Bitcoin Is Worse Is Better

2011 essay on how Bitcoin’s long gestation and early opposition indicates it is an example of the ‘Worse is Better’ paradigm in which an ugly complex design with few attractive theoretical properties compared to purer competitors nevertheless successfully takes over a niche, survives, and becomes gradually refined.
computer-science, cryptography, Bitcoin, design
2011-05-27–2018-11-21 · finished · certainty: likely · importance: 8

The genius of Bitcoin, in inventing a digital currency successful in the real world, is not in creating any new abstruse mathematics or cryptographic breakthrough, but in putting together decades-old pieces in a semi-novel but extremely unpopular way. Everything Bitcoin needed was available for many years, including the key ideas.

However, the sacrifice Bitcoin makes to achieve decentralization is—however practical—a profoundly ugly one. Early reactions to Bitcoin by even friendly cryptographers & digital currency enthusiasts were almost uniformly extremely negative, and emphasized the (perceived) inefficiency & (relative to most cryptography) weak security guarantees. Critics let ‘perfect be the enemy of better’ and did not perceive Bitcoin’s potential. However, in an example of ‘Worse is Better’, the ugly inefficient prototype of Bitcoin successfully created a secure decentralized digital currency, which can wait indefinitely for success, and this was enough to eventually lead to adoption, improvement, and growth into a secure global digital currency.

What is the great accomplishment of the idea of Bitcoin? In discussing Bitcoin’s recent rise to $10/₿ in 2011, many have been wondering who is the real man under the Satoshi Nakamoto mask; a hard question—how many genius libertarian cryptographers are there? But the interesting thing is, Satoshi could be anybody, and I believe this gives us an interesting clue to how Bitcoin has been able to bootstrap itself from nothing.

Satoshi could be anybody: Bitcoin involves no major intellectual breakthroughs of a mathematical/cryptographic kind, so Satoshi need have no credentials in cryptography, nor be anything but a self-taught programmer!


Satoshi published the first public version of his white paper on 2008-11-01 after earlier private discussions1, and the whitepaper was further edited afterwards; but if you look at the cryptography that makes up Bitcoin, the pieces can be divided into:

  • Public key cryptography2

  • Cryptographic signatures

  • Cryptographic hash functions

  • Hash chain used for proof-of-work

    1. Hash tree
    2. Bit gold
  • Cryptographic time-stamps

  • Resilient peer-to-peer networks


“So the first answer to Why Now? is simply ‘Because it’s time.’ I can’t tell you why it took as long for weblogs to happen as it did, except to say it had absolutely nothing to do with technology. We had every bit of technology we needed to do weblogs the day launched the first -capable browser. Every single piece of it was right there. Instead, we got . Why did we get Geocities and not weblogs? We didn’t know what we were doing.”

(, 2003)

The interesting thing is that all the pieces were in place for at least 8 years before Satoshi’s publication, which was followed a little over two months later3 by the first public4 prototype. If we look at the citations in the whitepaper and others, and then order the relevant technologies by year in descending order:

  1. 2001: finalized
  2. 1999–present: (PBFT etc.)
  3. 1999–present: (excluding early networks like or ; & , , , , , etc.)
  4. 1998: Wei Dai, B-money5
  5. 1997: ; 19986: Nick Szabo, Bit Gold; ~2000: MojoNation/BitTorrent; ~2001–2003, Karma, etc
  6. 1992–1993: Proof-of-work for spam7
  7. 1991:
  8. 1980: 8
  9. 1979:

This lack of novelty is part of the appeal—the fewer new parts of a cryptosystem, the less danger9. All that was lacking was a Satoshi to start a Bitcoin.


But with the benefit of this hindsight, one can wonder—why this delay?10

If the idea is (relatively) easy to understand and uses basic ideas11, if it is very far from the cutting-edge of cryptography12, then there’s no reason it would not be seriously tried. Certainly the of the ’90s were wildly creative, inventing everything from / to to to (memorably depicted in ). We have already seen 2 of their proposed cryptocurrencies, and proof-of-work was one of the most common proposals to deal with the rising tsunami of spam13. Why did Bitcoin take a decade to be born? The nags at me—similar to the historical question of why England experienced the Industrial Revolution and grew to empire, and not China, which seems better equipped in every respect14. Where does ? There must be an answer. (And it may be similar to VR.15)


Is the problem one of resources? In the whitepaper, Satoshi remarks:

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

That’s fine to say in 2008, after many doublings. Would memory have been a problem in the 1990s? It doesn’t have to be. The difficulty of bitcoin mining is adjustable, so the problem boils down to:

  1. disk usage

    • With a smaller hash like SHA116 (a 160-bit digest instead of SHA-256’s 256 bits; acceptable in a 1990s counterfactual, though SHA-1 collisions have been practical since 2017), the 80 bytes can be shrunk

    • 10 minutes is not graven in stone; why not 20 minutes? Right there we have halved the block-header overhead

    • the hash tree can be ‘garbage collected’ and shrunk17

    • it is only necessary to maintain a full hash tree if one is paranoid.

      In practice, like many programs of the era such as mail or Usenet clients, the default could simply be to hold onto the last n blocks/hashes (Satoshi estimates 12kb/day); this would consume a limited amount of disk space.

  2. network connectivity is solvable by solutions to #1, since bandwidth is

    1. A function of the existing hash tree size
    2. And of the frequency of new transactions

It’s worth pointing out that it’s generally expected that at some point ordinary desktop users like you or me will stop being full-fledged nodes and bitcoin miners and will instead make use of some specialist service running powerful servers of its own; in a counterfactual universe where Bitcoin was begun in the early 1990s, the changeover would simply have occurred sooner. (And with all the investment money desperately seeking a home during the first Internet bubble, it would have been quite easy to start such a service regardless of the technical demands.)

Contemporary objections

As well, few of the objections to cryptocurrencies seem to have been “computers which can run it are fantastically expensive”18. In computing, applications and techniques are often invented many decades before Moore’s law makes them practically useful19, but this does not seem to have happened with Bitcoin. A similar objection obtains with patents or published papers; if Bitcoin was a known idea, where are they? I have yet to see anybody point out what patents might have deterred cryptography researchers & implementers; the answer is that there were none. Because there was no investor interest? Not that Satoshi needed investors, but there were a tremendous number of online payment services started in the ’90s, each searching for the secret sauce that would let them win ‘mindshare’ and ride ‘network effects’ to victory; again comes to mind. Even in the ’90s, when the Internet seems embryonic to us of the 2010s, there were still many millions of people on the Internet who could have used a digital cash.

So if the basic idea is accessible, and it has been usable on consumer-grade hardware for the last 20 years or so, then what’s the problem?

Cryptographers’ objections

I think it’s instructive to look at Satoshi’s ANN thread on the Cryptography newsgroup/mailing list; particularly the various early criticisms:

Nick Szabo summarizes the early reaction:

Bitcoin is not a list of cryptographic features, it’s a very complex system of interacting mathematics and protocols in pursuit of what was a very unpopular goal. While the security technology is very far from trivial, the “why” was by far the biggest stumbling block—nearly everybody who heard the general idea thought it was a very bad idea. Myself, Wei Dai, and Hal Finney were the only people I know of who liked the idea (or in Dai’s case his related idea) enough to pursue it to any significant extent until Nakamoto (assuming Nakamoto is not really Finney or Dai). Only Finney (RPOW) and Nakamoto were motivated enough to actually implement such a scheme.

As well, let’s toss in some blog posts on Bitcoin by the cryptographer Ben Laurie and Victor Grischchenko; Laurie particularly criticizes23 the hash-contest which guarantees heavy resource consumption:

  1. “Bitcoin”
  2. “Bitcoin 2”
  3. “Bitcoin is Slow Motion”
  4. “Decentralised Currencies Are Probably Impossible: But Let’s At Least Make Them Efficient”
  5. “Bitcoin?”, Victor Grischchenko

What’s the common thread? Is there any particular fatal flaw of Bitcoin that explains why no one but Satoshi came up with it?


No! What’s wrong with Bitcoin is that it’s ugly. It is not 24. It’s clever to define your bitcoin balance as whatever hash tree is longer, has won more races to find a new block, but it’s ugly to make your network’s security depend solely on having more brute-force computing power than your opponents25, ugly to need, now and in perpetuity, honest control of at least half the processing power just to avoid double-spending26. It’s clever to have a P2P network distributing updated blocks which can be cheaply & independently checked, but there are tons of ugly edge cases which Satoshi has not proven (in the sense that most cryptosystems have security proofs) to be safe, and he himself says that what happens will be a “coin flip” at some points. It’s ugly to have a hash tree that just keeps growing and is going to be gigabytes and gigabytes in not terribly many years. It’s ugly to have a system which can’t be used offline without proxies and workarounds, which essentially relies on a distributed global clock27, unlike Chaum’s solution28. It’s ugly to have a system that has to track all transactions, publicly; even if one can use bitcoins anonymously with effort, that doesn’t count for much—a cryptographer has learned from incidents like and decades of successful attacks on pseudonymity29. And even if the money supply has to be fixed (a bizarre choice and more questionable than the irreversibility of transactions), what’s with that arbitrary-looking 21 million bitcoin limit? It merely falls out of the reward schedule (50 ₿ per block, halving every 210,000 blocks, sums to 50 × 210,000 × 2); couldn’t it have been a rounder number or at least a power of 2? (Not that the bitcoin mining is much better, as it’s a massive give-away to early adopters. may claim it doesn’t matter how bitcoins are allocated in the long run, but such a blatant bribe to early adopters rubs against the grain. Again, ugly and inelegant.) Bitcoins can simply disappear if you send them to an address whose private key nobody holds (the address checksum catches typos, not a well-formed address with no owner). And so on.

The basic insight of Bitcoin is clever, but clever in an ugly compromising sort of way. Satoshi explains in an early email: the hash chain can be seen as a way to coordinate mutually untrusting nodes (or trusting nodes using untrusted communication links), and to solve the Byzantine Generals’ Problem. If they try to collaborate on some agreed transaction log which permits some transactions and forbids others (as attempted double-spends), naive solutions will fracture the network and lead to no consensus. So they adopt a new scheme in which the reality of transactions is “whatever the group with the most computing power says it is”! The hash chain does not aspire to record the “true” reality or figure out who is a scammer or not; but like Wikipedia, the hash chain simply mirrors one somewhat arbitrarily chosen group’s consensus:

…It has been decided that anyone who feels like it will announce a time, and whatever time is heard first will be the official attack time. The problem is that the network is not instantaneous, and if two generals announce different attack times at close to the same time, some may hear one first and others hear the other first.

They use a proof-of-work chain to solve the problem. Once each general receives whatever attack time he hears first, he sets his computer to solve an extremely difficult proof-of-work problem that includes the attack time in its hash. The proof-of-work is so difficult, it’s expected to take 10 minutes of them all working at once before one of them finds a solution. Once one of the generals finds a proof-of-work, he broadcasts it to the network, and everyone changes their current proof-of-work computation to include that proof-of-work in the hash they’re working on. If anyone was working on a different attack time, they switch to this one, because its proof-of-work chain is now longer.

After two hours, one attack time should be hashed by a chain of 12 proofs-of-work. Every general, just by verifying the difficulty of the proof-of-work chain, can estimate how much parallel CPU power per hour was expended on it and see that it must have required the majority of the computers to produce that much proof-of-work in the allotted time. They had to all have seen it because the proof-of-work is proof that they worked on it. If the CPU power exhibited by the proof-of-work chain is sufficient to crack the password, they can safely attack at the agreed time.

The proof-of-work chain is how all the synchronisation, distributed database and global view problems you’ve asked about are solved.
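The scheme Satoshi describes above, reduced to runnable form as an added example: this is not code from the essay, from Satoshi, or from any Bitcoin client, but a toy model written for this page. It assumes the simplifications noted in the comments: difficulty is a count of leading zero bits instead of Bitcoin’s compact target, the work of a block is approximated as 2^bits, and blocks carry no timestamps, retargeting or real transaction format. The `demo` function is a constructed scenario with made-up transaction ids. It shows the two points in the passage that matter for security: a node can check every chain link, Merkle commitment and proof-of-work without trusting whoever produced the chain, and competing histories are settled by accumulated work, which coincides with ‘longest chain’ only while difficulty is constant.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

# Added toy model of a proof-of-work hash chain. Assumed simplifications:
# difficulty = leading zero bits, work per block = 2**bits, no timestamps,
# no retargeting, no real transaction format.


def sha256d(data: bytes) -> bytes:
    """Bitcoin-style double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: List[bytes]) -> bytes:
    """Hash tree over a block's txids, duplicating the last hash of an odd level
    as Bitcoin does. Caveat: that rule gives [a, b] and [a, b, b] the same root,
    so real nodes must reject blocks with duplicate txids (CVE-2012-2459)."""
    if not txids:
        raise ValueError("a block needs at least one transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


@dataclass(frozen=True)
class Header:
    prev_hash: bytes  # hash of the previous header: the chain link
    root: bytes       # Merkle root committing to this block's transactions
    bits: int         # difficulty: required number of leading zero bits
    nonce: int        # the value the miner brute-forces

    def hash(self) -> bytes:
        return sha256d(self.prev_hash + self.root + struct.pack("<II", self.bits, self.nonce))


def meets_target(digest: bytes, bits: int) -> bool:
    return int.from_bytes(digest, "big") < (1 << (256 - bits))


def mine(prev_hash: bytes, txids: List[bytes], bits: int) -> Header:
    """Search nonces from 0 until the header hash falls below the target."""
    root, nonce = merkle_root(txids), 0
    while not meets_target(Header(prev_hash, root, bits, nonce).hash(), bits):
        nonce += 1
    return Header(prev_hash, root, bits, nonce)


GENESIS = b"\x00" * 32  # prev_hash of the first block


def validate(chain: List[Header], txs: List[List[bytes]]) -> bool:
    """What a node checks without trusting the producer: links, Merkle
    commitments and proof-of-work. Altering a transaction changes the root,
    breaks that header's hash, and so orphans every block after it."""
    if len(chain) != len(txs):
        return False
    prev = GENESIS
    for hdr, txids in zip(chain, txs):
        if hdr.prev_hash != prev or hdr.root != merkle_root(txids):
            return False
        if not meets_target(hdr.hash(), hdr.bits):
            return False
        prev = hdr.hash()
    return True


def work(chain: List[Header]) -> int:
    """Expected hashes spent on the chain: Bitcoin's actual fork-choice metric."""
    return sum(2 ** h.bits for h in chain)


def fork_choice(chains: List[List[Header]]) -> List[Header]:
    return max(chains, key=work)


def demo() -> Dict[str, object]:
    """Two miners extend a common prefix; one fork is longer, the other heavier."""
    tx = sha256d  # constructed stand-in: a txid is just a hash of the tx bytes
    prefix_txs = [[tx(b"coinbase-0"), tx(b"pay-alice")]]
    prefix = [mine(GENESIS, prefix_txs[0], 10)]
    tip = prefix[-1].hash()

    # Fork A: two more blocks at 10 bits, total work 3 * 2**10 = 3072.
    a_txs = prefix_txs + [[tx(b"coinbase-1a")], [tx(b"coinbase-2a"), tx(b"pay-bob")]]
    a = prefix + [mine(tip, a_txs[1], 10)]
    a.append(mine(a[-1].hash(), a_txs[2], 10))

    # Fork B: one more block at 12 bits, total work 2**10 + 2**12 = 5120.
    b_txs = prefix_txs + [[tx(b"coinbase-1b"), tx(b"pay-carol")]]
    b = prefix + [mine(tip, b_txs[1], 12)]

    # Tampering: swap a transaction in A's second block without re-mining it.
    tampered_txs = [a_txs[0], [tx(b"pay-mallory")], a_txs[2]]

    return {
        "a_valid": validate(a, a_txs), "b_valid": validate(b, b_txs),
        "tampered_valid": validate(a, tampered_txs),
        "a_len": len(a), "b_len": len(b), "a_work": work(a), "b_work": work(b),
        "winner": "B" if fork_choice([a, b]) is b else "A",
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields a valid three-block fork A, a valid two-block fork B, a tampered copy of A that fails validation, and B chosen as the winner despite being shorter, because its 12-bit block represents more expected hashing than A’s two 10-bit blocks. That is the sense in which Bitcoin’s security rests on brute force: nothing in the check above asks who the miners were, only how much work they provably burned.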

How Worse is Better

In short, Bitcoin is a perfect example of ‘Worse is Better’ (original essay). You can see the tradeoffs that Richard P. Gabriel enumerates: Bitcoin has many edge cases; it lacks many properties one would desire for a cryptocurrency; the whitepaper is badly under-specified; much of the behavior is socially determined by what the miners and clients collectively agree to accept, not by the protocol; etc.

The worse-is-better philosophy is only slightly different: […]

  • Completeness—the design must cover as many important situations as is practical. All reasonably expected cases should be covered. Completeness can be sacrificed in favor of any other quality. In fact, completeness must be sacrificed whenever implementation simplicity is jeopardized. Consistency can be sacrificed to achieve completeness if simplicity is retained; especially worthless is consistency of interface.

…The MIT guy did not see any code that handled this [edge] case and asked the New Jersey guy how the problem was handled. The New Jersey guy said that the Unix folks were aware of the problem, but the solution was for the system routine to always finish, but sometimes an error code would be returned that signaled that the system routine had failed to complete its action. A correct user program, then, had to check the error code to determine whether to simply try the system routine again. The MIT guy did not like this solution because it was not the right thing… It is better to get half of the right thing available so that it spreads like a virus. Once people are hooked on it, take the time to improve it to 90% of the right thing.

Guarantees of Byzantine resilience? Loosely sketched out and left for future work. Incentive-compatible? Well… maybe. Anonymity? Punted on in favor of pseudonymity; maybe someone can add real anonymity later. Guarantees of transactions being finalized? None, the user is just supposed to check their copy of the blockchain. Consistent APIs? Forget about it, there’s not even a standard, it’s all implementation-defined (if you write a client, it’d better be “bugward compatible” with Satoshi’s client). Moon math? Nah, it’s basic public-key crypto plus a lot of imperative stack-machine bit-twiddling. Space efficiency? A straightforward blockchain and on-disk storage takes priority over any fancy compression or data-structure schemes. Fast transactions? You can use zero-conf and if that’s not good enough for buying coffee, maybe someone can come up with something using the smart contract features. And so on.

But for all the issues, it seems to work. Just like Unix, there were countless ways to destroy your data or crash the system, which didn’t exist on more ‘proper’ OSs like , and there were countless lacking features compared to systems like or the OSs. But like the proverbial cockroaches, Unix spread, networked, survived—and the rest did not.30 And as it survives and evolves gradually, it slowly becomes what it “should” have been in the first place. Or HTML31 vs .

Paul Ford in 2013 has stum­bled onto a sim­i­lar view of Bit­coin:

The Internet is a big fan of the worst-possible-thing. Many people thought Twitter was the worst possible way for people to communicate, little more than discourse abbreviated into tiny little chunks; Facebook was a horrible way to experience human relationships, commodifying them into a list of friends whom one pokes. The Arab Spring changed the story somewhat. (BuzzFeed is another example—let them eat cat pictures.) One recipe for Internet success seems to be this: Start at the bottom, at the most awful, ridiculous, essential idea, and own it. Promote it breathlessly, until you’re acquired or you take over the world. Bitcoin is playing out in a similar way. It asks its users to forget about central banking in the same way Steve Jobs asked iPhone users to forget about the mouse.

But he lacks the “worse is better” paradigm (despite being a programmer) and doesn’t understand how Bitcoin is the worst-possible-thing. It’s not the decentralized aspect of Bitcoin, it’s how Bitcoin is decentralized: a cryptographer would have difficulty coming up with Bitcoin because the mechanism is so ugly and there are so many elegant features he wants in it. Programmers and mathematicians often speak of “taste”, and how it leads one to better solutions. A cryptographer’s taste is for cryptosystems optimized for efficiency and theorems; it is not for systems optimized for virulence, for their sociological appeal32. Centralized systems are natural solutions because they are easy, like the integers are easy; but as the integers are but a vanishingly small subset of the reals, so too are centralized systems a tiny subset of decentralized ones33. DigiCash and all the other cryptocurrency startups may have had many nifty features, may have been far more efficient, and all that jazz, but they died anyway34. They had no communities, and their centralization meant that they fell with their corporate patrons. They had to win in their compressed timeframe or die out completely. But “that is not dead which can eternal lie”. And the race may not go to the swift, as Hal Finney also pointed out early on:

Every day that goes by and Bitcoin hasn’t collapsed due to legal or technical problems, that brings new information to the market. It increases the chance of Bitcoin’s eventual success and justifies a higher price.

It may be that Bitcoin’s greatest virtue is not its deflation, nor its microtransactions, but its viral distributed nature; it can wait for its opportunity. “If you sit by the bank of the river long enough, you can watch the bodies of your enemies float by.”

Objection: Bitcoin is not Worse, it’s Better

Nick Szabo and Zooko Wilcox-O’Hearn disagree strongly with the thesis that “Bitcoin is Worse is Better”. They contend that while there may be bad parts to Bitcoin, there is a novel core idea which is actually very clever—the hash chain is a compromise which thinks outside the box and gives us a sidestep around classic problems of distributed computing, which gives us something similar enough to a trustworthy non-centralized authority that we can use it in practice.

Gwern’s post fails to appreciate the technical advances that BitCoin originated. I have been trying, off and on, to invent a decentralized digital payment system for fifteen years (since I was at DigiCash). I wasn’t sure that a practical system was even possible, until BitCoin was actually implemented and became as popular as it has. Scientific advances often seem obvious in retrospect, and so it is with BitCoin.35

Nick Szabo thinks that the main blocking factors were:

  1. ideological beliefs about the nature of money (liberals not interested in non-state currencies, and Austrians believing that currencies must have intrinsic value)
  2. obscurity of bit gold-like ideas
  3. “requiring a proof-of-work to be a node in the Byzantine-resilient peer-to-peer system to lessen the threat of an untrustworthy party controlling the majority of nodes and thus corrupting a number of important security features”
  4. some simplification (not markets for converting “old” & harder-to-mine bitcoins to “new” & easier-to-mine bitcoins, but a changing network-wide consensus on how hard bitcoins must be to mine)

My own belief is that #1 is probably an important factor but questionable, since the core breakthrough is applicable to all sorts of other tasks like secure global clocks or timestamping or domain names; #2 is irrelevant, as all digital cryptographic currency ideas are obscure (to the point where, for example, Satoshi’s whitepaper does not cite bit gold but only b-money, yet Wei Dai does not believe his b-money actually influenced Bitcoin at all36!); and #3–4 are minor details which cannot possibly explain why Bitcoin has succeeded to any degree while ideas like bit gold languished.

Irreversible transactions: meta-scams

The irreversibility of Bitcoin transactions makes for some unusual dynamics in exchanges, along with the entire altcoin ecosystem (probably the most interesting altcoin scam to me was the Bytecoin scam+anonymity innovation). I learned of an interesting example in May 2013, when a Reddit post introduced me to a Tor hidden site which offers you double your money back if you send it some bitcoins. A scam, right? Well, it is a scam, but it’s not quite the scam it looks like…

To start, there is a comment from someone claiming that they tried it and the way the scam worked was that it doubled your money the first time you sent it some bitcoins, but then kept anything you sent it subsequently; the idea being that the first transaction will be a ‘test’ by suspicious users, who will then send a ‘real’ transaction which can be stolen in toto. Specifically:

Oh dude. I actually tried this like 5 days ago. I sent 0.5btc and got one back, so technically it works. However, when I sent my 1btc back (and emailed the guy about it) he kept it and didn’t respond at all. So it’s a scam, obviously, but the way it works is kind of interesting in that it actually works the first time, to lure you in and send even more. EDIT: I SHOULD PROBABLY ADD: DON’T SEND MONEY TO THIS GUY

This is reasonable enough—ponzis are careful to allow withdrawals early on, and runners of ponzis, like the classic 2006 “Currin trading” ponzi scheme (part 1, 2), record how people would do 1 or 2 test transactions and then deposit large ‘real’ sums with the ponzi.

Except… the person claiming it worked for them is an unused account, and so are the people expressing skepticism of him! It gets more interesting when you note that the scam as claimed is trivially exploitable (or scammed) by anyone who knows how it works (send a large amount the first transaction, and never send again), and more interesting still when you remember that Bitcoin transactions are public and so the first commenter could have partially proven that the scam worked as they claimed it worked for them, yet has not provided any evidence despite being challenged to do so and given 9 days’ grace; and finally, we see 2 Redditors sending in token amounts and claiming they received nothing back.

So what are we looking at here? I can’t know this for sure, but this is what I think is going on.

We are looking at a meta scam: the scam is that you think it’s a scam that you can scam, but you get scammed as you try to scam the scam. The original scammer puts up a scam website, makes 4 shill accounts to claim it works and lay out the rules—send it X, it sends you 2X back, and then the second time it keeps your money when you presumably sent it 2X+Y—but actually, the site simply keeps any money sent to it, and so the people who planned to scam the scam wind up being scammed.

If we think of deception as having levels, this is a little confusing; but the site will either return your money or not. The first level is that the site works as it claims: it returns your money, it doubles any money you send it. (This is understood by anyone who can read the page.) The second level is that level 1 is a lie: it does not return your money, it simply steals any money you send it. (This is understood by anyone with a brain who has read the page.) However, then we get to a third level: level 2 is not quite right, the site will either return your money or not, depending on how many transactions you’ve done—the site is a scam which will steal your money, but it will do so only after 1 successful transaction. (Understood by anyone who reads the Reddit comments and blindly trusts them.) The fourth level, the level originally above mine until I became more suspicious, is that level 3 is a lie too, and actually, level 2 was the real truth—the site simply steals your money.

Phew! How fascinating! Honestly, I almost feel like sending the dude a buck or two just for implementing such an interesting little scam for me to think about, although he could’ve done it a bit better and shuffled some bitcoins around on the blockchain 7 days in advance to match his shill account’s claims. (He didn’t invent the meta-scam, however, since it seems to have precedents like in Runescape as the “doubling money scam”.)

An even more recent (2018) Ethereum-based scam exploits Ethereum’s ‘gas’ transaction fees and smart contracts: the scammer pretends to accidentally post publicly in a chat room his private key to an address with a large amount of some asset in it and a smart contract, but the address happens to have insufficient ether to pay the ‘gas’ for an immediate withdrawal; everyone stampeding to withdraw the asset has to send some ether to the address first to unlock it… except that the smart contract, which they didn’t have time to inspect closely, merely receives all gas deposits & immediately transfers them away to another account, so everyone who sends gas loses it and the original assets remain in place.

So in a way, this scam embodies the old saw “you can’t cheat an honest man”37. Well, of course in the real world honest men get cheated all the time, so I prefer to think of it as :

‘Nash equilibrium strategy’ is not necessarily synonymous to ‘optimal play’. A Nash equilibrium can define an optimum, but only as a defensive strategy against stiff competition. More specifically: Nash equilibria are hardly ever maximally exploitative. A Nash equilibrium strategy guards against any possible competition including the fiercest, and thereby tends to fail taking advantage of sub-optimum strategies followed by competitors. Achieving maximally exploitative play generally requires deviating from the Nash strategy, and allowing for defensive leaks in one’s own strategy.

  1. was registered 2008-08-18, so presumably Satoshi had been developing the bitcoin idea at least as early as 2008. He refers to working on it earlier than that, but the earliest draft of the Bitcoin whitepaper appears to have been circulated privately sometime before .↩︎

  2. Although Bonneau & Miller 2014 describe a cryptocurrency design using just cryptographic hash functions (with commit-and-reveal) without any need for public key cryptography, and pointedly note that “Bitcoin itself is something of a curiosity from an academic standpoint in that it was discovered decades after the requisite cryptographic primitives were available. Our work shows that it was in fact possible even before the discovery of public-key cryptography.”↩︎

  3. The first revision in the GitHub repository is dated August 2009 by sirius-m; Satoshi had already announced the v0.1 release on the cryptography mailing list on 2009-01-09.↩︎

  4. Satoshi claims that before he wrote the whitepaper, he wrote a prototype.↩︎

  5. In the same vein of ‘the network is a third party which keeps a copy of all signed transactions’, you could include Ian Grigg’s 2005 paper “Triple Entry Accounting”.↩︎

  6. I had a hard time figuring out when bit gold was first thought of; Szabo kindly blogged that he had written about it in 1998 on a private mailing list:

    Here are some more specific reasons why the ideas behind Bitcoin were very far from obvious: (1) only a few people had read of the bit gold ideas, which although I came up with them in 1998 (at the same time and on the same private mailing list [libtech] where Dai was coming up with b-money—it’s a long story) were mostly not described in public until 2005, although various pieces of it I described earlier, for example the crucial Byzantine-replicated chain-of-signed-transactions part of it which I generalized into what I call secure property titles.

  7. “Pricing via Processing, Or, Combating Junk Mail”, Dwork & Naor 1993, presented at CRYPTO’92.↩︎

  8. This is Satoshi’s citation date; Diffie-Hellman, the , was in 1976, not 1980.↩︎

  9. In cryptography, new parts are guilty until proven innocent. Hundreds of past systems have been broken, sometimes after decades of study & use.↩︎

  10. Another person or group to ask this same question is Barber et al 2012 (although this essay was posted in early 2011, so Barber et al 2012 may not be entirely independent):

    Despite some pessimists’ critiques and disbelief, Bitcoin has admittedly witnessed enormous success since its invention. To the security and cryptographic community, the idea of digital currency or electronic cash is by no means new. As early as 1982, Chaum has outlined his blueprint of an anonymous e-cash scheme in his pioneering paper [10]. Ever since then, hundreds of academic papers have been published to improve the efficiency and security of e-cash constructions—to name a few, see [15, 8, 9]. Naturally, an interesting question arises: Despite three decades’ research on e-cash, why have e-cash schemes not taken off, while Bitcoin—a system designed and initially implemented possibly single-handedly by someone previously unknown, a system that uses no fancy cryptography, and is by no means perfect—has enjoyed a swift rise to success?

    …Bitcoin has a completely distributed architecture, without any single trusted entity. Bitcoin assumes that the majority of nodes in its network are honest, and resorts to a majority vote mechanism for double spending avoidance, and dispute resolution. In contrast, most e-cash schemes require a centralized bank who is trusted for purposes of e-cash issuance, and double-spending detection. This greatly appeals to individuals who wish for a freely-traded currency not in control by any governments, banks, or authorities—from libertarians to drug-dealers and other underground economy proponents

    …Incentives and economic system. Bitcoin’s eco-system is ingeniously designed, and ensures that users have economic incentives to participate. First, the generation of new bitcoins happens in a distributed fashion at a predictable rate: “bitcoin miners” solve computational puzzles to generate new bitcoins, and this process is closely coupled with the verification of previous transactions. At the same time, miners also get to collect optional transaction fees for their effort of vetting said transactions. This gives users clear economic incentives to invest spare computing cycles in the verification of Bitcoin transactions and the generation of new Bitcoins. At the time of writing the investment of a GPU to accelerate Bitcoin puzzle solution can pay for itself in ~6 months…the earlier in the game, the cheaper the coins minted.

  11. I am only a layman with an interest in cryptography, but I am not alone in seeing this lack of really novel primitives or ideas in the Bitcoin scheme; Ben Laurie expresses exactly this idea in an aside in a blog post attacking Bitcoin:

    A friend alerted me to a sudden wave of excitement about Bitcoin. I have to ask: why? What has changed in the last 10 years to make this work when it didn’t in, say, 1999, when many other related systems (including one of my own) were causing similar excitement? Or in the 20 years since the wave before that, in 1990? As far as I can see, nothing.

  12. One thinks of the for­mi­da­ble math­e­mat­i­cal diffi­cul­ties sur­round­ing the area of where one would expect any break­through to be from a bona fide genius, or at least a cre­den­tialed expert.↩︎

  13. Although iron­i­cal­ly, proof-of-work never seemed to go into wide­spread use because of gen­eral iner­tia and because to deter large amounts of spam, proof-of-work would also deter legit­i­mate users under some mod­els.

    Spam seems to have been kept in check by bet­ter fil­ter­ing tech­niques (eg. ’s “A Plan for Spam” using ) and against bot­nets & spam­mers.↩︎

  14. For more on that his­to­ry, see Wikipedia on , , the ; I rec­om­mend A Farewell to Alms.↩︎

  15. “Voices From A Vir­tual Past: An oral his­tory of a tech­nol­ogy whose time has come again” (2014):

    Palmer Luckey: I spent a huge amount of time read­ing through basi­cally every sin­gle pub­lished piece of lit­er­a­ture on VR. I think that there were a lot of peo­ple that were giv­ing VR too much cred­it, because they were work­ing as VR researchers. You don’t want to pub­lish a paper that says, “After the study, we came to the con­clu­sion that VR is use­less right now and that we should just not have a job for 20 years.” There were a few peo­ple that basi­cally came to that con­clu­sion. They said, “Cur­rent VR gear is low field of view, high lag, too expen­sive, too heavy, can’t be dri­ven prop­erly from con­sumer-grade com­put­ers, or even pro­fes­sion­al-grade com­put­ers.” It turned out that I was­n’t the first per­son to real­ize these prob­lems. They’d been known for decades.

    Here’s a secret: the thing stop­ping peo­ple from mak­ing good VR and solv­ing these prob­lems was not tech­ni­cal. Some­one could have built the Rift in mid-to-late 2007 for a few thou­sand dol­lars, and they could have built it in mid-2008 for about $647. It’s just nobody was pay­ing atten­tion to that.

  16. SHA-1, as of 2011, had not been cracked ; it was defeated in 2017.↩︎

  17. My under­stand­ing is that sim­ply no one has both­ered to pro­gram this func­tion­al­ity since 400MB is not that much space.↩︎

  18. Or rather, the objec­tions were that cryp­tocur­ren­cies had to be mobile—us­able on the con­tem­po­rary PDAs and cell­phones, with the com­put­ing power of a watch.↩︎

  19. and most of arti­fi­cial intel­li­gence (or machine learn­ing in par­tic­u­lar) seem to have waited decades for suffi­ciently fast hard­ware. Indeed, I some­times feel that entire career has essen­tially been sketch­ing out what he could do if only he had some decent cheap hard­ware.↩︎

  20. It prob­a­bly will. Some infor­mal pro­jec­tions have been made of what it would take to run mil­lions of trans­ac­tions worth tril­lions of dol­lars, and they tend to come in at com­pa­ra­ble to the exist­ing resource use of com­pa­nies like Google (which fund their own power plants or monop­o­lize con­ve­nient hydro­elec­tric dams to run their dat­a­cen­ter­s).↩︎

  21. Recent crit­i­cism, too, some­times focuses on the qual­ity of the C++ code­base and ad hoc nature of many of the choic­es; from an anony­mous Face­book com­ment:

    The pro­to­col is not well-de­fined and clearly designed by an ama­teur (that is, not some­one who has done much pro­to­col imple­men­ta­tion work). It’s a binary pro­to­col with a smat­ter­ing of length­-pre­fix­ing, , etc. The mes­sages look rea­son­able, just a hor­ri­ble encod­ing. The rules of the pro­to­col are poorly defined and tightly cou­pled to imple­men­ta­tion; the imple­men­ta­tion is done by some­one who feels it’s good and well to have only 5 major source files for 17 . Due to lack of a well-spec­i­fied pro­to­col, there is also a bit of client mono­cul­ture going on.

    It’s worth not­ing that the whole sys­tem assumes SHA-256—the bit­coin com­mu­nity says that rolling over to some­thing else is just a mat­ter of intro­duc­ing a new algo, but in actu­al­ity it’s not nearly that sim­ple. The pro­to­col has no con­cept of upgrad­ing to differ­ent algos, so it would neces­si­tate a com­plete over­haul of the pro­to­col (since there’s a lot of 32-byte fields in there) AND a re-computation/rollover of the entire trans­ac­tion his­to­ry. …The pro­to­col also has had no thought put into it re: net­work archi­tec­ture—there are peers and that’s it. Due to the cryp­to­graphic nature of trans­ac­tions, it’s sim­ply not pos­si­ble to have real­time trans­ac­tions with bit­coin as the net­work scales (it already take 5–10 mins on aver­age for the net­work to see a sin­gle trans­ac­tion). Thus, there will need to be some con­cept of a node in the net­work that can facil­i­tate inter­ac­tions between two peers in a faster fash­ion, with the assump­tion of a mea­sure of trust. You should­n’t require it, of course, but it should be defined, I think.

    Secu­rity expert is sim­i­larly appalled at the band­width require­ments to scale (“:0” was his emoti­con) and pre­dicts that the Bit­coin net­work will even­tu­ally turn into a qua­si­-bank-like oli­garchy of supern­odes (which changes the sys­tem and “offers a host of ugly seman­tics” since the supern­odes “don’t need 50%—just need to incon­ve­nience 50% to accept your opin­ion”). He com­ments that while “Nor­mal Code” seems good but “Scratch the sur­face, it’s actu­ally really bad”, the Bit­coin code­base “Looks really bad up front” but “Scratch the sur­face, it’s actu­ally sur­pris­ingly good”. arti­cle’s :

    “When I first looked at the code, I was sure I was going to be able to break it”, Kamin­sky said, not­ing that the pro­gram­ming style was dense and inscrutable. “The way the whole thing was for­mat­ted was insane. Only the most para­noid, painstak­ing coder in the world could avoid mak­ing mis­takes.”…He quickly iden­ti­fied nine ways to com­pro­mise the sys­tem…when he found the right spot, there was a mes­sage wait­ing for him. “Attack Removed”, it said. The same thing hap­pened over and over, infu­ri­at­ing Kamin­sky. “I came up with beau­ti­ful bugs”, he said. “But every time I went after the code there was a line that addressed the prob­lem.”…“I’ve never seen any­thing like it”, Kamin­sky said, still in awe…“Either there’s a team of peo­ple who worked on this”, Kamin­sky said, “or this guy is a genius.”

    On a tech­ni­cal basis, he dis­likes the use of SHA-256 as opposed to slower func­tions like , because SHA-256 “can be accel­er­ated mas­sively with GPUs” lead­ing to GPU short­ages and mas­sive hash­ing dis­par­i­ties between peers, and his slides con­clude “Bit­Coin is actu­ally well designed, if you accept that anonymity and scal­ing forces the entire present model to be shifted into some­thing that effec­tively looks like bank­ing”. He reit­er­ated his pos­i­tive impres­sion of Bit­coin in 2013—“But the core tech­nol­ogy actu­ally works, and has con­tin­ued to work, to a degree not every­one pre­dict­ed.”—and has begun to recon­sider some of his ear­lier crit­i­cisms about the resource demands & grad­ual cen­tral­iza­tion of nodes. Another tes­ti­mony to the pro­to­col’s secu­rity comes from TechCrunch:

    While research­ing Bit­coin, Lemon’s hired two sep­a­rate teams of hack­ers to exam­ine the Bit­coin source code for vul­ner­a­bil­i­ties for about a half-year. “They are arguably the best in the world. I spent a lot of time and money on the best hack­ers I could find and came back from that con­vinced that Bit­coin’s secu­rity is robust,” he said. “What they found was very, very com­pelling for me.”

    Bruce Schneier men­tions offhand­edly that “I haven’t ana­lyzed the secu­ri­ty, but what I have seen looks good.”↩︎

  22. Nick Szabo, discussing Chaumian ecash (“the greatest simple equation since ”), comments with almost palpable distaste of a hypothetical system akin to Bitcoin in this respect:

    A use-once-address communications mix plus forswearing any reputation gain from keeping accounts, in theory also buys us unlinkability, but a communications mix [BTC: “mixing service”; not necessarily easy] is weak and very expensive.

    The most widely known, popular, and secure communications mix is probably Tor; a number of flaws have been found in it over time, and Tor will never be very secure—it’s fundamentally difficult to impossible to have an anonymizing communications mix which is also near real-time. Some flaws can’t be removed by the Tor network, like the ability of exit nodes to snoop on traffic (as has been done many times, most memorably during the startup of ). Communications mixes are usually expensive in resources, so typically only make up a part of an overall network—and the rest of the network leaks considerable information, including .

    These are not necessarily fatal objections from a practical point of view. A simple mix or laundry may well buy one all the anonymity one needs; they can be chained to substantially reduce risks; more elaborate and secure off-blockchain laundries can be constructed using ; and finally, there is always the hope that someone will figure out how to build upon the existing pseudonymous Bitcoin system to enable genuinely anonymous and untraceable transactions (which may have been accomplished in 2013 with the proposed Zerocoin extension to the Bitcoin protocol).↩︎

  23. Perry Metzger summarizes Laurie’s approach:

    I think people have missed the more subtle point that Ben Laurie made here. Bitcoin requires the use of an unusual sort of secure consensus protocol to work reliably, and such protocols are not known to exist in this context. In the presence of such a protocol, however, there is no longer any need for mining—the system can simply elect a member to acquire a new coin every N seconds via a secure election protocol (and those are known given the rest). Thus, Ben’s point that if you’re going to have a system like bitcoin, one could at least have an efficient system of this sort rather than a stupid one based on an electrical potlatch.

  24. Not everyone agrees with me or those initial posters, though; “Bitcoins create truly democratic policy, followers say”, :

    “It’s like the Mona Lisa,” said Bruce Wagner, an IT consultant who discovered bitcoin in October and now hosts an online TV show about it. “It’s a masterpiece of technology.”

    From the New Yorker article:

    Haber is a director of the International Association for Cryptologic Research and knew all about bitcoin. “Whoever did this had a deep understanding of cryptography”, Haber said when I called. “They’ve read the academic papers, they have a keen intelligence, and they’re combining the concepts in a genuinely new way.”

    “The Rise and Fall of Bitcoin”, Wired:

    But slowly, word of bitcoin spread beyond the insular world of cryptography. It has won accolades from some of digital currency’s greatest minds. Wei Dai, inventor of b-money, calls it “very significant”; Nick Szabo, who created bit gold, hails bitcoin as “a great contribution to the world”; and Hal Finney, the eminent cryptographer behind RPOW, says it’s “potentially world-changing.”…Stefan Brands, a former ecash consultant and digital currency pioneer, calls bitcoin “clever”…

    More recently, Wei Dai has said:

    …it involved major technical and conceptual/philosophical advances on the existing state of the art, and these advances didn’t originate from nor was likely funded/supported by academia, government or industry. Also, its social impact seems larger—if Craigslist or PayPal didn’t exist, something essentially identical would have been created very soon anyway, but if Bitcoin didn’t exist, another Bitcoin may not have been created for another decade, and/or may have been created with very different characteristics, for example it might have been coded with a monetary policy that emphasized price stability instead of a fixed supply of money.

  25. Computing power is useful because it’s impossible to fake: you either can regularly bruteforce a hash or you cannot, assuming the hash is still secure. But strictly speaking there are other possible unfakeable properties which future digital cryptographic currencies may use; Szabo lists 3 others:

    Canonically Byzantine agreement assumed each node had a secure true-name identity, but because privacy is a desiderata, and because it would be very difficult to implement such a secure identity system on the Internet, we have to use some characteristic of users provable within the Bitcoin or bit gold system to weigh Byzantine “votes”. I’ve now come up with a list of provable attributes in Bitcoin (or bit gold) by which message correctness “votes” might be weighed:

    • proof-of-work/mining effort (what Bitcoin currently does)
    • value or number of coins or solution bits owned by key
    • number or value of transactions as payor, payee, or both by a key
    • number or value of transactions weighted by how recent they are
    • various combinations of the above

    This is an incomplete list, especially if we add new attributes. One of the general ideas here is to weigh Byzantine “voting” towards those with more experience in the system, making a novel invasion more difficult. However in a currency there should also be a balance between various stakeholders (holders, creditors, and debtors). Since Bitcoin- or bit gold- denominated contracts generally exist outside the system, one would have to, at the very least, publicly register those contracts signed by the parties’ keys for creditor or debtor status to be provable.

    One proposed scheme for Bitcoin is Proof of Stake:

    With Proof of Work, the probability of mining a block depends on the work done by the miner (e.g. CPU/GPU cycles spent checking hashes). With Proof of Stake, the resource that’s compared is the amount of Bitcoin a miner holds—someone holding 1% of the Bitcoin can mine 1% of the “Proof of Stake blocks”….Each block must be signed by its miner using a single bitcoin account. The account used to sign a block must also be the recipient of txn fees and generation from this block. Blocks are mined by proof-of-work hashing as before, but with modified difficulty criteria. The difficulty criterion for block validity is modified as follows: Hash generates valid block if and only if

    Hash Difficulty >= Difficulty Target / ( max(Coin-confirmations used to sign block, 100 satoshi-confirmations) )^( p / (1-p))

    where 0 <= p < 1. Stake becomes more and more important as p approaches 1. p = 0.8 is suggested as an appropriate choice. p = 0 is identical to the current proof-of-work system. If the block is signed by a bitcoin account holding less than 100 satoshi-confirmations, this is treated as if the account held 100 satoshi-confirmations. Thus non-stakeholders are allowed to verify blocks, but relative to stakeholders they must meet extremely stringent difficulty criteria. Permitting non-stakeholders to verify blocks solves the initial distribution problem. As before the Difficulty Target is a periodically adjusted constant which is set to maintain a target generation rate of 1 block every 10 minutes.
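    The modified difficulty criterion quoted above, worked through as an added example (not code from the proposal or from this essay): it computes the stake-weighted difficulty a signing account must reach, the expected number of hashes that implies, and the resulting split of blocks between miners of different stake and hashrate, including the 100 satoshi-confirmation floor for non-stakeholders. Assumptions: “Hash Difficulty”, which the proposal does not define, is taken as 2^256 divided by the double-SHA-256 of the header; coin-confirmations are a plain integer; p is passed as a decimal string so that p/(1-p) is computed exactly.

```python
import hashlib
from fractions import Fraction

# Floor from the quoted proposal: an account holding fewer than 100 satoshi-confirmations
# is treated as holding exactly 100, so non-stakeholders may still mine, at a steep penalty.
STAKE_FLOOR = 100


def stake_exponent(p) -> Fraction:
    """The exponent p/(1-p). Pass p as a decimal string such as "0.8" (an assumption of
    this example) so that 1-p, and hence the exponent, is exact rather than a float."""
    p = Fraction(p)
    if not 0 <= p < 1:
        raise ValueError("the proposal requires 0 <= p < 1")
    return p / (1 - p)


def stake_weight(coin_confirmations: int, p):
    """max(coin-confirmations, 100)^(p/(1-p)): the divisor applied to the difficulty target.
    With p = 0 this is always 1, i.e. plain proof-of-work."""
    return max(coin_confirmations, STAKE_FLOOR) ** stake_exponent(p)


def required_difficulty(difficulty_target: int, coin_confirmations: int, p) -> Fraction:
    """Difficulty a block signed by this account must reach: Target / stake_weight."""
    return Fraction(difficulty_target) / stake_weight(coin_confirmations, p)


def hash_difficulty(block_header: bytes) -> Fraction:
    """Difficulty of a header's double-SHA-256, taken here (an assumption; the proposal
    does not define it) as 2^256 / hash, so a numerically smaller hash counts as harder
    and every hash has difficulty >= 1."""
    digest = hashlib.sha256(hashlib.sha256(block_header).digest()).digest()
    return Fraction(1 << 256, max(int.from_bytes(digest, "big"), 1))


def block_is_valid(block_header: bytes, difficulty_target: int, coin_confirmations: int, p) -> bool:
    """The quoted criterion: Hash Difficulty >= Target / max(stake, 100)^(p/(1-p))."""
    return hash_difficulty(block_header) >= required_difficulty(difficulty_target, coin_confirmations, p)


def expected_attempts(difficulty_target: int, coin_confirmations: int, p) -> float:
    """Expected hashes before a valid block: each attempt succeeds with probability
    stake_weight / Target, clipped to 1 once the required difficulty drops below 1."""
    return float(max(required_difficulty(difficulty_target, coin_confirmations, p), 1))


def block_shares(miners, p):
    """miners: list of (hashrate, coin_confirmations). Returns each miner's expected
    fraction of blocks, proportional to hashrate * stake_weight, so stake enters as
    its (p/(1-p))-th power."""
    rates = [Fraction(hashrate) * stake_weight(conf, p) for hashrate, conf in miners]
    total = sum(rates)
    return [float(r / total) for r in rates]


def mine(prefix: bytes, difficulty_target: int, coin_confirmations: int, p, max_nonce: int = 1_000_000):
    """Toy miner: append a nonce to a constructed header prefix until the criterion holds.
    Returns (nonce, attempts) or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        header = prefix + nonce.to_bytes(8, "big")
        if block_is_valid(header, difficulty_target, coin_confirmations, p):
            return nonce, nonce + 1
    return None


if __name__ == "__main__":
    # Constructed numbers: a target chosen so that a non-stakeholder needs ~1024 hashes.
    target = 1024 * 100 ** 4
    print("non-stakeholder expected hashes:", expected_attempts(target, 0, "0.8"))
    print("1000 coin-confirmations expected hashes:", expected_attempts(target, 1000, "0.8"))
    # Equal hashrate, stakes 100 vs 1000, at the suggested p = 0.8 and at p = 0 (pure PoW).
    print("shares at p=0.8:", block_shares([(1, 100), (1, 1000)], "0.8"))
    print("shares at p=0:  ", block_shares([(1, 100), (1, 1000)], "0"))
    print("toy block:", mine(b"constructed-header-", target, 0, "0.8"))
```

    With the suggested p = 0.8 the stake enters as its fourth power, so a miner with a thousandth of the hashrate but ten times the coin-confirmations still expects over 90% of the blocks.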

  26. “Decentralised Currencies Are Probably Impossible: But Let’s At Least Make Them Efficient”, Ben Laurie:

    Now that we understand the core problem, namely that of agreement, we can quite easily understand Bitcoin’s solution to the problem. Bitcoin defines the consensus group as “all the computing power in existence”, and requires participants to prove their possession of whatever fraction of this power they care to spend on Bitcoin by using it to produce proof-of-work tokens. And once we state the problem like this, we can quite clearly see the flaw. Until at least half of the computing power in existence is actually used to produce Bitcoins, we cannot know that we have consensus! If, for example, 1% of the total power available [footnote: Strictly, I mean energy rather than power, since Bitcoin actually, in effect, sums power over time.] is used to produce Bitcoins at present (in fact, the amount is far less than that), then at any point someone could come along with a further 1.1% of the total power and use this to define their own consensus [footnote: By forking history right back to the first block, and producing a hash chain that is longer than the current consensus.], thus invalidating all the work, and all the money, of the initial group, and instead take possession of the entire currency for themselves.

    …Even worse, it is clear that arriving at the equilibrium state for Bitcoin is incredibly expensive: half of all the computing power in existence must be burnt, in perpetuity, maintaining agreement about the current state of the currency. It is also unknowable: we can never be sure that we actually are burning half of all the power in existence, because we do not know how much power exists.

    Laurie points out that in practice, the Bitcoin community does depend on a centralized authority which periodically passes down ‘blessed’ block-chains—the Bitcoin developers periodically hardwire known-good states of the block-chain into the clients (which of course is a theoretical weakness).↩︎

  27. Zooko Wilcox-O’Hearn (in hidden comments):

    …I recall upon first hearing about Bitcoin, losing interest in it for precisely one of those “ugliness” issues that you cite: it depended on (what was described as) globally synchronized clocks, which I had a negative emotional reaction to.

  28. Chaum pays a price for his systems’ ability to work offline / without directly processing transactions. Don’t take my word for it; see in section 12.6.6 of his early ’90s (not to be confused with ):

    …Chaum went to great lengths to develop systems which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double-spending instances. I’m not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it requires physical ID, it invokes a legal system to try to collect from “double spenders”, and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can…Bob is then revealed as a “double spender,” and his identity revealed to whomever wanted it…Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions.

    • Multi-spending vs. on-line clearing

      • I favor on-line clearing. Simply put: the first spending is the only spending. The guy who gets to the train locker where the cash is stored is the guy who gets it. This ensures that the burden of maintaining the secret is on the secret holder.
      • When Alice and Bob transfer money, Alice makes the transfer, Bob confirms it as valid (or verifies that his bank has received the deposit), and the transaction is complete.
      • With network speeds increasing dramatically, on-line clearing should be feasible for most transactions. Off-line systems may of course be useful, especially for small transactions, the ones now handled with coins and small bills.

    Further contemporary description can be found in a declassified June 1996 NSA review, “How to make a mint: the cryptography of anonymous electronic cash”.↩︎

  29. For example, see some of the most recent research I linked in Death Note: L, Anonymity & Eluding Entropy.↩︎

  30. , which contains many entertaining and often still-applicable descriptions of the fecklessness and sharp edges of Unixes, also contains an extremely funny ‘Anti-Foreword’ by Dennis Ritchie:

    To the contributors to this book: I have succumbed to the temptation you offered in your preface: I do write you off as envious malcontents and romantic keepers of memories. The systems you remember so fondly (, , , , , the Dorado) are not just out to pasture, they are fertilizing it from below…You claim to seek progress, but you succeed mainly in whining. Here is my metaphor: your book is a pudding stuffed with apposite observations, many well-conceived. Like excrement, it contains enough undigested nuggets of nutrition to sustain life for some. But it is not a tasty pie: it reeks too much of contempt and of envy. Bon appetit!

  31. “Oral History of Butler Lampson”, 2006:

    Kay: “But I wish that you had been at CERN on a sabbatical when that…”

    Lampson: “I probably would have been a disaster.”

    Kay: “I don’t know. But I think you would have made a slightly better…”

    Lampson: “No. No. No. No. No. No. What Tim [Berners-Lee] did was perfect. My view about the web is that it’s the great failure of computer systems research. Why did computer systems researchers not invent the web? And I can tell you the answer. It’s because it’s too simple.”

    Kay: “It is too simple.”

    Lampson: “If I had been there I would have mucked it up. I swear to God. The idea that you’re going to make a new TCP connection for every mouse click on a link? Madness! The idea that you’re going to have this crusty universal data type called HTML with all those stupid angle brackets? We never would have done that! But those were the things that allowed it to succeed.”

  32. Many anonymous commenters point this out because it makes Bitcoin smell like some sort of or :

    Bitcoin, like the recent commercial phenomenon , tends to turn people into marketers because they feel they have something to gain, however small it might be in the end; I think that partly accounts for its temporary success.

    Or “The Rise and Fall of Bitcoin”, Wired:

    Stefan Brands, a former ecash consultant and digital currency pioneer, calls bitcoin “clever” and is loath to bash it but believes it’s fundamentally structured like “a pyramid scheme” that rewards early adopters.

    , “More Thoughts on Bitcoin”:

    Lots of people are saying: “The deflation built into bitcoin was a terrible idea. People are getting rich.” In fact, it was a brilliant idea. It brought in speculators (people that are buying/selling it as if in a game). It created a bubble. The bubble put it on the map. The bubble has attracted thousands of developers/participants. Think of how the fueled the Web/Internet.

    Szabo is a little more generous in his explanation of why people were uninterested in Bitcoin-like strategies:

    1. Hardly anybody actually understands money. Money just doesn’t work like that, I was told fervently and often. Gold couldn’t work as money until it was already shiny or useful for electronics or something else besides money, they told me. (Do insurance services also have to start out useful for something else, maybe as power plants?) This common argument coming ironically from libertarians who misinterpreted account of the origin of money [see “On the Origins of Money”] as being the only way it could arise (rather than an account of how it could arise) and, in the same way misapplying Mises’ regression theorem [see ]. Even though I had rebutted these arguments in my study of the origins of money, which I humbly suggest should be required reading for anybody debating the economics of Bitcoin.

    There’s nothing like Nakamoto’s incentive-to-market scheme to change minds about these issues. :-) Thanks to RAMs full of coin with “scheduled deflation”, there is now no shortage of people willing to argue in its favor.

  33. Decentralized systems are usually convertible into centralized systems easily, while the converse is not true. (Much like parallel versus serial programming—to make a parallel program serial, just insert a lot of .) For a simple example, consider cases where n = 2: imagine a swarm (a decentralized system) with one seed and one leech. Or take like or ; it’s a commonplace to point out that if a group really wants a ‘centralized’ workflow, they can just designate one particular repository the ‘master’ canonical repository and continue onwards with the DVCS as a more capable replacement for or .↩︎

  34. betterunix offers an interesting defense of DigiCash:

    …It is worth pointing out that Digicash survived longer than Bitcoin has even been around—twice as long, in fact. The reasons for its failure are not as simple as “people just did not care.” There were forces in the US government actively working against all civilian use of cryptography, especially those systems that might thwart law enforcement investigations. Patents on cryptography (ironically, this includes patents held by Chaum himself) did what they typically do: prevent systems from being deployed on a large scale. There were bad management decisions, like Chaum’s refusal to accept a huge monetary offer from Microsoft to integrate his system with Windows 95 and another large offer from Visa…In another four years, if the news about Bitcoin is something other than, “Bitcoin trading at all-time lows”, or “Analyzing the failure of cryptocurrencies”, you can at least claim that Bitcoin fared better than Chaum’s systems.

  35. Zooko, May 31, 2011 6:42 PM↩︎

  36. Wei Dai, 2011-02-25:

    …If you read the Wikipedia article, you should know that I didn’t create Bitcoin but only described a similar idea more than a decade ago. And my understanding is that the creator of Bitcoin, who goes by the name Satoshi Nakamoto, didn’t even read my article before reinventing the idea himself. He and credited me in his paper. So my connection with the project is quite limited.

    Dai has also criticized the monetary policy built into Bitcoin:

    I would consider Bitcoin to have failed with regard to its monetary policy (because the policy causes high price volatility which imposes a heavy cost on its users, who have to either take undesirable risks or engage in costly hedging in order to use the currency). (This may have been partially my fault because when Satoshi wrote to me asking for comments on his draft paper, I never got back to him. Otherwise perhaps I could have dissuaded him (or them) from the “fixed supply of money” idea.) I don’t know if it’s too late at this point to change the monetary policy that is built into the Bitcoin protocol or for an alternative cryptocurrency to overtake Bitcoin.

    Adam Back, 2013-04-18 (confirmed by Wei Dai):

    …So anyway I know a few things about ecash, privacy tech, crypto, distributed systems (my comp sci PhD is in distributed systems) and I guess I was one of the moderately early people to read about and try to comprehend the p2p crypto cleverness that is bitcoin. In fact I believe it was me who got Wei Dai’s b-money reference added to Satoshi’s bitcoin paper when he emailed me about hashcash back in 2008. If like Hal Finney I’d actually tried to run the miner back then, I may too be sitting on some genesis/bootstrap era coins. Alas I own not a single bitcoin which is kind of ironic as the actual bitcoin mining is basically my hashcash invention.

  37. Which is a comforting lie scammers tell themselves and others to blame the victim—‘really, the victim deserved it, you can’t cheat an honest man!’—and which makes for funner fictional (ie. ‘not true’) stories. But I think the sordid reality looks more like simply good people being ripped off as they lose their life savings because they aren’t specialists in an area and trusted an expert. I think it’s relatively rare that you get a complicated setup like this scam, or like the Madoff scam in which people assumed Madoff was simply frontrunning the people he was trading for; although now that I think about it, only the savviest investors with Madoff understood the sheer impossibility of his returns and concluded he was scamming by frontrunning, most of the people who gave him money were just ordinary middle-upper-class folks.↩︎