Bitcoin transaction security
Do we need to know who these miners are?
Bitcoin is fundamentally an economic system designed to mitigate an old problem in Computer Science, the Byzantine Generals Problem. As with most economic systems, the way the industry is organised has changed over time, and with it the analysis of how well Bitcoin achieves its goal of a resilient, censorship-resistant settlement network. The system was designed so that, without identity, we can trust that no one is able to capture or collude with the majority of the computing power in a decentralised network. As Satoshi wrote, the idea was to have one CPU, one vote. The ability to count anonymous votes is necessary to converge on a consensus about the current state of the ledger. The nice property of a blockchain is that the amount of work, or the number of computer cycles, that has gone into producing a chain is easily verifiable after the fact, and hence does not require computers to be online, enabling the network to converge on one true chain.
Miners will continue to mine blocks so long as it is profitable to do so. If the market were dependent on only commodity hardware (clearly not the case today), we would expect the market to be fiercely competitive, offering only very slim margins. The incentive to mine is predominantly the creation of new bitcoins. Currently each block is worth about $7,500. So, in our perfectly competitive commodity hardware mining market, we would expect the amount that the network expends in producing one block to be approximately $7,500. Waiting for 6 confirmations can be considered as waiting for $45,000 worth of work to be expended in extending the current main chain. If the attacker were able to capture more than $22,500 of that capacity, and produce blocks with the same efficiency as the rest of the network, they would be able to double spend with near certainty. Furthermore, if we assume that multiple double spends can be levied against different service providers, the attacker may be able to make smaller transactions that still add up to more than $22,500. In this case, the attacker would find it profitable to take over at least half the network and double spend against the merchants / service providers. This assumes that we are in an environment where it is trivial to gain a significant portion of the hashrate. In the current state of the Bitcoin network this is not impossible, but it would require access to very specialised chips, which makes it less likely.
A number of years ago, Meni Rosenfeld wrote down a model that captures the self-referencing security model in Bitcoin. Essentially the question is: what is the largest transaction size that can be considered secure, assuming the attacker is a rational agent? He assumes that an attacker can attack 5 services simultaneously and that the goods and services the attacker can make away with are as liquid as bitcoins. Assuming that the attacker cannot capture more than 10% of the network, waiting for 6 confirmations means that a transaction of 168,000 bitcoins (currently worth around $50.4 million) would be secure. This figure is impressive in the context of mitigating amateur attackers, but in the current state of the network the picture is not as rosy.
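As an added illustration (not code from the original post), the hashrate-based double-spend success probability from Rosenfeld's model referenced above, plus a merchant-side helper that turns an acceptable risk into a required confirmation count. The economic extension (five simultaneous victims, liquidity of goods) is not modelled here, and the 0.1% risk threshold and the hashrate shares in the demo are assumptions.

```python
from math import comb
from typing import Optional


def double_spend_success(n: int, q: float) -> float:
    """Probability that an attacker controlling fraction q of the hashrate
    eventually overtakes the honest chain after the victim has waited for
    n confirmations (Meni Rosenfeld's hashrate-based double-spend model).
    While the honest network finds n blocks the attacker finds k (negative
    binomial); an attacker who is n-k blocks behind catches up with
    probability (q/p)^(n-k), and one who is not behind has already won."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("hashrate share must be between 0 and 1")
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority attacker wins the race with certainty
    total = 0.0
    for k in range(n):
        # P(attacker mined k blocks) minus the part of that mass that still wins
        total += comb(k + n - 1, k) * (p**n * q**k - p**k * q**n)
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float, limit: int = 1000) -> Optional[int]:
    """Smallest number of confirmations a merchant must wait for so that an
    attacker with share q succeeds with probability at most max_risk.
    Returns None when no number of confirmations up to `limit` suffices
    (for example when q >= 0.5, where waiting never helps)."""
    for n in range(1, limit + 1):
        if double_spend_success(n, q) <= max_risk:
            return n
    return None


if __name__ == "__main__":
    # Assumed shares: the 10% attacker of the model above and a 40% pool,
    # each against the commonly quoted 6-confirmation wait.
    for q in (0.10, 0.25, 0.40):
        print(f"q={q:.2f}: P(success after 6 conf)={double_spend_success(6, q):.4%}, "
              f"confirmations for <=0.1% risk: {confirmations_needed(q, 0.001)}")
```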
Mining pools have been around in Bitcoin since 2011. In order to prove that a pool operator is operating fairly, we have seen the emergence of identity for the block creator: mining pools now sign the coinbase transaction or re-use their generation addresses. Originally this was done to keep the pool operators honest, but now people rely on this measure to estimate network centralisation. To see why centralisation is such a big issue: with one entity in control of 40% of the network's computing power, waiting 10 confirmations only gives you economic security up to 168 bitcoins (equalling $50.4 million), using the same model as before. This demonstrates that the issue is not really about a 50% attack; even pools that get close to this can produce fairly long-range attacks with high probabilities of success. Currently, the only reference that we have for who is in control of what proportion of the network hashrate is all self-reported. No mechanisms exist in the protocol to make an attack less profitable than mining honestly on the main chain. There are several protocol improvements in the works, but they introduce some trade-offs and require a broad political consensus that currently does not exist.
This approach to the security of the Bitcoin network is based only on economics, since the computer science parameters in the protocol are all fixed, i.e. the consensus algorithm and its chain selection rules. If we assume fairly naive attackers with low proportions of the network hashrate, it seems that Bitcoin provides adequate security for most transactions taking place on the network. However, the security of the Bitcoin network does not scale with the threat of centralisation, nor with the possibility of placing on it assets that are more valuable than the underlying currency units. In economic terms, the security of the chain is self-referencing: the amount of value that can be secured, in bitcoin terms, is exactly proportional to the amount of fees and block reward that the chain contains. We need to make some assumptions to decide the exact amounts, but it is clear that more work on alternative protocols and on challenges to mining centralisation is sorely needed.
We need to discuss the behaviour of Bitcoin both in terms of its efficiency (judged on its ability to transmit value at a low cost) and its resilience (the capacity of Bitcoin to survive an attack or a change in environment). I have established the criterion for efficiency: is the network transacting exactly the amount, and paying sufficient fees and block rewards, to make a rational miner follow the protocol and mine honestly? The question of resilience is mostly a computer science question, but the current economics, which create incentives for mining centralisation, have produced a difficult environment in which survival is not guaranteed.