Cost of mining. Let’s now look at mining economics. We mentioned it’s quite expensive to operate as a miner. At the current difficulty level, finding a single block takes computing about 10^20 hashes and the block reward is about 25 Bitcoins, which is a sizable amount of money at the current exchange rate. These numbers allow for an easy calculation of whether it’s profitable for one to mine, and we can capture this decision with a simple statement:
If
    mining reward > mining cost
then miner profits
where
    mining reward = block reward + tx fees
    mining cost = hardware cost + operating costs (electricity, cooling, etc.)
Fundamentally, the mining reward that the miner gets is in terms of the block reward and transaction fees. The miner asks himself how it compares to the total expenditure, which is the hardware and electricity cost.
But there are some complications to this simple equation. The first is that, as you may have noticed, the hardware cost is a fixed cost whereas the electricity cost is a variable cost that is incurred over time. Another complication is that the reward that miners get depends upon the rate at which they find blocks, which depends on not just the power of their hardware, but on the ratio of their hash rate to the total global hash rate. A third complication is that the costs that the miner incurs are typically denominated in dollars or some other traditional currency, but their reward is denominated in bitcoin. So this equation has a hidden dependence on Bitcoin’s exchange rate at any given time. And finally, so far we’ve assumed that the miner is interested in honestly following the protocol. But the miner might choose to use some other mining strategy instead of always attempting to extend the longest valid branch. So this equation doesn’t capture all the nuances of the different strategies that the miner can employ. Actually analyzing whether it makes sense to mine is a complicated game theory problem that’s not easily answered.
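The first three complications can be put into the inequality directly. The following is an added example, not code from the original text: it treats hardware as a fixed cost, electricity as a daily cost, reward as proportional to the miner's share of the global hash rate, and converts at an exchange rate. The function names, the growth parameter and every figure in the scenario are assumptions made for illustration.

```python
# Added illustration; every figure passed in is a hypothetical input, not market data.
BLOCKS_PER_DAY = 144  # one block roughly every ten minutes

def daily_profit_usd(miner_hs, network_hs, *, block_reward_btc, fees_btc,
                     usd_per_btc, power_kw, usd_per_kwh):
    """Expected profit for one day, in dollars.

    Reward scales with the miner's share of the global hash rate and is
    converted at the exchange rate; electricity is the variable cost.
    """
    share = miner_hs / network_hs
    revenue_btc = share * BLOCKS_PER_DAY * (block_reward_btc + fees_btc)
    electricity_usd = power_kw * 24 * usd_per_kwh
    return revenue_btc * usd_per_btc - electricity_usd

def payback_days(hardware_usd, miner_hs, network_hs, daily_growth=0.0,
                 horizon_days=3650, **params):
    """Days until cumulative profit repays the fixed hardware cost.

    The global hash rate grows by `daily_growth` per day (an assumption of
    this model). Returns None if the rig starts losing money first or the
    horizon is reached.
    """
    balance = -hardware_usd
    for day in range(1, horizon_days + 1):
        profit = daily_profit_usd(miner_hs, network_hs, **params)
        if profit <= 0:
            return None  # electricity now exceeds the expected reward
        balance += profit
        if balance >= 0:
            return day
        network_hs *= 1 + daily_growth
    return None

# Constructed scenario: a 1 TH/s rig drawing 1 kW against a 144 PH/s network.
SCENARIO = dict(block_reward_btc=25, fees_btc=0, usd_per_btc=400,
                power_kw=1.0, usd_per_kwh=0.10)

if __name__ == "__main__":
    print(daily_profit_usd(1e12, 1.44e17, **SCENARIO))
    print(payback_days(750, 1e12, 1.44e17, **SCENARIO))
    print(payback_days(750, 1e12, 1.44e17, daily_growth=0.01, **SCENARIO))
```

With a static network the constructed rig repays its hardware; with the global hash rate growing one percent a day, the same rig starts losing money before it ever does.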
At this point, we’ve obtained a pretty good understanding of how Bitcoin achieves decentralization. We will now recap the high‐level points and put it all together in order to get an even better understanding.
Let’s start from identities. As we’ve learned, there are no real‐world identities required to participate in the Bitcoin protocol. Any user can create a pseudonymous key pair at any moment, any number of them. When Alice wants to pay Bob in bitcoins, the Bitcoin protocol does not specify how Alice learns Bob’s address. Given these pseudonymous key pairs as identities, transactions are basically messages that are broadcast to the Bitcoin peer‐to‐peer network that are instructions to transfer coins from one address to another.
Sidebar. Bitcoin doesn’t have fixed denominations like US dollars, and in particular, there is no special designation of “1 bitcoin.” Bitcoins are just transaction outputs, and in the current rules, they can have an arbitrary value with 8 decimal places of precision. The smallest possible value is 0.00000001 BTC (bitcoins), which is called 1 Satoshi.
The goal of the Bitcoin peer‐to‐peer network is to propagate all new transactions and new blocks to all the Bitcoin peer nodes. But the network is highly imperfect, and does a best‐effort attempt to relay this information. The security of the system doesn’t come from the perfection of the peer‐to‐peer network. Instead, the security comes from the block chain and the consensus protocol that we devoted much of this chapter to studying.
When we say that a transaction is included in the block chain, what we really mean is that the transaction has achieved numerous confirmations. There’s no fixed number to how many confirmations are necessary before we are sufficiently convinced of its inclusion, but six is a commonly‐used heuristic. The more confirmations a transaction has received, the more certain you can be that this transaction is part of the consensus chain. There will often be orphan blocks, or blocks that don’t make it into the consensus chain. There are a variety of reasons that could lead to a block being orphaned. The block may contain an invalid transaction, or a double‐spend attempt. It could also just be a result of network latency. That is, two miners may simply end up finding new blocks within just a few seconds of each other. So both of these blocks were broadcast nearly simultaneously onto the network, and one of them will inevitably be orphaned.
Finally, we looked at hash puzzles and mining. Miners are special types of nodes that decide to compete in this game of creating new blocks. They’re rewarded for their effort in terms of both newly minted bitcoins (the new‐block reward) and existing bitcoins (transaction fees), provided that other miners build upon their blocks. A subtle but crucial point: say that Alice and Bob are two different miners, and Alice has 100 times as much computing power as Bob. This does not mean that Alice will always win the race against Bob to find the next block. Instead, Alice and Bob have a probability ratio of finding the next block, in the proportion 100 to 1. In the long term, Bob will find, on average, one percent of the number of blocks that Alice finds.
We expect that miners will typically be somewhere close to the economic equilibrium in the sense that the expenditure that they incur in terms of hardware and electricity will be roughly equal to the rewards that they obtain. The reason is that if a miner is consistently making a loss, she will probably stop mining. On the other hand, if mining is very profitable given typical hardware and electricity costs, then more mining hardware would enter the network. The increased hash rate would lead to an increase in the difficulty, and each miner’s expected reward would drop.
This notion of distributed consensus permeates Bitcoin quite deeply. In a traditional currency, consensus does come into play to a certain limited extent. Specifically, there is a consensus process that determines the exchange rate of the currency. That is certainly true in Bitcoin as well: we need consensus around the value of Bitcoin. But in Bitcoin, additionally, we need consensus on the state of the ledger, which is what the block chain accomplishes. In other words, even the accounting of how many bitcoins you own is subject to consensus. When we say that Alice owns a certain amount or number of bitcoins, what we actually mean is that the Bitcoin peer‐to‐peer network, as recorded in the block chain, considers the sum total of all Alice’s addresses to own that number of bitcoins. That is the ultimate nature of truth in Bitcoin: ownership of bitcoins is nothing more than other nodes agreeing that a given party owns those bitcoins.
Finally, we need consensus about the rules of the system because occasionally, the rules of the system have to change. There are two types of changes to the rules of Bitcoin, known respectively as soft forks and hard forks. We’re going to defer this discussion of the differences to later chapters in which we will discuss them in detail.
Getting a cryptocurrency off the ground. Another subtle concept is that of bootstrapping. There is a tricky interplay between three different ideas in Bitcoin: the security of the block chain, the health of the mining ecosystem, and the value of the currency. We obviously want the block chain to be secure for Bitcoin to be a viable currency. For the block chain to be secure, an adversary must not be able to overwhelm the consensus process. This in turn means that an adversary cannot create a lot of mining nodes and take over 50 percent or more of the new block creation.
But when will that be true? A prerequisite is having a healthy mining ecosystem made up of largely honest, protocol‐following nodes. But what’s a prerequisite for that — when can we be sure that a lot of miners will put a lot of computing power into participating in this hash puzzle solving competition? Well, they’re only going to do that if the exchange rate of Bitcoin is pretty high because the rewards that they receive are denominated in Bitcoins whereas their expenditure is in dollars. So the more the value of the currency goes up, the more incentivized these miners are going to be.
But what ensures a high and stable value of the currency? That can only happen if users in general have trust in the security of the block chain. If they believe that the network could be overwhelmed at any moment by an attacker, then Bitcoin is not going to have a lot of value as a currency. So you have this interlocking interdependence between the security of the block chain, a healthy mining ecosystem and the exchange rate.
Because of the cyclical nature of this three‐way dependence, the existence of each of these is predicated on the existence of the others. When Bitcoin was first created, none of these three existed. There were no miners other than Nakamoto himself running the mining software. Bitcoin didn’t have a lot of value as a currency. And the block chain was, in fact, insecure because there was not a lot of mining going on and anybody could have easily overwhelmed this process.
There’s no simple explanation for how Bitcoin went from not having any of these properties to having all three of them. Media attention was part of the story — the more people hear about Bitcoin, the more they’re going to get interested in mining. And the more they get interested in mining, the more confidence people will have in the security of the block chain because there’s now more mining activity going on, and so forth. Incidentally, every new Altcoin that wants to succeed also has to somehow solve this problem of pulling itself up by its bootstraps.
51‐percent attack. Finally, let’s consider what would happen if consensus failed and there was in fact a 51‐percent attacker who controls 51 percent or more of the mining power in the Bitcoin network. We’ll consider a variety of possible attacks and see which ones can actually be carried out by such an attacker.
First of all, can this attacker steal coins from an existing address? As you may have guessed, the answer is no, because stealing from an existing address is not possible unless you subvert the cryptography. It’s not enough to subvert the consensus process. This is not completely obvious. Let’s say the 51 percent attacker creates an invalid block that contains an invalid transaction that represents stealing Bitcoins from an existing address that the attacker doesn’t control and transferring them to his own address. The attacker can pretend that it’s a valid transaction and keep building upon this block. The attacker can even succeed in making that the longest branch. But the other honest nodes are simply not going to accept this block with an invalid transaction and are going to keep mining based on the last valid block that they found in the network. So what will happen is that there will be what we call a fork in the chain.
Now imagine this from the point of view of the attacker trying to spend these invalid coins, and send them to some merchant Bob as payment for some goods or service. Bob is presumably running a Bitcoin node himself, and it will be an honest node. Bob’s node will reject that branch as invalid because it contains an invalid transaction. It’s invalid because the signatures didn’t check out. So Bob’s node will simply ignore the longest branch because it’s an invalid branch. And because of that, subverting consensus is not enough. You have to subvert cryptography to steal bitcoins. So we conclude that this attack is not possible for a 51 percent attacker.
We should note that all this is only a thought experiment. If there were, in fact, actual signs of a 51 percent attack, what will probably happen is that the developers will notice this and react to it. They will update the Bitcoin software, and we might expect that the rules of the system, including the peer‐to‐peer network, might change in some form to make it more difficult for this attack to succeed. But we can’t quite predict that. So we’re working in a simplified model where a 51 percent attack happens, but other than that, there are no changes or tweaks to the rules of the system.
Let’s consider another attack. Can the 51‐percent attacker suppress some transactions? Let’s say there is some user, Carol, whom the attacker really doesn’t like. The attacker knows some of Carol’s addresses, and wants to make sure that no coins belonging to any of those addresses can possibly be spent. Is that possible? Since he controls the consensus process of the block chain, the attacker can simply refuse to create any new blocks that contain transactions from one of Carol’s addresses. The attacker can further refuse to build upon blocks that contain such transactions. However, he can’t prevent these transactions from being broadcast to the peer‐to‐peer network because the network doesn’t depend on the block chain, or on consensus, and we’re assuming that the attacker doesn’t fully control the network. The attacker cannot stop the transactions from reaching the majority of nodes, so even if the attack succeeds, it will at least be apparent that the attack is happening.
Can the attacker change the block reward? That is, can the attacker start pretending that the block reward is, instead of 25 Bitcoins, say 100 Bitcoins? This is a change to the rules of the system, and because the attacker doesn’t control the copies of the Bitcoin software that all of the honest nodes are running, this is also not possible. This is similar to the reason why the attacker cannot include invalid transactions. Other nodes will simply not recognize the increase in the block reward, and the attacker will thus be unable to spend them.
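Both rejections argued above, the spend without a valid signature and the inflated block reward, follow from one rule: an honest node compares branch lengths only among branches it has itself validated. The following is an added example of that rule, not Bitcoin's code and not part of the original text; all class and function names are hypothetical, `signature_ok` stands in for real signature verification, and the three branches are constructed.

```python
from dataclasses import dataclass, field

SUBSIDY = 25  # BTC per block, the figure used in the text

@dataclass
class Tx:
    fee: int            # BTC, whole units to keep the example small
    signature_ok: bool  # stand-in for the result of real signature verification

@dataclass
class Block:
    name: str
    parent: "Block | None"
    coinbase: int = SUBSIDY
    txs: list = field(default_factory=list)

def block_is_valid(block):
    """The rules every honest node enforces itself, whoever mined the block."""
    if not all(tx.signature_ok for tx in block.txs):
        return False  # spends coins without the owner's signature
    return block.coinbase <= SUBSIDY + sum(tx.fee for tx in block.txs)

def valid_length(tip):
    """Length of the branch ending at `tip`, or None if any block is invalid."""
    length, block = 0, tip
    while block is not None:
        if not block_is_valid(block):
            return None
        length, block = length + 1, block.parent
    return length

def choose_tip(tips):
    """Longest valid branch: invalid branches are dropped before comparing."""
    scored = [(valid_length(t), t) for t in tips]
    scored = [(n, t) for n, t in scored if n is not None]
    return max(scored, key=lambda s: s[0])[1] if scored else None

def extend(parent, names, **first_block):
    """Build a constructed branch; keyword args apply to its first block only."""
    for i, name in enumerate(names):
        parent = Block(name, parent, **(first_block if i == 0 else {}))
    return parent

# Constructed branches: honest (3 blocks), theft (5), inflated reward (4).
genesis = Block("genesis", None)
honest = extend(genesis, ["h1", "h2"])
theft = extend(genesis, ["t1", "t2", "t3", "t4"],
               txs=[Tx(fee=0, signature_ok=False)])
inflate = extend(genesis, ["r1", "r2", "r3"], coinbase=100)
```

`choose_tip([theft, inflate, honest])` returns the honest tip `h2` even though both attacker branches are longer, which is the position Bob's node is in.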
Finally, can the attacker somehow destroy confidence in Bitcoin? Well, let’s imagine what would happen. If there were a variety of double‐spend attempts, situations in which nodes did not extend the longest valid branch, and other attempted attacks, then people are going to likely decide that Bitcoin is no longer acting as a decentralized ledger that they can trust. People will lose confidence in the currency, and we might expect that the exchange rate of Bitcoin will plummet. In fact, if it is known that there is a party that controls 51 percent of the hash power, then it’s possible that people will lose confidence in Bitcoin even if the attacker is not necessarily trying to launch any attacks. So it is not only possible, but in fact likely, that a 51 percent attacker of any sort will destroy confidence in the currency. Indeed, this is the main practical threat if a 51 percent attack were ever to materialize. Considering the amount of expenditure that the adversary would have to put into attacking Bitcoin and achieving a 51 percent majority, none of the other attacks that we described really make sense from a financial point of view.
Hopefully, at this point you’ve obtained a really good understanding of how decentralization is achieved in Bitcoin. You should have a good command of how identities work in Bitcoin, how transactions are propagated and validated, the role of the peer‐to‐peer network in Bitcoin, how the block chain is used to achieve consensus, and how hash puzzles and mining work. These concepts provide a solid foundation and a good launching point for understanding a lot of the more subtle details and nuances of Bitcoin.