4D long text | Bitcoin security model and declining block subsidies

Hasu, James Prestwich, Brandon Curtis

This article was compiled by the Credit Research Institute. The original link:

https://uncommoncore.co/wp-content/uploads/2019/10/A-model-for-Bitcoins-security-and-the-declining-block-subsidy-v1.02.pdf

The copyright of this article belongs to the original author, only represents the author's own point of view, does not represent the views or positions of the credit letter or the credit research institute.

This article is about 17,000 words, and it takes about 40 minutes to read the full text.

As the block rewards continue to decrease, it is always a focus of our attention whether Bitcoin can be adequately secured in the future. Last month, Hasu, James Prestwich, and Brandon Curtis gave a comprehensive discussion of the issue. In view of the importance of this issue, we have carried out a detailed full-text translation of the paper. The full text is as follows:

We thank the editors of Anthony Towns, Arjun Balaji, Brian Venturo, David Vorick, Joe Kendzicky, Lucas Nuzzi, Matthew Hammond, Nic Carter, Philip Daian, Steve Lee, Su Zhu, Tarun Chitra, and Yassine Elmandjra for their valuable ideas. This paper is further influenced by Andrew Miller, Arvind Narayanan, Ed Felten, Elaine Ou, Emin Gun Sirer, Eric Budish, Eric Lombrozo, Eric Voskuil, Fernando Nieto, Ittay Eyal, Joseph Bonneau, LaurentMT, Nick Szabo, Paul Sztorc and Raphael Auer. Inspired by excellent papers, blog posts and tweets.

If an application or a protocol achieves its goals in a confrontational environment, including defending those who are willing to spend a lot of resources to damage the system, we call it "security." Unfortunately, there is no system that can defend against omnipotent attackers. Therefore, a pragmatic approach to security is to maximize the motivation to act on the agreement while minimizing the motivation to act on the agreement. The goal of Bitcoin is to build such a payment system:

1) Anyone can participate (no license access required),

2) Only legal owners can spend money (safe), and

3) All valid transactions will eventually enter the ledger (active)

These attributes have been around for more than 10 years, indicating that Bitcoin is safe in practice. On the other hand, in theory, bitcoin usually does not produce the same guarantee. This led scholars to call it "broken 1" and "doomed 2", and so on.

In this article, we hope to bridge the gap between theory and practice by introducing our bitcoin security model. We have shown that Bitcoin can currently withstand very high attack stimuli, which is a few unexpected factors. We further prove why many of the attacks put forward by scholars are irrational to miners.

In the second half, we demonstrate that the biggest threat to Bitcoin security is more than the protocol itself, compared to any outside attacker. As part of the Bitcoin fixed issuance program, the continuous reduction of block subsidy programs will result in lower prospective income for miners. If we have not developed a robust block space market, we explain why the decline in block rewards poses a significant risk to the future. Contrary to popular belief, users cannot make up for this by simply waiting for more confirmation.

Finally, we provide some general methods for thinking about this issue, including some suggestions for improvement that can be discussed by the community.

1. Why Bitcoin needs to mine

In past payment systems, one or a group of trusted central servers were needed to process transactions. This has proven to be an important point of failure because central certifiers often fail or are forced to exclude certain groups of people or certain types of transactions. Therefore, a system designed to provide unlicensed access cannot use the center's party. Satoshi Nakamoto saw such a solution, replacing the popular client-server model with a flat point-to-point model that has proven its worth in a highly flexible distributed network such as BitTorrent.

With public key cryptography, we have been able to prove and verify the ownership of the message. In Bitcoin, the owner of a coin can sign a message with his private key. Then, other nodes in the network can use the sender's hash public key to verify the message to prove that the message is indeed valid. This satisfies the "security" requirements in the Bitcoin system. However, when a node receives two conflicting messages that are valid but not valid at the same time (for example, when someone tries to spend the same coin twice), public key encryption is almost unhelpful.

Bitcoin elegantly solves this problem by replacing the signature of the trusted server with a set of computational capabilities (the nodes can follow these signatures to coordinate on a single chain). The node can trust this signature highly because it is costly to produce and the cost is easily verified. When a node receives two conflicting signatures from a miner, they distinguish them by favoring a higher-priced signature. This "forking selection rule" is now called Nakamoto consensus.

Back, Corallo, and others first proposed the idea of ​​considering bitcoin mining as a dynamic multiparty-membership signature (DMMS). 3 DMMS is a signature consisting of a group of variable anonymous signers who can join and leave at any time. They weighted the power share of the Bitcoin network by their contribution to the signature. These signatures are cumulative because each block references the previous block, creating a blockchain.

The process of creating a signature is as follows: First, the miner performs a load calculation by generating a random output. When these outputs fall within a certain range, other nodes can use this as a basis to prove that the virtual dice must have been thrown a certain average number of times (similar to having to roll a 1000-sided dice on average 100 times to produce a mediation. A number between 1 and 10. 4) Next, a miner releases his block (including proof of work) to the rest of the network. If the consensus rule is met, the other nodes will add it to its blockchain and compensate the winning miner with the block reward and all transaction fees in the block.

1.1 Limitations of cryptography

Although miners have a certain degree of freedom in building their own blocks, they can't give themselves more money, can't steal other people's coins on the same chain, or even retroactively change the revenue of the block. The miner must follow the Bitcoin protocol like any other node, and the node will automatically reject any attempts to compromise the protocol.

However, the agreement cannot be enforced by cryptography in some important respects. A node does not know which of the two conflicting transactions is valid, or which of the two competing chains should support, so the user relies on the fork selection rule to coordinate on a single chain. Although the fork selection rule is necessary for Bitcoin to maintain consensus, it also gives the miner considerable power that is not controlled by the agreement itself (and cannot be controlled!).

The most famous "incentive failure" is a double-flower attack, and most miners first use Bitcoin to purchase non-bitcoin goods or services on the original chain. Once he has irreversibly obtained the goods or services, he produces a longer chain in which the transaction never happened, and eventually he received both money and goods. Nodes that diligently follow the most expensive signatures automatically switch to the new chain, even if it contains chain theft or other malicious behavior.

Thus, "hard" protocol rules such as cryptographic signatures do not fully secure the ordering of transactions – it also relies on "soft" economic incentives for miners to publish updates that serve Bitcoin users.

2. Modeling the security of Bitcoin

If users can't trust the agreement to enforce the "correct" transaction history, how can they know if a transaction is final or will it be revoked by miners in the future? In the traditional financial system, transactions are unchangeable because they are prohibited by law. In Bitcoin, the law cannot cover miners. Miners can be anonymous, operate anywhere in the world, and can join and leave the network at any time.

If this is profitable for the miners, then we should think that they will always cancel the transaction, including the transactions of other people paying for it. Therefore, users should not consider a payment to be unchangeable unless it is unprofitable to revoke it. Folk wisdom has expressed this problem as "how many times a person must wait to make a payment unchangeable." We have shown why additional confirmation does not make much sense for Bitcoin security. Instead, security is primarily the result of two simple factors.

2.1 Security assumptions

We must first set up a basic payment system with a block subsidy of 12.5 BTC and no transaction fees. All the hardware and computing power required for mining can be rented on demand, so miners have no long-term commitment to the Bitcoin network. Their behavior will not affect the transaction price of Bitcoin, and no user will ignore the most expensive chain selected by Nakamoto. All models use bitcoin as the base currency.

We define the value of Bitcoin that follows the agreement (or “honest mining”) as EV (honest mining) .

For example, in an example of 10 blocks, the miner's income ( MR) would be 125 BTC. Assuming that the miners enter the mine for free and compete completely, we can assume that the entire mine union spends 125 BTC of mining cost (MC) to win this award.

Equation 1 Mining revenue (MR)mining cost (MC) = 0
Equation 2 EV (honest mining) = MRMC

Therefore, the EV for honest mining was determined to be the baseline for 0 BTC.

The Miner-extractable value (MEV) describes how many BTC a miner wants to win from his attack. The concept is the invention of Daian, Goldfeder, etc. to describe the value that miners can extract from smart contracts, but we extend it to cover any miners can extract by manipulating consensus or trading orders. value.

Importantly, the MEV does not describe how much a single user can safely exchange in a block, because an attacker can spend many different users at once. It doesn't even describe how much all users can safely swap in a block, because an attacker can spend twice across multiple blocks. The MEV describes the full value of the attacker. For a user waiting for six confirmations, the attacker's minimum attack duration is seven blocks. Therefore, users who only calculate MEVs based on their own personal transactions will underestimate the magnitude of the actual incentives of miners.

The final EV (eg, double flower) of the attack mining can be modeled as:

Equation 3 EV (attack mining) = MEV + MR – MC

As long as EV (honest mining) > EV (attack mining), a rational miner will follow the agreement instead of attacking it .

Therefore, we can deduce that EV (honest mining) > EV (attack mining) is a necessary condition for Bitcoin to ensure the safety of rational attackers .

It follows from this that the distinction between EV (honest mining) and EV (attack mining) describes bitcoin against irrational ("Byzantine") attackers – they do not care about profits, but will attack the bits for any reason. Tolerance of the currency . It is worth noting that this tolerance does not have to include the value that the attacker takes directly from the attack, for example, the value obtained by re-injecting the bitcoin price. The MEV has captured any such value.

In this simple model, we don't even need to talk about Byzantine attackers. The system is no longer able to withstand a rational attacker, because any MEV > 0 is enough to make the attack more attractive than honest mining. Suppose a miner can extract 100 MEV from an attack that lasts 10 blocks, we can see

Example 1: EV (attack mining) = MEV + MR – MC = 100 + 10 – 10 = 100; 100 > 0, so bitcoin is not safe

This finding is consistent with intuition because the attack chain has no real cost to the attacker. Its budget requirement is only 10 BTC. After the attack was successful, all the resources he spent on the attack were returned. Here are three notable warnings:

1) If an attacker has to invalidate some of his own blocks, the attack will begin to have actual cost because his effective MR (attack) drops while the MC remains unchanged.

2) If a few miners ("defenders") continue to dig the original chain, he can increase the duration of the attack. However, as long as the attacker finally catches up, it will not lower its EV; it will only increase the budget. The resources of the defenders will be wasted.

3) In this model, we assume that the attacker has a majority of computing power, or that coordination between several smaller attackers has no cost. In the real world, coordination is costly, and if the miners disagree on the value of the MEV or the duration of the attack required, the cost of coordination may increase.

2.2 Market Governance

As the saying goes, as economic actors, we have been voting – by spending money on something, not on others. Blockchains are also markets, so when users (consumers) buy and sell bitcoin, they continue to vote for miners (producers or service providers) to act in some way. When users are dissatisfied with the services provided by miners, confidence in the payment system may decline, and the transaction price of Bitcoin may fall compared to before the attack.

We define p (post-attack price) as the relative BTCUSD price after the attack. For example, the price indicated by the 95% post-attack price is 5% lower in the attack.

Equation 4 EV (attack mining) = p (post-attack price) * (MEV + MR) – MC

In the updated equation, since the bitcoin price drops due to the attack, the MR (block reward + transaction fee) and MEV are both smaller, while the MC (attack mining) remains unchanged. Although it is not uncommon to use bitcoin here and illicit currency as the basic unit, we find it easier to reason. In fact, the miners' nominal bitcoin did not decrease after the attack, but since they lost 5% of their purchasing power, he could only change it to 95% of the pre-attack bitcoin.

Due to the introduction of market governance, EV (attack mining) will now be unprofitable as long as MR (honest mining) is greater than p (post-attack price) * (MEV + MR (attack mining)).

Equation 5 EV (attack mining) < 0, if MR > p (price after attack) * (MEV + MR)

Thus, we can derive three ways of system security:

1) The MEV can be low , for example, because few people are trading in bitcoin, or the user does not consider the final payment without additional guarantees such as knowing the buyer's identity.

2) p ( post-attack price) can be low , which means that users need to be very sensitive to what Bitcoin should do, and need to be willing to switch to competitors if miners stop doing their job. This is a bit like a "station" parameter, because if the bitcoin price collapses easily, other forms of attack (such as sabotage) will become more attractive, thus increasing the MEV. 6

3) MR can be high , so the effect of p (post-attack price) on MR begins to exceed the potential gain from MEV.

2.3 Miner Commitment

So far, we have made the unrealistic assumption that everything needed for mining can be rented on demand (this view dominates academic commentary on bitcoin security.) In fact, mining is not the case. In a fiercely competitive model, miners are running on treadmills. If a miner speeds up and increases his income at the same cost, then other miners must keep up with the pace, otherwise they may be completely bankrupt. There is almost no sustainable moat for mining. As a result, the mining industry may be faster than any other industry in history.

With the industrialization of mining, the unit cost of finding a block is becoming more and more important. There are several ways to reduce the cost per unit of business:

1) If the operation of the production facility is lower than the production capacity, the enterprise can sell more products and use more commodities to share its operating expenses. In mining, there is a bitcoin network as an automatic buyer for every computing power, so there is nothing to optimize here.

2) This business can reduce the daily material cost of production. The equivalent goal of mining is to constantly look for cheaper energy, better heat dissipation or cooling, and manufacturing optimization.

3) Companies can reduce operating expenses by specializing their production facilities. In bitcoin mining, this has led to more and more optimization of hardware for a job: hash SHA-256. The moment the hardware can no longer dig bitcoin, it is actually worthless. It is worth noting that this applies even to large GPU mining networks such as Ethereum. Even if you can use general hardware to dig Ethereum, the demand for GPUs is not enough to suddenly saturate the supply. If the price of Ethereum collapses, the commitment of the Ethereum miners will lose most of its value.

4) Miners can also reduce unit energy costs by signing increasingly long PPAs.

Therefore, in order to reduce unit costs to start competitive mining, a rational miner needs highly specialized hardware and needs to take a long-term view of the network. The more specialized the miners are, the less their assets and expenditures can be changed. From Equation 1, we know that MR + MC = 0. This means that we can derive the total cost of mining from the total revenue of the mining, which is only the sum of all the block rewards.

How much does the miner have to pay in advance? After talking to bitcoin miners and experts, we came up with a rough estimate that ordinary miners and the entire mining industry, about 50% of their total cost belong to such unchangeable assets. In addition, we understand that these assets are depreciated on average within 24 months.

If we run on this assumption, then the entire mining industry will receive a full year of block rewards (two years * 50%), promised to dig bitcoin in the next two years. Under the block award of 12.5 BTC, it is equal to 658800 BTC.

In other words, before the miners began mining, they had to *pre-* purchase 50% of all the coins they expected to dig in two years .

Anything that is detrimental to its value is extremely destructive until the coins are available.

Therefore, we can say that the miners are firmly committed to digging bitcoin in a way that maximizes bitcoin value and network utility .

Equation 6 EV (attack mining) = p (price after attack) * (MEV + MR) – MC – [1 – p (price after attack)] * Commitment

In the first example, the power can still be rented, 95% of p (post-attack price), and the impact on MR is only 10 blocks of attacks. Once the miners promised bitcoin, the same price drop affects the entire year's revenue – 52,704! The 5% price drop, now all miners will now eliminate the equivalent of the 32,940 BTC before the attack.

It's worth noting that an attacker does not need to have 100% of computing power to make the attack successful. If he uses 60% of the power to attack, his own commitment will only account for 60% of the total commitment, which is 395,280 BTC.

Example 2: EV (attack with 10 blocks of 60% power and 100 MEV) = 95% * (100 BTC + 10 * 12.5 BTC) – (100 * 12.5 BTC) – 5% * 395280 BTC = -19.675 BTC

For an attacker with 60% power, the MEV is about 21,000 BTC, which is $187 million at today's price to make the attack profitable. The high tolerance to MEV indicates that today's bitcoin network is indeed safe. These findings can be extended to all cryptocurrencies using PoW and show how important the use of unchangeable miners is to safety.

2.4 Suspension of the Nakamoto consensus

We have proven that the Bitcoin network can tolerate a large number of MEVs today, which creates a huge obstacle to the profit of the attack. However, in order to improve our bitcoin security model, we need to update the last remaining hypothesis, that is, Bitcoin users will never question the Nakamoto consensus.

Users are seeking to minimize the signal of trust on the market that allows them to coordinate on a single chain. They spend a lot of money on these signals because doing so is cheaper than coordinating any other way (for example, by talking directly to each other until a similar consensus emerges).

However, this does not mean that even if most users are dissatisfied with the miners, the user will certainly follow the signals generated by the miners. There are many precedents in the history of Bitcoin, and users ignore the consensus of Nakamoto, because the resulting chain no longer represents the social contract they have signed.

In 2010, the integer overflow error in block 74638 resulted in the creation of up to 184 billion BTCs, which is much larger than the 21 million that should exist. Within three hours, Nakamoto released a new bitcoin client with no errors and “rolled back” this chain of hyperinflation. 8

The second example is the 0.7/0.8 consensus error in 2013, which caused the blockchain to split into two in a matter of hours. Bitcoind, the most popular bitcoin implementation at the time, recently released a 0.8 update. What the developer didn't know was that the new software also made minor changes to the consensus rules, which caused block 225430 to be incompatible with older clients. After the Bitcoin developers and the mines decided to temporarily suspend the fork selection rules, the fork was resolved. They manually supported the 0.7 branch and abandoned the 0.8 chain, which required the miners to abandon any block rewards in the 0.8 chain to maximize the overall utility of the network. 9

Finally, the most famous example might be the 2017 User Activated Soft Fork (UASF) campaign. A full year after the code was released, most miners still refused to use the Segregated Witness update—perhaps because it undermined ASICBoost, a patented technology that improved the efficiency of mining hardware10. In order to push this change anyway, some Bitcoin users installed a client that again had the threat of suspending the Nakamoto consensus because it ignored the block of miners who refused SegWit after a certain date. . If the miners let it happen, it will lead to controversial forks on the main network. The threat to the utility and value of Bitcoin severely touched the miners' bottom line, and they eventually gave up the resistance to the SegWit update.

These examples show that, ultimately, the user will lead the miners. When they disagree with which governance decisions will make the most of the overall network utility, users can run custom code (such as the invalidateblock parameter) to temporarily suspend the Nakamoto consensus and thus “deprive” the miners.

Even if the protocol rules are met, the attacker must consider the risk of the user rejecting their chain.

We define p (following the Nakamoto consensus) as the probability of suspending the Nakamoto consensus under the user coordination chain. From the attacker's point of view, this further reduces the potential reward, and his cost remains the same.

Equation 7 EV (attack mining) = p (following Nakamoto's consensus) * p (price after attack) – MC – [1 – p (price after attack)] * Commitment

Since the suspension of the Nakamoto Satoshi consensus only affects the MR and MEV during the duration of the attack, and has no effect on the miners' commitment, the safety of the Nakamoto Satoshi consensus is less than market governance. However, in theory, users can not only change the transaction history, but also change the core protocol rules. If there is a consensus to change the mining algorithm from SHA256 to other algorithms, even if the bitcoin price does not fall to zero, the user may immediately invalidate the entire miner's promise. This makes social intervention a very useful defense against attackers who actively try to lower bitcoin prices or damage the network.

2.5 Summary

By building this model and populating it with real data, we can get some key insights.

1) In order to achieve a high level of safety, honest mining must be more profitable than attack mining for any duration that the user considers to be unchangeable.

2) If the user wishes to be able to make a large transaction, the MEV must be allowed to be high.

3) The ability of the system to withstand high MEVs depends on the scale of the miners being punished for malicious behavior. Users can punish miners in two main ways:

a) First, they can sell some or all of Bitcoin. When the trading price of BTCUSD fell by 10%, miners lost 10% of the promised value of the pre-attack bitcoin.

b) Secondly, the user can coordinate the suspension to temporarily suspend the Nakamoto consensus.

4) In order to make the penalty potential bigger, the miners' commitment must be great, and the willingness of users to sell coins must be high.

5) The scale promised by the miners is a function of the miners' income (MR), the ratio of committed costs to total costs, and their depreciation schedule.

6) If we maintain the promised cost, depreciation schedule, and willingness to sell coins, MR is the determining factor for MEV tolerance and is therefore the determining factor in how much user activity the network can support.

We invite anyone to download and try out our models based on their own criteria. 11

3. Mining attack

Next, we want to know how, according to our model, the most important attack on the Bitcoin system will proceed.

The attacks that can occur on the Bitcoin network depend to a large extent on how much power the attacker has. In theory, a miner can perform operations such as selfish mining or stubborn mining with only 30% of computing power, earning with strategic concealment blocks. Revenue that exceeds the fair share of miners' income (Translator's Note: After the new block is dug out of the self-owned mine pool, the block will not be released yet, but the next block will be continued. When others are discovered on the network, the new block will be released. This block, for higher returns). To the best of our knowledge, these strategies have not been discovered in Bitcoin so far. Our model suggests that it is irrational for miners to adopt strategies that may reduce public trust in Bitcoin, because even a small price decline will undermine the value of their commitments, which is greater than the MEV they wish to obtain.

At least one data point supports this theory. In 2014, the GHash.io pool (which attracted miners through a zero-fee policy) repeatedly tested >50% of computing power and even suspected of participating in the double-popular betting site BetCoin Dice12. As news about the centralization of the mine pool spread in the Bitcoin community, people’s trust in the system began to waver. Several important figures publicly sold some of Bitcoin 13.

After that, individual miners fled the mine to protect their investment. After that, no mine pool dared to approach this level of computing power again. Miners seem to have realized that any form of market panic can have a significant negative impact on their bottom line.

Here, we can see the difference between the Byzantine model and the rational model: under the Byzantine model, once the miner's computing power is > 50%, Bitcoin becomes unsafe. However, in a complex world, the steady state of Bitcoin is likely to be a power monopoly. There may be a monopoly at the moment, and we cannot refute it. Viewing the motivation of all participants can indicate that Bitcoin does not automatically fail due to the existence of most major miners. Users can still build the blocks they want through the incentives of the miners.

When a miner has more than 50% of his calculation power, he can be sure that any chain he proposes will eventually become the standard chain in the Nakamoto consensus. This certainty is a prerequisite for a more serious attack on Bitcoin users. These attacks can be divided into two categories: double-flower attacks and vandalism attacks.

3.1 Double flower attack

In a double-flower attack, the attacker replaces a chain that he made a lot of purchases with bitcoin, and reorganized it with a version that he still owns but never pays.

Our model suggests that a small drop in bitcoin prices can make even large-scale double-flower attacks infeasible because the benefits of MEV must be higher than the damage to miners' promises. In addition, the miner must also consider that the user will suspend the Nakamoto consensus and thus completely deny his reward.

As a result, the double-flower attacker wants to minimize the perceived and actual disruption in the network to avoid triggering any of the above penalties. He can start by keeping the reorganization less than 100 blocks, where the original chain's coinbase reward can be used for expenses. Such in-depth reorganization will no longer only affect individual users, but actually destroy the currency and its descendants, possibly invalidating more than expected transactions. A surgical attacker replays every transaction (including the coinbase output) as much as possible to recreate the exact same history, only the double flower transaction is different.

With all these limitations in mind, isolated double-flower attacks are unlikely to become rational miners' choices in the near future.

3.2 Destruction attack

Unlike an isolated double-flower attack, destroying an attacker does not intend to make money in the Bitcoin system. As a result, he does not consider the punishment of the user at all. Instead, a vandal attacker may try to crash the price and let the user lose confidence in Bitcoin. Destroying an attack may be rational for those who short the price of bitcoin, or for defending existing revenue streams that are threatened by Bitcoin. Such income streams may be the coinage tax of the legal currency system, or the ability of the state to collect taxes, while Bitcoin allows users to hide funds from local governments. This program is also aptly called the "Golden Finger Attack", named after James Bondri's villain, who plans to tarnish all of Fort Knox's currency to make his gold more valuable14.

To minimize the user's trust in the system, attackers should focus on abolishing the design goals we set for Bitcoin: security, activity, and unlicensed access.

One way to achieve this is to create a mining monopoly and stop processing any transactions altogether. If you like, most miners can establish a monopoly by simply ignoring the blocks that a few miners have dug. Because he will definitely lead in the end, the blocks temporarily added by a few miners will be reorganized in the future. Instead of dealing with any transaction, a monopoly miner can also extort a user by setting a minimum fee or establish his own rules to decide which transactions to process. For example, he can ignore all transactions that have not passed his private KYC/AML inspection. Users can defend against this type of attack by three basic methods.

1) We should establish that the damage from the review is equal to the exit cost of the user being reviewed in the system. The more alternatives Bitcoin has, the lower the exit cost, and the lower the motivation to first review Bitcoin users. Similar logic applies to the entrance and exit ramps, just like decentralized exchanges. There is an interesting puzzle here: although the powerful KYC/AML layer on Bitcoin reduces the appeal of theft (the coins from Bitfinex hackers are blacklisted), it also makes the system more susceptible to censorship. On the other hand, a system without any identity concept would increase the motivation for theft, but reduced the motivation for the review.

2) When the transaction is reviewed, the transaction handled by the attacker is reduced, and the user being reviewed begins to increase the transaction fee for the unprocessed payment. As a result, propagation begins to form between MR (honest mining) and MR (attack mining). The reviewed user can effectively scroll freely at this time, and can increase the transaction fee over time until they consume almost all of the balance. The difference in these transaction fees can translate into a generous reward for the honest majority challenge the existing mining monopoly and possibly overturn it.

3) Finally, the user can coordinate to suspend the monopoly miners by suspending the Nakamoto consensus and making changes to the rules. One way to change the method is to change the workload proof algorithm from SHA256 to an algorithm that has not been dominated by the attacker. Monopoly miners can also reorganize the chain repeatedly, instead of using the useless blocks to expand the chain with the most work, but the effect and treatment are largely the same.

4. Constantly reduced block subsidies

If we extrapolate our model to the future, we must consider what the current parameters will change and why. We have established that the vast majority of Bitcoin's security comes from a surprising few factors: miners' commitment, MEV and user price sensitivity. The ability to suspend the Nakamoto consensus can solve the problem, but it cannot be the basis of security itself. If the user knows a coordination mechanism that is cheaper than the Nakamoto consensus, we don't need to mine.

Today, the volatility of Bitcoin requires mining tools to have higher risk tolerance. If the price appreciation peaks and stays at a stable peak, then mining will begin to resemble a more traditional commodity market, providing producers with low returns and low volatility. Lower volatility naturally allows miners to use higher leverage, making it easier to feel even small price changes.

If Bitcoin threatens the sovereignty of its own currency and the ability of local governments to collect taxes, then the opportunity to attack the network through the implementation of censorship or other forms of destruction increases. The existence of a deep derivatives market can also make it easier for people to re-note the price of Bitcoin, which further increases the possible MEV.

However, the biggest changes are programmed into the Bitcoin protocol itself. All miners’ income is a decisive factor in the strength of miners’ commitments, and it comes from block rewards, including

1) block subsidies in the form of newly minted coins , and

2) Transaction fee .

Block subsidies currently account for 99% of all block awards and are currently being phased out based on Bitcoin's fixed issuance schedule. In 2020, the annual circulation of Bitcoin will fall to 1.8%. By 2028, the figure will be halved to 0.5%.

As a result, block subsidies, the most important source of miners' income, need to be replaced by a new source of income . So far, the security of Bitcoin comes from the value of Bitcoin itself. Looking ahead, its security will come from a secondary market that does not yet exist.

The success of this transition largely determines the future of Bitcoin. Now, the purpose of the transaction fee is to arbitrate the supply priority of the fixed block space. In order to create enough miners' income, the demand for block space must exceed the supply of block space at a meaningful price level to create a constant backlog of pending transactions.

Although the demand for block space may be high and the volatility is small in the future, in some cases, it is possible that the market finds Bitcoin useful, but the transaction fee is still very low. If most people just use bitcoin to hold bitcoin, and most of the transactions happen in centralized exchanges or various chain solutions, then this is the case (there is no reason to say that large exchanges It should be settled more than once a day or weekly.)

4.1 Confirmation of the impact on security

Folk wisdom shows that the decline in block subsidies does not pose a significant risk because users can make up for it by waiting for more confirmation. Our model shows that this is not the case, because the increased commitment costs of miners are overshadowed by existing commitments.

We will demonstrate this through a case. Recall that the miners have promised 50% of the mining cost (ie 105,408 blocks) in two years. Their total commitment is 658800 BTC (or 6.25 BTC per block). In each block, the miner combines the operating cost of 6.25 BTC and the committed cost of 6.25 BTC into a total MC of 12.5 per block, which is equal to the block reward.

If the user believes that the payment after 6 blocks is unchangeable, the minimum attack duration of the double-flower attacker will become 7 blocks. To dig out these 7 blocks, the attacker only needs to spend an additional 7 * 6.25 BTC = 43.75 BTC.

In a 7-block attack, he now takes the risk of 658800 BTC from the promise and the risk of 43.75 BTC from the operating cost. In an attack of 70 blocks (about 12 hours), he risked 658800 BTC plus 437.5 BTC. In the case of 700 blocks (about 5 days), his risk is 658800 BTC plus 4375 BTC. Therefore, we can see that if the user is willing to wait a full week, the total commitment of the miners will increase by less than 1%. Most importantly, waiting for more confirmation does not add any substantial security, and there is no need for trading at the point where it can be increased (more than a few months).

If the block rewards are reduced in the future, the same logic is used. In contrast to MR, the validation contributes to an effective miner's commitment to accurately increase the current block reward by 50% for each additional confirmation. As the MR decreases, each confirmed value will decrease synchronously.

However, waiting for more confirmation does have another benefit. By increasing the minimum attack duration of the miner, the user can gain some form of group immunity. Unless there is a lot of extra computational power, directing most of the computational power to the historical part of the chain rather than the end of the chain will greatly slow down block discovery. Although this does not sound like a benefit, the greater the interference with the user, the lower the cost of coordination for users who counterattack by selling coins or suspending the Nakamoto consensus.

Therefore, waiting for more confirmation only adds security at the margin, and it is impossible to replace the miners' commitments that the system needs to endure a large number of MEVs.

5. Long-term security considerations

If there is no robust block space market, Bitcoin will not become unavailable overnight. On the contrary, block subsidies will decline steadily for a long time. Any problems caused by lower MR will first appear in a weaker form and then become more severe over time, giving users enough time to react and coordinate on possible solutions.

We believe that we must be aware that even if these issues become a reality, we are still optimistic about the prospects of Bitcoin. Bitcoin has the largest user base, the most respected supply allocation, and is increasingly integrated into the financial infrastructure. In its short life cycle, Bitcoin has evolved from a technology to a social political movement that has ideological followers and uses bitcoin as its currency. In addition to the complete lack of demand, it is hard to imagine that Bitcoin can die completely from anything else.

Although there has been much discussion about the invariance of bitcoin's unwanted changes, the case in Chapter 2.4 shows that bitcoin can change as long as the system is at risk. Future recommendations for improving safety are generally divided into three categories: they can seek to increase MR, reduce MEV, or increase the ability to punish miners.

5.1 Improve block space

First, Bitcoin developers can try to increase the demand for bitcoin block space. This can be achieved by making protocol-level changes that make Bitcoin block space more attractive and usable, and by developing profitable business processes that consume bitcoin block space as input.

The need for bitcoin block space includes the need to trade bitcoin and the need to store arbitrary data within the chain. Innovations that enhance bitcoin trading capabilities and flexibility include adding time locks and building Bitcoin lightning networks. Any data store can be used to implement non-consensus asset books, such as USDT or dyed coins, or to anchor a certificate to another system, such as Factom or Veriblock.

The Bitcoin system is highly optimized for transferring bitcoins, but there are limits to the extent that storage of arbitrary data is discouraged. Because this arbitrary data can represent unlimited value outside the Bitcoin network, business processes that occupy block space in this way may have unchangeable demands and high willingness to pay, which will (if necessary, inefficiently ) Change the Bitcoin transaction structure to achieve its goals. Although this demand for arbitrary data may create a stable demand for bitcoin block space, even if the demand for transferring bitcoin experiences large transients, it will continue to increase costs and increase MR, but it also injects Potentially infinite MEVs and increased motivation for the attack chain. To this end, Bitcoin users will have to consider the relative value and risk of using block space for this purpose, and estimate that Bitcoin is the adjustment block due to the limitations on the attribution and technical disadvantages of arbitrary data storage. Motivation arising from this aspect of space demand.

5.2 Permanent release

The second mechanism may be to fork out the newly issued new currency. Although we know that this topic will be highly controversial in the Bitcoin community, we still want to talk about it to eliminate some popular misunderstandings. If we accept that there must be a certain level of MR for Bitcoin to operate, then the user must pay MR in some way. If the necessary MR is 1% per year, then all Bitcoin users will have lost 1% of their purchasing power each year to power the Bitcoin system. In the final analysis, although Bitcoin can be a nominal fixed supply asset, it cannot be a fixed purchasing power asset.

In addition, it is wrong to regard permanent issuance as inflation. If Bitcoin would in any case require the user to lose 1% of its purchasing power, then paying these fees through a permanent issuance would not be more cost-effective than paying through the transaction fee. In fact, a 1% perpetually issued and secure Bitcoin system may be more purchasing power than a 0% permanent and less secure Bitcoin system.

Instead, we should ask, who should pay for MR and what mechanism? In an ideal system, the user will pay for operating costs based on the value obtained from it. This will maximize revenue and maximize security because all users will pay for their utility. It further ensures the fairness and longevity of the system. A system that is considered unfair by some members is unlikely to last a long time – for "stupids" there is a huge incentive to fork a system and leave the free-rider behind.

In fact, the system designer may not know who is the highest value user in advance. Once established, all users may agree that changing the original parameters to more optimized parameters will cost more than simply using them.

Conceptually, there are two main users in the Bitcoin system: the holder and the trader. There is no clear boundary between them, because any trader must hold Bitcoin for at least a short period of time, and any holder must ultimately plan to trade his bitcoin (although not necessarily on the chain).

A confrontational system should be able to withstand external shocks in the form of soft parameters, such as the need to hold bitcoin or the need to use block space. In the case of permanent issuance, MR will not be affected by events in the block space market, and in the current case, the impact on block space requirements will make the security of the entire system plummet.

Intuition tells us here that the ownership of the monetized goods we want is crucial. If we want to monetize the block space from the trader, we must ensure that most of the block space units are always owned by someone. Charges to the holders completely eliminate this friction because there is always one owner per bitcoin.

Finally, it should be noted that the contribution of the holder is less obvious than the trader, but it is still true. When the system is attacked, the currency holders will have more vital interests and are more likely to pay the cost of social coordination. In assessing how much each use case contributes to security, it is important in all cases to have a holistic view of the Bitcoin system.

While the permanent issuance of coins can reduce the uncertainty of miners' income, some people believe that the zero-issuance policy is the eternal Schelling Point of cryptocurrency. 15 If users really hate the kind of implicit taxation brought about by permanent issuance, the bet on a less secure zero-issue structure can be rewarded by generating a higher permanent demand than a low-issued asset.

5.3 Crowdfunding

In the paradigm of the block space market, a less controversial way for Bitcoin holders to donate MR is to use crowdfunding. Large households and businesses that have a strong interest in maintaining bitcoin security can pay to a fund and create a “transaction that anyone can spend” (perhaps in the form of Bitcoin-DAO). Miners can claim these transactions at a certain block height as privately subsidized block subsidies. The benefit of this solution is that there is no need to change the protocol. The downside is that you end up in a classic hitchhiking scenario: Many people want Bitcoin to be safe, but no one wants to be a fool to pay the full cost to others.

One solution to the free-riding problem can be the Dominant Assurance Contract (DAC), a variant of a crowdfunding contract that attempts to make contributions a dominant strategy rather than waiting for others to contribute16. In the DAC, one must act as an entrepreneur, and he wants a public good (in this case, MR) to receive funding. He defines the target amount to be raised and encourages others to contribute by paying a small amount of money to others if the fundraiser fails to meet the target. It is said that this small detail makes the donation more attractive, because the donor now wins in both cases – they either get the item or get back the principal and profits.

5.4 Adjusting the supply of block space

Finally, one solution to improve MR is to change the supply of block space. The biggest disadvantage of a fixed supply system is that even if the demand is only marginally lower than the supply, the transaction fee will immediately become zero. All users in a block may be willing to pay a 5 BTC transaction fee collectively, but if there is a surplus, they will eventually not pay any transaction fees because there is no congestion.

Even if the total demand exceeds the available supply, there is no guarantee that the income will be maximized. For example, suppose that 1 MB of demand is willing to pay 15 BTC, while another 1 MB of demand is willing to pay 5 BTC. If the available supply is between 1 MB and 2 MB, the total transaction fee will be slightly higher than 10 BTC, because the group that wants to pay the least has already set the price for everyone else (the first group pays 5.01, the second) Group pays 5.00). If the supply drops below 1 MB, the first group will have to pay 15 BTC, which will result in a much higher MR, even if the second group is no longer used.

This value can be captured by reducing the block size to slightly below demand to cause permanent congestion. Such changes can be made manually by the developer or automatically by the Bitcoin protocol. One solution is adaptive block size: the system observes the MR generated by the transaction fee and compares it to the target MR required to make the system safe. If MR < target MR, the maximum block size is reduced, causing human congestion. If MR > Target MR, ie the user overpaid for security, some artificial congestion can be eliminated, increasing the block size until the hardtop limit of the community selection (currently 2.3 MB).

Other proposals that require miners to control block size are not robust because there are incentives for miners to fool the system and make the block as large as possible. The reason is that as the block's propagation time increases, the largest and best-connected miners have a competitive advantage over miners with smaller or poorer connections. We don't have to worry about this here, because the low ceiling of the block size ensures that the propagation time is always short.

5.5 Reduce the extractable value of miners

In addition to increasing MR, Bitcoin users can also consider various ways to reduce MEV. A good starting point is to consider the potential sources of MEVs in the Bitcoin blockchain.

As discussed in Chapters 2 and 3, as the cost of exiting from a system decreases, the motivation for reviewing the system is also reduced. When a miner cannot distinguish between different transactions, he cannot review any individual users. Thus, the fierce space of a competing variety of cryptocurrencies, with private transactions and unlicensed exchanges between them, will make any of them individually more powerful in anti-censorship.

If users reduce the barriers to neglecting Nakamoto's consensus by adopting strategies such as USAF, they may reduce the MEV caused by certain attacks, thereby risking a reduction in the social scalability of the system. As more and more people in the Bitcoin system hold different or even opposite political views, it seems that it will become more difficult to reach a social consensus without proof of workload.

Perhaps a technical solution can be found during this time to further limit the available options for miners, thereby reducing the attractiveness of the attack. One such suggestion is to have bitcoin transactions submitted to a particular block where they become invalid outside of the block. This will make it impossible for miners to replay transactions in the reorganization, which has two distinct benefits.

1) The cost of the attack is higher because the miners cannot access previous transactions and their transaction fees.

2) Since the miners are no longer able to attack individual users in isolation, it is easier to coordinate around the suspension of the Nakamoto consensus. Now he has to choose between reorganizing many transactions or not reorganizing any transactions at all.

In addition, we can improve the automatic detection of malicious miners' behavior. Responding to an attack requires all users to understand them first. The more we monitor the state of the Bitcoin system, the harder it is for miners to escape non-consensus attacks, such as self-contained mining.

More education around the Bitcoin trust model can also help reduce the likelihood of theft. Not every transaction the user receives comes from a miner, or someone who bribes a miner, and there is a risk of being double-paid. Where possible, the use of traditional legal systems outside of Bitcoin can greatly enhance their viability in business. As long as the buyer has a legal relationship with the seller, the seller can treat it as an external commitment through the traditional legal system, thereby gaining additional confidence that the payment will not be revoked.

5.6 Strengthening miners' punishment

The low tolerance of Bitcoin users to the malicious behavior of miners is a powerful test of their behavior. When prices react more strongly to attacks, Bitcoin can provide the same level of MEV with fewer miners committed. If the price is very stable, the promise must be greater.

Again, the sensitivity of bitcoin prices to system utility is a function of system exit costs. When leaving is very cheap, it is much easier to turn around and leave, probably because Bitcoin is not the only game here, and there are competitions between many cryptocurrencies with similar guarantees. In fact, the concept of cryptocurrency is the most powerful when there are many "micro-chains" that are more fragile but allow for the exchange of flows between them. The reason is that smaller blockchains make it easier for users to leave, resulting in scorched defense against attackers. 17

6. Missing and future research

There are many ways to extend our bitcoin security model. First, you can look at the ability of miners to "not submit" from the system. So far, we have implicitly considered – if the miners bet on the price of the BTC, we can increase its MEV to reflect this. With unlimited capital, miners can fully hedge their commitments while maintaining the same level of computing power – thus having a potential MEV. Subsequent analysis can focus on the cost of hedging capital, its impact on costs and MEVs, and how the existence of complex derivatives markets can change the motivation of all participants.

Second, previous security analyses may greatly underestimate the motives of a possible power minority to respond back to an attack or immediately after an attack to defend its promised value. Because the defender effectively rolls freely, hashing at a much higher unit cost becomes profitable again, and the old hardware may rejoin the network. In addition, existing hardware can be overclocked, which will increase efficiency in the short term, but depreciate at a faster rate. Often, users and minority miners should begin to see each other as an ally against external attackers. Due to the promise of the miners, they both sat on the same boat. The dynamic relationship between attack and counterattack is worth exploring further because they can greatly increase the cost of attack.

Finally, even if a strong block space market is indeed established, Bitcoin's security model will change in many ways. These changes affect the best behavior of miners and users. For example, if the transaction fees attached to each block are very low, then the strategy of concealing blocks is attractive. The increased competition between miners will further revolve around the “rich” block, resulting in a reduction in transaction fees and a gap in block production18. We strongly encourage the organization of transaction-based systems in a different way than distribution-based systems.

Comment

1 http://hackingdistributed.com/2013/11/04/bitcoin-is-

Broken/

2 https://www.bis.org/publ/work765.htm

3 https://blockstream.com/sidechains.pdf

4 Doomsday Economics Beyond Digital Money “Workload Proof”

Https://www.bis.org/publ/work765.htm

5 Flash Boys 2.0 https://arxiv.org/pdf/1904.05234.pdf

6 Although, if the price is known to be vulnerable, the derivatives market should begin to price it and make the short selling cost higher.

7 This number represents a lower bound because the fact that all miners are collectively punished in the proof of workload creates some interesting developments. The remaining 40% of the miners who did not participate in the attack still have a huge commitment to the network and have the motivation to defend the network. However, we can only speculate on how accurate the results will be.

8 https://hackernoon.com/bitcoins-biggest-hack-in-history-184-4-ded46310d4ef

9 https://bitcoinmagazine.com/articles/bitcoin-network-

Shaken-by-blockchain-fork-1363144448

10 It may be interesting to explore the motivations of miners in our commitment model.

11 https://docs.google.com/spreadsheets/d/1b6-BtD_

sd7x5k3-nDrR-I139nINsotiMH43CAq58YOM/edit?u sp=sharing

12 https://bitcoinmagazine.com/articles/mining-2-

1403298609

13 https://www.reddit.com/r/Bitcoin/comments/281ftd/why_i_just_sold_50_of_my_bitcoins_ghashio/

14 https://www.semanticscholar.org/paper/The-Economics-

of-Bitcoin-Mining-%2C-or-Bitcoin-in-the-KrollDavey/

7bf78054192d98e999edcdf08971a5eed42518d2

15 http://www.truthcoin.info/blog/deflation-the-last-word/

16 Mike Hearn first applied the concept of mechanism design to Bitcoin

https://zh.bitcoin.it/wiki/Dominant_Assurance_Contracts

17 Concept proposed by David Vorick.

18 http://randomwalker.info/publications/mining_CCS.pdf

And https://arxiv.org/abs/1805.05288

– The End –