Bitcoin Is Worse Is Better

2011 essay on how Bitcoin’s long gestation and early opposition indicates it is an example of the ‘Worse is Better’ paradigm in which an ugly complex design with few attractive theoretical properties compared to purer competitors nevertheless successfully takes over a niche, survives, and becomes gradually refined.
computer-science, cryptography, Bitcoin, design
2011-05-27 to 2018-11-21; finished; certainty: likely; importance: 8

The genius of Bitcoin, in inventing a digital currency successful in the real world, is not in creating any new abstruse mathematics or cryptographic breakthrough, but in putting together decades-old pieces in a semi-novel but extremely unpopular way. Everything Bitcoin needed was available for many years, including the key ideas.

However, the sacrifice Bitcoin makes to achieve decentralization is, however practical, a profoundly ugly one. Early reactions to Bitcoin by even friendly cryptographers & digital currency enthusiasts were almost uniformly extremely negative, and emphasized the (perceived) inefficiency & (relative to most cryptography) weak security guarantees. Critics let ‘perfect be the enemy of better’ and did not perceive Bitcoin’s potential. However, in an example of ‘Worse is Better’, the ugly inefficient prototype of Bitcoin successfully created a secure decentralized digital currency, which can wait indefinitely for success, and this was enough to eventually lead to adoption, improvement, and growth into a secure global digital currency.

What is the great accomplishment of the idea of Bitcoin? In discussing Bitcoin’s recent rise to $8/₿ in 2011 (about $10 inflation-adjusted), many have been wondering who is the real man under the Satoshi Nakamoto mask; a hard question: how many genius libertarian cryptographers are there? But the interesting thing is, Satoshi could be anybody, and I believe this gives us an interesting clue to how Bitcoin has been able to bootstrap itself from nothing.

Satoshi could be anybody: Bitcoin involves no major intellectual breakthroughs of a mathematical or cryptographic kind, so Satoshi need have no credentials in cryptography, and could be nothing more than a self-taught programmer!


Satoshi published the first public version of his white paper on 2008-11-01 after earlier private discussions1, and it was further edited afterwards; but if you look at the cryptography that makes up Bitcoin, it can be divided into:

  • Public key cryptography2

  • Cryptographic signatures

  • Cryptographic hash functions

  • Hash chain used for proof-of-work

    1. Hash tree
    2. Bit gold
  • cryptographic time-stamps

  • resilient peer-to-peer networks


“So the first answer to Why Now? is simply ‘Because it’s time.’ I can’t tell you why it took as long for weblogs to happen as it did, except to say it had absolutely nothing to do with technology. We had every bit of technology we needed to do weblogs the day launched the first -capable browser. Every single piece of it was right there. Instead, we got . Why did we get Geocities and not weblogs? We didn’t know what we were doing.”

(, 2003)

The interesting thing is that all the pieces were in place for at least 8 years before Satoshi’s publication, which was followed more than half a year later3 by the first public4 prototype. If we look at the citations in the whitepaper and others, and then order the relevant technologies by year in descending order:

  1. 2001: finalized
  2. 1999–present: (PBFT etc.)
  3. 1999–present: (excluding early networks like or ; MojoNation & , , , , , etc.)
  4. 1998: Wei Dai, B-money5
  5. 1997: ; 19986: Nick Szabo, Bit Gold; ~2000: MojoNation/BitTorrent; ~2001–2003, Karma, etc
  6. 1992–1993: Proof-of-work for spam7
  7. 1991:
  8. 1980: 8
  9. 1979:

This lack of novelty is part of the appeal: the fewer new parts of a cryptosystem, the less danger9. All that was lacking was a Satoshi to start a Bitcoin.


But with the benefit of this hindsight, one can wonder: why this delay?10

If the idea is (relatively) easy to understand and uses basic ideas11, if it is very far from the cutting edge of cryptography12, then there’s no reason it would not be seriously tried. Certainly the of the ’90s were wildly creative, inventing everything from / to MojoNation to to (memorably depicted in ). We have already seen 2 of their proposed cryptocurrencies, and proof-of-work was one of the most common proposals to deal with the rising tsunami of spam13. Why did Bitcoin take a decade to be born? The nags at me, similar to the historical question of why England experienced the Industrial Revolution and grew to empire, and not China, which seems better equipped in every respect14. Where does ? There must be an answer. (And it may be similar to VR.15)


Is the problem one of resources? In the whitepaper, Satoshi remarks:

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

That’s fine to say in 2008, after many doublings. Would memory be a problem in the 1990s? It doesn’t have to be. The difficulty of bitcoin mining is adjustable, so the problem boils down to:

  1. disk usage

    • With a smaller hash like SHA116, the 80 bytes can be shrunk

    • 10 minutes is not graven in stone; why not 20 minutes? Right there we have halved the header overhead

    • the hash tree can be ‘garbage collected’ and shrunk17

    • it is only necessary to maintain a full hash tree if one is paranoid.

      In practice, like many programs of the era such as mail or Usenet clients, the default could simply be to hold onto the last n blocks/hashes (Satoshi estimates 12kb/day); this would consume a limited amount of disk space.

  2. network connectivity is solvable by solutions to #1

    1. A function of the existing hash tree size
    2. And frequency of new transactions

It’s worth pointing out that it’s generally expected that at some point ordinary desktop users like you or me will stop being full-fledged nodes and bitcoin miners and will instead make use of some specialist service running powerful servers of its own; in a counterfactual universe where Bitcoin was begun in the early 1990s, the changeover would simply have occurred sooner. (And with all the investment money desperately seeking a home in the first Internet bubble, it would be quite easy to start such a service regardless of the technical demands.)

Contemporary objections

As well, few of the objections to cryptocurrencies seem to have been “computers which can run it are fantastically expensive”18. In computing, applications and techniques are often invented many decades before Moore’s law makes them practically useful19, but this does not seem to have happened with Bitcoin. A similar objection obtains with patents or published papers; if Bitcoin was a known idea, where are they? I have yet to see anybody point out what patents might have deterred cryptography researchers & implementers; the answer is that there were none. Because there was no investor interest? Not that Satoshi needed investors, but there were a tremendous number of online payment services started in the ’90s, each searching for the secret sauce that would let them win ‘mindshare’ and ride ‘network effects’ to victory; again comes to mind. Even in the ’90s, when the Internet seems embryonic to us of the 2010s, there were still many millions of people on the Internet who could have used a digital cash.

So if the basic idea is accessible, and it has been usable on consumer-grade hardware for the last 20 years or so, then what’s the problem?

Cryptographers’ objections

I think it’s instructive to look at Satoshi’s ANN thread on the Cryptography newsgroup/mailing list, particularly the various early criticisms:

Nick Szabo summarizes the early reaction:

Bitcoin is not a list of cryptographic features, it’s a very complex system of interacting mathematics and protocols in pursuit of what was a very unpopular goal. While the security technology is very far from trivial, the “why” was by far the biggest stumbling block—nearly everybody who heard the general idea thought it was a very bad idea. Myself, Wei Dai, and Hal Finney were the only people I know of who liked the idea (or in Dai’s case his related idea) enough to pursue it to any significant extent until Nakamoto (assuming Nakamoto is not really Finney or Dai). Only Finney (RPOW) and Nakamoto were motivated enough to actually implement such a scheme.

As well, let’s toss in some blog posts on Bitcoin by the cryptographer Ben Laurie and by Victor Grischchenko; Laurie particularly criticizes23 the hash-contest which guarantees heavy resource consumption:

  1. “Bitcoin”
  2. “Bitcoin 2”
  3. “Bitcoin is Slow Motion”
  4. “Decentralised Currencies Are Probably Impossible: But Let’s At Least Make Them Efficient”
  5. “Bitcoin?”, Victor Grischchenko

What’s the common thread? Is there any particular fatal flaw of Bitcoin that explains why no one but Satoshi came up with it?


No! What’s wrong with Bitcoin is that it’s ugly. It is not 24. It’s clever to define your bitcoin balance as whatever hash tree is longer, has won more races to find a new block, but it’s ugly to make your network’s security depend solely on having more brute-force computing power than your opponents25, ugly to need now and in perpetuity at least half the processing power just to avoid double-spending26. It’s clever to have a P2P network distributing updated blocks which can be cheaply & independently checked, but there are tons of ugly edge cases which Satoshi has not proven (in the sense that most cryptosystems have security proofs) to be safe, and he himself says that what happens will be a “coin flip” at some points. It’s ugly to have a hash tree that just keeps growing and is going to be gigabytes and gigabytes in not terribly many years. It’s ugly to have a system which can’t be used offline without proxies and workarounds, which essentially relies on a distributed global clock27, unlike Chaum’s solution28. It’s ugly to have a system that has to track all transactions, publicly; even if one can use bitcoins anonymously with effort, that doesn’t count for much: a cryptographer has learned from incidents like and decades of successful attacks on pseudonymity29. And even if the money supply has to be fixed (a bizarre choice and more questionable than the irreversibility of transactions), what’s with that arbitrary-looking 21 million bitcoin limit? Couldn’t it have been a rounder number or at least a power of 2? (Not that the bitcoin mining is much better, as it’s a massive give-away to early adopters. may claim it doesn’t matter how bitcoins are allocated in the long run, but such a blatant bribe to early adopters rubs against the grain. Again, ugly and inelegant.) Bitcoins sent to a well-formed address whose key nobody holds are simply gone; the checksum built into an address catches typos, not mistakes. And so on.
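To make the last point concrete, here is an added example (not code from the essay or from any Bitcoin client) reproducing the legacy Base58Check address format: a version byte, a 20-byte key hash, and the first 4 bytes of a double-SHA256 over those 21 bytes, all base58-encoded. The 20-byte hashes used below are constructed placeholders; a real one is RIPEMD160(SHA256(public key)). The checksum makes a single mistyped character fail with probability about 1 − 2⁻³², which is why a client refuses to pay to a garbled address; it says nothing about whether anyone holds the key behind a well-formed one.

```python
import hashlib

# Added example, not from the essay or from any Bitcoin client. It reproduces
# the legacy Base58Check address format (version byte + 20-byte key hash +
# 4-byte truncated double-SHA256 checksum) to show what the checksum does and
# does not protect against. Key hashes used here are constructed placeholders;
# a real one is RIPEMD160(SHA256(public key)).

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_VERSION = 0x00  # mainnet pay-to-pubkey-hash addresses start with '1'


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    # each leading zero byte is carried as a leading '1' (base58 zero)
    leading = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B58:
            raise ValueError(f"character {ch!r} is not base58")
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def encode_address(version: int, key_hash: bytes) -> str:
    if len(key_hash) != 20:
        raise ValueError("key hash must be 20 bytes")
    payload = bytes([version]) + key_hash
    return b58encode(payload + sha256d(payload)[:4])


def decode_address(addr: str) -> tuple[int, bytes]:
    """Return (version, key_hash); raise ValueError if the checksum fails."""
    raw = b58decode(addr)
    if len(raw) != 25:
        raise ValueError("wrong length")
    payload, checksum = raw[:21], raw[21:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: probably a typo")
    return payload[0], payload[1:]


def is_valid_address(addr: str) -> bool:
    """True only when the address decodes and its checksum matches."""
    try:
        decode_address(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    addr = encode_address(P2PKH_VERSION, bytes(range(1, 21)))  # constructed hash
    typo = addr[:10] + ("2" if addr[10] != "2" else "3") + addr[11:]
    print(addr, is_valid_address(addr))   # well formed: accepted
    print(typo, is_valid_address(typo))   # one wrong character: rejected
    # the checksum cannot tell you nobody holds the key behind this address:
    print(encode_address(P2PKH_VERSION, bytes(20)), "is valid but unspendable")
```

The third address (twenty zero bytes) passes every check a client performs, which is exactly the failure the checksum does not cover: the coins are recorded as spendable only by a key that, to the best of anyone's knowledge, does not exist.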

The basic insight of Bitcoin is clever, but clever in an ugly compromising sort of way. Satoshi explains in an early email: The hash chain can be seen as a way to coordinate mutually untrusting nodes (or trusting nodes using untrusted communication links), and to solve the . If they try to collaborate on some agreed transaction log which permits some transactions and forbids others (as attempted double-spends), naive solutions will fracture the network and lead to no consensus. So they adopt a new scheme in which the reality of transactions is “whatever the group with the most computing power says it is”! The hash chain does not aspire to record the “true” reality or figure out who is a scammer or not; but like Wikipedia, the hash chain simply mirrors one somewhat arbitrarily chosen group’s consensus:

…It has been decided that anyone who feels like it will announce a time, and whatever time is heard first will be the official attack time. The problem is that the network is not instantaneous, and if two generals announce different attack times at close to the same time, some may hear one first and others hear the other first.

They use a proof-of-work chain to solve the problem. Once each general receives whatever attack time he hears first, he sets his computer to solve an extremely difficult proof-of-work problem that includes the attack time in its hash. The proof-of-work is so difficult, it’s expected to take 10 minutes of them all working at once before one of them finds a solution. Once one of the generals finds a proof-of-work, he broadcasts it to the network, and everyone changes their current proof-of-work computation to include that proof-of-work in the hash they’re working on. If anyone was working on a different attack time, they switch to this one, because its proof-of-work chain is now longer.

After two hours, one attack time should be hashed by a chain of 12 proofs-of-work. Every general, just by verifying the difficulty of the proof-of-work chain, can estimate how much parallel CPU power per hour was expended on it and see that it must have required the majority of the computers to produce that much proof-of-work in the allotted time. They had to all have seen it because the proof-of-work is proof that they worked on it. If the CPU power exhibited by the proof-of-work chain is sufficient to crack the password, they can safely attack at the agreed time.

The proof-of-work chain is how all the synchronisation, distributed database and global view problems you’ve asked about are solved.
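The mechanism Satoshi describes, as an added example (not code from the essay, from Satoshi's email, or from any Bitcoin client): a toy chain in which each block endorses one attack time, names its predecessor by hash, and counts only if its own SHA-256 clears a difficulty target. `select_chain` is the longest-valid-chain rule, `expected_work` is the "estimate how much CPU power was expended" step a verifier can do from the chain alone, and `race` runs the generals round by round with real hashing. The node names, hash rates per round, attack times, and the 10-bit difficulty (6 blocks rather than the email's 12) are all made up to keep the run to a few thousand hashes.

```python
import hashlib
from dataclasses import dataclass

# Added example; not code from the essay, from Satoshi's email, or from any
# Bitcoin client. A toy of the "generals" description quoted above: a block
# endorses a proposal, carries the hash of its predecessor, and is valid only
# if its own hash clears a difficulty target. Node names, hash rates and
# attack times below are made up.

BITS = 10  # leading zero bits a block hash must show; toy difficulty


@dataclass(frozen=True)
class Block:
    prev: str       # hex digest of the previous block, "" for the first one
    proposal: str   # the attack time this block endorses
    nonce: int

    def digest(self) -> str:
        payload = f"{self.prev}|{self.proposal}|{self.nonce}".encode()
        return hashlib.sha256(payload).hexdigest()


def meets_target(digest_hex: str, bits: int = BITS) -> bool:
    """True when the hash has at least `bits` leading zero bits."""
    return int(digest_hex, 16) >> (256 - bits) == 0


def tip(chain: list[Block]) -> str:
    return chain[-1].digest() if chain else ""


def try_mine(chain: list[Block], proposal: str, nonce: int, bits: int = BITS):
    """One hash attempt on top of `chain`; returns the block or None."""
    block = Block(tip(chain), proposal, nonce)
    return block if meets_target(block.digest(), bits) else None


def mine_chain(proposal: str, n_blocks: int, bits: int = BITS) -> list[Block]:
    """Grind nonces from 0 until `n_blocks` linked valid blocks exist."""
    chain: list[Block] = []
    while len(chain) < n_blocks:
        nonce = 0
        while (block := try_mine(chain, proposal, nonce, bits)) is None:
            nonce += 1
        chain.append(block)
    return chain


def validate_chain(chain: list[Block], bits: int = BITS) -> bool:
    """Each block links to its predecessor and clears the target."""
    prev = ""
    for block in chain:
        if block.prev != prev or not meets_target(block.digest(), bits):
            return False
        prev = block.digest()
    return True


def expected_work(chain: list[Block], bits: int = BITS) -> int:
    """Hashes a verifier can infer were spent: about 2**bits per block."""
    return len(chain) * 2 ** bits


def select_chain(chains: list[list[Block]], bits: int = BITS) -> list[Block]:
    """Satoshi's rule: the longest valid chain is the truth, whatever it says."""
    valid = [c for c in chains if validate_chain(c, bits)]
    return max(valid, key=len)  # on a tie, keep the first one seen


def race(powers: dict[str, int], proposals: dict[str, str],
         n_blocks: int, bits: int = BITS) -> list[Block]:
    """Each round every node hashes `powers[name]` times on its own tip,
    endorsing whatever proposal its tip already carries (its own proposal
    on an empty chain), then adopts any strictly longer chain it hears of.
    Returns the chain once all nodes hold the same one of >= n_blocks."""
    chains = {name: [] for name in powers}
    nonces = {name: i * 10**6 for i, name in enumerate(powers)}  # disjoint search
    while True:
        for name, power in powers.items():
            chain = chains[name]
            vote = chain[-1].proposal if chain else proposals[name]
            for _ in range(power):
                found = try_mine(chain, vote, nonces[name], bits)
                nonces[name] += 1
                if found is not None:
                    chains[name] = chain + [found]
                    break
        best = select_chain(list(chains.values()), bits)
        for name in chains:
            if len(best) > len(chains[name]):
                chains[name] = best
        if len(best) >= n_blocks and all(c == best for c in chains.values()):
            return best


if __name__ == "__main__":
    honest = mine_chain("06:00", 3)
    attacker = mine_chain("09:00", 4)  # more work behind a different "truth"
    print("longest-chain rule picks:", select_chain([honest, attacker])[-1].proposal)
    print("work a verifier infers:", expected_work(attacker), "hashes")
    agreed = race({"A": 48, "B": 16}, {"A": "06:00", "B": "09:00"}, n_blocks=6)
    print("generals settle on", agreed[-1].proposal, "after", len(agreed), "blocks")
```

The first two lines of the demo are the essay's "ugly" point in miniature: `select_chain` has no notion of which attack time was announced first or which side is honest, only of which chain carries more work, so a 4-block chain for the later time beats a 3-block chain for the earlier one. `race` shows the convergence Satoshi describes; rerun it with the hash rates swapped or split three ways to see that the outcome tracks computing power, not the order of announcements.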

How Worse is Better

In short, Bitcoin is a perfect example of ‘Worse is Better’ (original essay). You can see the tradeoffs that Richard P. Gabriel enumerates: Bitcoin has many edge cases; it lacks many properties one would desire for a cryptocurrency; the whitepaper is badly under-specified; much of the behavior is socially determined by what the miners and clients collectively agree to accept, not by the protocol; etc.

The worse-is-better philosophy is only slightly different: […]

  • Completeness—the design must cover as many important situations as is practical. All reasonably expected cases should be covered. Completeness can be sacrificed in favor of any other quality. In fact, completeness must be sacrificed whenever implementation simplicity is jeopardized. Consistency can be sacrificed to achieve completeness if simplicity is retained; especially worthless is consistency of interface.

…The MIT guy did not see any code that handled this [edge] case and asked the New Jersey guy how the problem was handled. The New Jersey guy said that the Unix folks were aware of the problem, but the solution was for the system routine to always finish, but sometimes an error code would be returned that signaled that the system routine had failed to complete its action. A correct user program, then, had to check the error code to determine whether to simply try the system routine again. The MIT guy did not like this solution because it was not the right thing… It is better to get half of the right thing available so that it spreads like a virus. Once people are hooked on it, take the time to improve it to 90% of the right thing.

Guarantees of Byzantine resilience? Loosely sketched out and left for future work. Incentive-compatible? Well… maybe. Anonymity? Punted on in favor of pseudonymity; maybe someone can add real anonymity later. Guarantees of transactions being finalized? None, the user is just supposed to check their copy of the blockchain. Consistent APIs? Forget about it, there’s not even a standard, it’s all implementation-defined (if you write a client, it’d better be “bugward compatible” with Satoshi’s client). Moon math? Nah, it’s basic public-key crypto plus a lot of imperative stack-machine bit-twiddling. Space efficiency? A straightforward blockchain and on-disk storage takes priority over any fancy compression or data-structure schemes. Fast transactions? You can use zero-conf, and if that’s not good enough for buying coffee, maybe someone can come up with something using the smart contract features. And so on.

But for all the issues, it seems to work. Just like Unix, there were countless ways to destroy your data or crash the system, which didn’t exist on more ‘proper’ OSs like , and there were countless lacking features compared to systems like or the OSs. But like the proverbial cockroaches, Unix spread, networked, survived, and the rest did not.30 And as it survives and evolves gradually, it slowly becomes what it “should” have been in the first place. Or HTML31 vs .

Paul Ford in 2013 has stumbled onto a similar view of Bitcoin:

The Internet is a big fan of the worst-possible-thing. Many people thought Twitter was the worst possible way for people to communicate, little more than discourse abbreviated into tiny little chunks; Facebook was a horrible way to experience human relationships, commodifying them into a list of friends whom one pokes. The Arab Spring changed the story somewhat. (BuzzFeed is another example—let them eat cat pictures.) One recipe for Internet success seems to be this: Start at the bottom, at the most awful, ridiculous, essential idea, and own it. Promote it breathlessly, until you’re acquired or you take over the world. Bitcoin is playing out in a similar way. It asks its users to forget about central banking in the same way Steve Jobs asked iPhone users to forget about the mouse.

But he lacks the “worse is better” paradigm (despite being a programmer) and doesn’t understand how Bitcoin is the worst-possible-thing. It’s not the decentralized aspect of Bitcoin, it’s how Bitcoin is decentralized: a cryptographer would have difficulty coming up with Bitcoin because the mechanism is so ugly and there are so many elegant features he wants in it. Programmers and mathematicians often speak of “taste”, and how it leads one to better solutions. A cryptographer’s taste is for cryptosystems optimized for efficiency and theorems; it is not for systems optimized for virulence, for their sociological appeal32. Centralized systems are natural solutions because they are easy, like the integers are easy; but as the integers are but a vanishingly small subset of the reals, so too are centralized systems a tiny subset of decentralized ones33. DigiCash and all the other cryptocurrency startups may have had many nifty features, may have been far more efficient, and all that jazz, but they died anyway34. They had no communities, and their centralization meant that they fell with their corporate patrons. They had to win in their compressed timeframe or die out completely. But “that is not dead which can eternal lie”. And the race may not go to the swift, as Hal Finney also pointed out early on:

Every day that goes by and Bitcoin hasn’t collapsed due to legal or technical problems, that brings new information to the market. It increases the chance of Bitcoin’s eventual success and justifies a higher price.

It may be that Bitcoin’s greatest virtue is not its deflation, nor its microtransactions, but its viral distributed nature; it can wait for its opportunity. “If you sit by the bank of the river long enough, you can watch the bodies of your enemies float by.”

Objection: Bitcoin is not Worse, it’s Better

Nick Szabo and Zooko Wilcox-O’Hearn disagree strongly with the thesis that “Bitcoin is Worse is Better”. They contend that while there may be bad parts to Bitcoin, there is a novel core idea which is actually very clever: the hash chain is a compromise which thinks outside the box and gives us a sidestep around classic problems of distributed computing, which gives us something similar enough to a trustworthy non-centralized authority that we can use it in practice.

Gwern’s post fails to appreciate the technical advances that BitCoin originated. I have been trying, off and on, to invent a decentralized digital payment system for fifteen years (since I was at DigiCash). I wasn’t sure that a practical system was even possible, until BitCoin was actually implemented and became as popular as it has. Scientific advances often seem obvious in retrospect, and so it is with BitCoin.35

Nick Szabo thinks that the main blocking factors were:

  1. ideological beliefs about the nature of money (liberals not interested in non-state currencies, and Austrians believing that currencies must have intrinsic value)
  2. obscurity of bit gold-like ideas
  3. “requiring a proof-of-work to be a node in the Byzantine-resilient peer-to-peer system to lessen the threat of an untrustworthy party controlling the majority of nodes and thus corrupting a number of important security features”
  4. some simplification (not markets for converting “old” & harder-to-mine bitcoins to “new” & easier-to-mine bitcoins, but a changing network-wide consensus on how hard bitcoins must be to mine)

My own belief is that #1 is probably an important factor but questionable, since the core breakthrough is applicable to all sorts of other tasks like secure global clocks or timestamping or domain names; #2 is irrelevant, as all digital cryptographic currency ideas are obscure (to the point where, for example, Satoshi’s whitepaper does not cite bit gold but only b-money, yet Wei Dai does not believe his b-money actually influenced Bitcoin at all36!); and #3–4 are minor details which cannot possibly explain why Bitcoin has succeeded to any degree while ideas like bit gold languished.

See Also


Irreversible transactions: meta-scams

The irreversibility of Bitcoin transactions makes for some unusual dynamics in exchanges, along with the entire altcoin ecosystem (probably the most interesting altcoin scam to me was the Bytecoin scam+anonymity innovation). I learned of an interesting example in May 2013, when a Reddit post introduced me to a Tor hidden site which offers you double your money back if you send it some bitcoins. A scam, right? Well, it is a scam, but it’s not quite the scam it looks like…

To start, there is a comment from someone claiming that they tried it and the way the scam worked was that it doubled your money the first time you sent it some bitcoins, but then kept anything you sent it subsequently; the idea being that the first transaction will be a ‘test’ by suspicious users, who will then send a ‘real’ transaction which can be stolen in toto. Specifically:

Oh dude. I actually tried this like 5 Days ago. I sent 0.5btc and got one back, so technically it works. However, when I sent my 1btc back (and emailed the guy about it) he kept it and didn’t respond at all. So it’s a scam, obviously, but the way it works is kind of interesting in that it actually works the first time, to lure you in and send even more. EDIT: I SHOULD PROBABLY ADD: DON’T SEND MONEY TO THIS GUY

This is reasonable enough: ponzis are careful to allow withdrawals early on, and runners of ponzis, like the classic 2006 “Currin trading” ponzi scheme (part 1, 2), record how people would do 1 or 2 test transactions and then deposit large ‘real’ sums with the ponzi.

Except… the person claiming it worked for them is an unused account, and so are the people expressing skepticism of him! It gets more interesting when you note that the scam as claimed is trivially exploitable (or scammed) by anyone who knows how it works (send a large amount the first transaction, and never send again), and more interesting still when you remember that Bitcoin transactions are public, so the first commenter could have partially proven that the scam worked as they claimed, yet has not provided any evidence despite being challenged to do so and given 9 days’ grace; and finally, we see 2 Redditors sending in token amounts and claiming they received nothing back.

So what are we looking at here? I can’t know this for sure, but this is what I think is going on.

We are looking at a meta scam: the scam is that you think it’s a scam that you can scam, but you get scammed as you try to scam the scam. The original scammer puts up a scam website, makes 4 shill accounts to claim it works and lay out the rules (send it X, it sends you 2X back, and then the second time it keeps your money when you presumably sent it 2X+Y), but actually, the site simply keeps any money sent to it, and so the people who planned to scam the scam wind up being scammed.

If we think of deception as having levels, this is a little confusing; but the site will either return your money or not. The first level is that the site works as it claims: it returns your money, it doubles any money you send it. (This is understood by anyone who can read the page.) The second level is that level 1 is a lie: it does not return your money, it simply steals any money you send it. (This is understood by anyone with a brain who has read the page.) However, then we get to a third level: level 2 is not quite right, the site will either return your money or not, depending on how many transactions you’ve done; the site is a scam which will steal your money, but it will do so only after 1 successful transaction. (Understood by anyone who reads the Reddit comments and blindly trusts them.) The fourth level, the level originally above mine until I became more suspicious, is that level 3 is a lie too, and actually, level 2 was the real truth: the site simply steals your money.

Phew! How fascinating! Honestly, I almost feel like sending the dude a buck or two just for implementing such an interesting little scam for me to think about, although he could’ve done it a bit better and shuffled some bitcoins around on the blockchain 7 days in advance to match his shill account’s claims. (He didn’t invent the meta-scam, however, since it seems to have precedents like in Runescape as the “doubling money scam”.)

An even more recent (2018) -based scam exploits Ethereum’s ‘gas’ transaction fees and smart contracts: the scammer pretends to accidentally post publicly in a chat room his private key to an address with a large amount of some asset in it and a smart contract, but the address happens to have insufficient ‘gas’ to allow immediate withdrawal; everyone stampeding to withdraw the asset has to send some gas to the address first to unlock it… except that the smart contract, which they didn’t have time to inspect closely, merely receives all gas deposits & immediately transfers them away to another account, so everyone who sends gas loses it and the original assets remain in place.

So in a way, this scam embodies the old saw “you can’t cheat an honest man”37. Well, of course in the real world honest men get cheated all the time, so I prefer to think of it as :

‘Nash equilibrium strategy’ is not necessarily synonymous to ‘optimal play’. A Nash equilibrium can define an optimum, but only as a defensive strategy against stiff competition. More specifically: Nash equilibria are hardly ever maximally exploitative. A Nash equilibrium strategy guards against any possible competition including the fiercest, and thereby tends to fail taking advantage of sub-optimum strategies followed by competitors. Achieving maximally exploitative play generally requires deviating from the Nash strategy, and allowing for defensive leaks in one’s own strategy.

  1. was reg­is­tered 2008-08-18, so pre­sum­ably Satoshi had been de­vel­op­ing the bit­coin idea at least as early as 2008. He refers to work­ing on it ear­lier than that, but the ear­li­est draft of the Bit­coin whitepa­per ap­pears to have been cir­cu­lated pri­vately some­time be­fore .↩︎

  2. Al­though Bon­neau & Miller 2014 de­scribe a cryp­tocur­rency de­sign us­ing just cryp­to­graphic hash func­tions (with com­mit-and-re­veal) with­out any need for pub­lic key cryp­tog­ra­phy and point­edly note that “Bit­coin it­self is some­thing of a cu­rios­ity from an aca­d­e­mic stand­point in that it was dis­cov­ered decades after the req­ui­site cryp­to­graphic prim­i­tives were avail­able. Our work shows that it was in fact pos­si­ble even be­fore the dis­cov­ery of pub­lic-key cryp­tog­ra­phy.”↩︎

  3. The first re­vi­sion in the Github repos­i­tory is dated Au­gust 2009 by sirius-m.↩︎

  4. Satoshi claims that be­fore he write the whitepa­per, he wrote a pro­to­type.↩︎

  5. In the same vein of ‘the net­work is a third party which keeps a copy of all signed trans­ac­tions’, you could in­clude Ian Grig­g’s 2005 pa­per “Triple En­try Ac­count­ing”.↩︎

  6. I had a hard time fig­ur­ing out when bit gold was first thought of; Sz­abo kindly blogged that he had writ­ten about it in 1998 on a pri­vate mail­ing list

    Here are some more spe­cific rea­sons why the ideas be­hind Bit­coin were very far from ob­vi­ous: (1) only a few peo­ple had read of the bit gold ideas, which al­though I came up with them in 1998 (at the same time and on the same pri­vate mail­ing list [libtech) where Dai was com­ing up with b-money—it’s a long sto­ry) were mostly not de­scribed in pub­lic un­til 2005, al­though var­i­ous pieces of it I de­scribed ear­lier, for ex­am­ple the cru­cial Byzan­ti­ne-repli­cated chain-of-signed-trans­ac­tions part of it which I gen­er­al­ized into what I call se­cure prop­erty ti­tles.

  7. “Pric­ing via Pro­cess­ing, Or, Com­bat­ing Junk Mail”, , Dwork 1993, pub­lished in CRYPTO’92.↩︎

  8. This is Satoshi’s ci­ta­tion date; Diffie-Hell­man, the , was in 1976, not 1980.↩︎

  9. In cryp­tog­ra­phy, new parts are guilty un­til proven in­no­cent. Hun­dreds of past sys­tems have been bro­ken, some­times after decades of study & use.↩︎

  10. Another person or group to ask this same question is Barber et al 2012 (although this essay was posted in early 2011, so Barber et al 2012 may not be entirely independent):

    Despite some pessimists’ critiques and disbelief, Bitcoin has admittedly witnessed enormous success since its invention. To the security and cryptographic community, the idea of digital currency or electronic cash is by no means new. As early as 1982, Chaum has outlined his blueprint of an anonymous e-cash scheme in his pioneering paper [10]. Ever since then, hundreds of academic papers have been published to improve the efficiency and security of e-cash constructions—to name a few, see [15, 8, 9]. Naturally, an interesting question arises: Despite three decades’ research on e-cash, why have e-cash schemes not taken off, while Bitcoin—a system designed and initially implemented possibly single-handedly by someone previously unknown, a system that uses no fancy cryptography, and is by no means perfect—has enjoyed a swift rise to success?

    …Bitcoin has a completely distributed architecture, without any single trusted entity. Bitcoin assumes that the majority of nodes in its network are honest, and resorts to a majority vote mechanism for double spending avoidance, and dispute resolution. In contrast, most e-cash schemes require a centralized bank who is trusted for purposes of e-cash issuance, and double-spending detection. This greatly appeals to individuals who wish for a freely-traded currency not in control by any governments, banks, or authorities—from libertarians to drug-dealers and other underground economy proponents

    …Incentives and economic system. Bitcoin’s eco-system is ingeniously designed, and ensures that users have economic incentives to participate. First, the generation of new bitcoins happens in a distributed fashion at a predictable rate: “bitcoin miners” solve computational puzzles to generate new bitcoins, and this process is closely coupled with the verification of previous transactions. At the same time, miners also get to collect optional transaction fees for their effort of vetting said transactions. This gives users clear economic incentives to invest spare computing cycles in the verification of Bitcoin transactions and the generation of new Bitcoins. At the time of writing the investment of a GPU to accelerate Bitcoin puzzle solution can pay for itself in ~6 months…the earlier in the game, the cheaper the coins minted.

  11. I am only a layman with an interest in cryptography, but I am not alone in seeing this lack of really novel primitives or ideas in the Bitcoin scheme; Ben Laurie expresses exactly this idea in an aside in a blog post attacking Bitcoin:

    A friend alerted me to a sudden wave of excitement about Bitcoin. I have to ask: why? What has changed in the last 10 years to make this work when it didn’t in, say, 1999, when many other related systems (including one of my own) were causing similar excitement? Or in the 20 years since the wave before that, in 1990? As far as I can see, nothing.

  12. One thinks of the formidable mathematical difficulties surrounding the area of where one would expect any breakthrough to be from a bona fide genius, or at least a credentialed expert.↩︎

  13. Although ironically, proof-of-work never seemed to go into widespread use because of general inertia and because, to deter large amounts of spam, proof-of-work would also deter legitimate users under some models.

    Spam seems to have been kept in check by better filtering techniques (eg. ’s “A Plan for Spam” using ) and against botnets & spammers.↩︎

  14. For more on that history, see Wikipedia on , , the ; I recommend Gregory Clark’s A Farewell to Alms.↩︎

  15. “Voices From A Virtual Past: An oral history of a technology whose time has come again” (2014):

    Palmer Luckey: I spent a huge amount of time reading through basically every single published piece of literature on VR. I think that there were a lot of people that were giving VR too much credit, because they were working as VR researchers. You don’t want to publish a paper that says, “After the study, we came to the conclusion that VR is useless right now and that we should just not have a job for 20 years.” There were a few people that basically came to that conclusion. They said, “Current VR gear is low field of view, high lag, too expensive, too heavy, can’t be driven properly from consumer-grade computers, or even professional-grade computers.” It turned out that I wasn’t the first person to realize these problems. They’d been known for decades.

    Here’s a secret: the thing stopping people from making good VR and solving these problems was not technical. Someone could have built the Rift in mid-to-late 2007 for a few thousand dollars, and they could have built it in mid-2008 for about $647$5002008. It’s just nobody was paying attention to that.

  16. SHA-1, as of 2011, had not been cracked; it was defeated in 2017.↩︎

  17. My understanding is that simply no one has bothered to program this functionality since 400MB is not that much space.↩︎

  18. Or rather, the objections were that cryptocurrencies had to be mobile—usable on the contemporary PDAs and cellphones, with the computing power of a watch.↩︎

  19. and most of artificial intelligence (or machine learning in particular) seem to have waited decades for sufficiently fast hardware. Indeed, I sometimes feel that entire career has essentially been sketching out what he could do if only he had some decent cheap hardware.↩︎

  20. It probably will. Some informal projections have been made of what it would take to run millions of transactions worth trillions of dollars, and they tend to come in at comparable to the existing resource use of companies like Google (which fund their own power plants or monopolize convenient hydroelectric dams to run their datacenters).↩︎

  21. Recent criticism, too, sometimes focuses on the quality of the C++ codebase and the ad hoc nature of many of the choices; from an anonymous Facebook comment:

    The protocol is not well-defined and clearly designed by an amateur (that is, not someone who has done much protocol implementation work). It’s a binary protocol with a smattering of length-prefixing, , etc. The messages look reasonable, just a horrible encoding. The rules of the protocol are poorly defined and tightly coupled to implementation; the implementation is done by someone who feels it’s good and well to have only 5 major source files for 17 . Due to lack of a well-specified protocol, there is also a bit of client monoculture going on.

    It’s worth noting that the whole system assumes SHA-256—the bitcoin community says that rolling over to something else is just a matter of introducing a new algo, but in actuality it’s not nearly that simple. The protocol has no concept of upgrading to different algos, so it would necessitate a complete overhaul of the protocol (since there’s a lot of 32-byte fields in there) AND a re-computation/rollover of the entire transaction history. …The protocol also has had no thought put into it re: network architecture—there are peers and that’s it. Due to the cryptographic nature of transactions, it’s simply not possible to have realtime transactions with bitcoin as the network scales (it already takes 5–10 mins on average for the network to see a single transaction). Thus, there will need to be some concept of a node in the network that can facilitate interactions between two peers in a faster fashion, with the assumption of a measure of trust. You shouldn’t require it, of course, but it should be defined, I think.

    Security expert Dan Kaminsky is similarly appalled at the bandwidth requirements to scale (“:0” was his emoticon) and predicts that the Bitcoin network will eventually turn into a quasi-bank-like oligarchy of supernodes (which changes the system and “offers a host of ugly semantics” since the supernodes “don’t need 50%—just need to inconvenience 50% to accept your opinion”). He comments that while “Normal Code” seems good (“Scratch the surface, it’s actually really bad”), the Bitcoin codebase “Looks really bad up front” (but “Scratch the surface, it’s actually surprisingly good”). article’s :

    “When I first looked at the code, I was sure I was going to be able to break it”, Kaminsky said, noting that the programming style was dense and inscrutable. “The way the whole thing was formatted was insane. Only the most paranoid, painstaking coder in the world could avoid making mistakes.”…He quickly identified nine ways to compromise the system…when he found the right spot, there was a message waiting for him. “Attack Removed”, it said. The same thing happened over and over, infuriating Kaminsky. “I came up with beautiful bugs”, he said. “But every time I went after the code there was a line that addressed the problem.”…“I’ve never seen anything like it”, Kaminsky said, still in awe…“Either there’s a team of people who worked on this”, Kaminsky said, “or this guy is a genius.”

    On a technical basis, he dislikes the use of SHA-256 as opposed to slower functions like , because SHA-256 “can be accelerated massively with GPUs” leading to GPU shortages and massive hashing disparities between peers, and his slides conclude “BitCoin is actually well designed, if you accept that anonymity and scaling forces the entire present model to be shifted into something that effectively looks like banking”. He reiterated his positive impression of Bitcoin in 2013—“But the core technology actually works, and has continued to work, to a degree not everyone predicted.”—and has begun to reconsider some of his earlier criticisms about the resource demands & gradual centralization of nodes. Another testimony to the protocol’s security comes from TechCrunch:

    While researching Bitcoin, Lemon’s hired two separate teams of hackers to examine the Bitcoin source code for vulnerabilities for about a half-year. “They are arguably the best in the world. I spent a lot of time and money on the best hackers I could find and came back from that convinced that Bitcoin’s security is robust,” he said. “What they found was very, very compelling for me.”

    Bruce Schneier mentions offhandedly that “I haven’t analyzed the security, but what I have seen looks good.”↩︎

  22. Nick Szabo, discussing Chaumian ecash (“the greatest simple equation since ”), comments with almost palpable distaste of a hypothetical system akin to Bitcoin in this respect:

    A use-once-address communications mix plus forswearing any reputation gain from keeping accounts, in theory also buys us unlinkability, but a communications mix [BTC: “mixing service”; not necessarily easy] is weak and very expensive.

    The most widely known, popular, and secure communications mix is probably Tor; a number of flaws have been found in it over time, and Tor will never be very secure—it’s fundamentally difficult to impossible to have an anonymizing communications mix which is also near real-time. Some flaws can’t be removed by the Tor network, like the ability of exit nodes to snoop on traffic (as has been done many times, most memorably during the startup of ). Communications mixes are usually expensive in resources, so typically only make up a part of an overall network—and the rest of the network leaks considerable information, including .

    These are not necessarily fatal objections from a practical point of view. A simple mix or laundry may well buy one all the anonymity one needs; they can be chained to substantially reduce risks; more elaborate and secure off-blockchain laundries can be constructed using ; and finally, there is always the hope that someone will figure out how to build upon the existing pseudonymous Bitcoin system to enable genuinely anonymous and untraceable transactions (which may have been accomplished in 2013 with the proposed Zerocoin extension to the Bitcoin protocol).↩︎

  23. Perry Metzger summarizes Laurie’s approach:

    I think people have missed the more subtle point that Ben Laurie made here. Bitcoin requires the use of an unusual sort of secure consensus protocol to work reliably, and such protocols are not known to exist in this context. In the presence of such a protocol, however, there is no longer any need for mining—the system can simply elect a member to acquire a new coin every N seconds via a secure election protocol (and those are known given the rest). Thus, Ben’s point that if you’re going to have a system like bitcoin, one could at least have an efficient system of this sort rather than a stupid one based on an electrical potlatch.

  24. Not everyone agrees with me or those initial posters, though; “Bitcoins create truly democratic policy, followers say”, :

    “It’s like the Mona Lisa,” said Bruce Wagner, an IT consultant who discovered bitcoin in October and now hosts an online TV show about it. “It’s a masterpiece of technology.”

    From the New Yorker article:

    Haber is a director of the International Association for Cryptologic Research and knew all about bitcoin. “Whoever did this had a deep understanding of cryptography”, Haber said when I called. “They’ve read the academic papers, they have a keen intelligence, and they’re combining the concepts in a genuinely new way.”

    “The Rise and Fall of Bitcoin”, Wired:

    But slowly, word of bitcoin spread beyond the insular world of cryptography. It has won accolades from some of digital currency’s greatest minds. Wei Dai, inventor of b-money, calls it “very significant”; Nick Szabo, who created bit gold, hails bitcoin as “a great contribution to the world”; and Hal Finney, the eminent cryptographer behind RPOW, says it’s “potentially world-changing.”…Stefan Brands, a former ecash consultant and digital currency pioneer, calls bitcoin “clever”…

    More recently, Wei Dai has said:

    …it involved major technical and conceptual/philosophical advances on the existing state of the art, and these advances didn’t originate from nor was likely funded/supported by academia, government or industry. Also, its social impact seems larger—if Craigslist or PayPal didn’t exist, something essentially identical would have been created very soon anyway, but if Bitcoin didn’t exist, another Bitcoin may not have been created for another decade, and/or may have been created with very different characteristics, for example it might have been coded with a monetary policy that emphasized price stability instead of a fixed supply of money.

  25. Computing power is useful because it’s impossible to fake: you either can regularly bruteforce a hash or you cannot, assuming the hash is still secure. But strictly speaking there are other possible unfakeable properties which future digital cryptographic currencies may use; Szabo lists 3 others:

    Canonically Byzantine agreement assumed each node had a secure true-name identity, but because privacy is a desideratum, and because it would be very difficult to implement such a secure identity system on the Internet, we have to use some characteristic of users provable within the Bitcoin or bit gold system to weigh Byzantine “votes”. I’ve now come up with a list of provable attributes in Bitcoin (or bit gold) by which message correctness “votes” might be weighed:

    • proof-of-work/mining effort (what Bitcoin currently does)
    • value or number of coins or solution bits owned by key
    • number or value of transactions as payor, payee, or both by a key
    • number or value of transactions weighted by how recent they are
    • various combinations of the above

    This is an incomplete list, especially if we add new attributes. One of the general ideas here is to weigh Byzantine “voting” towards those with more experience in the system, making a novel invasion more difficult. However in a currency there should also be a balance between various stakeholders (holders, creditors, and debtors). Since Bitcoin- or bit gold-denominated contracts generally exist outside the system, one would have to, at the very least, publicly register those contracts signed by the parties’ keys for creditor or debtor status to be provable.

    One proposed scheme for Bitcoin is Proof of Stake:

    With Proof of Work, the probability of mining a block depends on the work done by the miner (e.g. CPU/GPU cycles spent checking hashes). With Proof of Stake, the resource that’s compared is the amount of Bitcoin a miner holds—someone holding 1% of the Bitcoin can mine 1% of the “Proof of Stake blocks”….Each block must be signed by its miner using a single bitcoin account. The account used to sign a block must also be the recipient of txn fees and generation from this block. Blocks are mined by proof-of-work hashing as before, but with modified difficulty criteria. The difficulty criterion for block validity is modified as follows: Hash generates valid block if and only if

    Hash Difficulty >= Difficulty Target / ( max(Coin-confirmations used to sign block, 100 satoshi-confirmations) )^( p / (1-p))

    where 0 <= p < 1. Stake becomes more and more important as p approaches 1. p = 0.8 is suggested as an appropriate choice. p = 0 is identical to the current proof-of-work system. If the block is signed by a bitcoin account holding less than 100 satoshi-confirmations, this is treated as if the account held 100 satoshi-confirmations. Thus non-stakeholders are allowed to verify blocks, but relative to stakeholders they must meet extremely stringent difficulty criteria. Permitting non-stakeholders to verify blocks solves the initial distribution problem. As before the Difficulty Target is a periodically adjusted constant which is set to maintain a target generation rate of 1 block every 10 minutes.
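    The quoted difficulty rule, worked through as an added example (my code, not the proposal’s or this essay’s): it implements the per-signer threshold with the 100 satoshi-confirmation floor and a toy miner, and checks that p = 0 collapses to plain proof-of-work while at p = 0.8 a 10,000-confirmation holder faces a threshold 10^8 times easier than a non-stakeholder. The double-SHA-256 header hash, the reading of “Hash Difficulty” as 2^256 divided by the hash value, and every name and sample value below are my assumptions, not the proposal’s.

```python
import hashlib

# Floor from the quoted proposal: a signer holding fewer than 100
# satoshi-confirmations is treated as holding exactly 100.
MIN_STAKE = 100.0


def required_difficulty(difficulty_target: float, coin_confirmations: float, p: float) -> float:
    """Difficulty a block's hash must reach for a given signer, per the quoted rule:
    Difficulty Target / max(coin-confirmations, 100) ** (p / (1 - p)).
    p = 0 reproduces plain proof-of-work; as p approaches 1, stake dominates."""
    if not 0.0 <= p < 1.0:
        raise ValueError("p must satisfy 0 <= p < 1")
    stake = max(float(coin_confirmations), MIN_STAKE)
    return difficulty_target / stake ** (p / (1.0 - p))


def hash_difficulty(block_header: bytes) -> float:
    """Difficulty actually achieved by a header (assumption: 2**256 divided by the
    double-SHA-256 value, so a smaller hash means a larger, rarer difficulty).
    Always >= 1.0, because the hash value is at most 2**256 - 1."""
    digest = hashlib.sha256(hashlib.sha256(block_header).digest()).digest()
    return 2.0 ** 256 / (int.from_bytes(digest, "big") + 1)


def block_is_valid(block_header: bytes, difficulty_target: float,
                   coin_confirmations: float, p: float) -> bool:
    """The proposal's validity criterion: Hash Difficulty >= the signer's threshold."""
    return hash_difficulty(block_header) >= required_difficulty(
        difficulty_target, coin_confirmations, p)


def mine(header_prefix: bytes, difficulty_target: float, coin_confirmations: float,
         p: float, max_nonce: int = 2_000_000):
    """Brute-force a 4-byte nonce until the header satisfies the signer's threshold.
    Returns (nonce, attempts), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        header = header_prefix + nonce.to_bytes(4, "little")
        if block_is_valid(header, difficulty_target, coin_confirmations, p):
            return nonce, nonce + 1
    return None


# Constructed sample input: a toy header prefix, and a difficulty target chosen so
# that a non-stakeholder (clamped to 100) needs about 4096 hash attempts at p = 0.8.
SAMPLE_PREFIX = b"constructed-prev-hash|constructed-merkle-root|"
P = 0.8                               # exponent p / (1 - p) = 4
TARGET = 4096.0 * MIN_STAKE ** 4      # 4096 * 1e8


def stake_advantage(rich_stake: float, poor_stake: float, p: float = P) -> float:
    """How many times easier the richer signer's threshold is than the poorer one's."""
    return (required_difficulty(TARGET, poor_stake, p)
            / required_difficulty(TARGET, rich_stake, p))


if __name__ == "__main__":
    print("non-stakeholder threshold:", required_difficulty(TARGET, 1, P))
    print("10,000-confirmation holder:", required_difficulty(TARGET, 10_000, P))
    print("advantage of the holder:", stake_advantage(10_000, 1))      # ~1e8
    print("holder mines at:", mine(SAMPLE_PREFIX, TARGET, 10_000, P))  # (0, 1)
    print("non-stakeholder mines at:", mine(SAMPLE_PREFIX, TARGET, 1, P))
```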

  26. “Decentralised Currencies Are Probably Impossible: But Let’s At Least Make Them Efficient”, Ben Laurie:

    Now that we understand the core problem, namely that of agreement, we can quite easily understand Bitcoin’s solution to the problem. Bitcoin defines the consensus group as “all the computing power in existence”, and requires participants to prove their possession of whatever fraction of this power they care to spend on Bitcoin by using it to produce proof-of-work tokens. And once we state the problem like this, we can quite clearly see the flaw. Until at least half of the computing power in existence is actually used to produce Bitcoins, we cannot know that we have consensus! If, for example, 1% of the total power available [Strictly, I mean energy rather than power, since Bitcoin actually, in effect, sums power over time.] is used to produce Bitcoins at present (in fact, the amount is far less than that), then at any point someone could come along with a further 1.1% of the total power and use this to define their own consensus [By forking history right back to the first block, and producing a hash chain that is longer than the current consensus.], thus invalidating all the work, and all the money, of the initial group, and instead take possession of the entire currency for themselves.

    …Even worse, it is clear that arriving at the equilibrium state for Bitcoin is incredibly expensive: half of all the computing power in existence must be burnt, in perpetuity, maintaining agreement about the current state of the currency. It is also unknowable: we can never be sure that we actually are burning half of all the power in existence, because we do not know how much power exists.

    Laurie points out that in practice, the Bitcoin community does depend on a centralized authority which periodically passes down ‘blessed’ block-chains—the Bitcoin developers periodically hardwire known-good states of the block-chain into the clients (which of course is a theoretical weakness).↩︎

  27. Zooko Wilcox O’Hearn, 2013-04-05 (in hidden comments):

    …I recall upon first hearing about Bitcoin, losing interest in it for precisely one of those “ugliness” issues that you cite: it depended on (what was described as) globally synchronized clocks, which I had a negative emotional reaction to.

  28. Chaum pays a price for his systems’ ability to work offline / without directly processing transactions. Don’t take my word for it; see in section 12.6.6 of his early ’90s (not to be confused with ):

    …Chaum went to great lengths to develop systems which preserve anonymity for single-spending instances, but which break anonymity and thus reveal identity for double-spending instances. I’m not sure what market forces caused him to think about this as being so important, but it creates many headaches. Besides being clumsy, it requires physical ID, it invokes a legal system to try to collect from “double spenders”, and it admits the extremely serious breach of privacy by enabling stings. For example, Alice pays Bob a unit of money, then quickly Alice spends that money before Bob can…Bob is then revealed as a “double spender,” and his identity revealed to whomever wanted it…Alice, IRS, Gestapo, etc. A very broken idea. Acceptable mainly for small transactions.

    • Multi-spending vs. on-line clearing

      • I favor on-line clearing. Simply put: the first spending is the only spending. The guy who gets to the train locker where the cash is stored is the guy who gets it. This ensures that the burden of maintaining the secret is on the secret holder.
      • When Alice and Bob transfer money, Alice makes the transfer, Bob confirms it as valid (or verifies that his bank has received the deposit), and the transaction is complete.
      • With network speeds increasing dramatically, on-line clearing should be feasible for most transactions. Off-line systems may of course be useful, especially for small transactions, the ones now handled with coins and small bills.

    Further contemporary description can be found in a declassified June 1996 NSA review, “How to make a mint: the cryptography of anonymous electronic cash”.↩︎

  29. For example, see some of the most recent research I linked in Death Note: L, Anonymity & Eluding Entropy.↩︎

  30. , which contains many entertaining and often still-applicable descriptions of the fecklessness and sharp edges of Unixes, also contains an extremely funny ‘Anti-Foreword’ by Dennis Ritchie:

    To the contributors to this book: I have succumbed to the temptation you offered in your preface: I do write you off as envious malcontents and romantic keepers of memories. The systems you remember so fondly (, , , , , the Dorado) are not just out to pasture, they are fertilizing it from below…You claim to seek progress, but you succeed mainly in whining. Here is my metaphor: your book is a pudding stuffed with apposite observations, many well-conceived. Like excrement, it contains enough undigested nuggets of nutrition to sustain life for some. But it is not a tasty pie: it reeks too much of contempt and of envy. Bon appetit!

  31. “Oral History of Butler Lampson”, 2006:

    : “But I wish that you had been at CERN on a sabbatical when that…”

    : “I probably would have been a disaster.”

    Kay: “I don’t know. But I think you would have made a slightly better…”

    Lampson: “No. No. No. No. No. No. What Tim [Berners-Lee] did was perfect. My view about the web is that it’s the great failure of computer systems research. Why did computer systems researchers not invent the web? And I can tell you the answer. It’s because it’s too simple.”

    Kay: “It is too simple.”

    Lampson: “If I had been there I would have mucked it up. I swear to God. The idea that you’re going to make a new TCP connection for every mouse click on a link? Madness! The idea that you’re going to have this crusty universal data type called HTML with all those stupid angle brackets? We never would have done that! But those were the things that allowed it to succeed.”

  32. Many anonymous commenters point this out because it makes Bitcoin smell like some sort of or :

    Bitcoin, like the recent commercial phenomenon , tends to turn people into marketers because they feel they have something to gain, however small it might be in the end; I think that partly accounts for its temporary success.

    Or “The Rise and Fall of Bitcoin”, Wired:

    Stefan Brands, a former ecash consultant and digital currency pioneer, calls bitcoin “clever” and is loath to bash it but believes it’s fundamentally structured like “a pyramid scheme” that rewards early adopters.

    John Robb, “More Thoughts on Bitcoin”:

    Lots of people are saying: “The deflation built into bitcoin was a terrible idea. People are getting rich.” In fact, it was a brilliant idea. It brought in speculators (people that are buying/selling it as if in a game). It created a bubble. The bubble put it on the map. The bubble has attracted thousands of developers/participants. Think of how the fueled the Web/Internet.

    Szabo is a little more generous in his explanation of why people were uninterested in Bitcoin-like strategies:

    1. Hardly anybody actually understands money. Money just doesn’t work like that, I was told fervently and often. Gold couldn’t work as money until it was already shiny or useful for electronics or something else besides money, they told me. (Do insurance services also have to start out useful for something else, maybe as power plants?) This common argument coming ironically from libertarians who misinterpreted account of the origin of money [see “On the Origins of Money”] as being the only way it could arise (rather than an account of how it could arise) and, in the same way misapplying Mises’ regression theorem [see ]. Even though I had rebutted these arguments in my study of the origins of money, which I humbly suggest should be required reading for anybody debating the economics of Bitcoin.

    There’s nothing like Nakamoto’s incentive-to-market scheme to change minds about these issues. :-) Thanks to RAMs full of coin with “scheduled deflation”, there is now no shortage of people willing to argue in its favor.

  33. Decentralized systems are usually convertible into centralized systems easily, while the converse is not true. (Much like versus serial programming—to make a parallel program serial, just insert a lot of .) For a simple example, consider cases where n = 2: imagine a swarm (a decentralized system) with one seed and one leech. Or take like or ; it’s a commonplace to point out that if a group really wants a ‘centralized’ workflow, they can just designate one particular repository the ‘master’ canonical repository and continue onwards with the DVCS as a more capable replacement for or CVS.↩︎

  34. betterunix offers an interesting defense of DigiCash:

    …It is worth pointing out that Digicash survived longer than Bitcoin has even been around—twice as long, in fact. The reasons for its failure are not as simple as “people just did not care.” There were forces in the US government actively working against all civilian use of cryptography, especially those systems that might thwart law enforcement investigations. Patents on cryptography (ironically, this includes patents held by Chaum himself) did what they typically do: prevent systems from being deployed on a large scale. There were bad management decisions, like Chaum’s refusal to accept a huge monetary offer from Microsoft to integrate his system with Windows 95 and another large offer from Visa…In another four years, if the news about Bitcoin is something other than, “Bitcoin trading at all-time lows”, or “Analyzing the failure of cryptocurrencies”, you can at least claim that Bitcoin fared better than Chaum’s systems.

  35. Zooko, May 31, 2011 6:42 PM↩︎

  36. Wei Dai, 2011-02-25:

    …If you read the Wikipedia article, you should know that I didn’t create Bitcoin but only described a similar idea more than a decade ago. And my understanding is that the creator of Bitcoin, who goes by the name Satoshi Nakamoto, didn’t even read my article before reinventing the idea himself. He and credited me in his paper. So my connection with the project is quite limited.

    Dai has also criticized the monetary policy built into Bitcoin:

    I would consider Bitcoin to have failed with regard to its monetary policy (because the policy causes high price volatility which imposes a heavy cost on its users, who have to either take undesirable risks or engage in costly hedging in order to use the currency). (This may have been partially my fault because when Satoshi wrote to me asking for comments on his draft paper, I never got back to him. Otherwise perhaps I could have dissuaded him (or them) from the “fixed supply of money” idea.) I don’t know if it’s too late at this point to change the monetary policy that is built into the Bitcoin protocol or for an alternative cryptocurrency to overtake Bitcoin.

    Adam Back, 2013-04-18 (confirmed by Wei Dai):

    …So anyway I know a few things about ecash, privacy tech, crypto, distributed systems (my comp sci PhD is in distributed systems) and I guess I was one of the moderately early people to read about and try to comprehend the p2p crypto cleverness that is bitcoin. In fact I believe it was me who got Wei Dai’s b-money reference added to Satoshi’s bitcoin paper when he emailed me about hashcash back in 2008. If like Hal Finney I’d actually tried to run the miner back then, I may too be sitting on some genesis/bootstrap era coins. Alas I own not a single bitcoin which is kind of ironic as the actual bitcoin mining is basically my hashcash invention.

  37. Which is a comforting lie scammers tell themselves and others to blame the victim—‘really, the victim deserved it, you can’t cheat an honest man!’—and which makes for more fun fictional (ie. ‘not true’) stories. But I think the sordid reality looks more like simply good people being ripped off as they lose their life savings because they aren’t specialists in an area and trusted an expert. I think it’s relatively rare that you get a complicated setup like this scam, or like the Madoff scam in which people assumed Madoff was simply frontrunning the people he was trading for; although now that I think about it, only the savviest investors with Madoff understood the sheer impossibility of his returns and concluded he was scamming by frontrunning; most of the people who gave him money were just ordinary middle-upper-class folks.↩︎