Ryan asks, why can the proof-of-work algorithm prevent one party from dominating the record-keeping? A 51% attack can happen, which means the attacker can change the whole chain. This is a really important question, and often it is a misconception among many people. A 51% attack can happen. The second part of your sentence, however, is not true, which means the attacker can change the chain. No, they can't. The attacker can, using a 51% attack, change the next block, and in fact, be the only one in the long term that is producing blocks. Once you have 51% of the hashing power, you can generate blocks faster than the rest of the network, which means that you can have the dominant chain, which means that from the moment you get 51% and into the future, you get to choose which transactions go into blocks. That gives that miner one very important power. They can cause the network to reorganize, effectively making some of the blocks that were recently mined be reorganized out of the chain, and replace them with their own blocks, so they can effectively make a transaction disappear. Only for the recent chain, maybe the last four, five, six blocks at most. That is why we say that we look for six confirmations before perhaps shipping something or allowing withdrawal from an exchange. The reason that all of these economic interests on the network insist on six blocks, six confirmations, before assuming that a transaction is irreversible, is because in the chance of a 51% attack, you may see reorganizations as big as six blocks, but the longer you look, the harder it is. If you want to do a one-block reorganization, that happens fairly often. A two-block reorganization happens very rarely. A three-block reorganization happens almost never, etc., and it gets harder. By six blocks, you assume that the amount of effort required to do a six-block reorganization is enormous. In fact, it involves spending an enormous amount of energy. Here is what a 51% attack can't do.
A 51% attack cannot change the rules. The reason they cannot change the rules is because all of the other nodes on the network that are not mining, the ones operated by exchanges, wallets, merchants, users, intermediate nodes, everybody else on the network, will not accept the new rules. Meaning that if the 51% attacker starts to operate under new rules, they will find all of their blocks rejected by the rest of the network, and what they will achieve effectively is a hard fork. They will fork themselves into an altcoin that is not accepted by anybody else. The same applies to creating fraudulent transactions. They cannot create fraudulent transactions because those transactions, and the blocks in which they are mined, will be rejected by the rest of the network, because every node validates every transaction and every block. Meaning that a 51% attacker cannot change the rules in the long term; in the short term, they cannot produce fraudulent transactions, and they cannot produce fraudulent blocks, including blocks that lack the necessary proof of work. In order to produce real blocks that have the proof of work, in order to sustain a 51% attack, they have to spend electricity, which is why they can't go back and change the whole chain. In order to go back and change the whole chain, let's say they picked a point in the past that was 100 blocks past. To go back into the history and change something that is 100 blocks behind you, you have to re-mine the last 106 blocks and do that in the same amount of time that the other chain is mining one block. That is impossible to do. You would have to do a sustained attack where you start 100 blocks in the past, and then apply 51% so that you can achieve dominance. It may take you 1,000 blocks before you manage to pass. As you mine block minus 106, the other side is mining block plus 1, then you mine block minus 105, they mine block plus 2. They are still ahead, minus 104, plus 3, minus 103, plus 3, minus 102, plus 2.
We are catching up now, but very slowly. Minus 101, plus 3, minus 100, plus 4. See, they are still ahead. None of what you are mining is being accepted by anyone. Now, assume that 1,000 blocks into the future, you finally catch up and pass them, because that 1% difference allows you to mine just a tiny bit faster, 1 minute out of every 10 faster, on the blocks you are mining. But because you started 100 in the past, it will take you a long time to get ahead. You passed them in 1,000 blocks, and the entire blockchain flips over to your side. Now, here's the thing, you managed to get all of that reward, but you only get it once, meaning that you spent all of that energy rewriting 100 blocks into the past, in order to get paid a reward. Keep in mind, if you have 51% of the mining power, that probably means that before that you had 49%. Until you got 51%, you were probably mining together with everybody else. Which means that out of the 100 blocks you just reorganized, 48 or so were probably mined by you in the first place. Which means you already got paid for that energy use once. Now you spent half of that energy again, and you are not getting paid again, because the second payment is going to overwrite the first one. You have to choose. If you rewrite the chain, you are only getting one of the two chains. The one in which you got paid for 49 blocks, or the one in which you got paid for 100 blocks. But you spent the energy twice, regardless. So you are doing twice the work for half the pay. That doesn't sound very sensible. That is just 100 blocks into the past. That is not even one day's worth of blockchain. To change 1,000 blocks into the past, to change a year of blockchain, it would take more than a year, two years, in fact, at 51%. It would take you two years to mine one year's worth of transactions. At that point, the other side will have mined one year or two, so it will take you even longer to pass them. This is why having 51% isn't a winner-take-all scenario.
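Added here as an editor's example, not code from the talk or its speaker: a small model of the catch-up race described above and of the six-confirmation rule. It assumes the Bitcoin whitepaper's simplification that each new block is found by the attacker with probability q, independently of the others, and that blocks arrive every ten minutes; it generalizes the speaker's 100-blocks-behind, 51% case to any hash share and deficit.

```python
import math


def expected_blocks_to_overtake(q, deficit):
    """Random-walk model of the catch-up race.

    Each block is found by the attacker with probability q and by the honest
    network with probability 1 - q, so the attacker's lead moves +1 or -1 per
    block and drifts by 2q - 1 on average. Starting `deficit` blocks behind,
    the attacker must gain deficit + 1 net blocks to pull ahead.
    Returns expected (total_blocks, attacker_blocks, honest_blocks), or None
    when q <= 0.5 (no positive drift, so the attacker never expects to catch up).
    """
    if q <= 0.5:
        return None
    drift = 2 * q - 1
    total = (deficit + 1) / drift
    return total, total * q, total * (1 - q)


def attacker_success_probability(q, z):
    """Probability that an attacker with hash share q ever overtakes the honest
    chain once a transaction has z confirmations (the calculation in section 11
    of the Bitcoin whitepaper). With q >= 0.5 success is certain, which is why
    a majority attack is discussed in terms of cost and time, not probability."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p  # expected attacker progress while the honest chain finds z blocks
    prob = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


if __name__ == "__main__":
    # The talk's scenario: 51% of the hash power, rewriting from 100 blocks back.
    total, mine, honest = expected_blocks_to_overtake(0.51, 100)
    print(f"expected blocks until overtake: {total:.0f} "
          f"(attacker re-mines {mine:.0f}, honest chain grows by {honest:.0f})")
    print(f"about {total / 144:.0f} days at one block every 10 minutes")
    # Why exchanges wait for several confirmations against a sub-majority miner:
    for z in (1, 2, 6, 10):
        print(f"q=0.30, z={z}: P(success) = {attacker_success_probability(0.30, z):.4f}")
```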
In fact, the amount of stuff you can do with a 51% attack is really limited down to one scenario. That is, you can go to an exchange, withdraw the money from your coinbase transaction, or from a spend that you did on one chain, then reorganize and double-spend that money, and then go to another exchange and withdraw it again. You have withdrawn twice, and the exchange has lost money. In order to do that, you have to manage to wait for six confirmations, re-mine six whole blocks, do that secretly without anybody noticing that 51% of the hash power just dropped off the network somehow and is mining secretly, and then pop back onto the network with six pristine blocks that came out of nowhere, and hope that the exchange didn't change their confirmation time. If I am running an exchange and I see 50% of the hash power disappear for a few minutes, I will be like, okay, here we go, someone is playing games. Let's change our confirmation time to ten blocks just to make sure your entire plan is now thwarted. You will have to go even further back in order to re-mine this. Let me change it to twelve confirmations, just for the next day or two. Let's see what these people are doing with that 50% hash power that dropped off the network. It is a very difficult attack to do, it is a very expensive attack to do, it is a very risky attack to do, and it has very little possible benefit, which is why, in the entire history of proof-of-work chains, we only ever see this happen in chains with very low security, that are either at the very beginning of their proof-of-work, or have had a catastrophic collapse in their proof-of-work due to a fork, and therefore become vulnerable to exploitation because people can shift large amounts of hashing power. It has never happened in Bitcoin, and it is even harder to happen in Bitcoin, because in Bitcoin we have the benefit of dedicated ASIC equipment that cannot be switched from another chain, because it is not really used in other chains.
As a result, it is all already in Bitcoin, you can only move it from Bitcoin to Bitcoin, which is noticeable, and that is how the security of proof-of-work works. Edmund asked the follow-up, not sure if I missed this part, how often, statistically, has a 51% attack happened thus far? Allow me to pull up my trusty calculator here on my computer. We will need to do some number crunching, so 0 plus 0 times 0 divided by 1 times 0 plus 0 equals 0. 0 times has a 51% attack actually occurred on the Bitcoin network so far. That tells you something after ten years about how the security of a large ASIC-based proof-of-work network works. People who say that proof-of-work through ASICs on a large scale is a waste of money do not understand the security equation. It is not a waste of money. It is money that has been well spent and invested by miners in order to buy us all the most robust system of immutability, security, and protection against double-spend that has ever been invented. Connor asks, would it be feasible for a government agency to reverse a transaction which they suspect is nefarious? No, it wouldn't be possible for a government agency to reverse a transaction which they suspect is nefarious. In fact, past a certain state it wouldn't be possible for even miners to reverse a transaction that they either suspect is nefarious or they have been compelled to reverse by a government agency or multiple government agencies. Even if 100% of miners cooperated entirely in order to reverse a transaction, if that transaction happened a few months ago or a couple of weeks ago, the number of blocks that have passed, the amount of electricity required to re-mine those blocks, would be infeasible. Meaning that even if 100% of the miners agree to go back in time and reverse a transaction, they still have to mine all of those blocks again. The only way to mine all of those blocks again is to spend all of that electricity again, and they won't get rewarded twice.
When they spend all of that electricity again, they will invalidate the previous reward transactions they've already done, or they will keep them, but they only got paid once. In any case, they'll spend the electricity twice, they'll only get paid once, and no miner is going to do that. The security of Bitcoin is independent from the desire of anyone to reverse a transaction. Transactions, once they have been embedded deeply enough in the blockchain, are practically irreversible, regardless of the size of the adversary. In 2008, the computational power was much lower than today. Was it anticipated by Satoshi Nakamoto that the electricity consumption would be an important factor in the mining industry? Did he foresee ASICs would have enough power to make the calculations? No. Satoshi Nakamoto didn't foresee the very rapid, competitive development of mining to the point of specialized chips, giant industrial manufacturing facilities and mining facilities, and the intense competition that would drive forward that industry to the point that it has been developed today. We know that because Satoshi Nakamoto was surprised by the development of these technologies and the rapid competition in this space. He certainly didn't predict the electricity consumption and the ASICs. Then again, Satoshi Nakamoto didn't predict the success of Bitcoin to this extent. You have to realize that the development of ASICs, the electricity consumption, are part of the incredible security that the cryptocurrency space has developed, especially Bitcoin. It is one of the things that makes Bitcoin robust. Having a giant industrial security mechanism that cannot be replicated and that requires the investment of enormous energy in order to prove that you are willing to follow the rules, and the punishment that comes if you don't follow the rules, where you lose a lot of money, makes Bitcoin extremely robust to attack.
The fact that ASICs and electricity consumption developed in such a rapid way is because it is actually profitable to deliver immense security to the Bitcoin economy, because the Bitcoin economy has grown tremendously, and that security is being rewarded by users. It is really a simple development of market forces. But I don't think Satoshi Nakamoto had foreseen this. Isabel asks, is it true that mining pools in China control over 70% of the global hash power? If so, does that mean there is a centralization issue and could a proof-of-work change be a solution? I have answered this question a number of different ways. To me, I think it is important to distinguish between mining pools and mining farms. We don't really know where the mining farms or the mining pools are. How much is controlled by a few actors, and how much is controlled by competing actors? Whether they can actually do anything with having a majority of the hash power is questionable. We have seen in the past that having more than 50% of the hash power doesn't really result in the ability to compromise the network in a meaningful way, because the incentives are not aligned across the system. Whether it is a centralization issue or not is debatable. But I would like to focus a bit on the second part of the question, which is, could a proof-of-work change be the solution? I have heard this being suggested a number of times, and I would like to disabuse you of this notion, because I think that would not, in fact, be the solution. For the first ten years of Bitcoin, the development of ASICs has proceeded at a frenetic pace. Until ASICs got down to about 16 nanometers of silicon fabrication, the pace of change went from the initial mining that happened on CPU, to GPU, to FPGA, to the first primitive ASICs that were done on 60 nanometer and 48 nanometer and 40 nanometer technology, finally down to 26, 24 nanometer, 20 nanometer, and below. We saw enormous increases in the processing power of ASICs.
An interesting phenomenon occurred during these times, whereby ASICs became obsolete very, very fast. In some cases, and during the height of this period between 2013 and 2016, we saw ASICs becoming obsolete as fast as three months, meaning that you buy a new ASIC, you run it for three months, and three months later it's already been superseded by another ASIC that is already at least five to ten times more efficient, and therefore the hash rate increase and difficulty increase wipes you out from a profitability perspective, and you have to replace the ASIC. The companies that operate in today's mining farms have become extremely adept at turning around their entire infrastructure as quickly as you can imagine. They became experts at the logistics of bringing in new ASIC equipment, racking it, and dismantling and recycling the old equipment as fast as possible. They basically learned how to change the entire industrial infrastructure of a multi-hundred-million-dollar industry every three months as the technology moved fast, in order to maintain a cutting edge. The miners who have the greatest success today are the ones who learned best to play the game of throwing away all of their equipment every three months and replacing it with brand-new equipment, straight from factories where they could deliver designs and fabrication as quickly as possible. Guess what happens if you change the proof-of-work algorithm? Who has the biggest advantage? All of the other users who are doing the one CPU, one mining, or perhaps have a home GPU? Or the miners who have a billion dollars in cash sitting in their bank account, and also have access to the factories, the logistics, and the operational skills to turn around a new ASIC on your new proof-of-work algorithm within three months?
In three months, not only would all of the miners be back in the game with this new proof-of-work algorithm, they would now dominate it to a greater extent than they did before, just at the time that we are finally seeing competition. You see, something else really important happened. By 2016, we started hitting the edge of Moore's Law, which means that the ASIC miners that were built in 2016 and 2017 were about at the edge of cutting-edge silicon manufacturing for commercial chips, such as the chips you see in your smartphones and your CPUs and your GPUs on your desktop machines. Meaning that there is no more 5x improvement in performance for ASICs. ASICs now hit Moore's Law. Moore's Law is tremendously fast compared to technological developments in other industries, but compared to the previous speed at which ASICs were being advanced, it is actually very slow. Going from a 5 to 10 times increase in performance every 6 to 12 months, down to a doubling in performance every two years, that is a very big change. It is a very big slowdown. What that means is that if you build an ASIC today, it is likely to be viable and profitable within the Bitcoin mining industry for at least two years, possibly three years, before the next generation of chips comes out at the cutting edge so that you can replace it. So the pace has finally slowed down. What this slowdown has done is it has delivered the ability for miners to compete on a broader level, and it is beginning to diversify the mining environment. It is beginning to allow chip manufacturers to build competing chips and distribute them to users in a way where they are still profitable after two years.
It would be catastrophic at this point in time, just when the concentration of miners is losing their primary advantage, which is the ability to turn these chips around faster, and just when there is a bit of competition, to change the proof-of-work algorithm and hand the entire mining industry back to the dominant players, who would be able to retool in three months with a new proof-of-work algorithm and then compete even more effectively with their cash reserves. Essentially, it would be handing the industry to the dominant players. No, we don't need to do a change in the proof-of-work algorithm, and in fact it would be counterproductive.