This article explains the huge Bitcoin energy demand and how that helps to make sure the Bitcoin network is secure from being manipulated. It shows some important attack vectors, how consensus is built and why its financial system is secure especially because the participants work independently and in their own interest. The last part gives a brief insight about even newer ways to achieve the same security properties without needing an exceptional amount of energy.
How much energy is spent?
Most comes from renewable energy but it is still a big ecological footprint for a technology that is supposed to be disruptive and innovative in a time when a big part of the world is doing its best to reduce the energy consumption and protect the climate of our planet.
The main arguments that defend the Bitcoin energy consumption
The main aspect of course is that the Bitcoin network provides the storage and exchange of value with minimal trust needed and that requires energy to make it safe. In the current discussion the amount of the energy consumption is defended by three main arguments:
- Comparing it to the traditional financial systems.
- By highlighting that renewable energy is a rare commodity.
- By highlighting that the Bitcoin network can incentivice building plants for renewable energy. There is too much energy produced when the demand is low and not enough when it is high. Batteries reduce the problem but by powering the Bitcoin network during the time of low demand there is a better return on investment possible that can promote building plants for renewable energy. Another advantage ought to be that the energy can be consumed close to the place where it is produced which is reducing the energy needed for transport.
I will not judge the arguments but instead provide you with some insights on why the Bitcoin network needs the energy and a short outlook on how innovation drives the actual reduction of the energy consumption in distributed ledger technologies.
How is the energy spent and why?
But why does Bitcoin need all the energy in the first place?
To understand that, one needs to know how Bitcoin makes sure it is secure from being manipulated.
As it has no central authority, there needs to be a decentralized consensus about which block of transactions is valid and which one is not.
There are around 35 rules that need to be met for a transaction and a block to be considered valid.
The users check the blockchain by themselves using the so-called Bitcoin node software. Those are e.g. the persons and exchanges that use the wallet software to create a transaction and merchants that sell goods for Bitcoin. They all have their own interest in working on a valid blockchain. For example, the merchant will use this node software to make sure he has got a valid bitcoin before sending a good. The transactions created by the wallet software will be secure by themselves as the owner of the Bitcoin wallet that contains Bitcoin uses the private key of the wallet that authorizes him to spend it and to encrypt the transaction. That makes sure nobody else can change the target and the amount.
All that takes no exceptional amount of energy.
But that changes when the miner tries to create the next block for the blockchain.
As soon as they know about a new block in the network they validate it by themself, take transactions from a pool of unconfirmed transactions (aka mempool), validate those and create a new block based on that data. They will also add a special transaction (aka the “coinbase” transaction) that rewards them for creating (aka mining) the block. Currently it will send 6,25 BTC and some transaction fees to their wallet.
They earn that for the last task they have to accomplish in order to make the block valid: They have to guess a specific integer value called “nonce” (from “number used once”) by executing a mathematical algorithm (the „hash“ algorithm). Guessing that value needs a lot of computational power. The more a miner has, the higher their odds are to be the first one among all the miners to find that value and mine the next valid block in the chain. This is what consumes so much energy in Bitcoin mining. Other characteristics of that algorithm include:
- It takes a deterministic range of time to find the correct nonce. Currently it takes ten minutes until someone in the network finds it and that is the reason why a Bitcoin block is mined every ten minutes.
- It is computationally trivial to prove that the found nonce is correct and thus to prove that the computational work has really been done. That is where the name „proof of work“ comes from. It also allows the Bitcoin nodes to easily check if that aspect of the block is valid.
An important consequence of that is that it prevents the network from being spammed by blocks (aka Sybil attacks) as it would be too costly to spend the energy on guessing the nonce.
Who validates that and why do they do it?
While this all explains how and why the energy is spent it doesn’t yet explain how and why this is validated.
Bitcoin is designed in a way that it doesn’t depend on the miners or rational participants in general to cooperate with each other or to be altruistic.
Let’s assume a miner wants to create a dishonest block 2d on top of the honest block 1h that dishonest block fraudulently rewards them with more Bitcoin than they is allowed to mine. They would then spend money on energy and create a confirmed block 3h with a valid nonce. In the meantime honest miners also tried to find the nonce for a new block on top of block 1h. Let’s call it block 2h. But as the dishonest miner published 2d first they will try to validate 2d in parallel to trying to find 2h because if 2d is indeed valid they need to cancel their attempt to build their block (2h) as it would create a fork and they would instead start over and try to create a new block 3h on top of 2d to build a chain. During validation they will recognize that the dishonest miner tried to reward themself with too many Bitcoin. It’s a simple choice for the miners to recognize the block 2d is invalid because otherwise their own block 3h would be considered invalid as well. They will now just continue to work on finding the block 2h, find it at some point and other miners will reject 2d as well and also try to build on 2h by mining 3h. Thus 2d will become orphaned.
But what happens to the block reward for the nonce the dishonest miner found?
Block rewards for orphaned chains
In addition to the block being invalid it is a rule in the Bitcoin node software that only the longest chain of valid blocks is considered to be valid. Their block reward is not part of the official chain of blocks as it is orphaned and shorter. The node software run by merchants, exchanges and others will mark it as invalid. That’s why they will not be able to spend it and the money they spent on the energy is wasted.
If miners mined a block on top of an invalid one their block would also be invalid and their mining reward would also be worthless. That’s why they are incentivized to first validate the parent block.
The users of the node software usually exchange value for Bitcoin they receive. The blocks they validate contain the transactions that send them Bitcoin. It is in their own interest to make sure it’s valid before sending the countervalue.
This shows that the energy for building a block serves as kind of a collateral. A rational miner understands that spamming the network with invalid blocks would be detected by other miners and the node software used by merchants, exchanges and others. Instead they are better off to just build valid blocks out of self-interest and without any central entity that tells them to do that.
Why is so much energy needed?
The only way a miner can cheat is by having more computational power (aka hashing power) than all other miners combined (>50%). This is called a 51% attack.
This chapter first explains this attack and then the reason how the energy consumption of the Bitcoin network among other factors helps to prevent it.
The 51% attack
It could theoretically work like this:
- Let’s assume there is an attacker Anton who has >50% computational power and thus a >50% probability to find the next nonce. He would spend 1.000.000,0 Bitcoin for very rare paintings from Coco the collector. To do that he creates the transaction tx-paintings that would be included in an honest block named 2h built by an honest miner after a parent block named 1h.
- He now mines his own dishonest blocks on top of 1h (2d, 3d, …) in parallel to the honest chain. Attacker Anton is doing that privately to make sure that tx-paintings will never be part of his chain and he puts all their computational resources into that (>50% of the whole network). The more resources he has the better his chances to build the longest chain soon.
- Every spendable Bitcoin amount has a unique address on the blockchain in the same way that a 10 Euro bill is unique with an individual number. The 1 M spendable Bitcoin that Anton owns have the address addr-anton1 in our example.
Anton will now attempt to spend his 1 M Bitcoin from addr-anton1 again on his dishonest chain in another transaction that we call invalidate-paintings-tx. This transaction will just send his Bitcoin to another address Anton owns. The Bitcoin amount with the address addr-anton1 are now double spent in two different transactions. Of course it is Antons goal to make sure that the transaction invalidate-tx-paintings will be valid in the end as he will then still own this Bitcoin and not give it away to Coco. He just has to make sure to build the longest chain.
- But Coco knows what he is doing. He understands that malicious miners with <50% of hashing power – let’s say 30% – might double spend Bitcoin and end up being lucky for a few blocks to have the longest chain. This is why he waits for five additional blocks to confirm that this does not happen and only sends his paintings after six confirmations. The block containing the transaction is said to be the first confirmation of his transaction. We will go into more detail on that in one of the next chapters.
- Today Coco has a bad day as Anton has >50% of hashing power and this means it is just a matter of time until he has the longest chain.
As soon as Anton recognizes he is one block ahead of the confirmations needed he will publish his chain of dishonest blocks. This dishonest chain (2d, 3d, … 8d) will now be valid according to the rules and it will be accepted by all Bitcoin nodes. The honest chain (2h, … 7h) will be invalid. If there would not be the transaction invalidate-paintings-tx then the tx-paintings transaction would just be returned to the mempool and the next honest miner would pick it up and include it in a block. But as the Bitcoin with the address addr-anton1 has been spent already in the longest chain the transaction containing the same Bitcoin in the now orphaned chain will be invalid and discarded.
Now Anton has got all the expensive paintings and he still owns his Bitcoin. He has basically reversed a transaction as tx-paintings which was seen as valid for some blocks now became invalid. As a cherry on the cake he has got all the Bitcoin rewards for mining his blocks.
What would happen to the value of attacker Antons Bitcoin?
As of today high net-worth individuals, family offices, institutions, payment providers, other big companies, retail investors and others invested a combined >1 trillion USD into Bitcoin. Their basic assumption is that Bitcoin is safe from being manipulated. If attacker Anton would really be successful this trust would be broken and all Bitcoin including Antons would lose very significant value.
Another effect of Anton having >50% probability of mining the next block is that it is mainly he who chooses which transactions to include and which not to include. He could use that to suppress certain transactions or transactions from some addresses which is a kind of a denial-of-service attack.
What is not at stake for the Bitcoin network
Anton would still not be able to change the amount and target of transactions from others or change the rules about which blocks are valid and which aren’t. He could also not avoid that the Bitcoin network will otherwise service the participants as usual.
What are Antons risks?
In April 2013 Bitcoin had an emergency caused by a bug that resulted in a fork of 26 blocks. When that happened people came together and found a solution (a bug fix) and patched their system. Anton would lose all this block rewards in this case and the Bitcoin he bought his paintings for.
The network of the Ethereum blockchain faced a hack (aka the DAO hack) in June 2016 when $ 50 Mio worth of ETH, the currency of Ethereum, were stolen which was possible because of a bug. The majority of ETH holders decided to change the software and return the funds. That splitted the Ethereum network into two versions. The version that allowed to return the funds from the hacker which is currently known as Ethereum and the one that did not allow that arguing with a “code is law” philosophy that is now known as Ethereum Classic. But as most users and miners decided not to work with the Ethereum Classic blockchain it was worth <7% of the main Ethereum version leaving the hackers fund with only a fraction of the value on the Ethereum Classic blockchain and no value on the Ethereum blockchain.
Today an attack on the Bitcoin blockchain might see a different response. But the examples show that Anton would certainly be at risk of an individual collective response from many entities having much money at stake.
How much money and energy would it currently take to pull off a 51% attack?
Back in 2014 a mining pool reached >50% of the hashing power even without any malicious attitude. He later voluntarily reduced it. Let’s see how easy that would be for a miner today.
Cost of Bitcoins energy consumption
The Bitcoin network currently produces 157 exa hashes per second (EH/s). The same amount plus 1% to reach 51% could be produced by using 1,42 Mio WhatsMiner M30S++ devices that produce 112 tera hashes per second (TH/s) each.
Let’s make a quick price calculation. A single WhatsMiner M30S++ costs currently $2850. As we need 1,42 M of them it would cost around $4 Billion only for the mining devices themselves. Set aside that it is questionable that one could get so many.
Let’s say we would like to mine 12 blocks to be sure we are ahead even with more than six confirmations. As there is a block in around every 10 minutes we risk the energy of 2 hours. One of our mining devices needs 3,472 kW and one kW/h costs let’s say $0,149 in the USA.
Given we need 1,42 M of them for 2 hours and $0,149 kW/h the plain energy would only cost $1,47 M.
That would even be neglectable given the $4 Billion price tag for the devices.
For the sake of simplicity we leave out the costs for the property, building the data center and maintaining the data center. We also assume that we talk about a governmental actor that is not interested in double spending but only in destroying the trust in the network. This means we need no money for initiating Bitcoin transactions that should later be reverted by the attack.
For a governmental actor that would not be a big amount of money.
Bitcoin energy demand as a limited resource
But getting the amount of energy needed would be a bigger problem. 1,42 M WhatsMiner M30S++ devices would consume a whopping 4,9 Giga Watt of power. This also matches the current theoretical lower bound that the University of Cambridge calculated.
One nuclear power station unit produces only 1 Giga Watt. Which means one would currently need almost 5 nuclear power station units for a 51% attack which is practically impossible to get.
In 2014 a mining pool could reach >51% of the network’s hashing power as part of their normal operation of their business.
The information above shows how unrealistic that would be today because of the sheer energy (and limited mining hardware) that would be needed.
In that way the energy spent by the Bitcoin network makes it much safer compared to the earlier days.
May an attack even work with less than 50% of the computational power available?
If a malicious miner has more than 50% of computational power it is just a matter of time until they will lead with the longest chain. But with less hashing power e.g. 33% they would at least have a bit of a chance to build the longest chain.
The equivalent would be rolling a biased dice with four zeroes and two ones on it. On average two out of six times the one would show up and otherwise it would be the zero. The chances of ending up with more consecutive ones than consecutive zeros is the same as the attacker trying to build the longer chain with a mining power of 33%.
If a merchant sends their goods after they see the paying transaction in a confirming block a malicious miner would only need to build this block without their transaction and one additional block to build the longest chain and convince the rest of the network their two blocks without their payment are the valid chain.
If a dishonest miner had so much computational power available they would have very good chances of success if they tried that two or three times. But in the cases where others would build a longer chain all the money they spent on building the blocks would be lost. That is because their shorter chain with all the mining rewards in it would become orphaned and would not be part of the valid and accepted Bitcoin blockchain.
As time does not work in favor of the dishonest miner the merchant or other entities that are on the other side of the sent transaction could easily reduce the chance of the dishonest chain to take the lead. They would just need to wait for additional confirming blocks on top of the paying transaction.
The relationship between the confirming blocks, the hashing power of the adversary and the probability of them to build the longest chain is calculated in our GitHub repository and shown in this chart:
What is a better alternative to the Bitcoin and its energy consumption?
Bitcoin represents the first generation of blockchains. It has limited scripting capabilities as it does not allow for loops for example so it mainly provides a distributed ledger and uses the Proof of Work (PoW) algorithm described above to secure the financial transactions.
Second generation of blockchains
The second generation of blockchains is said to be projects like Ethereum. They still use a PoW algorithm that needs a lot of energy. But they provide more utility with their smart contract functionality. This contract is a piece of software. Once it is developed and deployed on the blockchain it is executed there under the rules developed for it and its behaviour cannot be changed by a centralized authority. It is used to create additional crypto currencies (aka tokens), to run exchanges on the blockchain (aka decentralized exchanges), for borrowing, lending, crowdfunding and many other applications. All interactions happen peer to peer with only the blockchain being the intermediary.
Third generation of blockchains
The third generation of blockchains is said to be projects like Cardano, Polkadot, Ethereum 2.0 and others. They provide utility with e.g. smart contract functionality but do not use the PoW algorithm to reach consensus about the validity of a block and don’t select the next one who builds a block by the first one who guessed a number. Instead they use a mechanism that does not consume a lot of energy e.g. Proof of Stake (PoS) which is most prominent in that group.
What the name implies is that the aspect of the computational power in PoW (guessing the number) is replaced partially by proving ownership of coins in the blockchain. Sometimes the next one who will build a block is chosen randomly while being biased by the amount of coins he proved to own in the network. As an attacker is limited by the amount of coins they can have they cannot spam the network with blocks. But the implementations of PoS differ significantly and would need articles on their own.
Obviously, a very big advantage is that there is not such a waste of energy as in PoW. But it also results in lower operational costs for the people who validate and create blocks, which allows for lower transaction fees. It also lowers the barrier to become such an entity which in turn results in a better decentralization.