A new research paper to be released this week sheds some interesting light on Bitcoin’s first two years of existence, finding that the small group of early miners often played by the rules even when they had an opportunity to cheat.
The paper, “Cooperation among an anonymous group protected Bitcoin during failures of decentralization,” is interesting and valuable work, including the team’s rigorous work tracking early Bitcoin activity through a mining data stream dubbed the “extranonce.” But it is also highly technical and nuanced, and the topics it touches on, including Bitcoin security, privacy and distribution, are highly contentious. This makes it quite vulnerable to misinterpretation (or misrepresentation) by nonspecialists.
The paper finds that for long stretches between January 2009 and February 2011, one miner on the nascent Bitcoin network had the opportunity to conduct a “51% attack.” By virtue of controlling a majority of the network’s mining power (or hashrate), that miner would have been able to double-spend coins or even take bitcoin from other users. But despite these lengthy windows of opportunity, no early bitcoin miners attacked the chain. “Strikingly, we find that potential attackers always chose to cooperate instead,” the researchers write.
The researchers, a large team including members from Baylor College of Medicine and Rice University, have emphasized that the paper does not make claims about Bitcoin outside of that short, early window.
The discovery that early bitcoiners cooperated even when they had a chance to cheat may seem unremarkable on its face. Bitcoin in its earliest years was an experiment with little or no economic value, and the various actors almost certainly had more to gain by supporting the system than attacking it.
But the research is only in a limited sense even about Bitcoin as a technical system. Its primary goal, instead, is to “study responses to a social dilemma in a group of anonymous individuals.” In this case, the social dilemma was how to build a system vulnerable to attack in its early stages. The answer – which is also apparent if you’re familiar with the real-world story of Bitcoin’s early development and growth – was some mix of trust, common cause, and enlightened self-interest.
So early Bitcoin is a useful case study of human behavior under particular game-theoretical conditions, but a better understanding of the Bitcoin system was not the researchers’ primary goal. “The key to the paper is the behaviors that we characterize,” team member Dr. Erez Aiden, a genomics researcher at the Baylor College of Medicine, told CoinDesk in response to emailed questions.
This helps explain why, while the team is composed largely of mathematicians and computer scientists, many of them work on research problems in genomics, biology, and medicine. The research is ultimately concerned less with Bitcoin itself than with the behavior of the humans who created Bitcoin – including those who, given the opportunity to steal, chose not to do it.
This is also why the paper concludes with a psychological experiment using a game-theoretical model to mimic early bitcoiner behavior. Participants played a game called “Centipede,” which allows anonymous players to steal from one another in a way similar to a 51% attack. In experimental repetitions of an eight-player Centipede game, the researchers found that players displayed “high levels of cooperation,” even when the incentive to steal was high and they were anonymous to other players.
While not directly relevant to understanding Bitcoin’s security on a technical level, these findings are at least a bit reassuring on the subject of human nature.
Is Bitcoin less private than we thought?
Not for the vast majority of users – and the researchers make no such claim.
They do rigorously apply an already-known form of “data leakage” relevant to the study of on-chain Bitcoin activity. This form of metadata, known as the “extranonce,” is uniquely generated by individual miners. The method has been known since 2013, when it was described by Sergio Demian Lerner, who used it to track the early tokens mined by Satoshi. The method has fairly limited utility, and according to the researchers, even within the limited sphere of transaction graphing.
“If all we did was add in the extranonce, which is quite error prone, it would be completely impossible to reconstruct the early bitcoin community,” Aiden told CoinDesk. The paper uses many other transaction linking techniques, largely methods that are already in widespread use in chain analysis.
Moreover, it seems the extranonce would only provide additional transparency into the very earliest days of Bitcoin. That’s largely because it relies on metadata generated by miners specifically. Because the earliest bitcoiners relied on Bitcoin clients for both mining and wallet (key control) functions, and because mining on a home computer or gaming rig was economical for much of the study period, a wide variety of early users may have generated extranonce data.
But in the years since, mining has almost entirely migrated to specialized mining machines, known as ASICs (application-specific integrated circuits), run at industrial scale by professional mining companies. Meanwhile, contemporary users are vastly more likely to buy bitcoin (BTC) on a marketplace than mine it themselves. The vast majority of individual Bitcoin users now use wallet-only software with no mining capacity, or will never mine on their own hardware. These users will never generate extranonce data.
The extranonce could be a threat to a handful of very early miners, particularly any who have worked to conceal their identity over the long term. But because this data source is already well known, it's unlikely any early miners who haven't previously been doxxed will be as a result of the new research. There may also be some implications for miners today, but the data seems primarily useful for transaction graph tracking within a limited time period and for a very small group of agents, and perhaps for some who transacted with them.
Just as important, the extranonce data does not add any qualitatively new way to connect transactions or wallets to real-world identities, and no previously unknown real-world identities are revealed in the paper itself. As the researchers detail, they are able to connect identities to wallets through public posts or other disclosures, usually instances where a user posted their own Bitcoin address publicly. Extranonce data may improve the ability to track connections to these doxxed entities, but it does not create a new way to identify the owners of Bitcoin addresses.
Aiden was quite direct about this in response to clarifying questions from CoinDesk. “All of the forms of data leakage we exploited were guided by our desire to understand that 25-month-long period” after Bitcoin’s launch, he said. “Now, obviously Bitcoin has been through extensive changes since 2011! So some forms of data leakage may work less well now, and some may work better. Extranonce is probably going to be less impactful today.”
The research was not intended to make sweeping claims about Bitcoin privacy. And it doesn’t.
Is Bitcoin less secure than we thought?
No – and the researchers make no such claim.
An early passage does seem ripe to be plucked out of context to misrepresent their stance, however. The researchers write that “wealth, income, and resources in the [early] Bitcoin community were highly centralized. This threatened Bitcoin’s security, which relies on decentralization, routinely enabling agents to perform a 51% attack.”
But the takeaway from this is absolutely not that Bitcoin as a system is insecure, because the researchers are explicitly and only talking about the two-year period of study, from January 2009-February 2011.
Instead, their more limited finding is that repeatedly, in the early days of Bitcoin, a single miner was generating more than 51% of network hash power for several blocks in a row. For instance, during the week from Sept. 29-Oct. 4, 2010, a miner described as Agent #2 had “enough resources to perform a 51% attack during several 6+ hour long windows.” This would have made it trivially easy for such a miner to to double-spend tokens, or even to reorganize the chain to give themselves all the bitcoin then existing.
But they didn’t. Agent #2 continued to process transactions normally, even at a moment when they could have done pretty much whatever they wanted. That behavior by individuals is the point of the research, rather than any technical or structural claim about Bitcoin itself.
This claim is itself both fairly abstract and fairly obvious, simply because the risk-reward calculus of performing a 51% attack between 2009-2011 was vastly different than it would be today. For much of the period under study, bitcoin literally had no economic value: “Bitcoin Pizza Day,” the first known monetary transaction using bitcoin, took place in May 2010, two-thirds of the way through the study period. Mt. Gox, the first widely used bitcoin exchange, launched in July 2010, more than three-quarters of the way through the study period.
That means that for most of the study period, even when miners had long strings of uncontested blocks, they had absolutely nothing to gain from a 51% attack. (Agent #2’s altruistic mining is particularly notable because it took place after these economic milestones.)
Miners also had a lot to lose by attacking. First, that’s because the early Bitcoin community was so tight-knit. Many of the players knew each other personally, if only via email and message boards. Attacking the chain in its vulnerable early days might have made a miner a pariah. Furthermore, such an attack was unlikely to actually earn an attacker that much money: Even after bitcoin gained economic value, news of a 51% attack could have led to people seeing bitcoin as a failed experiment, destroying that value.
These days, a brute force 51% on Bitcoin is economically prohibitive and would probably be socially rejected to boot. (That is, other miners and users would migrate to a chain rolled back to a pre-attack state, leaving an attacker holding tokens on a far less valuable fork.) While there may be some sort of alliance or more complex tactics that could lead to a successful 51% attack, they would require Herculean effort. The situation the paper describes, in which there simply aren’t that many competing miners, is unlikely to recur any time soon.
Using this evidence to question Bitcoin’s decentralized security model is simply a non-sequitur – a complete misreading of the research.
Is Bitcoin more unequal than we thought?
No – and in fact, the researchers find overwhelming evidence that it rapidly became more economically egalitarian rapidly after its launch.
The researchers do use some terms that could lead superficial readers astray. In particular, the researchers write that “in line with the findings of Vilifredo Pareto …. wealth, income, and resources in the [early] Bitcoin community were highly centralized.”
Pareto is often cited in social science research on income and wealth inequality in society. Broadly, his “Pareto Principle” is often used to analyze or diagnose the tendency in some societies for wealth to become increasingly concentrated in a society over time because of an inequality of returns for effort. (It’s also sometimes known as the 80/20 rule.)
The citation seems at first glance to implicate Bitcoin in this dynamic. (Notably, even on its own terms such a finding would not be a critique of Bitcoin alone, but also of the broader society it exists within.) But the researchers are not claiming, as some may assert, that Bitcoin as a whole tends toward wealth concentration in a way that, in turn, threatens network security.
Instead, the paper’s actual on-chain data about mining and token distribution shows quite the opposite. In a footnote, the researchers make this explicit: “During the final two intervals [January 2010 – February 2011], [miner] income inequality declines greatly, falling in line with the levels seen in typical economies.”
On a related note, the researchers found that “almost all contemporary bitcoin addresses can be connected to … top [early] agents by a chain of six transactions.” This finding could easily be misrepresented to argue that Bitcoin remains highly centralized today, or that those early miners have undue power in the system.
But the significance of the finding is unclear because real-world human beings even across a large geographic area are often separated from one another by six relationship links or fewer. This hypothesis was first developed by Stanley Milgram in the 1960s and was elaborated and significantly validated by researchers in the early 2000s. It is difficult, in this light, to see anything notable, much less scandalous, in the claim that most Bitcoin addresses are linked by six transactions to early miners. Though it is useful data to have, it’s more a matter of universal principles of probability and human behavior than the discovery of some secretive Bitcoin Mafia.
Similarly, the above chart of mining output during Bitcoin’s first two years may appear to highlight concentration of mining among a small set of actors – including Satoshi themselves. But its presentation may obscure what it actually shows: the speed with which this concentration ended.
Though it’s easy to miss, the chart is actually a timeline moving clockwise starting from Satoshi’s big red block of coins mined between January and July of 2009. Once you get to the upper left quadrant, representing the period from August 2010 to February 2011, the multitude of rainbow-colored dots around those last few big miners represents the rising decentralization of bitcoin mining and earning over time, a trend which has more or less continued since.
Conclusion: A decentralized strawman
In the current environment, Bitcoin and blockchain technology are frequently demonized by powerful voices who either don’t comprehend its promise – or comprehend it all too well and want to stop it. While the new research is compelling on its own terms, it unfortunately seems likely that it will be misrepresented by voices that want to leverage it for their own ends. Intentionally or not, the paper does occasionally give more rhetorical fuel to such misrepresentations than its actual findings merit.
The researchers have also gone to at least some effort to exploit Bitcoin’s centrality to their research to get more attention for it, as shown by coverage in the New York Times ahead of the paper’s publication. This is fine as far as it goes – more academics could benefit from a bit of marketing savvy, and again, this appears to be interesting stuff.
Unfortunately, we can predict with some confidence that this broader visibility will create more opportunities for it to be misinterpreted by those who approach it with an agenda, rather than on its own terms. While early bitcoiners were willing to cooperate to build something world-changing, not everyone is so generous.
Correction (June 7, 2022 1:41 PM UTC): This piece previously described "extranonce" data as a new graphing technique discovered by the Baylor-Rice research group. It has been known since 2013 and was first described by Sergio Demian Lerner, whose work is cited in the paper.
The paper makes no claims about the network today, more than a decade after the end of the period analyzed. But it underscores well-known and longstanding privacy challenges.
New research on Bitcoin’s early years undermines its foundational myths of privacy through pseudonymity and decentralization, Jaron Lanier and Glen Weyl write.