Note: A lot of people think this is purely about a >50% attack. Not true; here’s how this unfolds with 10% of censoring hashrate.
Bitcoin is often said to be anonymous and uncensorable. Thanks to chain analysis, anonymity is, to some extent, disputed wishful thinking from the past. And it looks like it won’t be so nice with censorship resistance either.
My reasoning begins with this quote from fluffypony on Twitter:
This mining pool censors transactions that are included in the government blacklist. For the time being, the pool just leaves money on the table, so if the pool decides not to include “dirty” transactions, the end result is that they do not earn transaction fees for that transaction (and go for cheaper transactions) and the “dirty” transaction is mined in another block by a different miner. But I think it’s still a dangerous precedent and it gets scary when you think it through.
I think if governments or anti-money laundering organizations want to censor Bitcoin, that’s exactly the first step. Try it out on one pool. But if at least one pool mines these transactions, we’re fine, right? Not really.
Let’s think about what these organizations might do next. Spoiler alert, these steps lead to successful censorship of Bitcoin:
- Miners have invested a lot of money in mining hardware and data centers, and they are paying for electricity and taxes – especially large mining operations. They are mostly not cypherpunks, but corporations with shareholders: the CEO wears a suit and a tie, the company has a business permit, all stamps in order, … At the same time they need a bank account and an account at some Bitcoin exchange, because they have to pay suppliers (for energy, rent, taxes, …).
- If the government comes in and says, “You can’t mine the blocks that spend these UTXOs, or you’ll lose either your bank account, exchange account or business permit, or go to jail for money laundering”, most of the big miners would comply. Blockseer is just a first example. They have shareholders that are awaiting dividends; they are not rebels against the establishment. By not mining certain transactions, they are only losing some transaction fees and at this point, no one would know. Some miners even occasionally mine empty blocks when the mempool is not empty, so not including a transaction is not an unusual thing to do.
- A very important note here is that anti-money laundering regulations and blacklists are mostly global and they are not approved by states’ parliaments or governments. The enforcement is done through network effects. Whether you can be connected to the payment networks of the world (SEPA, SWIFT, ACH, …) depends on how well you fight money laundering and how well you implement AML standards. These standards are created by organizations such as the FATF-GAFI (remember crypto travel rule?). Thus, it is quite possible that such an organization will start publishing blacklists and they will be accepted by miners in all countries under the threat of jail / loss of business license / loss of bank account / loss of exchange account. For the last two, you only need FATF AML network effects and not local law! The FATF-GAFI rules are considered an international standard for fighting money laundering. States are just saying that some entities need to fight money laundering by referring to international standards that are not approved by any parliament in any country.
- Of course, there will always be small scale miners who have bought an ASIC and are mining in their kitchens or on their balconies. They could not care less about FATF-GAFI travel rules. But it won’t help much…
- If these rules are followed by more than 50% of hashrate, there may be a simple addition to the rules: “If you build upon a block that contains prohibited transactions, you are laundering money.” This is actually a soft fork introduced by the regulator (beware, not even directly by a state).
- This creates a weird Schelling point situation. Even if I am a miner mining in my kitchen and don’t care about any transaction blacklist, if there is even a double-digit probability that a block I (or rather my pool) find will become orphaned because the next block is found by a big miner, I will think twice about including a blacklisted transaction in the blockchain. The math is simple – I either get an additional ~5 USD transaction fee, but could lose the whole block reward, or I don’t include this transaction and keep the whole block reward (coinbase + all tx fees). Including a tainted transaction is a low-upside, huge-downside decision. Even if I am not under the jurisdiction of such a rule and I don’t particularly want to censor transactions, if I understand risk-reward properly, I will just omit it. No harm done, someone else can try.
- A majority of the hashrate can introduce such a soft fork. In addition to the fact that the company can continue to do business and ensure a return on its investment in hardware, the second reason is economic. You don’t want to mine blocks that are later orphaned. But it gets even better for the censors. The effect would be the same as if the miners who do not follow the new soft fork rules shut down their mining machines (if there is at least one transaction with “dirty coins” in the mempool). Why? If a lot of miners decide to refuse tainted transactions and refuse to build upon blocks that contain them, every miner that mines them into a block is basically burning electricity for nothing. It is the same as if they just stopped mining – the “softfork” hashrate is lower, so the reward per hashrate is higher. Introducing a softfork means more money for complying miners and no money for non-compliant miners. The compliant miners mine more blocks; it is as if the non-compliant miners did not exist. This means that the miners have an economic incentive to enforce this rule. Let me repeat this: Even the miners that are morally against this rule are economically motivated to comply.
- If governments or FATF-GAFI do not want to wait for the majority of the hashrate, they can implement this rule even faster. Just tell the exchanges “if you want to be connected to the fiat payment network, your Bitcoin nodes can only accept compliant blocks, otherwise you will be laundering money and we will shut you off from the fiat network and send nice SEC agents to your shiny office”. Exchanges are dependent on connectivity to the fiat network, because new capital flows through it to the crypto economy and that’s how they make money – from the fees on trades. Kraken, Coinbase, Binance,… will gradually start running full nodes with a blacklist. They are using blacklists already, but they only refuse deposits from tainted addresses. I am talking about refusing blocks with tainted transactions. Guess what the miners do? At the end of the month, they need to send the mined coins to an exchange to get fiat to pay for electricity. For this, it is absolutely essential that the exchange “sees” the blocks. The miners need to be on the same chain as the exchange, otherwise they are screwed.
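The risk-reward argument from the Schelling point step above, worked through as an added example that is not part of the original post. It assumes censoring miners hold a fixed hashrate share q and never build on a block containing a blacklisted transaction, while everyone else follows the longest chain; the 100,000 USD block value and all function names are constructed, and only the ~5 USD fee comes from the text.

```python
"""Added example (not from the original post): is a ~5 USD fee worth the orphan risk?

Assumed model: censoring miners hold a fixed hashrate share q and never build on
a block that contains a blacklisted transaction; all other miners follow the
longest chain. Natural orphan risk is ignored.
"""
import math
import random


def orphan_probability(q: float) -> float:
    """Probability that the censoring fork ever outgrows the tainted chain.

    The censors start one block behind and must end one block ahead, a net gain
    of two blocks. For q < 0.5 that is the gambler's-ruin result (q / (1 - q))**2.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hashrate share between 0 and 1")
    return 1.0 if q >= 0.5 else (q / (1.0 - q)) ** 2


def simulate_orphan_rate(q, trials=20000, give_up_lead=30, seed=1):
    """Monte Carlo check of orphan_probability() with a seeded random walk."""
    rng = random.Random(seed)
    orphaned = 0
    for _ in range(trials):
        lead = 1  # tainted chain is one block ahead of the censoring fork
        while -1 < lead < give_up_lead:
            lead += -1 if rng.random() < q else 1
        orphaned += lead == -1  # censoring fork became strictly longer
    return orphaned / trials


def include_decision(q, block_value_usd, tainted_fee_usd):
    """Expected revenue with the blacklisted transaction versus without it."""
    p_orphan = orphan_probability(q)
    ev_include = (1.0 - p_orphan) * (block_value_usd + tainted_fee_usd)
    return {
        "p_orphan": p_orphan,
        "ev_gain_usd": ev_include - block_value_usd,
        "rational_to_include": ev_include > block_value_usd,
    }


def min_censoring_share(block_value_usd, tainted_fee_usd):
    """Smallest q at which including the transaction stops paying off."""
    break_even = tainted_fee_usd / (block_value_usd + tainted_fee_usd)
    root = math.sqrt(break_even)
    return root / (1.0 + root)


if __name__ == "__main__":
    BLOCK_VALUE_USD = 100_000.0  # constructed figure: coinbase + ordinary fees
    TAINTED_FEE_USD = 5.0        # the "~5 USD" fee from the text
    for share in (0.01, 0.10, 0.30):
        print(share, include_decision(share, BLOCK_VALUE_USD, TAINTED_FEE_USD))
    print("threshold q:", min_censoring_share(BLOCK_VALUE_USD, TAINTED_FEE_USD))
    print("simulated q=0.10:", simulate_orphan_rate(0.10))
```

Under these assumptions the extra fee becomes a losing bet once the censoring share passes roughly 0.7% of the hashrate, because the break-even orphan probability is only the fee divided by the whole block value.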
The first step of this dystopian scenario has already taken place. We have the first (albeit minority) pool, which does not include some transactions. At this point, it means nothing; at worst, the transaction is mined a bit later. After the introduction of a full soft fork (whether by the hashrate majority or the economic majority of exchanges), Bitcoin’s censorship resistance practically ends.
Lightning network and tainted coins
We will talk about one more dystopian scenario. Imagine for a moment that you are running a node of the Bitcoin Lightning Network (BTW if you have never tried, check out my intro course). So you have installed something like Umbrel or BtcPayServer, you are a good Bitcoiner – you run a Bitcoin full node, some Lightning daemon, you even run it all through Tor. You’ve opened a few channels, providing liquidity to route payments, and earning some fees. You do it all to help the network and verify transactions. So far so good. Or – so far, great!
One day, a local drug dealer on the dark market will check out your node. He needs to launder the drug Bitcoins. He will do this as follows:
- He will install two Lightning nodes, node A and node B. We will mark your node L.
- He moves his dirty coins to node A onchain.
- He buys incoming liquidity on node B (for example, he buys it from Bitrefill)
- On node A, after the coins are confirmed on chain, he will create a high-capacity channel(s) with your node L.
- On node B, he creates a lightning invoice to receive coins. He will pay the invoice from node A.
- Node A after using all sending capacity is turned off and deleted – it doesn’t even have to close the channel, as there is no capacity on his side, he will only lose the channel reserve. Or he can close the channel and deal with the reserve in a later transaction.
- He closes the channel on node B (cooperative close) and sends nice clean money to his wallet.
- When the channel between node A and node L closes (for example you force close it), you get dirty money from drug sales – tainted coins. You can’t even send them away through Lightning because node A no longer exists. They will end up in your on-chain wallet.
If there are common chain analysis issues and these “dirty” coins are a problem – either legal, problems with depositing them to an exchange or even the fact that these coins are so tainted that no miner will mine the transaction – letting other nodes open channels with you (with their UTXO) is a serious security risk. If someone succeeds and the coins are marked as “dirty” only after the attacker does this operation, it is quite possible that you will not be able to move the coins anymore.
Of course, people will probably not be satisfied with this situation and will rightly complain to the state or regulator that they have nothing to do with drug sales and that someone has just opened a channel with them. One possible solution is for the state and anti-money-laundering organizations to say “sorry, our bad, this censorship thing was a bad idea”. Another solution is much more likely:
“Dear users of the lightning network, we see that you often get dirty coins. We’ve passed a new law that addresses your issue. We therefore recommend that you install this open-source module in your Lightning node. Through the API, it verifies that the UTXO through which the other party wants to open the channel is clean. If it is clean, we return a state-signed proof of purity as a result of an API call. If you attach this proof of purity to the transaction as supplementary data, the compliant miner will happily mine it for you, because of course you could not know that the coins were dirty – we did not know either! Thank you for your cooperation in fighting money laundering!
API call parameters: KYC ID of the caller, list of UTXOs in the onchain wallet of the node (why not collect extra data that the state does not need? Have you ever seen a government form that did not ask you when and where you were born? Of course they want to know the age and purity of your UTXOs as well), unsigned transaction by which the other party wants to open the channel
Output: Answer yes-no, state digitally signed certificate of transaction purity
You can get your KYC ID at any branch of the Ministry of the Interior, SEC, just bring two documents and proof of ownership of UTXO – a message signed with your identity with the address keys”
(Crypto-anti money laundering lightning enablement act of 2021)
(Why enablement? Because when government wants to regulate something, meaning ban something, they always sell it to you that they are enabling you to do something. You know, if it is not forbidden, it is enabled by default, but for some reason, in 2020, if government regulates it, it enables it… Weird, right?)
OK, they probably won’t be able to pass such a law in 2021, the soft fork dystopia must happen first. But a similar approach has already been taken by the European Union when verifying reverse charge VAT numbers – if you are a VAT paying entity and the customer is a VAT payer in another EU country and therefore you do not invoice VAT, you can verify their VAT ID on the European Union website (or via an API) and save the call result. If it is not valid and you do not have stored evidence that you tried to verify it (and it was valid then), you have (perhaps) a problem. But I don’t know that anyone would enforce this rule.
Tadaaaa, I’ll do a coinjoin!
If you have “dirty” coins and the miners refuse to mine transactions containing dirty coins, you will most certainly not do a coinjoin.
Coinjoin is a standard transaction that has inputs – if they are already marked as dirty, then you will not get such a coinjoin transaction into the blockchain (soft-forked away!).
If you get it into blockchain and the coins are marked later, you have a problem – you could even put completely clean coins in the coinjoin and suddenly you are marked as a drug dealer on the dark market because some other coinjoin participant was marked and tried to launder money.
If anyone could just use coinjoin to avoid all this censorship, they would. So let’s do it the other way around – coinjoin is an act of money laundering and if any input is tainted, all outputs are tainted.
Ironically enough, the only safe coinjoin is if the coinjoin provider (and preferably also the user) uses and enforces a blacklist. I’ve heard that some coinjoin providers already do this. I don’t know what is worse – if you enforce the blacklist, you are censoring and hurting fungibility. If you are not enforcing a blacklist, you taint all your users’ coins and they will be pissed when they want to use them and are not able to.
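The “if any input is tainted, all outputs are tainted” rule and the blacklist-enforcing coinjoin provider described above, as an added example that is not part of the original post. The toy ledger, its transaction names and the function names are constructed for illustration.

```python
"""Added example (not from the original post): "poison" taint propagation."""
from collections import deque

# Constructed toy ledger: txid -> (outpoints it spends, number of outputs).
# An outpoint is "txid:index". None of these are real transactions.
LEDGER = {
    "deposit_alice": ([], 1),
    "deposit_bob": ([], 1),
    "market_payout": ([], 1),
    "coinjoin": (["deposit_alice:0", "deposit_bob:0", "market_payout:0"], 3),
    "alice_spend": (["coinjoin:0"], 2),
    "carol_unrelated": ([], 1),
}


def tainted_outpoints(ledger, blacklist):
    """Return every outpoint that is blacklisted or descends from a blacklisted one.

    Poison rule: a transaction with at least one tainted input taints all of its
    outputs, so a blacklist published after the coinjoin still reaches the clean
    participants and everything they spend afterwards.
    """
    # Map each outpoint to the transaction that spends it (at most one spender).
    spenders = {}
    for txid, (inputs, _) in ledger.items():
        for outpoint in inputs:
            spenders[outpoint] = txid

    tainted = set(blacklist)
    queue = deque(blacklist)
    while queue:
        spender = spenders.get(queue.popleft())
        if spender is None:
            continue  # unspent, or not part of this ledger
        for index in range(ledger[spender][1]):
            outpoint = f"{spender}:{index}"
            if outpoint not in tainted:
                tainted.add(outpoint)
                queue.append(outpoint)
    return tainted


def coordinator_accepts(inputs, blacklist):
    """A blacklist-enforcing coinjoin provider rejects a round with any listed input."""
    return not any(outpoint in blacklist for outpoint in inputs)


if __name__ == "__main__":
    late_blacklist = {"market_payout:0"}  # marked only after the coinjoin confirmed
    print(sorted(tainted_outpoints(LEDGER, late_blacklist)))
    print(coordinator_accepts(LEDGER["coinjoin"][0], late_blacklist))
```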
Of course, this topic is already relevant now, because many services (such as exchanges) reject dirty coins – and many also reject coinjoin outputs. Even if you withdraw crypto from an exchange to a Wasabi or Samourai and then send it directly to a mixer, you will get a love letter from your exchange, telling you nicely to stop doing that, or they will close your account next time. Of course, they know your name and you have shown your ID, so if you piss them off, they will also report you to your local anti money laundering unit (in my country, that would be financial police).
Change it to Monero and back
If someone has Bitcoins that are not exactly clean and wants to keep Bitcoins, they can exchange Bitcoin for Monero using a decentralized exchange and then after some time (and gradually) change Monero back for Bitcoin, through a reputable exchange (e.g. xmr.to). This will of course cost a few percent in exchange fees and you are also exposed to XMR/BTC exchange rate risk (although the risk can also be to the upside).
If many people solve this problem in this way, there will be a lot of tainted coins left in the wallets of the exchanges and their clients. I don’t know how people will deal with it.
The key is to do it before the coins are marked tainted of course (similar to lightning strategy).
Possible solutions to censorship issues
Anonymous cryptocurrencies such as Monero do not suffer from this problem, at least not so much. The sender, recipient, and amount sent are not visible in the Monero transaction. The Monero transaction refers to your input and ten other inputs.
This might look similar to a bitcoin coinjoin transaction, but there are key differences:
- In Monero, this is how you make any transaction. Miners will not mine transactions that do not have decoy inputs. That’s just how Monero works. Changing this would not be a soft fork, but a hard fork (you would need to relax the consensus rules).
- In Coinjoin, you are signing the coinjoin transaction with your key. You have seen it, understand what you are doing and all the parties approve and sign. In Monero, only you sign, the other people are unwilling participants that your wallet chose. If you appear as one possible input of a transaction in a drug deal, you did not even have to know it – you did not even need to be online when it happened.
- Monero uses stealth addresses, so you cannot blacklist an address. You can only blacklist a particular transaction (without view key of the address). If one address of a dark market is revealed, in Bitcoin, you could cluster many more dark market addresses. In Monero, if a transaction is revealed, it can be blacklisted, but that’s about it. You can maybe blacklist a few transactions with a 90% probability that you are wrong about them.
- Although I’m not a fan of ASIC resistance, because network security depends on proof of work, Monero is much more likely to decentralize miners and have someone mining “in their kitchen”. Mining takes place on regular computers, not on dedicated devices. At the same time, miners include botnets, which is sad, but such miners are motivated not to censor transactions, because I assume they use Monero themselves and need to anonymously spend the rewards. I assume it is much harder to come to the majority of the Monero hashrate and demand they do something (I am not sure about this though).
So should we just ditch Bitcoin and switch to Monero? Well, there is a different kind of censorship happening – exchanges are kicking privacy coins out. Most recently ShapeShift.
Here comes the Bitcoin network effect. It is enough if there is one exchange in the world that exchanges Monero for clean untainted Bitcoin without KYC and then any Bitcoin exchange can change it to fiat or anything else. Such exchange, of course, involves two fees (Monero for Bitcoin and Bitcoin for fiat), but it is still possible.
I call this rule “crypto to crypto fungibility”. Crypto to crypto exchanges are not so easily regulated and all it takes is one that works reasonably well and it does not matter if someone bans one cryptocurrency. It is a “ban all or none” effect in practice.
It is very likely that hard core Bitcoiners will try to resist such censorship. And that’s good. One question is: how is it technically possible? A soft fork is a completely valid chain that follows the consensus rules, and a majority soft fork will just be Bitcoin. It is hard to enforce that a miner includes a transaction. Consensus rules are good for excluding transactions. Even if there is a hard fork or a checkpoint that all nodes agree on and that includes a tainted transaction, right from the next block a soft fork can continue and censor transactions, including the outputs of the mined tainted transaction. So you can not easily “fork yourself off” to a censorship resistant fork. Censorship decisions are made in each new block. You have to win this fight one block at a time, forever, until the end of timechain.
All this can result in two types of Bitcoin – KYCed and clean vs “black market” Bitcoin. Whether they will live on one blockchain or Bitcoin will be divided into two forked chains depends mainly on the miners and exchanges and their willingness to succumb to the regulators’ pressure and to violent coercion if they fail to comply.
A paradoxical solution might be to change the hashing algorithm, which would significantly reduce network security (Bitcoin’s Proof of Work currently makes Bitcoin the safest blockchain on the planet). In this way, two Bitcoins would also probably be created – less safe, less regulated and mined in the kitchens all over the world and on the other hand safer but heavily regulated. Where it goes from there, no one knows. Is this enough to avoid censorship? Probably not. Introducing better privacy might help, but then why not just use Monero?
Thus, the majority hashrate (i.e. miners who control more than half of the power of the network) decide on censorship. These are companies that have their managers, buildings and state licenses. If decentralized mining pools do not have an absolute majority, it will pay off financially to mine on a regulated pool, as we said above.
The idea that a large miner will “rebel” and move to p2pool (or use Stratum2 and create their own blocks, not dictated by a pool) and problem solved is very naive. Mining companies that control significant hashrates need to achieve a return on their investment in the first place. They are very conservative, don’t want to risk losing rewards by mining blocks that are later orphaned. So the main incentive is not “the government will kick our door if we mine this transaction”. The incentive is simple “let’s kick out all the hashrate that does not comply, more block rewards for us and make sure that no one will kick out our hashrate”.
Bitcoiners like to signal the virtue of running their own node and how this makes sure that all rules are followed and helping to decentralize the network. While this is nice and I applaud everyone who runs their own node, decentralization from the point of view of censorship is mainly about miners, and running one’s own node will not help in any way.
(Of course, we can create new rules – reject blocks that leave out censored transactions paying a sufficient fee, treating them as blocks of censors. This has several problems though – how do you know that everyone sees this transaction? If there were already a consensus about transactions, you would not need miners. So this is nicely said, but very difficult to actually achieve. It would probably also lead to two Bitcoins – guess which version Coinbase, Kraken, Binance, Bitstamp,… and for that matter Microstrategy would run?)
The idea of the unstoppability and uncontrollability of Bitcoin is, in my opinion, an outdated concept. In the past, we could not imagine what censors and regulators could do. We thought that a rule like the crypto travel rule from FATF that is already in force was pure sci-fi – how could states agree to regulate all exchanges in the world the same way? They cannot even agree on the type of power outlet! Yet, it happened. FATF rules are enforced globally through network effects. These rules apply in Europe, the US and China as well. Without any need for elected officials to pass it through democratic rituals. The way that power and enforcement work has changed dramatically in the last few years. While Bitcoiners still believe it is not possible, we are being regulated more and more – and using power structures that have nothing to do with the ideals of democracy. One office at the OECD in Paris is writing worldwide AML regulations. Another office in the same building created the reporting standards that invade our privacy (the Common Reporting Standard – CRS). Payment networks create and enforce their own regulations – even outside their users!
What can we do to make sure this dystopia does not happen? Build a parallel society that does not rely on regulated services (shops, courts, exchanges, …). Treat anonymity and privacy as a feature. A core feature. Reject any KYC-requiring service in principle and become an ethical crypto dealer. Buy and sell crypto. Support any services that do not ask for our identity. Promote, build and use decentralized exchanges, ATMs, and local in-person crypto exchange communities. And build a crypto economy that blatantly rejects these ideas, but not only on social media, but in reality.
If the split of Bitcoin into regulated and unregulated really occurs, the unregulated one should have the greatest network effect, the greatest economic power. It should be the Bitcoin, in which we settle small debts with friends and family. The Bitcoin with which we buy vegetables that someone else grew in their garden. And we should also support cryptocurrencies like Monero, which are not traceable and their censorship is much more difficult to achieve. It is not that hard to admit, that privacy is a good thing to have, even if you are a “Bitcoin is hard money maximalist”. They play along nicely.
If this global censorship of Bitcoin really takes place under the leadership of states or other AML organizations, we should have the strength to say “we don’t want this centralized coin, it’s the same shit as your central bank issued digital fiat money.” And “no, thank you.”
And the time to start building this situation and this network effect is now.
A Twitter thread about how this attack unfolds with 10% hashrate enforcing censorship and what is the cost-benefit analysis for individual miners.
I made a course about how to settle small debts among friends and family and use Lightning network to pay through non-KYC exchanges. If you have never tried Lightning network and don’t know where to start, this might be a good start. Open channels when fees are low, you can thank me later.
I also produce a podcast dedicated to increasing our options, thus increasing our freedom. It’s called Option Plus Podcast. There are episodes about opting out, strategies for being more free here and now. If you want to learn more about strategy of parallel societies, I recommend a Cypherpunk Bitstream episode, where Smuggler and Frank invited me and Martin to talk about Parallel Polis – a strategy to achieve more liberty in a communist dictatorship of former communist Czechoslovakia. Yes, we can use this strategy today.
If you want to learn more about financial surveillance and how it applies to crypto – and especially how it is made and enforced outside of parliaments and governments, check out my talk from HCPP on Financial Surveillance and Crypto Utopias.
You can also follow me on Twitter @jurbed.