Today at the Deconomy 2018 conference, Ethereum co-founder Vitalik Buterin stood up from the audience during a panel discussion and asked why nChain Chief Scientist Craig Wright, a man he called "crazy," was being allowed to speak at the conference.
As proof of Craig Wright's insanity, Buterin brought up Wright's mention of the proposed selfish mining attack in Bitcoin, where Wright had stated that a factor in the attack called gamma (Greek letter γ) is actually "negative."
The odd thing about Wright's statement is that gamma (γ) is a number that varies from 0 to 1 by definition and cannot possibly be a negative number.
However, the striking thing about Buterin's pronouncement that this remark proves Wright a madman, is how presumptuous and intellectually uncurious it is. When someone says something that cannot possibly be true in any interpretation you can think of, you have to make a judgment call: is this person clueless/insane or are they just phrasing things in a strange way?
Well, that largely depends on whether you see what their strange phrasing is getting at. If you see it, the phrasing is simply written off as an oddity. If you don't see it, you might start to question the person's sanity, but in my experience perhaps 9 times out of 10 the person is simply wording things in a way that is failing to cross a vast gulf of inferential distance that is separating you.
When I heard Buterin make his claim, even without hearing Wright's presentation nor his answer to Buterin, it was obvious to me from even the two words "negative gamma" what Craig was likely referring to. In fact, anyone who understands the network topology of Bitcoin and the financial incentives that drive the formation of that network topology, and is familiar with the selfish mining idea of using zero-hashpower virtual nodes to increase the gamma (γ) coefficient, should be able to see the issue immediately.
Indeed, it is not a matter of a negative value for the coefficient gamma (γ) but a reversal of sign in terms of the benefit gamma is purported to bring to the selfish mining pool.
I'll now show that the suggestion that gamma is "negative" is simple, correct, and relevant but worded in a weird way - a habit Wright is known for, which makes all the more puzzling the widespread kneejerk dismissal of his statements based on an eccentricity of verbiage. If there's one thing you realize within a few minutes of listening to Craig Wright, it's that he's not going to use language in a normal way and you're going to have to do a lot of thinking through the gaps to grasp his points and their relevance.
Anyway, let's begin by looking at this section of the original selfish mining paper [emphasis mine]:
The Bitcoin protocol prescribes that when a miner knows of multiple branches of the same length, it mines and propagates only the first branch it received. Recall that a pool that runs the Selfish-Mine strategy and has a lead of 1 publishes its secret block P once it hears of a competing block X found by a non-pool block. If block P reaches a non-pool miner before block X, that miner will mine on P.
Because selfish mining is reactive, and it springs into action only after the honest nodes have discovered a block X, it may seem to be at a disadvantage. But a savvy pool operator can perform a sybil attack on honest miners by adding a significant number of zero-power miners to the Bitcoin miner network. These virtual miners act as advance sensors by participating in data dissemination, but do not mine new blocks. (Babaioff et al. also acknowledge the feasibility of such a sybil attack [4]). The virtual miners are managed by the pool, and once they hear of block X, they ignore it and start propagating block P. The random peer-to-peer structure of the Bitcoin overlay network will eventually propagate X to all miners, but the propagation of X under these conditions will be strictly slower than that of block P. By adding enough virtual nodes, the pool operator can thus increase γ [gamma].
The first thing to note is that this passage is premised on a network model that has nothing to do with the Bitcoin mining network. The Bitcoin mining network is nearly a complete graph.
Every significant hashpower miner has a direct connection* to every other significant miner, with networking resources devoted to connecting to each other miner in proportion to its demonstrated hashrate.
Contrary to the claim made in the selfish mining paper, the Bitcoin mining network is not a "random peer-to-peer structure" but instead an all-to-all structure, and this structure is determined not randomly but by the financial incentives of each miner to propagate their blocks to as much of the rest of the hashpower owners as possible, as quickly as possible, as well as to receive new blocks as quickly as possible.**
Given the all-to-all topology, you can see that any zero-hashpower virtual nodes ("spy nodes") the selfish mining pool places near the honest mining nodes do nothing to alert the selfish miner any faster of any blocks the honest miner releases.
In fact, insofar as the selfish mining pool were to follow the paper's advice and rely on these spy nodes to alert them of new honest miner blocks, they would merely add an extra hop for the selfish miner when the original honest and selfish nodes were all already connected to one another through very fast direct connections whose speed and directness are ensured by strong financial incentives.
The selfish mining pool would be foolish to throw in an extra hop and listen through that necessarily slower and less direct connection.
In that way, the effect of this attempt to increase gamma (γ) is actually negative; it would hurt the SM and help the HM, the opposite of the intended result.
As a bonus point, since the prioritization of connections are of course based on demonstrated hashpower (you prioritize connections to the most productive miners**), honest-miner networking resources invested in connections to any such zero-hashpower spy nodes will at best be provisional and minimal compared to the fast direct connections they already maintain to the existing selfish mining pool nodes.
If you can visualize what the shape of a complete graph network looks like under the incentives mining creates, it is easy to see that the idea that zero-hashpower spy nodes could ever help the selfish mining pool is in fact what Buterin should be calling the insane position: it cannot possibly be true given the mining network topology. The conclusion could only be arrived at if the network were an entirely different shape: a loose mesh network with random connections, for example, where blocks going from one miner to another would have to propagate along multiple hops and could therefore be blocked to slow propagation (this, by the way, is the same myth that underlies the misunderstanding that a UASF by non-mining nodes can exert any influence via the software alone).
It seems that Ittay Eyal and Emin Gün Sirer, the authors of the selfish mining paper had something like (c) "distributed network" below in mind when they claimed, "By adding enough virtual nodes, the [selfish mining] pool operator can thus increase γ [gamma]." In their defense, the conventional wisdom in 2013 when they penned the initial paper was to assume the Bitcoin mining network was shaped basically like this loose mesh network.
In such a network the claim would be true, but Bitcoin mining nodes are not structured in this way at all. If you think about the incentives, it would make no sense for you as a miner with one of the nodes near the bottom of network graph (c) to not make a direct connection to all the significant hashpower nodes near the top of the graph, and to invest network resources preferentially to this connection over any connection to a zero-hashpower node. It would just be throwing money away to competing miners who did make such connections and didn't waste their resources on nodes that haven't demonstrated any hashpower.

The incentives drive the topology.

The foregoing shows how the shape of the network, far from being an incidental feature, is crucial. The difference between a loose mesh structure and a complete graph means the difference between a Sybil attack hurting the network or just hurting the attacker. It means the difference between a 0-confirmation transaction being viable after tens of seconds or tenths of seconds. It means the difference between being able to partition the network by knocking out just a few nodes and not being able to partition the network even if you knock out all but a few nodes.
Indeed, it means the difference between bigger blocks making Bitcoin easier to attack and bigger blocks - even at the gigabyte and terabyte level - making Bitcoin harder to attack. Bitcoin Cash is the only blockchain that embraces the full implications of the all-to-all network topology driven by mining incentives, which when properly understood enable on-chain scaling at least 6 orders of magnitude greater than is conventionally thought possible, with superior decentralization, robustness, and security to boot.
For the numbers on this, check out Lokad founder Joannes Vermorel's presentation Terabyte Blocks for Bitcoin Cash:
*Some will misunderstand what is meant by a direct connection here. "After all, isn't the Internet itself made of many hops? How can you speak coherently of direct connections versus connections via multiple hops?" Yes, the Internet onto which the Bitcoin mining network is overlaid consists of many hops. What "hops" here refers to is the number of hops counted along the Bitcoin mining network nodes themselves. This is important because each node can choose to relay blocks or not; indeed this ability to refuse to relay blocks is the premise of the quoted passage whereby the selfish pool operator can supposedly increase gamma. (To cut off movement of block packets along hops on the Internet at large, such as by compromising ISPs, would be a different attack and not the subject of the selfish mining paper.)
**The incentives are as follows: if you are late getting a block that has just been mined by another miner, you end up wasting hashpower and losing a lot of money. Every second counts. Likewise, if you are late getting your newly mined block out to other miners, you risk losing the block reward to another miner who has invested more in networking. These incentives push all significant miners to connect directly to all other significant miners, with very fast and robust connections, and with even faster connections to the most productive miners. Again, every second counts. Any additional hops or less-that-blazing-fast connections from or to you to the other miners is money down the drain. Proof of work is as much about proof (fast communication) as it is about work (fast hashing).

Note: Nothing behind the paywall but a thank-you for reading, and for being curious :)
 

$29.50
$13.75

Reviews
22 of 22 reviewers say it's worth paying for

0 of 22 reviewers say it's not worth paying for
Comments
  earned $1.56
So many flaws in the selfish mining paper, that it should be retracted. I imagine that it's easier for Emin to allow it's flawed premises to stand though, and attack anyone who criticizes it.
Thanks for the well-written article! It was very clear in laying out the pieces of the puzzle you were focusing on.
$1.56
   6mo ago
25.0¢ 25.0¢ 1.0¢ 25.0¢ 25.0¢ 25.0¢ 5.0¢ 25.0¢
  earned 25.0¢
Sorry, a presumption of a zero-hop structure is irresponsible and not robust at all. If you start your modeling by assuming zero-hops, you also take away the permissionlessness of your network - since any disagreements and censorships that happen between nodes will necessarily degrade that structure and introduce hops in propagation. We do not require people to run nodes, but basing designs on an assumption of small number of nodes all with zero hops is just asking for trouble. Lose permissionlessness, and you lose bitcoin - it's pointless, might as well use XRP.
You do not hand-wave it away by "economic incentives". High-level economic incentives not built into the protocol (such as the one mentioned here) work out over the long term, and are susceptible to sudden changes in short term incentives. That's not how you build robust networks.
25.0¢
   6mo ago
25.0¢
  earned 0.0¢
So that is it? Draw a 7 node Complete Small World Graph slap a "Bitcoin Network sticker on it", say "Very fast direct connections" , "My economic incentives" and now the whole Selfish Mining paper is wrong?
0.0¢
   6mo ago
  earned 95.0¢
I have no clue what some of the commenters are referring to as the presumption of a zero-hop structure in this article. I've read and reread the article and I don't see anything implying an absolute, zero-hop structure.
95.0¢
   6mo ago
50.0¢ 10.0¢ 25.0¢ 10.0¢
  earned 35.0¢
Also, thanks for the great article! Please write more! :)
35.0¢
   6mo ago
10.0¢ 25.0¢
  earned $12.36
@im_uname Miners creating fat pipes to each other is exactly what you would expect in a permission-less network. And you will be censored precisely in accordance with your demonstrated hash power. Just like a neural network, you increase the weight of neurons which have demonstrated more reliable outcomes. In biology, dopamine is that metric. In Bitcoin, hash power is that metric.
When you start producing hash power, you send the headers through a thin pipe, and then those miners start to see your hash power demonstrated, and only then do they increase your weight.
This is what is meant when describing Bitcoin as a Biologically inspired network. You can literally SEE this happening when you graph the network from chain history. Craig is describing reality. Seeing is believing. Watch what I'm talking about when new nodes join the network.
$12.36
   6mo ago
10.0¢ 10.0¢ 1.0¢ 25.0¢ 25.0¢ 25.0¢ 10.0¢ $10.00 25.0¢ 10.0¢ 25.0¢ 25.0¢ 10.0¢ 10.0¢ 25.0¢
  earned 10.0¢
>> Indeed, it is not a matter of a negative value for the coefficient gamma (γ) but a reversal of sign in terms of the benefit gamma is purported to bring to the selfish mining pool.
If he wanted to illustrate the fact that trying to sybil attack the network would actually only hurt the attacker's own profits, it makes no sense to just take variable that **affects** the profits of the selfish miner and make it negative. The sensible thing to do would be to introduce a **new variable** that's affected by how many sybil nodes are introduced and the cost of introducing them.
Even if Craig Wright's decision to allow for negative gamma provides "accurate" results with regard to the selfish miner's profits, it's not just him phrasing things weirdly. It is literally nonsensical in the context in which he's using it, which is the context of the selfish mining paper, where **they defined the variables they used**.
>We denote by the ratio of honest miners that choose to mine on the pool's block, and the other (1 ) of the non-pool miners mine on the other branch.
Craig Wright can't just change the meaning of a variable from "the ratio of honest miners that choose to mine on the pool's block" to "A number that affects the profits of the selfish miner having to do with how many sybil nodes they introduce to the network" and not expect people to call him out for not making any sense.
10.0¢
   6mo ago
10.0¢
  earned 27.0¢
Notice the strange arbitrary lines that are being drawn in the sand in these comments.
Some weird terminology that someone came up with elsewhere, which has no real meaning, "zero-hop structure".
"Craig Wright can't just change the meaning of a variable.."
None of these things mean anything, nor are they really backed up with anything more than vague hand-waving, they're just the tenuous support on which the poster's cognitive dissonance is based.
27.0¢
   6mo ago
2.0¢ 25.0¢
  earned 53.0¢
Thanks to @wecx for highlighting Emin's particular cognitive dissonance in the form of a revealing tweet, in it Emin denies that the original selfish mining paper referred to particular topography. Now scroll up and find the section of the original paper @zanglebertdingleback quoted, it specifically talks about assumed network topography! Good point @wecx, that's a humdinger of a mistake on Emin's part.
Emin's tweet contents preserved: "What a crock. SM assumes nothing of the topology. It is this particular piece that assumes a fully-connected, 0-latency mesh among miners. This is as physically impossible as Craig's network w/ a consensus protocol that operates faster than speed of light."
And for direct reference, a relevant portion of the quoted original selfish mining paper, used by Zanglebert in his article: " The random peer-to-peer structure of the Bitcoin overlay network will eventually propagate X to all miners, but the propagation of X under these conditions will be strictly slower than that of block P. By adding enough virtual nodes, the pool operator can thus increase γ [gamma]. "
What can we take from this? That Emin doesn't understand what is in his selfish mining paper, and/or didn't really read this article. How did we arrive in this sad situation? Repeal the paper.
53.0¢
   6mo ago
10.0¢ 18.0¢ 25.0¢
  earned 0.0¢
The incident does speak to Buterin's level of intellectualism. At the same time, Buterin gets a pass now and then while Wright is pretty clearly out of passes, having gone deep sea diving in the muck for no particular reason save vanity dozens of times in under three years since declaring himself satoshin.
0.0¢
   6mo ago
25.0¢
  earned 25.0¢
I'm getting tired of hearing about CSW—and much of what I'm tired of hearing comes from him. We don't need a cult of personality. It's time for him to sit down and produce something.
25.0¢
   6mo ago
25.0¢
  earned 0.0¢
Kenneth, since when did the world revolve around what you want to hear or not? :-) There are other people with other interests.
0.0¢
   6mo ago
  earned 0.0¢
This whole “selfish mining” thing appears to be a bit of a farce. I might have been willing to give it some cred if they had called it “parasitic mining,” because destruction of the Bitcoin protocol appears to be the end game of the strategy, not some disproportionate value sequestration. I mean, who would use Bitcoin at that point. The successful parasitic mining pool would be metaphorically toasting the iceberg after rearranging the deck chairs on the Titanic. I guess the word “selfish” aligns more with some sort of perpetual right to take, which is why I believe there was an effort to persuade in the “selfish mining” paper. Seems a little Malthusian, and it will not be paralyzing me with some sort of Strangelovian fear, especially having performed some elaboration on the concepts in this post.
0.0¢
   6mo ago
  earned 50.0¢
This debate seems so odd to me, since 0-conf has been used for years is and is being used right now by merchants. They know the risks, they accept the risks under whatever $ level they deem appropriate, and on rare occassion, they have to eat the cost of a double spend. This is no different than risks of taking checks or credit cards that sometimes don't clear. It's being debated as if 0-conf is something that maybe someday could be used if the risk were eliminated...meanwhile it is being used every day and merchants seem fine with it.
50.0¢
   6mo ago
25.0¢ 25.0¢
  earned 0.0¢
Where is the paper where Craig (supposedly) said gamma was negative?
The selfish mining pool would be foolish to throw in an extra hop and listen through that necessarily slower and less direct connection.
This is misguided. The selfish mining paper doesn't suggest listening through an extra hop. Each extra node would already possess the hidden block and would by itself be able to publish it as soon as it sees another block. There is no extra hop involved. More nodes can't have a negative effect on gamma as they don't change any other node's ability to publish the hidden block as soon as it see a new block.
0.0¢
   6mo ago
  earned 0.0¢
0.0¢
   5mo ago