The Bitcoin One

Alright, fine, here we go:

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

That’s the abstract of the Bitcoin white paper, published pseudonymously in 2009 by Satoshi Nakamoto. It’s only nine pages long; you can read the whole thing! It helps to have a surface-level understanding of hash functions and public key cryptography but even that is optional. Of course, most people have not read the nine pages and that is really where all the trouble with Bitcoin begins.

The blockchain is the public ledger of Bitcoin transactions. Transactions contain the (anonymous) identifiers of the payer and payee as well as the quantity of bitcoins being transferred. Each transaction also contains the identifier (hash) of the previous transaction; this is what makes the ‘chain’. Each transaction is linked to the previous one, on and on, all the way back to the beginning.

Briefly, a hash is a type of function that can reduce arbitrary input data to a unique identifier, a random series of letters and numbers. Hashes are quick to compute, but almost impossible to reverse (i.e. you can easily compute the hash for a given input but it is computationally infeasible to convert a hash value back into the input that produced it). As an analogy, consider multiplication and division. Imagine you have two very large prime numbers. It is easy (for a computer) to multiply them. But given only the result (a truly gigantic number with only two prime factors) it is much more intensive to find the prime factors. You don’t know what the factors are so you have to check lots of numbers. Quick one way, slow the other. Hashes are kind of like that, but to the extreme.

Bitcoin uses a concept called ‘proof-of-work’ that relies on hashes to provide immutability to transactions on the blockchain (i.e. transactions cannot be reversed). Proposed transactions are grouped into ‘blocks’ (hence, blockchain). In order to add a new block of transactions to the chain, users combine the block’s transaction data with a hash of the previous block and a ‘nonce’ (a randomized piece of data) and hash the result. The block is only recognized as valid when its hash contains a defined number of leading zeros. Changing the nonce changes the block’s hash (with random effect), so many different nonces must be tried until a hash with the prescribed number of zeros is found. The number of nonces that must be tried grows exponentially with each required leading zero, but the validity of a ‘solved’ block can be verified instantly by computing its hash. This process of ‘solving’ the block is the ‘proof-of-work’. When you hash a previous block and verify the zeros, you know that a massive amount of computing power was expended to find the correct nonce — since the hash results are random there is no way to cheat the puzzle.
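The asymmetry described above, as an added toy example (not code from the white paper or any Bitcoin client). It assumes a simplified block format: SHA-256 over a text string, with difficulty counted in leading zero hex digits, where real Bitcoin double-hashes a binary header against a numeric target. All function names and payloads are constructed for illustration.

```python
import hashlib

GENESIS_PREV = "0" * 64  # constructed placeholder for "no previous block"

def block_hash(prev_hash, data, nonce):
    """Hash the previous block's hash, the transaction data and the nonce together."""
    return hashlib.sha256(f"{prev_hash}|{data}|{nonce}".encode()).hexdigest()

def mine(prev_hash, data, zeros):
    """Expensive direction: try nonces 0, 1, 2, ... until the hash has `zeros` leading zeros."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, data, nonce)
        if digest.startswith("0" * zeros):
            return {"prev": prev_hash, "data": data, "nonce": nonce, "hash": digest}
        nonce += 1

def build_chain(payloads, zeros):
    """Mine one block per payload, each committing to the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for data in payloads:
        chain.append(mine(prev, data, zeros))
        prev = chain[-1]["hash"]
    return chain

def first_invalid(chain, zeros):
    """Cheap direction: one hash per block. Returns the index of the first bad block, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block["prev"], block["data"], block["nonce"])
        linked = block["prev"] == prev
        solved = digest == block["hash"] and digest.startswith("0" * zeros)
        if not (linked and solved):
            return i
        prev = block["hash"]
    return None

def rewrite_block(chain, index, new_data, zeros):
    """Change one block's data and redo the proof-of-work for that block only."""
    edited = [dict(b) for b in chain]
    edited[index] = mine(edited[index]["prev"], new_data, zeros)
    return edited

if __name__ == "__main__":
    ZEROS = 4  # each extra hex zero multiplies the expected work by 16
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"], ZEROS)
    print("nonces tried per block:", [b["nonce"] + 1 for b in chain])
    print("intact chain, first invalid block:", first_invalid(chain, ZEROS))
    edited = [dict(b) for b in chain]
    edited[0]["data"] = "alice->bob 50"  # edit without redoing any work
    print("edited in place, first invalid block:", first_invalid(edited, ZEROS))
    redone = rewrite_block(chain, 0, "alice->bob 50", ZEROS)
    print("block 0 re-mined, first invalid block:", first_invalid(redone, ZEROS))
```

Re-mining the edited block only moves the break to the next block, because that block still commits to the old hash; a rewrite has to redo the work for every block after the change as well.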

Free, open-source implementations of the Bitcoin protocol are run on computers owned by people all over the world. These computers (‘clients’, ‘nodes’) pass messages to each other in a sort of interconnected web. Nodes talk to other nodes who talk to other nodes, rather than having any centralized broadcast or communication mechanism (this is what people mean when they say Bitcoin is ‘decentralized’). This means that the Bitcoin network is only ‘eventually consistent’. Some groups of nodes may for a short time have different chains and only later ‘agree’ on the real state of the blockchain. However, decentralization provides the advantage of resilience: the network has no single point of failure.

Operation of the network is summarized succinctly in the white paper:

The steps to run the network are as follows: 1) New transactions are broadcast to all nodes. 2) Each node collects new transactions into a block. 3) Each node works on finding a difficult proof-of-work for its block. 4) When a node finds a proof-of-work, it broadcasts the block to all nodes. 5) Nodes accept the block only if all transactions in it are valid and not already spent. 6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

The part about the nodes switching to the longest valid chain is important. People like to describe the blockchain as “immutable” but transactions can be undone! If block A is added to the chain in one part of the network and block B is added simultaneously in another part, suddenly tension is created. If, later, block C is added onto block A then eventually nodes will accept the A-C chain and discard the chain containing block B, effectively undoing its transactions. For this reason, the paper proposes waiting for a certain number of blocks to be added past the block containing a transaction before assuming its permanence. This is fine in principle but has implications for de facto transaction speed. Currently, block creation averages ten minutes and transaction throughput is capped by fundamentals of the protocol structure[0].

The ‘longest chain’ switching is also the mechanism for exploiting Bitcoin’s fundamental weakness. It’s right there in the abstract (emphasis mine): “The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers.” The paper demonstrates mathematically that the chance of a minority collection of CPU power ‘overwriting’ a block by making a longer chain from an ancestor block decreases exponentially with each added block. However, if a majority of CPU power is coordinated, the ability to overwrite blocks becomes guaranteed. The paper argues this is unlikely since a) the network is large, so controlling a majority of CPU power is hard; b) nodes have an incentive to support the system (rather than attempt to destabilize it) if they are coin holders; and c) even if someone did control a majority of CPU power it would be more profitable to solve new blocks than to attempt forgery.
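The white paper's catch-up calculation, carried over to Python as an added example (not code from this post), covering both the "wait for more blocks" advice and the majority case described above. Here q is the attacker's share of CPU power and z is the number of blocks added on top of the transaction; confirmations_needed and its 0.1% default threshold are names and values chosen for this illustration.

```python
import math

def catch_up_probability(q, z):
    """Probability that an attacker holding share q of CPU power ever overtakes
    an honest chain that is z blocks ahead (the white paper's model: Poisson
    attacker progress while the honest blocks are found, then a gambler's-ruin race)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    if q >= 0.5:
        return 1.0  # with half or more of the power, catching up is certain
    p = 1.0 - q                # honest share
    lam = z * (q / p)          # expected attacker blocks while honest nodes mine z
    poisson = math.exp(-lam)   # Poisson term for k = 0, updated incrementally below
    total = 1.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        # attacker has k blocks and still has to make up a deficit of z - k
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total

def confirmations_needed(q, threshold=0.001, limit=1000):
    """Smallest z for which the catch-up probability drops below `threshold`.
    Returns None for a majority attacker or if `limit` blocks are not enough."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < threshold:
            return z
    return None

if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45, 0.51):
        row = ", ".join(f"z={z}: {catch_up_probability(share, z):.7f}" for z in (1, 3, 6))
        print(f"q={share:.2f}  {row}  blocks for <0.1%: {confirmations_needed(share)}")
```

The decay is exponential in z only while q stays below one half, and it gets much slower as q approaches it, which is why the concentration of CPU power in pools matters more than the raw size of the network.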

Nodes are rewarded for ‘solving’ a block with a modest amount of Bitcoin. This is also the mechanism by which new coins are introduced into circulation. When the (predetermined) maximum number of coins has been reached, nodes will be incentivized by transaction fees provided by the originator of the transaction. These rewards for solving blocks are the main conceptual argument against the danger of a majority CPU power attack (‘51% attack’). The paper says:

If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favor him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

That strikes me as not very convincing? As the value of a bitcoin rises so does the potential impact and value of a destabilizing attack. The paper presents this as fairly impossible — with such a massive pool of computing power solving blocks it would be financially and logistically infeasible to amass a majority. It’s a compelling vision of decentralization-as-security! The reality is far from that. Nodes organize themselves into ‘pools’ in order to share the work and rewards of solving transactions. This is economical for individual network nodes but drastically reduces the effective decentralization of the network. Massive coordination between nodes is antithetical to the ideas laid out in the white paper. In 2014, one of these pools briefly controlled a majority of CPU power before voluntarily reducing its resources. This week, users of the Ethereum network are actively coordinating a 51% attack in protest of proposed changes to the Ethereum protocol.

Another good counterargument to ‘51% attacks are unlikely because they are hard to do’ is ‘well, they happen all the time’. Although Bitcoin has yet to suffer a 51% attack, other cryptocurrencies have not been so lucky:

At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond with millions of dollars in an effort that’s perhaps the crypto equivalent of a bank heist.

That’s from 2018, a year that also produced this gem of a headline: “Pornhub Payment Option Verge Suffers Massive Blockchain Reorganization”. In that instance 560k blocks were overwritten representing 200 days of transactions. Anyways, there is this cool MIT Media Lab website that has some in-depth reports on specific attacks. In the last two years they’ve done write-ups of attacks on Bitcoin Gold, Vertcoin, Litecoin, and Expanse. These smaller cryptocurrencies (‘altcoins’) are more vulnerable because they are less popular and the total CPU power backing them is small. Also, they are more prone to vulnerabilities in the software used by nodes to operate their networks. Unfortunately for Bitcoin, its fate is somewhat intertwined with its altcoin brethren. Prices of cryptocurrencies tend to fluctuate in tandem and the failure of an individual coin (due to fraud, hacking, etc.) can put direct downward pressure on the cryptocurrency market.

So where does this leave us? If you are a Bitcoin purist — a True Believer™ who awaits the day when Bitcoin supplants all fiat currency — then all of this is probably fine. You can have your Bitcoins and send them back and forth (very slowly) to pay for things (though not many things). Your net worth swings wildly with Bitcoin’s volatility but you are not looking to cash out so that is not a concern. There is a small chance that a catastrophic event will occur and the price will crash and you will be left destitute but you are ready to roll those dice. In the interim (before Bitcoin makes the global financial system obsolete) you just sort of live in the financial Wild West. It feels fun and exciting and you’re part of building the future but also you might suddenly die of cholera.

For everyone else who transacts in a fiat currency like good old U.S. dollars, Bitcoin has another systemic risk: the interface between cryptocurrency and the existing financial system[1]. For most people, the easiest way to acquire Bitcoins (or other cryptocurrencies) is to buy them on an exchange. Companies like Coinbase act as market makers that accept traditional currency like dollars in exchange for units of cryptocurrency. They also provide custody service: they keep users’ Bitcoins safe so the users don’t accidentally forget their Bitcoin wallet password and lose all their money. That’s a potentially valuable service!

Sometimes, though, users lose all their money anyway:

FCoin, a crypto exchange that adopted the controversial “trans-fee mining” model, has paused trading and withdrawal as it reveals a shortage of crypto assets worth up to $130 million.

Zhang Jian, the former Huobi CTO who launched FCoin in May 2018, wrote a lengthy post on Monday, saying the exchange is now unable to process users’ withdrawal demands as its asset reserve has fallen short of its liability – and the gap is estimated to be about 7,000 to 13,000 bitcoin (BTC).

The post, first published in Chinese and later translated on Reddit, comes as a shocking notice to users in China as the significant amount of assets in question led to the insolvency of the controversial model that at one point made FCoin one of the largest exchanges by trading volume.

Zhang claimed in the post the exchange was neither hacked nor an exit scam but the problem is “a little too complicated to be explained in a single sentence.”

This sort of thing happens on a regular-enough basis that for some time there was a satirical site that tracked the number of days since an exchange had lost over $100M. Of course, anywhere there is money changing hands there will be fraud. Cryptocurrency mixes that natural danger with a special sauce of nascent technology and light regulation to create a cocktail of Ponzi schemes, predatory products, and swindling.

There is also the problem of how to get your money out. In a catastrophic event (51% attack, software vulnerability, draconian regulation), exchanges are vulnerable to a ‘bank run’ phenomenon where they are unable to cash out users as (hypothetically) the value of Bitcoin plummets and everyone attempts to close their positions simultaneously.

So Bitcoin is a slow medium of exchange with limited uses that carries fundamental risks from both the underlying technology and the human systems that support it. It is a magnet for fraudsters and speculators and if it all comes tumbling down there is little-to-no downside protection. Boo, this is so pessimistic! I just want to hear about the future of financial technology on the blockchain! Well good news, when it comes to Bitcoin that is all people really talk about. Here’s some choice content from a 2015 TEDxTampaBay talk titled “At the Speed of Money: How Cryptocurrency Will Transform Everything”:

[Blockchain] will do for our money system what the internet did for information and what the internal combustion engine did for transportation by making it more swift, cheap, widespread, granular, and fast.

And

[Satoshi Nakamoto] figured out how to make data secure on the internet.

I am really not sure what that sentence means.

[Bitcoin is] as safe as any bank ledger and it’s safer than most credit card networks as any customer of Target or Ashley Madison can tell you.

Valid critiques of privacy legislation aside, banks and credit card networks do not routinely run off with all of their customers’ money.

And because we have total security on the blockchain…

Pornhub would like a word!

Artificial intelligences gifted with the agility of the blockchain asset network could set real-time prices on things that we need to know about in real-time, especially as population increases.

I don’t think three-to-seven transactions (globally!) per second qualifies as either ‘agility’ or ‘real-time’. The talk also presents an example application of the blockchain as a replacement for government contractors that provide paid street parking apps. Because credit card fees are higher (as a percentage) for low-value transactions, the blockchain is often touted as an ideal alternative. This idea relies on two of the most common blockchain fallacies: that transactions are fast (they are not), and that fees are both lower than credit cards and stable (they are sometimes low but extremely variable). No one wants to wait half an hour for their parking payment to go through or discover that their $3/hour spot will incur a $22 payment fee.

That talk is a random source, but I’ve kept it in the Notes app on my phone for four years (!) because it is a typical example of the discourse around Bitcoin and the blockchain[2]. With even a light understanding of the underlying technology you can see that those statements are somewhere between wrong and meaningless. But they are representative! 53% of executives surveyed by Deloitte identified either speed or security as Bitcoin’s greatest advantage over existing financial systems. Madness!

Lots of people talk about Bitcoin (and the blockchain, and cryptocurrency, generally) in a way that is divorced from the realities and trade-offs that underlie the technology. That is critical, because Bitcoin really is a technology at its core (as opposed to most of the financial system, which is made of human systems overlaid with technical ones). Because of that, the technical underpinnings matter much more with Bitcoin than they do with other financial infrastructure. If Visa suffers a cyberattack or the stock market has a software glitch things will get crazy for a little while. But the stabilizing force in those situations is the American government and military and judicial system. They will work to calm people down and catch the criminals and pull the many levers of the financial system to aid the affected parties. With Bitcoin, the stabilizing force is just the technology! You can’t reason about Bitcoin like other pieces of financial infrastructure because the forces stabilizing it — the forces that protect its continued, consistent functioning — are completely different.


[0] Based on the number of transactions per block this comes out to between 3 and 7 transactions per second. For comparison, the Visa network does about 1,700 transactions per second. This should convince you that anyone suggesting that a blockchain-based payment system can replace credit card providers doesn’t know what they’re talking about.

[1] There is a third systemic risk, which is that maybe the ‘stablecoin’ Tether has fraudulently inflated Bitcoin’s price and will eventually cause a tremendous crash. It is a fascinating and scary and real possibility but merits another 1,500 words and we just can’t fit that here.

[2] This piece is primarily a critique of Bitcoin, but it should be clear why blockchains in general are not a pragmatic or suitable choice for almost any task. There are very few things for which a centralized database is not a better option (for security, speed, security, reliability, and security).