The dismantling of overly large pools is one of the most important and difficult tasks facing the Bitcoin community.
Pools are needed to generate consistent income but:
[Miners] can get steady income from pools well below 10%, and they have only little incentive to use very large pools; it's mostly convenience and a feeling of trust in large entities.
Gavin Andresen, chief scientist of the Bitcoin Foundation, has repeatedly urged miners to use smaller pools, and researchers, including ourselves, have suggested technical fixes to reduce pool size (here, and here). But alas, community pressure has only had limited success, and technical solutions are still under development and far from production.
Eyal's post, and the detailed analysis on arXiv.org, are important because they show how the block withholding attack on mining pools, which has been known since 2011 and has been used at least once in practice, can create a countervailing pressure that would limit the size of mining pools. Below the fold I discuss the details and the implications for my analysis.
The block withholding attack does not appear to be prevalent:
Long term block withholding attacks are difficult to hide, since miners using an attacked pool would notice the reduced revenue density. Nevertheless, such attacks are rarely reported, and we can therefore conclude that they are indeed rare.
However, a pool that mounts such an attack can increase its revenue:
This attack affects the revenues of the pools in several ways. The victim pool’s effective mining rate is unchanged, but its total revenue is divided among more miners. The attacker’s mining power is reduced, since some of its miners are used for block withholding, but it earns additional revenue through its infiltration of the other pool. And finally, the total effective mining power in the system is reduced, causing the Bitcoin protocol to reduce the difficulty.
Eyal shows the decision process for each pool:
Taking all these factors into account, we observe that a pool might be able to increase its revenue by attacking other pools.
Since pools can decide to start or stop attacking at any point, this can be modeled as the miner’s dilemma — an instance of the iterative prisoner’s dilemma. Attacking is the dominant strategy in each iteration, but if the pools can agree not to attack, both benefit in the long run.
Apparently the pools have such an agreement:
The fact that such attacks do not persist may indicate that the active pools have reached an implicit or explicit agreement not to attack one another.
But Eyal shows that this is an unstable equilibrium:
Our results imply that block withholding by pools leads to an unfavorable equilibrium. Nevertheless, due to the anonymity of miners, a single pool might be tempted to attack, leading the other pools to attack as well. The implications might be devastating for open pools: If their revenues are reduced, miners will prefer to form closed pools that cannot be attacked in this manner. Though this may be conceived as bad news for public mining pools, on the whole it may be good news to the Bitcoin system, which prefers small pools.
Open public pools are those whose miners are anonymous, and therefore untrusted. Pools whose miners are trusted are closed; they behave as a single miner. The assumption here is that only open public pools can grow large enough to threaten the network, which appears to be the case at present.
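The revenue accounting behind the miner's dilemma quoted above, worked through for two equal pools. This is an added example, not code from the original post or from Eyal's paper; the two-pool formulas, the pool sizes and the infiltration amount are assumptions chosen for illustration.

```python
# Added illustration; the model and all numbers are assumptions, not taken from the post.
# Total mining power is normalised to 1, and the reward rate to 1 once difficulty adjusts.

def revenue_densities(m1, m2, x12, x21):
    """Revenue per unit of mining power (r1, r2) earned by members of pool 1 and pool 2.

    m1, m2: each pool's own mining power.
    x12:    power pool 1 places in pool 2 that submits shares but withholds blocks.
    x21:    the same, from pool 2 into pool 1.
    """
    effective = 1.0 - x12 - x21      # withholding power finds no blocks
    R1 = (m1 - x12) / effective      # direct block revenue of each pool
    R2 = (m2 - x21) / effective
    # Each pool splits its direct revenue, plus what its infiltrators bring home,
    # among its own miners and the infiltrators it unknowingly hosts:
    #   r1 * (m1 + x21) = R1 + x12 * r2
    #   r2 * (m2 + x12) = R2 + x21 * r1
    a, b = m1 + x21, m2 + x12
    det = a * b - x12 * x21
    r1 = (R1 * b + x12 * R2) / det
    r2 = (R2 * a + x21 * R1) / det
    return r1, r2


def payoff_matrix(m1, m2, x):
    """(r1, r2) for each (pool 1 attacks?, pool 2 attacks?) combination."""
    return {
        (a1, a2): revenue_densities(m1, m2, x if a1 else 0.0, x if a2 else 0.0)
        for a1 in (False, True)
        for a2 in (False, True)
    }


if __name__ == "__main__":
    # Constructed scenario: two pools of 30% each, 5% of total power used to infiltrate.
    for (a1, a2), (r1, r2) in payoff_matrix(0.3, 0.3, 0.05).items():
        print(f"pool1 attacks={a1!s:5} pool2 attacks={a2!s:5}  r1={r1:.4f}  r2={r2:.4f}")
```

With these constructed numbers the attacked pool's density falls to roughly 0.90 of its honest value, which is the reduced revenue density its miners would notice, and mutual attack leaves both pools at roughly 0.93, below the 1.0 they earn when neither attacks.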
Eyal points out that:
[Miners] have only little incentive to use very large pools; it's mostly convenience and a feeling of trust in large entities.
Nevertheless, these weak incentives have concentrated 50% of the mining power in only three pools. So there must be some doubt that the not-very-powerful incentive provided by the possibility of the breakdown of the agreement not to use the block withholding attack would overcome "convenience and a feeling of trust in large entities".
Note that of the three pools controlling 50% of the mining power, two (F2Pool and GHash.IO) are secretive. The third is AntPool, which as I understand it is based on p2pool, a P2P pool protocol. A goal of p2pool is to ensure that an attack by a pool using it can only be performed by modifying the code running at the pool's miners, not by code running at a pool manager. Thus an attack by a p2pool-based pool would be visible to the pool's miners, as a conventional pool's attack would not be. This mitigates the bad effects of a large public pool. But does it leave a p2pool unable to respond to a block withholding attack by attacking back? I need to study p2pool more, so apologies if I misrepresent it.
Neither the withholding attack nor p2pool mitigates the bad effects of a large closed pool, or a large single miner.
Although I'm skeptical of the practical impact of Eyal's analysis, it led me to think that my economies of scale argument needs to be refined. Eyal shows that the incentives for open and closed pools (or single miners) are different, and I think that is true for the effects of economies of scale too.
The costs of mining, and thus the benefits of economies of scale, apply to the individual miner (and thus to closed pools). There are thus powerful incentives causing the majority of mining power to be generated by large miners. But a pool bears none of the costs of actual mining, only the costs of running the pool. A miner increases scale by investing in hardware, which costs a lot. A public pool grows by attracting miners, which costs very little. Even though Eyal points out that miners have "little incentive to use very large pools" it is clear that large miners prefer very large pools. I need to think more about the forces that are operating to drive the domination by very large pools, but clearly the advantages to very large miners must be a major factor. Are they more sensitive to small changes in reward variance?