How to Save Bitcoin

Cedric Warny
Oct 20, 2022

In a series of brilliant articles, Joe Kelly presents two possible attacks on Bitcoin: a sneak attack and a vocal attack (my terms). In the sneak attack scenario, the goal is to double spend. In the vocal attack scenario, the goal is to kill. In this post, I offer some rebuttals to each. One of Joe’s blog post series is titled “How to Kill Bitcoin” — my title is a clin d’oeil to his.

Sneak attack: Wide and shallow double spend

In the sneak attack scenario, an attacker carries out what Joe calls a “wide and shallow double spend”. The attacker starts off with a treasure chest of X bitcoins and a secret majority hash power. Over some time span T, the attacker spends his treasure chest across a bunch of transactions of various sizes. Each counterparty, only aware of their own transaction, not realizing they are a part of a larger double-spend attempt, will deliver the goods after the transaction has been buried under a relatively small number of blocks. Meanwhile, the attacker has started secretly mining blocks from the moment he initiated the spending spree. Because he has a majority of the hash power, the attacker’s chain will be ahead of the honest chain. Of course, on the attacker’s chain, every transaction made by him will be removed. At time T, when all the purchased goods are collected, the attacker announces his longer chain. This attack is wide because the double spend is spread across a multitude of transactions. It is shallow because it happens in the shortest possible amount of time.

The costs of the attack are:

  1. Capital cost: acquiring the majority hash power H
  2. Operational cost: the electricity bill over time span T (O)

The revenues of the attack are:

  1. The resale value of the hash power H’
  2. The mining rewards R accrued during the attack. Those are denominated in bitcoin, and can’t be converted to USD until after the attack.
  3. X bitcoins
  4. The goods collected

Let P and P’ be the price of Bitcoin before and after the attack respectively. The general formula for the profit therefore is:

π = H’ + P’R + P’X (the stolen bitcoins) + PX (the goods collected) - H - O

Joe then does a basic scenario analysis for the profitability of the operation. We assume here that the value of the hash power is in direct proportion to the price of Bitcoin (there is no alternative use for it).

(1) P’ = P → π = PR + 2PX - O

(2) P’ = .5P → π = .5PR + 1.5PX - .5H - O

(3) P’ = 0 → π = PX - H - O

I would add a fourth scenario where, for whatever reason, the attack fails. (For example, the attacker gets caught and brought to justice.)

(4) π = PX - H - O (while PX in scenario (3) represents the goods, here it represents the bitcoins)

Yes, the profit is the same as in scenario (3), but that’s the best case of scenario (4). In practice, the attacker may incur additional costs (e.g., criminal sanctions).

There are probabilities assigned to each of these scenarios, such that the expected payoff of an attack is some weighted sum of those payoffs.

The cost H of acquiring majority hash power depends on what kind of hardware is used: older or newer. The older the hardware, the higher O and the lower H. Typically, for old hardware, PR < O while, for new hardware, PR > O. For honest miners, it doesn’t make sense to buy old hardware because it’s an investment with negative cash flow. But maybe it makes sense for our attacker? In scenario (1), the impact of using older hardware is that π will be less than 2PX (because PR < O), but most likely by a negligible amount. In scenario (3), the impact of using older hardware is that O is higher but H is lower. And the increase in O is likely insignificant relative to the savings in H, as long as T (the duration of the attack) is short enough.

In other words, the attacker maximizes his expected payoff by:

  1. Minimizing T (to reduce O)
  2. Minimizing H (while this increases O, it’s likely better on net)
  3. Maximizing X

The one thing the attacker cannot really control is P’, or in other words the world’s reaction to the attack.

We’ve seen how to minimize H (use old hardware). But how do we minimize T and maximize X? T directly maps to “shallow” in “wide and shallow double spend”, while X maps to “wide”. Let’s recap the factors Joe mentions:

High activity: The more value is transacted on the Bitcoin blockchain, the greater X can be, because the more targets are available (or bigger targets) for the wide double spend. One way for the value of transactions to increase is via tokenization of real-world (or digital) assets on the Bitcoin blockchain. The more frequently value is transacted, the shorter T can be. Generally speaking, greater on-chain activity (large, frequent transactions) is good for the attacker. This is the main reason why the attack needs to be sneaky: a vocal attack would significantly reduce activity.

Low security budget: Bitcoin’s security budget is the expenses incurred to mine blocks over some period of time (essentially O + capital depreciation of H). The lower the security budget (O + H) relative to the value of the activity on the blockchain (X), the more profitable an attack.

High privacy: The more privacy there is in the system, the more likely the attacker is to avoid scenario (4). The more difficult it is to trace Bitcoin transactions back to a real entity, the greater the expected payoff of the attack.

Fast shipping: The attacker is collecting goods from counterparties, and those take time to ship, which increases T. The faster and more automated the settlement of transactions is, the shorter T will be. The ideal counterparties, according to Joe, are “vending machines”. By “settlement” here I mean the shipping and delivery of the goods purchased with the X bitcoins.

Hedging: We saw how H’ is perfectly correlated to P’ so that if P’ = kP then H’ = kH. This is because mining ASICs have no other use but mining bitcoins. Therefore, if you can hedge the Bitcoin price risk (P’ - P), you can recoup that significant cost item. There are two ways you can hedge: (1) short Bitcoin, (2) long Bitcoin substitutes (e.g., gold, USD). The first method is probably best, but depends on deep derivatives markets for Bitcoin. Assuming a perfect hedge, the profit in scenario (3) then becomes π = PR + 2PX - O - (cost of the hedge). For instance, in the case of shorting, the cost of the hedge would be the interest paid to whomever you borrowed bitcoins from.

Now on to the rebuttals:

Rebuttal 1: There aren’t that many vending machines

Joe’s argument relies heavily on the fiction that the attacker is trading with “vending machines”. Realistically, the trade counterparties will be less efficient than vending machines, and coordinating a bunch of trades with less-than-ideal vending machines in such a short amount of time seems difficult. This is unrelated to the counterparties’ block-confirmation policies. For the attack to be successful, the counterparties need to ship whatever goods they are selling and the goods need to be delivered to the attacker. That can take time! This is especially true if the goods are physical. If you limit your targets to non-physical goods, you are shrinking the targetable on-chain activity.

Rebuttal 2: It’ll be hard for the attacker to remain incognito

First of all, amassing enough mining power in order to carry out such an attack would be hard to achieve without outing yourself. Secondly, going back to the vending machine fiction, the most “efficient” “trades” to use as targets would be crypto exchange trades, which are likely to have low privacy. Or, knowing the possibility of such an attack, we could purposely KYC crypto exchanges. This increases the chances the attacker would be brought to justice.

Rebuttal 3: The long-term security budget problem can be solved

Although he doesn’t explain why, Joe claims the security budget is likely to shrink over time as a share of the on-chain activity (“blocks aren’t full and total miner revenue from fees is regularly in the $100s-of-thousands per day, and… there are reasons to believe it will stay that low”). I agree that this is Bitcoin’s biggest risk. But while Joe doesn’t shy away from making convenient assumptions when it suits his argument (“Bitcoin developers will add privacy features anytime soon”), he doesn’t assume that the same Bitcoin developers could come up with elegant solutions to the long-term security budget problem. In fact, there are several good proposals out there to address this issue. The one that I support is BIP300 (a proposal to bring side chains to Bitcoin) and the software already works.

Those three rebuttals should serve to increase the probability of scenario (4) (the attack fails). This might just be enough to make the payoff not worth the while, especially if at the same time the probability of P’ = 0 is high. Or you’d really need to accumulate a massive treasure chest of bitcoins (X) to balance this increased probability of scenario (4).
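To make the weighted sum concrete, here is an added example (not from the original post or from Joe's articles) that evaluates the profit formula under the four scenarios and solves for the probability of scenario (4) at which the expected payoff reaches zero. All prices, quantities and probabilities are constructed, and the function names are hypothetical.

```python
import math

def profit(P, k, X, R, H, O):
    """General formula: pi = H' + P'R + P'X + PX - H - O, with P' = kP, H' = kH."""
    P_after, H_resale = k * P, k * H  # hash power resale value tracks the price
    return H_resale + P_after * R + P_after * X + P * X - H - O

def failed_payoff(P, X, H, O, sanction=0.0):
    """Scenario (4): PX - H - O at best, less any further cost (e.g. a sanction)."""
    return P * X - H - O - sanction

def success_payoff(P, X, R, H, O, mix):
    """Weighted sum over scenarios (1)-(3); mix maps k -> probability given success."""
    if not math.isclose(sum(mix.values()), 1.0):
        raise ValueError("scenario probabilities must sum to 1")
    return sum(prob * profit(P, k, X, R, H, O) for k, prob in mix.items())

def expected_payoff(S, F, p_fail):
    """Expected payoff when the attack fails with probability p_fail."""
    return (1 - p_fail) * S + p_fail * F

def break_even_p_fail(S, F):
    """Failure probability at which the expected payoff is zero.

    Returns 0.0 if the attack loses money even when it never fails, and None
    if it is profitable even on failure (no deterrent threshold exists).
    """
    if S <= 0:
        return 0.0
    if F >= 0:
        return None
    return S / (S - F)

# Constructed inputs (USD and BTC), not taken from the article.
PARAMS = dict(P=20_000, X=5_000, R=900, H=500e6, O=20e6)
MIX = {1.0: 0.6, 0.5: 0.3, 0.0: 0.1}  # P' = P, P' = .5P, P' = 0

def demo():
    S = success_payoff(mix=MIX, **PARAMS)
    F = failed_payoff(PARAMS["P"], PARAMS["X"], PARAMS["H"], PARAMS["O"])
    return S, F, break_even_p_fail(S, F)

if __name__ == "__main__":
    S, F, p_star = demo()
    for k in MIX:
        print(f"P' = {k}P: pi = {profit(k=k, **PARAMS):,.0f}")
    print(f"payoff given success: {S:,.0f}; given failure: {F:,.0f}")
    print(f"break-even probability of scenario (4): {p_star:.1%}")
```

With these constructed inputs the break-even probability is about 9.4%: because H is large relative to PX, a modest chance of failure is enough to push the expected payoff below zero.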

Vocal attack: License to kill

This is an attack that Joe exposes over two main articles. The goal of the attack is to kill Bitcoin rather than profit from the attack. The rational actor that would do this would therefore have to be someone who would indirectly benefit from it. In particular, it would have to be someone who could control an alternative monetary system — in other words, a nation state, or a coalition of states.

Unlike the previously described attack, this one works best when it is vocal. The idea is to credibly signal the attack plan, hoping that rational actors will play out the ramifications in their head and understand that they have no chance of winning. Ideally, they give up before the battle even starts, making it costless for the attacker. In other words, the more credible the plan, the cheaper.

So what’s the plan? Three steps: (1) ban, (2) control, and (3) asphyxiate.

Ban all things crypto: The first step is to ban the following: crypto exchanges, the sale of goods for bitcoins, mining, ASIC manufacturing. Beyond disarming the enemy, banning serves an important signaling purpose.

Control a mining majority: The second step is to acquire the majority of hash power. The attacker can do so by either seizing existing mines (since it is a state actor) or building new ones over time until he reaches a majority of the hash power. (Building mines is a small investment for a state actor.)

Asphyxiate the rebels: The third step is simply to run the mines and asphyxiate rebel miners, i.e. mine blocks faster than the rebel miners for a bit, then wait for the rebel miners to mine a block. When they do, announce a couple of the blocks you have in reserve, then mine a couple of new ones to replenish your reserve, then you wait again. This steals all revenue from rebel miners. As a result, the rebel miners’ morale or funding dries up, and their hash power diminishes, slowing down block production, in turn bringing down the difficulty, making the attack cheaper.

Joe argues that, without any signaling, at current prices, the attack would cost ~$10m/day (at the time of his writing, and probably still in the same order of magnitude today) and argues this is peanuts for most governments. He fails to quantify the capital cost of the attack, though, so it’s important to keep that in mind. Not that governments couldn’t afford the capital cost (they easily could), but it just makes it that much less palatable to their electorate.

Now on to the rebuttals:

Rebuttal 1: The Bitcoin constituency is too strong

The plan laid out by Joe is extraordinarily authoritarian. Is that realistic? Most likely such an attack would not work without the backing of the wealthiest nations, which just so happen to be mostly democracies laced with liberal principles such as the separation of powers, checks and balances, etc. Essentially the government would have to first win the ideological battle before it can engage in the attack credibly. I contend that the government is unlikely to win that battle, because Bitcoin already has a large constituency. Roughly 1/5–1/4 of the US population is reported to own some bitcoin. Comparing a state attack on mines to a state attack on meth labs, as Joe does, is a strawman: it’s likely that there are way more people supportive of Bitcoin mines than of meth labs. People simply won’t vote for such a policy.

In his argument, Joe mentions the government could enlist private sector help (e.g. Lockheed Martin), but I reckon Lockheed Martin would not agree to help the government, precisely because it would be either unpopular or illiberal.

People understand the benefits of government, but they also understand its risks. Control of money gives governments immense powers, and the Bitcoin constituency will make that very clear in the ideological battle. The more threatened the government feels by Bitcoin, the more salient the power of government control of money will become to the electorate, and the more likely they are to be sympathetic to Bitcoin. Note that the electorate does not need to support “hyperbitcoinization” but merely support Bitcoin’s right to exist — a fairly low bar indeed. Its mere existence is enough of a check on government power. Yes, the anti-Bitcoin camp has many talking points (energy consumption, etc.), but they likely aren’t convincing enough to deny Bitcoin’s mere right to exist.

One may retort, if Bitcoin’s security ultimately depends on the electorate’s desire for a check on the government, couldn’t the electorate just implement that check via laws instead of the Rube Goldberg machine that is Bitcoin? The answer is no. History shows that Leviathan is hard to tame just via laws. Even a Constitution is often insufficient, as its meaning often ends up twisted by the agents of government. In many ways, the point of the Gold Standard, once considered “the ruler of rulers”, was to root a check on government in physics itself. Bitcoin is just the next iteration of such a check, now arguably rooted in math. History shows that the people, at the end of the day, understand the importance of checks on government.

Rebuttal 2: The rebellion can organize

After painting an unrealistic picture of an all-powerful state, Joe then contrasts it with hopelessly uncoordinated rebels on the other side. I contend that collective action on the part of rebels is possible. First, collective action is more likely when incentives are strong. Not only do the rebels have a clear financial stake, they are also bound by a common ideology, which is inherently solidary. Secondly, free-riding problems are often exaggerated by game theorists or self-serving bureaucrats with a God complex. History and empirics show that free-riding problems are overcome more often than we think. In particular, the work of Lin Ostrom on “governing the commons” pushes back on the notion that people are “helplessly trapped in social dilemmas”. She has choice words for the basic assumptions underlying most of game theory. Throughout her work, she presents examples of groups of people naturally evolving institutional memeplexes that are conducive to cooperation. Beyond Ostrom’s work, history is replete with evidence of public goods being voluntarily funded, from social insurance, to roads, to schooling, long before they were co-opted by the state. Joe too easily dismisses the possibility for rebels to get their shit together and mount a counterattack.

Rebuttal 3: Friedman’s Law doubles the attack cost

Friedman’s Law says that the government is twice as inefficient as the market in any kind of endeavor. We should therefore expect this to double the operational cost of the attack. Joe’s response to Friedman’s Law is outsourcing: the government can simply contract out the mining operations to Lockheed Martin. As mentioned earlier, I expect Lockheed Martin to either refuse or see its stock price crater, because it would be an unpopular move. Either way, we would recover Friedman’s Law, since the government would end up in charge of mining, be it by setting up a new government agency or by nationalizing Lockheed Martin. Even if the latter were to willingly take on the mission and remain a private company, I expect Friedman’s Law to extend to government contractors, albeit perhaps to a lesser degree.

Rebuttal 4: Rebels could out-innovate the attacker

This last rebuttal is a bit of a stretch, but here goes. Mining at a loss by a state actor is functionally equivalent to a technological innovation. As such, the attacker is in effect creating a competitive pressure, to which the rebels could respond by innovating in mining technology or energy sources. If those mining innovations are kept secret, the rebels might be able to grow out of the state’s chokehold over time, or render the chokehold more expensive. This is not totally unlike cash-based medical tourism growing despite competing against free public healthcare, or private schooling thriving despite competing against free public education.

Conclusion

In this post, I review the two main attacks against Bitcoin that Joe Kelly has thought up: a sneak attack to achieve a wide and shallow double spend, and a vocal attack by a state actor to kill Bitcoin.

I show that the success of the sneak attack heavily depends on (1) the security budget shrinking over time relative to the on-chain activity, (2) settlement with counterparties being unrealistically quick, (3) a high degree of privacy. I argue that (1) there’s a technological solution to the long-term security budget problem, (2) the counterparty closest to Joe’s ideal of a vending machine is a crypto exchange whose privacy features are likely to be regulated, and (3) anyone amassing enough hash power to carry out the attack is unlikely to remain incognito.

With regard to the vocal attack, the main thrust of my argument is that it would require liberal democracies to be a part of the attacking coalition, and that the Bitcoin constituency is too strong to let that happen. Even if liberal democracies were to take part, the concrete steps of the attack plan have strong authoritarian vibes which would negatively affect its credibility, which is a key element in Joe’s depiction of the plan. I also argue that Joe exaggerates the helplessness and lack of coordination of rebels, and underplays their resourcefulness, including their ability to respond with innovation.