Tuesday, June 16, 2015

Do colored coins make 51%-attacks inevitable?

UPDATE: I have updated the post by adding some points from Peter Todd at the bottom. The rest of the post remains as originally written.

I have enough posts on Bitcoin that it should be obvious that I am "pro" Bitcoin. But I am also a skeptic, and I seek out evidence of my beliefs being wrong. It's the only way to minimize mistakes in life. Unfortunately for my Bitcoin fandom, most of Bitcoin's critics either don't understand how Bitcoin works or they don't understand the current banking system well. Or both! But I have just read what I think is the most cogent and convincing critique of Bitcoin's limitations from the Clearmatics blog.

Now, Clearmatics is in the distributed ledger space, and they have a product that competes with Bitcoin. So some might dismiss their arguments as motivated reasoning. But that would be foolish. The argument, evaluated on its own merits, is quite sound.

The core insight of Clearmatics' argument is that colored coins are technically possible, but it would be a disaster to implement them at significant scale. The reason is that Bitcoin's ledger is not protected by cryptography. Bitcoin is protected by game theory, and colored coins change the rules of the game.

The Bitcoin network is maintained and verified by its miners. The miners compete against each other to verify blocks of transactions and add them to Bitcoin's block chain. Anyone can set up a miner and start broadcasting blocks though, including fraudulent blocks. To defend against this sort of fraud, Bitcoin's nodes and wallets follow the rule that whichever block chain is longer is deemed authoritative, and they ignore all other block chains. It is merely assumed that miners are too diverse to coordinate a conspiracy against the network, and thus that non-conspirators always have more aggregate computing power than any one fraudster, and thus that the non-conspirators' blockchain is always longest. Fraud is thus ignored.

This breaks down though if a fraudster ever amasses computing power equal to all other miners globally, plus 1%. If the fraudster's computing power is equal to 51% or more of the global network as a whole, then the fraudster's miners will produce blocks faster than the "honest" miners, and the rest of the bitcoin ecosystem (the nodes and wallets) will switch from the honest blockchain to the fraudulent blockchain. This is called a 51% attack.

51% attacks don't happen though, because the expense of doing so outweighs any benefit. The most recent figure I saw was that the cost of a 51% attack would be about $110 million. Since a 51% attack would destroy the value of Bitcoin itself (the only asset currently on the Bitcoin network), there really isn't a way to extract $110 million from the Bitcoin network before the fraud is discovered and the fraudulent blockchain abandoned by the nodes. Thus a 51% attack is always a money-losing proposition.

There are two scenarios where this game theory breaks down, one of which I have been aware of for some time. One fear I've had for a while is that a government will attack Bitcoin if it's ever deemed to be a threat to their national interest. A lot of Bitcoin's miners are already in China, for instance. If the government there deemed Bitcoin to be a material threat to their capital controls or financial system, it could seize the miners there and coordinate their efforts to assemble a 51% attack against the network. This is a theoretical threat though, and I'm not sure it would ever happen.

Clearmatics' point though is that as soon as you start using colored coins in any serious way, the payoffs of a 51% attack change. For instance, there are roughly 5.8 billion shares of AAPL outstanding, so if you assigned one share per Satoshi, you'd only need 58 BTC to list the entire AAPL market cap on bitcoin. And that's just one company. Global debt and equity markets have many trillions in value. You could even color Satoshis to represent large blocks of currency (say 10 million USD or EUR each) to handle daily settlements between banks.

At those prices, a $110M investment in taking control of the settlement network becomes profitable. Anyone who can track down the various miners operating the mining pools today can coordinate them into a 51% attack, transfer several billion dollars into various accounts, and then de-coordinate the miners so that the new blockchain continues forward as the "real" one.
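The two arguments above (the longest-chain rule making a 51% attacker certain to win, and the payoff flipping once colored assets are at stake) can be put into one small model. This is an added example, not code from the post or from Clearmatics; the success probability is Nakamoto's whitepaper formula, it also covers attackers below 50%, and the asset values are constructed placeholders, with only the $110M attack cost taken from the post.

```python
import math

# Constructed figures: the $110M attack cost is the figure quoted in the post;
# the asset values below are illustrative placeholders, not market data.
ATTACK_COST_USD = 110_000_000
ASSETS_AT_STAKE_USD = {
    "btc_only": 0,             # BTC itself collapses if the attack succeeds
    "aapl_on_chain": 700e9,    # hypothetical: one AAPL share per satoshi
    "bank_settlement": 50e9,   # hypothetical: 10M USD/EUR blocks settled daily
}

def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker with hashrate fraction q ever overtakes
    the honest chain after a recipient waits for z confirmations (Nakamoto's
    whitepaper formula). At q >= 0.5 the attacker catches up with certainty,
    which is the 51% case the post describes."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)          # expected attacker blocks while z honest blocks are mined
    total = 0.0
    poisson = math.exp(-lam)   # Poisson term for k = 0, updated in the loop
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total

def expected_payoff(q: float, z: int, value_at_stake: float,
                    attack_cost: float = ATTACK_COST_USD) -> float:
    """Simplified model: the attacker pays attack_cost up front and captures
    value_at_stake (the double-spent colored assets) with probability
    attacker_success(q, z). Bitcoin itself contributes nothing, since a
    successful attack destroys its value."""
    return attacker_success(q, z) * value_at_stake - attack_cost

def profitable(q: float, z: int, value_at_stake: float,
               attack_cost: float = ATTACK_COST_USD) -> bool:
    return expected_payoff(q, z, value_at_stake, attack_cost) > 0

if __name__ == "__main__":
    for name, value in ASSETS_AT_STAKE_USD.items():
        for q in (0.1, 0.3, 0.51):
            print(f"{name:16s} q={q:.2f} P(success)={attacker_success(q, 6):.4f} "
                  f"payoff=${expected_payoff(q, 6, value) / 1e6:,.0f}M "
                  f"profitable={profitable(q, 6, value)}")
```

The printed table shows what the post argues: with only BTC at stake the attack loses money at every hashrate, while with a large colored asset on the chain it becomes profitable even for an attacker well below 51%.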

Boom. Bitcoin is done for colored coins. The fact that this risk exists at all means no one should adopt it for this use case.

I'm still a fan of Bitcoin for what it is, but as long as this risk exists I don't think colored coins (at least for financial market use) are in its future. Perhaps they're still useful for things like door locks and rental cars, but only because those items are also too small (or too hard to aggregate a theft of) to make a 51% attack profitable. Nakamoto's design-goal of censorship resistance was achieved, but at the price of not being trustworthy with assets of significant value.

UPDATE: I reached out to Peter Todd via Twitter, and he was kind enough to respond to my queries. I think the strongest point he made is that if there are ever trillions of dollars of value on the Bitcoin network in the form of colored coins, that would make higher mining fees possible. Users would still be paying a small percentage of their overall assets for the secure transfer, so that's bearable, and, as Peter put it, 1% of several trillion would pay for a lot of mining security.

On the other hand, in order to get higher fees, the maximum block size has to remain small. Users compete for access to block confirmations by paying fees to the miners. If blocks are too large though, there's no competition to get into them, and users can get away with paying a small fee or no fee at all. In the future as the mining reward of new Bitcoins becomes smaller over time, only miner fees would pay for mining operations. Those fees would have to be pretty high to pay for a secure network. Thus getting to trillions in value exchange is a more-or-less necessity for Bitcoin to be a viable and secure network over the long term.

I don't envy the careful balancing act the core developers must navigate to get there.
