Wednesday, November 18, 2015

The effect of colored coins on Bitcoin security

Right now, Bitcoin mining is still subsidized to a considerable degree, because newly minted coins comprise the vast majority of each block reward. When this initial distribution of the money supply subsides and becomes insignificant, the Bitcoin miners will earn their revenues from transaction fees.

For the Bitcoin network to be secure against an attacker who has a large amount of hashpower, the transaction fees should be high enough to make it lucrative for honest miners to participate in the mining process. When this is the case, there will be a suitable amount of honest mining power devoted to the security of the Bitcoin network, which would make external attacks more costly.

In the way that the Bitcoin network has been operating so far, the miners impose flat fees whose main purpose is to make it costly to attack Bitcoin by bloating the blockchain and UTXO set. Since the block reward subsidy (currently 25 BTC) is still much greater than the fees that the market can bear, miners don't care much for dealing with more involved transaction fee policies. In fact, there are miners who consider it financially lucrative to avoid validating the transaction data altogether. For example, see what happened with the BIP66 forks here and here (in this case SPV mining led to a financial loss; a better strategy would be to validate the previous block after starting to solve the current block).

As long as the Bitcoin network continues to operate as it always has, meaning that miners impose only flat fees to counter blockchain bloat attacks, there isn't any particular difference between colored and uncolored transactions in relation to the security of the Bitcoin system.

However, the subsidy will be 0.78 BTC in less than 20 years, which means that in the not so distant future we will see miners impose transaction fee policies that maximize their profits. A useful policy is to demand fees that are proportional to the amount of BTC transacted, which would allow most people to do low-value transactions for a low fee, and collect more significant fees from high-value transactions.

What would then happen when colored coins transactions take place on the Bitcoin network?

When high-value colored coins are transacted on the Bitcoin network, it implies that the Bitcoin system has a higher value and therefore there are greater incentives to attack it. If the honest miners are unaware of this extra value and are not compensated for it, then the total amount of honest mining power will be derived according to a value that is lower than the actual value of the Bitcoin system. This would make Bitcoin prone to double-spending attacks.

To see that this is the case, consider the simple scenario where the miners impose a fixed flat fee per transaction, while the value that is being transferred in the transactions increases further and further. Here, the honest miners will continue to earn the same amount, while it becomes increasingly lucrative for an attacker to obtain hashpower that would be under her control. This is because the attacker could then spend her valuable (colored or uncolored) coins and receive other goods in return, and then utilize her hashpower to create a competing chain in which she double-spends those high-value coins back to herself.

The straightforward way to avoid this bad outcome is by having Bitcoin miners that aren't color-oblivious. This means that if a valuable colored asset is traded on public exchanges for a certain price, then the Bitcoin miners will recognize transactions that transfer this asset, and therefore demand a fee that is proportional to its price.

But what if the asset is traded in an inner circle that is inaccessible to the general public? The Bitcoin transaction may then contain an encrypted record of this trade, stored as arbitrary data via OP_RETURN. One may claim that secretive assets are likely to represent less value than publicly traded assets...

Worse still, the asset may be publicly traded, but the Bitcoin transaction may encode the transfer by using time-lock encryption. Individual miners would then wish to collect the attached fee by adding this transaction to the block that they are currently trying to solve, even though the content of the transaction could be seen only later (e.g., in a few hours). Here too, one may try to argue that the value of such assets is likely to be lower than the value of real-time publicly traded assets.

So, should we conclude that Bitcoin miners can be forced into being color-oblivious, which would make them impose fees that are too low and thereby damage the security of Bitcoin? Not necessarily.

In fact, when you put unrecognizable trades inside arbitrary OP_RETURN (or bare multisig) data, it does not necessarily imply that you lower your fees this way. Instead, it may imply that you increase the fees of everyone else who incorporates OP_RETURN data into their transactions. How come? Miners may arrive at an informed decision regarding how to charge an appropriately high flat fee for all transactions that contain arbitrary data. One possible way to do it is as follows. The Bitcoin miners can maintain an estimate V of the total value that is transmitted as OP_RETURN data in a given time window (for example two weeks), by having each solved block cast a vote for the value of V, and setting V as the average of the votes in the time window. The miners would then demand a fixed fee cV/N, where c is a protocol constant and N estimates the number of OP_RETURN transactions in the time window. This would hurt those who wish to transact a relatively low value via OP_RETURN encoding, but the Bitcoin miners on the whole will collect fees that are adequate for the security of the network. To avoid the tragedy of the commons (see e.g. the Proof of Activity paper), Bitcoin nodes can deploy a hard protocol rule that considers blocks with arbitrary data but less than cV/N fee to be invalid.
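The cV/N mechanism above can be spelled out in a few lines. The following is an added example, not code from the original post or from any Bitcoin implementation: it assumes that each block carries its miner's vote for V in satoshis, that V is the integer average of the votes in the window, that N counts the arbitrary-data transactions in the window, and that the protocol constant c is the fraction C_NUM/C_DEN (c = 0.001 is an assumed value chosen for illustration). The window of four blocks is constructed sample data; a real two-week window would be about 2016 blocks.

```python
"""Hypothetical consensus rule: a fee floor of cV/N on arbitrary-data txs.

Added example (not from the original post). Assumptions:
- each block carries the miner's vote for V (value moved via OP_RETURN /
  bare multisig in the window), in satoshis;
- V is the integer mean of the votes in the window, N the number of
  arbitrary-data transactions in it;
- the protocol constant c is represented as the fraction C_NUM/C_DEN.
"""
from dataclasses import dataclass

C_NUM, C_DEN = 1, 1000          # c = 0.001 (assumed value, for illustration only)
SATS_PER_BTC = 100_000_000


@dataclass(frozen=True)
class Tx:
    fee_sats: int
    arbitrary_data: bool        # True if the tx carries OP_RETURN / bare multisig data


@dataclass(frozen=True)
class Block:
    vote_v_sats: int            # this miner's vote for V, in satoshis
    txs: tuple


def estimate_v_and_n(window):
    """V = integer mean of the per-block votes; N = arbitrary-data txs in the window."""
    v = sum(b.vote_v_sats for b in window) // len(window)
    n = sum(1 for b in window for tx in b.txs if tx.arbitrary_data)
    return v, n


def min_data_fee(window):
    """Fee floor cV/N in satoshis (0 if no arbitrary-data tx was seen in the window)."""
    v, n = estimate_v_and_n(window)
    if n == 0:
        return 0
    return (v * C_NUM) // (C_DEN * n)


def block_is_valid(block, window):
    """Hard rule: any arbitrary-data tx paying below cV/N invalidates the block.
    Plain (data-free) transactions are not subject to the floor."""
    floor = min_data_fee(window)
    return all(tx.fee_sats >= floor for tx in block.txs if tx.arbitrary_data)


def _sample_block(vote_btc, data_tx_count, plain_tx_count=2, data_fee_sats=20_000_000):
    """Build a constructed sample block with the given vote and tx mix."""
    txs = tuple(Tx(data_fee_sats, True) for _ in range(data_tx_count)) + \
          tuple(Tx(10_000, False) for _ in range(plain_tx_count))
    return Block(vote_btc * SATS_PER_BTC, txs)


# Constructed sample window: votes average 1000 BTC, 10 arbitrary-data txs in total.
SAMPLE_WINDOW = (
    _sample_block(1000, 2),
    _sample_block(1200, 3),
    _sample_block(800, 2),
    _sample_block(1000, 3),
)

# Candidate blocks to validate against the window (constructed).
GOOD_BLOCK = Block(1000 * SATS_PER_BTC, (Tx(10_000_000, True), Tx(10_000, False)))
BAD_BLOCK = Block(1000 * SATS_PER_BTC, (Tx(5_000_000, True), Tx(10_000, False)))

if __name__ == "__main__":
    v, n = estimate_v_and_n(SAMPLE_WINDOW)
    print(f"V = {v / SATS_PER_BTC} BTC, N = {n}, floor = {min_data_fee(SAMPLE_WINDOW)} sat")
    print("good block valid:", block_is_valid(GOOD_BLOCK, SAMPLE_WINDOW))
    print("bad block valid:", block_is_valid(BAD_BLOCK, SAMPLE_WINDOW))
```

With these inputs V comes out at 1000 BTC and N at 10, so the floor is 0.001 * 1000 / 10 = 0.1 BTC per arbitrary-data transaction; a block whose OP_RETURN transaction pays 0.05 BTC is rejected while the plain 10,000-satoshi transactions are unaffected. Using integer satoshis rather than floats keeps the floor deterministic across nodes, which a consensus rule requires.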

Another point is that perhaps in the future tagging-based colored coins will be supported by the Bitcoin network, see e.g. this presentation for illustrations. This would mean that all of the Bitcoin full nodes (rather than only color-aware nodes) need to do a little extra work to verify that colored transactions are valid, thereby allowing lite clients (like mobile phones) to do color verifications efficiently. For ordinary/uncolored transactions, full nodes wouldn't need to do any extra work. Since inaccessible or time-encrypted colored transactions are incompatible with tagging-based support, this makes them less valuable.

Going forward, it is difficult to predict the total amount of hashpower that will be dedicated to securing the Bitcoin network. The current hashpower amount is quite high relative to the popularity of Bitcoin, hence double-spending attacks do not take place in the present. One possibility is that the added value that will be transacted on Bitcoin via colored coins remains low enough relative to the security threshold that honest miners will provide anyway. Otherwise, as discussed above, there are technical proposals that the Bitcoin network can adopt to become more resilient to attacks that may occur as a result of this added value. In summary, colored coins don't present any immediate danger, but in case colored coins become highly popular they might put the security of Bitcoin at risk, thus requiring the Bitcoin network to incorporate modifications that would make it more robust.


  1. There is great strength in having all blockchain-based applications (Bitcoin, alternative cryptocurrencies and non-currency usage) join forces and be secured by the total of all the world's hashpower. It will be interesting to see the future developments in monetization methods that maximize the amount of funds available to sponsor mining.

    1. Right, there's more going on than just Bitcoin mining; quite a lot of power is used for Litecoin mining and so on. If these efforts could be combined in the future to provide better robustness overall, then this will enable better security for colored assets too. Also, a hybrid of proof-of-work and proof-of-stake can be helpful in this regard, etc.