Ben Laurie blathering


A friend alerted to me to a sudden wave of excitement about Bitcoin.

I have to ask: why? What has changed in the last 10 years to make this work when it didn’t in, say, 1999, when many other related systems (including one of my own) were causing similar excitement? Or in the 20 years since the wave before that, in 1990?

As far as I can see, nothing.

Also, for what its worth, if you are going to deploy electronic coins, why on earth make them expensive to create? That’s just burning money – the idea is to make something unforgeable as cheaply as possible. This is why all modern currencies are fiat currencies instead of being made out of gold.

Bitcoins are designed to be expensive to make: they rely on proof-of-work. It is far more sensible to use signatures over random numbers as a basis, as asymmetric encryption gives us the required unforgeability without any need to involve work. This is how Chaum’s original system worked. And the only real improvement since then has been Brands‘ selective disclosure work.

If you want to limit supply, there are cheaper ways to do that, too. And proof-of-work doesn’t, anyway (it just gives the lion’s share to the guy with the cheapest/biggest hardware).

Incidentally, Lucre has recently been used as the basis for a fully-fledged transaction system, Open Transactions. Note: I have not used this system, so make no claims about how well it works.

(Edit: background reading – “Proof-of-Work” Proves Not to Work)


  1. You’ve missed the most important point. Can anything actually stop Bitcoin’s rise?

    Comment by Dave UK — 17 May 2011 @ 18:34

  2. Ben, I like your work and I also go back the 10 or 15 years in digital bearer certificates. But what has changed from the Chaumian (or even Brands) days is that distributed p2p architecture has flourished. It has flourished not only for efficiency but for ultimate survival. It would be irresponsible and naïve to think that a centralised issuing mint (required to prevent double-spend) can avoid shut-down if that were the goal of the authorities.

    However, the more important consideration is that auditable reserves themselves create a point of failure through confiscation. Bitcoin’s author has a fairly lengthy (and robust) exchange on the cryptography mailing list prior to launch. The transactional block chain has allowed decentralisation and that in itself is a major change. I’m really surprised that a friend had to ‘alert’ you to bitcoin! Realizing that all money is a mass illusion in some way, I would personally prefer to trust in cryptography than to trust in God and I thought you would as well.

    Comment by Jon Matonis — 17 May 2011 @ 19:14

  3. Sounds a bit like sour grapes. What has changed since 1999? The Internet has gone from widely-hyped but still not really mainstream behavior to utterly pervasive and worldwide. The mining metaphor allows the coins to originate in the hands of the participants rather than with some central authority. Sure, those with larger CPUs get a larger share, but those tools are in theory available to anyone (unlike a centralized printing press) and given the amount of work going into mining right now, I can’t imagine it’s going to be very lucrative to run large mining efforts. (Although presumably the price of a Bitcoin will rise to make it +EV.)

    If you have some clever way to limit supply that doesn’t involve trusting some central authority not to simply print more, then we’re all ears. I have not seen any such proposals in the literature and certainly none in the field. The inventors of Bitcoin obviously have some political beliefs about inflation and how much trust we can put in central authorities (not much.) They’ve embodied those political beliefs into running code, rather cleverly if you ask me. Bitcoin is modelled on gold where there is a finite amount in the ground, it takes increasing work to get smaller amounts of it and it takes a very long time to really exhaust the supply.

    Sure there are other possibilities (personally I think monetary policy does slightly more good than harm although just barely) and perhaps you should dust off one of your old systems and clean it up for the modern era. But I think Bitcoin is one of those rare cases of a powerful idea made flesh and so far I am impressed and perhaps a little scared.

    Comment by Jordan Graf — 17 May 2011 @ 19:15

  4. no central authority

    Comment by eternal1 — 17 May 2011 @ 19:23

  5. low transaction fees

    Comment by eternal1 — 17 May 2011 @ 19:24

  6. “Also, for what its worth, if you are going to deploy electronic coins, why on earth make them
    expensive to create? That’s just burning money”

    You obviously didn’t do your homework and find out what the actual reason if for them being “expensive” to create. It has to do with securing the network against attacks.

    Please go read the paper, and understand the system. And then go write another blog post after being fully informed.


    Comment by sad — 17 May 2011 @ 19:32

  7. Hi, it’s interesting to read a critique from someone who could arguably understand bitcoin. However, it seems from reading your post that you have not bothered to understand it before criticizing it.

    I read your linked paper, and it’s kind of interesting, but it’s sorely outdated and I honestly can’t see how it applies to Bitcoin. In the paper the big problem (please correct me if I’m wrong) is that an undue burden could be placed on legitimate users, while not effectively stopping abusers.

    With bitcoin the proof of work is spread out over willing miners, and while they are paid every time they succeed, the whole network benefits from the collective effort. Users that don’t have GPUs and don’t want to mine are still able to use the system just fine. If you read Satoshi’s paper you’ll find that the proof-of-work scheme in Bitcoin has the effect of making it very very difficult to change the past, and somewhat difficult to double-spend (i.e. change the course of the immediate future in an abusive way).

    I confess to not understanding your proposed signatures over random numbers as a basis, especially with respect to a peer-to-peer block chain system, but I’ll have a look at the things you’ve linked.

    You say, “What has changed in the past X years” — I think the biggest change has been the success of peer-to-peer systems in a few arenas — bittorrent in particular. There is nothing new in bitcoin technologically, but the specific combination of components is, AFAIK, new and useful.

    Comment by Brock Tice — 17 May 2011 @ 19:33

  8. For those of us not familiar with the literature, can you elaborate on how to make Chaumian digital cash both scarce and decentralized? Or do you think those properties are not valuable?

    I agree that botnets are problematic; the entire Bitcoin network currently has only about 8,000 GPU-equivalents.

    Comment by Wes Felter — 17 May 2011 @ 19:40

  9. What are some other ways to limit supply in a Bitcoin-like system?

    Comment by Rudiger — 17 May 2011 @ 20:02

  10. BitCoin is the first decentralized digital currency to my knowledge. By “decentralized” I don’t mean just “there are many centralized currencies available”.

    The only easier way to limit supply that I can think of is to make it centralized and give someone power to determine supply.

    (I already posted these two comments on twitter, but I’m not sure you’ll see them there.)



    Comment by Zooko — 17 May 2011 @ 21:50

  11. Nobody remembers. It’s sad, really — but maybe we need to do a better job of educating them about what came before?

    Comment by J.D. Falk — 18 May 2011 @ 4:36

  12. “This is why all modern currencies are fiat currencies instead of being made out of gold.”

    This is also why they fucking suck. Centralised, cheap as chips to create from thin air and the demand created from the use of aggression by the government (legal tender laws) = recipe for disaster.

    You completely skip over the fact that Bitcoin is completely decentralised in both the way bitcoins are created and in the way transactions are validated, and the proof of work is how this is able to be achieved. In addition, the proof of work also provides the mechanism by which rampant inflation can be limited with a de-centrally created currency. If this happened 10 or 20 years ago feel free to correct me, but there’s the answer to your question.

    The PDF is also irrelevant as it’s about the infeasibility of proof of work being implemented to prevent email spam. It’s says nothing about it in this context.

    Comment by Jack — 18 May 2011 @ 5:23

  13. > I have to ask: why? What has changed in the last 10 years to make this work when it didn’t in, say, 1999
    What Bitcoin has that lucre apparently didn’t is marketing and inertia. Whether the algorithms are an improvement is obviously an independent topic.

    The conflation of limited supply and proof-of-work has probably already served its purpose: it helped to bootstrap the system by getting them interested in earning “something” and seeing numbers go up (humans like numbers that go up). In the long term, the incentive to continue mining converts from creation of new coins to collection of coins via transaction fees.

    Comment by Stu Hood — 18 May 2011 @ 5:55

  14. Just a couple quick comments…

    Bitcoin does use signatures to transfer funds. You create a transaction with one or more unspent outputs as inputs, an output to the recipient, and an optional output to yourself for change. Then you sign this transaction with your private key and broadcast it to the network.

    Proof of work is for distributed double-spend protection. Since each block takes a statistically predetermined amount of work, and each block is connected to the last, in order to double spend the attacker must have enough computing power to out-grow the honest block chain.

    Comment by Chris Rico — 18 May 2011 @ 8:15

  15. Hi there Ben,

    I think what’s new about Bitcoin compared to previous systems is just that it’s decentralised.

    Who runs the Lucre mint? Any Lucre economy needs a common trusted third party to do so. That’s OK for many situations, but as a general, global, currency? There’s a lot of reasons to be wary of a single central point of trust.

    Bitcoin has downsides – expensive minting, transactions take an hour to be confirmed – in exchange for being decentralised. I suspect that it will be of value as a global currency, with systems like Lucre used for smaller economies backed by it, providing cheap, rapid, transactions within communities that can all agree to trust a mint, and then using slow Bitcoin transactions between mints.

    Comment by Alaric Snell-Pym — 18 May 2011 @ 9:43

  16. Please tell me that you, of all people, know the difference between centralized and decentalized.

    Comment by David N. — 18 May 2011 @ 10:43

  17. (disclaimer: I’m not familiar with e-money systems, so please correct me if I’m wrong)

    The great thing about Bitcoin is that it’s decentralized. For example, Lucre requires a central trusted mint: this means that if it somehow acts dishonestly or, worse, loses control of the private key, the whole system breaks down, which is going to make people very weary of using it.

    Because Bitcoin is decentralized, the privilege to “act like a mint” has to be “paid for” somehow, and that’s where the proof-of-work comes into play. Sure, that causes some waste, but it’s a small price to pay to have a system that actually works because it’s trustworthy. Not to mention that the amount of money wasted by the proof-of-work would still have to be paid in the centralized mint model: the difference is that it would be pocketed by the mint instead of being burnt away, but that really makes no difference to the end-user.

    I don’t think the failure of proof-of-work system in the case of spam applies to e-money: the idea of Bitcoin is that the average user will NOT mine his own gold. This is different because users will actually be willing to pay for their money, unlike e-mail where people expect to send it for free from a wide variety of computers and therefore any non-trivial proof-of-work would make e-mail unusable. In Bitcoin, the “guy with the cheapest/biggest hardware” will be able to afford this hardware and energy not because he’s some sort of evil genius, but because actual users are going to pay him 101$ to obtain 100$ worth of virtual money. And because there’s a very low barrier to entry, we have a guarantee that this big guy is not going to charge 120$ or 200$ for this work, ensuring the system is as efficient as possible.

    To be honest I think the greater danger of decentralized money is going to be lack of government control and all the money laundering issues it brings. Expect it to be severely crippled by regulation.

    Comment by lantin — 18 May 2011 @ 10:47

  18. 1) Bitcoin, unlike Lucre, is decentralised. There is no single “mint” relied on to disburse the coins. People can trust that nobody at the mint is stealing coins for free.

    2) Maybe it’s just an idea whose time has come? In 1999 most people didn’t have always-on internet access, and many weren’t accepting of e-commerce, but now they are.

    3) What way of limiting supply would you suggest? If proof-of-work is out of the question, then clearly not everybody can generate coins, returning to the “mint” problem.

    Comment by Tomer Chachamu — 18 May 2011 @ 10:48

  19. Hello,

    I am new to anonymous digital currency and so my thoughts are still naive. It seems to me a coincidence that I’m interested in bitcoin just as there is perceived hype around it, since my interest came from a completely different source (I was not led here by a link or article, but by another path of research I happened to be engaged in just a few weeks ago). Weird coincidence, though.

    In any case, I wanted to find out more about bitcoin and I ended up on this blog post. After reading the criticisms, I had some comments that I hope you can comment on so I can learn a bit more about this domain.

    * the point of the busy-work in bitcoin, I thought, was to encourage a particular useful activity on the network (create blocks that are used to distribute and “freeze” the transactions in maximal block chains). Your point I take it is that the computational intensity of this busy-work is not necessary to accomplish this goal. But I thought the point of it was that if you remove the computational difficulty, then it becomes more likely that an attacker can generate a competing maximal chain of blocks with the same ease that someone could generate the legit chain of blocks, and this opens the way for double-spending and other attacks on the currency. Do the no-work systems address this problem in a different way? Also, I’m not completely dissuaded from the idea that a technical meritocracy (non-random, effort-based distribution of initial funds based on cycles dedicated to the network) is a bad way to distribute the currency initially anyway. Do you have comments on this, too?

    * you ask what the difference is between bitcoin and the older systems is. I suppose you might argue that these older systems also had some degree of hype surrounding them. However, the very fact that laypeople are getting intrigued by bitcoin does seem to indicate that this particular system, for whatever reason, has greater penetration into popular visibility. This alone might be the very thing that’s necessary to get it off the ground — after all, the final measure of an alternative currency is precisely whether a reasonably large group of diverse vendors is willing to accept it in exchange for goods and services. No?

    Thank you very much for your responses, and for your article. -0

    Comment by Zeroaltitude — 18 May 2011 @ 14:47

  20. You’ve misunderstood the purpose of the Bitcoin proof-of-work system. It is not designed to make bitcoins hard to create; it’s designed to ensure there is a canonical transaction history without the need to rely on a central authority.

    Comment by James Reeves — 18 May 2011 @ 16:00

  21. Ben, I concur with other who commented on your post:

    I think you failed to fully understand a number of innovations that bitcoin brings to the table, most notably its decentralized nature. I would suggest you spend more time trying to fully understand the implications of what’s been built here, as well as the elegance of the technical solution.

    As to the argument that “proof of work doesn’t work”, you may have a point there (which has been made countless time on the forums).

    However, what’s nice about bitcoin, is that one way or the other, one side of this discussion will be vindicated by either the failure or success of bitcoin. There’s nothing like taking an actual sample when it comes to settling theoretical wankings like the “proof of work doesn’t work” discussion.

    Comment by znort987 — 19 May 2011 @ 10:05

  22. What I don’t understand about Bitcoin: how will they deal with deflation?

    Comment by slw — 19 May 2011 @ 14:14

  23. This is worth a read:

    From the first post:

    >>No. Bitcoin is a ludicrously bad idea. It is a scam. A Scam. It is not a currency. The economic assumptions underpinning the Bitcoin ecosystem are laughable, and ignore hundreds of years of accumulated understanding of how currencies work with each other.

    Comment by Jon Vaughan — 20 May 2011 @ 14:34

  24. […] LinksBen Laurie blathering « Bitcoin […]

    Pingback by Links » Bitcoin 2 — 20 May 2011 @ 16:32

  25. […] there's a very interesting discussion about Bitcoin going on over at Ben Laurie's place […]

    Pingback by Last week on Twitter | 15Mb: yet another blog from Dave Birch — 22 May 2011 @ 13:52

  26. sawbuck comments about proof of work systems regarding anti-spam. Hopefully I can clear up a few misconceptions. Ben’s paper on proof of “work does not work” has more than one fundamental flaw. It’s based on a strawman e-mail architecture and a real working system (twopenny blue on launch pad) suffers none of its flaws.

    One of the major flaws in Ben’s paper is how he calculates the cost of a proof a work calculation. It’s not the amortized cost of hardware, electricity over time. He did a calculation right, he just did the wrong calculation. The proper calculation, and it’s hard, is the reduction in spam traffic caused by generating a single stamp for each message. On a single machine, this is a 600 to one reduction. as you increase the number machines and slow the per message delivery rate, then the reduction is correspondingly smaller until it reaches parity.

    Yes there is a burden on the sender but that burden doesn’t need to be paid if the user doesn’t care about bypassing the content filter. The burden on the center can be further reduced with a secondary service where you query the mail server on the other end saying “how big a stamp” before sending. Once your reputation is high enough, stamp sizes drop down to where they are almost invisible.

    In summary, there’s a lot of really good things that can happen with proof of work combined with a dynamic reputation engine. Most the objections raised over the years have been found to be overstated problems that have been fixed. Unfortunately, too many people have said “for for work doesn’t work” without paying attention to the actual work with proof of work.

    Comment by esj — 31 May 2011 @ 21:39

  27. […] (Und noch eine Kritik mit ausführlichen Antworten) […]

    Pingback by My 2 Cents on Bitcoins - vwp-online blog — 2 Jun 2011 @ 12:34

  28. […] time flies. Following my admittedly somewhat rambling posts on Bitcoin, I decided to write a proper paper about the problem. So, here’s a […]

    Pingback by Links » Decentralised Currencies Are Probably Impossible (But Let’s At Least Make Them Efficient) — 2 Jul 2011 @ 20:04

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress