless of course they actually happen, in which case they're not actually a problem at all.

Large contributors to the GHash pool pulled large amounts of resources out of the pool. GHash isn't a monolithic entity. Miners have to voluntarily commit their resources to GHash. It's not like a single individual can commandeer the entire mining army without fear of repercussion.

>they are long bitcoin call options denominated in energy

You mean, "denominated in energy divided by global hashing power (of all miners collectively)".

Yes, I believe I do.

Maybe they were. . . or maybe they've figured out something others haven't. Some sort of shorting-type scheme, perhaps.

Normally I'm not so inclined toward conspiracist thinking, but considering all the different capers that have put Bitcoin in the news over the past couple years, in this particular case I'm inclined to make an exception.

What stops them from taking a short position in Bitcoins and forcing the exchange rate into the ground?

And nobody in the world wants Bitcoin to break down?

GHash doesn't - and that's why they will figure out a way to dip below 50% again.

It's hard for something to be let die when some have made big money already or have lost and want to recover. Bitcoin is gambling and attracts a rare mindset and this prevents it from going mainstream anytime soon - similarly only a small percentage of people trade stocks. Regular people hardly want to get associated with the gambler crowd. We've seen this before where gambling and technology met.

As I've been closely monitoring the ups and downs of Bitcoin price, what always stops Bitcoin free fall is the feeling that you're gonna miss a huge profit, it's not the reason, and dips become smaller, and smaller as speculators who missed the train last time don't wanna risk too much next time. When you have a bunch of greedy people with money, again, it's hard for this thing to die unless more profitable alternatives appear on the horizon. The one unique thing here is China and their limited options for high tech speculation. If China really kills Bitcoin over there, it will mark the final death of Bitcoin.

How is it that you know what GHash's interests are?

They could have short-term profit in mind, or else crippling bitcoin itself. There is plenty of room for them to have interests that are out of line with the rest of the bitcoin community.


Miners join in pools to mine bitcoins to even out their earnings. It's a way to diversify their risk.

Unfortunately, bigger pools let you diversify the best, and this is currently undermining the core tenet of bitcoin, which is to avoid having any one person with central control over the network.

The linked article is suggesting modifying the core software for bitcoin in order to discourage this kind of centralization. Other people, however, think the core software is fine, and that the solution is to instead improve "decentralized mining pool" technology to get rid of the problem.

>bigger pools let you diversify the best

According to the article the big draw is that GHash don't have a fee.
