Ben Laurie blathering

Decentralised Currencies Are Probably Impossible (But Let’s At Least Make Them Efficient)

How time flies. Following my admittedly somewhat rambling posts on Bitcoin, I decided to write a proper paper about the problem. So, here’s a preprint of “Decentralised Currencies Are Probably Impossible (But Let’s At Least Make Them Efficient)”. It’s short! Enjoy.

I may submit this to a conference, I haven’t decided yet. Suggestions of where are welcome.

By the way, Bitcoin fanboys: I see I have been taken to task for my heretic views on the Bitcoin forums. Since those have cunningly been closed to anyone who does not already have some kind of track record of conforming to the standards of the forums (presumably meaning “don’t diss Bitcoin”) I am unable to respond to comments there, but I would like to note, for the record, that I have not deleted a single non-spam comment on my Bitcoin posts, contrary to claims I see there.


  1. You realize that the title of the paper is paradoxical, right?

    Comment by Stu Hood — 3 Jul 2011 @ 5:37

  2. Looks like good fodder for Financial Cryptography –

    Comment by Chris Swan — 3 Jul 2011 @ 6:27

  3. As a duly authorised representative of the 15th annual Digital Money Forum, which will be held in London on 28th/29th March 2011, I hereby formally invite you deliver the paper as a talk there.

    Comment by Dave Birch — 3 Jul 2011 @ 9:40

  4. Kind offer, Dave, but my time machine is broken…

    Comment by Ben — 3 Jul 2011 @ 12:03

  5. OK, for those few without a time machine, 28th/29th March 2012…

    Comment by Dave Birch — 3 Jul 2011 @ 12:29

  6. I think that your hypothetical “unbounded agreement” mechanism actually exists. It is used not only to achieve consensus on checkpoints in the block chain, but also to decide all of the other technical details of bitcoin: the genesis block, the hashing and signing algorithms, the rules by which proof-of-work difficulty is adapted, the amount of coin generated, etcetera.

    However, the properties of this mechanism are such that it cannot be used to achieve real-time consensus on a large volume of transactions. It involves developers of bitcoin software, miners, and end users. It involves debates on mailing lists and message boards. It involves network effects that discourage people from starting their own bitcoin fork. It involves people trusting certain developers and installing new releases.

    The alternative mechanism of using proof-of-work to achieve consensus is necessary because we need a way for computers to achieve consensus *on our behalf* in an automated manner, so that thousands of transactions per second can be verified.

    Both mechanisms complement each other. Consensus between people is less vulnerable to attack, but it cannot be automated. Consensus between computers based on proof-of-work might be vulnerable to an attacker with a large amount of CPU power, but it can be automated.

    Comment by wcoenen — 3 Jul 2011 @ 13:58

  7. I wrote a response to this paper here:

    Comment by Amin — 3 Jul 2011 @ 15:44

    I think Mr Ben Laurie has stated some good points.

    Check these out

    See comments Here :

    Comment by @Michele1940 — 3 Jul 2011 @ 17:04

  9. Ah, forgot this one: Title Google & Co go mining ???

    Comment by @Michele1940 — 3 Jul 2011 @ 17:09

  10. > someone could come along with a further 1.1% of
    > the total power and use this to define their own
    > consensus, thus invalidating all the work, and
    > all the money, of the initial group, and instead
    > take possession of the entire currency for themselves.

    My bitcoins are stored in my wallet, protected by my private key.

    The attacker controlling 50% + 1 of the hashing power doesn’t get to touch the currency I hold.

    What the attacker can do is block my attempts to spend my bitcoins (by ignoring my transactions).

    The attacker can also try to spend bitcoins under control of the attacker (from the attacker’s own wallet) with one party, and then spend them again with another party.

    So while technically it is possible to attempt this 50% + 1 attack and then double-spend, it would not be very profitable. Controlling 50% + 1 requires about $10 million worth of hard-to-acquire hardware at the current rate. They better hurry … the amount of hardware needed just weeks ago was only $2 million. (See where this is going?)

    Now if profit is irrelevant, then yes — a big bank or rogue state initiative could pay the millions to some ASIC company to build the hardware necessary, operate it and cause some temporary grief to Bitcoin. That would also be a criminal act and because profit isn’t a motive that narrows down the list of possible suspects.

    Comment by Anony Mouse — 4 Jul 2011 @ 1:38

  11. > First we use efficient unbounded agreement to
    > number the current participants sequentially.

    So instead of the proof of work being based on the block chain hashing, you propose the proof of work being the existence of a node.

    Of course, the result is spinning up multiple nodes. If I can run 100,000 nodes (which is trivial) versus your 1 node I would earn 100,000 times more than you.

    The problem is, the goal of bitcoin’s architecture is not to fairly distribute coins, it is to enable a workable method to have decentralized authority.

    To this day, there has not been a single suggestion for an alternative method that would allow a decentralized authority (using technology that exists and/or is anywhere near affordable today).

    > here’s a preprint of “Decentralised Currencies …”

    Hopefully “preprint” means “draft”, and you get a chance to revisit the foundations of your arguments.

    Comment by Anony Mouse — 4 Jul 2011 @ 1:58

  12. > I am unable to respond to comments there

    Assuming that was because you were stuck in the newbie quarantine, know that occurred as an unfortunate consequence of attempts by an all-volunteer “staff” to manage the growth (er, more like limit the amount of sabotage) occurring with Bitcoin’s primary communication channel.

    Not sure if you happened to notice, but there are some people willing to take actions to influence the price of bitcoin to their favor and others who just don’t particularly like this idea of a decentralized digital currency.

    Comment by Anony Mouse — 4 Jul 2011 @ 2:12

  13. I have every confidence that your assessment of Bitcoin is correct, Ben, however I cannot resist pointing out that the Royal Mint is an anachronism dating back to the days when coins had intrinsic worth. Money is issued in the form of credit by the Central Bank, which in the UK’s case would be the Bank of England. I find very few people understand how our current money system works, which makes me somewhat cynical of attempts to replace it.

    Comment by Ray Daniels — 4 Jul 2011 @ 2:28

  14. About one month ago, I wrote a little paper

    in which I stated that ‘Bitcoins are not truly decentralized’ and that developers should refrain from hard-coding ‘correct block hashes’ in a reference implementation.

    At that time I didn’t fully realize the implications of what Ben Laurie now stated more formally. So the rest of the paper is an attempt to establish an improved decentralized currency, based on a ‘block-chain’ created by 50% or more cpu-power.

    Meanwhile I have come to the conclusion that it can be easily proved that as soon as bitcoins would become truly valuable, it would be lucrative to ‘fraud’ the system by gaining more than 50% of that cpu-power.

    1) Gain 50%+ of the computing power.
    2) Generate transactions favouring you and have them included into the block chain.
    3) In the meantime, with your 50%+ power, start creating a forked chain, with your coins double-spent in different transactions.
    4) Publish the fork when your original transactions are accepted and collect the benefits of your new transactions.

    At the moment each block generates 50 new bitcoins, and it would take a huge investment already to gain 50%+ of the cpu-power involved.

    In the long run however, blocks will only be rewarded with transaction fees and (a market equilibrium will form where) the cost of producing the hashing power needed to find a block will be equivalent to the total of transaction fees in that block.

    Assuming transaction fees are much lower than the value of transactions in a block, the cost of forking a block is then much lower than the reward from the double-spent coins.

    Comment by Steven Mooij — 4 Jul 2011 @ 13:39
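
The fork-and-double-spend procedure in steps 1 to 4 of the comment above, and the “50% + 1” discussion in comments 10 and 17, as an added worked example. This is example code written for this page; it is not from the post, from the paper, or from Bitcoin's own implementation. It models a longest-chain ledger deterministically: hash power is an integer percentage, each side accrues its percentage every round and mines a block when its accumulator reaches 100, and the merchant ships after a fixed number of confirmations. The attacker publishes the secret fork as soon as it is strictly longer than the public chain. The second function is Nakamoto's catch-up estimate from section 11 of the Bitcoin paper (the probability that an attacker with hash fraction q ever overtakes an honest chain z blocks ahead); it is included because it shows what the deterministic model hides: below 50% the attacker's chance decays exponentially with the confirmation depth, at or above 50% it is certain. All names (`Tx`, `Block`, `simulate_double_spend`, `attacker_catch_up_probability`) and the toy percentages are this example's own assumptions.

```python
"""Toy model of the fork-and-double-spend attack on a longest-chain ledger.

Example code added to this page; not from the post, the paper or Bitcoin.
Mining here is deterministic (integer hash-power percentages) so that the
outcome is reproducible; real mining is a Poisson race, which the Nakamoto
estimate at the bottom accounts for.
"""
import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    sender: str
    recipient: str
    amount: int


@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str
    txs: tuple
    miner: str

    def hash(self) -> str:
        payload = f"{self.height}|{self.prev_hash}|{[t.txid for t in self.txs]}|{self.miner}"
        return hashlib.sha256(payload.encode()).hexdigest()


def extend(chain, txs, miner):
    """Return a new chain (plain list) with one block appended."""
    prev = chain[-1].hash() if chain else "0" * 64
    return chain + [Block(len(chain), prev, tuple(txs), miner)]


def contains(chain, txid):
    return any(t.txid == txid for b in chain for t in b.txs)


def simulate_double_spend(attacker_pct, confirmations=6, horizon=200):
    """Steps 1-4 of the attack with attacker_pct percent of the hash power.

    Step 2: the attacker pays the merchant in a block the honest miners build on.
    Step 3: from the same parent, the attacker secretly mines a fork in which the
            same coins are sent back to the attacker instead.
    Step 4: once the merchant has `confirmations` confirmations (and has shipped),
            the attacker publishes the fork as soon as it is strictly longer; nodes
            following the longest chain reorganise onto it.
    """
    assert 0 < attacker_pct < 100
    honest_pct = 100 - attacker_pct
    genesis = extend([], [], "genesis")
    pay_merchant = Tx("pay-merchant", "attacker", "merchant", 100)
    pay_self = Tx("pay-self", "attacker", "attacker-cold-wallet", 100)  # conflicting spend

    honest = extend(genesis, [pay_merchant], "honest")  # public chain, payment has 1 confirmation
    secret = extend(genesis, [pay_self], "attacker")    # private fork from the same parent
    honest_acc = attacker_acc = 0
    shipped = False

    for _ in range(horizon):
        honest_acc += honest_pct
        attacker_acc += attacker_pct
        if honest_acc >= 100:                 # honest miners find a block
            honest_acc -= 100
            honest = extend(honest, [], "honest")
        if attacker_acc >= 100:               # attacker finds a block on the secret fork
            attacker_acc -= 100
            secret = extend(secret, [], "attacker")
        # confirmations = blocks from the paying block to the tip, inclusive
        if not shipped and len(honest) - 1 >= confirmations:
            shipped = True
        if shipped and len(secret) > len(honest):
            canonical = secret                # step 4: publish; longest chain wins
            break
    else:
        canonical = honest                    # attacker never got ahead within the horizon

    return {
        "attacker_won": canonical is secret,
        "merchant_paid": contains(canonical, pay_merchant.txid),
        "double_spend_confirmed": contains(canonical, pay_self.txid),
        "honest_height": len(honest) - 1,
        "fork_height": len(secret) - 1,
    }


def attacker_catch_up_probability(q, z):
    """Nakamoto's estimate (Bitcoin paper, section 11): probability that an attacker
    with hash fraction q ever catches up from z blocks behind the honest chain."""
    p = 1.0 - q
    if q >= p:
        return 1.0                            # at or above 50% the attacker always wins
    lam = z * q / p
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


if __name__ == "__main__":
    for pct in (30, 60):
        print(pct, simulate_double_spend(pct))
    for q in (0.1, 0.3, 0.5):
        print(q, [round(attacker_catch_up_probability(q, z), 6) for z in (1, 6, 10)])
```

With 60% of the hash power the published fork is two blocks longer than the public chain by the time the merchant has six confirmations, so the canonical chain contains `pay-self` and no longer contains `pay-merchant`; with 30% the fork never overtakes and the merchant keeps the payment. Note what the model does not let the attacker do, in line with comment 10: the fork can only reorder or omit transactions, it cannot spend coins whose private key the attacker does not hold. The "1.1% extra" figure is the fluid-model threshold; the Poisson estimate shows that below 50% a merchant can buy down the risk with more confirmations, while at 50% no number of confirmations helps.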

  15. The problem with Bitcoin miners not having the majority of the world’s hashing power applies to all national currencies as well (in a slightly different way of course). No country today could resist an invasion by a coalition of the rest of the world, and that coalition could easily abolish its currency. There are many reasons why this doesn’t happen, of course, and a lot of them are relevant to Bitcoin too.

    (1) Nobody cares about anyone’s currency enough to go to war about it, (2) Against powerful countries, weaker countries would face a coordination problem – if Nicaragua and Honduras wanted to attack the U.S., they would have a hard time getting anyone to join them, because any coalition with just one more country would still be too weak. With Bitcoin, the equivalent of (1) is that any group that had the resources to do that would gain much more from mining Bitcoins, and (2) probably no single group can out-compute the Bitcoin network right now — it has more computing power than the top 500 supercomputers combined. While your point makes sense, it is unlikely to be a practical problem for Bitcoin, just as a foreign invasion is unlikely to be a problem for the U.S. dollar, the euro, the yuan, etc.

    Comment by Eric Yu — 4 Jul 2011 @ 19:35

  16. @Eric: If you refer to the total computing power of Bitcoin right now, please realize that about 99.8% is paid for by the temporary rewards of 50 bitcoins per block.

    I think it would be reasonable, if normal bitcoin operation is discussed (which rewards new blocks with only transaction fees), to refer only to the part of that computing power that is paid for by current transaction fees (about 0.10 bitcoin per block). Which is about 26 Ghash/s.

    Comment by Steven Mooij — 5 Jul 2011 @ 10:10

  17. >> someone could come along with a further 1.1% of
    >> the total power and use this to define their own
    >> consensus, thus invalidating all the work, and
    >> all the money, of the initial group, and instead
    >> take possession of the entire currency for themselves.
    > My bitcoins are stored in my wallet, protected by my private key.

    I also thought this was an error, but then the footnote says “By forking history right back to the first block…”. Of course, doing that and catching up with the current state of the system would probably take quite a bit more than 1.1% extra power.

    Comment by YC — 6 Jul 2011 @ 7:40

  18. To be fair, the footnote is a clarification I uploaded after the original blog post.

    Comment by Ben — 6 Jul 2011 @ 12:35


  19. There is a lot of talk going on around the world about virtual currencies such as Bitcoin and others.

    Many are arguing that virtual currency is a reality and that it's here to stay. I personally agree with this proposition, but virtual currency shouldn't be used only as an alternative store-of-value asset.

    Bitcoin is probably the best known and most talked-about virtual currency these days. From what we can see in the exchange markets that have been created to trade Bitcoin, there is a lot of daily activity in the trading environment.

    What we cannot see is similar activity in the retail environment, either for on-line or real-world transactions. Aside from a few examples, this virtual currency does not seem to be taking off.

    What are the reasons for this? Well, there are many.

    First of all, aside from the early adopters, “mining” Bitcoin has become a difficult task for the individual.
    This means that if you want to have some Bitcoin, you can exchange your fiat currency for them on the exchange markets. So you have to take some of your stored “real money” and use it to store it again as Bitcoin. Unless, of course, you have a real intention to use this Bitcoin to buy something that you like and need/want to buy.

    Second, why do you have to convert your “real money” into Bitcoin if you need/want to buy something? Because Bitcoin allows you and the seller to have a cost-free transaction, in the same way you would if you handed over your cash to the vendor. In addition, handling cash is also a cost, both for you and for the vendor.

    Third, is the vendor giving you any additional advantage if you pay in Bitcoin, like, for example, a small discount? Not that I am aware of. But it might be possible that some are doing it. What I know for sure is that if you pay with real cash instead of your credit card, you have a very high chance of getting a small discount if you dare to ask for it.

    Fourth, there are the exchange markets that make the conversion rate change, and it is difficult for you and the vendor to forecast its future value. You may exchange your “real money” into Bitcoin today, or as a vendor you may accept a payment in Bitcoin today at the current rate, and find out a few days later that the value of Bitcoin has dropped. Or it has increased. This uncertainty surely complicates the matter even more. Unless you see Bitcoin as a form of investment, in the hope that its value will go sky high someday.

    Many might argue that even your “real money” is subject to the same process described above.
    All fiat money, of course, is subject to inflation and deflation, and the conversion rates between currencies vary daily. Some might also argue that fiat money might collapse and that you would end up with a bank account filled with numbers that have no purchasing value at all.

    So, it seems that what we need for a virtual currency to become a usable currency is some stability of its value. In order to accomplish this, we have to reduce the trading and increase the actual use of our beloved virtual currency.

    It is my opinion that the present monetary system is just a paradigm, a model. Therefore it is subject to a shift. And a Global Virtual Currency (not necessarily Bitcoin) could be a good entry point for the shift to occur. But it needs to be available to everybody.

    Signed: Twitter @Michele1940

    Comment by @Michele1940 — 6 Jul 2011 @ 12:04

  20. The Bitcoin eligible voters are not “the majority of computing power in existence” because computing power is not a fungible, homogeneous substance. You can easily see a 10^4 performance ratio on specialized versus commodity hardware (ASIC vs CPU), so that the Bitcoin network becomes impervious to attack if it makes up only 0.01% of the “computing power of the world” as expressed in transistors*Hz. Rather, Bitcoin, like most other currencies in the world, is up against any adversary more financially powerful than its backers (the miners). So if you are willing to invest more than the compounded mining profit, you can take the majority vote and influence consensus, by expanding the computing power of the world in the form of efficient mining machines.

    It’s pretty clear that rewriting the history is not equivalent to stealing everybody’s money; rather, it means destroying the system and making the coins worthless, so the likely attackers will not be profit-motivated by any definition of profit expressed in bitcoins. We could talk about governments, banks, competing currencies, lulz etc. It’s only a matter of speculation whether an attacker likely to act in such a manner exists. Furthermore, as the network expands the window of opportunity closes to exclude small-scale lulz-motivated attackers, and allows only governments or large corporations. The hashing power of the network already surpasses what could be accomplished by ~10 million commodity PCs, excluding even the largest botnets as worthy attackers.

    Comment by BubbleBoy — 6 Jul 2011 @ 15:39

  21. Ben, your analysis reads as though you took your well-known and long-standing bias against proof-of-work and reverse engineered that ideology to fit into an ad hoc criticism of bitcoin cryptography. You must know that bitcoin represents an example of Byzantine fault tolerance in use and that the bitcoin proof-of-work chain is the key to solving the Byzantine Generals’ Problem of synchronising the global view.

    Comment by Jon Matonis — 10 Jul 2011 @ 16:54

  22. […] or Ben, your analysis reads as though you took your well-known and long-standing bias against proof-of-work and reverse engineered that ideology to fit into an ad hoc criticism of bitcoin cryptography. You must know that bitcoin represents an example of Byzantine fault tolerance in use and that the bitcoin proof-of-work chain is the key to solving the Byzantine Generals’ Problem of synchronising the global view. […]

    Pingback by Links » An Efficient and Practical Distributed Currency — 23 Jul 2011 @ 15:51
