The bitcoin community continues to debate Segregated Witness, the Bitcoin Core development team’s proposed scaling solution which would separate signature data (witnesses) from transaction data. There are numerous risks with SegWit, but one in particular needs more attention: SegWit opens the door to methods of collusion and mining cartels which could undermine the bitcoin network.
Protections of the Current Bitcoin Protocol
To understand how SegWit opens this door, let’s first review how the current bitcoin protocol works. As bitcoin is designed, a large miner who has managed to gain more than 51% of the network can engage in a form of attack based on double spending an existing transaction. This works in the following manner:
“Even if a bad guy does overpower the network, it’s not like he’s instantly rich. All he can accomplish is to take back money he himself spent, like bouncing a check. To exploit it, he would have to buy something from a merchant, wait till it ships, then overpower the network and try to take his money back. I don’t think he could make as much money trying to pull a carding scheme like that as he could by generating bitcoins. With a zombie farm that big, he could generate more bitcoins than everyone else combined.”[1]
This form of attack would cost the miner revenue. Unless the miner has more than 51% of the network, any such attack would be unlikely and expensive given the cost of mining bitcoins. It would also risk the miner’s existing revenue model.
In bitcoin, a large miner can make a small gain if it manages to introduce a double-spent transaction into a block. This means that a nefarious miner can introduce a transaction that re-spends coins it has already spent, in an attempt to reverse the first payment. But there is no economic incentive whatsoever to do this for small transactions (such as transactions of less than an order of several thousand U.S. dollars).
In addition, this form of attack would only be viable with careful timing. The miner would have to implement the attack after a sale has occurred (in the above example, sale of a merchant product) and the transaction has been completed, but before the transaction is integrated into a block. Transactions of a higher (more expensive) amount are naturally the most lucrative targets for attack but they would likely be integrated into the block at a suitable depth where the time for being reversed has passed. For instance, when real property is transferred, the laws of many jurisdictions give the purchaser a right to rescind the transaction for some specified amount of time that would exceed any block height that could be reversed. Thus, the current bitcoin protocol provides economic disincentives to deter, and protections against, a double-spend attack, especially for larger transaction amounts.
SegWit Creates Incentives to Form Mining Cartels
If implemented, SegWit would change this for the worse. It opens the door to an economic incentive model that would encourage mining cartels to form. As the bitcoin network currently operates, there is no incentive for miners to form cartels. Mining pools are not cartels; they are firms. But SegWit introduces a fundamental change to bitcoin: the “AnyOneCanSpend address”, or essentially a blank signature for transactions. SegWit uses an “AnyOneCanSpend” address so that transactions will be validated and recorded into blocks, even though the sender/receiver signature data is separated. Normally, an “AnyOneCanSpend” output (as its name implies) would allow any miner to spend the funds associated with that transaction; SegWit therefore introduces new rules for interpreting “AnyOneCanSpend”. This means that miners could not take advantage of that output address to inappropriately spend the funds associated with all SegWit transactions.
But with “AnyOneCanSpend” addressing, the system is only secure while all participants agree it is secure. Proponents of SegWit assume that once its protocol change is activated, all miners will agree to play nicely, never steal funds, and funds will be locked up safely. But the major flaw in their thinking is that it ignores economic incentives for nefarious miners to do the following after SegWit activates:
- Form a cartel to take over the network
- Switch off SegWit and revert back to the current bitcoin protocol
- Take advantage of the “AnyOneCanSpend” address to instantly steal funds associated with all SegWit transactions in blocks they mined.
By using “AnyOneCanSpend” addressing, SegWit therefore opens the door to a corrupt miner mining a block to subvert transactions, and instead redirect them to the miner’s own address. The value of such an illicit attack would grow every day SegWit is used. Over time, the more people use bitcoin, the more SegWit transactions are added to the blockchain, and the more funds are locked up with SegWit aspects of bitcoin, the more valuable this form of cartel attack becomes. A defecting miner could access historical funds that have not been redirected from SegWit to a traditional bitcoin address. Hence, the longer a SegWit system runs, the more likely it is that a cartel will form to steal funds.
Under SegWit, miners are not likely to form a cartel to recover an individual double spent transaction – even if it is a large single transaction. Rather, it is the sum of all SegWit transactions (at least in blocks mined by cartel members) which provides a large enough treasure chest worth pirating. If 51% of miners that signal for SegWit secretly support cartelisation of the protocol, it is only a matter of time before transactions are stolen. This could occur in the following way:
- Miners signal SegWit.
- A group of mining pools and companies with a joint hash rate in excess of 50% of the current network power form a cartel.
- The cartel group then stops signaling SegWit and returns the network to the former bitcoin protocol.
- If a sufficient quantity of bitcoin is transacted using SegWit, the cartel would switch from SegWit to treat all transactions using the original protocol. Cartel members could then instantly use the “AnyOneCanSpend” address from SegWit to steal funds from the transactions in blocks they mined (especially any high-value block). To incentivize miners to join the cartel, the cartel could agree that each member distributes stolen funds from their attacked blocks to the whole group in some proportion (for example, in proportion to the hash rate each maintains). No one miner or mining pool would need to itself have 51% of the hash rate in order to participate.
This is one of several hundred attack scenarios which SegWit could open. Under a SegWit regime, such attacks against the bitcoin network could work because the economics of the system would be changed; rather than illicit activity being discouraged, it would be encouraged under SegWit. This seems to be the aspect of the system that is least understood by Bitcoin Core developers and other proponents of SegWit.
There have been several large individual transactions even in the early days of bitcoin. As noted above, it is not however any individual transaction that creates the major risk to the network; rather it is the overall level of transactions within any one block. As bitcoin scales, it will become more and more likely that a large high-value block will come to exist. Looking at the Visa and MasterCard transaction processing rate, it would be expected that in certain peak transaction times, the collected pool of transactions within a short time period (for example, 1 to 2 hours) could lead to scenarios where total transaction volumes exceed USD $100 billion if bitcoin scales to be the predominant form of Internet money. At such levels, even a normally honest miner could be incentivised to defect from the standard protocol.
Such negative consequences of SegWit have not been explored and publicly vetted for the bitcoin community to consider. Instead, SegWit’s proponents downplay incentives, economics and the game theory of their system, and instead allude that the cryptographic controls are what makes bitcoin secure.
Game Theory Explains Why People’s Self-Interest Often Trumps Social Cooperation
An easy way to visualize the problem is through classic game models. The present model of security within bitcoin is equivalent to a stag hunt supergame (a repeated stag hunt). Conversely, SegWit changes the model into a prisoner’s dilemma, where groups of miners form into either “honest” or defecting groups.
In game theory, the prisoner’s dilemma shows why two people may not cooperate, even when it is in their best interests to do so. Two friends or partners are accused of committing a crime and are held separately, without means to communicate with each other. Prosecutors do not have sufficient evidence to convict them of the principal charge, so they offer each of them a choice: either testify against (betray) the other, or help the other by remaining silent. The choice made by each prisoner determines, across the four possible outcomes (laid out in a four-quadrant grid), whether the prisoners go free (if they both choose to help each other by remaining silent) or get sentenced to different levels of prison time (with the worst case being that each betrays the other). More often than not, each prisoner will look out for his self-interest and betray the other – and if both prisoners do that, they each end up receiving longer prison sentences than if they had both helped each other. The game model’s lesson is that personal interest often controls people’s decision-making, even though it often leads to a worse result when all involved persons act in their self-interest. It provides an interesting model for real world situations – such as the bitcoin network – involving cooperative behaviour.
If a prisoner’s dilemma results in both parties choosing to defect (betray the other), the game again becomes a stag hunt – another game model about incentives for individual vs. social cooperation. In a stag hunt, each player can choose to hunt a stag or a hare, and must choose without knowing the other person’s choice. Hunting a stag requires both players’ cooperation to succeed. A hare only requires one player but is worth less than a stag. Cooperation to hunt the stag would thus be better for both players (just as cooperation by both prisoners to help each other leads to the best result in the prisoner’s dilemma).
When applied to the bitcoin network under SegWit, the game model will be perverted. Instead of acting in a form of positive social cooperation to benefit all bitcoin network participants, a mining cartel will wait for a large enough target before engaging in a destructive hunt. Once a block reward is discovered containing a suitably large payment provided through SegWit, either in part or in whole, the cartel acts.
At this point, a cartel with over 51% of the network hashing power switches back to the original bitcoin protocol, changing all outstanding SegWit payments as well as the last block payments to AnyOneCanSpend addresses that can be instantly redistributed to themselves. As the volume of payments into SegWit addresses increases, the incentives for miners to defect from the network also increase. In game theory, this leads to a Nash equilibrium of defection.
As bitcoin becomes more widely used under its default protocol, it becomes more and more secure and less vulnerable to attack (which is a key feature of its default protocol). SegWit alters the protocol fundamentally in a manner that is opposite to this. That is, it allows it to become more and more vulnerable over time. If (for example) in the first week of a SegWit implementation, there are $100 million worth of transactions, and in the first month $1 billion worth of transactions, the incentive to cheat is not simply from the amount in any one transaction or even in any one block, but the total outstanding within the system.
From this, it is apparent that every transaction involving SegWit and not being relayed into a standard bitcoin address slowly increases incentive to attack the system. The larger the system, the larger the incentives to defect. This is exactly the opposite of the existing protocol dynamics within bitcoin: the larger the bitcoin ecosystem and hashrate grows (using bitcoin’s original protocol), the more secure it becomes. In the early days of bitcoin, it was possible for an individual miner to plan and execute a double spend attack. But as the system has grown in power and as it continues to grow, a double spend attack becomes more and more difficult, and less and less profitable. If SegWit is implemented, the longer the system runs and the more it is used, the incentives will only grow for miners to defect and compromise the system. Thus, SegWit would produce exactly the opposite effect of the current bitcoin network when it comes to building (or in the case of SegWit, undermining) security.
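The stag hunt and prisoner’s dilemma framing above, and the claim that the equilibrium shifts toward defection as the value locked in SegWit outputs grows, can be made concrete with a small 2x2 game analyser. This is an added example, not code from the article or from nChain; the payoff parameters in `miner_game` (reward, attack cost, loss to an honest group facing an attacker, devaluation factors) are constructed assumptions chosen to illustrate the argument, not measurements of any network.

```python
# Added example (not from the article): a 2x2 "honest vs. defect" miner game
# whose temptation grows with the value locked in SegWit outputs.  Every payoff
# parameter is a constructed assumption for illustration, not a measurement.
from itertools import product

STRATS = ("C", "D")  # C = follow the agreed rules, D = join a stealing cartel

def pure_nash_equilibria(pay):
    """pay[(row, col)] = (row payoff, col payoff); returns the profiles from
    which neither player gains by changing only its own strategy."""
    eqs = []
    for a, b in product(STRATS, repeat=2):
        row_best = all(pay[(a, b)][0] >= pay[(x, b)][0] for x in STRATS)
        col_best = all(pay[(a, b)][1] >= pay[(a, y)][1] for y in STRATS)
        if row_best and col_best:
            eqs.append((a, b))
    return eqs

def classify(pay):
    """Stag hunt: (C,C) and (D,D) both equilibria, (C,C) pays more.
    Prisoner's dilemma: (D,D) the only equilibrium, yet (C,C) pays more.
    Dominant defection: (D,D) the only equilibrium and it pays at least as much."""
    eqs = set(pure_nash_equilibria(pay))
    cc_better = pay[("C", "C")][0] > pay[("D", "D")][0]
    if eqs == {("C", "C"), ("D", "D")} and cc_better:
        return "stag hunt"
    if eqs == {("D", "D")}:
        return "prisoner's dilemma" if cc_better else "dominant defection"
    return "other"

def miner_game(locked_value, share=0.5, reward=10.0, attack_cost=5.0,
               sucker_loss=5.0, devalue_one=0.2, devalue_both=0.6):
    """Two symmetric miner groups (constructed model): honest mining pays
    `reward`; a defector claims `share` of `locked_value` from 'anyone-can-
    spend' outputs in its own blocks but pays `attack_cost`; an honest group
    facing an attacker loses `sucker_loss`; one attacker devalues everyone's
    coins by `devalue_one`, a full cartel by `devalue_both`."""
    loot = share * locked_value
    honest_hit = reward * (1 - devalue_one) - sucker_loss
    lone_attacker = (reward + loot - attack_cost) * (1 - devalue_one)
    cartel_member = (reward + loot) * (1 - devalue_both)
    return {("C", "C"): (reward, reward),
            ("D", "C"): (lone_attacker, honest_hit),
            ("C", "D"): (honest_hit, lone_attacker),
            ("D", "D"): (cartel_member, cartel_member)}

if __name__ == "__main__":
    for value in (0, 10, 20, 40):  # value locked in SegWit outputs, constructed units
        print(value, classify(miner_game(value)))
```

With these constructed parameters the game is a stag hunt at zero locked value (honest mining is the payoff-dominant equilibrium), becomes a prisoner’s dilemma once the loot exceeds the attack cost, and ends in dominant defection when the locked value grows further.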
Risks from the introduction of new players
One of the key flaws in the modelling of SegWit is the assumption that existing miners who may harbour good intentions towards the protocol will remain as the key players. This assumption ignores new entrants to the system. The mere possibility of the defection strategy described above is likely, under SegWit, to attract new pool miners with illicit motives. These could be groups opposed to SegWit or those who have never mined bitcoin and seek a relatively quick profit. Such quick profit would allow them to enter the market at a discount.
The introduction of SegWit would alter the maximum known risk associated with bitcoin from a 51% attack with the ability to censor transactions or to engage in elaborate double-spending attacks, to a catastrophic risk that could completely destroy the whole ledger and all contained value. The premise that miners will not steal funds at the genesis of SegWit does not address the introduction of new players who are incentivised more and more each and every day to steal the funds that are locked into the ledger and which are growing daily. These new players and the increasing level of funds place all open areas of the ledger at risk of attack at a later date.
Initial introduction of SegWit was proposed to activate at 95% hashrate support. This was based on the presumption that once SegWit activated, new entrants or players would need to support the existing rules. The consequence is a presumption that all transactions will be safe forever. This presumption is incorrect. Mining pools and miners change periodically, just as industry players change in any other business field.
In the current bitcoin protocol, the economically fair nature of the system increases security over time. But under SegWit, governments and other state players with increased incentives to attack bitcoin will benefit. A cartel secretly formed by a hostile government poses a serious risk: it could attack and seriously damage bitcoin. Such a cartel would not require an immediate 51% control through the centralised party.
Rather, the cartel head could engage in a strategy where it boosts the weakest players. This strategy would involve finding mining pools that had been formerly profitable but, due to a downturn, technological advancements or even changes in energy pricing, are finding it difficult to compete in the existing market. Joining the cartel would give these players a methodology to profitably leave the network. A final attack that is profitable in the short term could fund the miner’s decision, knowing that ongoing competition would be difficult.
The new player running the cartel would then gain access to the existing market share and be able to buy access to the system at a depreciated price before returning to a system that does not implement SegWit. With the flaws in SegWit then removed, the new entrant could gain a competitive advantage, low cost access to the market, and at the same time, subversive control.
These scenarios of cartel attacks against the bitcoin network may seem alarmist, but they are very real possibilities lurking behind the SegWit door. Does the bitcoin community really want to open the door to this serious risk of SegWit?
Dr. Craig Wright is Chief Scientist at nChain, the global leader in research and development of innovations in blockchain technology. nChain opposes SegWit and instead supports removing the Bitcoin blockchain’s artificial block size limit (temporarily set at 1MB) to fuel increased scalability. nChain also supports on-chain scaling as the only viable method for the Bitcoin protocol to scale globally and remain decentralised. nChain also advocates for the formation of a neutral standards organisation to coordinate and manage the Bitcoin protocol and technical standards.
[1] http://www.mail-archive.com/cryptography@metzdowd.com/msg09967.html