Transcription of Episode 126 – Make it Costly to be Big

Participants:

Adam B. Levine (A.L.) – Host

Sam Lee (S.L.) - CEO of BitcoinsReserve

Emin Gün Sirer (E.G.S.) - HackingDistributed.com; referred to by A.B.L. as simply “Gün”

Ittay Eyal (I.E.) - HackingDistributed.com

Steven Levine (St.L.) - CFO of Let's Talk Bitcoin, appears in ad segment at 25:42

Adam B. Levine: Today is the twelfth of July 2014, and this is episode 126. This program is intended for informational and educational purposes only. Cryptocurrency is a new field of study. Consult your local futurist, lawyer and investment advisor before making any decisions whatsoever for yourself.

Welcome to Let's Talk Bitcoin, a twice-weekly show about the ideas, people and projects building the digital economy and the future of money. My name is Adam B. Levine, and today we're pleased to bring you part two of our 51% solution series. On today's episode, I speak with Ittay and Gün from HackingDistributed.com about the problem of pools and their proposed solution – two-factor mining. Basically, instead of just requiring miners to trust the pool, the pools would also need to trust the miners in this scheme, and so large pools become very risky, and thus not feasible. It's a fascinating idea, and it even sounds workable. Check it out.

But first, there's a real, timely concern in the Bitcoin community right now. If you use Gmail, please make sure you're using a strong password and have antivirus software on your computer. You might find a password manager like LastPass or PasswordSafe to be very useful – I know I have. On this note, we'll kick things off with a segment courtesy of the still-in-production documentary The End of Money. Security is an issue, even when hacking isn't in the mix. This is Sam Lee, on his recent experience.

Sam Lee: Hi, I'm Sam Lee, CEO of BitcoinsReserve, and we operate the world's first, and leading, cryptocurrency arbitrage fund. Arbitrage – if you look on Wikipedia – is a risk-free trade. Essentially, what it is is where you buy low and sell high simultaneously across multiple exchanges. Now, as you know, the price of bitcoins are currently very different from market-to-market, and us, as a market-maker, our job is to bring liquidity and to flatten out prices. BitcoinsReserve also does large volume over-the-counter trading; that means when the Silk Road bitcoin auction was hosted by the American marshall service, we saw this as a great opportunity to acquire some large volume bitcoins for our institutional investors. As a result of us bidding on the bitcoins, the marshalls had us on their list, which then leaked to the public, accidentally. This gave the hackers a clearly identifiable list to target, and we were unfortunately the victim of a very creative and amazing social engineering attack. The

hackers then pretended to be a journalist and requested an interview from me. I agreed, and they then shared with me a document which seems to be via the Google Docs suite. So I accepted the document, and it said that the document was unavailable – that I didn't have permission to access. After some more fiddling, they were then able to export out all my passwords on the Chrome browser that I have autosaved in plain text. So not only did they have access to one or two email addresses, but they had everything that I have saved on my Chrome browser. The result of which was them being able to reset my domain registar's password, get into the BitcoinsReserve email hosting, and then access all the staff's email addresses at BitcoinsReserve. Through that, they still weren't able to get any bitcoins, after having full access to all our emails, but they were then able to take the next step in putting together some creative social engineering, which resulted in them convincing one of our staff members to send one hundred bitcoins straight to their address. So that's our story, but I just want to highlight that this is a weakness in our internal processing procedures. It has nothing to do with weaknesses in Bitcoin, because, frankly, Bitcoin, so far, has none.

A.L.: Today on Let's Talk Bitcoin, we're joined by Ittay and Gün, two researchers who have been thinking a lot about mining in the recent past. How are you guys doing?

I.E.: Really good!

E.G.S.: Great, Adam, how are you?

A.L.: I'm good. Did I describe you well? Are you researchers? Can you tell us a little bit about the work that you do? Because I found you through your website, or through Gün's website, HackingDistributed.com, which is a really fascinating thing that I just stumbled upon. Can you tell me a little bit about yourselves?

E.G.S.: This is Gün here and I'm a computer science professor at Cornell University. My background is that I'm actually an operating systems person, so every ten years I build a research operating system, and in between I do distributed systems. Most recently, my interests have been focussed on self-organising peer-to-peer systems. Back around 2004, I worked on a system called Karma, which was a virtual currency system which really got me excited about any kind of distributed system that keeps track of currencies, that keeps track of money, that keeps track of economics, and provides incentives to their participants. So, that's my background coming into this, and when I saw Bitcoin, I was supremely excited because it's really had some really cool technical ideas in it, and it seems to have a very strong community supporting it, and as we have seen, it's actually flourished over the last five years that it's been out. So that's my background.

I.E.: I'm a post-doctor[al student] in Cornell. I arrived here about a year ago. My main research interests are distributed computing and theory and storage systems and the like, and distributed sensor networks. I stumbled into Bitcoin, actually, by coincidence; a friend introduced it to me, and I starte reading, and thoguht “that's a cool concept”, but it was a little difficult to get to grips with how exactly it works. I started to get into it and found some very interesting research questions which led to my current work in this area.

A.L.: I'm curious – how long have both of you been looking at Bitcoin as something more than just a novelty?

E.G.S.: Well, I would say we started looking into it around August or so, last August or so, so it's been about a year or so -

I.E.: - yeah, even a bit earlier for me, I think. About two years, I would say.

A.L.: So, the backdrop for the conversation that we're having today is one of confusion and concern about the future of Bitcoin and things that really rely on mining as a way to generate distributed consensus, which is what – ultimately – mining is doing; it's keeping track of that global ledger that we all like to talk about. But there have been some concerns, notably, about – in a consensus reality, if most of the consenus thinks that the consensus should be different than what it is now, that means that the consensus can change; and so that creates this weird problem where Bitcoin is this thing where everybody has control of all of their assets and all of their keys and all of these other things, but the transaction processing might actually go in a different way, where that's not under the control of the broad community at large, and, in fact, is operating for the benefit of few to the exclusion of many. So, can you talk about that problem that we're faced with?

E.G.S.: Sure, let's see. So, let's actually, first, start out by describing what our philosophical position is. We don't believe that there should be any reasons to be fearful or uncertain about the future of Bitcoin. But there is reason to be concerned about the dynamics of the system, because as we've seen, there are a couple of protocol evolutions that stay in front of us right now. One of them is the emergence of majority miners, so we have Ghash with a fairly high percentage of the total mining power, and that gives them a whole lot of abilities that they did not have before. So that's, indeed, a cause for concern – not panic – but certainly cause for concern. It is time, we believe, for the community to be attuned to these problems, what could be coming down the pipe once we have majority mining, and what our reaction ought to be so we can keep these people in check.

I.E.: I would like to add that, before we get to this issue of majority mining, the key contribution, I think, of the Bitcoin technique - of the concept of Bitcoin – is its ability to keep this trust going, despite the fact that there are many, many players that are participating in the Bitcoin game. So I may be a very small trader in Bitcoin, but there are other, larger traders and mining groups of different sizes. The main contribution of Bitcoin is that it got the incentives mostly right, so that small – even very small – participants can trust that they'll get their fair share in the game, and the others are not able to block them, or change or revoke the rights in any way. And this held true for a long time until the problem that we're facing now, the problem of majority mining.

A.L.: From where I sit, the problem has arisen because there isn't a way to – because you can apply efficiencies to this system, where essentially it is better to do it in large groups than in smaller groups, just from kind of a – taking morality, taking whatever sort of belief structure out of it, just looking at it in terms of absolutes – it is better to have a larger percentage of a smaller payoff than it is to have a much smaller percentage of a potentially larger payoff that you'll probably never receive.

E.G.S.: indeed, there are efficiencies to be had from mining, and perhaps mining at large scale, but from the perspective of an individual, there are only a couple of markers along the way that matter. If you are a lone person mining at home, it matters very much that you join a pool, because that's the way you reduce your variance, but the difference between a 5% pool and a 10% pool versus a 49% pool are pretty small. Beyond 49%, you're actually hurting the system, so any miner that joins a large pool that is actually the majority miner is doing a terrible [disservice] to the entire Bitcoin ecosystem,

and that's the kind of thing we would ideally like to see not done, and unfortunately, at the moment, there really are no mechanisms in place, no safeguards in the protocol, that will dissuade people from joining a majority pool.

A.L.: So, if we agree that that's the problem, how do you solve that? Because again, we're five years into Bitcoin. I think the first time we approached 49% with one was over a year ago, so it's not like this is an out-of-the-blue, completely new, thing. How do we solve this?

I.E.: Yeah, the warning signs are all out there. There are some minor incentives that lead people, like advertising and stuff like that, that lead miners to join these very large pools.

E.G.S.: So, before we say anything, I think it starts by acknowledging reality. We just lived through what many people, until recently, considered a terrible scenario, which is the emergence of a majority miner for Bitcoin. The very first fix, as any psychologist will tell you, is to call out the problem, enunciate it, come to grips with it, acknowledge the fact that it's happening. There were a lot of people who were arguing that no miner in their right mind would go over 50%, because that would be such a disastrous scenario for Bitcoin that they would never want to do that, because that would kill their investment [inaudible] reasoning. Well, it just happened. So, the very first thing to say is “well, this thing that many people predicted would never happen just did. And why did this happen?” Well, there are a lot of reason, and the main reason, I think, is because there are no safeguards against it. First we acknowledge that it just did happen, and the second thing is, “well, OK, so now what do we do from here? How do we push back on this?” So, moving on from there, it's a little more complicated. I think the main message, or the main –

I.E.: Perhaps we should start with what's happening right now to prevent this. Right now, the only means of preventing huge mining are social, so we get messages to the miners out there from people, from Gavin Andreasson, and Bitcoin... talk to everybody who really know about mining. Don't join the largest pools. Go join smaller pools – it's gonna work just as well for you. I think that in recent months we've seen this kind of social pressure does not work. There should be actual incentives not to form these huge pools. Economical incentives, I mean.

A.L.: OK, so how do we go from here to there? If the current system incentivises this, and nobody wants to change the system in a way that fundamentally changes everything – because any sort of radical change is hard – you guys have an interesting proposal.

E.G.S.: We do indeed, and we're not the only ones with an interesting proposal – there have been other ones as well. But I think that the main take-away that any listener should take away from this is that there needs to be more research, more thought, around the whole topic of “how do we align the incentives of the miners with the incentives of the community”? At the moment, they're not exactly aligned, and the emergence of majority miners showed us that, well, there is indeed a genuine issue here. So our proposal is something called Two Phase Proof of-Work. It's a fairly straightforward idea, and I'm happy to describe it in a bit more detail if you like, but there are other ideas out there, and I think if anybody's gonna take away any message from this discussion, I think it ought to be that there needs to be more thought and more attention paid to these miner incentive issues. But we can talk about Two Phase Proof of Work, because it is a cool idea that is imminently doable, and in fact it's a very very elegant idea because it gives you a knob that allows you to accommodate the world as it is right now, and then you can turn that knob to cut off the largest of the pools.

A.L.: You're saying that there are other options out there – this interview is appearing on an episode that has a couple of different people talking about different ideas for this. The question that I have, and again, the question that we always have at Let's Talk Bitcoin is “do you think that this is the right idea?” Do you think that this is an idea that can actually solve the problem, because you're the one that's been spending time thinking about it. I'd love to get more into detail on what a Two Phase Proof of Work would actually look like in the system.

I.E.: Absolutely. We do believe that Two Phase Proof of Work allows the system to accommodate a continuum of potential solutions, and for the community to have very fine-grain control over the work distribution between participants in the pool and the pool operators, and that's what makes it unique. So, perhaps we should describe how this whole system works.

E.G.S.: I wanna give a couple of words of background that led to this Two Phase Proof of Work idea. An important point here is that we want to keep the mining industry a part of Bitcoin, existing mining technology – keep it a part of the system. Bitcoin never suffered from actual denial of service or a real severe attack against it. Perhaps the chief reason is that this huge, huge mining industry – I mean, they're developing specialised hardware to do mining, and there are huge companies doing mining – but this means that any attacker coming from the outside and trying to hack Bitcoin has to overcome these huge powers. If we do want to switch the Proof of Work, we need to do this in a very gentle way that doesn't immediately lose our existing advances and keeps the system secure against attackers.

I.E.: Indeed, if we were to do something too drastic, something that completely changes the way that mining is performed, then we might very well find ourselves back at ground zero – essentially back in the days of the genesis block, having just killed off the entire mining industry. That would be a terrible mistake. The nice thing about Two Phase Proof of Work is it retains backwards compatibility and it retains the mining investment by the mining community.

A.L.: So, this compares against what we have now, which is One Phase Proof of Work. Can you talk about how the system that you guys are proposing contrasts with what we have now, and how it can actually address the problem?

E.G.S.: Let me give a couple of words of explanation about how it works. So, Two Phase Proof of Work; the first phase is really the existing Bitcoin proof of work. That's the first phase. After a miner created a block, by demonstrating their proof of work, they get a reward sent to a Bitcoin address. Now, with Two Phase Proof of Work, in the second phase, the work done in the second phase requires the miner to know the secret of that address. So a miner that works for a pool is able to get the money that the pool earns when it creates a block. This means that the pool needs to trust that miner before giving it work to do.

I.E.: Right, as I explained, the core idea here is to change the way the mining is done so that the pool operator now has to now trust the participants in the pool, and that since it's going to be infeasible for, say, a majority pools to trust the majority of its public participants, this really clamps down on how big pools can grow. To be a little bit more precise: the way the mining was done before, it involved the solution of the crypto-puzzle, a single crypto-puzzle, and whoever came up with it would give that solution to the pool operator; the pool operator would earn the rewards and distribute them. So that's fine and dandy and so forth, but it's unfortunately not sufficient. The way Two Phase

Proof of Work works is that there's a second crypto-puzzle, so you can distribute the initial phase of work just like we did before – the first phase is identical to what we have. So what miners do is they come up with potential solutions, what we call half-solutions, and whether or not a half-solution is a good solution, a complete solution, is something that can only be checked if you possess the private key that controls the payment address. So that is something that has to be done, either by the pool operator or by someone who the pool operator trusts with his private key. That means that it's a difficult process; it's just as hard a crypto-puzzle as the first phase. A mining pool operator who had to distribute and shard the work of coming up with the first-phase solution has to, probably, to be able to afford a 51% pool, has to – unfortunately for him – also distribute the second phase, and that is something that he's going to find very difficult. There are two parameters that guide how the Two Phase Proof of Work idea works. There's the first parameter, the difficulty of the first crypto-puzzle, and then there's a second parameter which governs the difficulty of the second crypto-puzzle. So by adjusting those parameters, we can shift the amount of work that the miner participants have to do, the pool participants have to do, versus the amount of work that the pool operator has to do. If we were to adjust them so that the first phase is hard and the second phase is trivial, then we have exactly what we have now; the first phase can be farmed out, the second phase is done by a single operator and we can accommodate the world as it is without any changes. So our soluton just degenerates into the current world just by picking two parameters the right way.

E.G.S.: And this is how we suggest you start if the community decides to accept the solution: the first thing would be to decide on some start point – let's say two months from now – and then this start point will move to the Two Phase solution, but tune it so that actually it only requires the first phase, so the transition is completely smooth – at first, there is absolutely no difference in anything.

I.E.: And then, the second phase – what the second phase difficulty does is it actually requires the pool operator to bring in more resources. If we were to adjust that difficulty just right, what we can do is make it really difficult for the pool operator to grow to really large sizes, but also – at the same time – enable small amounts of pooling. It should still be possible for the home miner to get into a pool of 1%, 2%, 5% perhaps, and for a pool operator to have, say, 5% of the total hashing power, because of his own computational resources that he can buy and so forth with reasonable resources, and that will be sufficient to check the second, and come up with the second crypto-puzzle. But the difficulty to scale beyond the 5% level. So it's eminently doable to select those difficulty levels so that the iterations are set just right, and pools beyond certain sizes are unfeasible.

(Intermission music)

A.L.: Today's episode, in addition to our LTBCoin sponsors, is brought to you by KryptoKit. KryptoKit is a web wallet that installs right in your Chrome browser, so it's always there when you need it. It has a built in encrypted email client, using PGP as well as being a wallet, lets you control your private keys as a brainwallet and generally is free and awesome. That's Krypto with a K, K-R-Y-P-T-O-K-I-T dot com.

The high number on episode 126 is 32,542 LTBCoin for Brawker.com. Brawker's tagline is “order anything with bitcoins and save up to 20% anywhere online”. It works like this: I want to buy a hat from an online store. They don't accept bitcoin, but I wanna spend bitcoin. This is a problem I could resolve by emailing them, explaining the merits of Bitcoin, trying to convince them to change their procedures for my one order... and that might be noble, and it might even work, but it might not work, and maybe I don't wanna change the world; maybe I just want the hat. On the other hand, Bob

is trying to buy bitcoins, and is having a bit of a frustrating experience. No PayPal credit cards? Is this the stone age or something> Brawker.com is a market that connects guys like me, who wanna spend bitcoins, with guys like Bob, who wanna buy bitcoin. Bob buys the hat, it's shipped to my address with his credit card, and I pay him the bitcoin. The discount comes into play because buying bitcoins with a credit card, as mentioned, is pretty much impossible through most services, and so people who wanna spend bitcoins through Brawker select their desired discount and wait for someone to decide that those are the bitcoins they wanna buy. You can check this out and learn more at Brawker.com. These are cool services.

With a high bid of 28,442 LTBCoins, today's silver sponsor is CoinMarketCap.com. What is it? Think “cryptocoin leaderboards”. With hundreds, if not thousands, of altcoins out there, deciding which ones get your time and attention has become a big problem. CoinMarketCap.com gives you various ways to sort, and an easy one-click path to learning more about your coin of choosing. Here at LTB we're big fans of good tools. I caught up with Steve, our long-time CFO. Tell me, what do you think about CoinMarketCap.com?

St.L.: I think CoinMarketCap.com is nice. It shows all the information I'm looking for when I get up in the morning, see how all the coins are doing and what the market caps are. It's very organised and sortable, and I like it.

A.L.: Do you use any other sites for this sort of research?

St.L.: No, currently, that's pretty much the one that I use.

A.L.: So, thanks for participating. If you'd like to learn more about Let's Talk Bitcoin, or sponsor the Let's Talk Bitcoin show yourself, you can visit LetsTalkBitcoin.com and look for the LTBCoin rewards programme up at the top. Back to the show.

(Intermission ends)

A.L.: What impact would this have on a normal miner who has, say, two or three machines at their house, or something like that – or a couple of ASICs – how would this affect them? Would the still wanna participate? Where would the incentives say that they should be?

I.E.: Great question. It wouldn't impact them much at all. So, those people at the moment [who] are drawn to really large pools; they will find that really large pools are not being operated; that pools are not growing to those sizes. They will end up joining a smaller pool, and they will see their variance drop drastically from what it would be if they were to operate alone. And they would have the benefits of a low variance without the danger of a really large pool.

A.L.: OK, so what does this do to the Bitcoin network's security as a whole? Does it have any impact, either positive or negative, outside of the 51% attack (which is not as viable in this because it's harder to get to 51%)?

E.G.S.: Not particularly. Bitcoin relies on a proof of work, but it doesn't really matter what the proof of work is as long as it abides to certain guiding rules. There are plenty of other virtual cryptocurrencies out there that use different proofs of work, and they all work fine. The specific proof of work used is not significant for the security.

I.E.: Right, yeah. For the security of the network is completely orthogonal from the proof of work algorithm used.

A.L.: Sounds to me like what you're essentially doing with this, more importantly than any of the other things, is you are raising the barrier to entry – not raising the barrier to entry – you're raising the barrier to have a lot of people involved, because the pool needs to trust all of those individual people as it becomes more difficult to do this second layer, right? In the beginning, if the second layer is super easy then it doesn't really matter, but as that second layer gets harder, the burden doesn't increase on the individual – it increases on the pool, because the pool is the group that has to then trust the spending key – spending authority – for at least some segment. One assumes that each user wouldn't be getting their own private key from the pool – although, could something like that happen? Could a pool just sort of morph around this concept and issue a different private key for each person, or does that destroy the efficiencies that they have gained by not doing that?

I.E.: First of all, your description was absolutely spot-on perfect. In answer to your question, we are not aware of a way to gain this Two Phase Proof of Work. Undoubtedly, with any protocol, there could always be some sort of a corner case and so forth, but we are not aware of what the pool operator would do. If they were to give you a specific private key – if they were to give each individual participant a specific private key – it wouldn't really solve the problem at all. The person in possession of that key who comes up with a solution will be able to steal the rewards just as well. The way the key is managed would not actually change anything.

E.G.S.: Yeah, yeah, exactly.

A.L.: So, literally, just – each individual then becomes a potential risk point. So therefore, from a risk management standpoint, it makes sense to have the highest quality, lowest risk that you can get onboard your side, right?

I.E.: Yes, absolutely.

A.L.: Interesting. OK, so, what does this do to pools? There are certainly pool operators out there – I overheard a conversation with Josh Zerlin talking about the fork last year that happened, and how the only reason it was resolved as quickly and cleanly as it was is because there were only fourteen people in the world that needed to be alerted to it, and they all knew each other's phone numbers. So, I mean, is this a good thing or a bad thing, to have that type –

E.G.S.: Huge pools, I think, are definitely not a good way for Bitcoin. The reason for the problem, I think, in the first place, was that there were so few pools that basically controlled the network. We have the technology to basically reach all the miners out there with a single tweet, right? If a bug is found in the protocol that causes this sort of fork, then it's pretty simple to notify all the miners in the world that they should upgrade their versions or whatever is necessary. Two large pools is like having your money in, let's say, a bank, and having some board of directors decide what's going to happen with the policies of the bank, and allowing this board of directors to decide to do anything they want with your money, only there is absolutely no transparency or anything because it's just miners who joined that were not chosen or anything like that.

A.L.: A change like this, any change that impacts the proof of work – unless I'm mistaken – has to be okayed by the miners – they have to actually be the ones that upgrade to it.

E.G.S.: This is yet another reason to do this two phase thing. Because, right now, if the miners agreed – mining equipment dies very q uickly. A few months after a person starts mining, their mining equipment is worth a fraction of what it was worth when they bought it. [The] mining difficulty grows exponentially very quickly, and so mining equipment becomes irrelevant, fast. This is the reason we want to introduce this Two Phase Proof of Work and gradually change from the current mining, from the current proof of work, to the new proof of work. This would enable the existing miners to adapt, like everyone else, so their current mining equipment is going to be irrelevant in six months, either way; if you introduce Two Phase Proof of Work, or if you don't. But if you do, then in six months, the system is going to be safer. So, I believe that we can get the mining industry onboard on this. I think that like us, they have the best interests in the system at large. I wanted to say that the mining industry is also interested in the health of the Bitcoin ecosystem as well, and I think that they will also be happy with improving the safety of the system, specifically where it doesn't hurt their business.

I.E.: I think it's critical to note that any potential changes really must stem from the community. I think it's critical to note that the mining community is not the [be-all-and-]end-all when it comes to protocol changes. That is, types of people who drive the protocol – regular Joes like you and me – and it hurts us when it's possible for a monopolistic miner to emerge, when there's a majority miner on the scene, or when there is the danger of a monopoly miner who doesn't see a problem with becoming a monopoly miner. These are really bad things for Bitcoin. It's us who drive the protocol changes. Now, the miners have to be on board, and the nice thing about this Two Phase Proof of Work idea is that we can start out gentle, having set the parameters such that they match the current world – that they accommodate exactly the mining power distribution that we have – and come up with an adjustments schedule so that the miners themselves can work the expected changes into their financial planning. Now, it's also crucial to note that the miners are not static. It's not like they have some equipment off in a data centre and they're going to be using that equipment forever after, so a lot of people who try to model the Bitcoin space, they take a static view of the world, and that view could not be more wrong. As I described before, there's a critical takeaway from what he's saying there, which is “this is a highly dynamic world. The rigs that these people are buying are becoming obsolete an an exponential rate. Every three weeks or so, the rig is losing half its power, so after six months the rig is doing about 2% of the production that it used to do. So your regular miner is in the constant mode of churn, and that churn is a very well-controlled process; the laws of large numbers apply, and they can predict what's going to happen in the future and they can come up with a financial plan that makes them money. Now, once we introduce Two Phase Proof of Work, we can d it in such a way that, again, laws of large numbers apply, they can predict what's going to happen, and gradually move to a world where really large miners are infeasible and everybody else below a certain treshold is unaffected.

A.L.: This all sounds, like I said, really good. The question that we always come up with is “are there any gotchas here that I haven't asked about, but that you guys have thought about? Are there any concerns here that you think still need to be addresses.

I.E.: No, not at this level. So, when it comes to deterring large pools, I think this is as good an idea as – certainly, that I can come up with – and we are not aware of any gameable aspects of Two Phase Proof of Work. Why is that so? That's probably because we're building on something that was pretty darn cool to begin with. When we already accommodate, into the first phase, every single thing that Satoshi and the rest of the Bitcoin community came up with until today, we're just adding a

secondary phase that makes it infeasible for really large pools. So it's because we're building on this legacy that we can confidently say “yeah, we understand this. This is not an enormous leap, an enormous change; we're not introducing zero-knowledge proofs, we're not introducing heavy crypto-machinery, we're not introducing snarks” and so forth. There are a whole bunch of complicated crypto-tools that one could introduce, and they might actually change the ecosystem, but our suggestion is actually fairly straightforward. We are not aware of any sort of secondary issues. Now, there is a bigger question of “what are the different things that you might want to fix?”, because a change is an opportunity. A change is an opportunity; a change in the proof of work is an opportunity to address outstanding issues, so a question to ask at this point might be “what are the outstanding issues ahead of us?”, and we can talk about that if you'd like.

A.L.: I'd love to talk about that. What are the outstanding issues ahead of us? I love it when people ask questions for me.

I.E.: (laughs) OK...

E.G.S.: So one thing is this 50% percent mark, the majority mark. It's been known to be a danger for a long time, but we also know now – for over a year – that the actual treshold for a miner to become dangerous to the system is much lower than that. In a paper that we published [at] the end of last year, we demonstrated that even at one third of the system, a miner is able to actually game the system in a way that's extremely dangerous to the health of Bitcoin.

A.L.: Is this the selfish mining attack?

E.G.S.: Yes.

A.L.: Interesting – that's your paper as well?

E.G.S. + I.E.: Yes!

A.L.: Oh, I'm sorry. We discussed the paper on the air when it came out, but I hadn't recognised the names. I apologise.

I.E.: Oh, that's us! Yep!

A.L.: Yeah, absolutely. So I think the number there was, yeah, in the 30-34% range, something like that; and again, the idea was – so there are clearly some other issues, so you think this is another pressing one.

E.G.S.: Certainly, yes! So selfish mining is feasible for an attacker greater than 33% in mining power. Such an attacker does not need to be well-positioned in the network; such an attacker does not need to have any special powers; such an attacker does not have to win any races inside the network to make more money than his fair share of mining. So it is a danger whenever somebody's over 33%. In fact, selfish mining could be feasible for somebody even lower than 33% if they have good network connectivity, if they have good peering with other miners and so forth. But for sure, somebody who's over 33% is large enough that, by keeping his blocks private and building on his own solution, at 33 and above, he has enough power to be able to game the rest of the system. So if we're going to do a change to the network, we might as well address all known protocol-level issues, so this is certainly one of them.

I.E.: There is a fix that we introduced in our paper that would limit the power of a pool to attack the network. I just wanted to add, about selfish mining: once an attacker decides to perform selfish mining, they get more than their fair share of mining power, and this means that at this point, there is a real incentive for people to join large pools. So it's different from where we are now, where people join a large pool just because they heard of it first or because they have a cool interface. This will create a real, irrevocable economic incentive to join the largest pool. At the time, we heard arguments saying that “even if selfish mining came to be, then such a huge pool is not going to form because miners won't endanger the system by becoming a majority”. And now we see – that's after the economic – now we see that even with minor incentives, really minor incentives, people tend to join a large miner. So selfish mining, perhaps became [a danger] now that we know how easily a majority miner, a majority pool, can form.

A.L.: The question that I've wanted to ask a few times here is “what is a good size for a pool, in your opinion?” You're not eliminating pools; you're talking about 1% pools, or 3% pools, or are we talking about fractions of a percentage? What do you think an average size will be in the type of paradigm you would like to create, and is that better?

I.E.: I'll let Gün answer that. I just wanted to comment that selfish mining, as of today – the minimal pool size is not known, so it may be that a pool with just 1% of the network is able to do selfish mining. In our paper, we introduce a small fix to the algorithm that can prevent very small pools from doing [selfish] mining.

E.G.S.: At the moment I said “we do not know the minimum size at which selfish mining is feasible”. It could be very, very low. The odd fact is [that] the existence of really large mining pools, like Ghash, actually deter selfish mining; so in some perverse way, the Bitcoin community's centralisation, which is really terrible, is keeping another terrible event from occurring. So starting at zero – we would like people to be able to pool their resources, because we want small miners to be part of the system. At 25%, there is a particular treshold. Ittay and I, when we came up with selfish mining, we also came up with a fix for it, and our fix – if enacted in the protocol – will guarantee that any miner with less than 25% cannot profitably pull off a selfish mining attack. So that's important, and if that fix were to be rolled in, we would be able to sleep well at night as long as there are no pools over 25%. Now, another treshold exists at 33%. Ittay and I also showed that there is no fix possible to deter selfish mining for a miner over 33%. So that's an impossibility proof it's impossible to get around. And so, we definitely need incentives in place to make mining pools not grow beyond 33%, as a result. We just don't have a solution. There is no solution possible for selfish mining above 33%. And over 50%, as you know, a whole lot of behaviours become available to miners that are absolutely horrible for the community, and most importantly, we lose the narrative. The narrative that was so crucial to us; the narrative that drew us into Bitcoin; the narrative that got us all excited; the narrative that made us feel like there's a great technical breakthrough here. And that narrative is “Bitcoin is decentralised”. The moment we cross over the 50% treshold, we are in a different world where Bitcoin is just like every other single-issue payment system, and anybody can come up with those, and we lose the distinction – the differentiation – and that, I think, is the most valuable thing we could possibly lose.

A.L.: So, two questions remaining. One – altcoin ecosystems, not just the Bitcoin-derived ones, but also other altcoins that are trying to solve some of these same problems as Bitcoin – there are some different approaches out there, and there have been lots of different... proof of work has been

recognised as a non-ideal thing. It works, but it doesn't work as well as some people would like it to, and there have been many attempts to “fix it”. Have you seen anything in the panoply of cryptocurrency – I don't know if you've been looking – that has struck you as something that is working, or is clever, or that you'd like to mention?

I.E.: That is an interesting question. There are some clever ideas in that space, but none that stick out, that fix an existing problem. We really think that this 51% monopoly miner problem is a pressing issue, given what just happened, and we also think that selfish mining could become a problem with just [the] emergence of a selfish miner overnight. And, as I mentioned before, selfish mining is different from regular mining. Selfish miners grow additional powers as they command more and more of the mining power. And as they grow, well, then they have [the] incentive to grow more, and so forth, and in fact every single participant has an incentive to join the largest selfish mining pool there is. So that's a terrible dynamic for the system, and once the distributed system starts going in that direction, there really is no force to stop it. So we believe that those two problems are the most pressing at the moment, at the protocol level, for Bitcoin. And we're not aware of any proof of work fixes that deter those two.

E.G.L.: Yeah, we're not aware, either, of any actual competition to the proof of work concept that works. There are some nice directions out there, but nothing that's actually feasible, working.

I.E.: Yeah, there's proof of stake, but it suffers from [unintelligible]. There are a bunch of other things that we've heard about, but they do not fix the two core problems at hand.

A.L.: So, if somebody listening to this is really interested, wants to help you make this a reality, has the resources to do it; how should they contact you? Do you guys have a website set up? This is an idea you've put out there based on post, and you don't really have the ability to implement it – just spread the idea – so how can people help?

E.G.S.: Good question! I think the best way to help is to be aware of what the problems are. So that's, I think, the starting point; there are always elements in any currency-related system who will try to deny, in some short-sighted fashion, what the existing problems are. So step one is awareness. Step two is, if anybody's excited about these ideas and concepts and has, maybe, their own ideas and so forth, and they want to get in touch with us; they can just email us. We're quite accessible, we'd be delighted to hear from interested parties. Our emails are public, so I'm egs@cscornell.edu and Ittay is

I.E.: ittay.eyal@cornell.edu

E.G.S.: So they can just contact us and we'd be delighted to engage. Part of the reason why I keep the blog is engagement with the greater community, so it's been valuable to have input from different parties. It's been valuable to have an open channel to the community. We are not necessarily wedded to seeing our ideas implemented, and we're not wedded to seeing something done right now, but we certainly have an interest in seeing the long-term success of Bitcoin, and it [selfish mining?] would be such a setback for the whole cryptocurrency movement that we need to make sure that Bitcoin is not open to well-known, well-understood problems. So at the minimum, what we'd like to see is awareness and a willingness to fix things when they're broken.

I.E.: And a practical discussion. This includes discussion from developers, from economists... developers have their own mailing list, the Bitcoin-core development list and mailing list... these

solutions have to be thoroughly discussed. Any minor change to the Bitcoin protocol goes through a lot of [discussion] of the implications of any change. So such a significant change, naturally, deserves very large-scale discussion before it's actually implemented. Just in the community, on the fact that this is the direction to go.

A.L.: Thanks for listening to episode 126 of Let's Talk Bitcoin. Content for today's show was provided by Adam B. Levine, HackingDistributed.com and Sam Lee. This episode was edited by Denise Levine; produced by Adam B. Levine; with a special segment courtesy of TheEndofMoney.com. Music for today's show was provided by Jared Rubens and Gurty Beats.

Today marks the second weekly [LTBCoin?] distribution. To that purpose, we've awarded more than four million LTBC today. If you created an episode like this, you earned about 300,000 LTBC. If you wrote a column, you earned 100,000 LTBC. And for a limited time, if you have more than five posts on our community forums, you'll earn a weekly split of nearly 2.5 million tokens given away each Saturday. This week, the split was about 9000 LTBCoin per person. Whatever you've done – if you've added your counter wallet address to your Let'sTalkBitcoin.com profile, we're happy to be able to reward you for the value you add to our community. The five forum post promotion still has another two weekly distributions remaining, so sign up and get involved today. So thanks to everybody for playing. We're having a lot of fun with the LTBCoin project, and I'm excited to announce our new programme, called MagicWords, will be starting next week. Every episode during the break, I'll tell you a magic word. You remember that, and when you get a chance, visit your account at LetsTalkBitcoin.com, enter the word where prompted, and claim your proof of listening credit. You'll have about 48 hours from the release of a given show to enter the word.

So that's all for today. If you have any questions or want to talk, I'm pretty much living over at the forums on LetsTalkBitcoin.com. It's a little bit ridiculous. I'm also auctioning my time; two hours of consulting per week to the highest bidder in LTBCoin. You can, of course, sponsor the show, and the list of things that you can do with it is growing. If you have a project that's unrelated to Let's Talk Bitcoin, but that you think might be a good fit, you should definitely propose it – we're looking for all kinds of collaborations. We've been growing the team very rapidly; we've added another developer to the staff who will be receiving compensation only in LTBCoin, and just generally, things are going fantastic. Thanks for helping.

(Last three minutes consists of audio with vocals)