In the wake of the publication of a new academic paper that says there is a fundamental flaw in the Bitcoin protocol that could allow a small cartel of participants to become powerful enough that it could take over the mining process and gather a disproportionate amount of the value in the system, researchers are debating the potential value of the attack and whether it’s actually practical in the real world. The paper, published this week by researchers at Cornell University, claims that Bitcoin is broken, but critics say there’s a foundational flaw in the paper’s assertions.

Bitcoin is a decentralized cryptocurrency that depends upon the honesty of its users to publish each of their transactions in a central, public ledger. The Cornell paper, written by Ittay Eyal and Emin Gun Sirer, says that if a group controls one third of the Bitcoin mining resources, it can then begin mining “selfishly” mine blocks and keep them secret from the rest of the miners. Then, when the chain that this group has mined is longer than the public one, it can publish its chain and have the authoritative one, since Bitcoin will always ignore the shorter block chain when there’s a fork.

“Ittay Eyal and I outline an attack by which a minority group of miners can obtain revenues in excess of their fair share, and grow in number until they reach a majority. When this point is reached, the Bitcoin value-proposition collapses: the currency comes under the control of a single entity; it is no longer decentralized; the controlling entity can determine who participates in mining and which transactions are committed, and can even roll back transactions at will. This snowball scenario does not require an ill-intentioned Bond-style villain to launch; it can take place as the collaborative result of people trying to earn a bit more money for their mining efforts,” the researchers wrote in a blog post on their paper.

“Conventional wisdom has long asserted that Bitcoin is secure against groups of colluding miners as long as the majority of the miners are honest (by honest, we mean that they dutifully obey the protocol as proscribed by pseudonymous Nakamoto). Our work shows that this assertion is wrong. We show that, at the moment, any group of nodes employing our attack will succeed in earning an income above their fair share. We also show a new bound that invalidates the honest majority claim: under the best of circumstances, at least 2/3rds of the participating nodes have to be honest to protect against our attack. But achieving this 2/3 bound is going to be difficult in practice.”

The idea of a majority of Bitcoin miners joining together to dominate the system isn’t new, but the Cornell researchers say that a smaller pool of one third of the miners could achieve the same result, and that once they have, there would be a snowball effect with other miners joining this cartel to increase their own piece of the pie. However, other researchers have taken issue with this analysis, saying that it wouldn’t hold together in the real world.

“The most serious flaw, perhaps, is that, contrary to their claims, a coalition of ES-miners [selfish miners] would not be stable, because members of the coalition would have an incentive to cheat on their coalition partners, by using a strategy that I’ll call fair-weather mining,” Ed Felten, a professor of computer science and public affairs at Princeton University and director of the Center for Information Technology Policy, wrote in an analysis of the paper.

“Recall that in the ES attack, a team of ES-miners is racing against a team of ordinary miners, to see who can create a longer block chain. A fair-weather miner pretends to be part of the coalition of ES-miners, but in fact secretly switches teams so that mines for the ES-mining team if that team is ahead in the race, and it mines for the ordinary mining team otherwise. It turns out that every block that the fair-weather miner creates is guaranteed to end up on the winning chain. So the fair-weather miner does better (i.e. gets a better reward) than it could get by playing exclusively on either team.”

However, many Bitcoin miners collaborate in pools or guilds that share resources and rewards. Those groups sometimes require that their users produce some of the work that they’ve done in order to prove that they’re actually participating in the mining and should get some of the eventual Bitcoin rewards. That integrity check could mitigate against the potential emergence of the fair-weather miners.

Matthew Green, a cryptographer and research professor at Johns Hopkins University, said that the Cornell paper raises some interesting points but that it’s difficult to know how real-world Bitcoin users would act if such a cartel ever emerged.

“Ed takes aim at this conclusion by pointing out that these coalitions won’t be stable. In real life, self-interested individual miners will hop back and forth between selfish and honest mining to suit their own purposes. That hopping acts as a buffer against further snowballing,” Green said by email.

“I’m very much looking forward to hearing the authors’ response. I think they both have good points, but they’re both working with simplified models of the real world. What I will say is that Bitcoin isn’t so easy to model. For one thing, it’s not really collection of rational nodes working in their own self interest. In fact, Bitcoin today is largely run by people contributing free labor without compensation — storing the block chain, routing transactions, etc. A truly self interested collection of nodes would act very differently. So these results are unlikely to mean much today.”

In the end, Green said, more analysis is needed of the Bitcoin system and the potential vulnerabilities that may lie within it.

“I think it’s fantastic that researchers are finally analyzing Bitcoin as a system. That doesn’t mean we’re likely to see practical attacks anytime soon,” Green said. “The fact that Bitcoin works is pretty amazing. We shouldn’t be surprised if there are a few kinks to work out.”

Although the technology underlying Bitcoin is vital, there a number of other factors that could contribute to problems with the system.

“As with any other scientific research, the one on the alleged Bitcoin flaw has to be reviewed and analyzed by the community. But we already see that the nature of this ‘vulnerability’ lies in the field of economics rather than computer technology. Even if some group of people (or, more likely, a powerful government entity with almost infinite computing power) could gain a certain amount of control over Bitcoin mining process, that would not necessarily mean the demise and fall of the digital currency,” said Sergey Lozhkin, Senior Security Researcher at Kaspersky Lab.

Image from Flickr images of BTC Keychain.

Categories: Cryptography, Hacks

Comments (2)

  1. steve
    1

    I take issue with Ed Felton’s criticism. It is not a fair criticism to say “people will not do this.” A vulnerability is a vulnerability regardless of a motive to exploit you or I can understand.

    • Jonas Lihnell
      2

      This is only a vulnurability if it could actually be used to game the system, and as the so called vulnurability describes it is only feasable if a large enough population of miners are purely selfish. The reason this is so easily dismissed as a vulnurability is because the so-called vulnurability has, in itself, flaws with it’s basic assumptions. Purely selfish nodes would gain more from cheating the selfish collective and as such the collective wouldnt be stable enough to grow to the sizes that is required in order to get the gain in the first place.

      To go further, starting and running a pool that attempts to use this so-called vulnurability will put the miners that join it at risk on multiple levels, not only would they risk cheating eachother, they would risk losing their mining profit altogether by chance and they would undermine the basis of trust which gives their rewards value. Over time as miners accumulate value, the loss of faith becomes more tangible to their investment than the increase in gain they could ever have achieved by doing selfish mining.

      Finally, the only thing in this so-called vulnurability to be even slightly afraid of would be if were able to grow to a large enough size to be able to execute double-spend attacks and maintain their pool population to continously do so.

      The paper is a techinical description of a “what-if” scenario that entirely removes the speculative nature of an investment while seemingly depend entirely on that speculation to be the driving force behind the issue.

      This is not reality. Not by a long shot.

Comments are closed.