The paradox of Bitcoin proof-of-work mining


Everybody knows about bitcoin, but fewer know what goes on under the hood. Bitcoin provides the world a trustable ledger for transactions without trusting any given party such as a bank or government. Everybody can agree with what's in the ledger and what order it was put there, and that makes it possible to write transfers of title to property -- in particular the virtual property called bitcoins -- into the ledger and thus have a money system.

Satoshi's great invention was a way to build this trust in a decentralized way. Because there are rewards, many people would like to be the next person to write a block of transactions to the ledger. The Bitcoin system assures that the next person to do it is chosen at random. Because the winner is chosen at random from a large pool, it becomes very difficult to corrupt the ledger. You would need 6 people, chosen at random from a large group, to all be part of your conspiracy. That's next to impossible unless your conspiracy is so large that half the participants are in it.

How do you win this lottery to be the next randomly chosen ledger author? You need to burn computer time working on a math problem. The more computer time you burn, the more likely it is you will hit the answer. The first person to hit the answer is the next winner. This is known as "proof of work." Technically, it isn't proof of work, because you can, in theory, hit the answer on your first attempt, and be the winner with no work at all, but in practice, and in aggregate, this won't happen. In effect, it's "proof of luck," but the more computing you throw at the problem, the more chances of winning you have. Luck is, after all, an imaginary construct.

Because those who win are rewarded with freshly minted "mined" bitcoins and transaction fees, people are ready to burn expensive computer time to make it happen. And in turn, they assure the randomness and thus keep the system going and make it trustable.

Very smart, but also very wasteful. All this computer time is burned to no other purpose. It does no useful work -- and there is debate about whether it inherently can't do useful work -- and so a lot of money is spent on these lottery tickets. At first, existing computers were used, and the main cost was electricity. Over time, special purpose computers (dedicated processors or ASICs) became the only effective tools for the mining problem, and now the cost of these special processors is the main cost, and electricity the secondary one.

Money doesn't grow on trees or in ASIC farms. The cost of mining is carried by the system. Miners get coins and will eventually sell them, wanting fiat dollars or goods and affecting the price. Markets, being what they are, over time bring closer and closer the cost of being a bitcoin miner and the reward. If the reward gets too much above the cost, people will invest in mining equipment until it normalizes. The miners get real, but not extravagant profits. (Early miners got extravagant profits not because of mining but because of the appreciation of their coins.)

What this means is that the cost of operating Bitcoin is mostly going to the companies selling ASICs, and to a lesser extent the power companies. Bitcoin has made a funnel of money -- about $2M a day -- that mostly goes to people making chips that do absolutely nothing and fuel is burned to calculate nothing. Yes, the miners are providing the backbone of Bitcoin, which I am not calling nothing, but they could do this with any fair, non-centralized lottery whether it burned CPU or not. If we can think of one.

(I will note that some point out that the existing fiat money system also comes with a high cost, in printing and minting and management. However, this is not a makework cost, and even if Bitcoin is already more efficient doesn't mean there should not be effort to make it even better.)

CPU/GPU mining

Naturally, many people have been bothered by this for various reasons. A large fraction of the "alt" coins differ from Bitcoin primarily in the mining system. The first round of coins, such as Litecoin and Dogecoin, use a proof-of-work system which was much more difficult to solve with an ASIC. The theory was that this would make mining more democratic -- people could do it with their own computers, buying off-the-shelf equipment. This has run into several major problems:

  • Even if you did it with your own computer, you tended to need to dedicate that computer to mining in the end if you wanted to compete
  • Because people already owned hardware, electricity became a much bigger cost component, and that waste of energy is even more troublesome than ASIC buying
  • Over time, mining for these coins moved to high-end GPU cards. This, in turn caused mining to be the main driver of demand for these GPUs, drying up the supply and jacking up the prices. In effect, the high end GPU cards became like the ASICs -- specialized hardware being bought just for mining.
  • In 2014, vendors began advertising ASICs for these "ASIC proof" algorithms.
  • When mining can be done on ordinary computers, it creates a strong incentive for thieves to steal computer time from insecure computers (ie. all computers) in order to mine. Several instances of this have already become famous.

The last point is challenging. It's almost impossible to fix. If mining can be done on ordinary computers, then they will get botted. In this case a thief will even mine at a rate that can't pay for the electricity, because the thief is stealing your electricity too.

Other alternatives have come forward. In Proof-of-Stake hoarding coins gives you a better chance of winning the right to do the next block. Its value is debated and while such systems still include some small proof-of-work to introduce some randomness, there are still many concerns over proof-of-stake. Its randomness is untested (since miners do have the ability to save up coin age and make themselves far more likely to be chosen) and it encourages hoarding (though some claim to have fixes for this.)

Another concept, "proof of burn" involves destroying one cryptocurrency (like bitcoin) to generate another, and so doesn't solve the problem.

It should be noted that the leading anti-ASIC currency, Litecoin, is about to get ASIC mining and its price has been falling compared to bitcoin. As I have forecast, the coming of easy and automatic exchanges between cryptocurrencies will put them at risk for "runs on the bank" which can destroy their value quickly. This is not yet the case for Litecoin, but it could be.

Finding randomness

A system in the style of Bitcoin but not using proof-of-work has to assure two real goals

  1. The next party able to write in the ledger must be chosen in some way that is demonstrably random
  2. The set of parties who may be randomly chosen must be well distributed. No one party or colluding group can represent a very large fraction of them (particularly more than half.)

The proof-of-work approach is random, but the set of miners it chooses from is based on ownership of dedicated mining electronics. It is thus closer to "one dollar one vote" than "one person one vote." (It is not a vote -- most of the time -- but there are analogies.) Proof of stake systems also run on "one (coin) one vote" but rely on the fact that if you control most of the coins, it is against your interest to compromise the system using that power.

Sometimes it actually is a vote, in that changes to the bitcoin system, though rare, need the cooperation of a majority, or even supermajority of the miners. A change that didn't get broad support among the miners would either fail or cause a risky fork in the system and its ledger, with two parallel versions both claiming to be the legitimate one, hoping for the support of users, merchants and exchanges. That's so risky that nothing can happen without the support of the miners, and the miners (who are also some of the largest holders of bitcoins) will work to protect their interests. Having invested heavily in mining hardware, they are unlikely to take steps to destroy that investment.

Finding a source of universally accepted randomness is not so easy. It must be impossible for anybody to bias it. With any human generated number, the humans involved might be compromised. There are lots of streams of human generated data out there (such as from stock markets) but people can inject their own values into those streams. The unpredictability of hashes doesn't help as they must only input a number which makes the final hash point to their mining ID.

Astronomical sources of randomness could be used, but they require that lots of people have equipment which can read the data and that they all read the same thing. Images of the sun in the hydrogen-alpha band could work, though they change slowly. You need something that gives you at least 30 bits of entropy every few minutes to be like Bitcoin, and it must be independently verifiable over some decent fraction of the world. You must also be sure that nobody can predict the values in advance. (We can be confident nobody can bias the state of the sun!) A network of H-alpha telescopes around the world would assure there were always plenty of trustworthy ones returning good data. Each high level participant would contract with a small collection of trusted telescopes around the world so they always have access to the state of the sun. Others would subcontract or aggregate results to be almost as sure.

It is also possible to combine human data with astronomical data. For example, while you can't pick your winner based on the hash of the prior block modulo the number of miners, because the last miner could insert a transaction to make that point again to one of her buddies, if you add in astronomical data, and possibly other human generated data, it should be possible to make a random pick that can't be biased usefully.

Generating the list of potential miners

If you have a random number, you can use it to chose from a list of potential miners. You need to generate this list so that no one group can represent a large fraction of the miners on the list. As such, people can't just register, they must prove their uniqueness.

If you are a government, you could use the system you already have to identify people -- government ID numbers like passport numbers or ID card numbers. Even a non-government could make use of the governments' large efforts to secure these numbers, but you then need third parties who certify that a miner showed ID. This requires trusting these 3rd parties -- which cryptocurrency designs are loathe to do -- and it also presents a risk of disclosing a miner's identity. Many want miners to be able to mine anonymously.

DNA could actually be used, though again only with trusted third parties. The trusted 3rd parties would read your DNA (this is quite cheap today) and hash key SNPs from it, and generate an ID for you if the existing public records do not show your DNA has already gotten an ID. Your DNA hash would then go into the public database (in the blockchain) as used. For identical twins to get two IDs they would need to show up together to prove they were twins, and this would allow a second ID to be issued. The relationship between the ID and the DNA should not be stored. Once again, the DNA certifying companies must be trusted, as they could generate fake IDs.

Proof of Work mining hour

A list of miners could also be generated using proof-of-work. Once a week, there could be a "world mining hour" where all miners use their computers to work on PoW mining problems. Each success would add that miner to the pool of miners to be picked randomly for the rest of the week. The hour might be the most off-peak of hours (midnight GMT on Sunday morning.) This has some interesting attributes:

  • It still is worthwhile to buy ASICs to win the most shares in the hour, though it possibly becomes worthwhile to also buy supercomputer time to compete. Those supercomputers get funded but can do useful work most of the week.
  • There is no longer much electricity wasted
  • If the mining is ASIC-proof, we get closer to the ideal of democratized mining, as there is strong incentive to make use of existing computer equipment. It becomes far less competitive to buy expensive GPUs just to run one hour a week.
  • It is a bit easier to look out for botnets and thieves, who must now do their work at the specific hour. Computers that suddenly get busy at that hour are pretty obviously mining. Non-mining computers may in fact just be shut-off at that hour.

Is Mining Innovation the key issue?

As interesting as these mining issues are, I feel it's a bit strange that most of the alternate coins differentiate themselves from Bitcoin through their mining system. While mining should be improved, this is not the level of innovation we should seek in a healthy ecosystem of competing protocols. More interesting are innovations in how the coins are used, which we find in Mastercoin and Etherium. Dogecoin is technically the same as Litecoin, but is interesting because of how it's used as a casual tipping and donation currency. If all that is different about an altcoin is that it is mined differently, or pre-mined to some worthy cause, I am not sure that will be enough to sustain it. But a new coin with valuable features that also works out how to not do wasteful mining will be very attractive.

I believe the most interesting thing about Bitcoin is that it provides an open platform which allows people to innovate independently, without getting permission from anybody, in the world of finance and contracts. From this field, great innovations will come, as they did for the internet. This is what I really want to see.


"It is a bit easier to look out for botnets and thieves, who must now do their work at the specific hour. Computers that suddenly get busy at that hour are pretty obviously mining."

True, but the botnets could just direct your computer toward something else when not during that hour, so that there would be no peak or drop in processing to detect.

"Non-mining computers may in fact just be shut-off at that hour."

This is true as somewhat of a deterrent or defense, though it would still be annoying to have to resort to doing this instead of just figuring out how to remove the infection. You're right that at least it would be at a specific hour.

It is true a mining hour is not a complete answer to hijacking for computing for mining -- but my point is it does improve the problem somewhat. To hijack for mining you really want 100% of the CPU, and doing that the rest of the time too is going to get you noticed a little more.

Hijacking just 10% of the CPU to not get noticed is possible of course.

Add new comment