Recently, the organization BIS (Bank for International Settlements) posted a critique of the Proof of Work consensus algorithm for Bitcoin. While there was significant media coverage around the critique, hardly any individuals/outlets took the time to critically examine the claims made within.
The report can be found at this URL:
Analyzing Initial Critiques From the Report
While the initial critiques may seem minimal, it is these subtle nuances in language that show a slight misunderstanding of what Bitcoin is and how its primary mechanism of achieving consensus is reached.
On page 3, the report states that:
This is mostly true, but not entirely. The design of Bitcoin was built with security in mind. One must remember that the goal of Bitcoin was to serve as a digital form of cash. In order to do so, there could not be any central points of failure (i.e., a third party like a financial institution). Of course, the benefit of having a trusted party in financial transactions is that they maintain the responsibility of adjusting the accounts of all those that are interacting with their system.
“Nakamoto’s key innovation is to balance the cost and reward for updating the blockchain, by creating incentives to ensure that updates are correct.”
For example, a customer at Bank of America that is transferring money to another customer, can safely rely on Bank of America to debit their account for the amount they are trying to transfer and eventually credit the recipient customer’s account with the corresponding amount.
In this way, Bank of America fulfills their custodial duties of ensuring that the money was rightfully transferred. However, in Bitcoin, this convenience does not exist. In order to serve as a digital version of ‘cash’ that can be transferred without any ‘leader’ or ‘middle man’ balancing the ledgers, Proof of Work was designed.
Minting Coins
One of the primary purposes of mining, as incorporated into the Bitcoin protocol by Satoshi Nakamoto, was to allow for the minting of bitcoins. This was stated by Satoshi Nakamoto in one of his replies to Ray Dillinger, who was one of the initial individuals that received the Bitcoin whitepaper from Satoshi.
The key statement here is that, ‘Coins have to get initially distributed somehow’.
This is critical because many individuals only view Proof of Work in the context of verifying transactions, but few remember that Proof of Work is critical for guaranteeing that all Bitcoins have been minted legitimately.
Regardless of whether one were to initiate a double-spending attack, there is currently no attack vector known in the greater community that would allow for the arbitrary creation of bitcoins (i.e., ‘counterfeiting’) in a way that circumvents this process.
The True Genius of Proof of Work
The true genius of Proof of Work is that it cannot be circumvented. As mentioned earlier, it is possible that one can initiate a double-spending attack if they are able to leverage more computing power than all of the honest nodes/miners collectively, but they still must provide the Proof of Work.
In this way, PoW guarantees that there is a certain cost to retain the privilege of adding new blocks to the blockchain.
How Proof-of-Work in Bitcoin Deters Bad Actors
Thus, in this way, the true deterrent for bad actors in the Proof of Work consensus mechanism is implicit:
The primary motivation for committing theft (i.e., a double spending attack) on the blockchain is financial gain. However, in order to do so, the Proof of Work of at least one block must be re-done (whatever block that one wishes to ‘undo’/reverse). Since this block will be behind where the protocol is by default, the attacker must not only forego the block reward and any transaction fees associated with the block’s creation, they must also absorb the costs of mining the block.
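The cost described above can be seen on a toy hash chain. This is an added example, not code from the report or from Bitcoin itself: the block layout, the 12-bit difficulty, the function names and the sample ledger entries are all assumptions made for illustration. It shows that editing one block without redoing its work fails verification, and that a valid rewrite has to re-mine the edited block and every block after it.

```python
import hashlib

DIFFICULTY_BITS = 12                      # toy difficulty (assumption), far below Bitcoin's
TARGET = 1 << (256 - DIFFICULTY_BITS)     # a valid block hash must be below this value
GENESIS_PREV = "0" * 64

def block_hash(prev, payload, nonce):
    return hashlib.sha256(f"{prev}|{payload}|{nonce}".encode()).hexdigest()

def extend(chain, payloads):
    """Mine one block per payload on top of `chain`; return (new_chain, hashes_tried)."""
    chain = list(chain)
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    tried = 0
    for payload in payloads:
        nonce = 0
        while int(block_hash(prev, payload, nonce), 16) >= TARGET:
            nonce += 1
        tried += nonce + 1
        digest = block_hash(prev, payload, nonce)
        chain.append({"prev": prev, "payload": payload, "nonce": nonce, "hash": digest})
        prev = digest
    return chain, tried

def is_valid(chain):
    """Check every link and every proof of work from the first block onward."""
    prev = GENESIS_PREV
    for b in chain:
        h = block_hash(b["prev"], b["payload"], b["nonce"])
        if b["prev"] != prev or b["hash"] != h or int(h, 16) >= TARGET:
            return False
        prev = h
    return True

def rewrite(chain, index, new_payload):
    """Change block `index`: it and every later block must be mined again."""
    later = [b["payload"] for b in chain[index + 1:]]
    return extend(chain[:index], [new_payload] + later)

# Constructed sample ledger entries, not real transactions.
PAYLOADS = ["coinbase->alice 50", "alice->bob 5", "bob->carol 2", "carol->dave 1"]

if __name__ == "__main__":
    honest, work = extend([], PAYLOADS)
    edited = [dict(b) for b in honest]
    edited[1]["payload"] = "alice->erin 5"             # edit without redoing the work
    print("honest valid:", is_valid(honest), "| edited valid:", is_valid(edited))
    redone, cost = rewrite(honest, 1, "alice->erin 5")
    print("rewritten valid:", is_valid(redone), "| hashes tried to redo:", cost)
```

While the rewrite is being mined, the honest chain keeps growing, so the rewritten chain also has to catch up before nodes would prefer it.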
In addition, a successful double-spend attack on the protocol would more than likely lead to its rapid devaluation. Thus, the coins that were stolen in the double spending attack would more than likely be worth a fraction of what they were worth beforehand. Also, since the network possesses a public ledger, individuals would possess knowledge of the double-spending attack. The way that the Bitcoin protocol’s software is designed makes it impossible for such an attack to occur without making all participants on the protocol immediately aware.
More than likely, the result would be that Bitcoin (or at least the chain created by the attacker) would no longer be used. This would essentially undermine the attacker’s entire purpose for launching such an attack.
Monetary Reward for ‘Honest’ Mining Far Exceeds That Gleaned From Dishonesty
All of the above does not even consider the fact that a potential attacker with such resources could simply leverage said resources to successfully ‘win’ the hunt to create additional blocks on the protocol legitimately (without attempting to redo the Proof of Work). Since there is a coinbase reward given to the miner(s) responsible for discovering the next block that is accepted by the Bitcoin protocol, it would be significantly more lucrative for the would-be attacker to simply mine the protocol legitimately.
This confluence of factors and incentives, in conjunction with the fact that it would take an extraordinary aggregation of resources to successfully mount such an attack on the Bitcoin protocol, makes such an attack extremely unlikely.
Of course, it is worth mentioning that the minimal likelihood of this attack vector can be attributed entirely to Proof of Work.
Thus, the report is inaccurate in its assertion in the following sentence where it states that, “The updating process deters forgeries by imposing a cost on updating the blockchain.”
The purpose of Proof of Work was not to deter forgeries. Proof of Work made forgery impossible. One cannot ‘counterfeit’ a Bitcoin transaction. One can, however, ‘double spend’, if they are able to submit a chain to the network with the most Proof of Work.
Again, this is a very minor nuance in the wording of the BIS report, but it is worth mentioning and clarifying.
Two Questions the BIS Research Proposes (Outlining and Answering)
The two questions that the research paper asks (pg. 3) are:
A) ‘How efficient is the fundamental architecture of deterring forgeries via costly proof-of-work’
B) ‘Can the market for transactions actually generate rewards that are valuable enough to ensure that payment finality is really achieved?’
Dissecting the First ‘Limitation’ Outlined in the Paper
According to the authors:
“The first limitation is that proof-of-work axiomatically requires high transaction costs to ensure payment finality…Counterfeiters can attack bitcoin via a ‘double-spending’ strategy, ie spending in one block and later undoing this by releasing a forged blockchain in which the transactions are erased.”
The first fundamental misconception that must be addressed in this section of the paper is the fact that there is no settlement/payment finality in the Bitcoin protocol.
Analyzing Bitcoin’s Properties as a Network
There are two important characteristics of Bitcoin as a network that one must know in order to properly analyze it:
A) Bitcoin does not have settlement finality
B) Bitcoin operates via an asynchronous model
These two characteristics that are inherent in Bitcoin are purposeful and, without them, Bitcoin would not be able to operate in the fully decentralized, permissionless manner that it does currently.
Bitcoin does not have settlement finality because, as the authors of the study have mentioned, a bad actor with the appropriate resources could, in theory, submit a chain that ‘reverses’ payments that were made on the chain. While this is an attack vector, it was one that must exist in order for there to be some sort of consensus mechanism.
In fact, Satoshi mentioned this in one of his opening e-mails to Hal Finney:
There is also a wealth of research that attests to the fact that Bitcoin does not possess any definitive settlement finality due to the reasons described above.
Bitcoin’s Asynchronous Nature (PoW)
Below is a chart that shows Bitcoin’s properties (PoW) vs. Alternative Consensus Mechanism Protocols:
The asynchronous nature of Bitcoin stems from the fact that only 51% of the network must validate the block in order for it to be accepted. The other 49% could be in disagreement or ‘asynchrony’.
Flaws With the Incentive Structure as Defined by BIS
In specific, we’re going to dissect the following statement by BIS:
“If the incentives of potential attackers are analysed, it is clear that the cost of economic payment finality is extreme. For example, to achieve economic payment finality within six blocks (one hour), back of the envelope calculations suggest that mining income must amount to 8.3% of the transaction volume — a multiple of transaction fees in today’s mainstream payment services. The underlying intuition is simple: double-spending is very profitable. In fact, attackers stand to gain a much higher bitcoin income than does an honest miner. While honest miners simply collect block rewards and transaction fees, counterfeiters collect not only any block rewards and transaction fees in the forged chain, but also the amount that was double-spent, ie the value of the voided transactions.”
Below is a list of some of the information lapses and inaccuracies contained within the above statement:
1. The authors state in the first sentence that it is ‘clear the cost of economic finality is extreme’, but as described above — there is no settlement finality with Bitcoin. In fact, this property of Bitcoin is one of the reasons why it is able to function in a decentralized manner. Therefore, this sentence is both erroneous and faulty in its implicit assumption that there is economic finality of some sort.
2. The statement then goes on to assert that there are ‘back of the envelope’ calculations that yield some sort of profit percentage ratio for miners. This is perhaps the most ambiguous part of the statement above because it does not elaborate on what these ‘back of the envelope’ calculations are, what numbers/metrics are used, and certainly does not cite any individual/time that has also iterated the same calculation. In addition, the metric, ‘economic finality’, that the authors have allegedly calculated using ‘back of the envelope’ calculations, is an imaginary concept on the Bitcoin protocol. Again, there is no economic finality for Bitcoin. Therefore, any calculations in which the authors claim to have found the ‘cost’ of ‘economic finality’ must be treated as summarily false and arbitrary in nature.
3. The claim that “double-spending is very profitable” is simply false. For all of the reasons described above, ‘double-spending’ (i.e., compromising the Bitcoin blockchain by creating one that possesses a longer PoW than the ‘legitimate’ chain in existence today) is not only extremely impossible on a resource level, but extraordinarily impractical from a financial perspective. For some reason, the study fails to consider the vast opportunity cost associated with attempting to attack the Bitcoin protocol. The legal, social, and/or political consequences of such a move are not considered at all either. There are no definitive numbers or calculations given to justify such an assertion either. In fact, this is the portion of the passage where ‘back of the envelope’ calculations would have been a bit more useful, because such a claim must be quantified, or at the very least elaborated upon, in order to be taken seriously by the cryptographic community.
4. As stated in #3, the concept that “Attackers stand to gain a much higher income than honest miners” is patently false. In fact, if this were the case and one were to assume that there were rational actors mining on the Bitcoin protocol, it is reasonable to assume that it would have been attacked by now. However, as stated numerous times throughout this critical analysis piece, there are a boatload of reasons for why Bitcoin is not nearly as vulnerable as the research disingenuously suggests.
Conclusion (Note From Author)
I initially considered taking the time to dissect and analyze the entire paper/report, but most of what is written above already addresses the main claims in the paper.
With faulty premises (that have already been exposed and shelled out), the conclusion itself must be considered invalid as well.
Again, it is extremely disappointing that the crypto community at large was not able to point out the bulk of inconsistencies, flawed reasoning, and outright misinformation contained in the report. It was clearly written by someone that had zero technical knowledge of how PoW works.
A topical overview of PoW is insufficient and creating a criticism from such a perspective will always render a false conclusion.