The Economic Limits of Bitcoin and the Blockchain

This article is based on the paper ‘The Economic Limits of Bitcoin and the Blockchain’ by Eric Budish. Please visit this link to access the paper.

Bitcoin Architecture

Bitcoin is an electronic cash system that’s fully peer to peer and works without a trusted third party acting as an intermediary. The basic workings of Bitcoin are similar to India’s UPI model: The sender initiates the transaction using their own public address (or UPI address), adds the recipient’s public address (or recipient’s UPI address) and finally approves the transaction using a private signature (in case of UPI, users use a PIN). This is a standard procedure and is implemented using modern cryptography.

While UPI uses a centralized authority i.e. the National Payments Corporation of India to authenticate and record these transactions, Bitcoin is a ‘decentralized’ network. The innovative idea behind Bitcoin was that its transactions are verified and publicly recorded without involvement of any trusted third party. Bitcoin uses multiple computers (or CPU) connected via network to verify transactions and create a public ledger by using blockchain technology. These CPUs are also referred as nodes. Every ten minutes, a large anonymous and decentralized collection of these nodes compete in a computational tournament for the right to add a new block of transactions to the public ledger. The problem is based on both the new block being added and the previous block added to the ledger. The first node to solve this difficult computational problem is declared as winner and reports both the new block of transactions and the solution to the computational problem. Other nodes accept this block and the whole tournament is restarted to add the next block in the chain. These nodes are owned by individuals or companies, they can also be referred as participants of the tournament. Each participant can hold any number of nodes all they need to do is add the buy the CPU and keep it running.

Each node in the tournament incurs a cost in form of electricity (consumed to keep the CPU running) for solving the computational problem. As an incentive to solve the computational problem, the winner gets rewarded in the form of newly minted bitcoins and transaction fees. Higher the number of nodes owned by a participant higher will be the cost and higher probability of winning. This activity of incurring cost in the hope to get rewarded is also known as mining and the participants as miners. Let’s convert this into a mathematical formula.

Presuming the following variables:

1. the reward per block = ‘P _block’
2. the cost of one unit of computational power = c
3. no. of nodes in the network = N

There can be any number of nodes in the system, but for the system to be in equilibrium total cost expensed should be roughly equal to total rewards. Thus, if N* is the optimal number of nodes, then:

Total Cost = Total Reward, or mathematically

N* c = P _block

The reward is distributed in the form of Bitcoin. So, higher the price of Bitcoin (in dollar terms), higher will be the reward for miners, leading to more energy consumption in longer run. It is also important to note that technological innovation that increases the efficiency of the Bitcoin mining process will not reduce the total energy consumption as a greater number of nodes are added. Also note that the number of participants can be less than the total nodes in the system as each participant can have more than one node.

Can the Bitcoin blockchain be attacked?

A dishonest participant can attack the system by creating an alternate chain faster than the honest chain. The alternate chain can reverse the earlier transactions and thus enable double spending (explained later). Now the probabilistically the likelihood of a participant creating an alternate chain and thus reversing z blocks exponentially decline by increasing z. Usually after couple of blocks it becomes improbable to attack the system and thus by waiting for an escrow period of two blocks is sufficient for payment confirmation. However, this is only true if majority of the blocks are honest i.e. the attacker controls less than 50% of the computational power.

What happens in case an attacker has a majority of the computational power? Even Satoshi Nakamoto’s paper states that an attack with more than 51% of computational power will succeed.

Cost of the attack

What is the cost of gaining majority computational power? If there are N* nodes in the system, the total computational power would be N* c. An outsider to gain a simple majority will have to bring in slightly more power into the system, thus total cost would be similar to N* c. While the attacker will be incurring this cost to attack the system in the process, they will also be gaining rewards of P _block per block and thus the net cost will be less than N* c, say α N* c where α is net cost per block. Now suppose the expected payoff to the majority attacker is V _attack, for the blockchain to remain safe the cost of attack should be more than the payoff:

α N* c > V _attack

The above equation captures that what enables the decentralized trust of the blockchain is the computing power devoted to maintaining it. The key thing to note here is that the security of blockchain is linear to the amount of expenditure on mining power. In contrast to other investments in security yield convex returns. Consider we want to keep products worth ₹ 1,000 safe, we can do that by using a lock wort ₹ 50, but if the products are expensive and worth ₹10,00,000 we will need a much better lock which will cost us more probably ₹ 500 or even ₹ 1,000. But essentially, we are able to have security of products worth 1000x more by investing 20x more on the lock (security system). This is called Convex returns and this is not tru foe Bitcoin which has a liner relation.

i.e. an analogous to how a lock on a door increases the security of a house by more than the cost of the lock.

Combining the first two equations:

P _block > V _attack / α

In other words, the equilibrium per-block payment to miners for running the blockchain must be large relative to the one-off benefits of attacking it. This puts a serious constraint on the technology. By analogy, imagine if users of the Visa network had to pay fees to Visa, that were large relative to the value of a successful one-off attack on the Visa network.

How an attack affects the system?

Before defining how the attack will affect the system, let’s see what an attacker can do and can’t do technologically.

As the attacker controls the majority of computational power, they can control what transaction gets added to the block and within computational limits remove recent transactions from the blockchain. The attacker even earns the block awards ‘P _block’ in the process. What the attacker cannot do is spend the bitcoin earned by other participants i.e. they cannot steal Bitcoins from other accounts.

Double Spending Attack

An attacker can manipulate the blockchain to their advantage. For example, an attacker gets into a contract to buy a new car by paying two Bitcoin. The attacker- (i) sends two Bitcoins to the merchant, (ii) allows that transaction to be added to blockchain, (iii) merchant delivers the car once the transaction is confirmed, (iv) the attacker can remove the transaction from public blockchain by building an alternate blockchain. The attacker can now spend the two Bitcoins recovered elsewhere, and thus the term double spending. Technically, the term ‘double spending’ is a misnomer because the attacker can spend the bitcoins multiple times.

The attacker in this scenario can maximize their gain by increasing the transaction amount and doing as many transactions as possible in a block. Assuming the maximum transaction size V_{transaction_max} and k transactions per block, maximum gain an attacker can realize can be k . V_{transaction_max}. The mining reward can also be divided across k transactions and assuming P _transaction is the reward per transaction the above equation can be rewritten as:

P _transaction > V _{transaction_max} / α

The value of α depends upon

1. Escrow period e, or the number of blocks attacker is trying to reverse, more the number of blocks more will be the cost.
2. Level of Super Majority A. The attacker can have simple majority or super majority. Higher level of majority requires more computational power and thus higher cost.

The author ran multiple simulations to calculate α, reported in Table 1. Panel C in the table represents net cost i.e. Cost of equipment – Block Reward. Let’s focus on e = 6 blocks or escrow period of one hour (6 X 10 minutes) and least majority of A=1.05. The net cost α = 2.33. Based on the equation above P _transaction > V _{transaction_max} / 2.33 ≈ 42% of V _{transaction_max}. This can be interpreted as implicit tax, if the maximum transaction size is one lakh rupees the transaction cost should be 40% or ₹ 40k. This is even larger percent on a cheaper transaction, if the transaction is small say ₹1,000, the tax is still applicable on the max transaction size and thus effective cost will be 400% in this case. Increasing the escrow period to say e = 1000 (around 1 week) helps to reduce this cost 1/53.5 ≈ 2% of max transaction, but it’s still substantial specially since all transaction will not be maxed out. To draw an analogy if same constraints were applicable on UPI payments and one needs to transfer ₹ 100, the transaction cost would be ₹ 200 (2% of maximum transaction of one lakh) and the payment confirmation would take one week instead of seconds as is the case with UPI.

Sabotage Attack

One rational given by the Bitcoin advocators is that a miner with more than 50% power is strongly invested in the system and thus has more incentive to keep the system running smoothly rather than attacking it. This does make sense. Imagine getting a news notification that says “Bitcoin network attacked: People lost Bitcoins received in last week”. Such news will sabotage the value of Bitcoin, resulting in a steep decline in its value. In the above scenario where attacker gained two Bitcoins from the attack, if the value of Bitcoin itself drops by say 20% (let’s call it Δ _sabotage) the attacker’s net gain will also reduce by 20% (or Δ _sabotage). The best-case scenario here will be that Δ _sabotage = 100% i.e., value of Bitcoin goes to zero and the attacker’s gain reduces to zero.

The attacker does stands to lose value due to sabotage, but there are many financial instruments available in market to hedge that loss and even the attacker can obtain speculative profits from holding a short position in Bitcoin futures. So, if one can attach a value to sabotage (V _sabotage) by speculative profits or other value gained externally, the attack will make economic sense. Bitcoin poses a threat to all the central banks across the world as they might lose their power of setting up the monetary policy, keeping this power would be highly valuable and thus high value of the collective V_sabotage.

Blockchain Mining Technology

In beginning, we assumed that the cost of waging the attack was similar to the cost incurred by miners to run the system or flow cost of the mining (α N* c). Here we assume that processing chips used for mining can be used elsewhere and hence once the attack is complete these chips will be deployed on other applications. However, in case of Bitcoin that is not true. At present, Bitcoin mining is done by highly specific and efficient chips called ASICs (application specific integrated circuits). These chips are more than 1000 times more efficient than general purpose chips and can’t be used anywhere else.

Since these chips are highly efficient, anyone planning to gain majority of the computational power will have to procure these specific chips. Also, these ASICs will be rendered useless after the attack and hence will have close to zero reusable value. The attacker will have to incur stock cost of these chips which is much higher than the flow cost assumed previously. The modified equation will now be:

N* C _{stock cost} > V _sabotage

The above equation states that security of Bitcoin relies on use of highly specialized equipment.

Collapse Scenarios

The increased security of Bitcoin due to increased cost can be nullified in three scenarios:

1. Ultra-cheap specialized ASICs

As the ASIC technology matures, Bitcoin ASICs might become very cheap and thus the cost would only be electricity required to run it which is equivalent to the flow cost

2. Efficient-enough general-purpose chips

As the popularity grows it is plausible that general purpose chips might become as efficient as ASIC. The gap might not close completely but even if it reduces to great extent, an attacker might invest in general purpose chips and put them to use elsewhere after the attack.

3. Value of sabotage becomes sufficiently tempting

As discussed earlier, many central governments might collude to sabotage the network as the collective value might become too high.

Conclusion

The anonymous, decentralized trust enabled by use of blockchain, while ingenious, is expensive.  In the double spending attack the implication is that the transaction costs of the blockchain must be large in relation to the largest-possible economic uses of the blockchain, which can be interpreted as a large implicit tax. The trust enabled by blockchain requires that the flow cost of running the blockchain is large relative to the one-shot value of attacking it. The attack itself might be more than the flow cost relies on Bitcoins use of scarce, non-repurposable technology which can make Bitcoin vulnerable to collapse if either condition change in the specialized chip market or if it becomes economically important enough to tempt a saboteur.

Overall, the results place potentially serious economic constraints on the use of the Nakamoto’s blockchain innovation. Most businesses and governments presumably have access to cheaper forms of data security, e.g., distributed ledgers or databases that require a trusted party (e.g., the business or businesses themselves), rather than having to pay the high costs of the trust that is emergent from a large network of untrusted computers coordinating on maximum proof-of-work.