A View from Emerging Technology from the arXiv
Bitcoin Vulnerability Could Allow Malicious Miners to Seize Control
One of Bitcoin’s big advantages is that it is decentralised with nobody in overall control. But now a simple strategy has emerged that could allow almost any group to take over, say computer security analysts.
The digital currency Bitcoin is one of the zeitgeist phenomena of our time. Since 2009, it has grown from a digital curiosity to an online phenomenon. There are now some 11.5 million Bitcoins in circulation and each one is worth over $300.
The Bitcoin system is specifically designed to overcome one of the serious flaws of previous digital currencies—the possibility of double spending; that two people could spend two copies of the same currency at the same time. It is also decentralised so that no single organisation or organised group of individuals can control the currency and prevent certain types of transactions.
But Bitcoin may not be quite as secure as everybody thought. Today, Ittay Eyal and Emin Gun Sirer at Cornell University in Ithaca say they’ve discovered a flaw that allows any organised group of Bitcoin miners to take over the currency. And they say that some groups today are already big enough to do the job.
First some background. Perhaps Bitcoin’s biggest advantage is its unique approach to preventing double spending. It does this by recording every transaction in a single log known as a blockchain. An individual account can only spend a Bitcoin if the blockchain records that it owns the Bitcoin in the first place.
This log is protected by cryptopuzzles that can only be solved by large scale number crunching. When anybody solves such a puzzle, they can record new transactions and are rewarded with a fee in the form of new Bitcoins.
Hence the emergence of Bitcoin miners. These are people who devote computing power to solve cryptopuzzles and are paid for their work in Bitcoins.
If you’re thinking of a career as a Bitcoin miner, you’ll immediately run into a problem. The cryptopuzzles are so difficult that the chances of solving one by yourself is tiny. So Bitcoin miners work together in groups so that they can solve the problems more quickly. If any one of them solves a puzzle, they all share the proceeds.
There are lots of groups to join and there’s no advantage in joining one over another. The received wisdom is that this keeps the mining decentralised.
But now Eyal and Sirer say that’s not true and have worked out how a selfish group of miners could take over the currency. “We show that the conventional wisdom is wrong,” they say.
The trick is to mine for Bitcoins but to keep the results secret. This creates a fork in the blockchain so that one half of the fork is public and the other half is secret.
The Bitcoin system has a way of resolving these kinds of forks, which occur by accident from time to time. It requires miners to join the longest fork. The transactions in the other fork are then resubmitted for resolution.
If the selfish miners make their fork longer than the public one, it becomes the chosen chain.
The problem is that the number crunching done on the fork that is abandoned is wasted. So the selfish miners end up getting more than their fair share of Bitcoins. This “enables pools of colluding miners that adopt it to earn revenues in excess of their mining power,” say Eyal and Sirer.
Having skewed the system in favour of selfish miners, other miners see that they can make more Bitcoins by joining this group. The result is a tipping point in which the Bitcoin mining system suddenly becomes dominated by a single group. And this group can exercise whatever control it likes over how transactions are recorded.
Of course, selfish mining only reaches a tipping point if the selfish group consists of a certain fraction of Bitcoin miners. Groups that are smaller than this cannot force the system to tip.
The key result that Eyal and Sirer have calculated is that the tipping threshold is close to zero zero. So almost any group could adopt the selfish mining strategy and end up controlling the system.
Eyal and Sirer have a solution of sorts. This involves a changing the system so that it chooses one fork over another at random (rather than choosing the loner one). When this choice is random, then it is harder for the selfish miners to take control.
But not that much harder. Eyal and Sirer calculate that this raises the tipping threshold to groups that control around 25 per cent of all Bitcoin mining. “Even with our proposed fix that raises the threshold to 25 per cent, the outlook is bleak: there already exist pools whose mining power exceeds the 25%,” they point out.
There is another possible solution—that miners themselves will stop groups becoming too big. “Miners should break off from large pools until no pool exceeds the threshold size, and so no pool can benefit from the Selfish-Mine strategy,” they suggest.
It’s possible that the altruistic instincts of Bitcoin miners could prevent the nightmare scenario of the system being taken over. But whether that will trump the selfish instincts of malicious miners remains to be seen.
Either way, an interesting battle looms ahead.
Ref: arxiv.org/abs/1311.0243: Majority is not Enough: Bitcoin Mining is Vulnerable
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today