Ben Laurie blathering

An Efficient and Practical Distributed Currency

Now that I’ve said what I don’t like about Bitcoin, it’s time to talk about efficient alternatives.

In my previous paper on the subject I amused myself by hypothesizing an efficient alternative to Bitcoin based on whatever mechanism it uses to achieve consensus on checkpoints. Whilst this is fun, it is pretty clear that no such decentralised mechanism exists. Bitcoin enthusiasts believe that I have made an error by discounting proof-of-work as the mechanism, for example

I believe Laurie’s paper is missing a key element in bitcoin’s reliance on hashing power as the primary means of achieving consensus: it can survive attacks by governments.

If bitcoin relied solely on a core development team to establish the authoritative block chain, then the currency would have a Single Point of Failure, that governments could easily target if they wanted to take bitcoin down. As it is, every one in the bitcoin community knows that if governments started coming after bitcoin’s development team, the insertion of checkpoints might be disrupted, but the block chain could go on.

Checkpoints are just an added security measure, that are not essential to bitcoin’s operation and that are used as long as the option exists. It is important for the credibility of a decentralized currency that it be possible for it to function without such a relatively easy to disrupt method of establishing consensus, and bitcoin, by relying on hashing power, can.


Ben, your analysis reads as though you took your well-known and long-standing bias against proof-of-work and reverse engineered that ideology to fit into an ad hoc criticism of bitcoin cryptography. You must know that bitcoin represents an example of Byzantine fault tolerance in use and that the bitcoin proof-of-work chain is the key to solving the Byzantine Generals’ Problem of synchronising the global view.

My response is simple: yes, I know that proof-of-work, as used in Bitcoin, is intended to give Byzantine fault tolerance, but my contention is that it doesn’t. And, furthermore, that it fails in a spectacularly inefficient way. I can’t believe I have to keep reiterating the core point, but here we go again: the flaw in proof-of-work as used in Bitcoin is that you have to expend 50% of all the computing power in the universe, for the rest of time in order to keep the currency stable (67% if you want to go for the full Byzantine model). There are two problems with this plan. Firstly, there’s no way you can actually expend 50% (67%), in practice. Secondly, even if you could, it’s far, far too high a price to pay.

In any case, in the end, control of computing power is roughly equivalent to control of money – so why not cut out the middleman and simply buy Bitcoins? It would be just as cheap and it would not burn fossil fuels in the process.

Finally, if the hash chain really works so well, why do the Bitcoin developers include checkpoints? The currency isn’t even under attack and yet they have deemed them necessary. Imagine how much more needed they would be if there were deliberate disruption of Bitcoin (which seems quite easy to do to me).

But then the question would arise: how do we efficiently manage a distributed currency? I present an answer in my next preprint: “An Efficient Distributed Currency”.


  1. Proof-of-work is an interesting tool – but I agree that it has it’s limitations. A single root is clearly flawed. What seems very interesting is multiple trust roots with an well defined means to add and remove points of trust.

    Comment by nymble — 23 Jul 2011 @ 18:00

  2. Do you need a constraint on the proliferation of mintettes? If not a Sybil attack seems possible.
    I like the idea of the different mintettes having different public good type ideas of where the newly created coins get assigned.
    Like Bitcoin though, this seems to only allow inflation of the money supply. What if it should contract?

    Comment by Kevin Marks — 23 Jul 2011 @ 23:08

  3. Yes, you clearly need to constrain new mintettes. Since a consenus would be need to admit a new one, presumably a careful choice of the initial population is the most important factor.

    Comment by Ben — 23 Jul 2011 @ 23:23

  4. No, you do not need 50% of all computing power in the universe to keep it stable – that’s just plain wrong. All you need is for over %50 percent of the computing power __in the bitcoin network__ to be in the hands of the __many__ “good guys”. So on the contrary, all you need to do is __prevent__ over %50 of the processing power __in the bitcoin network__ to fall into the hands of an attacking group. That is nowhere near as difficult as you make out.

    Comment by Scott Ellis — 24 Jul 2011 @ 4:06

  5. “so why not cut out the middleman and simply buy Bitcoins?”
    Uh.. thatss what you’re *supposed* to do!

    Comment by anon e moose — 24 Jul 2011 @ 6:54

  6. It takes effort to maintain the status quo, no matter the realm: Bitcoin, web servers, stock markets, national defense, etc. Defense is expensive.

    Comment by Matt — 25 Jul 2011 @ 18:14

  7. […] An Efficient and Practical Distributed Currency ( […]

    Pingback by BitCoin alternative: distributed, but not decentralized cash | It's like, Really? — 25 Jul 2011 @ 19:00

  8. […] An Efficient and Practical Distributed Currency (tags: bitcoin economics money) […]

    Pingback by links for 2011-07-25 « that dismal science — 25 Jul 2011 @ 20:37

  9. “50% of all the computing power in the universe, for the rest of time”
    … where did you come up with that stupid idea? source pls.

    Comment by moose — 25 Jul 2011 @ 21:14

  10. @anon e moose: “Uh.. thatss what you’re *supposed* to do!”

    Uh, no: that is what the suckers are supposed to do. Laurie’s point is that if it’s all about money in some form or another, then one should be able to buy bitcoins into existence, as opposed to purchasing computational waste material.

    @Scott Ellis: “So on the contrary, all you need to do is __prevent__ over %50 of the processing power __in the bitcoin network__ to fall into the hands of an attacking group.”

    This is so breathlessly naive it’s hard to say anything in response. So instead, I’ll let the bitheads say nothing for me:

    Notice how someone posts a reference to a video that describes how financial companies are hollowing out office buildings(!) near major network hubs, making room for trading hardware, or, incredibly, digging _slightly straighter trenches_(!!) from Chicago to New York(!!!), all to shave a few microseconds(!!!!!) off round-trip times to merely front-run the competition(!!!!!!), and not one single bithead can perceive the significance(!^7).

    Not even a peep of insight!

    Comment by noone — 26 Jul 2011 @ 1:26

  11. This is a nice start – but it only glosses over the greatest difficulty – that is the establishment of new mintettes. By the way – is that name on purpose so easily to mistype or misread?

    Comment by Zbigniew Lukasiak — 26 Jul 2011 @ 11:30

  12. Well, 50-67% of network computing power is what is takes to have a truly decentralized currency. I also think that it is stupid that in the future we would have to have hardware worth several billion $ just to protect such currency, but the whole point of Bitcoin is to experiment and research in the possibility of creating DECENTRALIZED currency. It would always be more practical if we could trust the centralized or distributed model, but at least we now know the price of fully decentralized one.

    Comment by Watcher — 5 Aug 2011 @ 12:37

  13. I like how you conveniently leave out the fact that the Byzantine fault tolerance achieved in the Castro paper boils down to a closed group of predefined servers which must know at all times the structure of the network and be able to communicate with all other servers.

    Scaling this to a semi-open system with a clear process for mintette establishment is worthy of a paper in itself. Hint: deciding how mintettes join and leave the inner network is a Byzantine problem in itself, so to parrot your Bitcoin paper, if you can efficiently solve that you don’t need to use Castro’s algorithm 🙂

    Also the ideea that a system where each server must hear from each other server (or a majority thereof) before authorizing a transaction is “nearly instantaneous” is laughable, considering the system would have thousands or tens of thousands of mintettes. The bandwith for Castro also scales quadratically.

    Comment by BubbleBoy — 11 Aug 2011 @ 11:16

  14. Ben wrote – “(…) The currency isn’t even under attack and yet they have deemed them necessary (…)” – sounds too picky and not too rational. Adding extra security in serious projects even if they already can be seen as secure-enough (whatever that means) is not a bad practice at all (and I’m not thinking about mechanisms limiting performance and usefulness of the whole project greatly). It’s rather matter of pragmatic and humble approach to security (which many people are badly lacking).

    I can’t get rid of impression that Ben simply don’t likes bitcoin and because of that he fired-up his brain machinery to search for it’s faults (but some arguments simply doesn’t fit at all. badly).

    Comment by Milo — 12 Aug 2011 @ 22:15

  15. Milo: the point I was trying to make, perhaps incompetently, was that snapshots appear to be needed for the correct operation of the network as well as being a defensive mechanism.

    I don’t think the argument that it is purely a security measure holds water. For example, consider what happens if several coins happened to be minted simultaneously. Yes, it will probably sort itself out eventually, but not very efficiently. Network splits can have a similar effect.

    Comment by Ben — 12 Aug 2011 @ 22:39

  16. @Milo: “I can’t get rid of impression that Ben simply don’t likes bitcoin and because of that he fired-up his brain machinery to search for it’s faults […]”

    Good grief, the big question is not why Ben Laurie is pointing out the flagrant design flaws of bitcoin, but why the bitheads are strenuously averting their eyes from them. is one of the most transparent displays of cognitive dissonance on the internet today. It is truly amazing reading: every day a new bit.disaster, followed by the fix, and every day the bit.economy looks more and more like the current one it is supposed to replace.

    Comment by noone — 13 Aug 2011 @ 0:42

  17. Ben, I have proposed an alternative to bitcoin that hopefully solves most of the issues you have with it. If you have the time, I would be honored of you would read the proposal. It is far from complete and it is based off of bitcoin, but I believe it is startlingly different in every facet.

    Proof-of-work is still used, but only to create coins, not to secure them. It uses a similar system to the “mintettes” you described in your proposal.


    Comment by Etlase — 25 Sep 2011 @ 9:50

  18. Even after reading this six months later, I am still amazed at the fixation on efficiencies. Several here have already pointed out that of course it would be more efficient to centrally-manage a currency. However, efficiency is not the major goal of a nonpolitical (apolitical) digital currency like bitcoin so it cannot be considered a major flaw.

    It is also less efficient to arm an entire population to prevent unbridled dictatorial State powers and it is also less efficient to reproduce randomly instead of selective breeding of those with superior genetic traits. But, I wouldn’t want to have it any other way, comrade Ben.

    Comment by Jon Matonis — 4 Mar 2012 @ 15:40

  19. Dear Jon,

    I see you’re having trouble understanding Ben’s point.

    Let me break it down for you:

    1) Bitcoin claims to be decentralized via proof-of-work

    2) But Bitcoin isn’t really decentralized (explained in detail)

    3) Therefore Bitcoin’s proof-of-work is just a waste of resources

    You keep repeating that Bitcoin’s goal is not to be efficient but rather decentralized. But as Ben has shown Bitcoin “fails in a spectacularly inefficient way” at this goal. It is neither efficient nor decentralized.

    I hope that makes sense.



    Comment by Manish Jethani — 6 Apr 2013 @ 21:41

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress