
Defining and Discussing “Bitcoin Security”

Block Digest Mempool - Medium

There Is No “Network Security”

Human beings love to measure things. Our time, our food, everything. We do it instinctively, it’s how we track what we own and consume and all the other fun things we pay attention to.

Bitcoin security is one of those things we love to measure, but it’s hard to measure something you don’t properly define. Most people, when they think of the “Bitcoin security” provided by miners, think of the security of the entire network as a whole, as if it were a singular thing. “The Bitcoin network as a whole is this secure.” That is not a thing. And I’m not saying that to make some silly pedantic point regarding semantics: that is literally not a thing you can coherently measure as a discrete singular quantity.

Every individual UTXO has its own level of security based on the block it is included in, the difficulty of that block, and the blocks built on top of it. To put it another way, there is no such thing as the level of security of the entire UTXO set. Each UTXO has a different level of security. My UTXO buried under 12,000 blocks of constantly increasing difficulty is more secure than your UTXO just delivered to you from Coinbase under 3 blocks in a single difficulty period. Think about it visually like this:

All numbers here are totally arbitrary, and yes, I am well aware there are more than 11 blocks in a difficulty period. But for the sake of a simple example that doesn’t require me to spend 4 hours counting 2016 squares in an image I create, let’s just suspend disbelief here for a minute. Let’s assign an “energy cost” for the most recent difficulty period, say 5 energy units. Now we can assign a cost of 25 energy units to reorg the 5 blocks back to TX A and undo it. Now again, remembering this is totally arbitrary, let’s say that 5 energy units costs half of a bitcoin. That would mean undoing TX A has a cost of 2.5 bitcoin.

There are two situations where a miner would rationally pay that 2.5 bitcoin and expend 5 energy units to reorg TX A.

  • A miner is the sending party in the transaction, and they sent more than the 2.5 bitcoin necessary to reorg the chain and take back the bitcoin they sent. This nets them a profit of the difference between the money they are “unspending” and the cost to do so in terms of energy units.
  • The fees in the block TX A is confirmed in, plus all the subsequent blocks afterwards to the chain tip, will earn them more in fee income by spending 2.5 bitcoin to mine them than they would earn simply paying 0.5 bitcoin to mine the next block on top of the chain tip.

For TX B, let’s assign an energy cost of 0.4 bitcoin to the difficulty period that it was mined in. This would require 63 units of energy, at a cost of 6.3 bitcoin, to reorg the chain and undo TX B.
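The cost model above, carried through in code. This is an added example, not code from the post or from Block Digest; it uses the post’s own toy numbers (5 energy units per block in the latest difficulty period, 5 units = 0.5 BTC) as constructed sample data, and it only reasons about fee income, as the post does, so the block subsidy is deliberately left out. The two `rational_to_reorg` conditions are the two bullets above; because the cost is evaluated from the confirming block to the tip, the same function also gives the per-UTXO security the previous section describes, for any depth and any per-period energy profile you put into the chain.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed assumption taken from the post: "5 energy units costs half of a bitcoin".
BTC_PER_ENERGY_UNIT = 0.5 / 5


@dataclass(frozen=True)
class Block:
    height: int
    energy_units: float  # energy needed to mine this block at its difficulty
    fees_btc: float      # total fee income available in this block


# Constructed sample chain: TX A confirms in block 101, the tip is block 105,
# every block in this difficulty period costs 5 energy units, fees are modest.
SAMPLE_CHAIN: List[Block] = [Block(h, 5.0, 0.2) for h in range(101, 106)]

# Constructed variant with unusually fee-heavy blocks, to show the second
# condition flipping: the same chain but with 1.0 BTC of fees per block.
FEE_HEAVY_CHAIN: List[Block] = [Block(h, 5.0, 1.0) for h in range(101, 106)]


def blocks_from(chain: List[Block], confirm_height: int) -> List[Block]:
    blocks = [b for b in chain if b.height >= confirm_height]
    if not blocks:
        raise ValueError("confirm_height is above the chain tip")
    return blocks


def reorg_cost(chain: List[Block], confirm_height: int) -> Tuple[float, float]:
    """Energy and BTC an attacker must spend to re-mine every block from the
    one a transaction confirmed in up to the current tip, inclusive.
    The security of a UTXO is exactly this quantity at the UTXO's height."""
    units = sum(b.energy_units for b in blocks_from(chain, confirm_height))
    return units, units * BTC_PER_ENERGY_UNIT


def refund_attack_profit(chain: List[Block], confirm_height: int,
                         amount_sent_btc: float) -> float:
    """First bullet: the attacker is the sender and claws the payment back.
    Profit is the amount 'unspent' minus the energy bill for the reorg."""
    _, cost = reorg_cost(chain, confirm_height)
    return amount_sent_btc - cost


def fee_attack_advantage(chain: List[Block], confirm_height: int,
                         expected_next_block_fees_btc: float) -> float:
    """Second bullet: re-mining old blocks for their fees versus honestly mining
    the next block on the tip. Positive means the reorg pays better (fees only)."""
    blocks = blocks_from(chain, confirm_height)
    _, cost = reorg_cost(chain, confirm_height)
    reorg_net = sum(b.fees_btc for b in blocks) - cost
    honest_net = expected_next_block_fees_btc - chain[-1].energy_units * BTC_PER_ENERGY_UNIT
    return reorg_net - honest_net


def rational_to_reorg(chain: List[Block], confirm_height: int,
                      amount_sent_btc: float = 0.0,
                      expected_next_block_fees_btc: float = 0.0) -> bool:
    """True if either of the post's two rational-attack conditions holds."""
    return (refund_attack_profit(chain, confirm_height, amount_sent_btc) > 0
            or fee_attack_advantage(chain, confirm_height, expected_next_block_fees_btc) > 0)


def security_by_depth(chain: List[Block]) -> Dict[int, float]:
    """Reorg cost in BTC for a UTXO confirmed at each height: deeper is dearer."""
    return {b.height: reorg_cost(chain, b.height)[1] for b in chain}


if __name__ == "__main__":
    for height, cost in security_by_depth(SAMPLE_CHAIN).items():
        print(f"UTXO confirmed at height {height}: {cost:.2f} BTC to undo")
    print("sender paid 3.0 BTC, reorg rational:",
          rational_to_reorg(SAMPLE_CHAIN, 101, amount_sent_btc=3.0))
    print("fee-heavy history, reorg rational:",
          rational_to_reorg(FEE_HEAVY_CHAIN, 101, expected_next_block_fees_btc=0.2))
```

With the post’s numbers, undoing TX A costs 25 units and 2.5 BTC, a sender who paid 3.0 BTC nets 0.5 BTC by reorging while one who paid 2.0 BTC loses, and the fee condition only turns positive when past blocks hold far more fee income than the next expected block.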

And keep in mind, in both cases said miner needs to have a clear majority of hashrate so that by the time they successfully “re-mine” these old blocks the rest of the miners on the network will not have produced a longer chain. So the miner has to have a clear majority of hashrate, not just 51%, but substantially more than that.

The key take away should be though: unless the fees for past blocks are substantially more than the fees for future blocks (including the cost of reorging old blocks versus just mining a new one), or a miner is the sender in a very large transaction worth reorging, there is no rational economic incentive to reorg the blockchain.

There is however a third factor to consider: entities that are not motivated by profit, such as nation states who might want to attack Bitcoin. They might not care at all about the direct cost/profit calculations that other actors would care about when considering whether or not to reorg the blockchain. However, this does not mean that such an actor can just “kill Bitcoin” or undermine the security of the entire network (as I’ve explained above, that is not even a coherent concept). They still have to eventually publish a reorged blockchain. Also, if they want to keep it up persistently, then their operational costs per energy unit will be pushed up higher to the degree that some percentage of miners does not go along with their attack. For instance, if the attackers are half of the miners, then both groups of miners will effectively be paying twice the energy units to ignore the non-compliant miners’ blocks and prevent them from being included in the chain. This doubled energy cost to mine will continue until the non-compliant miners stop mining. (And yes, I know above I said this requires substantially more than half of the hashrate to attack; don’t read into the specific numbers. I’m simply trying to make the dynamics here as intuitive to reason about as possible.) Once the attacker stops spending twice the energy required in a non-hostile environment to stop other miners’ blocks from being included in the blockchain, the increased energy cost of mining will revert to normal.

The economic incentives are different with such a nation state actor, but the reality remains that the security of UTXOs can only be affected by such an attack to the depth that the attacker is able to successfully pull off a reorg. If such an attacker is only able to reorg 6 blocks back in the blockchain, then only UTXOs created in those last 6 blocks from the chain tip are at any security risk due to the attack.

What Is “Bitcoin Security” Miners Provide Defending Against?

I laid out above the basic economic incentives regarding reorgs and the security of UTXOs relating to actors incentivized only by internal profit motivations as well as actors not incentivized by such profit motives, but I laid this out in a vacuum. The factor I did not discuss was the availability of energy units to buy! You can have all the ASICs in the world and they do you no good if you don’t have electricity to operate them.

Let’s say that Bitcoin mining consumes 1 million energy units a year. Let’s also say that human society consumes 1 billion energy units per year for other productive purposes (industry, heating, lighting, water, etc.). I’m betting most of you would think that is wildly insecure, that a nation state could easily attack that. But there’s a third factor here to consider: the amount of wasted energy. Let’s say a nation only had access to 10,000 units of wasted energy a year. That’s nowhere near enough to attack Bitcoin, which is consuming 1 million units a year. You might think “but wait, there’s a billion energy units a year other stuff is using, take that.” Well…that would make it even more expensive than the basic doubling of costs a 51% attack would create. You have to outbid the existing consumers of that energy on top of that doubled cost. That increases the attack cost even more. “But the government can just take it.” How much energy can the government “just take” from other things before people start getting pissed off and creating other problems? Such things start revolutions past a point.

Now the reality is that the wasted energy units available in the real world (in the context of these totally made up arbitrary example numbers) is probably somewhere on the order of tens of millions of wasted energy units. There definitely is, if you had the chips available, enough wasted energy to attack Bitcoin. But more and more honest Bitcoin miners are seeking out these sources of wasted energy because they are just outright cheaper. And some of them, like flared gas from wells, are very distributed as well, so not as easy to exert control over physically.

What’s the point of this section? In discussing nation state attacks honest miners are NOT defending some imaginary or meaningless ratio of energy units spent versus the market capitalization of all bitcoins. They are defending against those units of wasted energy that a malicious actor could potentially hook ASICs up to. Once the majority of that wasted energy is consumed by honest miners (and not enough energy exists that could be diverted without causing social unrest), or even malicious miners that will not cooperate with others to attack but do not make up a large enough percentage of hashrate to attack themselves, then Bitcoin is secure against nation state attacks. There is no requirement to have the energy consumed by miners continue increasing as Bitcoin’s market capitalization does to be hardened against that.

In discussing internal actors with the incentive to reorg based purely off profit motives, the market solves that itself. If an entity expends energy units up to the cost of their expected profit, and does not capture that profit, they will stop. In the case of such an actor trying to capture fees another miner did, there should not be a worry of censorship or of many transactions not being included again: the miner is after the fees. In the case of such an actor trying to wind back a transaction of their own, that affects no one but the receiver of that transaction, and again they have no explicit incentive to specifically undo any other transactions. Transactions large enough that the sender is well capitalized enough to be a miner will naturally lead people to wait for many more confirmations before honoring the other end of such a transaction. The market solves it.

Timelocks, Multisig, And The Incentives There

Hopefully everything I’ve gone over so far is something you knew, or intuited even if you couldn’t properly articulate it, but I’m pretty sure this next section is an aspect of this that many people have not really deeply considered outside of developer circles.

So in the case of a malicious miner trying to wind back their own transaction (or someone bribing a miner to do it for them), there is one requirement that is so obvious that it almost never needs to be said: that party actually has to have the keys to sign a new transaction double spending the money, otherwise the receiver could just rebroadcast the original one.

I hope you see where I’m going with this. :)

Second layers are based on multisig. Lightning is based on n-of-n multisig (100% of participants have to sign for a transaction to be valid), and things like Liquid are based on m-of-n multisig (fewer than 100% of participants have to sign for a transaction to be valid). So in a world where more and more economic activity moves to second layers like Lightning and Liquid (and Statechains, and Channel Factories, and as yet uninvented things), the most basic requirement to even perform such an attack is extremely difficult or literally impossible. For n-of-n protocols, all it takes is a single participant to refuse to sign and a double spending transaction to claw back the money through a reorg cannot even be signed! The attack is just not possible! For m-of-n constructs (which are implicitly based on trusted relationships), you would need (n-m)+1 participants to refuse to sign in order to make the transaction construction impossible. So in a world of individual transactions pushed to second layers, an attacker of this class has to concern themselves with the much deeper buried funding transactions for the multisig, because once those are buried too deep to attack, this class of attack is either outright impossible or absurdly difficult to coordinate without luring people into sybilled and fake federations. Also something to consider: in cooperative situations where funds move from one multisig to another and so on without touching addresses controlled by a single individual, you might never again have a UTXO controlled by one party in a chain of UTXOs with which to pull this attack near the tip of the chain.

Now…timelocks. The other class of attack I went over was pure profit based motives going backwards in the chain to get fees because that is more profitable than progressing the chain forward. Something that a few wallets do today as a very basic response to that potential is to timelock transactions to the next block after the current block height. Second layer protocols like Lightning inherently do this with non-cooperative closures or responses. They literally set up a pre-signed chain of transactions all hitting the chain with staggered timelocks, so they cannot all be included immediately in the next block. These non-cooperative operations guarantee a distribution of some fee income over a smoother range of multiple future blocks instead of all being viable to stuff in the next block if they fit.
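A small simulation of the point above, added here as an example rather than code from the post or from any wallet or Lightning implementation. It models only Bitcoin’s height-based nLockTime rule (a transaction with nLockTime h is final for a block at height H only when h < H; values at or above 500,000,000 are timestamps and are not modelled here, and nSequence-based relative locks and the all-inputs-final shortcut are ignored). The transaction names, fees and tip height are constructed. `fee_schedule` shows the contrast the paragraph draws: an unlocked batch is all available for the very next block, while the same fees behind staggered locktimes can only be collected one future block at a time.

```python
from dataclasses import dataclass
from typing import Dict, List

# Below this value nLockTime is interpreted as a block height (consensus constant).
LOCKTIME_THRESHOLD = 500_000_000


@dataclass(frozen=True)
class PresignedTx:
    name: str       # constructed label, not a real txid
    lock_time: int  # nLockTime fixed when the transaction was signed
    fee_btc: float


# Constructed current chain tip used for the sample.
TIP_HEIGHT = 800_000

# Constructed pre-signed chain: each step is locked to a later height than the last,
# in the spirit of a non-cooperative Lightning close. Locking to the tip height
# itself is the "next block after the current height" trick the post mentions.
STAGGERED: List[PresignedTx] = [
    PresignedTx("step1", TIP_HEIGHT, 0.001),
    PresignedTx("step2", TIP_HEIGHT + 1, 0.001),
    PresignedTx("step3", TIP_HEIGHT + 3, 0.002),
]

# The same fees with no locktime at all (nLockTime 0 is always final).
UNLOCKED: List[PresignedTx] = [PresignedTx(tx.name, 0, tx.fee_btc) for tx in STAGGERED]


def is_final_at(tx: PresignedTx, block_height: int) -> bool:
    """Height-based nLockTime finality for a block at block_height."""
    if tx.lock_time == 0:
        return True
    if tx.lock_time >= LOCKTIME_THRESHOLD:
        raise NotImplementedError("timestamp-based nLockTime is not modelled here")
    return tx.lock_time < block_height


def includable(txs: List[PresignedTx], block_height: int) -> List[PresignedTx]:
    """Transactions a miner could legally include in a block at block_height."""
    return [tx for tx in txs if is_final_at(tx, block_height)]


def earliest_height(tx: PresignedTx, tip_height: int) -> int:
    """First future block that can carry tx, given the current tip."""
    return max(tip_height + 1, tx.lock_time + 1)


def fee_schedule(txs: List[PresignedTx], tip_height: int) -> Dict[int, float]:
    """Fee income per future block if every tx is mined as soon as its locktime
    allows: the 'distribution of fee income over multiple blocks' from the post."""
    schedule: Dict[int, float] = {}
    for tx in txs:
        h = earliest_height(tx, tip_height)
        schedule[h] = schedule.get(h, 0.0) + tx.fee_btc
    return dict(sorted(schedule.items()))


if __name__ == "__main__":
    print("unlocked :", fee_schedule(UNLOCKED, TIP_HEIGHT))
    print("staggered:", fee_schedule(STAGGERED, TIP_HEIGHT))
    for h in range(TIP_HEIGHT + 1, TIP_HEIGHT + 5):
        print(h, [tx.name for tx in includable(STAGGERED, h)])
```

With the constructed numbers the unlocked batch puts all 0.004 BTC into block 800001, while the staggered set spreads it over blocks 800001, 800002 and 800004; a miner eyeing the fee-capture attack from the previous sections has correspondingly less to grab in any single block.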

Conclusion

Many aspects of Bitcoin get modeled on a regular basis, and people look to inform decisions they make around those models. I see nothing wrong with modeling Bitcoin, and attempting to take advantageous action based on modeling. Or using such models to better respond to criticism against Bitcoin, or help people understand it. But those models don’t do much good if they are based on fundamentally flawed premises.

Hopefully I’ve laid out some clearer definitions of how PoW security works and what it is defending against, and also shown how some natural long term dynamics in how second layers interact with the blockchain will, just by existing, help correct some of the incentives to attack the blockchain.

A single transaction being reorged out of the blockchain does not mean Bitcoin is not immutable, that was never the guarantee being made.

Defining and Discussing “Bitcoin Security” was originally published in Block Digest Mempool on Medium, where people are continuing the conversation by highlighting and responding to this story.
