This is a question that comes up often. In fact, there are a few questions today that all relate to the same kind of topic. I'm going to bundle them all together and answer them all together.

Can governments launch a 51% network attack? Vasili asks: "Governments have an unlimited supply of money. They can print an unlimited amount. In theory, they can purchase an almost unlimited amount of mining equipment. Since they also have access to free unlimited power, why can they not acquire the majority of the network hash rate and launch a 51% attack to harm the Bitcoin network? They could even bribe all the major pool mining players, distributing all block rewards to them, according to the hash rate percentage, to discourage them from further mining. So what are your thoughts on that? If governments start to feel that Bitcoin is a threat to them and make a collaborative decision, let's say in a G20 summit, what's stopping them from succeeding? What are your thoughts?"

Well, first of all, I don't believe in this general idea that governments have their shit together, are organized enough, and even enough to collaborate on a global basis to do anything meaningful other than press conferences. If the G20 could get their act together and figure out how to collaborate, maybe they could solve some more serious problems like climate change, the global rise of fascism, war, and diplomacy. Things like that, for example, poverty, but they can't. Very rarely do governments collaborate on a global scale. Now, what if governments really got it in for Bitcoin and decided they were going to spend a lot of money in order to launch some kind of 51% attack?
First of all, you have to understand that what can be done with a 51% attack is limited effectively to a short-term denial-of-service attack against Bitcoin, which would lead to immediate countermeasures, would cost an enormous amount of money, and ultimately would most likely prove that you can't disrupt Bitcoin that way, only by spending a lot of money. So governments don't want to spend a lot of money to prove you can't disrupt Bitcoin for very long. That's the most counterproductive thing they could do. It would actually produce enormously positive marketing for Bitcoin, because if they failed in this 51% attack, eventually failed in this 51% attack, it would prove that Bitcoin is resilient. So it's unlikely that anyone's going to try and attack the Bitcoin chain in such an expensive way, when there are cheaper and more effective ways to attack it through law and propaganda, and various other things that we're seeing already. So let's go and look at this question in a bit more detail. Governments have an unlimited supply of money, yes, but if they use an unlimited supply of money, that money loses its value; it's called inflation. So not really. And in theory, they can purchase with fiat an almost unlimited amount of mining equipment. Again, in theory, yes, in practice, no. And part of the reason is that in practice, that involves collaborating with chip manufacturers who already have all of their capacity booked. They would have to kick out some other private buyer in order to replace their orders with government orders, and that gets noticed, or build their own silicon fabrication plant, which, you know, if they did, maybe they would actually produce something valuable rather than just mining equipment to disrupt Bitcoin. So first of all, it's difficult to buy all of the mining equipment. This is one of the hidden benefits of ASIC mining.
It's that you actually need equipment, that equipment is manufactured in some of the more expensive fabrication facilities, you know, seven nanometer and below facilities nowadays. And those facilities are working 24 hours a day and booked months, or sometimes even years, in advance with orders, because there aren't that many of them. So it's difficult to acquire this hardware in secret. You could bribe the miners, but first you'd have to find them, and you'd have to persuade them that your bribe in order to do a very risky 51% attack is better than the alternative, which is to simply continue mining honestly and earning fees and block rewards that way. And that's always a challenge, because just continuing to mine honestly and earning fees and rewards has a very high probabilistically determined level of success. You know that with a certain amount of hash rate, you're going to succeed in finding blocks at a certain percentage of the total. And as a result, you have a fairly regular income stream in the future, if you already have the mining equipment. Whereas if you take this bribe from this government to do an attack on the network, yes, if the attack succeeds, you get the mining rewards, but who knows if it's going to succeed. So they'd need to bribe you a lot more. Let's think about it from a point of economics. If you have guaranteed returns at a certain percentage of blocks, simply by continuing to mine honestly, and then you have risky returns by doing an attack against network consensus that may fail, then that risk has to be incorporated into the bribe that they will pay you, which means that the bribe has to be more expensive than the block rewards that you would otherwise earn by a certain percentage that represents the risk of the attack failing, and you're not actually getting paid the bribe. Ooh, well, that makes it more expensive for someone to bribe than to simply use that money to buy equipment to mine honestly.
And again, these are the profit incentives that exist in every case. So could the government launch a 51% network attack? Theoretically, yes. In practice, it's a very, very expensive effort, with a very low probability of success, that may backfire incredibly badly and is far too expensive compared to all of the other ways you could attack the network, which includes, for example, making the capital gains reporting so onerous that no one's going to do retail transactions, as has happened in the United States. Sending threatening letters from the IRS, as has happened in the United States, making criminals out of anyone who purchases bitcoin or persuading the banks to shut down the bank accounts, as has happened in India, etc., etc., etc. So the reason governments haven't tried a 51% attack is not because they can't afford it, not because they can't try to pull it off. It's because they understand that it's the least likely to succeed of all of the other strategies, and they're trying all of the other strategies instead.

Question from Matt: "If all it takes is electricity to attack a proof-of-work network, then isn't delegated proof-of-stake a more secure way of reaching consensus? If delegated proof-of-stake is about game theory, and using EOS as an example, you would need to bribe 15 out of 21 elected block producers. Those block producers would then lose their reputation and position as block producers. Not going to happen, in my opinion. What is your opinion?"

My opinion is that the fundamental difference between bribing miners and bribing block producers is in the beginning of your question, where you say, if all it takes is electricity to attack proof-of-work. It's not all it takes. All it takes is electricity and hardware brought together at the right time in the right place with the right incentives, and that is an incredibly difficult thing to do.
In the delegated proof-of-stake system, all it takes is money to bribe the producers, and the risk of pulling off an attack is their reputation only, but not monetary risk. In a proof-of-work system, it takes a lot of money to bribe the existing miners, or buy electricity and mining equipment, but the risk is not limited to reputation. It's also the risk of losing the money you spend on energy, because no matter what you do in a proof-of-work system, if you attack the system, you will have to spend the energy again, to at least the same extent that you spent the energy the first time you mined blocks in order to rewrite history. The cost of rewriting the past in a proof-of-work system is the same as the cost it took to write it in the first place. A bit less because you have more efficient equipment, but that's marginal. Whereas the cost of rewriting history in a delegated proof-of-stake system is zero. As long as you collude, the cost of the producers colluding is zero. They can rewrite their history all the way back to the beginning, and they don't lose anything. So, proof-of-work, you still have to provide work, and that work is validated by other producers. Now, you can change these parameters a bit. You can use checkpointing and other techniques to limit what the block producers can do in a network like this. You can punish them in a more severe way for trying to rewrite history further back. The bottom line is that proof-of-work produces a different quality of immutability than proof-of-stake systems. That doesn't mean the proof-of-stake systems are not useful, but if you look at the game theory, EOS block producers have been attacked with their reputation, their lobbying, and various other techniques. A lot of proof-of-stake systems use what they call proof-of-proof; one example of that is VeriBlock. Essentially, they checkpoint their proof-of-stake system into Bitcoin in order to protect against
essentially rewriting attacks and consensus attacks against weaker chains. So, proof-of-work and proof-of-stake are not entirely equivalent. You can argue that one is better for one type of application than the other. Sure, go ahead. But they're not equivalent, and you can't just simply substitute one for the other. I think there's a good place for both of them, and they can solve different problems. In fact, I think they work best when used together. You can checkpoint a proof-of-stake system in a proof-of-work system to underpin the security of many other chains, as is done today with proof-of-proof systems in VeriBlock.

Tim Wright asks: "Are ChainLocks just hype or something interesting? Today, an altcoin called Dash activated ChainLocks, which they claim makes 51% attacks virtually impossible, and makes their blockchain arguably as secure or more secure than the Bitcoin blockchain. Zcoin have already announced that they will be copying ChainLocks, too. Do you think there's anything worthwhile in this tech? How does it differ from checkpoints? Could Bitcoin adopt ChainLocks?" There's a follow-up comment from Jack saying, "It sounds a bit like checkpoints based on masternode voting."

Yeah, that's exactly what it is. Let's explain the technology a bit. In a system like Dash, there are essentially two layers of consensus. There's proof-of-work. Sorry, there's a proof-of-stake system that operates through the masternodes. And in a proof-of-stake system that operates through the masternodes, in order to operate a masternode, you need to have, I believe it's 1,000 Dash in order to operate one of these masternodes. There are many of these, and these masternodes have a special status within the system. ChainLocks are checkpoints. Essentially, what they do is they vote on a specific block being the head of the current chain. As long as the masternodes all see that block as the head of the chain, a certain percentage of them can vote.
Once it's received 60% of the votes, I think, then that's checkpointed, meaning that all of the nodes in the system will reject any blocks that are not children of that block. So they will refuse to reorganize the chain. Essentially, what that does is it creates a hybrid proof-of-work proof-of-stake system. You can't attack the proof-of-work with a 51% attack, because the masternodes are checkpointing with a vote, using threshold signatures, and once 60% of them agree on the current state of the chain, that locks in that chain with a checkpoint. So it's a novel and interesting way to do a hybrid proof-of-work proof-of-stake system. And yes, it will make 51% attacks much harder on that particular chain. In fact, if you want to do a 51% attack, you actually have to do a 60% attack where you either compromise the code running on the masternodes, or you put enough stake, which probably wouldn't be possible, to run 60% of the masternodes yourself. I think at current rates, that would be like $300 million, so that's not feasible. So why is Dash doing it? The primary reason Dash and Zcoin are doing it is because we've seen again and again and again that systems that have proof-of-work, that have enormous hash rates, and use ASICs, like Bitcoin, are very difficult and expensive to attack with a 51% attack, so they're not attacked. But systems that have lower hash rates, or that have hash rates that depend on GPUs, not ASIC-based mining, then people can switch GPU mining from other chains and attack a chain that's a bit weaker in its hashing power quite effectively. We've seen 51% attacks against Ethereum Classic. I believe Zcoin had a 51% attack at some point. We've seen attacks against a number of other chains, and I'm not attacking these chains by saying this. It just means that proof-of-work systems are indeed vulnerable when the chains are brand new, and they don't have enough hashing power to make it prohibitively expensive.
A chain can only be secure with proof-of-work if the cost of attacking it far exceeds the potential benefits of attacking it. It's a game theory system. If the cost of attacking it doesn't exceed the potential gains, then it will and does get attacked. We've seen this happen again and again on weaker chains. We haven't seen it happen in Bitcoin. In that case, if you have a chain that doesn't have enough hashing power to really make it completely cost-effective to attack, then you need something else to buttress that. That's essentially what ChainLocks is doing here. It's a hybrid proof-of-work proof-of-stake system, and it's a smart way of doing it, because instead of having a proof-of-stake system on its own, which is vulnerable to historical immutability attacks, or a proof-of-work system that without enough hashing power is vulnerable to 51% attacks, by combining them, you have a system that defends better against 51% attacks than proof-of-work, and defends better against historical immutability attacks than proof-of-stake. A good solution for a system like Dash. Could Bitcoin adopt ChainLocks? No. The reason, at least not in its current iteration, is that ChainLocks basically require some kind of Sybil-proof system of nodes, meaning that they cannot be Sybil-attacked, they cannot be faked. The only way to prevent Sybil attacks, the only two ways we know today, are proof-of-work, meaning that you put work behind each node that's participating in consensus, or proof-of-stake, which means you have to put money up behind each node that's participating in consensus. In order for Bitcoin to adopt ChainLocks, it would have to have some kind of proof-of-stake system. Interestingly enough, because Lightning nodes deposit a bunch of money in payment channels, and use that money which is locked into transactions to earn fees and things like that, this is the kind of thing that could cause the emergence eventually of a proof-of-stake system. But that's a much longer conversation.
So what are ChainLocks? Are they just hype or something interesting? They're something interesting for chains that don't have enough hash rate to defend against 51% attacks. They're not really that interesting for Bitcoin, primarily because Bitcoin doesn't need them. It has enough hash rate to defend against 51% attacks. Some of the articles I read about this were very, very waffly. They claim that 51% attacks are a fatal weakness of proof-of-work chains, and that once miners get 51%, they can do anything they want, including validate invalid transactions. Not sure. There's a lot of misconceptions about how proof-of-work actually works in these articles. So be careful when you read that. Don't always take it for granted. Some of the facts are wrong. But an interesting solution from Dash, nevertheless.
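
The reorg-rejection rule described in the ChainLocks answer above, as an added example that is not part of the talk and is not Dash's code: a toy fork-choice model in which nodes follow the most-work tip but refuse any tip that does not descend from a locked block. The block names, work values and vote counts are constructed, the 60% threshold is the figure quoted in the talk, and counting votes over all masternodes is a simplifying assumption.

```python
# Constructed toy model of "most work wins, unless it conflicts with a lock".
LOCK_THRESHOLD = 0.60  # the "60%, I think" figure quoted in the talk

class Chain:
    def __init__(self):
        self.parent = {"genesis": None}
        self.work = {"genesis": 0}   # cumulative work up to each block
        self.locked = None           # most recent locked (checkpointed) block

    def add_block(self, name, parent, work=1):
        self.parent[name] = parent
        self.work[name] = self.work[parent] + work

    def descends_from(self, block, ancestor):
        while block is not None:
            if block == ancestor:
                return True
            block = self.parent[block]
        return False

    def try_lock(self, block, votes, masternodes):
        """Lock `block` only with enough votes and no conflict with an earlier lock."""
        if votes / masternodes < LOCK_THRESHOLD:
            return False
        if self.locked and not self.descends_from(block, self.locked):
            return False
        self.locked = block
        return True

    def best_tip(self, honor_locks=True):
        parents = set(self.parent.values())
        tips = [b for b in self.parent if b not in parents]
        if honor_locks and self.locked:
            # Reject every tip that is not a descendant of the locked block.
            tips = [t for t in tips if self.descends_from(t, self.locked)]
        return max(tips, key=lambda t: self.work[t])

def demo():
    c = Chain()
    for name, parent in [("a1", "genesis"), ("a2", "a1"), ("a3", "a2")]:
        c.add_block(name, parent)            # public chain
    below = c.try_lock("a2", votes=50, masternodes=100)   # under threshold
    locked = c.try_lock("a2", votes=61, masternodes=100)  # over threshold
    for name, parent in [("x1", "genesis"), ("x2", "x1"), ("x3", "x2"), ("x4", "x3")]:
        c.add_block(name, parent)            # heavier competing fork released later
    return below, locked, c.best_tip(honor_locks=False), c.best_tip(honor_locks=True)

if __name__ == "__main__":
    print(demo())
```

The heavier fork wins under work-only fork choice and is rejected once the lock is honored, which is why the lock moves the attack cost from hash rate to control of the voting set.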