Academics Spy Weaknesses in Bitcoin’s Foundations
Game theory suggests the rules governing Bitcoin may need to be updated if the currency is to endure.
Bitcoin’s rise could lead to changes in the technology of payments and finance.
One thing cannot be disputed about the person (or persons) responsible for creating Bitcoin: they were skilled in math, and expert at coding. Five years after the Bitcoin software was first released, no major fixes have been needed to the core code, which uses cryptography to generate and transfer virtual money.
Yet signs are emerging of more subtle flaws in the vision of Satoshi Nakamoto (which may or may not be a pseudonym), with analysis suggesting the rules governing how Bitcoin operates as a currency may be far from perfect. Some researchers claim that these rules leave room for cheats to destabilize Bitcoin. Others have concluded that major changes to the currency’s rules will be needed as the number of bitcoins in circulation increases.
“In the real world, people don’t always follow the rules—they do what’s best for them,” says Joshua Kroll, a researcher at Princeton. “Understanding this is the key to understanding whether and how Bitcoin survives—it tells you whether the system can last for a long time, [and] how robust is it in the face of shocks.”
Kroll and others are exploring possible problems using game theory, a way to mathematically calculate how individuals might choose to coӧperate, compete, or cheat given the options available to them and the strategies of others.
One conclusion drawn by Kroll and his Princeton colleagues Ian Davey and Ed Felten is that those rules will have to be significantly changed if Bitcoin is to last. Their models predict that interest in “mining” for bitcoins, by downloading and running the Bitcoin software, will drop off as the number in circulation grows toward the cap of 21 million set by Nakamoto. This would be a problem because computers running the mining software also maintain the ledger of transactions, known as the blockchain, that records and guarantees bitcoin transactions (see “What Bitcoin Is and Why It Matters”).
Miners earn newly minted bitcoins for adding new sections to the blockchain. But the amount awarded for adding a section is periodically halved so that the total number of bitcoins in circulation never exceeds 21 million (the reward last halved in 2012 and is set to do so again in 2016). Transaction fees paid to miners for helping verify transfers are supposed to make up for that loss of income. But fees are currently negligible, and the Princeton analysis predicts that under the existing rules these fees won’t become significant enough to make mining worth doing in the absence of freshly minted bitcoins.
The only solution Kroll sees is to rewrite the rules of the currency. “It would need some kind of governance structure that agreed to have a kind of tax on transactions or not to limit the number of bitcoins created,” he says. “We expect both mechanisms to come into play.”
That kind of approach is common in established economies, which tame things like insider trading with laws and regulatory agencies and have central banks to shape economies. But many backers of Bitcoin prize the way it currently operates without centralized control, and would likely rebel at any suggestion of changing the rules.
Researchers from Cornell claim to have found another problem with bitcoin mining. At the Financial Cryptography conference this month, they presented work suggesting that so-called “selfish miners” could exploit the current rules to gain more than a fair reward for their work.
Bitcoin miners run software that races to solve a mathematical puzzle and thereby add the next section to the blockchain, netting the reward that comes with it. Under the selfish-mining strategy, a mining operation would refrain from announcing it had completed the next new block, shunning the reward in an attempt to get a head start on the competition on the following block.
The Cornell analysis shows that although selfish miners do worse initially, the strategy can pay off over time by causing honest miners to waste time on puzzles that are irrelevant. The strategy does, however, depend on having a significant share of the overall computing power of all bitcoin miners.
“If your mining power is more than a third of the system total, this always works,” says Ittay Eyal, who did the research with colleague Emin Gün Sirer. “You may be able to do it with much less,” Eyal adds.
Eyal proposes a modification to the mining protocol that would ensure that only someone controlling at least a quarter of all mining power could profit from selfish mining, and says the Bitcoin community should also make efforts to limit the power of mining operations.
The selfish-mining theory has been controversial in the Bitcoin community and academia, with some claiming it wouldn’t work. But the idea of somehow reducing the influence of the largest mining operations has wide support. It has long been known that a miner controlling 51 percent of all bitcoin mining power could tamper with the blockchain to do things like spend bitcoins twice.
That threat began to feel genuine in January this year when the G.Hash mining group from China grew to control 41 percent of the network’s power, before backing off in the face of outcry. Nonetheless, the dominance of a handful of large mining operations suggests a 51 percent attack remains possible, whether from one growing or two colluding. G.Hash now controls 29 percent of the network’s power, with the next three largest controlling a further 42 percent between them.
One other reason to reduce the dominance of large mining ventures is that their size seems to encourage the use of denial of service attacks, says Benjamin Johnson, a researcher at the University of California, Berkeley. He was lead author on a paper at the Financial Cryptography conference that used game theory to show that it makes sense for smaller miners to boost their own success by preventing large miners from operating rather than investing in more mining power, and that the incentive disappears if mining is not dominated by a handful of large players.
Another paper presented at the conference reported that 63 percent of large mining pools had been attacked, compared to only 17 percent of small ones. “This argues that way before a pool reaches the 51 percent threshold, it creates unhelpful incentives,” says Johnson.
Johnson says the Bitcoin Foundation, a nonprofit created to standardize and promote Bitcoin, and the people maintaining the Bitcoin software have shown interest in his work and that of others probing the currency’s design. “They’re really invested in making sure this protocol works and doesn’t fail due to some economically motivated attack strategy.”
Gavin Andresen, chief scientist for the foundation, and leader of the group that maintains the Bitcoin software, says he would welcome closer ties with academic researchers as a way to keep track of potential problems. “Security is a process; it is never done,” says Andresen. “There are always new threats.”
Andresen will speak at a conference in Princeton this week intended to foster such collaboration. “I’m looking forward to making deeper connections with the academic community,” he says.
Identifying problems in the Bitcoin protocol and possible fixes will be easier than implementing them, though. Although the growth of Bitcoin businesses has diluted the anti-government feeling that motivated many of the earliest adopters (see “Bitcoin Hits the Big Time”), making major changes to the basic rules of how the currency works is likely to meet stiff resistance.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today