Author: Hasu, James Prestwich, Brandon Curtis
Translation: Harry Zhang
Source: Encrypted Valley
An application or protocol is secure if it can achieve its goals in an adversarial environment. In BTC's case, the goal is a payment system that anyone can participate in, in which only the legitimate owners can spend coins and every valid transaction is eventually recorded in a distributed ledger.
In its first decade of existence, BTC has achieved these security properties in practice. At the same time, however, the academic community has largely failed to reproduce BTC's stability in its research models, leading to arguments such as "BTC is secure in practice, but not in theory." This paper aims to bridge the gap between theory and practice by introducing a security model for BTC.
We believe that BTC can now withstand strong attacks because miners' incentives have remained aligned with the health of the system for a long time. Mining requires a large upfront investment whose value is closely tied to the health of the network. In effect, miners have bought in advance half of all the coins they expect to mine over the next two years. Until miners receive those coins, anything that damages the value of the coin is extremely destructive to them, which explains why many of the attacks scholars worry about do not work in practice.
On the other hand, the greatest threat to BTC's security lies in the protocol itself rather than in external attackers. BTC's block reward halving schedule will weaken the binding between the network and miners' interests. Without a booming market for block space, the decline of the block reward poses a major threat to the future, and users cannot compensate for it simply by waiting for more block confirmations.
Finally, we offer new ideas, including some suggestions for improvement for the community to discuss.
This article was originally published in October of this year. It is the joint work of Hasu, James Prestwich and Brandon Curtis and draws on existing research by Nick Szabo and Emin Gün Sirer. Encrypted Valley has compiled this article for professional investors and technology enthusiasts. Because of the length of the full text (close to 16,000 words), it is published in three installments; this is the second. See the previous installment:
Depth | Block rewards are about to be halved: is BTC still safe? (Part 1)
Next, we want to explore how the most important known attacks on the BTC system play out under our model.
To a large extent, the attacks possible against the BTC network depend on how much hash power the attacker controls. In theory, a miner with only 30% of total hash power can already profit from selfish mining or stubborn mining: instead of broadcasting a block as soon as he finds it, he secretly mines the next block on top of it, wasting his competitors' hash power and earning more than he would by mining honestly.
But as far as we know, these strategies have not appeared on the BTC network so far. Our model explains why: miners are unlikely to adopt a strategy that reduces public trust in BTC, because even a small price drop would hurt miners' own interests far more than the MEV they hope to capture.
Research data support this theory. In 2014, the GHash.io pool's hash power fluctuated around 50% of total network hash power. The pool attracted large numbers of miners with policies such as zero pool fees, and was even suspected of acquiring the popular betting site BetCoin Dice at an inflated price. As news of the pool's concentration spread through the BTC community, confidence in the system was shaken, and several prominent figures publicly sold some of their BTC. Miners then began leaving the pool in large numbers to protect their investment.
Since then, no pool has dared to approach this level of hash power again. Miners appear to have realized that any form of market panic has a significant negative impact on their bottom line.
Here we can see the difference between the Byzantine model and the rational model: under the Byzantine model, BTC is insecure as soon as one miner's hash power exceeds 50%. In the complex real world, however, a stable BTC is quite likely to have a hash power monopolist. There may be one right now, but we cannot prove it. Analyzing participants' incentives shows that BTC does not automatically fail when a single miner controls a majority of hash power.
When a miner holds more than 50% of hash power, he can be sure that any chain he proposes will become the canonical chain under Nakamoto consensus. This is the prerequisite for the more serious attacks on BTC users, which fall into two categories: double spending and destruction.
In a double-spend attack, the attacker rewrites the chain, replacing the chain in which he paid BTC with one in which he still holds the merchandise but never paid.
Our model shows that even a small drop in the BTC price makes large-scale double-spend attacks unprofitable, because the MEV must exceed the loss to the miner's bundled interests. The miner must also consider another factor: users can suspend Nakamoto consensus entirely, indirectly damaging his earnings.
A double-spend attacker wants to minimize the chance that the network notices his intent, so as not to trigger a penalty response. He can keep his reorganization to fewer than 100 blocks so that the block rewards on the original chain remain valid.
Larger rewrites no longer affect only a single user: they damage the token system itself and set off a chain reaction that invalidates many more transactions.
The attacker will therefore preserve as many transactions from the original chain as possible, changing only the record of the double-spent transaction, in order to hide his intent.
Given these constraints, a simple double-spend attack is unlikely to become a rational choice for miners in the short term.
Unlike a simple double spender, a destructive attacker has no intention of making money within the BTC system, so he does not care about user penalties at all. Instead, the destructive attacker tries by various means to crash the BTC price and make users lose confidence in the network.
A destructive attack is rational for someone who is short the BTC price. Its purpose may also be to defend an existing source of income that BTC threatens, such as the seigniorage of a fiat currency system, or the taxes that people evade by hiding assets in digital form.
The motive resembles the plot of a James Bond film, in which the villain plans to contaminate the gold reserves in Fort Knox (the US Treasury's gold depository) to make the gold in his own hands scarcer and more valuable. It is therefore also called the "Goldfinger attack".
To minimize users' trust in the system, the attacker targets the three original design goals of BTC: safety, liveness, and permissionless access. He intends to break each of these properties in turn.
One way to do this is to establish a hash power monopoly and stop processing transactions altogether. Any miner with enough hash power can establish a monopoly simply by ignoring the blocks found by smaller miners; because he dominates, the blocks created by small miners will eventually be rewritten.
A miner who has achieved a hash power monopoly can refuse to include any transaction, set a minimum fee to extort transaction fees from users, or simply impose his own transaction processing rules. For example, he can ignore every transaction that has not passed his personal KYC/AML check. Users can defend against such censorship attacks in three basic ways.
- We should be clear that the damage done by censorship equals the cost to the censored user of exiting the system. The more competing products BTC has, the lower the exit cost, and the lower the incentive to censor BTC users in the first place. Similar logic applies to on-ramps and off-ramps, such as decentralized exchanges. There is an interesting paradox here: a strong KYC/AML layer on BTC reduces the appeal of theft (the coins stolen in the Bitfinex hack were blacklisted), but it also makes the system more vulnerable to censorship attacks. Conversely, a system without any identity checks offers more incentive for theft, but less incentive for censorship attacks.
- Once transactions start being censored, the attacker's revenue falls, while censored users can raise the fees on their unconfirmed transactions. This creates a revenue gap between MR(honest mining) and MR(attack mining). Censored users are effectively freerolling at this point (any action can only add to their upside without affecting their existing position) and can keep raising fees until they have spent their entire balance. This revenue gap can attract other large miners to challenge the existing hash power monopoly.
When using the model to predict the future, we must consider which parameters will change and why.
From the analysis above, we conclude that BTC's security rests largely on a few contingent factors: miners' bundled interests, the price sensitivity of MEV, and users' ability to coordinate. Suspending Nakamoto consensus can solve the problem, but it cannot itself be the foundation of security: if a coordination mechanism cheaper than Nakamoto consensus already existed, we would not need mining at all.
Today, BTC's volatility requires miners to have a high risk tolerance. If the price keeps climbing and then plateaus while BTC remains stable, mining will begin to resemble a traditional commodity market, which offers producers low volatility and, of course, lower returns. This is a dynamic balancing process.
Lower volatility allows miners to use higher leverage, which makes even small price changes more consequential.
If BTC seriously threatens the monetary sovereignty of states and governments' ability to tax, governments will step up censorship. The existence of a deep derivatives market also makes it easier to short the BTC price at scale, which further increases the potential MEV.
BTC's biggest security threat is rooted in the protocol itself, not in any external attacker; the largest variable in the system is encoded in the protocol. The decisive factor in the strength of miners' bundled interests is their total income, which comes from the block reward and consists of two parts: the fixed block subsidy and transaction fees.
The fixed block subsidy currently accounts for 99% of the total block reward and is being phased out on BTC's fixed issuance schedule. In 2020, BTC's annual issuance rate will drop to 1.8%; after further halvings, it will be 0.5% by 2028.
Eventually, the most important source of miners' income (the fixed block subsidy) will have to be replaced by new sources of income.
So far, BTC has derived its security from its own value. Going forward, it will have to derive its security from a secondary market that has yet to develop.
Whether this transition in income sources succeeds largely determines BTC's future. Today, the purpose of transaction fees is to prioritize transactions competing for the limited supply of block space. To generate enough miner income, demand for block space must exceed its supply, and price is the key factor in keeping this system running smoothly.
Although demand for block space may in the future be high and less volatile, there are still scenarios in which the market finds BTC useful yet transaction fees remain low. This can happen if most people simply hold BTC and most transactions take place on centralized exchanges or on various off-chain solutions.
4.1 The effect of block confirmations on security
One view holds that the decline of the fixed block subsidy poses no significant risk, because users can compensate by waiting for more block confirmations. Our model shows that the relationship between security and the number of confirmations is much more complicated.
First, consider how additional confirmations affect miners' bundled interests. As mentioned earlier, miners have effectively prepaid 50% of the coins they expect to mine over the next two years. Their total bundled stake is 658,800 BTC, an average of 6.25 BTC per block. In each block, the miner combines an operating cost of 6.25 BTC with a bundled-stake cost of 6.25 BTC, for a total MC of 12.5 BTC per block, equal to the block reward.
If users consider a transaction final after 6 confirmations, the double spender's minimum attack length is 7 blocks. To mine those 7 blocks, the attacker only needs to spend an additional 7 × 6.25 BTC = 43.75 BTC.
During this seven-block attack, however, he also puts his entire stake at risk (equivalent to 658,800 BTC), which is not included in the 43.75 BTC operating cost.
If the attack is extended to 70 or 700 blocks, the duration and cost become 12 hours and 658,800 BTC plus 437.5 BTC, and 5 days and 658,800 BTC plus 4,375 BTC, respectively.
We can see that even if a user is willing to wait a week, the miner's total bundled stake at risk increases by less than 1%. Waiting for more confirmations therefore does not substantially increase the risk the miner bears, and nobody will wait several months for a transaction to be finalized. The same logic applies after future halvings of the block reward. Additional confirmations only affect the part of the stake tied to MR: each extra confirmation adds a cost equal to 50% of the current block reward, and as MR declines, that per-block cost declines with it.
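The cost arithmetic above, carried through as an added Python example (not code from the article or its authors). It assumes 6 blocks per hour over two 366-day years, which reproduces the article's 658,800 BTC stake, and models the per-block operating cost as 50% of the current block reward so that the effect of a halving can be shown as well.

```python
# Added example: the bundled-stake cost model of section 4.1, not code from
# the article. Assumptions: 6 blocks/hour over two 366-day years (reproduces
# the article's 658,800 BTC), and operating cost = 50% of the block reward.
BLOCKS_PER_TWO_YEARS = 6 * 24 * 366 * 2   # 105,408 blocks (assumption)
PREPAID_SHARE = 0.5      # miners have effectively prepaid half of future rewards
OPERATING_SHARE = 0.5    # operating cost per block as a share of the reward
MINUTES_PER_BLOCK = 10


def bundled_stake(block_reward):
    """Total stake at risk: half of the rewards expected over the next two years."""
    return PREPAID_SHARE * BLOCKS_PER_TWO_YEARS * block_reward


def marginal_cost_per_block(block_reward):
    """MC per block = operating cost + the per-block share of the bundled stake."""
    operating = OPERATING_SHARE * block_reward
    return operating + bundled_stake(block_reward) / BLOCKS_PER_TWO_YEARS


def attack_cost(confirmations, block_reward=12.5):
    """Cost of a reorg undoing a payment accepted after `confirmations` blocks.

    The attacker must mine confirmations + 1 blocks. Only the operating cost
    grows with depth; the whole bundled stake is at risk however deep the
    reorg is. Returns the components the article compares.
    """
    blocks = confirmations + 1
    stake = bundled_stake(block_reward)
    extra_operating = blocks * OPERATING_SHARE * block_reward
    return {
        "blocks": blocks,
        "hours": blocks * MINUTES_PER_BLOCK / 60,
        "extra_operating_btc": extra_operating,
        "stake_at_risk_btc": stake,
        # how much a deeper wait raises the attacker's exposure relative to the stake
        "relative_increase": extra_operating / stake,
    }


if __name__ == "__main__":
    for reward in (12.5, 6.25):          # today and after the next halving
        print(f"reward {reward}: MC/block = {marginal_cost_per_block(reward)} BTC")
        for z in (6, 69, 699):           # attack lengths of 7, 70 and 700 blocks
            c = attack_cost(z, reward)
            print(f"  {c['blocks']:>4} blocks, {c['hours']:>6.1f} h, "
                  f"+{c['extra_operating_btc']:>8.3f} BTC operating, "
                  f"stake {c['stake_at_risk_btc']:,.0f} BTC "
                  f"(+{100 * c['relative_increase']:.2f}%)")
```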
This logic changes considerably at low confirmation counts. An attacker who must sustain an attack for longer needs more hash power and takes on more risk, but an attacker with a short attack window does not need much hash power at all. A miner with 10% of total hash power has a 17% chance of successfully rewriting two blocks, but only a 1% chance of rewriting six.
If miners' bundled interests are low and MEV is high, then an attack is profitable at these probabilities. Waiting for the first few confirmations is therefore not an effective defense against large attackers, only against small miners.
Although there may be little difference between waiting for 6 and 60 confirmations, beyond 100 confirmations the security gains start to accumulate again. As mentioned earlier, this is the threshold at which block rewards become spendable, and rewrites deeper than this are far more disruptive to the network. The more users are harmed, the lower the coordination cost of retaliating by selling coins or suspending Nakamoto consensus.
Therefore, when receiving payments with no recourse outside the protocol, a reasonable rule may be: for large transactions, wait for more than 100 confirmations; for everything else, wait for 6 confirmations. We found that the miner's attack cost barely increases between 6 and 100 confirmations.
- Finally, completing the list of defenses against censorship attacks given above: users can coordinate to punish the monopolist miner by suspending Nakamoto consensus and changing the rules, for example by switching the proof-of-work algorithm from SHA256 to another algorithm. Of course, the monopolist miner can also keep rewriting the original chain rather than extending it with invalid blocks, but the effect is the same.
(To be continued)