Ben Laurie blathering

Bitcoin is Slow Motion

OK, let’s approach this from another angle.

The core problem Bitcoin tries to solve is how to get consensus in a continuously changing, free-for-all group. It “solves” this essentially insoluble problem by making everyone walk through treacle, so it’s always evident who is in front.

But the problem is, it isn’t really evident. Slowing everyone down doesn’t take away the core problem: that someone with more resources than you can eat your lunch. Right now, with only modest resources, I could rewrite all of Bitcoin history. By the rules of the game, you’d have to accept my longer chain and just swallow the fact you thought you’d minted money.

If you want to avoid that, then you have to have some other route to achieve a consensus view of history. Once you have a way to achieve such a consensus, then you could mint coins by just sequentially numbering them instead of burning CPU on slowing yourself down, using the same consensus mechanism.

Now, I don’t claim to have a robust way to achieve consensus; any route seems to be open to attacks by people with more resources. But I make this observation: as several people have noted, currencies are founded on trust: trust that others will honour the currency. It seems to me that there must be some way to leverage this trust into a mechanism for consensus.

Right now, for example, in the UK, I can only spend GBP. At any one time, in a privacy preserving way, it would in theory be possible to know who was in the UK and therefore formed part of the consensus group for the GBP. We could then base consensus on current wielders of private keys known to be in the UK, the vast majority of whom would be honest. Or their devices would be honest on their behalf, to be precise. Once we have such a consensus group, we can issue coins simply by agreeing that they are issued. No CPU burning required.


  1. but who are they issued to initially?

    Comment by AnotherComputerScientist — 21 May 2011 @ 6:15

  2. I agree, though in fairness it may be helpful to note that rewriting all Bitcoin history from scratch would be much more expensive than the attacks I’ve outlined in the links I previously provided. And ironically, the development team has attempted to address a “full rewrite” attack by releasing a client that has checkpoints in the code that honor what they regard as the authoritative data. (I say it’s “ironic” because it’s a move that’s accepted by a community that detests the role of all central banks and which uses the phrase “fiat currency” derogatorily in every third sentence. More technically, it’s also ironic because all Bitcoin’s structural complication, and all its need for energy, derives from its attempt to be thoroughly decentralized, a feature directly undermined when a central development team passes practically authoritative judgment about wealth distribution.)

    The other problem that the Bitcoin protocol aims to address is the prevention of double-spending of currency units; it does this by means of a consensus-based linked list backed by proof-of-work, but this too is overcomplicated and wasteful. Any distributed public-key infrastructure that supports revocations is sufficient to prevent double-spending in concept; after that recognition, appropriate tradeoffs between speed, reliability, and decentralization lie in relatively straightforward implementation details that don’t require anything like the apparatus of the “block chain.”

    That said, Bitcoin is a legitimately interesting research offering in at least a few narrow ways; it could have some promise as a mechanism for decentralized timestamping, for example, though the need for that application isn’t entirely clear. There may even be ways to apply the technology directly toward finance, in an altered implementation. The most significant tragedy of Bitcoin in my view is not especially technological; it’s a result of the context of its deployment. It’s come to be promoted virally (in multiple senses) by ideologues who’ve functionally turned it into a significant financial fraud, and as you emphasize, it’s attracted “miners” who are burning literal fuel to feed the frenzy.

    (As an aside, I encourage you and others to read the Bitcoin Forum to get a sense of precisely how rabid and extreme most of the prominent early adopters and promoters of the technology are, because that is where the marketing comes from, and those are the people who stand to benefit from the scheme. I don’t mean to harp on it, but it’s really rather shocking and unfamiliar among the dozens of open-source communities I’ve followed. Many of the early adopters want to see assassination markets arise, for example, and — less drastically — are already consciously violating the securities laws of their countries by promoting unregistered stock in Bitcoin-related companies to the public.

    A further characteristic of this group is their reasoning by solely formal analogy, even in pragmatic spheres. I’ve been following comments to various articles about Bitcoin on the web, and the reasoning popular by those who promote the scheme almost always depends on such arguments as “wasting energy doesn’t matter here because central banks and gold miners do it” and “Bitcoins aren’t a pyramid scheme unless you think gold, dollars, and every IPO are also pyramid schemes.” This sort of reasoning misses all nuance and institutional context.)

    Your point that when designing currencies, you can’t get around “trust” and ought to leverage it even in this context is a very nice one. The costs of total decentralization in this context seem sharply to outweigh the benefits, and sadly they only get worse (in ways required by the Bitcoin protocol) as time passes.

    Comment by ComputerScientist — 21 May 2011 @ 7:01

  3. Ben, would you currently accept bitcoin as a tax-free payment for your services?

    Comment by Jon Matonis — 21 May 2011 @ 8:18

  4. Isn’t one of the problems with this debate that it is dealing with three essentially orthogonal issues. Issue 1 is how to send “coins” over the internet, issue 2 is anonymity and issue 3 is monetary. From my lay position of cryptographic inexpertise, I don’t understand the “bundle” and can’t help but suspect that dealing with these issues separately might not only help the debate but the engineering, if you see what I mean.

    Comment by Dave Birch — 21 May 2011 @ 8:30

  5. The reason that CPU is used to generate coins is because this provides an incentive for people to perform block generation. I think a better way to look at it is that you are not using CPU to generate a coin, you are using CPU to generate a block and as a reward for generating that block the network will allow you to mint 50 BTC.

    Incentivising block generation is important as the greater CPU power the network has the harder it becomes to perform a DoS attack on the network. But significantly even with a large amount of CPU it is difficult for an attacker to perform any dangerous or destructive attacks. See

    I think you are fundamentally mistaken about your assessment of the value of BitCoins. Its value is not related to what it cost to generate it, the value is derived from what users are willing to pay for it – in precisely the same way that traditional currencies receive their value.

    Regarding trust, a lot of people using currencies *aren’t* honest and BitCoin largely removes the need to trust other parties (aside from them honouring their side of any transactions). I accept that consensus is a problem under the system, it seems extremely unlikely that any non-trivial changes to the way the network functions could be applied in the future.

    As others have mentioned, the reason a distributed currency like this works now and didn’t work 10 years ago, and 20 years ago is that we now have the infrastructure to enable us to quickly and cheaply transmit the blockchain to all clients – this would have been entirely infeasible using dial-up connections. Additionally, BitCoin has grown to the size it is because users chose to adopt it whereas they didn’t with previous projects. Most importantly it exists right now and is available for use, whereas the idea you propose – regardless of merit – is simply speculation.

    I’d love to discuss this with you more, I think BitCoin is a great concept and even if it doesn’t ultimately succeed it will have been a very significant experiment from many aspects.

    Comment by Robert Leverington — 21 May 2011 @ 9:02

  6. The deeper a block is in the main chain, it becomes exponentially harder to rewrite out of history because it is essentially a race; you have to fork the block chain at a block previous and outpace all of the honest workers continually until your fork is longer. Simply saying the equivalent of, ‘You could do it if you have the resources’ is essentially meaningless, especially at this stage when the network is still admittedly small. The more popular Bitcoin becomes, the harder this will be.

    Even if you could succeed in doing this, all that you have achieved is to make Bitcoin worthless as a currency and so it is now worthless to you also (especially if you rewrite all of history; it would be obvious what is happening to everybody). You have undertaken a huge personal cost for no reason other than to be an arsehole; you’re not going to gain anything from the action. The most you could do is achieve a double spend i.e. spend and wait for the merchant to verify the transaction and release the goods to you, then write the transaction out of history and spend again. And even with a rewrite of a block 6 blocks deep in the chain, let alone a full rewrite, I think it would be obvious to everybody what is going on because the chances of that happening in an honest way is remote. At most you can have a few orphan links because of the way transmissions are broadcast across the network to some first rather than all (Byzantine Generals’ Problem), but a rewrite of an hour or more deep would seem fishy. So people would begin to not trust bitcoin due to the attacks, and again all you have succeeded is making Bitcoin worthless for everybody. Contrast that with the potential to make a profit (it would obviously depend on how much purchasing power a bitcoin has or will have relative to the cost of your super computer) by using your vast hashing rate to do honest work to mine bitcoins honestly.

    Comment by Jack — 21 May 2011 @ 9:13
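The race described in the comment above can be put into numbers. The following is an added example, not part of the original post or of any commenter's text: it applies the attacker-catch-up calculation from the Bitcoin whitepaper (the paper referred to elsewhere in this thread), with function names chosen here for illustration. It shows both sides of the disagreement: below half the hash power the rewrite probability falls off quickly with depth, and at half or more it is certain.

```python
import math


def attacker_success(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of total hash
    power ever overtakes the honest chain from z blocks behind.

    Follows the whitepaper's model: attacker progress while the honest
    network mines z blocks is Poisson with mean z*q/p, and from a deficit
    of d blocks the catch-up probability is (q/p)**d.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # With at least half the hash power the attacker always catches up.
        return 1.0
    lam = z * (q / p)
    total = 1.0
    poisson = math.exp(-lam)  # P(attacker mined 0 blocks)
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # P(attacker mined exactly k blocks)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, risk: float = 0.001, limit: int = 10_000):
    """Smallest depth z at which attacker_success(q, z) drops below risk.

    Returns None when no depth is enough (q >= 0.5) or limit is reached.
    """
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success(q, z) < risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed sample inputs: a range of attacker hash-power shares.
    for share in (0.10, 0.30, 0.45, 0.50):
        depth6 = attacker_success(share, 6)
        needed = confirmations_needed(share)
        print(f"q={share:.2f}  P(rewrite 6 deep)={depth6:.7f}  "
              f"depth for <0.1% risk={needed}")
```

The model only covers an attacker with a fixed minority or majority share of hash power; it says nothing about the external motives for an attack that later comments raise.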

  7. Ben will remember the Edinburgh Crypto conference in 2001 or 2002 or whenever it was. A Dutch chap who had been working – from memory – with the Dutch Central Bank gave a presentation. In the Q&A there was some discussion about such currencies and I remember the comment very well: control the money supply, and you have power. Would governments/political systems move on “alternative” currencies that threaten this power? Yes, absolutely.

    Comment by robin — 21 May 2011 @ 9:54

  8. “Right now, with only modest resources, I could rewrite all of Bitcoin history.”


    Comment by FM — 21 May 2011 @ 11:42

  9. Jack: I’ve pointed out previously that the notion that an attack is necessarily uneconomical, given the rewards of mining within the system, is far too tidy and is incomplete. There are many factors outside the Bitcoin system that could motivate an attack. It’s not just “arseholes” but anyone with any plausible motivation to reduce the value of a Bitcoin: competitors, market speculators, fraudsters, regulators, those who wish to extract value from large Bitcoin holders by threat, etc. “Satoshi’s” original paper makes this mistake; it assumes attacks won’t be mounted because it hypothesizes an arbitrary “rational attacker” and imputes unrealistic characteristics to the attacker. This is one way in which the paper would have benefited from peer review. The Bitcoin economy has already experienced small attacks that the paper would have considered irrational and thus impossible; nothing prevents larger ones from succeeding.

    To JD in the prior sequence of comments: I hesitate to take your bait, but it may be instructive to use your remark as an example of the sort of formal and immature schoolyard logic that’s being used to defend Bitcoin and the politics of most of those who support it stridently. Suppose that you in turn said of my faculty, “They’re a bunch of socialists and communists”; do you think it would be persuasive for me to respond, “Ah, you used the word ‘and,’ and thus you’ve proved you’re an imbecile because nobody is both a socialist and a communist”? What you call “proved, as in proof” is a much harder construct in the real world than it is on paper, and the current Bitcoin experiment (including its extreme politics and what Dave rightly calls its bundled monetary policy) needs to be evaluated in the real world.

    To Edward in that same sequence of comments: the nature of the adopters is an integral part of how the system is being promoted to the public, how the experimental Bitcoin economy functions, what reasons the public has to adopt it, and so on. I’ve fairly clearly distinguished my arguments about the technology itself from those about the economy of the current “block chain.”

    Comment by ComputerScientist — 21 May 2011 @ 17:33

  10. “So people would begin to not trust bitcoin due to the attacks, and again all you have succeeded is making Bitcoin worthless for everybody. Contrast that with the potential to make a profit (it would obviously depend on how much purchasing power a bitcoin has or will have relative to the cost of your super computer) by using your vast hashing rate to do honest work to mine bitcoins honestly.”

    So the only thing required for bitcoin to fail is for there to exist an entity that derives more value from bitcoin failing than it would from deploying the same amount of computing resources in playing the same.

    Hence, the only thing required for bitcoin to fail is for it to represent significant competition to any large bank or government.

    That’s also the only scenario in which you could call it a success. Oh dear.

    Comment by Andrew Suffield — 21 May 2011 @ 18:22

  11. Computer Scientist Wrote: “More technically, it’s also ironic because all Bitcoin’s structural complication, and all its need for energy, derives from its attempt to be thoroughly decentralized, a feature directly undermined when a central development team passes practically authoritative judgment about wealth distribution.”

    I don’t understand why you find that ironic. If the Bitcoin development team was a government whose dictates I was required to comply with, it would be ironic. However the team are volunteers offering the public a product – there are many other virtual currencies out there. If I felt their plans for decentralized currency were disingenuous, I would and could use another place holder

    Comment by Heisenberg — 21 May 2011 @ 18:58

  12. Ben Laurie wrote: “But I make this observation: as several people have noted, currencies are founded on trust: trust that others will honour the currency. It seems to me that there must be some way to leverage this trust into a mechanism for consensus.”

    Except that they aren’t based on trust. They’re based on faith.

    In your example, the group that know and trust each other don’t need a medium of exchange – they can just borrow from each other or trade favors. The point of money is the facilitation of trades that extend beyond your circle, at which point faith in the system replaces trust in the individual.

    And the reason you have faith in the GBP is because you’ve used them to buy groceries all of your life – not because you know and trust everyone you buy from and sell to. Certainly not because you trust the printers (if you are rational).

    Like everything, virtual currency will gain respectability with age.

    Comment by Heisenberg — 21 May 2011 @ 19:23

  13. ComputerScientist made two good points above. The checkpoints actually provide the best proof IMO that the bitcoin forums have gone full-retard; search for it, and you’ll find a couple posts pointing out “uh wtf, isn’t this system totally contradictory to the entire point of bitcoin and gives the development team full control over the blockchain?”, and the fanboys explain why it’s OK.

    One unfortunate aspect of bitcoin’s design is that there is not a clean separation between the MINTING of new coins and keeping a CONSISTENT TRANSACTION LOG for existing coins.

    My main problem with bitcoin is the way it does MINTING. I think designing a new currency where the initial wealth distribution is proportional to the CPU power under your control is a terrible idea due to the simple fact that most CPU power is in the hands of bot herders.

    For keeping a transaction log, I’m not yet convinced it’s totally a bad idea, and it actually seems quite clever in the fact that it seems to provide a means to do byzantine agreement with very low communication (at the cost of very high cpu use). See:

    Unfortunately I think the problem here is this system works well when you know the total amount of cpu power in the world, and therefore know when more than 2/3 of it has accepted your message. But nobody knows that.

    As ComputerScientist pointed out, the transaction consensus problem here is more or less the same as key revocation in PKI. Hopefully recent PKI issues get more people thinking about better ways to do decentralized PKI. A better key-revocation scheme will immediately lead to a better bitcoin architecture IMO.

    Comment by AnotherComputerScientist — 21 May 2011 @ 21:19

  14. There is no need to get all the bitcoins by minting them right now. On every moment of system’s existence/life someone can get by exchange/service great number of them (spending much, much less resources).

    Well, “Minting” exchangeable goods (especially before era dominated by virtual/paper money) was performed this way for a long, long time – those who were able, those with power were introducing more goods to the market (for example those with access to rare resources and with their operation backed by their social position).

    It is an interesting problem – let some people make money out of the air and give some people right to control its natural ecosystem ( sounds familiar? ) or introduce scarce “thingy” without such possibility for control (at least not in this form – all you can do efficiently is to get as much as you are able and regulate flow of money).

    What’s more – Ben stated that nothing changed from the time when he worked on ‘lucre’. Well, world changed much. Even if technology (crypto?) is similar whole context of its usage is new and quite exotic. And that makes great difference.

    Comment by Milo — 21 May 2011 @ 22:20

  15. “Right now, with only modest resources, I could rewrite all of Bitcoin history.”

    Right now, the Bitcoin network clocks in at around 20 PFLOPS, and to rewrite the Bitcoin block chain you’d need to exceed that.

    Unless you’re aware of some exploitable flaw in the Bitcoin client, I’m not certain how you plan to acquire that much computing power using “only modest resources”.

    Comment by James Reeves — 21 May 2011 @ 22:48

  16. Heisenberg: Topological centralization doesn’t imply coercion. My point is that if you trust some arbitrary development group to make decisions about the wealth in the block chain (as you functionally seem to do anyway), why not trust them (or, better, some more obviously public-regarding and accountable entity) simply to centralize the initial distribution of the currency based on an agreeable set of rules and then avoid all the wasted work and carbon emissions? That lowers both your externalities and very likely, in the long run, your own costs.

    Like Ben, I don’t have a perfect solution, but obviously Bitcoin’s isn’t perfect either. Maybe something using domain-name purchases in a moderately sized, distributed group of top-level domains could be a straightforward way to assign initial ownership of coins. Maybe a relatively uncontroversial charity could issue the coins in exchange for other currencies, in the manner of an initial public offering over a period of time, thereby allocating the currency’s seigniorage to the charity. There are dozens of other possibilities that deserve to be examined empirically for their social costs and benefits.

    Bitcoin’s solution is geared to an extreme lack of trust in those making the initial coin distribution, and that’s where many environmental costs and security threats come from. But in that respect, Bitcoin seems to be a solution in search of a problem, because as Ben has pointed out, the need for trust isn’t much greater in the initial allocation than it is in any other part of the system. Even so, Bitcoin’s solution to the “problem” is questionable: the concentrated seigniorage among unaccountable parties, and also the good degree of trust pragmatically given to a handful of centralized parties anyway, is a large part of what has convinced me and many others that the current incarnation of Bitcoin is substantively (even if not logically necessarily) a pyramid scheme.

    Comment by ComputerScientist — 21 May 2011 @ 22:51

  17. PKI cannot work because it is not decentralized. A decentralized PKI cannot work because there is no way to limit the number of certifying authorities, so an attacker can spoof an unlimited number and take over the network.

    There needs to be proof of work. Bitcoin’s method does it.

    Comment by NotaComputerScientist — 22 May 2011 @ 1:13

  18. The problem with majority consensus is not “that someone with more resources than you can eat your lunch”. The problem is that in an anonymous, open network, it is hard to keep people from cheaply creating any number of identities, thus gaining the majority. Hence the requirement to bind identities to real world resources. Proof-of-work is the only way to achieve this without user interaction that I am aware of (captchas would be another way WITH user interaction).

    Comment by theoreticalcomputerscientist — 22 May 2011 @ 12:38

  19. This isn’t a technical issue, it’s an age old philosophical issue.

    In the beginning, if I had a pig and you had 10 chickens, we could swap. Both those products came from ‘work’, which is analogous to coin mining if you’re so politically inclined. In those days it was simple because I had physical possession of something that could perform more work and earn a ‘profit’.

    Then came money. Instead of chickens, I agree to take this lump of metal which I can’t readily come by from digging in the back yard (unless I’m lucky). My confidence doesn’t come from its shiny allure, it comes from the big policeman who will bang you over the head if you try and exchange it unfairly.

    The only reason money actually works long term, is because a central authority with some form of rule of law says it does. If I try and buy a $100k house with $1 by claiming it’s of a different worth I will get laughed at. If I try and enforce it, a court and then a big policeman will stand in my way.

    Go ask the Russians what the value of a Rouble was around 1990. The government had one opinion, the street traders were taking dollars. They did this because the US government backed that currency and assured its worth, even in suitcases under tables in Moscow. It had rule of law backing it, even though that law was thousands of miles away across borders. Those funny Americans would send over shiny cars if you gave them those funny looking pieces of paper. However, Russia had corrupt communism effectively telling people that a chicken was worth 20 horses with no legal recourse if they disagreed. You can do the same experiment in Cuba today if you like.

    So what actually happens to BitCoin when the UK/US/EU govts. say it’s money laundering and starts handing out 10-20 for touching it? You couldn’t pay me to take a BitCoin 🙂

    Can you lend BitCoins and make interest? No, because I can’t enforce it in the courts? What are they going to do, award me damages in dollars? 🙂

    Solve the crypto and tech all you like.

    (That’s why there are so many loony anarchists associated with it.)

    Comment by Robert Nice — 25 May 2011 @ 2:45

  20. Difficulty will increase in time. Mining is a temp solution 🙂

    Comment by Bitcoin — 27 May 2011 @ 10:29

  21. Soon the bitcoin network will be larger in size than the top five supercomputers in the world COMBINED. This is the power of economic incentives on the human psyche. A system based on trust has already been tried and has totally failed to account for corruption.

    Comment by noagenda — 27 May 2011 @ 16:25

  22. Who owns what bitcoins is the consensus of those who expend the most computer power. This works if bitcoins represent the expenditure of computer power, represent mining for digital gold.

    If, however, there is a fixed limit on the number of bitcoins, to prevent inflation as computers get more and more powerful, this does not work. One must instead identify a set of honest people, an aristocracy, represented by a set of public keys, and say that who owns what bitcoins is the consensus of this set of honest people.

    Comment by James A Donald — 28 May 2011 @ 4:01

  23. As far as I can see, your entire motivation is based on analogies. In your first post you labelled Bitcoin mining “burning money”. In your next you invent a “certificate for the smoke caused by burning money”. Now you describe being on the Bitcoin network as “walking through treacle”.

    Instead of using analogies, why not learn and understand Bitcoin for what it actually is?

    Finally in this post you’ve reached something which is near a concrete proposal, but it still lacks many details. Even after you add those details, it’s quite obvious that your system isn’t better in every respect, and therefore that it’s possible that some reasonable people will use Bitcoins while other reasonable people will use Yourcoins.

    Until you’ve written a little more about Yourcoins, it’s pointless for you to tell us that bitcoin’s problems can be solved, without suggesting a Yourcoin – which then allows us to point out the new problems which your “solution” has created.

    Comment by Tomer Chachamu — 31 May 2011 @ 18:36

  24. I think the ComputerScientists have brought up an excellent point: The biggest problem Bitcoin may have right now is the almost religious frenzy, antisocial tendencies and inability to engage in reasonable arguments displayed by large parts of its user communities on the forums.

    In the minds of the general public technologies like email encryption and Bittorrent are often associated with criminal behaviour, which must have hurt their adoption. Looking at the forums, Bitcoin might be headed to an even worse image.

    The success of Bitcoin and the trust that can be invested in it depends on the rational behaviour of the majority of participants in the network. The benefits of its distributed nature stem mostly from the fact that no single party can exercise undue control. The party in the best position to do so are the core developers.

    Any opposition to the controversial checkpointing has been shouted down. Who is to say that if the core developers decide to implement really harmful changes, such as removing the provision that limits the total amount of coins being created (as a gift to the mining community), most of the network will not just go along with them?

    Comment by Thilo — 5 Jun 2011 @ 2:19

  25. To add to what Mr Nice said,

    Comment by Barney — 22 Jun 2011 @ 17:32

  26. Will the real “computerscientist” please stand up?

    Comment by Question — 24 Jul 2011 @ 19:45
