In my previous article, I explained why I think Bitcoin censorship is coming without majority of miners being forced to censor transactions. I am pleased with the discussions it brought and I would like to clarify some points. Before you choose to discuss, please read the original article and this article. I know it is long, but in order to have meaningful conversation, we should be on the same page.
This article is not about >50% of miners could introduce a censoring soft-fork. It is about other, real world possibilities of introducing censorship and about the fact that it is almost impossible to fight it by changing consensus rules or “forking off the censored chain”.
I assume that there is a 10% (example) minority that is forced by a regulator (i.e. government has guns pointed at them) to do these two things:
- Never mine a transaction spending a UTXO (or alternatively an UTXO belonging to an address) that is on a published blacklist, or any other transaction following from that (at that time spent) transaction output. This rules out any coinjoin that has a tainted input – all outputs are then tainted.
- Never mine on top of one block that breaks the previous rule. This does not mean that a compliant miner should be stuck forever in a minority chain.
We can also improve the attack by adding one more rule, but we will discuss both scenarios with and without this rule. This additional rule that seals the fate of uncensored bitcoin without majority hashrate being forced:
- Every block reward address in coinbase (that’s where the miners get block rewards and tx fees) that breaks previous two rules goes on blacklist and no (regulated) exchange can receive or exchange these coins (either directly or by transactions following from this address). All compliant miners have to enforce that these coins don’t move – it’s on blacklist like any other proceeds from money laundering. A regulator could argue that a transaction fee from mining a banned transaction is direct profit made from aiding money laundering. And building on a banned block is aiding a known money launderer (to build a valid chain with forbidden transaction).
I believe that by introducing this third rule, no sane miner would ever break the first two rules. But let’s look at the scenario with only the first two rules one more time.
In addition to miners that are forced to censor, we have these other types of miners:
- Current consensus following miner. That is a miner with current Bitcoin Core software and mining strategies, doing nothing whatsoever to change their setup.
- Rational miner that is not forced to follow any rules, but wants to maximize short-term profit at all times. I believe that these miners will enforce the censorship rule in the end. Note: Miners are conservative, profit seeking companies that want to achieve fast return on their huge investments. They are not cypherpunks, not rebels. They want bank accounts, exchange accounts, a business license, their CEOs wear suits and they want to look good in an annual report.
- Rebel cypherpunk miner. These either want to mine censored transactions just because it’s Bitcoin (yay, more of them!) or they have better risk tolerance and they want to mine the transaction because of fees – and they don’t care so much about the risk. If the reward is worth it, they’ll do it.
I will show that most rational miners will enforce the censorship rule (without the exchanges).
The second, completely different scenario I mentioned is this:
- The exchanges and other large Bitcoin businesses (for example payment processors) are forced to a soft-fork where no censored transaction is present in the chain. This is different than previous rule where only building on top of one block is prohibited to some of the miners. This is a completely “clean chain” enforced by the exchanges.
- There is no particular regulation for miners to do anything in this scenario, only if they want to sell their coins on an exchange, they have to be on a censored chain.
- The exchanges don’t do this voluntarily, they are forced by government guns or by their need of access to the fiat network.
- A rational miner wants this soft fork to be the majority chain. A chain split would be only temporary and problematic from the point of view of return on investment.
The cost-benefit analysis at chain tip without competing block
First start with the scenario I mentioned. There is a transaction spending censored UTXO in the mempool and miners are building their blocks.
Forced censor will just not include the transaction, end of story. So we know that 10% of hashpower will for sure not include the transaction and they will try to orphan any block that does include it in a block. There is not yet a competing mined block at this point.
Here I claim that a rational miner will not include the transaction either in most cases – and that even without the third rule, if the third rule is in effect, no sane miner ever would include the transaction.
The cost-benefit analysis without the third rule is this:
The benefit is the difference of a price of a block+transaction reward of including censored transaction(s) and not including them. If there is one censored transaction paying a $505 fee and if the miner builds this block, he will not include a $5 transaction (because there is not enough block space), the benefit is $500 (please note that rational miner is most often a corporation and their accounting currency is fiat, not Bitcoin, although they might secondarily want some Bitcoin exposure).
The cost of this operation is a possibility of losing a block reward including transaction fees. Let’s say that is 6.5 BTC or around $100,000. Of course, we need to account for a probability of losing this block reward. Some people claimed that the probability of losing this reward is 10% * 10% – the regulated miners would have to find a competing block, because they cannot build on top of a block with a tainted transaction and then only those miners would build on top of this block, because current miners will build upon a block that they found first. That might be true if there are only regulated, current consensus following miners (note that I am not including rebel cypherpunk miners).
Let’s run the numbers in this case anyway. A $500 profit with a probability of 1% of losing the $100,000 reward is $500 – 0.1*0.1*100,000 = -500. So the transaction fee(s) of the censored transaction(s) would have to be $1,000 higher than standard market fees in order for the rational miner to break even. Now it’s all about their risk apetite – how much more would they need in order to make the risk worthwile?
Two blocks at the same block height
To illustrate the difference, let’s build on the previous scenario when there are two competing blocks – one censored and one non-censored.
We introduce rational miners and rebel cypherpunk miners to the game: A rebel cypherpunk miner would follow the censored block. Why? It makes no difference in their effort which block they follow, if they are successful. At this point, finding a new block – built on either of the two blocks – wins. But there is a clear difference, the censored block has lower transaction fee reward and a rebel cypherpunk miner would want the transaction fee of the censored block for themselves, so it is more rational for them to build upon a chain that does not include this censored transaction. This way they are not censoring, they are upholding their cypherpunk values (the censored transaction would be in in case they are successful), and they would be making money on the censored transaction.
A rational miner would also follow censored block. There are multiple reasons:
- First of all, it makes no real difference to their business case, except for a tiny bit lower fees in the censored block in some cases (the censored block had blockspace to include more non-censored transactions, which are no longer in mempool if this block is valid). They would not be punished in any way and they would keep their block reward if they switch to the censored block when it is found.
- They will not include the pricy censored transaction (as a rebel cypherpunk miner would), because they are risk-averse.
- The previous censored block has much lower transaction fees, meaning less money for the competition to buy more hashrate. Note that mining is a competitive business.
- They can include statements about voluntary anti-money laundering in their annual report for shareholders, give a talk at a government conference about how forced regulation is not necessary, because the industry auto-regulates and if their bank and exchange asks, they can point to a “no money laundering” policy and a proof of all their branded blocks being nice and clean.
But the point is – it makes no real difference to their bottom-line, building on either of those blocks gives them similar block reward. To repeat – miners chosing to build on top of either censored or non-censored block at the same height have zero income from the increased price of the transaction fee of a censored transaction. That’s the previous block’s miner’s reward.
Back to building the original block
Let’s think about the decision to include or not include the transaction in the first place. We know that 10% will not follow a block with tainted transaction for sure. We can reasonably expect that some portion of miners are what I call rational miners that will build on top of whatever block has lower fees and less controversy (yes, they will need to change the software). At first, they will build on top of censored block, but if there are two blocks at the same block-height, they will switch to the censored branch. So will rebel cypherpunk miners, but for a different reason – they want the hefty fee for themselves, they have no reason to give it to the competition.
So let’s run the negative side again: The cost of including a tainted transaction is a block is a possibility of losing a block reward including transaction fees. (Let’s say 6.5 BTC or around $100,000). What is the probability of losing this reward? 10% of hashpower will not build upon it and if they find a block, everyone except “current consensus miners” will follow the censored block. So right now (where everyone not censoring is “current consensus miner”), it is still 10% * 10%. As the number of rational miners and rebel cypherpunk miners increases by “upgrading” the mining software with understanding the blacklists and game theory, the percentage will be different. For example 10% * 50% * $100,000 = $5,000.
Is it worth paying $1,000-5,000 for moving a censored UTXO? Depends on the value of the UTXO, but consider that at this point, everyone knows it is tainted. You will not just coinjoin it easily (the coinjoin would be expensive), you will defninitely not send it to an exchange. What would you gain if you move it anywhere?
Well, you could swap it for untainted coins through lightning or Liquid or some other way – if they don’t verify taint. Liquid will for sure reject tainted transactions if this is the case and any Lightning routing node operator that does not do strict checking on UTXOs of incoming channels will go out of business. So it might be worthwile for now, but when this starts happening more often, the censored UTXO will be unusable.
Introducing a soft-fork by economic nodes – OTC traders, exchanges (Kraken, Coinbase, …) and payment processors is even more likely. But that would need a coordinated action. Enforcing AML by punishing non-compliant miners, putting their block rewards on blacklist is very probable and would turn most miners into what I call rational miners – enforcing the censorship.
There is a world-wide agreement on anti money laundering
Several people said in a discussion that countries cannot agree on much simpler things and they will not coordinate their effort on censorship of Bitcoin.
Yes, it is true that countries cannot agree on coordinated effort on many things, but that does not apply to financial networks.
There is a world-wide tax reporting standard that is applied everywhere, including Bitcoin exchanges called OECD Common Reporting Standard (CRS). Please note that while it has been developed by the OECD, it is applied in all countries that have any kind of access to international payment networks and thus international trade. One notable exception is USA, because they introduced reporting before OECD CRS was invented – called FATCA. And they just did not switch from one standard to another.
For anti-money laundering, there is an organization called FATF-GAFI:
“The Financial Action Task Force, also known by its French name, Groupe d’action financière, is an intergovernmental organisation founded in 1989 on the initiative of the G7 to develop policies to combat money laundering. In 2001, its mandate was expanded to include terrorism financing.”
This organization is headquartered in the OECD building and their whole job is to create international regulations on money laundering. They created the crypto travel rule, by which exchanges have to tag and verify ultimate beneficiary owner of funds moving from one crypto exchange to another. There is not a single country that is actively opposing these regulations, in fact, they are endorsing it as an international standard. FATF-GAFI also creates a “watchlist” of non-cooperating jurisdictions. These jurisdictions are basically under economic sanctions – if a country is on a watchlist by FATF-GAFI, they have trouble accessing international markets and exporting their goods and services.
There is not a single country in the world, who would “stand up for a freedom of miners”. If there is a crypto censorship regulation by FATF-GAFI and a miner in Georgia says “fuck them, I am a cypherpunk”, this happens: FATF-GAFI includes Georgia in a watch-list, because they could not combat money laundering. A farmer in Georgia cannot buy a tractor from Czech Republic, because their payment does not go through – a Czech bank sees a transaction from a country on a watchlist and makes it very difficult if not impossible for the tractor dealer to receive the payment. Farmers in Georgia go to their government and say “get us off this stupid watchlist, we need access to international markets”. Georgian government has thousands of angry farmers and one rebel mining company. Police with guns go to the miner’s datacenter and say “implement this FATF-GAFI censorship blacklist or turn off your machines, we need to get our country off this watchlist”.
Please show me all the rebel exchanges connected to the fiat network that say “we don’t do KYC and we will definitely not implement the FATF-GAFI crypto travel rule”. Hint: There are none that would say this publicly. And even Bitmex and Deribit who are trading derivatives and are not connected to the fiat network introduced KYC.
So I think that even though the scenario was talking about 10% of enforcing hashpower, I think it is coming to 90% of hashpower. Of course, there will be cypherpunk rebels, mining anonymously under their kitchen tables. But what if their rewards end-up on the blacklist?
These rules are introduced slowly. Was there a backlash against FATF-GAFI crypto rule? Chain analysis by exchanges? Is any major economic actor saying “Bitcoin is fungible, I’ll hapilly take the tainted coins for the same price as non-tainted?”.
These rules are already being introduced. One miner not mining censored transactions. Exchanges implementing travel rule, tagging beneficiary owners in chain analysis databases. This database is being built today. It lives outside of Bitcoin blockchain. Exchanges are connected to them and feeding them, because they have to. They did not wake up and say “let’s troll our customers with KYC, AML and source of funds forms”. If they want to be in business, they have to.
Because there is no real opposition to FATF-GAFI rules and most countries and especially payment networks consider them golden standard of anti money laundering, I think this censorship, if introduced by FATF-GAFI after few “test runs” (travel rule, censoring miner, AML at exchanges) can be introduced without a single parliamentary vote in any country. Meaning it would be enforced outside of legislation, just by network effects.
The rules are being adapted from FATF-GAFI into legislation. For example here’s a recent FinCEN proposal to introduce an even more strict version of travel rule for all transactions (including crypto transactions) over $250.
“If there is such an agreement on AML, why is there so much money laundering?”
I did not say that the AML regulations work against money laundering. I am saying that the standards are widely accepted around the world, but they are not effective against money laundering.
Bank needs to show they are fighting money laundering, but they are still doing it anyway. Just search for money laundering, there are multi-hundreds-of-millions money laundering cases revealed every few months.
But that does not mean that AML standards are not enforced, only that banks have a way around them.
With the three-rule AML standard, if introduced, the problem is that miners are creating cryptographic proof of money laundering. Banks can say “ooops, we missed the 300 million dollar transaction from Belarus, we thought it was for gold mining equipment”. Please note, that this would not work if the source account number or company (or country) was on a blacklist. That would be effectively frozen even now.
But a miner cannot say “ooops, I did not notice this transaction on a publicly available blacklist, it must have gone there by accident”. It is a public ledger.
Auditability of hashpower
So how could a government or anyone else tell if a miner is enforcing the rules? I think miners can expect audit requirements in the near future. It can either be private companies (like what chain analysis companies do for exchanges) or public entities. I think private entities are more likely.
It would work like this – mining businesses will need to be audited for AML and tax reasons. They will declare hashpower and submit their proof of work (including the content of the blocks) to a third party (private or public). This third party will verify that they do not aid money laundering (by properly censoring transactions and orphaning blocks) and that they properly declare all mined coins as income. For example by requiring all partial proof of work at the same blockheight requiring the same address for block reward.
If these entities want a bank account, crypto exchange account or simply have “clean coins”, they need to follow something that is called “source of funds verification”. When you open a bank account or receive substantial amount of money, the bank will ask you – how did you get your money?
For now, in many countries, it is enough to say “I mined it” and “here’s a tax declaration on the income and capital gains I submitted to the government”. The problem is this: If you got your money actually by human trafficking and you want to buy yourself a skyscraper in Panama City, you go on a black market and in a few months turn “dirty cash bills” into crypto. Then you fill and submit a tax declaration and come to a bank and say “here’s my clean cash, I got it for crypto I mined, I even taxed it”.
Countries (and banks) are slowly understanding that this is happening and audited partial proof of work will be soon necessary. Right now, there are sites which are buying private keys to addresses that contained Bitcoins in the past. I saw an 1:500 exchange rate. They are probably bought by people who want to declare that they mined or got Bitcoin in the past and are now selling it – so they can sign messages using keys that contained Bitcoin in the past, “proving” it was “their Bitcoin”.
So every block can be mined without miner branding and at the same time completely audited and verified by independent auditor or a government body.
You cannot “fork off” censorship
Another objection to my article was that “we will just fork off the censors” and create an uncensored chain. I believe that this is not possible. You can prove that you are not aiding money laundering to the regulators and at the same time make it impossible to fork off your majority chain that is enforcing censorship.
Let’s start by explaining various types of consensus rules changes. You can make them more strict (also called a soft fork). A soft fork can be introduced by majority of hashpower, nodes have absolutely no say in a soft fork. A successful continuous transaction censorship is a form of soft fork. A miner would never mine a block with a blacklisted transaction.
If you run a verifying (full) node, you just see blocks that conform to consensus rules and you don’t know that someone is censoring.
How do the nodes know they are on the best chain? They verify all the consensus rules (transactions are signed, block size is below limit, mining difficulty condition satisfied, …) and then they verify they are on the longest chain (there is no longer chain that also validates).
Another type of fork is a hard fork – relaxing rules. For example increasing block size is a hard fork. In order for nodes to follow a hard fork, you need to upgrade all the nodes, because they need to validate the blocks that were not valid under the pre-fork rules.
So censorship is a soft fork. It can be introduced by miners (but also enforced by the nodes, if they want to make sure they follow the soft fork). Censored blocks are valid blocks that just do not contain transactions that miners consider tainted (breaking soft-fork rule).
A node does not know or choose that they are on the censored chain. If miners are successful in censoring, it just looks like Bitcoin – all rules check out and it is the longest chain.
If you want to punish miners for censoring, it is hard to do, because it requires consensus. We achieve decentralized consensus with mining. So it is a circular problem – if there is another way to reach consensus about mining without mining, we would not need mining at all.
If you have a previous consensus on what is censorship, you can refuse censored block. But how do you make sure it is a censored block and merely not a block made by miner who did not see the censored transaction? What if only you have seen it, because other nodes don’t even relay those? How do you make sure that other nodes agree that the block is censored? Because if they don’t agree, you forked off the network by yourself.
One approach would be to fork based on orphaned blocks. If a valid block contains a censored transaction and the best chain goes around it, orphaning it, you punish the miner. But how? Miners don’t need to identify their blocks. Each block can be unique and “unbranded”. Also, you would need consensus on which block was first. We have a way to reach this consensus – it’s called mining.
You cannot tell what happened first if it is not in Bitcoin timechain at different heights. So how do you know if the block was orphaned because of censorship or it was just late? You also need to agree on what is censorship. Two ways: Either you agree on blacklist – how? Do you include a government signed blacklist in the block to decide what was censorship at the block time? Another way would be to prefer block with higher fees. Not mining a transaction with a high fee in the block could be censorship. But how do you know if the miner saw the transaction? We have a consensus on what are known valid transactions – it’s called mining.
So really you have to agree on what is censorship before you can punish it (and fork off of it). If you can agree on it beforehand (know which block, which tx, which blacklist), you already reached consensus and don’t need mining. If you know how, please write a paper, that would be huge!
Then you need to identify censors. But they can change their identity every time, while still proving to the government/censorship body that they are censoring. They submit their partial proof of work to the government/auditor API, while making their blocks random – new address every time they find a block.
Please note, that all nodes need to reach this this conclusion about censorship at the same (block)time. Also note, that if this happens, nothing is won. You did not fork off, the censors can (and will) come to your fork and do it again. Do you hard fork twice a day? The fundamental problem with punishing censors is reaching consensus about who the censor is, in a decentralized and fair way and punishing the censor long term (assuming they can be and stay identified). In conclusion: Soft fork can be enforced by miners and the nodes can do very little about it. They can “fork off” once in a while by introucing a difficult-to-coordinate hard fork, but the soft fork enforcing miners can come back.
Your full node does not help in this in any way. Users with full nodes (especially exchanges) can troll miners to force a soft fork (for example enforce censorship), but they can not avoid being soft-forked by miners.
“Censored Bitcoin is worthless”
Another common objection to censorship is that miners would never do it, because that would make their coins worthless. While at the beginning, the appeal of Bitcoin is that it is uncensorable and anonymous money with predictable inflation and hard cap on supply, right now I think by what most users do, it is safe to say that the hard money use case won. Bitcoin is becoming less anonymous (by things like the travel rule and chain analysis). Censorship resistance is also questionable – there are coins that are tainted and it is not possible to exchange them on par with other Bitcoins, losing fungibility.
There are companies that are using the hard money property of Bitcoin by placing Bitcoin investments on their balance sheets as a treasury asset. These people, including many regular HODLers don’t care about censorship resistance. Why would they go and stand out for thieves, money launderers and other people legalizing questionable income? The cypherpunk ideals are nice, but most people just want to get rich by hodling a hard money asset. And censorship makes the asset harder.
Yes, some suckers will lose their investment, their UTXOs will be frozen, but less supply, moon sooner!
Non-fungibility and thus censorship will be also pushed by chain analysis companies, OTC desks, exchanges and professional custodians. They want to justify their fees. What better way to do regulatory capture than “We cooperate with anti money laundering organizations to make sure you will never get censored! We check all the history of the UTXOs, here’s a bill for our fee!”?
Companies with large Bitcoin treasury holdings (or should we call them HODLings?) and ETFs, those precious “institutional investors” that everyone wanted will also love censorship. What better way to go from “Bitcoin is used by money launderers, drug dealers and criminals” to “Bitcoin blockchain is even safer than other assets, ensured by constant auditing and anti-money laundering standards by industry organizations”. If I wanted to convince my board to convert dollars to Bitcoin in my publicly traded company, I would definitely tell them the second story.
The truth is, only HODLing is not a cypherpunk ideal. Privacy, fungibility and censorship resistance was there in the beginning, but it’s slowly evaporating. The market decides and it seems market participants want publicly auditable hard money – with auditable supply and no criminal activity.
Will they ban Monero completely?
As a feedback to my previous blog, some people said that I was shilling Monero too much. If someone went all this way to censor Bitcoin, they would straight out ban Monero completely. And I agree – I believe Monero will be effectively banned on white market and will become a black market money. But it’s blockchain will not be censored. It will be running from behind Tor, I2P and maybe Nym, for black market transactions, but still uncensored. Because it is very difficult to censor a fully anonymous cryptocurrency, I believe that Monero or something like that will take over the cypherpunk ideal – black market, private, fungible, anonymous money. And Bitcoin will become a white collar inflation protection crypto asset. There will be dark markets connecting the two, creating a bridge and a duopoly of two currencies. Because if Bitcoin is censored, there will never be an uncensored version (it is not possible to fork-off censors from publicly auditable ledger, as I’ve shown above). We will have two types of money, with two use-cases.
It does not have to be like that. We should boycott all the FATF-GAFI and other regulations. We should not “talk to the regulators”, we should repeatedly tell them to go away and leave us alone. We should not do “ok, you are right, KYC is reasonable”. If we fail to do it, censorship will come to Bitcoin.
For other things we could do to avoid this sad fate, I recommend reading the conclusion of my previous article.
The previous article about censorship, if you have not read it.
I made a course about how to settle small debts among friends and family and use Lightning network to pay through non-KYC exchanges. If you have never tried Lightning network and don’t know where to start, this might be a good start. Open channels when fees are low, you can thank me later.
I also produce a podcast dedicated to increasing our options, thus increasing our freedom. It’s called Option Plus Podcast. There are episodes about opting out, strategies for being more free here and now. If you want to learn more about strategy of parallel societies, I recommend a Cypherpunk Bitstream episode, where Smuggler and Frank invited me and Martin to talk about Parallel Polis – a strategy to achieve more liberty in a communist dictatorship of former communist Czechoslovakia. Yes, we can use this strategy today.
If you want to learn more about financial surveillance and how it applies to crypto – and especially how it is made and enforced outside of parliaments and governments, check out my talk from HCPP on Financial Surveillance and Crypto Utopias.
You can also follow me on Twitter @jurbed.