50 comments

[ 4.8 ms ] story [ 111 ms ] thread
So basically: "I do not have a comment at this time."

That's fine and all. But not very newsworthy.

Except he did make a comment, although not a concrete one:

> However, it is good to note that in my initial review, I believe the paper’s assertion of a fundamental flaw is based on some over-simplified assumptions about how the bitcoin mining market works.

Not playing by the rules as stated in the paper, can result in greater than expected return. It can also return less than expected, and on average you gain the most by being a well behaved mining node.
Yeah, fair enough. I just went into the post expecting less boilerplate.
(comment deleted)
"...it is unfortunate (but entirely predictable) that the release of a not-yet-peer-reviewed paper generated so many sensationalistic headlines. Peer review works best when everybody involved is given time for conversation and debate without being contacted by reporters on deadline."

Translation: next time, please send us the paper in advance and get it peer reviewed before you start talking to reporters.

"I’m not going to write about the specific claims in the paper... However, it is good to note that in my initial review, I believe the paper’s assertion of a fundamental flaw is based on some over-simplified assumptions about how the bitcoin mining market works."

Translation: the paper's claims are probably wrong.

Why do they pander so much? It's hard to imagine pg ever writing something that tiptoes around like that, yet pg has been in dozens of situations requiring a public response to a perceived problem. He's never pandered, yet he's never suffered for it either. So is pg just a better writer than Gavin, or is this an academic tradition, or...? Just curious.
no need to be combatative, he actually wants to encourage researchers to undertake this sort of work, it may lead to improvments in the protocol and could save the developers some time too.

If he tore into them then other researchers may feel less inclined to look at the network/protocol and undertake their own research.

I would say that it is probably because a large portion of the mainstream media/ general population thinks bitcoin is for complete loonies. If Gavin's tone were confrontational, it would likely make people think he's getting defensive over his obviously ridiculous magic internet money. He has to err on the side of caution to avoid people making that assumption.
They're trying hard not to discourage academic research into Bitcoin, or to scare off security researchers. They desperately want more security researchers. I actually think Gavin is handling this very well, and the response seems well-measured.

That said, the way this whole paper has been released smacks of sensationalism. I'll take the Eyal at his word that he's concerned with Bitcoin's future, but failing to adhere to the standards of responsible disclosure and entitling a blog post "Bitcoin is Broken" really make me wonder about what they're trying to do, other than self-promote.

Besides, this basic attack is something that has been discussed since 2010. There may be a few subtle differences in the paper, but based on my reading of the blog post, this is an attack that mining pools have even accused each other of doing a year or two ago. It's a potential problem, but definitely not a "Bitcoin is fundamentally broken" problem as the blog post claims.

The way bitcoin is broken is that there are people with VAST wallets that could be state actors. If the CIA truly did invent bitcoin then they have immense power on it and it's stability. The hard part about this risk is that there is no way to mitigate it.
There's absolutely nothing to suggest that any state actor created Bitcoin.
Actually there is quite a bit to suggest that a state actor created bitcoin. Satoshi is probably three people and the CIA and NSA don't really screw around when it comes to this type of thing. Even if they didn't create it, they had the man/computer power to control large chunks of bitcoin.
> Actually there is quite a bit to suggest that a state actor created bitcoin.

Not really. Most of the arguments are based on false premises, like the claim that the codebase is of high quality or has never had serious breaks. I've looked pretty deeply into Satoshi, and nothing makes me think it's not exactly what it looks like: one guy.

Every claim like this that says the code base is high quality has me rolling with laughter. The core developers at still trying to fix some of the crazy oversights that Satoshi left in the core code.
And even if it were, in what world does high-quality code imply state actor?
The part of the world where professionals who are able to write high-quality code are well paid for quality work.
Sure, but why does that mean government money? There are tons of very, very good programmers outside of the intelligence-industrial complex. "It's good, therefore the CIA made it" is unbelievably terrible logic.
"It's bad, therefore the CIA probably didn't make it" is fine logic; therefore the reverse also works fine - probabilisticly. If P(CIA|good) > P(CIA), then P(CIA|~good) < P(CIA).
Logically sound but significantly negligible. I'd say P(CIA|~good) is very small, but P(CIA) is also quite small. P(CIA|good) >= 50% iff the CIA produces at least 50% of the good security-related code in the world. I don't see it.
I don't know. I would worry about the fact that SHA256 was chosen for the hashing algorithm. There's good reason to believe that the NSA has attempted to develop hardware that can perform incredible quantities of SHA256 hashes, because it is also used as the standard for most encryption online.

They might not have powerful enough machines to actually brute-force normal Internet encryption standards, but they are probably still attempting to develop them, and it shouldn't be surprising if they now have a SHA256 hashing network that can blow the entire world's bitcoin mining operations out of the water.

Alternatively, some other entity may have attempted to build a hashing network to crack online encryption, and they developed bitcoin as another way to try to use their network.

Conspiracy theories, yeah I know, but come on. Is it not at least plausible?

Depends on whether or not you believe the NSA has its own fab.
The NSA does have its own fab and partners with commercial fabs, but its fab is small and apparently out of date, and so it seems to be primarily for producing legacy hardware. I looked this up once for reasons that had nothing to do with Bitcoin: http://www.gwern.net/Slowing%20Moore%27s%20Law#fn24
Who cares? About the worst thing they can do is sell the coins they have.
Given the large numbers of coins held and the comparatively smaller depths of the BTC markets, selling off a lot of coins would create a massive crash in their market value. If you wanted to have the ability to destabilize it in the future, this is a good tactic.
Are you worried they might try to "disrupt" the market by selling them or something? Else, I really can't see how this poses any problem at all.
Most of the large wallets (with the exception of DEA/FBI) are held my early adopters who have no interest in fuckign things up,
This isn't true. Most of the early bitcoins are held by one "person" named Satoshi whose real identity we don't know.
Gavin Andresen writes: > Peer review works best when everybody involved is given time for conversation and debate without being contacted by reporters on deadline.

In other words, the entire institution of science (computer science in this case) is better off if the individual researchers are careful about presenting things to the press and make sure to review things carefully before publishing.

But the incentive for individual researchers may not be aligned with this. An individual researcher might be able to advance their career by going to the press (particularly about a hot-in-the-news-right-now topic like Bitcoin) and by making sensational claims ("Bitcoin is 'Broken'!") even if the overall scientific enterprise suffers. After all, had you ever heard of Ittay Eyal or Emin Sirer before this? Given these skewed incentives, at least a few people will "cheat" the system by going to the press, and those people will profit by it.

Rather like Eyal and Sirer's claim for Bitcoin miners.

- - - - - - - - - -

To discuss the merits of the paper itself (rather than Gavin's response), if a mining pool were to utilize the strategy described in the paper it would result in that pool repeatedly releasing new chains that are longer than the existing blockchain but which fork one OR MORE of the previously released chains. While this is allowed under the Bitcoin protocol (this is the way that forks in the chain get "healed"), it is also rather obviously visible. So if certain miners were following this protocol then it would quickly become obvious that they were doing so. The community would then be able to take actions to redress the problem.

I thunk it misses a fundamental point which is that this would be detrimental to the network. the assumption is that miners would join the dishonest/unethical miner to increase their block rewards, however it would be at the cst of bitcoins overall value and succcess. So you may get 25% more coins but you have coins that are worth less.
I think it's interesting to calculate how much less the BTC/USD exchange rate would have to be as a function of how much power the ES-adversary has. It's substantial!

One could even imagine creating "poison pill" derivative instruments where someone agrees to sell a lot of BTC if some predicate over the blockchain becomes true (such as a predicate that's only true if ES-mining is happening).

This is pure innuendo.

The Bitcoin paper at least presented a thorough argument. Andresen, who did not seem (in his Bitcoin Reddit post) to have grasped that argument, is obviously unhappy that "Bitcoin" didn't get a preprint or approve its presentation to the press. But the authors of the paper signed their name to it; the lead author is a lecturer at a serious university.

Instead of rebutting any technical point the paper makes, Andresen casts aspersions, alludes to a "peer review" process that would not have prevented the paper's publication, and then suggests the paper is flawed technically. Well, how?

Here, instead, is a vastly superior critical response by Ed Felten:

https://freedom-to-tinker.com/blog/felten/bitcoin-isnt-so-br...

Hi, Author of the referenced blog post [2] here (and one of Felten's grad students).

Let me lay out the argument from our post in a more technical way: the biggest problem with the Eyal/Sirer paper is that they don't think about the problem as an equilibrium problem, but rather argue about what's best from the perspective of a particular player. This leads them to propose a strategy which is not even optimal for any player (we prefer to think of Bitcoin as a kind of consensus game, in the game theoretic sense. See our earlier paper on the topic [1]).

They argue that Bitcoin is not incentive-compatible by virtue of the strategy they demonstrate. I think this question needs to be the crux of any Bitcoin research paper. I'll define "incentive compatible" to mean one of two things

(1) (weakly incentive compatible) If people follow their incentives, rather than the rules of Bitcoin as written down and understood by the community, then there exists an equilibrium in which all players follow the rules.

(2) (strongly incentive compatible) The above equilibrium is the only equilibrium in Bitcoin.

The question of whether the current Bitcoin ruleset is incentive compatible strikes me as the most important Bitcoin research question: it answers whether Bitcoin, as a system, will continue to be stable over the long term. A secondary question is to ask "what rule sets could exist which would be incentive compatible?" Obviously, if the answer to the first question is "no" then the second question is more important.

[1] https://news.ycombinator.com/item?id=5874786

[2] https://news.ycombinator.com/item?id=6689254

Gavin's post is not innuendo; he's just trying to be diplomatic in my view. However, I could not agree more with deepblueocean: figuring out if and under which conditions the Bitcoin network will tend toward an equilibrium in which all players follow the rules should be a priority for researchers. It's the biggest question mark hanging over Bitcoin's future.

I also agree that the Eyal/Sirer paper seems naive about markets.

--

PS. This thread should be at the top of this page. (Currently, another thread I started is at the top; I hope this thread shoots up past it.)

The question of whether the current Bitcoin ruleset is incentive compatible strikes me as the most important Bitcoin research question: it answers whether Bitcoin, as a system, will continue to be stable over the long term.

Is a Democratic Republic incentive compatible over the long term?

If you'd like to cast Andresen's innuendo in the best possible light, I won't object.

But my assessment of his post is descriptive, not normative. When you respond to a detailed technical report by criticizing the way it was presented to the press, then suggest technical flaws without actually explaining what those flaws are, that is innuendo.

Maybe you feel innuendo is warranted. Whether the mining game in Bitcoin is or isn't tenable over the long term doesn't much matter to me, because I'm one of those people who feel Bitcoin has no intrinsic value, and has a spot price today that represents in part irrational excitement about Bitcoin and in part a cynical scalping of that excitement by speculators. Bitcoin could be the most solid imaginable distributed cryptosystem and I'd still have problems with it.

I was motivated to comment about Andresen's post because I was also struck by his Reddit comment on the ES paper, where it seemed that random laypeople on Reddit were better prepared to discuss the technical implications of the paper than he was.

I see your point, but still doubt that Gavin intended his post as innuendo. My assessment is that he's not yet ready to respond to the paper with carefully written, fully-thought-out, detailed technical counter-arguments, but wanted to assuage the Bitcoin community and address all those "sensationalistic headlines" put forth by "reporters on deadline" with an 'official response' as soon as possible.
Thanks for your analysis. Even if this new equilibrium claimed by Eyal/Sirer doesn't hold up under scrutiny, haven't they at least succeeded in lowering the controlling percentage an individual would need to "cheat" the system in some way from 51% to 33%?

In the ES paper, and in your responses, the assumption is a colluding group of miners. I find myself agreeing with you there; it looks like the colluders have more incentive to break ranks. But suppose a single individual controlled 33%. Couldn't they use this same strategy to benefit more than we previously thought they could?

> In the ES paper, and in your responses, the assumption is a colluding group of miners. I find myself agreeing with you there; it looks like the colluders have more incentive to break ranks. But suppose a single individual controlled 33%. Couldn't they use this same strategy to benefit more than we previously thought they could?

Yes, I think they could. I'm currently trying to model what happens in mining pools where the pool master attempts to keep the pool's state a secret from the pool members to deter the kind of hopping behavior necessary for fair weather mining.

Thank you for posting this link! I've had no luck trying to get people to take the attack presented by the original paper seriously over on Reddit [1] and hadn't seen this critique yet.

Still, I would have liked to see a more technical rebuttal from Mr. Felten, so I hope he posts more in the near future. I don't see how being a fairweather miner like he describes is an issue. Pools already employ strong protections that prevent pool-hoppers from gaining anything.

I started implementing a simulation of the attack last night in an attempt to reproduce their results.

[1] http://www.reddit.com/r/Bitcoin/comments/1q22kg/a_start_to_r...

pool hopping? Don't miningpools have a really simple system to prove work? You submit blocks with hashes that have being solved to a much lower difficulty. Those submissions get you placed as a receiving party for the next completed block. At least that's my understanding of how mining pools work, so how could this work?
Imagine I have N resources, and instead of hopping between pools, I'm deciding what percent to allocate to ES-mining and what percent to allocate to "honest" mining. I could certainly allocate 99% of my resources to one or the other in each round, which would be a good (99%) simulation of fair-weather mining.
Sure, the issue isn't so much the mechanics of jumping from one pool to another, it's just pools have a way of gauging exactly how much work you're doing for them.

You can't know ahead of time which pool to bet on, unless you know that the ES pool is ahead. There's nothing guaranteeing that pool miners are decentralized, in fact by design they would have to be centralized to keep completed blocks private.

If they were public they could be neutered by one rouge agent in the pool that immediately publishes completed blocks. So you have no way of knowing how far ahead an ES mining pool is. So on what grounds could you decide which pool to help?

It's not possible for the pool to hide what chain it is working on from its miners. If you're connected to the ES-pool when it is working on the mainline chain and you see it start working on top of a block that is not on the main chain, that's a good indicator that it is a block ahead of the main chain.

If you see it work on top of yet another block that is not published, it's probably two ahead, and so on.

You of course, can't just connect and immediately know, but if you watch the pool (as a miner) you can figure it out.

Ah. I see, your right, in that way you can know it's ahead, but can't spoil the advantage. Thanks for pointing that out.

So I was wrong.

It's not clear to me that Felten's response you've linked to identifies a fatal flaw in the ES attack, because the ES attackers aren't limited to following just the bitcoin protocol. The ES attackers could follow a protocol under which coalition members are required to prove to each other that they are working on the ES chain and not "fair weather mining". For example, coalition members could log cyptographic proof that they were working on certain chains, and then keep a certain number of bitcoins in virtual escrow that will be forfeit if fair weather mining is discovered.
How would such a proof protocol work? I spent most of yesterday trying to answer that question and came up with nothing. Imagine that you and I are mining and we've agreed to use the ES "selfish" strategy. When I want to getWork, I have to choose which branch I'm targeting as the parent of whatever block I'm trying to mine (I have to choose which hash to put into my block). But how do I prove this to you? I could send you a commitment to the hash and you could promise to come beat me up after the fact if I lied, but that's outside the stated protocol. In fact, if your model is that you can coerce me to follow your protocol when it's better for me to do something else, then you may as well coerce me to give you all my bitcoins.

Our argument is that the protocol, as stated, is not incentive compatible. That's ironic, because the protocol, as stated, is offered as an argument that Bitcoin is not incentive compatible.

Thinking about this more, I don't understand the importance of your fair-weather mining idea. If the parties collaborating on the ES attack are willing to betray each other, then isn't a much simpler form of betrayal to steal the block that someone else in the group found and claim it for yourself?

Bitcoin attempts to create a protocol that doesn't require trust between parties, but needs to robust against large groups (e.g. blocks of Chinese) who trust each other. So I don't think it's ironic that the ES attack is not incentive compatible, nor do I think it's really a flaw.

You cannot "steal the block". You must commit to the full solution (including who it pays) before testing it.

The reason this doesn't prevent defection is that while you can produce a provable commitment that you're mining with the ES miners in one moment, all other moments you can be defecting and sharing the ES state with your friends.