[Cryptography] Another Bitcoin issue (maybe) (was: BitCoin bug reported)

Phillip Hallam-Baker hallam at gmail.com
Sat Feb 15 18:27:34 EST 2014

Let us assume for the sake of argument that BitCoin survives to the
no-more-mining phase.

At this point there is only an incentive to mine if the return justifies
the cost of mining, which means that miners have to be making more money in
transaction fees than they are paying in electricity, which means that
the difficulty of mining may go up or down depending on how many miners
stay in the game.

This then creates a situation where it is very likely that there is a large
amount of mining hardware sitting idle because it isn't economic to run it
for the transaction fees on offer. If only 10% of the mining rigs built are
running it becomes quite easy for a 51% attack to work because it is now
only an 11% attack.

Similar problems follow any large scale slide in the price of BitCoin. In
the short run the price of coin is set by supply and demand but in the
longer term people will buy rigs if they think they will make money (a much
weaker condition than actually making money). Once the rigs are bought they
will run if they are profitable.

So if we run a simulation based on these assumptions it is easy to put the
system into a positive feedback situation. The price of coin goes up, this
creates an incentive to mine, more rigs are bought, the difficulty of
mining goes up.

But if the price of bitcoin falls sharply we end up with something that
looks very similar to the zero lower bound problem. Once a mining rig is
bought, the capacity of the BitCoin network is permanently increased, but
the capacity is only used if it is profitable. So we can come into a
situation where a 51%-type attack becomes feasible because it is only
necessary to have 51% of the active capacity, and that becomes much easier
when there is idle capacity.

What I have never worked out is why join the blockchain to the mining at
all. As Ben Laurie points out, it is wading through treacle.

The blockchain is just an adaptation of the Surety/Haber/Stornetta scheme.
Forget the mining part for a moment; let's imagine that there are 100
independent notaries and every ten minutes they each produce an output
value that is based on local inputs plus the outputs of all the other

It is not possible for a notary to defect in such a scheme unless every
other notary also defects.

There are no 51% attacks possible; the cost of running the network is
acceptable. It is possible for someone to check if they have finality in a

The key difference would be that the transaction chain would have to be
maintained by parties that form a consortium for that purpose.

If there were going to be a PoW component then it would be that the blocks go to
whoever gets the lowest hash output in a given computation chunk and has
the hash notarized in time.
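The idle-capacity feedback loop described in the post, as an added toy simulation that is not part of the original message: rigs are permanent, they run only when their share of fee revenue covers electricity, and buyers chase the margin they currently observe. The fee amount, electricity cost, buy rate and price path are all constructed assumptions; the interesting output is how much of the built capacity an attacker needs to switch on to out-hash what is actually running.

```python
from dataclasses import dataclass

# Constructed parameters, not from the original post.
FEES_BTC_PER_STEP = 100.0    # total transaction fees paid per step, in BTC
ELECTRICITY_PER_RIG = 50.0   # USD one rig burns per step while running
BUY_RATE = 0.5               # how aggressively buyers chase an observed margin


@dataclass
class Step:
    price: float   # USD per BTC this step
    built: int     # rigs ever built (capacity never disappears)
    active: int    # rigs whose fee share covers their electricity

    @property
    def idle_fraction(self) -> float:
        return 1.0 - self.active / self.built

    @property
    def attacker_share_of_built(self) -> float:
        """Fraction of built capacity an attacker must switch on to out-hash
        the rigs actually running: just over active/built (with 10% of the
        rigs running, the post's '11% attack')."""
        return self.active / self.built


def active_rigs(built: int, price: float) -> int:
    """Largest rig count whose equal share of fee revenue covers electricity.
    Difficulty adjusts so fees are split pro rata among whatever is running."""
    revenue = FEES_BTC_PER_STEP * price
    return max(1, min(built, int(revenue // ELECTRICITY_PER_RIG)))


def simulate(prices, initial_rigs: int = 100) -> list:
    """Run the price path through the model and return one Step per period."""
    built, history = initial_rigs, []
    for price in prices:
        active = active_rigs(built, price)
        history.append(Step(price, built, active))
        # Buyers look at today's margin and ignore the dilution their own
        # rigs will cause: 'think they will make money', not 'make money'.
        margin = FEES_BTC_PER_STEP * price / active - ELECTRICITY_PER_RIG
        if margin > 0:
            built += round(BUY_RATE * built * margin / ELECTRICITY_PER_RIG)
    return history


if __name__ == "__main__":
    # Constructed price path: a bubble followed by a crash back to the start.
    for s in simulate([100, 200, 400, 800, 800, 100, 100]):
        print(f"price={s.price:6.0f} built={s.built:5d} active={s.active:5d} "
              f"idle={s.idle_fraction:4.0%} attacker needs {s.attacker_share_of_built:4.0%} of built")
```

Under these assumptions the boom leaves every rig running, so an attacker needs more than half of everything built; after the crash only the rigs the fees can pay for stay on, and an attacker who owns a small slice of the idle fleet can out-hash them.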