How Coinbase views proof of work security

Coinbase recently changed the confirmation requirement of four different assets, including reducing Bitcoin confirmation requirement from six confirmations to three. This post describes our views concerning proof of work security that informed our decision to make these changes.

By Mark Nesbitt, Security Engineer

Introduction: Proof of Work

All cryptocurrencies define a state of ownership within the currency network. In order for a cryptocurrency to be usable, there must be a way of updating this state of ownership. In most existing cryptocurrencies, the state of ownership is defined by a canonical history of all transactions that have ever occurred, which are stored by network nodes in a data structure known as the blockchain. In order to update the state of ownership, there must be a way to add recent transactions to the transaction history stored in the blockchain.

Different cryptocurrencies add to their blockchains in different ways. In cryptocurrencies that utilize proof of work, the blockchain is extended by a process known as mining. Miners bundle newly announced transactions together into data structures called blocks, which are added to the blockchain.

A miner attempts to add a block by solving a proof of work puzzle unique to the proposed block. If the miner can find a solution to the puzzle, the miner will announce the block and its solution to the rest of the network. The rest of the network will recognize the valid proof of work solution and consider the proposed block as the most recent addition to the blockchain. Notice that there is no permission required for a miner to produce a block, a fact that allows miners to enter and leave the network at will.

In order to determine a canonical transaction history in situations where miners may produce multiple valid transaction histories (i.e., different valid blocks or even chains of valid blocks), proof of work cryptocurrencies define the blockchain with the most accumulated work as the canonical transaction history. This consensus rule introduces a fundamental property of proof of work cryptocurrencies: any actor that can outwork the rest of the network by finding more proof of work solutions can unilaterally produce a valid transaction history that the rest of the network will adopt as the canonical transaction history. (Note: this does not mean that this actor has unlimited power over the network)

This post makes two claims about the security of proof of work Cryptocurrencies.

Claim one: It is a security feature for a particular coin’s mining operations to be the dominant application of the hardware used to mine that coin.

Owners of the hardware lose the value of their investment if the primary application of the hardware loses value.

Hardware owners are incentivized to consider the long term success of the main application of their hardware. The longer the lifetime of their equipment, the more invested they become in the long-term success of the hardware’s primary application. At time of writing, Bitcoin ASICs are beginning to have significantly longer useful lifespans as efficiency increases of newer models are diminishing.

This idea is related to the Dedicated Cost Principle.

Large pools of computational power that exist outside of a coin pose a security threat to the coin

Coins at the greatest risk of 51% attack are the ones where there exists large amounts of hashpower not actively mining the coin that could begin mining and disrupt the coin’s blockchain. This is especially important to consider in light of the argument above regarding hardware owners’ incentives regarding their hardware’s application — if the owners of the hardware have other applications outside of mining where they can monetize their hardware investment, the negative consequences of disrupting a coin’s blockchain are minimal.

Algorithm changes to “brick ASICs” simply allow the massive general purpose computational resources of the entire world to mine, and potentially disrupt, a cryptocurrency at will. Coins that have implemented “ASIC-resistant” algorithms have been, empirically, very susceptible to 51% attacks for this very reason. Notable examples of ASIC-resistant coins that have been successfully 51% attacked include BTG, VTC, and XVG. To date, there is not a single case where a coin that dominates its hardware class has been subject to a 51% double spend attack.

A case study: The 51% attack on Bitcoin Gold (BTG)

In May 2018, Bitcoin Gold (BTG) was repeatedly 51% attacked, resulting in millions of dollars of double spends. In the aftermath of this attack, the BTG developers announced a change to their proof of work algorithm to Equihash-BTG:

Because Equihash-BTG is different from the existing pool of regular Equihash power, we’ll effectively be in a separate pool of power. This means BTG will dominate the hashrate on this new PoW algorithm, which is “personalized” to BTG, adding a layer of incompatibility versus other coins that will be moving to the <144,5> parameter set, such as BTCZ (we’ve been collaborating with many other coin teams in the space.)

This was a very interesting statement. The BTG developers acknowledged the importance of dominance of hashrate, however, they incorrectly concluded that it’s important to dominate the hashrate algorithm, rather than the hardware that produces the hashrate. Unless the hardware producing the hashrate is dominated by mining the coin, nothing about the hashrate is “personalized” to BTG. Miners who own generalized hardware for other currencies can change the mining algorithm at will, allowing the hardware to mine BTG with no new investment.

Claim one summary

The only way a proof-of-work coin can materially reduce the risk from 51% attacks is to be the dominant application of the hardware used to mine the asset. A coin mined on widely available general purpose hardware, such as CPUs and GPUs, lacks this major security feature.

Claim two: Manufacturing and ownership diversity will be improved with ASIC-friendly algorithms.

No algorithm is ever ASIC-proof, merely ASIC-resistant

For any particular computational problem, hardware specialized to solving specifically that problem will always be more efficient than general purpose hardware. In addition to the advantages of writing application-level logic directly into the circuitry, specialized hardware does not need to be burdened by other requirements of general purpose hardware, such as security isolation, clock interrupts, context switching, and other tasks required to support multiple applications. Thus, no proof-of-work algorithm is ever ASIC-proof, merely ASIC-resistant.

Empirically, ASIC-resistant algorithms have repeatedly failed to prevent the development of ASICs. Prominent examples include scrypt (LTC), equihash (ZEC, BTG), ethhash (ETH), and cryptonite (XMR).

ASIC-resistant algorithms raise the barrier to entry in the mining hardware market

ASIC-resistant algorithms are effective in making it more difficult to build an effective ASIC. The natural result of this is that it takes greater investment and expertise before a chip builder can produce an effective ASIC.

Thus, ASIC-resistance merely raises the barrier to entry into the ASIC market. This results in greater centralization of mining hardware manufacturing — the very situation that the selection of an ASIC-resistant algorithm is meant to avoid!

The goal, instead, should be to select an algorithm where it is cheap and easy to manufacture an ASIC. This will result in ASICs that are practically a commodity, with little expertise or IP providing a moat for ASIC manufacturers. This will result in a diversity of manufacturers, which more easily encourages diversity of owners/operators, which is more likely to result in a network with decentralized mining.

When developers choose an ASIC-resistant algorithm, they provide a competitive moat to the chip developers that will eventually build an ASIC for their algorithm.

A case study: Monero’s regularly scheduled algorithm tweaks

The Monero development team has implicitly acknowledged the fact that algorithms cannot be ASIC-proof, merely ASIC-resistant, in their strategy for pursuing a coin minable on general purpose hardware. They seem to realize that an attempt to develop a silver bullet ASIC-proof algorithm aimed to perpetually stop ASIC development will not be effective. Instead, they’ve decided to make tweaks to their proof of work algorithm on a 6 month schedule with the intention that this will disincentivize creating specialized hardware by quickly making it obsolete.

This strategy underestimates the ability of talented hardware designers to quickly incorporate functionality into a chip design. It is almost certainly possible for a highly skilled chip designer to master a development process that can incorporate whatever pattern will inevitably develop for Monero’s proof of work changes. This will force a small, tightly guarded group of Monero developers to attempt a high stakes, highly secretive game of cat and mouse to hide their algorithm plans, with huge financial incentive for any member of this group to violate this circle of trust and leak information to chip builders. The criticality of this group’s decisions and the extreme trust placed in them are not good characteristics for a permissionless world currency, and arguably creates a centralization risk more severe than the risk of miner centralization.

The limitations of this strategy are already clear, with ASICs predictably being successfully developed and deployed on the XMR network for at least 3 different versions of the mining algorithm.

Aspirations are only important insofar as they can be accomplished

The vast majority of arguments in favor of ASIC resistance are expressed aspirationally. The general goal is usually something along the lines of: “Make sure the network isn’t controlled by a small number of people.” This is a fantastic goal, and is critical in ensuring that digital currencies live up to their promise.

Practically speaking, all the good intentions in the world are completely irrelevant when actions taken due to those intentions do more harm than good. Coins that implement ASIC-resistant mining algorithms, ironically, end up with greater miner centralization and control.

Claim two summary

The only accomplishment of ASIC-resistant algorithms is to raise the cost and expertise required to create an effective ASIC. This, in turn, means that any proof-of-work coin with significant value will eventually be mined by ASICs, which will result in highly centralized mining because successful ASIC manufacturers will have a deep competitive moat.

Conclusion

Cryptocurrencies do not provide a completely egalitarian system that eliminates all power structures or advantage provided by additional resources. Cryptocurrencies do achieve a dramatic improvement over the opaque, manual, error-prone, permissioned financial system that currently exists. It is critical to zealously defend one’s principles when attempting to change the world, however, it is equally critical to not make an illusory perfect system the enemy of an achievable good system.

As digital assets mature, participants have to ask themselves if the industry is going to be secured by hobbyists running old laptops in their homes, or if it will become, like nearly every other consequential endeavor in human history, pushed forward at scale by large, self-interested groups of people investing significant resources. Every at-scale, professional industry utilizes specialized equipment — it is naive to think that cryptocurrency mining will or should be any different.


How Coinbase views proof of work security was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.