What is permissioned-on-permissionless?

As of this writing, more than half of all VC funding to date has gone into building permissioned systems on top of a permissionless network (Bitcoin). Permissioned-on-Permissionless (PoP) systems are an odd hydra, they have all of the costs of Sybil-protected permissionless systems (e.g., high marginal costs) without the benefits of actual permissioned systems (e.g., fast confirmations, low marginal costs, direct customer service).

Thus it is curious to hear some enthusiasts and VCs on social media and at conferences claim that the infrastructure for Bitcoin is being rolled out to enable permissionless activity when the actual facts on the ground show the opposite is occurring.  To extract value, maintain regulatory compliance and obtain an return-on-investment, much of the investment activity effectively recreates many of the same permission-based intermediaries and custodians that currently exist, but instead of being owned by NYC and London entities, they are owned by funds based near Palo Alto.

For example, below are a few quotes over the past 18 months.

In a February 2014 interview with Stanford Insights magazine, Balaji Srinivasan, board partner at Andreessen Horowitz and CEO of 21inc, stated:

Thus, if the Internet enabled permissionless innovation, Bitcoin allows permissionless monetization.

In July 2015, Coinbase announced the winners of its hackathon called BitHack, noting:

The BitHack is important to us because it taps into a core benefit of Bitcoin: permissionless innovation.

Also in July 2015, Alex Fowler, head of business development at Blockstream, which raised $21 million last fall, explained:

At Blockstream, our focus is building and supporting core bitcoin infrastructure that remains permissionless and trustless with all of the security and privacy benefits that flow from that architecture.

Yet despite the ‘permissionless’ exposition, to be a customer of these companies, you need to ask their permission first and get through their KYC gates.

For instance, in Circle’s user agreement they note that:

Without limiting the foregoing, you may not use the Services if (i) you are a resident, national or agent of Cuba, North Korea, Sudan, Syria or any other country to which the United States embargoes goods (“Restricted Territories”), (ii) you are on the Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals (“Restricted Persons”), or (iii) you intend to supply bitcoin or otherwise transact with any Restricted Territories or Restricted Persons.

Is there another way of looking at this phenomenon?

There have been a number of interesting posts in the past week that have helped to refine the terms and definitions of permissioned and permissionless:

Rather than rehashing these conversations, let’s look at a way to define permissionless in the first place.

Permissionless blockchains

permissionless blockchainA couple weeks ago I gave a presentation at the BNY Mellon innovation center and created the mental model above to describe some attributes of a permissionless blockchain.  It is largely based on the characteristics described in Consensus-as-a-service.

DMMS validators are described in the Blockstream white paper.  In their words:

We  observe  that  Bitcoin’s  blockheaders  can  be  regarded  as  an  example  of  a dynamic-membership multi-party signature (or DMMS ), which we consider to be of independent interest as a new type of group signature. Bitcoin provides the first embodiment of such a signature, although this has not appeared in the literature until now. A DMMS is a digital signature formed by a set of signers which has no fixed size.  Bitcoin’s blockheaders are DMMSes because their proof-of-work has the property that anyone can contribute with no enrolment process.   Further,  contribution is weighted by computational power rather than one threshold signature contribution per party, which allows anonymous membership without risk of a Sybil attack (when one party joins many times and has disproportionate input into the signature).  For this reason, the DMMS has also been described as a solution to the Byzantine Generals Problem [AJK05]

In short, there is no gating or authorizing process to enroll for creating and submitting proofs-of-work: theoretically, validating Bitcoin transactions is permissionless.  “Dynamic-membership” means there is no fixed list of signatories that can sign (i.e. anyone in theory can).  “Multi-party” effectively means “many entities can take part” similar to secure multi-party computation.1

Or in other permission-based terms: producing the correct proof of work, that meets the target guidelines, permits the miner (block maker) to have full authority to decide which transactions get confirmed.  In other words, other than producing the proof-of-work, miners do not need any additional buy-in or vetting from any other parties to confirm transactions onto the blockchain. It also bears mentioning that the “signature” on a block is ultimately signed by one entity and does not, by itself, prove anything about how many people or organizations contributed to it.2

Another potential term for DMMS is what Ian Grigg called a Nakamoto signature.

Censorship-resistance, while not explicitly stated as such in the original 2008 white paper, was one of the original design goals of Bitcoin and is further discussed in Brown’s post above as well as at length by Robert Sams.

The last bucket, suitable for on-chain assets, is important to recognize because those virtual bearer assets (tokens) are endogenous to the network.  DMMS validators have the native ability to control them without some knob flipping by any sort of outside entity.  In contrast, off-chain assets are not controllable by DMMS validators because they reside exogenous to the network.  Whether or not existing legal systems (will) recognize DMMS validators as lawful entities is beyond the scope of this post.

Permissionless investments

What are some current examples of permissionless-related investments?

zooko permissionless

Source: Twitter

This past week I was in India working with a few instructors at Blockchain University including Ryan Charles.  Ryan is currently working on a new project, a decentralized version of reddit that will utilize bitcoin.

In point of fact, despite the interesting feedback on the tweet, OB1 itself, the new entity that was formed after raising $1 million to build out the Open Bazaar platform, is permission-based.

How is it permission-based when the DMMS validators are still permissionless?  Because OB1 has noted it will remove illicit content on-demand from regulators.

In an interview with CoinDesk, Union Square Venture managing partner, Brad Burnham stated that:

Burnham acknowledged that the protocol could be used by dark market operators, but stressed the OpenBazaar developers have no interest in supporting such use cases.  “They certainly won’t be in the business of providing enhanced services to marketplaces that are selling illegal goods,” he noted.

Based on a follow-up interview with Fortune, Brian Hoffman, founder of OB1 was less specific and a bit hand-wavy on this point, perhaps we will not know until November when they officially launch (note: Tor support seems to have disappeared from Open Bazaar).

One segment of permissionless applications which have some traction but have not had much (if any) direct VC funding include some on-chain/off-chain casinos (dice and gambling games) and dark net markets (e.g., Silk Road, Agora).  Analysis of this, more illicit segment will be the topic of a future post.

What are some other VC-funded startups that raised at least a Series A in funding, that could potentially be called permissionless?  Based on the list maintained by Coindesk, it appears just one is — Blockchain.info ($30.5 million).

Why isn’t Coinbase, Xapo or Circle?  These will be discussed below at length.

What about mining/hashing, aren’t these permissionless activities at their core?

Certain VC funded mining/hashing companies no longer offer direct retail sales to hobbyists, this includes BitFury and KnC Miner.  These two, known entities, through a variety of methods, have filed information about their operations with a variety of regulators.3  To-date BitFury has raised $60 million and it runs its own pool which accounts for about 16% of the network hashrate.  Similarly, KnC has raised $29 million from VCs and also runs its own pool, currently accounting for about 6% of the network hashrate.

What about other pools/block makers?  It appears that in practice, some require know-your-customer (KYC), know-your-business (KYB), know-your-miner (KYM) and others do not (e.g., selling custom-made hardware anonymously can be tricky).

  • MegaBigPower gathers KYC information.
  • Spondoolies Tech is currently sold out of their hardware but require some kind of customer information to fill out shipping address and customs details.  They have raised $10.5 million in VC funding.
  • GHash allows you to set up a pseudonymous account with throwaway email addresses (or via Facebook and Google+), but they have not published if they raised any outside funding
  • Most Chinese hashing and mining pools are privately financed.  For instance, Bitmain has not needed to raise funding from VCs (yet).  The also, currently, do not perform KYC on their users.  I spoke with several mining professionals in China and they explained that none of the big pools (Antpool, F2pool, BTC China pool, BW.com) require KYM at this time.  Over the past four days, these pools accounted for: 21%, 17%, 10% and 8% of the network hashrate respectively — or 56% altogether.  Update 7/29/2015: a representative at BTC China explained that: “Yes, we do KYC the members of our mining pool. We verify them the same way we KYC all registered users on BTCC.”
  • 21inc, not much more is known publicly at this time but if the idea of a “BitSplit” chip is correct, then what could happen is the following: as more chips are flipped on in devices, the higher the difficulty level rises (in direct proportion to the hashrate added).  As a result, the amount of satoshi per hash declines over time in these devices.  What this likely will lead to is a scenario in which the amount of satoshi mined by a consumer device will be less than “dust limit” which means a user will likely be unable to move the bitcoins off of the pool without obtaining larger amounts of bitcoin first (in order to pay the transaction fee).  Consequently this could mean the users will need to rely on the services provided by the pool, which could mean that the pool will need to become compliant with KYC/AML regulations.  All of this speculation at this time and is subject to changes.  They have received $121 million in VC funding.
  • As explained above, while individual buyers of hashing equipment, Bob and Alice, do typically have to “doxx” themselves up to some level, both Bob and Alice can resell the hardware on the second-hand market without any documentation.  Thus, some buyers wanting to pay a premium for hashing hardware can do so relatively anonymously through middlemen.4  This is similar to the “second-hand” market for bitcoins too: bitcoins acquired via KYC’ed gateways end up on LocalBitcoins.com and sold at a premium to those wanting to buy anonymously.

Notice a pattern?  There is a direct correlation between permissionless platforms and KYC/AML compliance (i.e., regulated financial service businesses using cryptocurrencies are permissioned-on-permissionless by definition).

Blockchain.info attempts to skirt the issue by marketing themselves as a software platform and for the fact that they do not directly control or hold private keys.5

This harkens back to what Robert Sams pointed out several months ago, that Bitcoin is a curious design indeed where in practice many participants on the network are now known, gated and authenticated except the transaction validators.

What about permissioned-on-permissionless efforts from Symbiont, Chain and NASDAQ?  Sams also discussed this, noting that:

Now, I am sure that the advocates of putting property titles on the bitcoin blockchain will object at this point. They will say that through meta protocols and multi-key signatures, third party authentication of transaction parties can be built-in, and we can create a registered asset system on top of bitcoin. This is true. But what’s the point of doing it that way? In one fell swoop a setup like that completely nullifies the censorship resistance offered by the bitcoin protocol, which is the whole raison d’etre of proof-of-work in the first place! These designs create a centralised transaction censoring system that imports the enormous costs of a decentralised one built for censorship-resistance, the worst of both worlds.

If you are prepared to use trusted third parties for authentication of the counterparts to a transaction, I can see no compelling reason for not also requiring identity authentication of the transaction validators as well. By doing that, you can ditch the gross inefficiencies of proof-of-work and use a consensus algorithm of the one-node-one-vote variety instead that is not only thousands of times more efficient, but also places a governance structure over the validators that is far more resistant to attackers than proof-of-work can ever be.

This phenomenon is something I originally dubbed “permissioned permissionlessness” for lack of a better term, but currently think permissioned-on-permissionless is more straightforward and less confusing.

What does this mean?


PoP blockchainThe Venn diagram above is another mental model I used at the BNY Mellon event.

As mentioned 3 months ago, in practice most block makers (DMMS validators) are actually known in the real world.

While the gating process to become a validator is still relatively permissionless (in the sense that no single entity authorizes whether or not someone can or cannot create proofs-of-work), the fact that they are self-identifying is a bit ironic considering the motivations for building this network in the first place: creating an ecosystem in which pseudonymous and anonymous interactions can take place:

The first rule of cypherpunk club is, don’t tell anyone you’re a cypherpunk.  The first rule of DMMS club is, don’t tell anyone you’re a DMMS.

The second bucket, neither censorship resistant nor trade finality, refers to the fact that large VC funded companies like Coinbase or Circle not only require identification of its user base but also be censor their customers for participating in trading activity that runs afoul of their terms of service.  Technically speaking, on-chain trade finality hurdles refers to bitcoin transactions not being final (due to a block reorg, a longer chain can always be found, undoing what you thought was a confirmed transaction).  This has happened several times, including notably in March 2013.

For instance, in Appendix 1: Prohibited Businesses and Prohibited Use, Coinbase lays out specific services that it prohibits interaction with, including gambling.  For example, about a year ago, users from Seals with Clubs and other dice/gambling sites noticed that they were unable to process funds from these sites through Coinbase and vice versa.

brian armstrong coinbase

Source: Twitter

The tweet above is from Brian Armstrong is the CEO of Coinbase, which is the most well-funded permissioned-on-permissionless startup in the Bitcoin ecosystem.  For its users, there is nothing permissionless about Bitcoin as they actively gate who can and cannot be part of their system and black list/white list certain activities, including mining (hashing) itself.6  It is not “open” based on common usage of the word.

In other words, contrary to what some Coinbase executives and investors claim, in an effort to extract value in a legally palatable manner, they must fulfill KYC/AML requirements and in doing so, effectively nullify the primary utility of a permissionless network: permissionlessness.  Furthermore, Coinbase users do not actually use Bitcoin for most transactions as they do not control the privkey, Coinbase does.  Coinbase users are not using Bitcoin on Coinbase, they are using an internal database.7 Or to use the marketing phrase: you are not your own bank, Coinbase is — which leads to a bevy of regulatory compliance questions beyond the scope of this post.8 However, once your bitcoins are out of Coinbase and into your own independent wallet where you control the private key, then you get the utility of the permissionless platform once more.

What are other permissioned-on-permissionless platforms?  Below are twenty-seven different companies that have raised at least a Series A (figures via CoinDesk) in alphabetical order:

  • Bitex.la: ($4 million)
  • BitGo: ($14 million)
  • BitGold: ($5.3 million)
  • Bitnet: ($14.5 million)
  • BitPay: ($32.5 million)
  • Bitreserve: ($14.6 million)
  • Bitstamp: ($10 million)
  • BitX: ($4.82 million)
  • BTC China ($5 million)
  • ChangeTip: ($4.25 million)
  • Chain: ($13.7 million)9
  • Circle: ($76 million)
  • Coinbase: ($106 million)
  • Coinplug: ($3.3 million)
  • Coinsetter: ($1.9 million)
  • Cryex: ($10 million)
  • GoCoin: ($2.05 million)
  • Huobi ($10 million)
  • itBit: ($28.25 million)
  • Korbit: ($3.4 million)
  • Kraken: ($6.5 million)
  • Mirror, formerly Vaurum: ($12.8 million)
  • OKCoin: ($11 million)
  • Ripple Labs ($37 million)
  • Vogogo ($21 million)
  • Xapo: ($40 million)

Altogether this amounts to around $492 million, which is more than half of the $855 million raised in the overall “Bitcoin space.”

What do these all have in common again?  Most are hosted wallets and exchanges that require KYC/AML fulfillment for compliance with regulatory bodies.  They require users to gain permission first before providing a service.

pie chart bitcoin fundingThe chart above visualizes funding based on the schema’s explored in this post.  Based on a total venture capital amount of $855 million, in just looking at startups that have received at least a Series A, 57.5% or $492 million has gone towards permissioned-on-permissionless systems.  An additional $224 million, or 26.1% has gone towards mining and hashing.10

Permissionless-on-permissionless includes Blockchain.info, ShapeShift, Hive, Armory and a sundry of other seed-stage startups that collectively account for around $50 million or 5.8% altogether.  The remaining 10.6% include API services such as Gem and BlockCypher; hardware wallets such as Case and Ledger; and analytic services such as Tradeblock.  In all likelihood, a significant portion of the 10.6% probably is related to permissioned-on-permissionless (e.g., Elliptic, Align Commerce, Bonafide, Blockscore, Hedgy, BitPagos, BitPesa) but they have not announced a Series A (yet) so they were not included in the “blue” portion.

Ripple Labs

Why is Ripple Labs on that funding list above?  While Ripple is not directly related to Bitcoin, it is aggregated on the funding list by CoinDesk.

Is it permissioned or permissionless?  A few weeks ago I met with one of its developers, who said in practice, the validator network is effectively permissionless in that anyone can run a validator and that Ripple Labs validators will process transactions that include XRP.11

This past week, Thomas Kelleher tried to outline how Ripple Labs is some kind of “third way” system, that uses ‘soft permissions’ in practice.  There may be a case for granular permissions on a permissionless network, but it did not coherently arise in that piece.

For example, in early May, Ripple Labs announced that it had been fined by FinCEN for not complying with the BSA requirements by failing to file suspicious activity reports (SARs), including notably, on Roger Ver (who did not want to comply with its KYC requests).

In addition to the fine, Ripple Labs also implemented a new identification gathering process for KYC compliance, stating:

The Ripple network is an open network. No one, including Ripple Labs, can prevent others from using or building on the Ripple protocol as they desire. However, when Ripple Labs provides software, such as the Ripple Trade client, Ripples Labs may impose additional requirements for the use of the software. As such, Ripple Labs will require identification of Ripple Trade account holders.

We will ask you to submit personally identifiable information (PII) similar to what you would submit to open a bank account, such as full name, address, national ID number, and date of birth. Users may also be asked to upload their driver’s license or other identifying documents. We will use this information to verify your identity for compliance purposes. We take privacy seriously, so the information you provide during the customer identification process is encrypted and managed by Ripple Trade’s Privacy Policy.

In other words, Ripple Labs was just fined by FinCEN for doing the very thing that Kelleher wants you to believe he is not required to do.   All new Ripple Labs-based “wallets” (Ripple Trade wallets) require user info — this likely means they can control, suspend and block accounts.12  All eight of the main Ripple gateways are also obliged to gather customer information.  The current lawsuit between Jed McCaleb and Ripple Labs, over the proceeds of $1 million of XRP on Bitstamp, will probably not be the last case surrounding the identification and control of such “wallet” activity (e.g., specific XRP flagged).

Thus, while the Ripple network started out as permissionless, it could likely become permissioned at some point due to compliance requirements.  Why?  If you download and install rippled, in practice you are going to use the default settings which rely on Ripple Labs core nodes. In practice, “choose your own” means “choose the default” for 99% percent of its users, ergo Ripple Labs sets the defaults.13 In a paper recently published by Peter Todd, he explained there is no game theoretic advantage to selecting non-default configurations which were not discussed in Kelleher’s essay.

Bob cannot choose his own rules if he has to follow compliance from another party, Ripple Labs. The UNL set may converge on an explicit policy as nodes benefit from not letting other nodes validate (they can prioritize traffic).14

I reached out to Justin Dombrowski, an academic who has spent the past year independently studying different ledger systems for a variety of organizations.  In his view:

I have a hard time thinking of Ripple as anything but plain permissioned because I have a hard time thinking of a realistic circumstance under which an active user wouldn’t also have an account subject to KYC, or be indirectly connected to one. Sure, I can run a node for the purpose of experimenting with some Ripple app I’m developing, but at the end of the day I expect to be payed for that app. And I could mine for free—and yeah, in that case the network is permissionless for me—but that’s a atypical, trivial example I’d think. Ripple is theoretically permissionless, but practically not because incentives align only with permissioned uses.

As Dombrowski noted, things get taxonomically challenging when a company (Ripple Labs) also owns the network (Ripple) and has to begin complying with financial service regulations.  This trend will likely not change overnight and until it explicitly occurs, I will probably continue to put an asterisk next to its name.

Challenges for DMMS validators in a permissioned-on-permissionless world

Over the past month, I have been asked a number of questions by managers at financial institutions about using public / communal chains as a method for transferring value of registered assets.

For instance, what happens if Bank A pays a fee to a Bitcoin or Litecoin miner/mining pool in a sanctioned country (e.g., EBA concerns in July 2014)?

In February 2015, according to a story published by Free Beacon, Coinbase was on “the hot seat” for explicitly highlighting this use-case in an older pitch deck because they stated: “Immune to country-specific sanctions (e.g. Russia-Visa)” on a slide and then went on to claim that they were compliant with US Treasury and NY DFS requirements.

Another question I have been asked is, what if the Bitcoin or Litecoin miner that processes transactions for financial institutions (e.g., watermarked tokens) also processes transactions for illicit goods and services from dark net markets?  Is there any liability for a financial institution that continues to use this service provider / block maker?

Lastly, how can financial institutions identify and contact the miner/mining pool in the event something happens (e.g., slow confirmation time, accidentally sent the wrong instruction, double-spend attempt, etc.)?  In their view, they would like to be able to influence upgrades, governance, maintenance, uptime (i.e., typical vendor relationship).


In the Consensus-as-a-service report I used the following chart showing trade-offs:permissioned tradeoffsI also used the following diagram to illustrate the buckets of a permissioned blockchain:

permissioned chainsRecall that the term “mintette” was first used by Ben Laurie in his 2011 paper describing known, trusted validators and was most recently used in Meiklejohn (2015).

The general idea when I published the report several months ago was that permissionless-on-permissioned (what effectively what Ripple sits) is untenable in the long-run: due to regulatory pressure it is impossible to build a censorship-resistant system on top of a permissioned network.

Ryan Shea pointed this out in his recent piece, noting that:

Permission-ed blockchains are useful for certain things but they are limited in what they can do. Fully decentralized, permission-less, censorship-resistant applications CANNOT be built on them, which for many is a deal-breaker.

What does this mean for your business or organization?  Before deciding what system(s) to use, it is important to look at what the organizations needs are and what the customer information requirements are.


As explored above, several startups and VC funds have unintentionally turned an expensive permissionless system into a hydra gated permissioned network without the full benefits of either.  If you are running a ledger between known parties who abide by government regulations, there is no reason to pay the censorship-resistance cost.  Full stop.15

fixing bitcoin

[The optics of permissioned-on-permissionless]

Most efforts for “legitimizing” or “fixing” Bitcoin involves counteracting features of Bitcoin that were purposefully designed such that it enables users to bypass third parties including governmental policies and regulations.  Businesses and startups have to fight to turn Bitcoin into something it isn’t, which means they are both paying to keep the “naughty” features and paying to hide them.  For example, if Satoshi’s goal was to create a permissioned system that interfaces with other permissioned systems, he would likely have used different pieces — and not used proof-of-work at all.

The commercial logic of this (largely) VC-backed endgame seems to be: “privatize” Bitcoin through a dozen hard forks (the block size fork is the start of this trend that could also change the 21 million bitcoin hard-cap).16

It seems increasingly plausible that some day we may see a fork between the “permissionless-on-permissionless” chain (a non-KYC’ed chain) and the “permissioned-on-permissionless” chain (a fully KYC’ed chain) — the latter comprising VC-backed miners, hosted wallets, exchanges and maybe even financial institutions (like NASDAQ).  The motivations of both are progressively disparate as the latter appears uninterested in developer consensus (as shown by the special interest groups wanting to create larger blocks today by ignoring the feedback from the majority of active core developers and miners).  At that point, there is arguably minimal-to-no need for censorship resistance because users and miners will be entirely permissioned (i.e. known by/to participating institutions and regulators).

When drilling down, some of the permissioned-on-permissionless investment appears to be a sunk cost issue: according to numerous anecdotes several of these VCs apparently are heavily invested in bitcoins themselves so they double down on projects that use the Bitcoin network with the belief that this will create additional demand on the underlying token rather than look for systems that are a better overall fit for business use-cases.17

This raises a question: is it still Bitcoin if it is forked and privatized?   It seems that this new registered asset is best called Bitcoin-in-name-only, BINO, not to be confused with bitcoin, the bearer asset.18

If the end game for permissionless systems is one in which every wallet has to be signed by something KYC/KYB approved, it appears then that this means there would be a near total permissioning of the ledger.  If so, why not use a permissioned ledger instead for all of the permissioned activity?

The discussion over centralized versus institutionalized will also be discussed in a future post.

[Acknowledgements: thanks to Richard Apodaca, Anton Bolotinsky, Arthur Breitman, Richard Brown, Dustin Byington, Justin Dombrowski, Thomas Kelleher, Yakov Kofner, Antony Lewis and John Whelan for their feedback.]


  1. See Does Smart Contracts == Trustless Multiparty Monetary Computation? []
  2. Thanks to Richard Brown for this insight. []
  3. In raising funds, they have “doxxed” themselves, providing information about founders and management including names and addresses.  They are no longer pseudonymous. []
  4. Thanks to Anton Bolotinsky for this insight. []
  5. Are there any other non-mining projects that are VC funded projects that do not require KYC?  A few notable examples include ShapeShift (which de-links provenance and does not require KYC from its users) and wallets such as Hive and Armory.  All three of these are seed-stage. []
  6. For more about know-your-miner and source of funds, see The flow of funds on the Bitcoin network in 2015 []
  7. Perhaps this will change in the future.  Coinbase users can now send funds both on-and-off-chain in a one-click manner. []
  8. Learning from the past to build an improved future of fintech and Distributed Oversight: Custodians and Intermediaries []
  9. Chain is working with NASDAQ on its new issuance program which requires KYC compliance.  In contrast, I created a new account for their API product today and it did not require any KYC/KYB. []
  10. See What impact have various investment pools had on Bitcoinland?  It bears mentioning that BitFury raised an additional $20 million since that post, bringing the publicly known amount to around $224 million. []
  11. Visited on July 2, 2015 []
  12. Using similar forensics and heuristics from companies like Chainalysis and Coinalytics, Ripple Labs and other organizations can likely gather information and data on Ripple users prior to the April 2015 announcement due to the fact that the ledger is public. []
  13. Two years ago, David Schwartz, chief cryptographer at Ripple Labs, posted an interesting comment related to openness and decentralization on The Bitcoin Foundation forum. []
  14. Thanks to Jeremy Rubin and Roberto Capodieci for their feedback. []
  15. Thanks to Arthur Breitman for this insight. []
  16. Thanks to Robert Sams for this insight. []
  17. Richard Apodaca, author of the forthcoming Decoding Bitcoin book, has another way of looking at VCs purchasing bitcoins, that he delves into on reddit twice. []
  18. One reviewer suggested that, “this would cease being bitcoin if the measuring stick is what Satoshi wanted.” []
Send to Kindle

Buckets of Permissioned, Permissionless, and Permissioned Permissionlessness Ledgers

A few hours ago I gave the following presentation to Infosys / Finacle in Mysore, India with the Blockchain University team.  All views and opinions are my own and do not represent those of either organization.

Send to Kindle

Learning from the past to build an improved future of fintech

[Note: below is a slightly edited speech I gave yesterday at a banking event in Palo Alto.  This includes all of the intended legalese, some of which I removed in the original version due to flow and time.  Special thanks to Ryan Straus for his feedback.  The views below are mine alone and do not represent those of any organization or individual named.]

Before we look to the future of fintech, and specifically cryptocurrencies and distributed ledgers, let’s look at the most recent past.  It bears mentioning that as BNY Mellon is the largest custodial bank in the world, we will see the importance of reliable stewardship in a moment below.

In January 2009 an unknown developer, or collective of developers, posted the source code of Bitcoin online and began generating blocks – batches of transactions – that store and update the collective history of Bitcoin: a loose network of computer systems distributed around the globe.

To self-fund its network security, networks like Bitcoin create virtual “bearer assets.” These assets are automatically redeemable with the use of a credential.  In this case, a cryptographic private key.  From the networks point of view, possession of this private key is the sole requirement of ownership.  While the network rules equivocate possession and control, real currency – not virtual currency – is the only true bearer instrument.  In other words, legal tender is the only unconditional exception to nemo dat quod non habet – also known as the derivative principal – which dictates that one cannot transfer better title than one has.

Several outspoken venture investors and entrepreneurs in this space have romanticized the nostalgia of such a relationship, of bearer assets and times of yore when a “rugged individual” can once again be their own custodian and bank.1 The sentimentality of a previous era when economies were denominated by precious metals held – initially not by trusted third parties – but by individuals, inspired them to invest what has now reached more than $800 million in collective venture funding for what is aptly called Bitcoinland.

Yet, the facts on the ground clearly suggests that this vision of “everyone being their own bank” has not turned into a renaissance of success stories for the average private key holder.  The opposite seems to have occurred as the dual-edged sword of bearer instruments have been borne out.  At this point, it is important to clearly define our terms.  The concepts of “custody” and “deposit” are often conflated.  While the concepts are superficially similar, they are very different from a legal perspective.  Custody involves the transfer of possession/control.  A deposit, on the other hand, occurs when both control and title is transferred.

Between 2009 and early 2014, based on public reports, more than 1 million bitcoins were lost, stolen, seized and accidentally destroyed.2 Since that time, several of the best funded “exchanges” have been hacked or accidentally sent bitcoins to the wrong customer.  While Mt. Gox, which may have lost 850,000 bitcoins itself, has attracted the most attention and media coverage – rightfully so – there is a never ending flow of unintended consequences from this bearer duality.3

For instance, in early January 2015, Bitstamp – one of the largest and oldest exchanges – lost 19,000 bitcoins due to social engineering and phishing via Gmail and Skype on its employees including a system administrator.4 Four months later, in May, Bitfinex, a large Asian-based exchange was hacked and lost around 1,500 bitcoins.5 In another notable incident, last September, Huobi, a large Bitcoin exchange in Beijing accidentally sent 920 bitcoins and 8,100 litecoins to the wrong customers.6  And ironically, because transactions are generally irreversible and the sole method of control is through a private key they no longer controlled them: they had to ask for the bitcoins back and hope they were returned.

A study of 40 Bitcoin exchanges published in mid-2013 found that at that time 18 out of 40 – 45% — had closed doors and absconded with some portion of customer funds.7 Relooking at that list today we see that about another five have closed in a similar manner.  All told, at least 15% if not higher, of Bitcoin’s monetary base is no longer with the legitimate owner.  Can you imagine if a similar percentage of real world wealth or deposits was dislocated in the same manner in a span of 6 years?8

In many cases, the title to this property is encumbered, leading to speculation that since many of these bitcoins are intermixed and pooled with others, a large percentage of the collective monetary base does not have clean title, the implications of which can be far reaching for an asset that is not exempted from nemo dat, it is not fungible like legal tender.9

As a consequence, because people in general don’t trust themselves with securing their own funds, users have given – deposited – their private keys with a new batch of intermediaries that euphemistically market themselves as “hosted wallets” or “vaults.” What does that look like in the overall scheme?  These hosted wallets, such as Coinbase and Xapo, have collectively raised more than $200 million in venture funding, more than a quarter of the aggregate funding that the whole Bitcoin space has received. Simultaneously, the new – often unlicensed – parties collectively hold several million bitcoins as deposits; probably 25-30% of the existing monetary base.10 Amazingly, nobody is actually certain whether a “hosted wallet” is a custodian of a customers bitcoin or acquired title to the bitcoin and is thus a depository.

Yet, in recreating the same financial intermediaries that they hoped to replace – in turning a bearer asset into a registered asset – some Bitcoin enthusiasts have done so in fashion that – as described earlier – has left the system ripe for abuse.  Whereas in the real world of finance, various duties are segregated via financial controls and independent oversight.11 In the Bitcoin space, there have been few financial controls.  For example, what we call a Bitcoin exchange is really a broker-dealer, clearinghouse, custodian, depository and an exchange rolled into one house which has led to theft, tape painting, wash trading, and front-running.12 All the same issues that led to regulatory oversight in the financial markets in the first place.

And while a number of the better funded and well-heeled hosted wallets and exchanges have attempted to integrate “best practices” and even third-party insurance into their operation, to date, there is only one Bitcoin “vault” – called Elliptic — that has been accredited with meeting the ISAE 3402 custodial standard from KPMG. Perhaps this will change in the future.

But if the point of the Bitcoin experiment, concept, lifestyle or movement was to do away or get away from trusted third parties, as described above, the very opposite has occurred.

What can be learned from this?  What were the reasons for institutions and intermediation in the first place?  What can be taken away from the recent multi-million dollar educational lesson?

We have collectively learned that a distributed ledger, what in Bitcoin is called a blockchain, is capable of clearing and settling on-chain assets in a cryptographically verifiable manner, in near-real time all with 100% uptime because its servers – what are called validators – are located around the world.  As we speak just under sixty four hundred of these servers exist, storing and replicating the data so that availability to any one of them is, in theory, irrelevant.13

Resiliency, accountability and transparency, what’s not to like?  Why wouldn’t financial institutions want to jump on Bitcoin then, why focus on other distributed ledger systems?

One of the design assumptions in Bitcoin is that its validators are unknown and untrusted – that there is no gating or vetting process to become a validator on its open network.  Because it is purposefully expensive and slow to produce a block that the rest of the network will regard as valid, in theory, the rest of the network will reject your work and you will have lost your money.  Thus, validators, better technically referred to as a block maker, attempt to solve a benign math problem that takes on average about 10 minutes to complete with the hope of striking it rich and paying their bills. There are exceptions to this behavior but that is a topic for another time.14

The term trust or variation thereof appears 13 times in the final whitepaper.  Bitcoin was designed to be a solution for cypherpunks aiming to minimize trust-based relationships and mitigate the ability for any one party to censor or block transactions. Because validators are unknown and untrusted, to protect against history-reversing attacks, Bitcoin was purposefully designed to be inefficient.15 That is to say attackers must expend real world resources, energy, to disrupt or rewrite history.  The theory is that this type of economic attack would stave off all but the most affluent nation-state actors; in practice this has not been the case, but that again is a topic for another speech.

Thus Bitcoin is perhaps the world’s first, commodity-based censorship resistance-as-a-service.  To prevent attackers on this communal network from reversing or changing transactions on a whim, an artificially expensive anti-Sybil mechanism was built in dubbed “proof of work” – the 10 minute math problem.  Based on current token value, the cost to run this network is roughly $300 million a year and it scales in direct proportion to the bitcoin market price.16

Thus there are trade-offs that most financial institutions specifically would not be interested in.

Why you may ask?

Because banks already know their customers, staff and partners. Their counterparties and payment processors are all publicly known entities with contractual obligations and legal accountability.  Perhaps more importantly, the relationship created between an intermediary and a customer is clear with traditional financial instruments.  For example, when you deposit money in your bank account, you know (or should know) that you are trading your money for an IOU from the bank.17 On the other hand, when you place money in a safe deposit box you know (or should know) that you retain title to the subject property.  This has important considerations for both the customer and intermediary.  When you trade your money for an IOU, you are primarily concerned with the financial condition of the intermediary.  However, when you retain title to an object held by somebody else, you care far more about physical and logical security.

As my friend Robert Sams has pointed out on numerous occasions, permissionless consensus as it is called in Bitcoin, cannot guarantee irreversibility, cannot even quantify the probability of a history-reversing attack as it rests on economics, not technology.18 Bitcoin is a curious design indeed where in practice many participants on the network are now known, gated and authenticated except the transaction validators.  Why use expensive proof-of-work at all at this point if that is the case?  What is the utility of turning a permissionless system into a permissioned system, with the costs of both worlds and the benefits of neither?

But lemonade can still be squeezed from it.

Over the past year more than a dozen startups have been created with the sole intent to take parts of a blockchain and integrate their utility within financial institutions.19 They are doing so with different design assumptions: known validators with contractual terms of service. Thus, just as PGP, SSL, Linux and other open source technology, libraries and ideas were brought into the enterprise, so too are distributed ledgers.

Last year according to Accenture, nearly $10 billion was invested in fintech related startups, less than half of one percent of which went to distributed ledger-related companies as they are now just sprouting.20

What is one practical use?  According to a 2012 report by Deutsche Bank, banks’ IT costs equal 7.3% of their revenues, compared to an average of 3.7% across all other industries surveyed.21)  Several of the largest banks spend $5 billion or more in IT-related operating costs each year.  While it may sound mundane and unsexy, one of the primary use cases of a distributed ledger for financial institutions could be in reducing the cost centers throughout the back office.

For example, the settlement and clearing of FX and OTC derivatives is an oft cited and increasingly studied use case as a distributed ledger has the potential to reduce counterparty and systemic risks due to auditability and settlement built within the data layer itself.22

How much would be saved if margining and reporting costs were reduced as each transaction was cryptographically verifiable and virtually impossible to reverse? At the present time, one publicly available study from Santander estimates that “distributed ledger technology could reduce banks’ infrastructure costs attributable to cross-border payments, securities trading and regulatory compliance by between $15-20 billion per annum by 2022.”23

With that said, in its current form Bitcoin itself is probably not a threat to retail banking, especially in terms of customer acquisition and credit facilities.  For instance, if we look at on-chain entities there are roughly 370,000 actors.  If the goal of Bitcoin was to enable end-users to be their own bank without any trusted parties, based on the aggregate VC funding thus far, around $2,200 has been spent to acquire each on-chain user all while slowly converting a permissionless system into a permissioned system, but with the costs of both.24

That’s about twice as much as the average bank spends on customer acquisition in the US.  While there are likely more than 370,000 users at deposit-taking institutions like Coinbase and Xapo, they neither disclose the monthly active users nor are those actual Bitcoin users because they do not fully control the private key.

If we were to create a valuation model for the bitcoin network (not the price of bitcoins themselves), the network would be priced extremely rich due to the wealth transfer that occurs every 10 minutes in the form of asset creation.  The network in this case are miners, the block makers, who are first awarded these bearer instruments.

How can financial institutions remove the duplicative cost centers of this technology, remove this $300 million mining cost, integrate permissioned distributed ledgers into their enterprise, reduce back office costs and better serve their customers?

That is a question that several hundred business-oriented innovators and financial professionals are trying to answer and we will likely know in less time it took Bitcoin to get this far.

Thanks for your time.


  1. Why Bitcoin Matters by Marc Andreessen []
  2. Tabulating publicly reported bitcoins that were lost, stolen, seized, scammed and accidentally destroyed between August 2010 and March 2014 amounts to 966,531 bitcoins. See p. 196 in The Anatomy of a Money-like Informational Commodity []
  3. Mt. Gox files for bankruptcy, hit with lawsuit from Reuters []
  4. Bitstamp Incident Report []
  5. Bitfinex Warns Customers to Halt Deposits After Suspected Hack from CoinDesk []
  6. Why One Should Think Twice Before Trading On The Bitcoin Exchanges from Forbes []
  7. See Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk by Tyler Moore and Nicolas Christin []
  8. This has occurred during times of war.  See The Monuments Men []
  9. Bitcoin’s lien problem from Financial Times and Uniform Commercial Code and Bitcoin with Miles Cowan []
  10. Based on anecdotal conversations both Coinbase and Xapo allegedly, at one point stored over 1 million bitcoins combined. See also: Too Many Bitcoins: Making Sense of Exaggerated Inventory Claims []
  11. See Distributed Oversight: Custodians and Intermediaries []
  12. See Segregation of Duties in the CEWG BitLicense comment []
  13. See Bitnodes []
  14. See Majority is not Enough: Bitcoin Mining is Vulnerable from Ittay Eyal and Emin Gün Sirer []
  15. See Removing the Waste from Cryptocurrencies: Challenges and More Challenges by Bram Cohen and Cost? Trust? Something else? What’s the killer-app for Block Chain Technology? by Richard Brown []
  16. See Appendix B []
  17. See A Simple Explanation of Balance Sheets (Don’t run away… it’s interesting, really!) by Richard Brown []
  18. Needing a token to operate a distributed ledger is a red herring []
  19. See The Distributed Ledger Landscape and Consensus-as-a-service []
  20. Fintech Investment in U.S. Nearly Tripled in 2014 from Accenture []
  21. IT in banks: What does it cost? from Santander []
  22. See No, Bitcoin is not the future of securities settlement by Robert Sams []
  23. The Fintech 2.0 Paper: rebooting financial services from Santander []
  24. One notable exception are branchless banks such as Fidor which is expanding globally and on average spends about $20 per customer.  See also How much do you spend on Customer Acquisition? Are you sure? []
Send to Kindle

A blockchain with emphasis on the “a”

Over the past month a number of VCs including Chris Dixon and Fred Wilson use the term “the blockchain” in reference to Bitcoin, as if it is the one and only blockchain.1

There are empirically, many blockchains around.  Some of them do not involve proof-of-work, some of them are not even cryptocurrencies.  Yet despite this, Dixon blocked Greg Slepak on Twitter (creator of okTurtles and DNSChain) for pointing that out just a couple weeks ago.

But before getting into the weeds, it is worth reflecting on the history of both virtual currencies and cryptocurrencies prior to Bitcoin.

The past

Below are several notable projects that pre-date the most well-known magic internet commodity.

  • DigiCash (1990)
  • e-gold (1996)
  • WebMoney (1998)
  • PayPal (1998) “Bitcoin is the opposite of PayPal, in the sense that it actually succeeded in creating a currency.”  — Peter Thiel
  • Beenz (1998)
  • Flooz (1999)
  • Liberty Reserve (2006)
  • Frequent flyer points / loyalty programs
  • WoW gold, Linden Dollars, Nintendo Points, Microsoft Points

According to an excellent article written a couple years ago by Gwern Branwen:

Bitcoin involves no major intellectual breakthroughs, so Satoshi need have no credentials in cryptography or be anything but a self-taught programmer! Satoshi published his whitepaper May 2009, but if you look at the cryptography that makes up Bitcoin, they can basically be divided into:

  • Public key cryptography
  • Cryptographic signatures
  • Cryptographic hash functions
  • Hash chain used for proof-of-work
    • Hash tree
    • Bit gold
  • cryptographic time-stamps
  • resilient peer-to-peer networks

And what were the technological developments, tools and libraries that spearheaded those pieces?  According to Branwen:

  • 2001: SHA-256 finalized
  • 1999-present: Byzantine fault tolerance (PBFT etc.)
  • 1999-present: P2P networks (excluding early networks like Usenet or FidoNet; MojoNation & BitTorrent, Napster, Gnutella, eDonkey, Freenet, i2p etc.)
  • 1998: Wei Dai, B-money
  • 1997: HashCash; 1998: Nick Szabo, Bit Gold; ~2000: MojoNation/BitTorrent; ~2001-2003, Karma, etc
  • 1992-1993: Proof-of-work for spam
  • 1991: cryptographic timestamps
  • 1980: public key cryptography
  • 1979: Hash tree

Other prior art can be found in The Ecology of Computation from Huberman.2 One open question for permissionless systems is whether or not a blockchain is a blockchain if it is neither proof-of-work-based or proof-of-stake-based (“Cow system” in Bram Cohen’s terminology).  But that’s a topic for another post.

The present

About two weeks ago, /r/bitcoin learned that Bitcoin was not the creator of all this fundamental technology.  That indeed, there were over 30 years of academic corpus that cumulatively created the system we now call “a blockchain,” in this case, Nakamoto consensus.  And this has spawned a sundry of other experiments and projects that have since been kickstarted.

For example:

  • CoinMarketCap currently tracks 592 cryptocurrencies / 59 assets
  • CoinGecko tracks 225 cryptocurrencies/assets
  • Ray Dillinger’s “Necronomicon” includes over 100 dead altcoins
  • Map of Coins is currently tracking 686 derivatives of various cryptocurrencies; this includes all hashing functions (e.g., scrypt, X11, X13) and includes existing and defunct chains
  • These are just publicly known blockchains and there are likely dozens if not hundreds of private trials, proof of concepts in academia, institutions and from hobbyists (e.g., Citibank announced in July 2015 that it was testing out three blockchains with a “Citicoin” to better understand use-cases)

So it appears that there are more than one in the wild.

Yet, a couple weeks ago Fred Wilson wrote that:

If you think of the blockchain as an open source, peer to peer, massively distributed database, then it makes sense for the transaction processing infrastructure for it to evolve from individuals to large global corporations. Some of these miners will be dedicated for profit miners and some of them will be corporations who are mining to insure the integrity of the network and the systems they rely on that are running on it. Banks and brokerage firms are the obvious first movers in the second category.

He later clarified in the comments and means the Bitcoin blockchain, not others.

One quibble is that transaction processing is not clearly defined relative to hashing.  Today, bitcoin transactions are actually processed by very small, non-powerful computers (even a Raspberry Pi).

What about the pictures with entire rooms filled with computers?  Why does it cost so much to run a hashing farm then?

Because of the actual workhorse of the network: ASICs designed to generate proofs-of-work.  These hashing systems do not do any transaction processing, in fact, they cannot even run a Bitcoin client on them.3

Tangentially William Mougayar, investor and author, stated the following in the AVC thread:

Only trick is that mining is not cheap initially, and the majority is done in China. It presents an interesting energy challenge: you need lots of electricity to run the computers, but also to keep them cool. So, if you’re using solar you still need to cool them. And if you put them in cool climates like near the north pole, there is no solar. Someone needs to solve that equation.

Mining cannot be made “cheaper” otherwise the network becomes cheaper to attack.

In fact, as Bram Cohen mentioned last week, “energy efficient” proofs-of-works is a contradiction in terms.

Thus, there is no “equation to solve.”  In the long run, miners will bid up the marginal costs to which they equal the marginal value (MC=MV) of a bitcoin in the long run.  We see this empirically, there is no free lunch.  If hashing chips somehow became 50% more efficient, hashing farms just add 50% more of them — this ratcheting effect is called the Red Queen effect and this historically happens in a private seigniorage system just as it does in proof-of-work cryptocurrencies.4

organ proportionalismAs shown in the chart above, hashrate follows price; the amount of resources expended (for proof-of-work) is directly proportional to market value of a POW token.

Furthermore, in terms of Wilson’s prediction that banks will begin mining: what benefit do banks have for participating in the mining process?  If they own bitcoins, perhaps it “gives them a seat at the table.”  But if they do not own any, it provides no utility for them.

Why?  What problem does mining solve for organizations such as banks?  Or to put another way: what utility does proof-of-work provide a bank that knows its customers, staff and transaction processors?5

Permissioned Permissionlessness, BINO-style

One goal and innovation for Bitcoin was anonymous/pseudonymous consensus which comes with a large requirement through trade-offs: mining costs and block reorganization risk.

To quote Section 1 of the Nakamoto whitepaper regarding the transaction costs of the current method of moving value and conducting commerce:

These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party


  • Bitcoin was designed with anonymous consensus to resist censorship by governments and other trusted third parties.
  • If you are running a ledger between known parties who abide by government regulations, there is no reason to pay that censorship-resistance cost.  Full stop.

Today several startups and VC funds have (un)intentionally turned an expensive permissionless system into a hydra, a gated permissioned network without the full benefits of either.  Consequently, through this mutation, some of these entities have also turned a bearer asset into a registered asset with the full costs of both.

For instance, it is currently not possible to build a censorship-resistant cash system on top of a permissioned ledger (due to the KYC requirements) yet this is basically what has attempted with many venture funded wallets such as Coinbase.

The end result: Bitcoin in name only (BINO).  In which a permissionless network is (attempted to be) turned into a permissioned network.  It bears mentioning that companies such as Peernova and Blockstack are not trying to compete with Bitcoin — they are not trying to build censorship-resistant cash.

While financial institutions can indeed download a client and send tokens around, Bitcoin was purposefully designed not to interface with financial intermediaries as it was modeled on the assumption that no one can be trusted and that parties within the network are unknown.  Therefore if parties transacting on the network are both known and trusted, then there probably is no reason to use Bitcoin-based proof-of-work.  Instead, there are other ways to secure transactions on a shared, replicated ledger.

Ask the experts

I reached out to several experts unaffiliated with Bitcoin itself to find out what the characteristics of a blockchain were in their view.

Ian Grigg has spent twenty years working in the cryptocurrency field and is the author of the Financial Cryptography blog as well as the Ricardian Contract and most recently the “Nakamoto signature.”  Below are his thoughts:

As far as *history* is concerned, it looks like just about every individual component of Bitcoin was theorised before 2009.  The last thing that I’d thought was new was the notion of a shared open repository of transactions, but it seems Eric Hughes actually proposed it in the 1990s.  And of course Todd Boyle was banging the triple entry drum in the late 1990s.

Bitcoin has no monopoly on any term except bitcoin and BTC as far as I can see. The big question is really between permissioned and permissionless ledger designs.

If you go for a permissioned ledger, then you can do some more analysis and also reduce the need for the consensus signing to be complicated. At the base level, just one signatory might be enough, or some M of N scheme. But we don’t need the full nuclear PoW-enfused Nakamoto Signature.

But also, the same analysis says we don’t need a block. What’s a block? It’s a batch of transactions that the ‘center’ works on to make them so. But if we’ve got permissioned access, and we’ve reduced the signing to some well-defined set, why not go for RTGS and then we haven’t got a block.

The block in the blockchain exists because of the demands of the networking problem – with a network of N people all arguing over multiple documents, we know it can’t be done in less than a second for a small group and less than 10 seconds for a large group. So to get the scaling up, we *have to make a block* or batch of *many* transactions so we can fit the consensus algorithm over enough tx to make it worthwhile.

Therefore the block, the Nakamoto Signature, PoW and the incentive structure all go together. That’s the blockchain.

Zaki Manian, co-founder of SKUChain and all around Bay-area crypto guru:

Cryptography is interesting right now because the primitives have matured and pre-cryptographic systems are becoming less and less robust.

Commitment schemes are widely used in cryptography. Nakamoto signatures (if Adam Back wants to concede the naming rights) are the thermodynamic commitment to a set of values. A conventional signature in attributable commitment.

A cryptocurrency is an application of a ledger. A distributed ledger needs to syndicate the order of stored transaction. There is a lot of value to syndicating and independently validating the commitments to interested parties. Generalized Byzantine Agreement, n-of-m signatures and transaction syndication decrease the discretion in the operating of systems. Ultimately, discretion is a source of fragility. I think Ian’s reference to RTGS is somewhat disingenuous. Systems with a closed set of interacting parties aren’t particularly helpful. Open participation systems are fundamentally different.

There don’t seem to be any settle lines between the properties of permissioned and permission-less systems. We have both and time will tell.

Pavel Kravchenko, formerly chief cryptographer at Stellar, now chief cryptographer at Tembusu Systems:

I’ve seen the discussion, it seems rather political and emotional. Since the term blockchain is not clearly defined people tend to argue. To make everything clear I would start from security model – who is the adversary, what security assumptions we are making, what is the cost of a particular attack etc. For now (still very early days of crypto-finane) using blockchain as a common word for such variety of conditions is acceptable for me.

Vlad Zamfir, who has helped spearhead the cryptoeconomics field alongside others at Ethereum (such as Vitalik).  In his view:

“Blockchains” are a class of consensus protocols (hence why I like to pedantically refer to them as blockchain-based consensus protocols).  They are not necessarily ledgers, although blocks always do contain ordered logs.

These logs need not be transactions – although we can call them transactions if we want, and so you can call it a ledger if you want – it’s just misleading.

Blockchains are characterized by the fact that they have a fork-choice rule – that they choose between competing histories of events.

Traditional consensus protocols don’t do this, so they don’t need to chain their blocks – for them numbering is sufficient.

Economic consensus protocols contain a ledger in their consensus state, in which digital assets are defined – assets who are used to make byzantine faults expensive.

It is much less misleading to refer to this class of protocols as ledgers, than to blockchains generally speaking – although it is still misleading.

You can make an economic consensus protocol that lets people play chess. It would have a ledger, but it wouldn’t be fair to call it a distributed ledger – it’s a distributed chess server.

Economic consensus allows for public consensus, which acts as a (crappy) public computer.

Public consensus protocols have no “permissioned” management of the computers that make up this crappy public computer.

Non-public consensus protocols have “permissioned” management of these computers.

I think the main thing that is consistently lacking from these discussions is the fact that you can have permissioned control of the state of a public consensus protocol without “permissioning” the validator set.

Robert Sams, co-founder of Clearmatics who has done a lot of the intellectual heavy lifting on the “permissioned ledger” world (I believe he first coined the term in public), thinks that:

If I were to guess, I’d say that the block chain design will eventually yield to a different structure (eg tree chains). It’s the chaining that’s key, not the particular object of consensus (although how the former works is parasitic on the latter).

I think Szabo’s use of “block chain” rather than “blockchain” is more than a question of style. Out of habit I still merge adjective and noun like most people, but it’s misleading and discourages people from thinking about it analytically.

I tell you though, the one expression that really gets on my nerves is “the blockchain” used in contexts like “the blockchain can solve problem X”. Compound the confusion with the definite article. As if there’s only one (like “the internet”). And even when the context assumes a specific protocol, “the” subconsciously draws attention away from the attacker’s fork, disagreements over protocol changes and hard forks.

Anyway this debate with people talking up their Bitcoin book and treating innovation outside its “ecosystem” as apostasy is tiresome and idle.

Christopher Allen, who has had a storied career in this space including co-authoring the TLS standard:

I certainly was an early banner waiver — I did some consulting work with Xanadu, and later for very early Digicash. At various points in the growth of SSL both First Virtual and PGP tried to acquire my company. When I saw Nick’s “First Monday” article the day it came out, as it immediately clicked a number of different puzzle pieces that I’d not quite put together into one place. I immediately started using the term smart contracts and was telling my investors, and later Certicom, that this is what we really should be doing (maybe because I was getting tired of battles in SSL/TLS standards when that wasn’t what Consensus Development had been really founded to solve).

However, in the end, I don’t think any thing I did actually went anywhere, either technically or as a business, other than maybe getting some other technologists interested. So in the end I’m more of a witness to the birth of these technologies than a creator.

History in this area is distorted by software patents — there are a number of innovative approaches that would be scrapped because of awareness of litigious patent holders. I distinctly remember when I first heard about some innovative hash chain ideas that a number of us wanted to use hash trees with it, but we couldn’t figure out how to avoid the 1979 Merkle Hash Tree patent whose base patent wouldn’t expire until ’96, as well as some other subsidiary hash tree and time stamp patents that wouldn’t expire until early 2000s.

As I recall, at the time were we all trying to inspired solve the micropayment problem. Digicash had used cryptography for larger-sized cash transactions, whereas First Virtual, Cybercash and others were focused on securing the ledger side and needed larger transaction fees and thus larger amounts of money to function. To scale down we were all looking at hash chain ideas from Lamport’s S/KEY from the late 80’s and distributed transactional ledgers from X/Open’s DTP from the early 90s as inspirations. DEC introduced Millicent during this period, and I distinctly remember people saying “this will not work, it requires consumers to hold keys in a electronic wallet”. On the cryptographic hash side of this problem Adam Back did Hashcash, Rivest and his crew introduced PayWord and Micromint. On the transaction side CMU introduced NetBill.

Nick Szabo wrote using hashes for post-unforgeable transaction logs in his original smart contract paper in ’97, in which he referred to Surety’s work (and they held the Merkle hash tree and other time signature patents), but in that original paper he did not look at Proof of Work at all. It was another year before he, Wei Dai, and Hal Finney started talking about using proof-of-work as a possible foundational element for smart contracts. I remember some discussions over beer in Palo Alto circa ’99 with Nick after I became CTO of Certicom about creating dedicated proof-of-work secure hardware that would create tokens that could be used as an underlying basis for his smart contract ideas. This was interesting to Certicom as we had very good connections into cryptographic hardware industry, and I recommended that we should hire him. Nick eventually joined Certicom, but by that point they had cancelled my advanced cryptography group to raise profits in order to go public in the US (causing me to resign), and then later ceased all work in that area when the markets fell in 2001.

I truly believe that would could have had cryptographic smart contracts by ’04 if Certicom had not focused on short-profits (see Solution #3 at bottom of this post for my thoughts back in 2004 after a 3-year non-compete and NDA)…

What is required, I believe, is a major paradigm shift. We need to leave the whole business of fear behind and instead embrace a new model: using cryptography to enable business rather than to prevent harm. We need to add value by making it possible to do profitable business in ways that are impossible today. There are, fortunately, many cryptographic opportunities, if we only consider them.

Cryptography can be used to make business processes faster and more efficient. With tools derived from cryptography, executives can delegate more efficiently and introduce better checks and balances. They can implement improved decision systems. Entrepreneurs can create improved auction systems. Nick Szabo is one of the few developers who has really investigated this area, through his work on Smart Contracts. He has suggested ways to create digital bearer certificates, and has contemplated some interesting secure auctioning techniques and even digital liens. Expanding upon his possibilities we can view the ultimate Smart Contract as a sort of Smart Property. Why not form a corporation on the fly with digital stock certificates, allow it to engage in its creative work, then pay out its investors and workers and dissolve? With new security paradigms, this is all possible.

When I first heard about Bitcoin, I saw it as having clearly two different parts. First was a mix of old ideas about unforgeable transaction logs using hash trees combined into blocks connected by hash chains. This clearly is the “blockchain”. But in order for this blockchain to function, it needed timestamping, for which fortunately all the patents had expired. The second essential part of Bitcoin was through a proof-of-work system to timestamp the blocks, which clearly was based on Back’s HashCash rather than the way transactions were timestamped in Szabo’s BitGold implementation. I have to admit, when I first saw it I didn’t really see much in Bitcoin that was innovative — but did appreciate how it combined a number of older ideas into one place. I did not predict its success, but thought it was an interesting experiment and that might lead to a more elegant solution. (BTW, IMHO Bitcoin became successful more because of how it leveraged cypherpunk memes and their incentives to participate in order to bootstrap the ecosystem rather than because of any particularly elegant or orginal cryptographic ideas).

In my head, Bitcoin consists of blocks of cryptographic transactional ledgers chained together, plus one particular approach to time-stamping this block chain that uses proof-of-work method of consensus. I’ve always thought of blockchain and mining as separate innovations.

To support this separation for your article, I have one more quote to offer you from Nick Szabo:

Instead of my automated market to account for the fact that the difficulty of puzzles can often radically change based on hardware improvements and cryptographic breakthroughs (i.e. discovering algorithms that can solve proofs-of-work faster), and the unpredictability of demand, Nakamoto designed a Byzantine-agreed algorithm adjusting the difficulty of puzzles. I can’t decide whether this aspect of Bitcoin is more feature or more bug, but it does make it simpler.

As to your question of when the community first started using the word consensus, I am not sure. The cryptographic company I founded in 1988 that eventually created the reference implementation of SSL 3.0 and offered the first TLS 1.0 toolkits was named “Consensus Development” so my memory is distorted. To me, the essential problem has always been how to solve consensus. I may have first read it about it in “The Ecology of Computation” published in 1988 which predicted many distributed computational approaches that are only becoming possible today, which mentions among other things such concepts as Distributed Scheduling Protocols, Byzantine Fault-Tolerance, Computational Auctions, etc. But I also heard it from various science fiction books of the period, so that is why I named my company after it.

The future

What about tokens?

Virtual tokens may only be required for permissionless ledgers – where validators are unknown and untrusted – in order to prevent spam and incentivize the creation of proofs-of-work.  In contrast, if parties are known and trusted – such as a permissioned ledger – there are other historically different mechanisms (e.g., contracts, legal accountability) to secure a network without the use of a virtual token. 6

Is everything still too early or lack an actual sustainable use-case?

Maybe not.  It may be the case, as Richard Brown recently pointed out, that for financial institutions looking to use shared, replicated ledgers, utility could be derived from mundane areas, such as balance sheets.  And you don’t necessarily need a Tom Sawyer botnet to protect that.

What attracts or repels use-cases then?

  • Folk law: “Anything that needs censorship-resistance will gravitate towards censorship-resistant systems.”
  • Sams’ law: “Anything that doesn’t need censorship-resistance will gravitate towards non censorship-resistant systems.”

Many financial institutions (which is just one group looking at shared, replicated ledgers) are currently focused on: fulfilling compliance requirements, reducing cost centers, downscaling branching and implementing digital channels.  None of this requires censorship-resistance.  Obviously there are many other types of organizations looking at this technology from other angles and perhaps they do indeed find censorship-resistance of use.

In conclusion, as copiously noted above, blockchains are a wider technology than just the type employed by Bitcoin and includes permissioned ledgers.  It bears mentioning that “permissioned” validators are not really a new idea either: four years ago Ben Laurie independently called them “mintettes” and Sarah Meiklejohn discussed them in her new paper as well.


  1. See The financial cloud from Adam Ludwin []
  2. Thanks to Christopher Allen for pointing this out. []
  3. See The myth of a cheaper Bitcoin network: a note about transaction processing, currency conversion and Bitcoinland []
  4. See Bitcoins: Made in China []
  5. Why would banks want to use a communal ledger, validated by pseudonomyous pools whom are not privy to a terms of service or contractual obligation with? See Needing a token to operate a distributed ledger is a red herring and No, Bitcoin is not the future of securities settlement []
  6. See also Needing a token to operate a distributed ledger is a red herring and Consensus-as-a-service []
Send to Kindle

Panel with financial service professionals involved with baking shared, replicated ledgers into organizations

The last part of the PwC discussion 10 days ago involved a panel with myself moderating, Peter Shiau (COO of Blockstack) and Raja Ramachandran (co-founder of eFXPath and an advisor at R3CEV).  Robert Schwentker (from Blockchain University) also helped provide a number of questions for us.

We cover a number of topics including use-cases of distributed ledgers for financial institutions.

Send to Kindle

Q&A regarding the Distributed Ledger Landscape

About 10 days ago I had the pleasure of speaking at Blockchain University (hosted over at PwC) regarding distributed ledgers (permissioned and permissionless).  One of the slides was intentionally taken out of context by a user on reddit and unsurprisingly the subsequent /r/bitcoin thread covering it involved a range of ad hominem attacks that really missed what was being discussed at the actual talk: what are the characteristics of a blockchain.

I will likely write a post on this topic at length in the next couple of days.  In the meantime, below is the video which incidentally pre-emptively answered a few of the questions from that thread.

Also, for those curious to know who were asking the good questions in the audience, this included: Jeremy Drane (PwC), Christopher Allen (co-creator of the TLS standard) and Nick Tomaino (Coinbase) among others.

Send to Kindle

Bram Cohen: “Removing the Waste from Cryptocurrencies: Challenges and More Challenges”

Bram Cohen, the creator of BitTorrent, has opined on Bitcoin over the years on social media (such as Twitter).  Over the last couple of weeks he has been increasingly vocal on some hurdles such as the increase in block sizes (via a hard fork) and the dangers of accepting and institutionalizing zero-confirmation transactions.

Last week he gave a presentation at the SF Bitcoin Dev meetup in which he covered a variety of alternatives to proof-of-work such as proof-of-steak (which he dubs “Cow systems”).

Send to Kindle