So the last topic in this lecture about mining will be mining incentives and strategies. So what do I mean by mining strategies? I've spent most of this lecture talking about how the main challenge of being a miner is to get some good hardware, get some cheap electricity, run as fast as you can, and hope for some good luck. But it turns out there's also some interesting strategic considerations that every miner has to make before they pick which blocks to work on. So in particular, miners get to choose which transactions they want to include in a block. The default strategy is to include any transaction that includes higher than some minimum transaction fee. Miners get to decide which block they wanna mine on top of. And the default behavior there is to choose whatever the longest current chain is that's been announced. Miners have to choose how to decide between two colliding blocks when they get announced. So if two people find blocks around the same time, miners have to decide which block to extend because both will be the longest chain in history. Miners have to decide when to announce new blocks, they can choose when to find a block and wait before actually announcing it to others. So in each case, there's a default strategy, which is what most miners are currently doing because they run the default Bitcoin client. Remember it's about 90% of fully validating nodes run the default client. It's not clear what proportion of mining power that represents but it's safe to assume that it's probably a majority. So most miners are doing this default strategy. So what if you wanna change some of those decisions? Can you make more money as a miner if you implement some other strategy besides the default one? Well, it's all gonna depend on how much mining power you actually have, and we'll express that with a parameter alpha from 0 to 1 which is the proportion of all the mining capacity in the world that you actually control. 
It turns out that for some alpha, yes, you can make more money by implementing a non-default strategy. Although the analysis is still ongoing, so this is very much new, under-development stuff. So the simplest attack is a forking attack. And the idea here is to perform a double spend. So we have a valid state of the block chain here and the miner will send money to some victim Bob. So it may look as if that transaction sending money to Bob is in the valid longest chain. Now this forking miner is gonna work on an earlier block, and to do this in practice it would need to be about six blocks earlier, based on the standard number of confirmations that people usually wait before accepting that the payment is final. And then the miner will insert an alternate payment where they keep the money for themselves by transferring it to a different address. Now, at this point, that block won't be valid, since it builds on an earlier point in the block chain. It doesn't represent the longest possible chain of blocks. But if you have a majority of hash power, if alpha is greater than 0.5, eventually your alternate chain will be longer than what was previously the longest chain. And at this point, your longest chain now becomes the valid block chain. So, you've rewritten history, you've removed that payment that you made to Bob and you've now kept that money for yourself. And if your target had given you something in exchange for those bitcoins, preferably real currency or some kind of goods in the real world that they can't easily take back, then you've swindled them. And this is a way that you could profit, if you have a majority of power in the network. So like I said, this attack is certainly possible if alpha is greater than 0.5, if you have the majority of the mining power. It might be possible in practice with a little bit less, because of things like network overhead and the fact that, as one mining pool, you shouldn't be working on colliding blocks in your alternate chain. 
So sometimes people talk about a 51% attacker in Bitcoin, but it's a mistake to think that that's a magic threshold where as soon as you cross it all of a sudden you can do this attack. In reality, it's more of a gradient where the attack gets easier the further over 50% you go. As a more new arises this attack is detectable and it's possible if you're doing it in a large scale that the community would decide to reverse it by refusing to accept your alternate chain even if it was longer. So, it's not clear in practice that this would actually work. And it is also possible that doing this would completely crash the exchange rate of Bitcoin. So it might be that, once a miner started trying to do this, people lose so much confidence in the system that they would not wanna buy into it, and the amount of dollars that bitcoins were worth would go way down. In fact, if this is done on a large scale, it's possible it could destroy the currency completely by a dramatic loss of confidence. So, who would wanna do this? The conceivable scenario where people are worried about an attack like this has been referred to as a Goldfinger Attack. Named after the famous villain in the James Bond movie, of course, whose goal in the movie was to irradiate all of the gold that the U.S. government held at Fort Knox to make it valueless. So if your goal is to destroy Bitcoin, then you might be willing to do this forking attack specifically to tank the market, make bitcoins worthless, and possibly profit because you either shorted Bitcoin or because you had significant holdings in some competing currency. So, beyond that threat model, it's not clear in which scenarios we would have to worry about a large-scale forking attack. Although it's possible that the attack is easier than achieving that alpha greater than 0.5, all that hash power, by simply buying it. 
So whereas it would be really expensive to buy enough mining capacity to have more than everybody else in the world, it might be possible to just bribe the people who do control that capacity to work on behalf of you. So there's a couple of ways you could pay the bribe to them. You could try to do it out of band, you could hand them an envelope full of cash, say. You could declare yourself to be a new mining pool and run it at a loss. You could say, I'll pay out 1.01 or something that clearly wasn't sustainable, but enough to get miners to join your pool at the expense of all other pools, maybe that would push you over 50%. And there's some other subtle ways you could try to get people to work on your alternate chain, say by leaving big tips in the block chain. But the idea is that instead of actually acquiring all of the mining capacity yourself, you just pay the people who already have it to work on your fork. Now, it might be a bad idea for those miners to actually participate, because by doing so, they would be hurting the currency that they've invested so much money and mining equipment, hoping it will stay sustainable. So why would anybody be subject to such bribery? Well, it would be an incentive problem. All of the miners together have an incentive in keeping the Bitcoin currency solvent, but individual miners would have the incentive to defect and accept a bribe if they thought they could make more money in the short term. So this would be a classic tragedy of the commons from an economic perspective. Now this hasn't happened, this is pure speculation. But it's an open problem if a bribery attack like this could actually be viable. So one defense that does exist in Bitcoin against forking attacks is checkpointing. So since 2010, each version of the default Bitcoin client ships with a specific checkpoint and will refuse to accept versions of the block chain that don't date back to that version. 
And it's usually several hundred blocks before whatever the current longest chain is. So there's some questions about the implications for this in terms of how decentralized this is. Because this now means that, essentially, a central party, the developers who maintain the core Bitcoin client, are deciding something about the value of the valid block chain. But this does serve as a good practical mitigation against the risk of a deep fork in the block chain. Another type of attack that's quite interesting is a block-withholding attack. So the idea here is that you don't want to announce your blocks right away as soon as you find them. Instead, you're gonna want to try to get ahead. What do I mean by get ahead? Well, you want to do a little bit of mining and hopefully find two blocks in a row before the rest of the network finds even one. And you keep these blocks to yourself as a secret. Now why would you want to do that? What would you gain from keeping blocks secret? Well, as long as you have those two blocks that are being held secret in your back pocket, the rest of the network is going to be trying to extend what they think is the current longest block chain. And all of that effort is going to be a waste for them. So while you're ahead by two blocks, all of the mining that you're doing is essentially unopposed. And the reason is that as soon as the rest of the network actually found a valid block, they would publish it and everybody would accept it. But then immediately, boom, you can drop the two blocks that you had in reserve, and that would instantly be the new longest valid block chain. And that block that the rest of the network worked so hard to find would immediately be orphaned and cut off from the longest chain. So this approach has been called selfish mining, which I think is a little bit of a misnomer because all mining is inherently selfish. 
At least at this point, now that the hobbyist interest in mining has largely died down, mining is a business, and people are in it to try to make money. So we should say that it's all in the game for miners to do this if they think that they'll make more profit. So what happens if you're trying this block-withholding strategy and you're ahead by one when the rest of the network finds the next block? So instead of being two blocks ahead, you just have one secret block held in your back pocket, and then the rest of the network announces what they think will be the next valid block. Well, if this happens, you're gonna want to immediately push your secret block out the door. And now there's two versions of potentially the longest chain and every other miner is going to have to decide which version they wanna work on. And we're in that race condition. So you basically have to race as soon as you hear somebody else finding a valid block to get your secret block out the door and hopefully get more miners to hear about your block first. So the viability of this block-withholding approach is going to depend really heavily on your ability to win these races. So when is it a good idea to do a block-withholding attack? Well, if you assume that you can win every race, that every time there's competition for the next valid block the rest of the network is going to accept yours, then no matter what alpha, no matter how much mining capacity you have, it's better to try selfish mining. By selfish mining, I mean this block-withholding strategy that I've just described. So how would you try to win every race? Well, you could just fight really hard to have a good network position. You could try to peer with every node, so that you'll announce to more nodes ahead of the legitimate flooding algorithm. 
Or you could try bribing people, and again, you could bribe by including small tips in your block, so that it makes it more attractive for people to mine on top of you rather than the competing block. So if you assume that you only have a 50% chance of winning these races, which is about what the natural chances would be if you're competing fairly, then this block-withholding strategy is an improvement if alpha is greater than 0.25. And again, this is a theoretical attack which is very interesting, but it hasn't actually been observed yet in practice. And it should be something that you'd be able to tell by monitoring the block chain and when miners are announcing new blocks. But even though it hasn't been observed in practice, it's very surprising that this is possible. And it's contrary to the original idea of Bitcoin that without alpha over 0.5, without a majority of the network, there was no better mining strategy than the default. So the very existence of this attack shows that it's not safe to assume that a miner who doesn't control 50% of the network doesn't have anything to gain by switching to an alternate strategy. Another interesting case is if miners want to do punitive forking. So specifically, if miners want to blacklist transactions from a specific address, which would freeze the money held by that address forever, they could announce that they'll refuse to mine on any chain with a transaction originating from address X. So the reason this is an extreme strategy is that if you have less than the majority of the network, by announcing that you will refuse to mine on any chain that has a transaction from X, as soon as a chain exists that the majority of the network accepts, that has that transaction from X, then you will have cut yourself off from the longest chain forever, and all of the mining that you're doing is essentially wasted. So you could do this strategy, but very quickly you would just be mining on an orphaned fork. 
And it would be a waste of all of your time and electricity. But there's a much more clever way to do punitive forking, which is called feather-forking. And the idea here is that instead of announcing that you're going to fork forever as soon as you see a block that has a transaction from address X, you announce very publicly that you're going to fork, you're going to try to mine an alternate longest chain, if you see a block that has a transaction from address X, but you will give up after a while. Typically after one or two blocks confirm the transaction from address X, you'll go back to the longest chain. So your chance of actually pruning that block, or orphaning that block, that has the transaction from address X, if you give up after one confirmation, is alpha squared. And the reason is because you have to find two consecutive blocks to get rid of the block with the transaction from address X before the rest of the network can find the next valid block. So alpha squared might not be very good. Say you're a 20% miner, alpha squared is going to be quite low. It's going to be only a 4% chance of actually getting rid of that transaction that you don't want to see in the block chain, but you might motivate other miners to join you. Now why is that? As long as you've been very public about this, other miners know that if they include a transaction from address X, they have an alpha squared chance that the block that they find will end up being orphaned because of your feather-forking attack. And if they don't have any strong motivation to include that transaction from address X and it only has a very low transaction fee, that alpha squared chance of losing their mining reward might be a much bigger incentive than including the transaction. So those other miners might rationally say we have this person, this miner, doing feather forking. 
It's in our interest to join them, and just do the blacklist they're demanding, rather than run the risk that they'll feather fork away from the new block that we've just found. And the cool thing is that you can now enforce a blacklist, even if alpha is less than 0.5, if you have less than the majority of the mining capacity. And your success in doing this is gonna depend really heavily on how convincing you are to the other miners that you're definitely going to fork. So ideally what you would want to do is say I've burned this into hardware. I have no choice, I have to do this, so no matter what you do, I'm going to be feather forking. In which case the miners would say, well, this miner really is gonna go through with it, so maybe we should just give them what they want and do this blacklist. So why would you want to have a blacklist? Well, like I said, there's the ability to freeze money held by an individual, and if you're blacklisting successfully, you can keep them from ever spending that money. So maybe you could profit off of this by some sort of ransom or extortion, demanding that the person you're blacklisting pay you in order to be taken off of your blacklist. It also might be something that you might wanna do for legal reasons. Maybe certain addresses are designated by law enforcement as being bad, those assets are demanded to be frozen. In which case some proportion of miners, say those operating in the jurisdiction where the asset freezing has legal authority, will say, well, we really have to enforce this blacklist, we're being demanded to by the government, therefore maybe we should feather fork to try to make it happen. But a much more interesting case is if miners do this to try to enforce a minimum transaction fee. So instead of a blacklist against a specific address, you wanna blacklist against any transaction that doesn't include some minimum transaction fee that you think is fair to you as a miner for your hard work. 
So we haven't talked a lot about transaction fees in practice yet, we said that they exist and we said that there is the capacity in Bitcoin to pay transaction fees. But what are transaction fees? So this is the default policy for transaction fees taken essentially right out of the Bitcoin code. Transactions are assigned a priority, which sums over all the inputs the value of that input times how old the transaction is, how long ago that input was put on the block chain, divided by the size of the transaction. So this basically means, transactions that are larger, transactions that are spending older coins that haven't been moved in a while, and transactions that are smaller have higher priority. And by smaller, I mean smaller in size of the transaction, which means they don't have a long complicated script. So, the idea is to prioritize large transactions, people who don't move their coins very often and who do it in a simple way. Whereas if you want to move money quickly, if you want to move small amounts, or if you want to do complicated scripts, you have to pay a higher transaction fee. And currently by default, there's a magic number where miners accept with no transaction fee if the priority is higher than .576. And if you're sitting there thinking that seems pretty random, where did that number come from, I'd say you're right. It's a very arbitrary choice, but it's in the default client so that's basically what you need to pay if you wanna move Bitcoin. So, currently transaction fees don't matter that much, and the reason is that block rewards provide the vast majority, well over 99%, of all the revenue that miners are making. But keep in mind, we mentioned earlier that the size of mining rewards is going down constantly over time. So every four years it's halving. So eventually in the distant future, the mining rewards, the fixed rewards, by creating new coins are going to be much lower and transaction fees are going to be the main gain for miners. 
It's going to be where they are making all of their revenue. So it's an open question in that new world where transaction fees are everything for the miners. They really depend on transaction fees for their revenue. Are miners going to be more aggressive about enforcing minimum transaction fees, and how are they going to enforce that? Will they need to form a cartel to enforce minimum transaction fees? Is that something that market concentration provided by mining pools will make easier to happen? These are really interesting long-term open questions about how Bitcoin will evolve. So in summary, miners are free to implement any strategy that they want. Although, in practice, in the wild we've seen very little behavior of anything but implementing the default strategy. And I should stress that there's no complete model for miner behavior that says that the default strategy is optimal. We've seen that in a world where most miners do choose the default strategy, Bitcoin seems to work fairly well. So it seems to work fairly well in practice, we're not sure it works in theory yet. But even though it works in practice so far, the facts on the ground are going to change for Bitcoin. They're changing slowly because of more network hashing capacity, the miners are getting better and better, there's more centralization and professionalization of the miners. But even beyond those trends they have to change in the long run because of the transition from fixed mining rewards to transaction fees. So overall I'd say you should stay tuned to this space. Things might be about to get a lot more interesting for Bitcoin mining. And currently, it's a very interesting research topic to try to play out using what we know from game theory. How is this going to evolve in the long term? So that's all on Bitcoin mining for now. A few lectures from now we'll have another lecture about mining, but about alternative models for mining. 
How could we redesign Bitcoin mining to have different properties? But before we get to that, in the immediate next lecture we're going to look at anonymity in Bitcoin. How much anonymity does Bitcoin provide? If I use Bitcoin, will people be able to link my Bitcoin transactions to my real name? And what technologies are there to try to either strengthen anonymity in Bitcoin, or design an alternate currency with more anonymity? That's all coming your way in the next lecture.
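
An added example, not part of the lecture: a Monte Carlo simulation of the block-withholding (selfish mining) strategy described above, comparing the withholder's share of main-chain blocks with the share alpha that the default strategy earns. The parameter `gamma` (the fraction of other miners who build on the withholder's block during a race, so 1.0 is "win every race" and 0.5 is the lecture's 50% case), the event count, and the rule of releasing one block at a time when more than two blocks ahead are assumptions of this example.

```python
import random


def simulate(alpha, gamma, events=200_000, seed=1):
    """Return the withholding miner's share of main-chain blocks.

    alpha: fraction of all hash power held by the withholding miner.
    gamma: fraction of the other miners who build on the withholder's
           block when two equal-length chains race (assumed parameter).
    """
    rng = random.Random(seed)
    lead = 0      # secret blocks ahead of the public chain
    tie = False   # True while two equal-length chains are racing
    mine = 0      # withholder's blocks that end up on the main chain
    others = 0    # everyone else's blocks that end up on the main chain
    for _ in range(events):
        withholder_found = rng.random() < alpha
        if tie:
            if withholder_found:
                mine += 2          # extends own branch and wins the race
            elif rng.random() < gamma:
                mine += 1          # others extended the withholder's block
                others += 1
            else:
                others += 2        # withholder's raced block is orphaned
            tie = False
        elif withholder_found:
            lead += 1              # keep the new block secret
        elif lead == 0:
            others += 1            # nothing withheld: normal block
        elif lead == 1:
            tie, lead = True, 0    # publish the one secret block and race
        elif lead == 2:
            mine += 2              # publish both; the others' block is orphaned
            lead = 0
        else:
            mine += 1              # release one block, stay ahead
            lead -= 1
    return mine / (mine + others)


if __name__ == "__main__":
    # The default strategy earns a share equal to alpha.
    for gamma in (0.0, 0.5, 1.0):
        for alpha in (0.10, 0.20, 0.25, 0.30, 0.40):
            share = simulate(alpha, gamma)
            print(f"gamma={gamma:.1f} alpha={alpha:.2f} "
                  f"withholding={share:.3f} default={alpha:.3f}")
```

With `gamma=0.5` the withholder's share crosses alpha near 0.25, and with `gamma=1.0` it stays above alpha throughout, which is the behaviour the lecture states. The same comparison is what someone monitoring block announcements would use to judge whether a pool of a given size has an incentive to deviate.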