It appears that Satoshi has convinced himself that bitcoin was secure, or secure enough. In his paper he repeatedly claims that bitcoin is secure IF a certain assumption holds. What exactly is Satoshi's assumption?
Knowing the assumption is crucial: if we have stated our assumption and bitcoin is later shown to be broken or insecure, we can blame EITHER the real world, which does not satisfy our assumption, OR the designers and engineers of bitcoin, who were not able to design a secure system based on this assumption. In other words we would have a clear-cut situation and should be able to determine without ambiguity who is to blame for bitcoin being insufficiently secure.
In this respect Satoshi sets a bad example: he is not clear about what his assumption is, and yet he several times explicitly claims that his system is in some sense secure:
- For example, in the abstract of his paper Satoshi says that he assumes that “majority […] are not cooperating to attack the network“. Here Satoshi claims the system is secure under this assumption, a security claim which is NOT TRUE in pooled mining, as people can easily be part of a large-scale attack without cooperating (we recall that Satoshi's paper is all about CPUs, so not only did he not predict pooled mining, he also did not anticipate that people would build ASIC hardware miners solely for the purpose of mining).
- In Section 6 of his paper there is initially no security result claimed, just an “incentive” which possibly “may help encourage nodes to stay honest.” This could however be interpreted as a very weak security assumption: we may for example observe that ‘nodes have some incentives to stay honest’ (a fact), and then the assumption would be ‘if nodes have a non-zero incentive to stay honest they will be honest‘ (a clear assumption). In the text which follows a security result is claimed: the attacker is claimed to have a certain choice, which is clearly an incorrect security claim. Even under some assumption, the security result claimed here by Satoshi is incorrect.
- Section 6 can also be interpreted differently, as another security assumption: the attacker is assumed NOT to be “able to assemble more CPU power than all the honest nodes”. This assumption is clearly badly confused and flawed, as the attacker could control the hash power of the very same honest nodes (both have some control, neither exclusive). Now let us assume this, and possibly make the even stronger assumption that he cannot assemble hash power at all, in any meaningful sense. Does bitcoin become secure under this assumption? Again not in the sense claimed by Satoshi in the text which follows: the same fake dilemma is claimed.
- In the conclusion of his paper Satoshi again claims that the system is secure if “honest nodes control a majority of CPU power”. This is a very different and STRONGER assumption than the first one above: nodes could be dishonest and deviate from the protocol for fun or for profit in a variety of creative ways without “cooperating” with any attacker.
- Does this stronger assumption make bitcoin secure? Of course not: the security result claimed by Satoshi is wrong again if you take it literally. Even if honest nodes control a majority of hash power, because that control is not exclusive, bitcoin can still be attacked.
- Maybe we need to require an even stronger assumption, such as the following ideas:
  - Assumption 253: Honest nodes have exclusive control over a majority of hash power, honestly include all the bitcoin transactions with valid digital signatures which they receive from the network, and mine on the longest chain or, in case of a fork, on the branch which they received first.
  - We should remark that the Cornell researchers have proposed to modify this last rule and choose a branch at random in case of a fork.
Future research will show whether bitcoin is secure under this (much stronger) assumption, or a version of it. Clearly the first version is not ideal and does not make bitcoin totally secure against some attacks, however impractical these attacks may be. It is also possible to see that the work of the Cornell researchers on honest mining is still very innocent: they assume that the attacker is honest in the sense that he is NOT trying in some way to cancel any transactions; the only thing he is trying to achieve is to earn a bit more than he would from ordinary (honest) mining.
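As an added illustration (my own Python, not code from this post or from the Cornell paper), the following models the fork-choice half of Assumption 253 against the Cornell random rule: honest nodes always extend the longest chain, and on a tie they either take the branch they received first or pick one at random. The scenario is constructed: a height-1 fork where branch A reached 70% of honest nodes before branch B, i.e. A's miner has a propagation advantage; the block names, node count and the 70% figure are assumptions.

```python
import random
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Block:
    name: str
    parent: Optional[str]  # None for the genesis block
    received_at: float     # local time at which this node first saw the block

def height(blocks, name):
    """Distance from genesis (genesis itself has height 0)."""
    h = 0
    while blocks[name].parent is not None:
        name, h = blocks[name].parent, h + 1
    return h

def choose_tip(blocks, rule, rng=random):
    """Block an honest node extends: longest chain, ties broken by `rule`.
    "first_seen": earliest received (the rule written into Assumption 253).
    "random": uniform choice among tied tips (the Cornell proposal)."""
    tips = {b.name for b in blocks.values()} - {b.parent for b in blocks.values()}
    best = max(height(blocks, t) for t in tips)
    tied = sorted(t for t in tips if height(blocks, t) == best)
    if rule == "first_seen":
        return min(tied, key=lambda t: blocks[t].received_at)
    if rule == "random":
        return rng.choice(tied)
    raise ValueError(f"unknown rule {rule!r}")

def honest_split(rule, nodes=10_000, a_first_fraction=0.7, seed=1):
    """Fraction of honest nodes that end up mining on branch A of a constructed
    height-1 fork (A and B both extend genesis G) in which `a_first_fraction`
    of the nodes received A before B."""
    rng = random.Random(seed)
    a_first_nodes = round(a_first_fraction * nodes)
    on_a = 0
    for i in range(nodes):
        a_first = i < a_first_nodes
        blocks = {
            "G": Block("G", None, 0.0),
            "A": Block("A", "G", 1.0 if a_first else 2.0),
            "B": Block("B", "G", 2.0 if a_first else 1.0),
        }
        on_a += choose_tip(blocks, rule, rng) == "A"
    return on_a / nodes

if __name__ == "__main__":
    for rule in ("first_seen", "random"):
        print(rule, honest_split(rule))
```

Under the first-seen rule the propagation advantage carries straight through to the honest hash-power split (0.7), whereas the random rule brings it back to roughly 0.5 whatever the advantage; a longer branch still wins outright under both rules.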