The article makes a pretty interesting point: Bitcoin's version of proof of work can be delegated, which makes mining pools possible. An alternative design could ensure that the task to solve is designed so that miners and pool could not trust each other, thus ensuring that pools do not exist.
It seems like this is a pretty big flaw in how Bitcoin is designed, as its security relies on miners remaining independent.
It's pretty easy to break delegation, but the cure is worse than the illness— to reduce mining variance there you must use hosted mining, where miners have even less control (absent more fixes…). GHash.IO is substantially hosted mining in any case.
Really the more important point to note is that pooling for variance reduction has absolutely nothing to do with delegating control. Running a outbound only bitcoin full node, past initial syncup uses less than 20kbit/sec bandwith and a fraction of a percent of cpu... it's not costly to do, purposefully so.
It's perfectly possible to individually run your own consensus decisions but agree with others to, in a provable way, pool your payments. This is what P2Pool does.
Unfortunately many Bitcoin miners don't have a rigorous mathematical understanding of how mining works— they erroneously believe it to be a race where the fastest wins disproportionally— something entirely untrue (absent some proposed attacks which are not happening in practice)... just keeping yourself from getting scammed by the many scammy hardware companies is basically a full time job itself. Then you have various technically unsophisticated Bitcoin pundits claiming that hashpower consolidations in pools isn't something to worry about... not a great mix.
Fortunately, the reasons for the current behavior are mostly inertia— if P2Pool had been invented first the symmetry would have broken differently. It's still possible that there might be a massive swing (say if GHash.io decides to steal a bunch of coins from their miners and makes a runner).
This is the same panic-prone author (@el33th4xor) who, in early November 2013 with Bitcoin at about $220, wrote "@el33th4xor: You heard it here first: now is a good time to sell your Bitcoins" (https://twitter.com/el33th4xor/status/397219415025934336)
This was just before releasing some research that he thought would cause a confidence collapse. (That is, his prediction was almost self-consciously attempting market-manipulation.) In fact, the paper just formalized some concerns discussed in the mining community for years.
So then, rather than collapsing, Bitcoin went on an epic rally, and hasn't been below $339 since the same week of that doomsaying prediction.
There is certainly danger in one entity controlling 51% of the hashing power. But everyone's known this risk, as one of the design assumptions of the system, from the beginning... and also seen the tipping point approach/recede/approach repeatedly. And also, the "Bitcoin lunatic fringe", who this author mocks, has so far been right about the pool(s) attaining such power refraining from taking destructive (and self-bankrupting) next steps.
So: focused concern, yes. But @el33th4xor-style panic, no.
Further, any 'hard fork' (or forks) that were to remedy pool issues, using the "well-known" techniques referenced, would almost certainly retain some continuity with prior key balances. That is: imagine the most destructive transition possible. A total civil war between mining pools. Irreconcilable dissension in the core team (or offshoots thereof). Collapse of the Bitcoin price to values of 1-2 years ago. Still, at the end of that process, there are one or more "offshoot" chains, adopting the Bitcoin history as their own, patched and stronger than before, with pre-crisis Bitcoin balances intact.
(That is: a 51% cartel may not be actually "good" news... but it is survivable and perhaps even necessary.)
So if you like to try to trade in and out of predicted market panics, like @el33th4xor, maybe there are some trading plays here. But if you just like cryptocurrency for the long haul, keep your Bitcoin private keys (end eyes) safe & dry, and trust evolution. There are enough smart, well-funded, and relatively cool heads involved that @el33th4xor's predictions are just a car alarm going off in the night, whether the car is actually at risk or not.
>the "Bitcoin lunatic fringe" this author mocks has been right about the pool(s) having such power refraining from destructive (and self-bankrupting) next steps.
No. The Bitcoin lunatic fringe was adamant that no pool would willingly cross the 50% boundary.
That just happened. Models and reasoning based on "no rational miner would do X" are clearly flawed, partly because the miners may not be rational, or partly because they are rational within a time-frame not modeled. In any case, people who reasoned like you have now been shown conclusively to have the model wrong.
This is an opportunity to fix the protocol, not shill for the price, and certainly not to engage in ad hominems.
If you really want to scare some people you should point out that this is happening as we get ready for the US Marshal BTC auction, and could be related. I would be very reluctant to put 1.5M into BTC right now.
> Like IPv4, the "experiment" has grown so large that it may be impossible to get consensus on any non-backwards-compatible change.
How is that an accurate description of IPv4 at all? IPv6 has made monumental progress[0] in a relatively short time (yes, for what we're talking about, it's only been a short amount of time).
I'm not sure this is true, regardless of how large Bitcoin grows to be. If a significant enough problem were discovered, wouldn't it be in everyone's best interest to protect the value of their wallets by accepting a forked blockchain?
I was under the impression that the mining percentage would give you the same percentage chance to cook the books. 51% means you are more likely to succeed than fail in an attempt. Much like buying 51 percent of lottery tickets gives you a slightly better than even chance of winning the big prize.
in that respect, wouldn't 51% be only marginally different to 49%. Both would be a bit of a concern, but neither would be the "position to exercise complete control over which transactions appear on the blockchain" that this article refers to.
Is there some mechanism I'm missing that makes 51% be vastly more powerful than 49%?
No, 51% is vastly more powerful than 49%. With 51%, you essentially control the entire Blockchain because you can always create a new Blockchain that would be accepted by the network, given enough time. Always.
With 49%, you can only get away with it a few times, and it's less likely you will mine the next 6 blocks.
Essentially, as time progresses, with 49% you lose out, with 51%, you keep winning.
An attacker that controls more than 50% of the network's computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to:
Reverse transactions that he sends while he's in control. This has the potential to double-spend transactions that previously had already been seen in the block chain.
Prevent some or all transactions from gaining any confirmations
Prevent some or all other miners from mining any valid blocks
The attacker can't:
Reverse other people's transactions
Prevent transactions from being sent at all (they'll show as 0/unconfirmed)
Change the number of coins generated per block
Create coins out of thin air
Send coins that never belonged to him
The bitcoin protocol defines the longest chain as the correct/canonical chain.
At 51% you have more hashing power than the rest of the network combined, so you can start mining blocks on your own and create your own chain with the knowledge that eventually your chain will be longer than the 49% chain everyone else is working on. When that happens, the 49% will abandon their chain and start working on yours.
In the previous crisis it was all based on trust ("it was just a bad player, trust will return to the market"). Now we've a doomsday scenario and what seems a serious flaw in Bitcoin.
You're assuming that someone with a significant investment in the space would act dishonestly. That's the only reason BTC fails as the result of something like this. Seem like MAD to me, if they were to act dishonestly they would destroy their own investment and profit potential.
I don't know why you're suggesting anything along those lines, it doesn't look like the author's link to a method to stop pool mining has anything to do with restrictions like that. It seems instead the author links to a post about allowing arbitrary participants in a pool to steal the entirety of the mining reward. Thus, there would be no incentive for individuals to participate in a pool: whoever finds the solution could take the entirety of the reward.
That's not the kind of restriction that stops pool mining. The trick is to enable the pool members to steal the blocks they discover. Andrew Miller, a grad student at UMD, has an ingenious scheme for doing this. I am pretty sure I put the link in the article, under the first bullet in the "What to Do Now" section.
That wouldn't work either. Even if to make it so every 3 blocks can be rewarded to an address (let's say), then you can simply write your own wallet that will use randomized addresses and simply forward their reward to the pool's wallet, which then distributes to the "real wallets".
The only way you can truly prevent pools from taking over is create a system of authentication that'll destroy anonymity.
A hard fork would be just as devastating as a 51% attack. The author is way over-reacting here. In fact, it looks like GHash is down to 45% and dropping — BitFury just left, and Petamine is considering leaving too: http://www.coindesk.com/bitfury-pulls-power-ghash-community-...
Another solution: assuming as the article claims that GHash grew to it's current size because it had 0% fees. Other pools can respond by lowering their fees or introduce negative ones. I.e. they pay miners to join the pool. Or have fees but introduce a lottery system that randomly overpays members.
IANABME[1], but it seems that a solution already exists to this problem, which is to use a decentralized mining pool. The unfortunate fact is that we're in a time window right now where large miners have not yet transitioned to this ideal solution.
However, any miner in the long run would prefer to join a mining pool that does not require trusting some pool operator over one that does, all other things being equal.
Yes, the current situation is dangerous for the health of bitcoin, but I don't see any solution besides waiting for distributed, trustless pool technology to catch up in terms of usability with the centralized pools.
This problem isn't going to be solved by a hard fork, as any "fixes" done this way are untested, incomplete, and risky.
The argument in that counterpoint seems to be as follows:
1. Assume that selfish mining doesn't work.
2. Because selfish mining doesn't work there will be fair weather miners who will only mine on whichever chain is furthest ahead, defaulting to the public chain in the case of a tie.
3. Since the selfish mining pool won't be ahead all the time nobody will mine for it.
Is a "hard fork" really necessary? BTC miners can all just adopt a new version. What's concerning is that the 51% attack has been known since the beginning and the community never addressed it and seemed to irrationally dismiss it. The current response is that GHash is removing processing power, but how is that a good long-term solution? The BTC community should be demanding and supporting technical fixes.
Also it's too bad that BTC is blinding everyone to a variety of other crypto-currencies that have improved features.
This article feels sensational, but I would say accurately reflects a large portion of the communities feelings.
Great accompaniment is from Peter Todd (Coinkite adviser, respected dev) who announced this AM he is selling 50% of his holdings in bitcoin until this is resolved
This article would be decent if they ditched the hyperbole. Like it or not, this is not Armageddon for Bitcoin - the network is still functioning as intended.
Can't bitcoin simply require agreement from more than one author of a blockchain? For example do not allow the same entity to sign the blockchain for two consecutive blocks. This would require defining what constitutes a single entity though. How do we define it when talking about mining pools? Can't we have alliances of pools already have reached 51% long ago and colluded "as one strategy"?
In less sensational terms: The biggest pool got too big. Members (BitFury) react by shrinking it back. Community is aware of the problem, solution will probably be coming soon.
Anyway, stay tuned and don't miss the next iteration of 'We are all doomed!!1' by the two muppet academics. To be published shortly after a solution gets deployed. Or earlier.
Proof of work can't be decentralized because it has almost infinite economies of scale - starting from the production of asics, and ending at mining farm cooling.
It doesn't matter what you change, at the end, you're going to be left with one mining farm.
>GHash [...] just reached 51% of total network mining power today.
Is this official? Seems somewhat surreal...
Not really invested in this but at the very least I'd expect some posts along the lines of "Pool X is fast approaching 50%...BTC in danger". Not "51%...game over".
FYI, GHash.io is a Ukrainian company. As you know, the country is a mess now and there's an ongoing civil war. Just sayin'! (See, I didn't even mention that most black hat hackers come from that part of World.)
[+] [-] a3_nm|11 years ago|reply
It seems like this is a pretty big flaw in how Bitcoin is designed, as its security relies on miners remaining independent.
[+] [-] nullc|11 years ago|reply
Really the more important point to note is that pooling for variance reduction has absolutely nothing to do with delegating control. Running a outbound only bitcoin full node, past initial syncup uses less than 20kbit/sec bandwith and a fraction of a percent of cpu... it's not costly to do, purposefully so.
It's perfectly possible to individually run your own consensus decisions but agree with others to, in a provable way, pool your payments. This is what P2Pool does.
Unfortunately many Bitcoin miners don't have a rigorous mathematical understanding of how mining works— they erroneously believe it to be a race where the fastest wins disproportionally— something entirely untrue (absent some proposed attacks which are not happening in practice)... just keeping yourself from getting scammed by the many scammy hardware companies is basically a full time job itself. Then you have various technically unsophisticated Bitcoin pundits claiming that hashpower consolidations in pools isn't something to worry about... not a great mix.
Fortunately, the reasons for the current behavior are mostly inertia— if P2Pool had been invented first the symmetry would have broken differently. It's still possible that there might be a massive swing (say if GHash.io decides to steal a bunch of coins from their miners and makes a runner).
[+] [-] gojomo|11 years ago|reply
This was just before releasing some research that he thought would cause a confidence collapse. (That is, his prediction was almost self-consciously attempting market-manipulation.) In fact, the paper just formalized some concerns discussed in the mining community for years.
So then, rather than collapsing, Bitcoin went on an epic rally, and hasn't been below $339 since the same week of that doomsaying prediction.
There is certainly danger in one entity controlling 51% of the hashing power. But everyone's known this risk, as one of the design assumptions of the system, from the beginning... and also seen the tipping point approach/recede/approach repeatedly. And also, the "Bitcoin lunatic fringe", who this author mocks, has so far been right about the pool(s) attaining such power refraining from taking destructive (and self-bankrupting) next steps.
So: focused concern, yes. But @el33th4xor-style panic, no.
Further, any 'hard fork' (or forks) that were to remedy pool issues, using the "well-known" techniques referenced, would almost certainly retain some continuity with prior key balances. That is: imagine the most destructive transition possible. A total civil war between mining pools. Irreconcilable dissension in the core team (or offshoots thereof). Collapse of the Bitcoin price to values of 1-2 years ago. Still, at the end of that process, there are one or more "offshoot" chains, adopting the Bitcoin history as their own, patched and stronger than before, with pre-crisis Bitcoin balances intact.
(That is: a 51% cartel may not be actually "good" news... but it is survivable and perhaps even necessary.)
So if you like to try to trade in and out of predicted market panics, like @el33th4xor, maybe there are some trading plays here. But if you just like cryptocurrency for the long haul, keep your Bitcoin private keys (end eyes) safe & dry, and trust evolution. There are enough smart, well-funded, and relatively cool heads involved that @el33th4xor's predictions are just a car alarm going off in the night, whether the car is actually at risk or not.
[+] [-] emin-gun-sirer|11 years ago|reply
>In fact, the paper just formalized some concerns discussed in the mining community for years.
This is false. Discussed here: http://hackingdistributed.com/2013/11/09/no-you-dint/
>the "Bitcoin lunatic fringe" this author mocks has been right about the pool(s) having such power refraining from destructive (and self-bankrupting) next steps.
No. The Bitcoin lunatic fringe was adamant that no pool would willingly cross the 50% boundary.
That just happened. Models and reasoning based on "no rational miner would do X" are clearly flawed, partly because the miners may not be rational, or partly because they are rational within a time-frame not modeled. In any case, people who reasoned like you have now been shown conclusively to have the model wrong.
This is an opportunity to fix the protocol, not shill for the price, and certainly not to engage in ad hominems.
Cheers.
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] chrisBob|11 years ago|reply
[+] [-] wmf|11 years ago|reply
[+] [-] chimeracoder|11 years ago|reply
How is that an accurate description of IPv4 at all? IPv6 has made monumental progress[0] in a relatively short time (yes, for what we're talking about, it's only been a short amount of time).
[0] https://www.google.com/intl/en/ipv6/statistics.html
[+] [-] cdh|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] Lerc|11 years ago|reply
in that respect, wouldn't 51% be only marginally different to 49%. Both would be a bit of a concern, but neither would be the "position to exercise complete control over which transactions appear on the blockchain" that this article refers to.
Is there some mechanism I'm missing that makes 51% be vastly more powerful than 49%?
[+] [-] tinkerrr|11 years ago|reply
Essentially, as time progresses, with 49% you lose out, with 51%, you keep winning.
[+] [-] aosmith|11 years ago|reply
An attacker that controls more than 50% of the network's computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to:
The attacker can't:[+] [-] dmclain|11 years ago|reply
At 51% you have more hashing power than the rest of the network combined, so you can start mining blocks on your own and create your own chain with the knowledge that eventually your chain will be longer than the 49% chain everyone else is working on. When that happens, the 49% will abandon their chain and start working on yours.
[+] [-] gtirloni|11 years ago|reply
In the previous crisis it was all based on trust ("it was just a bad player, trust will return to the market"). Now we've a doomsday scenario and what seems a serious flaw in Bitcoin.
Feels like a chapter out of The Foundation books.
[+] [-] platz|11 years ago|reply
[+] [-] sillysaurus3|11 years ago|reply
[+] [-] dragontamer|11 years ago|reply
[+] [-] aosmith|11 years ago|reply
[+] [-] imaginenore|11 years ago|reply
Let's say you implement a restriction like "5 blocks in a row max for a given pool". GHash can split into GhashA and GhashB, and keep going.
[+] [-] AaronFriel|11 years ago|reply
This kills the GHashA.
[+] [-] emin-gun-sirer|11 years ago|reply
[+] [-] Afforess|11 years ago|reply
[+] [-] valarauca1|11 years ago|reply
The only way you can truly prevent pools from taking over is create a system of authentication that'll destroy anonymity.
[+] [-] jayd3e|11 years ago|reply
[+] [-] bobbygoodlatte|11 years ago|reply
[+] [-] sexmonad|11 years ago|reply
[+] [-] srobertson|11 years ago|reply
[+] [-] drcode|11 years ago|reply
However, any miner in the long run would prefer to join a mining pool that does not require trusting some pool operator over one that does, all other things being equal.
Yes, the current situation is dangerous for the health of bitcoin, but I don't see any solution besides waiting for distributed, trustless pool technology to catch up in terms of usability with the centralized pools.
This problem isn't going to be solved by a hard fork, as any "fixes" done this way are untested, incomplete, and risky.
[1] I am not a bitcoin mining expert
[+] [-] wmf|11 years ago|reply
[+] [-] JacobEdelman|11 years ago|reply
[+] [-] emin-gun-sirer|11 years ago|reply
Explained here: http://hackingdistributed.com/2013/11/08/fairweather-mining/
[+] [-] travisb|11 years ago|reply
1. Assume that selfish mining doesn't work.
2. Because selfish mining doesn't work there will be fair weather miners who will only mine on whichever chain is furthest ahead, defaulting to the public chain in the case of a tie.
3. Since the selfish mining pool won't be ahead all the time nobody will mine for it.
4. Therefore selfish mining doesn't work.
It's not what I'd term a strong rebuttal.
[+] [-] logn|11 years ago|reply
Also it's too bad that BTC is blinding everyone to a variety of other crypto-currencies that have improved features.
[+] [-] aresant|11 years ago|reply
Great accompaniment is from Peter Todd (Coinkite adviser, respected dev) who announced this AM he is selling 50% of his holdings in bitcoin until this is resolved
http://www.reddit.com/r/Bitcoin/comments/281ftd/why_i_just_s...
[+] [-] c0ldfusi0nz|11 years ago|reply
[+] [-] EGreg|11 years ago|reply
[+] [-] moe|11 years ago|reply
Anyway, stay tuned and don't miss the next iteration of 'We are all doomed!!1' by the two muppet academics. To be published shortly after a solution gets deployed. Or earlier.
[+] [-] conroe64|11 years ago|reply
http://www.coindesk.com/bitfury-pulls-power-ghash-community-... https://blockchain.info/pools
[+] [-] duckingtest|11 years ago|reply
[+] [-] Havoc|11 years ago|reply
Is this official? Seems somewhat surreal...
Not really invested in this but at the very least I'd expect some posts along the lines of "Pool X is fast approaching 50%...BTC in danger". Not "51%...game over".
[+] [-] supergauntlet|11 years ago|reply
[+] [-] kolev|11 years ago|reply
[+] [-] sillysaurus3|11 years ago|reply