Self-doxxing, dynamic block making and re-decentralization of mining

Posted on April 28, 2016 by Tim Swanson

There are currently two popular interrelated narratives on social media surrounding participation of the block making process on a public blockchain. The stories are most pronounced within the Bitcoin community but are also reused by Litecoin, Ethereum and other cryptocurrencies too.

This includes the unchallenged statements that:

(1) anyone can still participate in block making, it is ungated and “permissionless”

(2) following a reward halving (“halvening”), networks become more decentralized because large, centralized farms and actors split apart due to economic pressures

This post looks at both of these and show that in practice neither is really true as of April 2016.

Named block makers

A year ago I reflected on some of the debate surrounding permissioned and permissionless blockchains. Part of that post involved looking at how the mining market actually evolved in practice; not just based on the generalized claims made by enthusiasts at conferences.

For instance, based on block height below is a list of the first time a pool self-doxxed and signed a coinbase transaction, courtesy of Organ of Corti. Only the first 50 are chronologically included:

Pool name	Block height	Date
Eligius	130635	14-Jun-11
BitMinter	152246	7-Nov-11
BTC Guild	152700	10-Nov-11
Nmcbit.com	153343	15-Nov-11
YourBTC	154967	27-Nov-11
simplecoin.us	158291	20-Dec-11
Ass Penny Pool	161432	10-Jan-12
btcserv.net	163672	25-Jan-12
Slush	163970	27-Jan-12
BitLC	166462	12-Feb-12
pool.mkalinin.ru	170937	13-Mar-12
Bitclockers	173863	1-Apr-12
MaxBTC	174819	9-Apr-12
Triplemining	175144	11-Apr-12
CoinLab	180947	21-May-12
wizkid057	184148	12-Jun-12
Generated by General	194247	17-Aug-12
HHTT	197602	7-Sep-12
Ozcoin	207017	8-Nov-12
EclipseMC	208419	18-Nov-12
MTRed	219115	2-Feb-13
50BTC.com	219933	7-Feb-13
Bitparking	226272	17-Mar-13
Discus Fish	236494	17-May-13
ASICMiner	237050	20-May-13
ST Mining Corp	238456	29-May-13
Satoshi Systems	245445	8-Jul-13
GHash.IO	250205	5-Aug-13
175btc.com	253884	24-Aug-13
For Pierce and Paul	259214	21-Sep-13
Alydian5335	261051	1-Oct-13
Megabigpower	261530	4-Oct-13
GIVE-ME-COINS	267919	4-Nov-13
Polmine	282943	29-Jan-14
KoiSystems	285715	14-Feb-14
AntPool	286681	19-Feb-14
MMPool	294747	8-Apr-14
KNC Miner	300700	14-May-14
Bitfinex pool	306406	18-Jun-14
BitAffNet	309657	8-Jul-14
Bitfury	311333	18-Jul-14
Hashmine.io	313882	4-Aug-14
Solo.ckpool	319980	10-Sep-14
Kano.is	325306	14-Oct-14
BTCChina Pool	327211	27-Oct-14
Tangpool	339210	16-Jan-15
For Pyra	339547	19-Jan-15
BW Pool	341167	30-Jan-15
Huobi	341760	3-Feb-15
Dot pool	342104	6-Feb-15

Recall that even though it didn’t initially sign coinbase transactions, Slush began publicly operating at the end of November 2010. Eligius was announced on April 27, 2011. DeepBit publicly launched on February 26, 2011 and at one point was the most popular pool, reaching for a short period in July 2011, more than 50% of the network hashrate.

While many enthusiasts claim that “anyone can mine,” in practice, very few choose to for a number of reasons that will be discussed below.

But more to the point, the reason cryptocurrencies allegedly have a “permissionless” characteristic in the first place has to do exclusively with the fact that there is no administrative gating or vetting process for allowing actors on the network to participate in the block making process. In 2009 there was no whitelist, blacklist, KYC or KYM (know your miner) process.

That is to say, those wanting to create a block did not need permission from a network administrator.1 That is the sole context of the term “permissionless.”

It is not related to developing other platforms that plug into the network. It is not related to whether the network codebase is open source or not. It is not related to being able to build software products that somehow utilize the network. It is not related to being able to view or not view transactions.

Yet due to how the market evolved, today in 2016 while everyone is still paying for the high marginal costs to maintain a network designed for pseudonymous and anonymous interaction, few participants, specifically block makers, are actually capitalizing off of that utility.

For instance:

(1) Acquiring the necessary hardware to become a profitable miner invariably leaves a paper trail. If instead you acquire the hardware on the second-hand market — in order to remain anonymous — you will still likely leave a paper trail with your legal identity in order to pay for the large energy bill and property taxes. This is one of the reasons why miners in locations such as China do not publicize their fundraising activities or annual revenue: they don’t want to leave a paper trail to pay any extra taxes.2

(2) The other main mechanism for vetting miners now is through the use of data science itself. Roughly 10 companies globally provide law enforcement, compliance teams and regulators access to relatively robust analytics tools to track provenance of bitcoins (or other cryptocurrencies) back to coin generation itself. And in order to sell these mined bitcoins (e.g., to pay for the electricity and the mining hardware), nearly every bitcoin conversion to fiat marketplace now requires some compliance of local KYC and AML regulations.

While there are workarounds such as LocalBitcoins and SharedCoin, generally speaking the pseudonymous network itself in 2016 has largely become doxxed. Yet the high costs of maintaining pseudonymity, via proof-of-work, still remain.

Hashrate distribution

Source: Blockchain.info

Above is a pie chart that estimates the hashrate distribution among mining pools over the past 4 days (as of late April 2016). The 10 largest pools collectively made 97% of the blocks during that time period.3

What about beyond 4 days?

Source: Blocktrail

Above is the pool distribution of the past year based on coinbase data aggregated by Blocktrail.

The 10 largest pools collectively account for roughly 91.6% of all block making activity. There is also a relatively long tail that includes roughly another 60 entities (some of whom do sign coinbase transactions) that represent the remaining 8.4% of all block making the past year.

Why do any actors sign transactions at all, after all, isn’t a core characteristic of a public blockchain pseudonymous consensus? To my knowledge, no one has formally published a thorough explanation for the reasons why. But one repeated rationale is that pools do so in order to prove to the miners (hashers) connected to the pool what the provenance of the block reward income is.

What does that mean?

For those who have never partaken in the mining process before, a quick history lesson: within the first two years of Bitcoin’s existence a division of labor arose in which block making became separated from hashing itself (e.g., generating proofs-of-work).

That is to say, the security of network security was outsourced to entities who create proofs-of-work and who are colloquially referred to as miners.4 Miners, in return for steady payouts of income, send their work to a pool operator who subsequently batches transactions together into blocks and pays workers based on a pre-arranged agreement (usually proportional, share-based).5

Today, if average Joe buys ASIC mining equipment, he typically does not connect them to his own pool but instead connects them to a pool run by Bob the devops professional.6 And how can Joe trust Bob not to shave off pennies from each share of work that Joe submits?

Block signing in theory provides some semblance of transparency: letting the hashers know if pool operators are skimming off the proceeds by not accurately reporting blocks found (e.g., income).

For instance, if a pool operator makes a block based off of the proof-of-work submitted by one of the hashers connected to a pool, such as Joe, but does not sign the coinbase, the pool operator can try to pretend that it didn’t win the block reward in the first place and therefore would not have to pay the workers (hashers). This was allegedly more commonplace prior to 2013, before the advent of VC financed farms and pools.7 Now many of the medium and large hashing farm operators want to know the exact revenue number and hear good reasons for why some is missing or if the pool was just “unlucky.”8

Why doesn’t everyone become a block maker, after all, the process is billed as being “open” to all?

There are multiple reasons why, but the most important reason boils down to economics. Dave Hudson has written about 10 different articles on the baked-in variance (inhomogenous Poisson process) that motivates individuals to continually pool their mining effort versus solo mine.9 Spoiler alert: you are likely to be struck by lightning before you will ever create a block and reap a block reward by solo mining off of your laptop at home.

Other reasons for why few decide to become block-makers include: the added costs of providing DOS protection to your pool and the need to hire competent staff that can prevent and be on the lookout for problems like BGP hijacking which results in lost revenue.

This has not changed for multiple years and will likely not change for reasons discussed below.

Non-existent re-decentralization

With the upcoming Bitcoin block reward halving that is expected to take place in mid-July, there is a growing chorus of ‘hope’ that it will somehow lead to fewer large mining farms and pools.

This probably won’t occur for several simple reasons, namely due to economic incentives.

Recall that the major reasons why mining activity itself has gravitated to locations such as China isn’t due to conspiracy theories involving lizards but instead ancillary costs.

Specifically the following factors:

relatively low labor costs (e.g., professional hashing facilities need to be maintained by a workforce 24 x 7 and wages in China are lower than Russia and the US for this activity)
relatively low property costs (e.g., if you have good guanxi, you can utilize and own land at rates below those found in parts of Russia and the US)
lower energy costs; I and others have frequently written about this10
first-to-market with hardware; because a lot of the final assembly of hashing equipment takes place in southern China, in terms of logistics and transportation end-users have a lead-time advantage over other geographical regions
close personal connections with hardware manufacturers and fabrication plants in China and Taiwan; acquiring hardware for mining cryptocurrencies is just as relationship driven as other specialized non-commoditized industries. Because medium and large miners know who the chip design teams are and what the ASIC roadmaps will be, they can stand in line at the front and acquire hardware before others.

What will happen after a block reward halving?

Just as oil producers with the highest marginal costs have been forced to exit the fracking market over the past couple of years, Bitcoin miners with the thinnest margins will likely exit the market immediately.

What this actually results in, at least the short run, is a more concentrated group of larger hashing farms and pools.

Why?

Because miners as a whole are effectively being given a 50% pay cut to provide the same utility as before. And ceteris paribus, if Alice doesn’t currently have thick 50% margins, then she will likely exit the market.

In contrast, some of the most profitable miners in China and Republic of Georgia are now operating — even with the large difficulty rise over the past 6 months — with 50+% margins. They may be squeezed, but they do not have to exit the market.

Basically, the less efficient players will be squeezed out and the more efficient players will remain. Who is likely be be more efficient? Larger farms in cheaper locations, or smaller pools made up of less sophisticated players with less capital?

But if the price of cryptocurrencies rise — in this case bitcoins — then won’t former miners come back into the market?

Maybe, but recall, we have seen this song and dance before and it is likely that the block reward halving is already factored into both the current market price and the hardware replacement cycle and as a result there probably will not be a doubling of the market price of bitcoins. However, that is a topic for a different post.

Other public blockchains

What do mining pool distributions look like for other cryptocurrencies?

Source: Litecoinpool.org

Above is the distribution of mining pools for Litecoin over the past day. Interestingly, Coinotron — a pool I used when mining 3 years ago — currently represents 2.8% of the block making during that time frame. Two years ago, in May 2014, it represented about 50%.

In August 2015, Litecoin underwent its first block reward halving. Contrary to popular belief, its market price did not double. In fact, nine months later the price of a litecoin measured in USD is just fifty cents higher than what it was pre-halving.11

Source: Etherchain

Above is the distribution of mining pools for Ethereum over the past day.

Interestingly Ethereum formally launched in August 2015 and has seen the same consistent pattern of 3-4 pools representing the majority of block making activity as other cryptocurrencies have witnessed.

In fact, Dwarfpool, despite its name, has flirted with the 50% threshold several times, most notably in March. The Ethereum development team plans to transition the network from proof-of-work to proof-of-stake (Casper) later this year; it is unclear if the “staking” process will result in similar centralization.

Other cryptocurrencies continue to face similar pool centralization. This includes Namecoin which last year saw one pool, F2Pool provide more than 50% of the network hashrate for multiple months. While it does not appear that F2Pool behaved maliciously, the fact that one block maker could potentially rewrite history by doing block reorgs motivated Onename to migrate away from Namecoin.

China

It is surprising that with the 60%+ hashrate located in China that there is scant detail in English about how that ecosystem works. But there are reasons for this.

Recall that based on the current 25 BTC block reward, roughly $450 million in mining rewards has been divvied out over the past year to miners. On paper that would mean that China-based miners received more than $270 million in revenue, which cements this industry as one of two that continually see large annual revenue flows (the second being exchanges themselves).

I contacted a mining operator in China that currently operates about 40 petahashes per second in equipment. Note: miners use the abbreviated term ‘P’ and ‘PH’ to denote petahashes per second.

According to him:

“Our public hashing number is based on all our own hardware. This includes two facilities in western Sichuan plus a new Xinjiang site. All of these machines were originally S3’s from Bitmain but we have replaced them with S7’s. We want to build larger operations than what we have today, but our goal is to maintain a specific percentage of the entire network.”

“Remember our electric rates changes from season to season: different time of year and that hydro power has problems in the winter because of less melt water which results in an energy price that is twice as the rate in the summer.”

“The land is basically free because it is in the mountains and no one is interested in buying property there. So all it takes is construction materials and labor. We hired 10 people last year. We intentionally hired more than we needed so we can build a team and send them places. Our front end operation probably only needs 4-5 people and we pay them $1,000 a month which is actually very competitive for that region.”

“We know a Chinese guy, Mr. LY. He lives in Sichuan and was originally a hydroelectric operator but now owns his own hydro power station. He learned he could make more money mining than just running the station.”

“Why are people like us able to be competitive? In Yunnan, Guizhou and Sichuan there was an overinvestment in hydropower last decade and now there is a surplus of electricity.12 Dam operators couldn’t sell the electricity generated so that’s where Bitcoin miners moved to. Also, in Liaoning, some people can free electricity because of the proximity to oil fields – they are given cheap electricity to local residents as compensation for confiscated land/polluting the environment — it is subsidized electricity.”

“No one really pays taxes because miners don’t generate something considered valuable. That’s to say from the perspective of taxpayer, miners don’t generate something of value, because the government doesn’t really recognize bitcoin. Bitcoin mining isn’t illegal, we still pay a small amount of taxes but it’s like running a company that doesn’t make money. Instead a miner just pays a small amount of taxes and all the profit is invisible to the law as it stands today.”

I also reached out to another mining operator based in southern China who explained that in practice, mining farms that produce 1 PH or more are usually not based in cities:

“Most of the time they are not in cities, more like in the middle of nowhere and it would be inaccurate to name towns.”

Instead he listed provinces where they are spread out including: Heilongjiang,Liaoning, Hebei, Sichuan, Tianjin, Anhui, Jiangsu, Ghuizhou, Inner Mongolia, Shanxi, Guangdong. “Shenzhen for sure, there are testing facilities that are easily over 1P.”

What about ‘subprovincial’ locations?

“It is inaccurate to present information that way. A lot of the time, the sites are between borders because it’s in the middle of nowhere. And it normally spreads over lots of sites. One place has nearly 200 sites crossing two provinces; a lot of small ones representing about 100KW of power each. They are spread over several hundred kilometers; no economy of scale after a certain point.”

No service-level agreements

This type of self-doxxing, quasi-dynamic environment has led to another interesting phenomenon: ad hoc customer service via social media.

For example, two days ago, a user sent approximately 291.2409 bitcoins as a mining “fee.”13 A small pool called BitClub Network built the block that included this fee. This fee is equivalent to about $136,000.

The community as a whole then began a crowdsourced investigation into who may have sent this fee and the motivations for doing so, with many believing it to be a mistake. After all they reasoned, a typical “fee” that most mining pools require in order to be included in the next block is usually less than 25 cents on most days.

A user affiliated with BitClub has since publicly stated it would like to return the fee to the original entity that sent it, though it is unclear if he is speaking with any authority or if the whole thing was a ruse to begin with.

But, as I have argued before, this not only sets a bad precedent for miners as a whole due to a loss of revenue from the forthcoming ‘halvening,’ but the ability to contact a block maker sets a dangerous precedent for the core utility of the network: the disappearance of pseudonymous consensus.

Or as one redditor adroitly pointed out:

Comment
byu/theonevortex from discussion
inBitcoin

Or in other words, if block making was actually pseudoymous and decentralized, with 100+ unidentified pools creating blocks each day, it would be difficult if not impossible to locate and provide timely customer service to a user who made a mistake.

For instance, the most well-known block reorg occurred in March 2013 and it was only resolved when miners, including Slush and BTCGuild, contacted and coordinated with one another via IRC. If the network was more decentralized and pseudonymous, this coordination would have been very difficult to do, and this was by design.

I pointed out this irony on Twitter earlier this week as well: that there are trade-offs with this approach and the downside of using a bearer asset-based system that had no service level agreement, no EULA, no terms of service results in a world in which users who make mistakes have to complain on social media and hope someone is charitable.

And this happens on a regular basis: earlier this month a user accidentally sent 13.65 bitcoins to the BTCC pool and used reddit as his customer service forum.

That type of friction is not what most consumers want.14 It is a poor user experience which has gradually led to the creation of ‘trusted’ intermediaries in this ecosystem which as described in previous posts, recreates the existing financial system but without the same level of oversight and financial controls.

The cryptocurrency community is learning the hard way why intermediaries exist, why SLAs exist, why legal identities are required for financial transactions, why consumer protection laws arose and so forth. Pointing out these patterns is not malice or due to a lack of understanding of how cryptocurrencies work, but rather it serves as illustrations for why it has been hard to find real sustainable traction in the space.

How else is this visualized?

Source: Jameson Lopp

This past December an event was held in Hong Kong called “Scaling Bitcoin.”

One of the sessions involved a panel comprised of the world’s largest mining farm and pool operators.

The individuals in the photo above allegedly represent about 90% of the network hashrate.

Thus, for all the hype around “trust anchors” tied into public blockchains such as Bitcoin, claims of decentralization and “trust-lessness” are empirically untrue.

In practice, due to centralization and identity leakage, the cost to successfully reorganize a block isn’t through a Maginot Line attack (e.g., via hashrate), but through cheaper out-of-band attacks, such as hosting events in which self-doxxed miners participate. But that is also a topic for a different post.

Conclusion

16 months ago, Vitalik Buterin and others jokingly quipped that the trends towards centralization in Bitcoin mining (and other cryptocurrencies) resulted in a world where each coinbase transaction effectively arose from a multisig process.

To quote Buterin: “with Bitcoin, we’re paying $600 million a year on a 5-of-10 multisig.”

10 is roughly the amount of quasi-permanent block makers in a given day. And $600 million was the amount of revenue that miners received at that time due to the higher market value of bitcoin.

In theory, anyone can turn on their computer and hope to become a block maker on a public blockchain — no one has to register with a “Blockchain Admin” because there is no admin. However, in practice it requires a certain amount of technical knowledge and more importantly, capital, to profitably and sustainably operate a mining farm and pool.

And in order to scale this profitably, in practice, most miners at some point reveal their legal identities thereby negating the core characteristic of a public blockchain: pseudonymity. How? Miners, after having erected purpose-built facilities or to liquidate their holdings, may be required by external authorities to go through a gating / vetting process (such as KYC).

Ironically, a substantial increase in cryptocurrency prices may inevitably result in self-doxxing of all major farms. How? As market prices increase, miners in turn expend more capital to increase their own hashrate to chase the seigniorage rents.

Because of the KYC requirements of utilizing resources like electricity at a hydroelectric dam and the subsequent identity leakage, this turns the block making process itself into a mostly known, permissioned activity. Consequently, based on this past history, the term DMMS should probably be qualified with a “quasi” modifier in the front: QDMMS.

Similarly, while many enthusiasts have been led to believe a block reward halving will somehow re-decentralize the mining ecosystem, the fact of the matter is chip performance (as measured in hashrate efficiency) is only one factor in the total calculation that professional miners must account for.15

Furthermore, semiconductor engineering itself is effectively on a known, mature trajectory and which appears to be lacking any significant leaps in technological improvement. The largest entities, such as Intel, see this relatively static path which is one of the reasons why they have formally abandoned their tick-tock roadmap and now plan to lay off 12,000 people.

In contrast, energy prices, land prices, labor costs and taxes are among other major components that professional mining operators look at as a whole and decide whether to stay in a market or not. Even if there is some price increase after the halvening, home mining by amateurs outside of China will likely continue to remain unprofitable after July.

Thus a year from now the mining ecosystem will probably look a lot like it does today, with most farms and pools being self-doxxed and relatively centralized.16

[Special thanks to Antony Lewis for his constructive feedback]

Endnotes

Censorship-resistance is an emergent property that arises from this design. See also: Settlement Risks Involving Public Blockchains [↩]
There are other reasons too including not wanting to divulge any comparative advantage they might have that would incentivize new entrants to come into the market. [↩]
Note: it is believed that some large mining operators, such as Bitfury, may actually spread some of their hashers (workers) across multiple pools, in order to reduce their own pool percentage and thereby reduce the concerns over centralization. This can only be proven with an on-site physical audit. [↩]
There has been research done on non-outsourceable block making. See Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions by Miller et. al. [↩]
Analysis of Bitcoin Pooled Mining Reward Systems by Meni Rosenfeld [↩]
Most of the pools in operation do not require documentation of equipment or legal identification of miners. [↩]
Note: technically speaking nothing is stopping mining pools from signing blocks and in fact, some do it for advertising purposes. [↩]
There is also a term-of-art called “luck” which Organ of Corti and others analyze on a regular basis. [↩]
Incidentally for those wanting access to the block-making superhighway, to reduce orphan rates, there exists a centralized service: Bitcoin Relay Network. [↩]
See also Appendix B and Section 2 [↩]
Note: Dogecoin began to merge mine with Litecoin in September 2014 and in terms of hashrate the two have moved in tandem with one another ever since. [↩]
China’s water hegemony in Asia from Livemint [↩]
Note: a fee implies something that is mandatory. The discussion surrounding what is and is not a fee or how it should be calculated and applied is a contentious topic in the cryptocurrency community. [↩]
Cryptocurrencies are effectively designed ‘for cypherpunks by cypherpunks.’ While caveat emptor may be desirable to certain demographics, others prefer consumer protection which bearer-based systems do not have. [↩]
Note: in terms of efficiency, 28nm chips are usually in the range of 0.25-0.35 watts/(gh/s), while the newer 14nm or 16nm ones are more likely 0.12 watts/(gh/s) or less. [↩]
See also: Permissioned-on-permissionless [↩]

Reading the tea leaves

Posted on April 8, 2016 by Tim Swanson

Three years since the current wave began and $1 billion later, cryptocurrency / public blockchain ecosystem is experiencing such a level of “fast growth” that no one is able to publish any real usage numbers.1

Sarcasm aside, despite copious amounts of news coverage, interviews and conferences, very few VC-backed cryptocurrency-related startups are divulging any non-gamable numbers.

I had hoped to do a regular quarterly update (see previous January post regarding usage numbers) but there just isn’t much public data to go on. In fact, there is less data today than 3 months ago.

For instance, at some point in the past couple of months, Coinbase removed its wallet transaction volume chart from its chart site. This coincides with a public announcement made in February that ‘Coinbase is not a wallet.’ As Brian Armstrong, CEO of Coinbase stated:

Over the next year or so, you’ll see the Coinbase brand shift from being a hybrid wallet/exchange to focusing on purely being a retail and institutional exchange. It will take some time to update, but the transition will happen.

Interestingly, this somewhat conflicts with another statement made in a Forbes piece this past week covering Coinbase and Blockchain.info, stating:

Currently, 80% of Coinbase’s customers buy bitcoin as an investment, and 20% transact with it, though that balance is currently shifting more toward transactions.

Perhaps transaction volume overall is increasing, but if so, why remove the wallet transaction volume chart? Or is it solely related to transaction volume on the exchange?

The same Forbes article also mentioned another specific aggregate number:

“Startups play a pretty integral role in the sense that we represent most of the end. If you look at users of Bitcoin on the network, most of them are represented by one of the major Bitcoin companies,” says Peter Smith, chief executive of Blockchain, adding that five or six companies, including Coinbase and Blockchain, represent about 80% of transaction volume on the network. Numerous startups are also using Bitcoin to enable their users to more easily send remittances, cross-border payments and peer-to-peer payments, as well as make mobile in-app purchases.

Maybe this is true, maybe there are 5 or 6 companies that represent the lionshare of volume on the Bitcoin network itself. If so, we should be able to see that.

This is a simplified, color coded version of a tool that Chainalysis provides to its customers such as compliance teams at exchanges. The thickness of a band accurately represents the volume of that corridor, it is drawn to scale. The names of certain entities are redacted.

The image is based on data for the first quarter of 2016 and is an update to the chart I published in an article back in January.

Based on the chart above, there are in fact 5-6 organizations that represent 80% of the volume; both Coinbase and Blockchain.info are among them (Blockchain.info also operates SharedCoin).

In fact, Chainalysis recently updated their methodology and found that Coinbase transactions represent every 6th or 7th transaction on the Bitcoin blockchain. 2 This specific area of data science is continuously undergoing refinement and should be looked at once again in the coming months.

The same Forbes article says that Coinbase has 3.5 million users and Blockchain.info has 6.5 million wallet holders.

But as we have looked at before, what does that even mean? Few companies publicly define what a user or wallet actually represents. I have looked at this twice in the past:

The bottom line is that “monthly active users” (MAU) — which is one of the standard methods for measuring real growth (and success) of an application, is still largely unreported by any cryptocurrency-related company that has raised a Series A or higher.3

Other public data

Where can we find data that is still be published and could reflect usage numbers of public blockchains?

Source: P2SH.info

As shown above, over the past month, the amount of bitcoins stored using P2SH addresses increased from 9.99% to 11.7%.

A large noticeable pop took place two weeks ago and some speculated that it could be a Liquid-related multi-sig movement.

Source: opreturn.org

OP_RETURN has also seen increased usage. Above is a chart measuring the past 15 months of usage.

As described in Watermarked Tokens, OP_RETURN is an opcode in Bitcoin’s scripting language that is commonly used by colored coin projects.

At the time of this writing, in terms of percentages, the top 5 projects that have used OP_RETURN the most are:

Blockstack: 107254 transactions (28.4%)4
Open Assets: 68069 (18%)5
Monegraph: 51601 (13.7%)6
Factom: 34007 (9%)7
Coinspark: 25223 (6.7%)8

Two of the five are colored coin-specific projects and all five cumulatively account for about 76% of all OP_RETURN usage.

Any other numbers?

Looking at the previous charts from January, the ‘Bitcoin Distribution by Address at Block 400,000‘ looks roughly the same as the distribution at a block height of 390,000.
According to CoinATMRadar, the ‘number of Bitcoin ATMs installed by Bitcoin machine type’ increased from 536 at the beginning of January to 612 at the end of March. This comes to roughly 0.84 ATMs installed per day or a rate slightly higher than the past 2 years (it is on pace for 308.2 installations altogether this year compared with 275 per year for 2014 and 2015).
In terms of market prices, there were some relatively big swings in volatility (about $100 from peak to trough) in the first quarter due in part to the continued block size debate which still remains unresolved.9
And activity on both BitWage and Blockchain.info wallets looks roughly the same as they did in January.

Funding

Some venture funding bounced back from the dearth in Q4 2015.

According to the venture capital aggregation at CoinDesk there was $148 million of publicly announced rounds for both Bitcoin-related and Blockchain-related startups spread among 14 deals in Q1 2016. Though two investments alone (DAH and Blockstream) accounted for more than two-thirds of that funding tranche.

However, the list is probably not complete as two investments into Kraken’s Japanese subsidiary were for undisclosed amounts (first from SBI in January and then by Money Partners Group in March). Similarly, Ripple also received capital from SBI in January (for a reported 3 billion yen or ~$25 million).

In addition, last week, CB Insights (a venture tracking firm) held a webinar that covered the “Bitcoin / Blockchain” ecosystem (deck) (recording).

While providing a good general overview, I think it lacks a number of recent developments in the overall “Blockchain” capital markets world.10

For instance, Tradeblock recently launched Axoni (a private / permissioned blockchain) and Peernova isn’t really a “Blockchain” company now. 11 The webinar is a little outdated on the cryptocurrency side of things too. For example, Mirror is completely out of the ecosystem altogether, 21inc is basically a software company at this point, Buttercoin is bankrupt and Blockscore shouldn’t be included in either bucket.

Any other charts?

Source: Blockscan

I would be remiss to not include Counterparty, a platform has effectively plateaued (see image above) and has now been eclipsed by Ethereum based on multiple measurements including transaction growth (which actually may be eventually be gamed via “long chains” just like some Bitcoin transactions are).

What kind of other metrics are available?

Source: Coingecko

Ignoring the liquidity and market cap sections (basically all cryptocurrencies are illiquid and easily manipulable) there is a marked difference in terms of terms of social media engagement and interest between the two platforms. For example, in terms of public interest, one measure that could be added to the Coingecko list is the amount of organized Meetup’s: Ethereum has roughly a hundred globally and Counterparty has about 10.

As an aside, I attended two Ethereum meetup’s last month: one hosted by Coinbase in San Francisco and another one hosted by IFTF in Palo Alto. Both were well-attended with roughly 120 people showing up for the latter.

[Note: I do not own, control or hold any cryptocurrency nor do I have any trading position on them either.]

Why is no one actively publishing numbers?

It could be the case that some of the startups feel that any user / usage number is commercially important and therefore treat it like a trade secret.

Is there really less transparency in this market compared to other tech markets?

Maybe, maybe not. What about public markets?

Last spring, Blizzard Entertainment announced it would no longer publish World of Warcraft subscription numbers. This was done because of the continual decline in subscriptions (more than halving from its 12 million peak). Similarly, last fall, Microsoft said it would no longer publish Xbox One unit sales and would instead share Xbox Live usership. ((Disclosure: I own an Xbox One)) At the time this move was seen as a way to downplay the growing gap in sales between Sony’s PS4 and the Xbox One.

Source: Statista / Zynga

An exception to this rule is Zynga — the mobile / social gaming company — which has seen continual drop offs in monthly active users for over three years, but still publishes numbers. 12

Back to the public blockchain sphere: why would 40+ companies that have closed a Series A or higher as a whole decide not to publish user / usage numbers in a market that claims to always be growing by leaps and bounds?

One of the problems appears to be that when you raise a lot of money, $50+ million for B2C applications your charts are expected to look a bit like other high-growth companies.

Source: TechCrunch

For instance, above is a two-year chart displaying two types of users: daily active and paid for Slack. With 3.5x daily user growth over the past year, Slack announced last week that it has closed its new round, raising $200 million at $3.8 billion post-money valuation. About a third of its daily users which are paid users, a relatively high conversion rate.

Obviously social media commenters will point out that “cryptocurrencies” are not the same thing as communication tools, but the point remains that eventually the aspirations of investors will re-calibrate with the actual growth trajectories of a platform. And as of right now, based on public data it is unclear where that traction is in the cryptocurrency world — perhaps it does exist somewhere but no one is publicly revealing those stats.

It bears mentioning, based on anecdotes there are several cryptocurrency-related startups that have gained relatively large customer bases in certain corridors focused on cross-border payments and remittances involving The Philippines.13 There are also several cash-flow positive companies in this space that have flown under the radar. On the flipside, based on similar anecdotes, multi-level marketing scams like MMM Global also have seen continued traction.14

Conclusion

Where is the growth, where are the numbers? Those are the two questions that continue to drive blog posts on this site. Perhaps startups in the public blockchain ecosystem will be more forthcoming later this year as more capital is deployed. We will try to revisit this topic once more information is publicly available.

It will also be interesting to see how many more cryptocurrency-related companies rebrand or pivot into the “private blockchain” sphere without actually changing how they interact with cryptocurrencies. Thus, my older October post on the Great Pivot should be revisited at some point as well. In addition, if “private blockchain” platforms are eventually flipped on into production mode, they may begin to yield usage numbers worth looking at in a year or so.

For a concise explanation of “fast growth” in this context see the recent interview with Chamath Palihapitiya: Top V.C. on “Mostly Crap” Start-Ups, Mark Zuckerberg, and Early Facebook’s Grim Lunches by Vanity Fair. [↩]
And according to other data science companies I have spoken to in the recent past, several confirm this as well. [↩]
A notable exception was in December 2015 when BitPay provided a transaction chart to Forbes. Additionally, BitGo has published numbers from time to time. And while it hasn’t raised a Series A, Blockstack is also fairly open about its userbase. [↩]
Blockstack.org is not the same thing as Blockstack.io — two different groups. [↩]
Flavien Charlon, creator of Open Assets, also maintains Openchain. [↩]
Monegraph is a platform for managing digital artwork. [↩]
During its crowdsale last year, Factom sold about 4.4 million factoid (tokens) for 2,278 bitcoins. [↩]
CoinSciences, the team behind Coinspark, also has another product called MultiChain. [↩]
See: What is the blockchain hard fork “missile crisis?” and also Appendix B [↩]
One interesting stat they mentioned was in terms of ratios: in 2015 there was about $15 billion invested in “fintech” overall and about $450 million in the entire umbrella of “cryptocurrency / blockchain” ecosystem. That amounts to about 3%. [↩]
Peernova has transitioned from being a Bitcoin mining company to creating “Blockchain-inspired” tools for other industries. [↩]
See Zynga quarterly earnings reports and Statista [↩]
This includes: Align Commerce, BitX and Coins.ph [↩]
This is based on actual data I have been shown. [↩]

A brief update on the shared ledger ecosystem

Posted on April 6, 2016 by Tim Swanson

A year ago to the day I published: “Consensus-as-a-service: a brief report on the emergence of permissioned, distributed ledger systems.”

Since then, the paper and portions thereof, have been translated into multiple languages, emailed and downloaded thousands of times, copied word-for-word by many consulting companies and used as a primer for managers and executives at organizations big and small. In short, it helped articulate what was then happening in a new niche industry, one that has grown over the subsequent months.

What has changed and why did it become popular to the point where vendors now use bullet points marketing their product as a “permissioned ledger”?

Before answering these questions I should point out that it was Robert Sams, CEO of Clearmatics, that actually coined the term “permissioned ledger.” He first publicly used it at a Coinscrum event a month before the publication of CaaS. Prior to that he had been using it in private discussions including on a now-defunct mailing list which incidentally involved other notable individuals who still work in the overall “blockchain” space.1

Fluid market

Let’s quickly look at what happened to the market participants that were highlighted in the main body of the report (by alphabetical order):

Clearmatics: in November 2015 they announced they had closed their seed funding; have also publicly announced their pilot “utility settlement coin” with UBS (note: ‘settlement coin’ is not a cryptocurrency)
CryptoCorp: rebranded as Blockstack and were acquired in October 2015 by Digital Asset Holdings (DAH)
Eris Industries: in January 2016 they announced they were selected to be part of the PwC “strategic blockchain portfolio”2
Hyper (Hyperledger): in June 2015 they announced they had been acquired by DAH. 3 Its namebrand was then donated to the Linux Foundation; see What is the difference between Hyperledger and Hyperledger?
Ripple (Labs): in October 2015 they announced that their Series A had closed at $32 million in funding with the inclusion of Santander. In January 2016 additional funding from SBI Holdings into Ripple’s Japanese subsidiary was also announced.
Tembusu System: they had a co-founder dispute that led to dormancy of the company
Tezos: the project has continued in the background as a part-time project of its creator
Tillit: rebranded as Ldger and is currently focused on market place lending and structured products; no longer uses Ripple.

If we extend the analysis to the tangentially related projects listed in Appendix A:

Blockstream: in October 2015 it announced a cryptocurrency product called “Liquid” for wallets and exchanges and in February 2016 announced it had closed its Series A funding of $55 million
Augur: in October 2015 it concluded its crowdfunding of over $5 million and in March 2016 launched its beta
SKUChain: in January 2016 it announced its seed funding and in March 2016 joined the Plug and Play FinTech Incubator
Ethereum: officially launched its Frontier release at the end of July 2015 and then launched a “production” version called Homestead in March 2016
Pactum: turned from a standalone product into a technology specification and approach – currently being used by ULedger – and being further developed by Bitsapphire
Symbiont: in June 2015 it announced closing a seed round for $1.25 million and then in March 2016 announced it was creating a new company with Ipreo
Vennd: in April 2015 it joined the Startmate accelerator and later moved away from the “vending machine” cryptocurrency creation market

What about the rest of the marketplace?

The non-cryptocurrency distributed ledger marketplace has bifurcated into two distinct areas:

those creating some type of ledger or blockchain; and
those creating some type of application that connects to a ledger, chain or network

[Note: sometimes those creating #1 are also creating #2 but usually not vice versa]

Altogether, since September 2015, at R3 we have been approached or pitched by around 150 vendors of all shapes and sizes who do something orthogonally related to distributed ledgers.

By and large, most of them are uninvolved with cryptocurrencies themselves: that ship seems to have sailed with the Great Pivot. Perhaps that will change again?

We are currently tracking around two dozen companies that have built or are building some kind of distributed ledger and about the same amount of startups trying to build applications on top of a ledger. 4

Many of these can be seen on slides 21 and 23 of the presentation I published in December:

The end of “Proof-of-work maximalism”

What has resonated with people, especially financial institutions regarding this new market?

Part of it for sure is related to hype. Distributed ledgers and blockchains have been sold as silver bullets and panaceas to all the worlds ills. This exuberance will likely lead to another washout cycle which has happened in many other tech segments (most notably cleantech).

Another reason is that as articulated in Appendix B, while there was latent interest in the cryptographic toolkit utilized by Ethereum and Bitcoin, managers were finally afforded an explanation as to why something like proof-of-work is purposefully expensive and why it is unneeded and undesirable in an environment in which trusted intermediaries with legal contracts already operate in (e.g., capital markets).

In short: CaaS began to untie the narrative and fable that “the only secure network is one that involves proof-of-work.”

While they are not the only entities experimenting with blockchains, regulated financial institutions have also spent the past year looking at the consequences of using pseudonymous consensus methods, discovering that platforms like Bitcoin fundamentally lack definitive settlement finality which was briefly discussed on page 22 and 23 in CaaS.

The reaction on social media to this over the past year has ranged from acceptance all the way to angry threats. Yet fundamentally it is empirically clear that the marketing spin which proof-of-work maximalists have used — such as “hardening a chain” — is simply a misapplication of Bitcoin’s Sybil protection. But that is a topic for another day.5

Conclusion

This was supposed to be a brief post so we have to pass on dovetailing into the myriad of other interesting changes in the landscape.

Regular readers may have noticed just a few posts on this site over the past few months. Why? Part of this is because the content I do write is typically sent to R3 members only.

What about other discussions?

Even though the capital markets have largely settled on a specific class of ledger — one that is integrated with the existing legal system without any type of cryptocurrency or proof-of-work — the debate around public versus private blockchains will likely continue into the year by enthusiasts.

For those involved in regulated capital markets who are looking at solutions to problems with a set of requirements involving post-trade activities of clearing and settlement, it is worth pointing out that yesterday Richard Brown unveiled the project he has been working on the past 7 months: Corda.

A year from now the distributed ledger landscape will likely look a lot different than what it did in 2016 let alone 2015. It will be interesting to see how many projects are still replicating and reusing older “blockchain” designs versus building systems that are fit-for-purpose like Corda.

[Endnotes]

Source: I am an advisor to Clearmatics and a member of the mailing list. This included: Vitalik Buterin (Ethereum), Vlad Zamfir (Ethereum), Dominic Williams (Mirror / String), Jae Kwon (Tendermint), Andrew Miller (IC3 / University of Maryland), Nick Szabo (Mirror / Access), Jonathan Levin (Chainalysis), Dave Hudson (Peernova), Richard Brown (R3), Zaki Manian (SKUChain) and about a dozen others. [↩]
According to Dominic Williams: 21.91% of all tweets using the term “marmots” involved Eris Industries and Preston Byrne (its COO). [↩]
Disclosure: I was an advisor to Hyper. [↩]
It is a noisy startup ecosystem, but once you filter out companies reliant on cryptocurrency price appreciation there aren’t hundreds or thousands of startups to keep track of. [↩]
See also Anchor’s aweigh [↩]

Additional citations, quotes and panels

Posted on April 4, 2016 by Tim Swanson

Following up from the last batch, below are some of the public-facing activities I have been involved with the past couple of months.

Op-ed:

Settlement Risks Involving Public Blockchains at TabbFORUM

Public presentations / panels:

BNY Mellon Blockchain Day on January 28, 2016 in Jersey City (recap)
FIA/SIFMA Asset Management Derivatives Forum on February 5, 2016 in Laguna Beach
- Panel: “Disruptive Technology”
Fuqua School of Business, Finance 898: Innovation and Cryptoventures on February 26, 2016
- Guest workshop: Discussing the distributed ledger landscape

Wharton/SIFMA Securities Industry Institute (SII) in Philadelphia on March 10, 2016
- Flex Core course: “Block Chain Technology – The Hype, The Potential and The Fundamentals“
Alliance Bernstein Financial Summit held in Boston, March 9, 2016
- Panel: “The Bitcoin vs. Permissioned Blockchain Debate”
Korean Financial News in Seoul on April 6, 2016
- Presentation: “What will finance look like with a blockchain?”

Quoted:

Blockchain: wisdom of crowds begins in blind competition from Global Capital
Can an Arcane Crypto Ledger Replace Uber, Spotify and AirBnB? from Backchannel
Bankers Weigh Blockchain Challenges at BNY Mellon Event from CoinDesk
From Toxic Assets to Digital Currency: Barry Silbert’s Bold Bet from American Banker (p. 5)
Have We Reached Peak Blockchain Hype? from CoinDesk
Industry Speaks Out As CoinDesk’s Text Size Turmoil Continues from CoinDesk

Citations:

Bitcoin Mining Decentralization via Cost Analysis by Jonathan Harvey-Buschel and Can Kisagun
Corporate Governance and Blockchains by David Yermack
Beyond Bitcoin: Issues in Regulation Blockchain Transactions by Trevor I. Kiviat
Blockchain: A Fundamental Shift for Financial Services Institutions by Capgemini (p. 9)
Virtual Currencies and Beyond: Initial Considerations from the IMF (p. 20)
“Smart Contracts” report from CoinDesk (p.5 and p.11)
The Hutchins Center Explains: How blockchain could change the financial system (part 1) from The Brookings Institution
Bank consortium R3CEV successfully tests Bitcoin tech in traditional bank transactions from The Stack
Distributed Ledger Technology: beyond block chain by the UK Government Chief Scientific Adviser (p. 36)
CoinDesk’s Most Influential People in Bitcoin and Blockchain 2015 (co-honorable mention)
Thought Bitcoin Was Dead? 2016 Is the Year It Goes Big from Wired

Settlement Risks Involving Public Blockchains

Posted on March 24, 2016 by Tim Swanson

[Note: this article first appeared on Tabb Forum]

Over the past several months there has been a crescendo of pronouncements by several cryptocurrency enthusiasts, entrepreneurs and investors claiming that public blockchains, such as Bitcoin and Ethereum, are an acceptable settlement mechanism and layer for financial instruments. Their vision is often coupled with some type of sidechain or watermarked token such as a colored coin.

The problem with these claims and purported technical wizardry is that they ignore the commercial, legal and regulatory requirements and laws surrounding the need for definitive settlement finality.

For instance, the motivation behind the European Commission’s Directive 98/26/EC was:

“[T]o minimize systemic risk by ensuring that any payment deemed final according to the system rules is indeed final and irreversible, even in the event of insolvency proceedings.

“Without definitive finality, the insolvency of one participant could undo transactions deemed settled and open up a host of credit and liquidity issues for the other participants in the payment system. This results in systemic risk and undermines confidence in all the payments processed by the system.

“Thus, by ensuring definitive settlement, the concept of finality fosters trust in the system and reduces systemic risk. This makes it one of the most important concepts in payments and one that is applied to all clearing and settlement systems, including settlement and high-value payment system Target2 and bulk SEPA clearing system STEP2.”

While many cryptocurrency proponents like to pat themselves on the back for thinking that “immutability” is a characteristic unique to public blockchains, this is untrue. Strong one-way cryptographic hashing (usually via SHA 256) provides immutability to any data that is hashed by it: If Bob changes even one bit of a transaction, its hash changes and Alice knows it has been changed.

What about proof-of-work?

Proof-of-work, utilized by many public blockchains, provides a way to vote on the ordering and inclusion of transactions in a block, in a world where you do not know who is doing the voting. If you know who is doing the voting, then you do not need proof-of-work.

Consequently, with proof-of-work-based chains such as Bitcoin, there is no way to model and predict the future level of their security, or “settlement,” as it is directly proportional to the future value of the token, which is unknowable.

Thus, if the market value of a native token (such as a bitcoin or ether) increases or decreases, so too does the amount of work generated by miners who compete to receive the networks seigniorage and expend or contract capital outlays in proportion to the tokens marginal value. This then leaves open the distinct possibility that, under certain economic conditions, Byzantine actors can and will successfully create block reorgs without legal recourse.

In particular, this means miners can remove a transaction from the history such that a payment you thought had been made is suddenly unmade.

In addition, with public blockchains, miners (or rather mining pools) have full discretion on the ordering and reordering of transactions. While mining pools cannot reverse one-way hashes such as a public key (immutable on any blockchain), they can make it so that any transaction, irrespective of its value, can be censored, blocked or reordered.

To be clear, by reordered, we mean that in the event two conflicting transactions are eligible for block inclusion (e.g., a payment to Bob and a double-spend of the same coins to Alice), the payment to Bob could be mined and then, at any point in the future, replaced by the payment to Alice instead.

In Bitcoin and Ethereum (as well as many others), mining pools have full discretion of organizing and reorganizing blocks, including previous blocks. While there is an economic cost to this type of rewriting of history, there are also tradeoffs in creating censorship-resistant systems such as Bitcoin.

One of the tradeoffs is that entire epochs of value can be removed or reorganized without recourse, as public blockchains were purposefully designed around the notion of securing pseudonymous consensus.

Pseudonymous consensus is a key characteristic that cannot be removed without destroying the core utility of a public blockchain: censorship-resistance. So, as long as Bitcoin miners have full discretion over the transaction validation process, there is always a risk of a reorg.

What if you remove censorship-resistance by vetting the miners and creating “trusted mining”?

If you remove censorship-resistance (pseudonymous consensus) but still utilize proof-of-work, you no longer have a public blockchain, but rather a very expensive hash-generating gossip network.

While this type of quasi-anarchic system may be useful to the original cypherpunk userbase, it is not a desirable attribute for regulated financial institutions that have spent decades removing risks from the settlement process.

Ignoring for the moment the legal and regulatory structures surrounding the clearing and settlement of financial instruments, in our modern world all participants recognize that, from a commercial perspective alone, it makes sense to have definitive – not probabilistic – settlement finality. Because of how the mining process works – miners can reorganize history (and have) – a public blockchain by design cannot definitively guarantee settlement finality.

Markets do not like uncertainty, and consequently mitigating and removing systemic risks has been a key driver by all global settlement platforms for very good apolitical reasons.

Public blockchains may be alluring because of how they are often marketed – as a solution to every problem – but they are not a viable solution for organizations seeking to provide certainty in an uncertain world, and they are currently not a reliable option for the clearing and settling of financial instruments.

There are solutions being built to solve this problem that do not rely on public blockchains for settlement. For example, private and consortium blockchains are specifically being designed to provide users definitive legal settlement finality, among other requirements, because this certainty is necessary for adoption by regulators and regulated financial institutions.

For context, over the past 18 months banks have looked at more than 150 proof-of-concepts and pilots and rejected nearly all of them. Not because they are anti-cryptocurrency, but because public blockchains were not purposefully built around the requirements of financial institutions. So why would they integrate a system that does not provide them utility?

Yet if researchers empirically observe that the failure risks associated with various public blockchains is within an accepted risk profile – in certain niche use-cases – it may be the case that some institutions will consider conducting additional proof-of-concepts on them.

The tradeoffs in designing public blockchains and permissioned ledgers are real. For instance, it is self-defeating to build a network that is both censorship-resistant from traditional legal infrastructure and simultaneously compliant with legal settlement requirements. Yet both types of networks will continue to coexist, and the vibrant communities surrounding the two respective spaces will learn from one another.

And if the goal for fintech startups is to create a new commercial rail for securing many different types of financial instruments, then shipping products that actually satiate the needs of market participants is arguably more important than trying to tie everything back into a pseudonymous network that intentionally lacks the characteristics that institutional customers currently need.

What is the difference between Hyperledger and Hyperledger?

Posted on March 5, 2016 by Tim Swanson

I am frequently asked this question because there is some confusion related to the legacy name and the current branding of certain technology. The two are distinct. And how we got there involves a little history.

Hyper, the parent company of Hyperledger, was founded by Dan O’Prey and Daniel Feichtinger in the spring of 2014. Fun fact: one of the alternative names they considered using was “Mintette.com” — after the term coined by Ben Laurie in his 2011 paper.

The simplest way to describe Hyperledger, the technology platform from Hyper, during its formative year in 2014 was: Ripple without the XRP. Consensus was achieved via PBFT.1 There were no blocks, transactions were individually validated one by one.

Hyperledger, the technology platform from Hyper, was one of the first platforms that was pitched as, what is now termed a permissioned distributed ledger: validators could be white listed and black listed. It was designed to be first and foremost a scalable ledger and looked to integrate projects like Codius, as a means of enabling contract execution.

Most importantly, Hyperledger in 2014 was not based off of the Bitcoin codebase.

Note: in the fall of 2014 Richard Brown and I both became the first two advisors to Hyper, the parent company of Hyperledger. Our formal relationship ended with its acquisition by DAH.2

In June 2015, DAH acquired Hyper (the parent company of Hyperledger) which included the kit and caboodle: the name brand, IP and team (the two Dans). During the same news release, it was announced that DAH had acquired Bits of Proof, a Hungary-based Bitcoin startup that had designed a Java-based reimplementation of Bitcoin (which previously had been acquired by CoinTerra).3

It was proposed at that time that Hyperledger, the Hyper product, would become the permissioned ledger project from DAH. It’s product landing page (courtesy of the Internet Archive) uses roughly the same terminology as the team had previously pitched it (see also the October homepage older homepage for DAH as well).

Source: Digital Asset / Internet Archive

On November 9, 2015, on a public blog post DAH announced that it was “Retiring Hyperledger Beta, Re-Open Sourcing Soon, and Other Changes.”

The two most notable changes were:

(1) development would change from the languages of Erlang and Elixir to Java and Scala;

(2) switch to the UTXO transaction model

The team noted on its blog in the same post:

We are also switching from our simplistic notion of accounts and balances to adopt to de facto standard of the Bitcoin UTXO model, lightly modified. While Hyperledger does not use Bitcoin in any way, the Bitcoin system is still extremely large and innovative, with hundreds of millions of dollars invested. By adopting the Bitcoin transaction model as standard, users of Hyperledger will benefit from innovation in Bitcoin and vice versa, as well as making Hyperledger more interoperable.

During this same time frame, IBM was working on a project called OpenChain, which for trademark reasons was later renamed (now internally referred to as OpenBlockchain).4

IBM’s first public foray into distributed ledgers involved Ethereum vis-a-vis the ADEPT project with Samsung (first announced in January 2015). Over the subsequent months, IBM continued designing its own blockchain (see its current white paper here).

In December 2015, the Linux Foundation publicly announced it was creating a new forum for discussion and development of blockchain technology. Multiple names were proposed for the project including Open Ledger (which was the name originally used in the first press release). However, in the end, the name “Hyperledger” was used.

How did that occur?

DAH, one of the founding members of the project, donated two things to the Linux Foundation: (1) the brand name “Hyperledger” and (2) the codebase from Bits of Proof.

Recall that Bits of Proof was the name of a Bitcoin startup that was acquired by DAH in the fall of 2014 (the Chief Ledger Architect at DAH was the co-founder of Bits of Proof). 5 Architecturally, Bits of Proof is a Java-implementation of Bitcoin. 6

In other words: today the term “Hyperledger” represents an entirely different architectural design and codebase than the original Hyperledger built by Hyper.7

The major architectural switch occurred in November 2015, which as noted above involved adopting the UTXO transaction set and Java language that Bits of Proof was built with. Therefore, Hyperledger circa 2016 is not the same thing as Hyperledger circa 2014.

Over the past two months there have been multiple different codebases donated to the Linux Foundation all of which is collectively called “Hyperledger” including the IBM codebase (partly inspired by Ethereum) as well as the DAH and Blockstream codebase (one is a clone of Bitcoin and the other is a set of extensions to Bitcoin). The technical discussions surrounding this can be found on both the public Linux Foundation mailing list and its Slack channel.

How do different, incompatible codebases work as one?

This technical question is being discussed in the Linux Foundation. It bears mentioning that as of now, the codebases are incompatible largely due to the fact that Bitcoin uses the UTXO transaction set and OpenBlockchain uses an “accounts” based method for handling balances. There are other reasons for incompatibility as well, including that they are written in completely different languages: Java/Scala versus Go versus C++ (Blockstream).

How extensive is the reuse of the Bits of Proof Bitcoin codebase donated to the Linux Foundation from the DAH team? According to a quick scan of their GitHub repo:

Source: DigitalAsset GitHub

So when someone asks “what is Hyperledger technology?” the short answer is: it is currently the name of a collective set of different codebases managed by the Linux Foundation and is not related to the original distributed ledger product called Hyperledger created by Hyper. The only tenuous connection is the name.

Timeline in brief: Hyperledger was originally created in Spring 2014 by Hyper; Hyper was acquired in June 2015 by DAH; the original Hyperledger architecture was entirely replaced with Bits of Proof in November 2015; the Hyperledger brand name and Bits of Proof code was donated to the Linux Foundation in December 2015.

Interestingly enough, the current OpenBlockchain project from IBM also uses PBFT for its consensus mechanism and uses an “accounts” based method; two characteristics that the original Hyperledger platform from Hyper had too. [↩]
For more info on the original Hyperledger, see the Innotribe pitch; the description in Consensus-as-a-service from April 2015 and the Epicenter Bitcoin interview. [↩]
Following the bankruptcy of CoinTerra, the Bits of Proof team became independent once again. [↩]
CoinPrism launched a project called OpenChain, before IBM did. [↩]
Sometimes there is a confusion between Bits of Proof and Bits of Gold. Bits of Proof was the independent Java-implementation of Bitcoin (which is not the same thing as bitcoinj). Bits of Gold is an Israeli-based Bitcoin exchange. A co-founder of Bits of Gold also works at DAH and is their current CTO. [↩]
In the future it may contain some modifications including Elements from Blockstream. [↩]
What was once the original Hyperledger GitHub repo has been handed over to the Linux Foundation but some of the original code base and documentation from the 2014 project can still be viewed elsewhere. [↩]

Short interview with the CFA Institute

Posted on March 3, 2016 by Tim Swanson

[Note: I neither own nor have any trading position on any cryptocurrency. The views expressed below are solely my own and do not necessarily represent the views of my employer or any organization I advise.]

Below are several questions I recently received from the CFA Institute along with my responses.

Q1. In your book you make a convincing case that Bitcoin has a number of significant structural design flaws that will likely prevent it from ever develop into something of economically meaningful scale. Could you briefly outline the main reasons for your view?

A1. The two fundamental challenges that do not appear surmountable in the short-run are:

(1) An endogenous money-like informational commodity (such as bitcoin or litecoin) that lacks purchasing power stability relative to goods and services which live external to the system. This is a characteristic that is common to contemporary cryptocurrencies that are divorced from external information: how to securely provide information of the exogenous outside world back into the internal network in a trust-minimized manner? There have been multiple proposals over the past 2 years but no production systems in large part because solving this is solving a public goods problem, so where does the funding come from to R&D it?

(2) The second main challenge is sustainable decentralized security. Empirically all proof-of-work based cryptocurrencies have trended towards some form of centralization. Looking at CoinGecko, all of the top PoW cryptocurrencies are currently dominated by a handful of pools. The reason why has to do with the inhomogeneous Poisson process used by these systems which creates variance in payouts. And as we see in the world of traditional finance, one way to reduce risks is to pool capital. Thus, with the origination of the first mining pools in late 2010, we see miners – the security force – acting rationally by pooling hashrate to smooth out the variance in payouts.

Ernie Teo and Dave Hudson are just a handful of researchers who have looked into the long-term implications this has and have shown via simulations that as block rewards decline over time, the labor force declines as fewer participants can profitably compete in the mining process. Thus there is an open question as to whether or not any PoW cryptocurrency can remain robustly decentralized and secure or if they just “self-destruct.” Note: that there are over 100 dead altcoins, so empirically these networks are not automatically self-healing or anti-fragile.

Solving both of these issues – if they are indeed solvable – so far has remained in the realm of posturing on social media: very little real research and statistical modelling has taken place which is very surprising considering many companies have raised funds with the assumption (and promise) that these two issues will be solved.

I remain skeptical that the first is solvable without compromising the integrity of the network: how do you rebase the purchasing power of an endogenous unit of account without needing to trust the external data source? Vitalik Buterin, Robert Sams and a few others have proposed solutions dubbed “stablecoins” but most of the community, especially early adopters of popular cryptocurrencies are against purchasing power stability, preferring volatility with the belief that external market forces will somehow coordinate and permanently smooth it out, usually in a trajectory towards the moon.

Similarly I have yet to see any modelling that shows how POW mining becomes more decentralized over time. There have been companies that claim and market that they will “redecentralize” with embedded ASICs, but when you drill down deeper it is merely decentralizing hashing, not block making (the key part).

Q2. There seems to be a new consensus developing in fintech circles and among incumbents of ‘Bitcoin bad, blockchain good’. Do you agree with this or is it too simplistic – can you truly have one without the other?

A2. I think it is too simplistic and a little unfair to Bitcoin. Satoshi, from his written accounts, did not appear interested in developing software for financial institutions. He had a problem-set in his mind: how to build a censorship resistant payments system without introducing some kind of trusted third party to prevent double spending. In 2007, when he began the project (or so he stated on a mailing list) if he had thought about how to build a distributed ledger for regulated financial institutions, the deliverable would look different than Bitcoin does. We only have the benefit of hindsight to make that “Blockchain good, Bitcoin bad” claim today.

Why? Because quite frankly, Bitcoin itself does not really solve anything for banks.

Banks have seen probably 100-200 proof-of-concept/pilot projects over the last 18 months and have rejected nearly all of them. Not because it involved a cryptocurrency but because the tech didn’t solve their actual problems. I have yet to be in a meeting where someone says “I hate bitcoin because it is bitcoin” — perhaps some banks do, but all of the people I interact with at banks want solutions to their problems and cryptocurrencies in their current form, were not designed to solve problems banks have. So why should they use them?

For instance, if I built some typewriters and then claimed that banks weren’t buying them because they’re anti-typewriter. It’s not because they are anti-typewriter it is because they don’t have a use for typewriters in 2016. Yet the useful parts of typewriters are of course the keyboard which can be repurposed and used with laptops. Similarly, the useful bits of cryptocurrencies are the cryptographic signing and shared data structure elements.

Q3. Incumbent organisations experimenting with blockchain technology seem to be mostly designing permissioned blockchains. Could you elaborate on how these differ from, for example, the Bitcoin blockchain, and some of its advantages and disadvantages?

A3. Since September 2015, R3 has been pitched by over 100 software companies ranging from pre-seed startups to large enterprises. Among them are about 30 different distributed ledger proposals. Some are very much half-baked altcoins. A large number are highly modified derivatives of existing platforms (e.g., Bitcoin, Ethereum, Ripple) and a few others were customized and built from the ground up or with elements of existing systems. Universally they all involve some kind of permissioning: in which the validators on the network are gated and vetted and the users of the network are KYC’ed.

Why are they building these? There are a number of different motives but by and large this has to do with the operating environment their customers exist in: trusted, known relationships. Those relationships, market structures and laws, much to the chagrin of cypherpunk prophecies, are not going to disappear. So if you are building a commercial business and want to actually generate revenue and not permanently live off of venture funding, you will need to deliver products customers want and not just work on public goods problems.

Another advantage of designing these types of permissioned systems is that the validation model – the creation of contracts and service level agreements around who or what validates transactions – typically removes the probabilistic settlement issues found in public blockchains like Bitcoin. Public blockchains cannot provide legal settlement finality of exogenous financial instruments. And introducing new risks into the financial system via probabilistic finality is absurd. Regulated financial institutions cannot and do not want to be in a position in which assets on their balance sheet only have a 95% possibility that they own them or that a block reorganization from a pool in a sanctioned country mines it.

Incidentally there are now Bitcoin mining companies that are pitching themselves as “trusted miners” – which is an oxymoron. In fact, if the validation process (mining) of public blockchains becomes fully trusted, gated and permissioned then users lose the benefit of censorship resistance while they simultaneously have to pay the large operating costs that proof-of-work requires. Or in other words, a permissioned-on-permissionless system that provides more kabuki theater than it does commercial utility.

Q4. Increasingly, financial institutions are trying to figure out whether they can benefit from integrating blockchain technology into their operations, including your organisation R3CEV. What do you see as the main barriers of integrating blockchain into existing financial services?

A4. There are multiple challenges each financial institution has and technology alone probably only solves a fraction of them. For instance, what are the problems a blockchain actually solves for an organization? Maybe there are only a handful if any. What are the switching costs? What are the total costs of operation? How does it plug into their existing legacy systems?

Most startups lack the subject matter expertise or the relationships into the financial services industry to be able to answer those questions, so they end up building tech for tech sake. Science fair projects that remain underutilized and even unused. No amount of marketing can ultimately salvage a platform that does not solve a problem that customers do not have.

The myth of The Right Stuff

Posted on February 27, 2016 by Tim Swanson

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.]

This past week Joi Ito, director of MIT Media Lab, weighed in on the block size debate, stating:

The future of Bitcoin, decentralized ledgers and other Blockchain-like projects depends on this community. Many people call them “Bitcoin Core” as if they are some sort of company you can fire or a random set of developers with skills that you can just train others to acquire. They’re not. They’re more like artists, scientists and precision engineers who have built a shared culture and language. To look for another group of people to do what they do would be like asking web designers to launch a space shuttle. You can’t FIRE a community and, statistically speaking, the people working on the Bitcoin ARE the community.

The crux of his comment is that there is only a handful of people in the world who have the skills or as Tom Wolfe might call it, The Right Stuff.

Source: IMDB

Yet it’s unclear how many real blockchain engineers there are in the world. Who are those capable of building from scratch a network with the features and characteristics of Ethereum, Zcash, Bitcoin or Ripple (among others)?

After all, there is no PhD in Blockchainology (yet) or Distributeledgerology (god help us) so how does one qualify? By random lines of code in a github repo or hours spent in IRC chat rooms?

Maybe none of the above.

By all accounts, it is a hobbyist field in still — it is sufficiently esoteric that it’s not very accessible unless you have the time to decipher it on your own. But there doesn’t appear to be anything magical about this technology either.

For instance, as a personal anecdote, last year I traveled as a guest lecturer with Blockchain University (which is on semi-permanent hiatus) to both India and Japan and gave several other guest presentations with BU throughout the year. The primary goal of BU was to help educate developers — and some entrepreneurs — in the burgeoning artisan skill of block making.

While the learning curve was somewhat difficult (since Satoshi apparently uses every number format in the history of number formats), like all other technology, eventually developers got the hang of it.1

Similarly, many working groups at financial institutions exploring this technology are basically self-taught, autodidacts just like the rest of the community largely is.2

In other words, the problem with Ito’s comment is that it assumes that only the few dozen rocket scientists working in Peenemünde could possibly ever build rockets. Whereas empirically, knowledge transfer occurred (via Operation Paperclip and Operation Osoaviakhim) and the ability to build rockets was disseminated worldwide, including the infamous shuttle he cites.

So too has the knowledge of building magic internet ledgers.

Groups such as Bitcoin Core may have some bright developers, but it certainly doesn’t have a monopoly on talent, especially when it comes to building and shipping commercial products for regulated financial institutions. But the key take away is there are now tools and venues for IT team both small and large to learn and get up to speed on how this tech actual works, it is no longer siloed off in random IRC rooms or obscure crypto mailing lists.

I would like to thank Ryan X. Charles for pointing that out; as an aside, I believe Ryan holds the distinction to have the first formal title of “blockchain engineer” at a non-Bitcoin company. [↩]
Actually there are quite a few financial engineers who have formal backgrounds involving elements of this technology as well as many bank architects who need to build and maintain stable, secure networks. There are also various professors and cypherpunks who formally studied distributed computing/consensus in college involved too. [↩]

Using just the “rails”

Posted on February 24, 2016 by Tim Swanson

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.]

Yesterday the following question and comment was made to the previous blog post:

So just to be clear, you consider a company a “blockchain company” even if it runs its platform using Bitcoin’s blockchain as the rails ? For example, I believe Symbiont does this, but they certainly license out their software for a profit.

Yes, technically speaking using any blockchain as a “rail” (e.g., for storing or moving messages between parties) could effectively classify the startup as a “blockchain” company. But I also think it’s worth looking at whether or not this is useful or even a wise decision.

In the short term, maybe: if a company only cares about distributing data to a geographically distributed third party, then using a blockchain as a “rail” could be a solution for a few problems. For instance: Peernova, Chain, DigitalX (AirPocket) and others have built systems/platforms that are independent of a blockchain but then will store a “hash” of information onto a blockchain such as Bitcoin (typically via OP_RETURN). This is a process called “anchoring.”

But you can actually “anchor” in multiple mediums, it just happens that this medium is what they have currently chosen to do in the short run (e.g., could also tweet it, post it on a public mailing list, broadcast it on TV, or if you are paranoid use a numbers station). I wrote about the anchoring idea last month and previously elaborated why users such as banks do not need to use a public blockchain for anchoring.

There is another company called GuardTime that is pitching a “trust anchoring” service as well (called KSI). Their product is similar to Surety which publishes hashes of data into newspapers. If you are interested in this general idea, be sure to look into linked timestamping and “How to time-stamp a digital document” by Haber and Stornetta (and again, this is not an endorsement).

Regarding Symbiont, my understanding is that they are still using “embedded consensus” (based on their blog post) because their core team created Counterparty, which also uses an “embedded consensus mechanism” tied to Bitcoin. Currently I do not think that it is a particularly elegant solution for post-trade but it may have its uses. However that is a topic for another day (see this paper starting at page 5).

Source: Surety

Long term, no: I don’t think it is necessarily wise for Bob to rely or depend on Alice’s chain for the security of Bob’s chain. It may be a short term stop-gap occurrence, but network designers should ultimately have to assume that other networks can become compromised and/or are unsustainable. The network needs to be as self-reliant as possible. And it is currently not possible to accurately forecast the security of Bitcoin (or other public blockchains) as it is economically driven – directly proportional to the market price of the tokens.

I think the drama around OP_RETURN size (40 versus 80 bytes) two years ago (see pages 29-30) and even the current block size debate should also serve as a cautionary tale to any organization looking at using a public blockchain. Because of the way “decentralized governance” works (an oxymoron?), the end-users are at the mercy of nebulous governance structure that can arbitrarily nerf or take away a feature (like OP_RETURN) just as much as they gave it without direct feedback or recourse from the users themselves.

As an aside, there are also cross border/remittance companies like Align Commerce that attempt to send bitcoins back and forth between liquidity providers/exchanges and do not rely on the appreciation or depreciation as part of their business model — in fact, they dislike any volatility as it harms their margins (e.g., they lock in a price for their customers for a short window of time). But since they do not rely on bitcoins qua bitcoins, they could just as easily create and use their own proprietary ledger (it doesn’t even need to be decentralized). Whether or not the “rebittance” business model makes sense is also another topic for another day (I recommend this post from Save On Send for starters).

Recall 15-20 years ago people used to attend “Internet conferences” and tell their friends that they were building an “Internet company.” That sounds anachronistic two decades later.

Today a small business owner, Bob, would simply say he operates a small business that happens to have a website, but that doesn’t mean he is operating a website company. Or if Bob accepted payments via Stripe, he wouldn’t say his company is an ACH or Stripe company – Bob is just using these “rails” as a means to an end. Hopefully when all the hype and noise lowers over time we will begin to see the companies that are actually trying to create real commercial businesses that just happen to integrate with DLT, rather than everyone positioning themselves as a DLT company that might also have a commercial product.

Five frequently asked questions about permissioned chains

Posted on February 20, 2016 by Tim Swanson

I was recently asked by someone: what are short arguments as to why permissioned blockchains are preferable than public ones for regulated financial services companies?

There are multiple reasons why permissioned blockchain are currently more appropriate than public ones specifically for regulated financial companies:

Governance: public blockchains are designed around being censorship-resistant which makes the ability to change, enhance or upgrade the network difficult to do (e.g., as shown by the current block size debate). “An Act of Congress” is the inside joke on how difficult it is supposed to be to make major changes to fully decentralized blockchains. In contrast, permissioned chains are usually built with a known, agreed upon governance structure with explicit decision making processes. One trade-off comes with reduced censorship-resistance. See Appendix A for more.
Most public blockchains were intentionally not designed around the needs of regulated financial institutions, quite the contrary: many were designed with the goal of circumventing institutions and regulatory bodies. As a consequence, they likely cannot in their current form fulfill the functional and non-functional requirements that large regulated financial institutions need in order to operate. And in order to modify an existing public blockchain to do so, you typically end up breaking their core utility (censorship resistance)
Financial institutions need to know who they are dealing with, who their counterparties, customers and staff members are. As a result, architects building systems for financial institutions have a different set of design assumptions than those programmers designing public blockchains. In short: participation and validation on a permissioned blockchain involves known, trusted parties that are legally obligated to perform certain tasks. In contrast, participation and validation on public blockchains is assumed to involve, unknown and untrusted parties hence the reason for proof-of-work. If financial institutions are already working with trusted parties, then design features found in public blockchains — like proof-of-work — effectively are very expensive dice rolling machines, they provide no real utility other than to generate random numbers. And to compound this issue, due to AML / KYC / KYCC regulations for financial institutions in many countries, payment service providers (which effectively what “mining pools” are) potentially requires KYC of the mining pool. If you know the identities of all the pools then you are no longer operating an unknown network, the design assumptions change.
Who are you going to call when something goes wrong with a transaction? For instance, in the traditional financial world, institutions and organization create and sign service-level agreements with service providers: contracts with specific guarantees and conditions — along with clauses for when something goes wrong (e.g., customer service reqs). In a permissioned blockchain ecosystem, this tradition will continue because mistakes will be made and will need to be fixed. In contrast, when something goes wrong or is broken on a public blockchain, you are probably out of luck unless you know some mining pool operators.
Sustainability. Because public blockchains are effectively unowned, then you end up recreating a ‘tragedy of the commons’ in which no one wants to pay but everyone wants to use. We see this with the Bitcoin network, where no one wants to pay (higher) fees to use the network and no one wants to pay developers to enhance the network. As a consequence, there are now over 100 dead altcoins because their was no incentive to maintain the network — the commons collapsed as it was no long sustainable to operate via charity and altruism. In contrast, permissioned blockchains are closer to owning private property: a set of stakeholders have a direct incentive to maintain the network through business and commercial incentives. This is not to say that either Bitcoin or Ethereum will collapse tomorrow, but the longevity of a public blockchain is an open question.

The Cool Kid at School

Posted on February 19, 2016 by Tim Swanson

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.]

Earlier this week a piece appeared on Yahoo with a number of quotes from individuals who are trying to create a new narrative for why “Blockchain” is the cool kid at school right now.

Stating:

“I can see why banks are interested in using permissioned ledgers, and maybe it will make their back office more efficient,” says Jerry Brito, executive director of digital currency nonprofit Coin Center. “But at the end of the day, it’s not a very exciting innovation. The real innovation is a completely open and global ledger that is permission-less. Having a closed, permissioned ledger run by banks, that might allow for better auditing, but there’s no innovation there, you still have to go through a consortium to use the ledger.” That is, what banks seem to want to do is incongruous to the purpose of the blockchain.

The claim in here is false. In fact, this line of reasoning is literally the No True Scotsman fallacy (or in this case, no true ledger fallacy).

There is a lot of real innovation going on behind the scenes (and a lot of non-innovation going on too) by several dozen companies building new types of applications that couldn’t really work on public blockchains (due to the lack of definitive legal settlement finality, governance, scalability and capacity — among other reasons).

Innovation and ideation are occurring, it just isn’t happening with Bitcoin or with some Bitcoin companies beyond trying to ignore state, federal and international laws (slightly kidding).

Furthermore, not all ledgers are alike. To claim that technology is “incongruous” because it isn’t fixed to the original project is a non sequitur.

Bitcoin visualized how and what one application of distributed ledger technology could look like. It showed, much like the Wright Flyer and the Benz Patent Motor Car previously did, how cobbling together existing pieces could provide a new form of utility. But for something important like regulated capital markets you wouldn’t continue reusing experimental tech just because it already exists. That’s a sunk cost fallacy.

The original Mercedes

Continuing:

But Brito also believes the interest will subside once banks actually learn more about blockchain technology. “I think right now investors are kind of waiting for Wall Street to get through this blockchain phase,” he says. “They have blockchain fever and they need to just get over it. Because if they develop their own closed blockchains, soon they’ll all realize they want to talk to each other, and they’ll be back to square one, doing banking.”

This is also untrue. There have been between 150-200 pilots and proof-of-concepts for banks that utilize some type of cryptocurrency (or fork thereof), nearly all of which have been rejected. Not because the banks are “anti-bitcoin” or “don’t get the blockchain” but because Bitcoin doesn’t solve the actual problems banks actually have — it wasn’t designed to.

Furthermore, as I have repeatedly explained — as early as September — in both public and private venues that:

1) the ledger/network/fabric will be open sourced
2) that recreating lots of silos probably isn’t very productive

There has been a lot of backlash from some members of the cryptocurrency because their bet hasn’t paid off but it’s disingenuous to create a narrative that is factually untrue.

I certainly cannot speak on behalf of banks, but if the goal is to get banks and other financial institutions to actually use a product then the product needs to actually provide a solution for them; cryptocurrencies as they currently exist weren’t built with their needs or requirements in mind, so why would they use them?

What is the difference between a Bitcoin company and a Blockchain company?

Posted on February 17, 2016 by Tim Swanson

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.]

Let’s be clear: to do anything on the Bitcoin blockchain (the data structure) a user must use bitcoins. There is no other native currency/commodity/receipt built into the ledger that enables users to do something on the Bitcoin network.

So when Bob says: “My company uses Blockchain” — what does that mean? Does that mean he is using the Bitcoin blockchain to do something? Does that mean he’s using another distributed ledger altogether? Does that mean he hates definite and indefinite articles (a, an, the)?

Where is the line between a Bitcoin company and a Blockchain company?

First off, I dislike the term “blockchain” because it is so vacuous and vague. At fintech conferences, when presenters say “blockchain” most people in the audience probably think of a database run by air-gapped computers in missile silos or something else from a sci-fi movie. When panelists at Davos say “blockchain” it is probably just short hand for all of the warm and fuzzy bits of moon math invented at MIT which we think protects our bank accounts.

In December I mentioned it was a bit like gluten, everyone is talking about it but no one knows what it is in great detail.

Last week, a PwC article on LinkedIn stated that:

“So, to help make sense of the market for ourselves and others, we invested approximately 10,000 hours to evaluate what is now more than 1,000 blockchain companies.”

In the ensuing Twitter thread, I pointed out that there are not 1,000 blockchain companies.

In response, a team member from PwC tweeted the following screenshot of the PwC library:

(Source: Ajit Tripathi / PwC and Fergus Lemon / PwC)

My point regarding Bitcoin companies not being blockchain companies has to do with what venture firms like Nyca Partners categorize activity by. They have five characteristics including: does your platform/product depend on a cryptocurrency appreciating in value or not?

In contrast, “Blockchain” platforms, of which there are probably less than 50 (certainly not 1000) are not setting out to build convertible virtual currency systems. They do not need to burn mountains of coal to secure their network because they operate in a different environment where the platform or application is the actual utility.

Put it on a sticky note: the appreciation of a token (or whatever it might be called) is not the business model for blockchain companies — the uptake and adoption of the platform and application are.

Bitpay is a bitcoin company because its business model depends exclusively on the uptake in usage of the token (bitcoins) and the value of the token appreciating — the token is the business model. In contrast, Chain is no longer a bitcoin company — the token is not their business model, uptake of their platform is.

Conflating the two worlds, like some investors do, creates confusion in an already noisy marketplace.

For perspective, since September I have been pitched or spoken to ~125 companies that claim they are building or relying on some type of distributed ledger.

This also includes various repurposed altcoins and Bitcoin companies that are reliant on bitcoin, the token, to appreciate in value in order for the company to profit. In other industries that type of bet is called “a hedge fund” except many of these forget to do the hedging part.

If you’re interested, I gave a presentation in December explaining the diverging ecosystems. One is not better than the other. The two can and will coexist. But the two are not the same thing.

AT&T is the only tested and secure telecommunication system, the rest are altscams

Posted on February 4, 2016 by Tim Swanson

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.]

Over the past several weeks there has been a concerted marketing push by several Bitcoin investors and enthusiasts to promote the view that banks do not want new(er) technology. That bitcoind (one Bitcoin implementation maintained by a group called “Core”) can satiate the needs of organizations big and small and that other distributed ledger efforts are vain, insecure and snake oil.

This anti-competitive line of reasoning is reminiscent to the early-80s when AT&T was broken up into Baby Bells and had to compete with new market participants. Sure there were several ne’er-do-well fly-by-night telecom startups that popped up, but this downplaying of new distributed ledger efforts is basically Luddism against new techniques and competitors.

So what actually do regulated financial institutions want?

I have flown almost 50,000 miles the past 6 weeks and personally speak to about 4-5 banks face to face each week. Many of them have forked, poked and prodded a handful of platforms, including variants of Bitcoin itself. Yet I don’t think they have ever said, “you know what Tim, we want to reuse bitcoind because it’s been around for longer than Alice’s solution.” Banks want solutions to their problems and bitcoind is not necessarily one of them; it wasn’t designed to be a solution to their problems.

While I cannot speak on behalf of banks or the roughly two dozen distributed ledger efforts (slide 21) out there, many of the elements within their proposals actually have some of the same elements reused in Bitcoin, Ethereum, Ripple and Open-Transactions.

It bears mentioning that all of the key elements of Bitcoin itself are more than 15 years old now and that no company unilaterally invented or wrote the Core code commonly used by mining pools today.

According to Gwern Branwen this includes:

2001: SHA-256 finalized
1999-present: Byzantine fault tolerance (PBFT etc.)
1999-present: P2P networks (excluding early networks like Usenet or FidoNet; MojoNation & BitTorrent, Napster, Gnutella, eDonkey,Freenet, i2p etc.)
1998: Wei Dai, B-money
1997: HashCash; 1998: Nick Szabo, Bit Gold; ~2000: MojoNation/BitTorrent; ~2001-2003, Karma, etc
1992-1993: Proof-of-work for spam
1991: cryptographic timestamps
1980: public key cryptography
1979: Hash tree

And as I have mentioned previously: if Satoshi had wanted to design a network for regulated financial institutions, it would look different than what Bitcoin does today. Why? Because the problems financial institutions are different than the problems cypherpunks have. So some of those elements above, like proof-of-work, are entirely unnecessary in a different environment.

If you had a chance to start from scratch, what would that network architecture look like? Would it even be a chain of blocks containing hashes in them? Maybe not. And if not, then reusing bitcoind because you have already put millions into development behind bitcoind is a sunk costs fallacy.

What about the view that bitcoind is the most battle-tested distributed ledger code base? Aren’t all the new efforts just closed source Excel sheets filled with backdoors?

This is factually untrue. Some Bitcoin enthusiasts make it sounds like all of the other two dozen ledger projects in this space are not going to be open sourced, or peer reviewed or publicly tested. As far as I know, most of the new efforts are genuinely interested in making most if not all of the lower layers of their tech open. Some of them are already contributing to the new Linux Foundation effort.

This is also a false dilemma, to make it sound like the only two choices in the world are the “tested” sacrosanct Bitcoin code base versus “untested” hill billy code.

If by “tested” proponents mean it has been running for a while and some of its faults are plainly evident then there’s some merit in that, but you could use the same logic to argue that SWIFT is the only tested and secure financial network therefore don’t create new rails.

Yet even if it were true it is irrelevant: security is only as good as its weakest link. The security of systems in this space will depend on the properties of the overall system, not just one component. So all the stuff Bob builds on to and around it has to be secure too. And if that is compromised and over complicated because Bob is contorting himself to fit into the Bitcoin model, what has Bob gained?

A non-starter

The basic vision of several Bitcoin marketers is to push the narrative in which non-Bitcoin ledgers are fully dependent on the security of the Bitcoin network itself. Several proposals involve some type of sidechain, a dubious technique that purportedly involves merged mining, which itself is unsustainable (see pgs. 20-22). That in this scenario, regulated financial institutions with trillions of dollars under management operating on trusted networks would for some reason want to rely on an unsustainable public good. That Bitcoin becomes the ultimate trust anchor in the world.

This ignores the requirements that enterprises have. Not only do regulated financial institutions have a lot of real concerns surrounding probabilistic settlement finality and untrusted validators — none of which goes away with wider adoption of Bitcoin — but there are many different ways to “anchor” data that does not involve burning mountains of coal in China or subsidized hydroelectricity in Washington.

The “bitcoin codebase is the only tested/secure code” also relates to the meme of “everyone should use bitcoind as otherwise we’re in danger of hard forks.”

This is short sighted engineering; a more appropriate motto would be because of the danger of hard forks, we want everyone to diversify the code base. This then ties back in to Dan Geer’s infamous monoculture jibe.

It is also strategic marketing on the part of Bitcoin maximalists: if they can convince everyone of the meme “everyone use the bitcoin codebase” while at the same time capturing the power of Bitcoin Core into one small group of companies that handles the hard code then they will have convinced the market that their solutions are irreplaceable, which, while of no particular technical merit, has the benefit to the few of being a self-fulfilling prophecy.

And what about all those “unnecessary” customized bells and whistles new distributed ledgers provide to financial institutions? Can’t plain old vanilla Bitcoin provide everything a customer could want?

Dispelling myths could be a full time job in this space, but this comment has also become part of the bitcoind zeitgeist: that financial institutions are wasting their time looking at customized ledgers when Bitcoin startups and its ecosystem are a one-stop shopping center capable of satiating the wants and needs of financial institutions.

The reason why Bitcoin is not being used by financial institutions is simple: it does not and cannot meet their needs because it wasn’t designed to do so. And in order to “fix” the perceived issues you end up removing the core utility of public blockchains, such as censorship-resistance.

Based on what we have seen and heard, banks have done by now hundreds of pilots and proofs of concept and in almost all cases those PoCs have been rejected. The reasons are almost always the same – they don’t meet the banks’ needs – but where’s the credible debate on what those needs are? Surely some of the banks must have told some of those providers some hint, even if by accident. If nobody’s listening to the feedback being handed out, it’s no wonder Bitcoin is stuck in an echo chamber.

There will likely not be one codebase or one ledger to rule them all and it is important for regulated organizations to continue doing due diligence not just on the functional abilities of proposed ledger solutions, but also the veracity of the claims of the proponents.

[Special thanks to the architecture working group for their constructive feedback]

What did bitcoin movements look like in 2015?

Posted on January 10, 2016 by Tim Swanson

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.]

Last April, May and August I wrote three posts that attempted to look at the flow of funds: where bitcoins move to throughout the ecosystem.

Thanks to the team at Chainalysis we can now have a more granular view into specific transfer corridors and movements (not necessarily holdings) between miners, exchanges, darknet markets, payment processors and coin mixers.

The first three charts are backwards looking.

Above is a simplified, color coded version of a tool that Chainalysis provides to its customers such as compliance teams at exchanges. The thickness of a band accurately represents the volume of that corridor, it is drawn to scale.

What is the method used to generate the plot?

The chord-plot shows all bitcoin transactions in 2015 traced down all the way back to a known entity. This means that the connection between the entities can be any number of hops away.

So for instance, for the exchanges it will include direct arbitrage, but also the modus operandi for bitcoin: individuals buying bitcoins at an exchange and then doing peer-to-peer transfers. Again this can be any number of hops and then perhaps later end at an exchange again where someone is cashing out.

According to Chainalysis, by hiding all the intermediate steps we can begin to learn how most of the Bitcoin ecosystem is put together (e.g., can it be split into sub systems?, is there a dark and a lit economy?, and what is bitcoin actually used for?).

Legend:

Blue: virtual currency exchanges
Red: darknet markets
Pink: coin mixers
Green: mining pools
Yellow: payment processors

Altogether there are 14 major exchanges tracked in blue including (in alphabetical order): Bitfinex, Bitreserve (now Uphold), Bitstamp, BitVC (subsidiary of Huobi), BTCC (formerly BTC China), BTC-e, Circle, Coinbase (most), Huobi, itBit, Kraken, LocalBitcoins, OKCoin and Xapo.

The identity of 12 exchanges were removed with the exception of BTC-e and LocalBitcoins.

BTC-e was founded in July 2011 and is one of the oldest operating exchanges still around. It does not require users to provide KYC documentation nor has it implemented AML processes. This has made it an attractive exchange for those wanting to remain anonymous.

LocalBitcoins was founded in June 2012 and is a combination of Craigslist and Uber for bitcoin transfers. It enables users to post trade requests on its site and provides escrow and reputation services for the facilitation of those trades. Like BTC-e, it does not require users to provide KYC documentation nor has it implemented AML processes. As a result it is a popular service for those wanting to trade bitcoins anonymously.

SharedCoin (depicted in pink above) is a product / service from Blockchain.info that allows users to mix their coins together with other users. It is one of about a dozen services that attempt to — depending who you talk to — delink the history or provenance of a bitcoin.

Founded in the spring of 2013, Agora (depicted in red above) was the largest known darknet market operating in 2015.

Forward Tracing

For each of the entities labeled on the charts below there is a ‘send to self’ characteristic which in fact are the UTXOs that originate from that entity and ends in unspent funds without first hitting another service. So it can be both cold storage owned by the service or someone hoarding (“hodling”) coins using that service.

Interestingly enough, the deposits held at one VC-backed intermediary almost all stay cold.

Above is LocalBitcoins.

Above is BTC-e.

Above is SharedCoin.

Questions and Answers

I also spoke with the Chainalysis team about how their clustering algorithm worked.

Q: What about all the transactions that did not go between central parties and intermediaries? For instance, if I used my wallet and sent you some bitcoins to your wallet, how much is that in terms of total activity?

A: The analysis above is intended to isolate sub-economies, not to see who is directly trading with who. The Chainalysis team previously did a Chord of that roughly a year ago which shows the all-time history (so early days will be overrepresented) and it was based only on one hop away transactions and normalized to what the team can ascribe to a known service.

The new chord above is different as it continues searching backwards until it locates an identified entity – this means it could have passed through an other either unidentified or less perfectly described service – but as it is same for everything and we have the law of large numbers it will still give a pretty accurate picture of what subeconomies exist. It was made to identify if the Bitcoin network had a dark economy and a lit economy (e.g. if the same coins were moving in circles e.g. dark-market->btc-e->localbitcoin->dark-market and what amount of that loop would include the regulated markets too).

So, for example, the transfers going between the regulated exchanges, many will be multihop transfers, but they start and end in regulated exchanges and as such could be described as being part of the lit economy.

Q: What specific exchange activity can you actually identify?

A: It varies per service but Chainalysis (and others) have access to some “full wallets” from clients. Also newer deposits are often not known so the balance in a wallet will be underestimated due to how the current algorithms work.

Further, some services require special attention and special analytics to be well represented due to their way of transacting – this includes some of the regional dark markets and Coinbase (due to how the company splits and pools deposits, see below). By looking at all the known entities and how many addresses they contain as a percentage of all addresses ever used for bitcoin in all time, Chainalysis has significant coverage and these are responsible for more than half of all transactions ever happened.

Q: And what was the motivation behind building this?

A: The initial purpose of the plot was to identify subsystems and pain points in the ecosystem – the team was at first uncertain of the possibility that every Bitcoin user simply bought bitcoins from exchanges to buy drugs but that does not seem to be the case. Most drug buyers use LocalBitcoins and sellers cash-in via mixers on LocalBitcoins or BTC-e (for the larger amounts).

Q: How large is SharedCoin and other mixers?

A: SharedCoin is currently around 8 million addresses and Bitcoin Fog is 200,000 addresses; they are the two largest.1

Additional analysis

Based on the charts above, what observations can be seen?

With a forward tracing graph we can see where all the unspent bitcoins come from (or are stored). One observation is that intermediaries, in this case exchanges, are holding on to large quantities of deposits. That is to say that many users (likely traders) — despite the quantifiable known risks of trusting exchanges — still prefer to store bitcoins on virtual currency exchanges. Or to look at it another way: exchanges end up with many stagnant bitcoins and what this likely means is that users are buying lots of bitcoins from that exchange and not moving them and/or the exchange itself is holding a lot of bitcoins (perhaps collected via transaction fees or forfeited accounts).2
A lot of the activity between exchanges (as depicted in blue lines) is probably based on arbitrage. Arbitrage means if Exchange A is selling bitcoins for a higher price than Exchange B, Alice will buy bitcoins on Exchange B and transfer them to Exchange A where they are sold for a profit.
Despite the amount of purported wash trading and internal bot trading that several Chinese exchanges are believed to operate, there is still a lot of on-chain flows into and out of Chinese-based exchanges, most likely due to arbitrage.
An unknown amount of users are using bitcoin for peer-to-peer transactions. This may sound like a truism (after all, that’s what the whitepaper pitches in its title), but what this looks like above is that people go to exchanges to transfer fiat currencies for virtual currencies. Then users, using the P2P mechanic of bitcoin (or other virtual currencies), transfer their coins to someone else. We can see this by counting hops between the exchanges.

A potential caveat

Because of how certain architectures obfuscate transactions — such as Coinbase and others — it can be difficult for accurate external data analysis. However with their latest clustering algorithm, Chainalysis’s coverage of Coinbase now extends to roughly the same size of the size of Mt. Gox at its height.3

Why can this be a challenge? Coinbase’s current design can make it difficult for many data analytics efforts to clearly distinguish bitcoins moving between addresses. For instance, when Bob deposits bitcoins into one Coinbase address he can withdraw the deposit from that same address up to a limit. After about two bitcoins are withdrawn, Bob then automatically begins to draw out of a central depository pool making it harder to look at the flow granularly.

Other secondary information also makes it unclear how much activity takes place internally. For instance, in a recent interview with Wired magazine, Coinbase provided the following information:

According to Coinbase, the Silicon Valley startup that operates digital bitcoin wallets for over 2.8 million people across the globe, about 20 percent of the transactions on its network involve payments or other tasks where bitcoin is used as a currency. The other 80 percent of those transactions are mere speculation, where bitcoin is traded as a commodity in search of a profit.

In a subsequent interview with New York Business Journal, Coinbase stated that it “has served 2.9 million people with $3 billion worth of bitcoin transactions.”

It is unclear at this time if all of those transactions are just an aggregation of trades taking place via the custodial wallet or if it also includes the spot exchange it launched last January.

Future research

Publishing cumulative bitcoin balances and the number of addresses for different entities such as exchanges could help compliance teams and researchers better understand the flows between specific exchanges. For instance, a chart that shows what percentage of the 15 million existing bitcoins everyone holds at a given moment over different time intervals.

This leads to the second area: rebittance, a portmanteau of remittance and bitcoin. Last year it was supposed to be the “killer app” for cryptocurrencies but has failed to materialize due in part, to some of the reasons outlined by Save on Send.4 Further research could help identify how much of the flows between exchanges and the peer-to-peer economy is related to cross-border value transfer as it relates to rebittance activity.

And as the market for data analysis grows in this market — which now includes multiple competitors including Coinalytics, Blockseer, Elliptic and Scorechain — it may be worth revisiting other topics that we have looked at before including payment processors, long-chains and darknet markets and see how their clustering algorithms and coverage are comparable.

Conclusions

For compliance teams it appears that the continued flow between illicit corridors (darknet markets) is largely contingent on liquidity from two specific exchanges: BTC-e and LocalBitcoins. In addition, coin mixing is still a popular activity: from this general birds-eye view it appears as if half of the known mixing is directly related to darknet market activity and the motivation behind the other half is unknown.

Based on the information above other economic activity is still dwarfed by arbitrage and peer-to-peer transactions. And lastly, based on current estimates it appears that several million bitcoins are being stored on the intermediaries above.

[Note: special thanks to Michael Gronager and the Chainalysis team for their assistance and feedback on this post.]

There are many regional smaller projects in, for example, smaller European countries whose flows may be underrepresented as they are less known in part because they do not use commonly used languages. However most are likely a part of the long tail of coin distribution. [↩]
There is a spectrum of intermediaries in which bitcoins are stagnant (or active). For instance, in an interview last May, Wences Casares, founder and CEO of Xapo stated:
Still, Casares indicated that Xapo’s customers are most often using its accounts primarily for storage and security. He noted that many of its clientele have “never made a bitcoin payment”, meaning its holdings are primarily long-term bets of high net-worth customers and family offices.

“Ninety-six percent of the coins that we hold in custody are in the hands of people who are keeping those coins as an investment,” Casares continued. [↩]
See also The missing MtGox bitcoins from WizSec [↩]
There are notable exceptions that have gained regional traction including: BitX, Coins.ph and Align Commerce. [↩]

AFA Presentation: Cryptocurrencies, Blockchains and the Future of Financial Services

Posted on January 6, 2016 by Tim Swanson

The slideshow below was first presented at an AFA panel on January 4, 2016 in San Francisco.

Cryptocurrencies, Blockchains and the Future of Financial Services from Tim Swanson

References:

Slide 2: Google Trends
Slide 5: “Long-chains“
Slide 7: Bitcoin Blockchain for Distributed Clearing: A Critical Assessment by Robert Sams and Watermarked tokens and pseudonymity on public blockchains by Tim Swanson
Slide 8: Access to what? Does PSD2 grant access to payment systems? by Remco Boer and Settlement Finality from the European Committee
Slide 12: A proxy for users
Slide 16: Fedcoin by JP Koning, Fedcoin: On the Desirability of a Government Cryptocurrency by David Andolfatto, A Central Bank “cryptocurrency”? An interesting idea, but maybe not for the reason we think by Richard Brown, Which Fedcoin? by Robert Sams, Fedcoin—how banks can survive blockchains by Robin Winkler and Centrally Banked Cryptocurrencies by George Danezis and Sarah Meiklejohn

A proxy for users

Posted on January 3, 2016 by Tim Swanson

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise. Today is the 7th anniversary of the Genesis block.]

With over $900 million invested in cryptocurrency startups over the past couple of years, what does adoption and usage numbers look like?

Unfortunately very few of the companies that have received funding have publicly divulged actual numbers, primarily because consumer uptake has been lower than expected (or promised).

For instance, Coinbase recently published five charts it says reflect growth.

The first chart they show is transactions per day.

However, since we know that most transactions are “long-chain” transactions (comprised of spam, wallet shuffling, coin mixing, mining payouts, faucets, etc.), this is a poor indicator of actual on-chain trade and commerce or adoption.

As illustrated in the chart above, once long-chains are removed, growth (as highlighted in the pink region) is roughly linear since 2014, at ~0.5x per year.

What about Coinbase itself?

Coinbase doesn’t typically divulge much about specifics, however it’s older pitch deck (from September 2014) does give a few details about its users, such as 40% of all Coinbase users are from three states: California, New York and Texas; as well as the amount of deposits that Coinbase holds for each customer.

Slide 14, Coinbase pitch deck

While this number likely has changed in the past 15 months, ignoring the fluctuation in token prices it may be the case that the average deposit per customer has not increased significantly. Why might that be?

Source: Coinbase charts

Above is a 1-year chart produced by Coinbase showing the daily amount of off-chain transactions. Or rather, transactions that take place on their own internal system. As we can see, the volume is roughly the same across all of 2015. If usage actually was increasing or user numbers were growing substantially, then we should be able to see some visible changes upward. This has not occurred.

P2SH

Source: P2SH.info

P2SH, or pay to script hash, is probably the most common method for securing bitcoins (or UTXOs) via multisig. As shown in the two charts above, over the course of 2015 the percentage of existing bitcoins held in P2SH addresses increased from 6% to around 10% today. Though over the past 5 months the amount has effectively plateaued.

According to marketing material, BitGo processes more than 50% of all P2SH transactions (more than all other service providers combined). So this may also be an upward bound indicator of people who are savvy enough to secure their bitcoins via multisig (note: many custodial wallets such as Coinbase and Xapo purportedly secure certain layers of “cold wallets” via multisig and P2SH is just one method of doing so).

Multisig and Top Rich List

Source: Bitcoin Richlist

The chart above visualizes the percent of bitcoins owned by each address balance range.

As of block height 390,000 approximately 98.16% of all bitcoins reside on 513,648 addresses. This is not to say there are only half a million bitcoin users on the planet, as some of the addresses are owned or controlled by multiple people (such as a custodial wallet or exchange). But it is probably a pretty good proxy of on-chain users — users who actually control the private key and do not use an intermediary.

This is roughly twice as many on-chain users as twenty-one months ago (in April 2014) — at block height 295,000 — when I first started looking at this source.1

One interesting trend that ties in with the multisig window above is that at one point as recently as April 2014, none of the Top 500 addresses were using multisig. But over the past year, as seen by the “3” prefix at the start of addresses, we can visibly see several dozen Top 500 addresses that now use multisig (note: some of the other addresses may use hardware wallets such as Trezor, Ledger or Case and not use multisig).

ATMs

Source: CoinATMRadar

I once heard a Bitcoin reporter tell me in the August 2014 that BitAccess was on track to be the first billion dollar Bitcoin company. Whoops!

As we know empirically, the ATM industry in general is very low margin; companies make it up on volume which none of these startups have been able to thus far. Despite the hype, over the past a grand total of 536 Bitcoin ATMs have been installed, roughly 275 per year.

For comparison, according to the ATM Association there are roughly 3 million ATMs globally.

Can’t this change in the future? Perhaps, but recall that the average two-way (roundtrip) Bitcoin ATM fee is ~11% and there are only a handful located in emerging markets. Why is the fee relatively high? Because ATM owners are not operating charities and want to turn a profit. If Bitcoin adoption truly was going gang busters you would expect this number to be growing exponentially and not linearly.

Bitcoin volatility

Admittedly this chart doesn’t have to deal with adoption. There is no scientific correlation between the amount of usage or users of cryptocurrencies and the volatility of its trading pairs.

The reason I have included this is because in the Coinbase post above they state that bitcoin volatility is decreasing… relative to the Russian ruble and Brazilian real. Yet from the volatility chart above, it is clear that volatility has not really decreased. The BTC/USD volatility may be less than what it was in 2012, but on any given day it is still 10x more volatile than CNY/USD and 6x more volatile than USD/EUR — trading pairs that represent the real lionshare of global economic activity.

VC Funding

Source: btcuestion / Coindesk

The chart above was created by user “btcuestion” and is based on data in the Coindesk venture investment spreadsheet. It is a month by month bar chart over the course of the past two years.

What it shows is that VC investment in cryptocurrency-related startups peaked in Q1 2015. Yet, the bulk of the Q1 investments came from the 21inc announcement which itself was an aggregation of its previous rounds that had taken place over the previous 18 months. So funding may have actually peaked in Q4 2014.2

What this probably illustrates is that aside from a couple of permabull investors (such as Boost and Pantera), most serious venture capital has decided to wait and see how the dust settles before investing anything in this space. Why? Basically there has been no product market fit and few viable business models.3 Sure there has been a lot of publicity, but as Kevin Collier recently explored, there does not appear to be any permanent impact of say: Bitpay sponsoring a college bowl game last year.4

Bitwage activity

Source: Bitwage

Source: Bitwage

The two charts above both come from Bitwage, a startup that converts payrolls into bitcoins. Ignoring the drop-off in January 2016 (it is the beginning of a new month), for most of 2015 there were roughly 200-300 new user signups each month and about $250,000 in salaries converted as well.

Again, this is not to say that Bitwage’s service is not useful, rather that if there was increased bitcoin growth and adoption, then one proxy could be through payroll conversion. However, as shown above, growth is linear not exponential.

Blockchain.info wallets

Source: Blockchain.info

Above is a 2-year, nearly linear line chart from Blockchain.info depicting the “My Wallet” Number of Users. It bears mentioning that many people still use Blockchain.info wallets like a “temporary” wallet (or burner wallet) for coin mixing, yet despite the rapid creation rate for this purpose even if we look just at the last 6 months, it is not close to being exponential.

Hash rate

Source: Blockchain.info

But what about hash rate? It has continually gone up and to the right the last few months, surely this is an indicator of mass adoption?

All hash rate is measuring is the amount of work being generated by an unknown amount of computers (typically ASICs) somewhere on the planet. Hash rate typically rises when the price of bitcoins rise and falls when the price of bitcoins fall (see Appendix B). Since prices have nearly doubled over the past four months then it stands to reason that hash rate would correspondingly increase as hashing farms deploy new capital.5

Unless each site is inspected, it’s difficult to tell if there are more hashing farms and equipment and therefore “more users.” However, what we do know is that there are roughly the same amount of pools today (~20) as there were three years ago.6

Counterparty

Source: Blockscan

Counterparty is an embedded consensus system (see section 1): an asset issuance platform that effectively staples itself onto the Bitcoin blockchain.

As shown above, on a given day roughly 500-1000 transactions take place through the platform. According to Laurent MT, the spikes may be related to the weekly distribution of LTBCoins. And again, despite turnkey services and vending machines such as Tokenly and CoinDaddy (and CounterpartyChain), overall growth on the ECS has effectively plateaued over the past year.

Conclusion

Bitcoin is a solution and service provider for those who hold bitcoins. Despite the fanfare, the conferences and the perpetual feel-good op-eds in Techcrunch, the only people who seem to use it regularly seven years later are a niche demographic group: young, white, tech-savvy men in North America and Western Europe. Many of whom have access to multiple other payment networks and asset classes for investment.

As a result, it is probably not a surprise that instead of using bitcoins to pay for coffee on-chain each day, most private key owners prefer to “hodl” or use intermediaries. This may make sense for those with low time preferences, but it shouldn’t then come as a surprise that there are few, if any metrics that show wide-scale adoption beyond this core demographic. Will this change in 2016 or will the “great pivot” continue?

Spam and dust (such as “tips”) likely represents the remaining 1.84% of all bitcoins (located on 99% of all addresses). [↩]
Funding has instead switched over to the fledgling non-cryptocurrency distributed ledger industry. [↩]
Anecdotally, it appears that Coins.ph, BitX and Align Commerce have each gained actual traction in their respective regions. [↩]
Stephen Pair provided a new chart for Forbes which purportedly shows a large uptick in transactions processed. This “surge” occurred during the same month as Bitcoin Black Friday and should be looked at again in the following months to see if it was a one-off event. [↩]
There are also stories of new chips supposedly being deployed. In practice hashing farms do the Red Queen race: replace a machine… with another machine that uses the same amount of energy. [↩]
The claim that 21inc or other mining chip manufacturers will “redecentralize mining” is a misnomer. Mining and hashing are not the same thing. Unless a hashing operator also runs a fully validating node, then they are part of the outsourcing process. More people may be hashing as part of the 21inc botnet, but not mining (mining is defined as selecting transactions to include in blocks; hashers do not do this activity, pools do). [↩]

Anchor’s aweigh

Posted on January 2, 2016 by Tim Swanson

One comment I have noticed continually re-appear on social media over the last couple months is roughly the following:

If you’re building a new blockchain you should regularly take a hash of the network state and “anchor” it (write it) into another blockchain, for redundancy purposes.

This “anchor” idea has appeared in public material from BitFury, Factom, Tierion, Gil Luria and now 21inc (a VC-backed botnet operator).

Part of the current popularity in the anchoring meme is that some cryptocurrency enthusiasts and Bitcoin maximalists in particular want other non-cryptocurrency distributed ledgers to rely on existing cryptocurrency networks — networks that some enthusiasts own tokens to and hope that price appreciation will take place in the event that the network is used.

Ignoring the hypothetical monetary incentives, let’s assume that writing/storing network states externally is useful and it is the goal of every blockchain designers such as Bob and Alice. Are other blockchains the only relevantly secure places that all blockchain designers should look at using?

Probably not.

For instance, if the goal is to publish a hash of a state in a media that is difficult to censor and widespread enough to retrieve over time, then there are several “old school” newspapers and magazines that can be used for such purposes (which is what Guardtime does).

For instance:

There are half a dozen Japanese newspapers that each have over 2 million in circulation.
In the UK, both The Sun and Daily Mirror have a circulation of over 1.5 million
Similarly, in the US, there are three companies: USA Today, The New York Times and The Wall Street Journal that also have a circulation of over 1.5 million

The question for the paranoid is, what is more likely: someone deliberately destroying and/or replacing 1.5 million newspapers which contain the hash of the network state, or someone knocking out 5,728 network nodes?

While “anchoring” the hash of state into other media may be useful, leaving it in just one blockchain — such as the Bitcoin blockchain — does not fully reduce the risk of a well-funded attacker trying to revise history. Safety in this case comes in numbers and if it is redundancy Bob and Alice are looking for (and paranoid about), it may be worth it to publish hashes in multiple venues and media.

Similarly, if sustainability is a key concern then public goods such as cryptocurrencies have a question mark on them as well. Why? Because there are over 100 dead altcoins now. Convincing users — and more importantly miners — to maintain a network when it is no longer profitable to do so is an uphill challenge.1

Lastly, a well designed network (or distributed ledger in this case) that is robust and mature should not necessarily rely on “anchoring” at all. But this dovetails into a different conversation about how to design a secure network, a topic for another post. Either way, hash-storage-as-service, is probably not the next big trillion dollar idea for 2016.

It’s a challenge for any public good, not just Bitcoin, that eventually relies solely on altruism and charity. [↩]

The evolving distributed ledger tech landscape

Posted on December 19, 2015 by Tim Swanson

Yesterday I gave an abbreviated presentation based on R3CEV research first publicly shown at the GaiaX – Blockchain University event “Blockchain Summit” held in Tokyo.

[The tech landscape surrounding distributed ledgers]

[Japanese translation 日本語]

Note: below are the citations and notes for several of the slides:

Slide 3: The companies in the red square boxes are some of the startups that are primarily trying to create non-cryptocurrency distributed ledgers. (Source: Startup Management)
Slide 6: CB Insights
Slide 7: CNN|Money
Slide 9: Twitter
Slide 10: CoinDesk Venture Capital aggregation
Slide 13: The great pivot or just this years froth? and NY Post estimate
Slide 15: Field of Dreams image in reference to the model that you build it first with the hope that customers come
Slide 19: One example of this euphemism is from Adam Draper (and a similar reference point on Twitter). Each of these five companies has a couple product lines, one of which focuses on cryptocurrencies in a non-marginal manner.
Slide 21: This list could include a number of others including Tezos (DLS) and a handful of other startups including a couple in Japan
Slide 22: Aite Group
Slide 23: Collective head count for these companies is just under 100 and total funding raised (that is publicly announced) is around $10 million. There are still more companies trying to build foundational layers (some proprietary, others open) than teams building applications on top. Legend in parenthesis: E=Ethereum, R=Ripple, CP=Counterparty, OA=OpenAssets, TM=Tendermint
Slide 24: Most of the large non-bank financial institutions such as clearing houses and exchanges all have working groups focused on distributed ledger technology (e.g., CLS, SWIFT, LSEG, CME, Nasdaq, Deutsche Borse, DTCC). The Linux Foundation project is in its formative stage.

Watermarked tokens and pseudonymity on public blockchains

Posted on November 18, 2015 by Tim Swanson

As mentioned a couple weeks ago I have published a new research paper entitled: “Watermarked tokens and pseudonymity on public blockchains”

In a nutshell: despite recent efforts to modify public blockchains such as Bitcoin to secure off-chain registered assets via colored coins and metacoins, due how they are designed, public blockchains are unable to provide secure legal settlement finality of off-chain assets for regulated institutions trading in global financial markets.

The initial idea behind this topic started about 18 months ago with conversations from Robert Sams, Jonathan Levin and several others that culminated into an article.

The issue surrounding top-heaviness (as described in the original article) is of particular importance today as watermarked token platforms — if widely adopted — may create new systemic risks due to a distortion of block reorg / double-spending incentives. And because of how increasingly popular watermarked projects have recently become it seemed useful to revisit the topic in depth.

What is the takeaway for organizations looking to use watermarked tokens?

The security specifications and transaction validation process on networks such as the Bitcoin blockchain, via proof-of-work, were devised to protect unknown and untrusted participants that trade and interact in a specific environment.

Banks and other institutions trading financial products do so with known and trusted entities and operate within the existing settlement framework of global financial markets, with highly complex and rigorous regulations and obligations. This environment has different security assumptions, goals and tradeoffs that are in some cases opposite to the designs assumptions of public blockchains.

Due to their probabilistic nature, platforms built on top of public blockchains cannot provide definitive settlement finality of off-chain assets. By design they are not able to control products other than the endogenous cryptocurrencies they were designed to support. There may be other types of solutions, such as newer shared ledger technology that could provide legal settlement finality, but that is a topic for another paper.

This is a very important issue that has been seemingly glossed over despite millions of VC funding into companies attempting to (re)leverage public blockchains. Hopefully this paper will help spur additional research into the security of watermarking-related initiatives.

I would like to thank Christian Decker, at ETH Zurich, for providing helpful feedback — I believe he is the only academic to actually mention that there may be challenges related to colored coins in a peer-reviewed paper. I would like to thank Ernie Teo, at SKBI, for creating the game theory model related to the hold-up problem. I would like to thank Arthur Breitman and his wife Kathleen for providing clarity to this topic. Many thanks to Ayoub Naciri, Antony Lewis, Vitalik Buterin, Mike Hearn, Ian Grigg and Dave Hudson for also taking the time to discuss some of the top-heavy challenges that watermarking creates. Thanks to the attorneys that looked over portions of the paper including (but not limited to) Jacob Farber, Ryan Straus, Amor Sexton and Peter Jensen-Haxel; as well as additional legal advice from Juan Llanos and Jared Marx. Lastly, many thanks for the team at R3 including Jo Lang, Todd McDonald, Raja Ramachandran and Richard Brown for providing constructive feedback.

Watermarked Tokens and Pseudonymity on Public Blockchains

What challenges arise when trying to scale watermarked tokens on Bitcoin?

Posted on November 18, 2015 by Tim Swanson

[Note: the following overview on scaling Bitcoin was originally included in a new paper but needed to be removed for space and flow considerations]

Looking in the past, the older Viceroy overlay network scaled at O(logN) where N is the number of peers which is different than the contentious scaling in Bitcoin, where even Core developers do not agree on how per node bandwidth actually scales.1

For instance, one group of developers thinks that per node bandwidth on the Bitcoin network scales linearly, O(n).2

The use of O(n) is a way of capturing simply whether something scales linearly or not. O(n) means: if it takes 5 seconds to do something when there are 10 nodes, it will take 50 seconds if there are 100. An example would be washing the dishes. It takes 30 seconds per plate and you just keep going one plate after another.

In contrast, another group of developers believes bandwidth requirements squares per node, which reads as O(n²).3

O(n²) means: if it takes 5 seconds to do something when there are 10 nodes, it will take 5 hundred seconds if there are 100. O(x) notation is an approximate. That is to say, while you have increased the number of items by a factor of 10, the time taken increased by a factor of about 100.

An example here might be if Bob needs to broker bilateral contracts between all the members of a new limited partnership fund. Four partners would require six bilateral NDAs in total. Eight partners would require 24. Thus if Bob doubled the number of partners he would need more than four times as many contracts executing.4

One calculation (BitFury 2015a) implies that in terms of block verification time, Bitcoin scales at: N(1 + 0:091 log2 N).5 For comparison, Ripple’s consensus ledger also has O(n²) scaling.6 7

What does this have to do with watermarked tokens?

As described in (Breitman 2015c):8

[C]olored coins are potentially nefarious to the Bitcoin ecosystem. The security of Bitcoin rests on the assumption that miners stand to lose more by departing from consensus than they stand to gain. This assumption requires a balance between the reward received by miners, and the amounts they might stand to gain by reversing transactions. If colored coins represent valuable assets, this balance might be upset, endangering the status of all transactions.

A consequence of the hold-up problem is that it could lead to vertical integration. That is to say, to prevent this type of event (holding up the whole network) from happening in the future, colored coin platforms could acquire (or build) hashing facilities and pools.

Yet if they did this, not only would they need to increase expenditures by several orders of magnitude – which is the very reason they wanted to piggy back off the existing infrastructure to begin with – but they would effectively be building a permissioned network, with very high marginal costs.

In (Breitman 2015c) the author uses a car analogy to describe the cantankerous situation colored coins have created.9

In the analogy, the author explores an alternative universe in which the car was recently created and new owners foresaw the ability to use the car in many different ways, including a new “application” called shipping.

Source: Arthur Breitman

In this scenario, the car owners unilaterally dismissed unproven alternative “truck technology” and instead designed a solution for shipping: bolt a new wooden layer on top of four cars, much like watermarked platforms bolt themselves on top of Bitcoin.

But what about all the various mechanical challenges that came with this new ad hoc design?

Breitman makes the point that, though the same functionality of a truck can be achieved by putting a slab of wood on top of four cars, choosing it as a solution when other options exist is not effective. Similarly, in the context of a closed system, it makes little sense to rely on bitcoind, though inexperienced developers may have a bias towards it:

To be sure, they were several problems with the design. The aerodynamics were atrocious, but that could be somewhat alleviated by placing a tent over the contraption. Turning was initially difficult, but some clever engineers introduced swivels on top of the car, making the process easier. The cars would not always stay at the same speed, but using radio communication between the drivers more or less remedied the issue.

But, truck technology? Well that was unproven, and also trucks looked a lot like train wagons, and the real innovation was the car, so cars had to be used!

Where am I going with this? A large number of projects in the space of distributed ledgers have been peddling solutions involving the use of colored coins within permissioned ledgers. As we’ve explained earlier, colored coins were born out of the near impossibility of amending the code base of Bitcoin. They are first and foremost a child of necessity in the Bitcoin world… a necessary evil, a fiendish yet heroic hack unlocking new functionality at a dire cost.

One could argue that reusing the core bitcoind code offers the benefit of receiving downstream bug fixes from the community. This argument falls flat as the gist of such fixes can be incorporated into any implementation. Issues encountered by Bitcoin have ranged from a lack of proper integer overflow checking to vulnerabilities with signature malleability. Such issues can potentially affect any blockchain implementation; the difficulty lies in identifying them, not in producing a patch to fix them, a comparatively straightforward process. Of course, other bugs might be introduced when developing new functionalities, but the same is true regardless of the approach undertaken.

Basing a fresh ledger, independent from the Bitcoin blockchain, on a colored coin implementation is nothing short of perversion. It is akin to designing a truck using a wooden board bolted on the top of four cars. If, for some reason, the only type of vehicle that could use a highway were sedans, that solution might make sense. But if you have the chance to build a truck and instead chose to rig a container on top of a few cars then perhaps you should first learn how to engineer trucks.

As explored in the game theory model in Appendix B and car example above, there are real security issues with using this specific layered approach in both permissionless and permissioned systems.

The typical excuse for going such route is that building a new blockchain from scratch (e.g., Ethereum, Zerocash, Tendermint, Tezos) delays market entry and could make your startup fall behind the competition.

While it may be true that spending a year or more to purposefully design a new distributed ledger network from scratch will take significant time and resources, the reasons for doing (better security and scalabity) outweigh the downsides (systemic risks and vulnerabilities). Future research should also build models with additional agents.

It also bears repeating that based on the model presented in Appendix B, if the cost of attack is very high, the more plausible outcome is to not attack. However, if it is very attractive to attack there could have a different outcome that is worth further research.

See A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al. p. 10 and Big-O scaling by Gavin Andresen [↩]
Over the past five months there have been volumes of emails, forum posts and panel discussions on the topic of how Bitcoin can and does scale. One thread that is recommended to readers is a recent reddit debate between Mike Hearn (mike_hearn) and Greg Maxwell (nullc). [↩]
Why do people say that bitcoin scales according to O(n^2)? from StackExchange [↩]
I would like to thank Richard Brown for this example and illustration. [↩]
Block Size Increase from BitFury Group, p. 5 [↩]
See p. 9 from Ripple Protocol Consensus Algorithm Review by Peter Todd [↩]
Surveying literature we can see that historically there have been dozens of attempts to create decentralized peer-to-peer reputation systems that needed to be self-organizing, Sybil-resistant, fault tolerant as well as the ability to scale. A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al.; A Survey of Attack and Defense Techniques for Reputation Systems by Kevin Hoffman, David Zage and Cristina Nita-Rotaru; and Survey of trust models in different network domains by Mohammad Momani and Subhash Challa [↩]
Making sense of colored coins by Arthur Breitman [↩]
Ibid [↩]

A brief literature review

Posted on November 18, 2015 by Tim Swanson

[Note: the following literature review was originally included in a new paper but needed to be removed for space and flow considerations]

How has previous research looked at information security?

Academic literature covering distributed computing and economics of information security and specifically peer-to-peer networks “Before Bitcoin” spans several decades.

Surveying literature (Lua et al. 2004; Hoffman et al. 2007; Momani and Challa 2009) we can see that there have been dozens of attempts to create decentralized peer-to-peer reputation systems that needed to be self-organizing, Sybil-resistant and fault tolerant.1

For instance, the Content Addressable Network (CAN), Chord, Kademlia and the Cooperative File System (CFS) each had a variety of characteristics that attempted to stave off abuse from attackers due to the environments they operated in (e.g., a distributed decentralized P2P infrastructure). Some used public-private key pairs, content hashes and others used NodeID.

These surveys also looked at Distributed Hash Trees (DHT) which have been known to be vulnerable to a number of attacks including Eclipse attacks, where the peering network itself comes under attack (which Bitcoin’s network is also prone to).2

What about other game theory issues? For example in (Lua et al., 2004) the authors wrote that:3

The ability to overcome free-rider problems in P2P overlay networks will definitely improve the system’s reliability and its value.

Sybil attacked termed by Douceur4 described the situation whereby there are a large number of potentially malicious peers in the system and without a central authority to certify peers’ identities. It becomes very difficult to trust the claimed identity. Dingledine et al.,5 proposes puzzles schemes, including the use of micro-cash, which allows peers to build up reputations. Although this proposal provides a degree of accountability, this still allows a resourceful attacker to launch attacks.

This is the same problem discussed above, that (Rosenfeld 2012) runs into regarding how to pay nodes on an open network.

How do these researchers believe it could be solved or fixed? According to (Lua et al., 2004):6

Having some sort of incentive model using economic and game theories, for P2P peers to collaborate is crucial to create an economy of equilibrium. When non-cooperative users benefit from free-riding on others’ resources, the tragedy of the commons7 is inevitable. Such incentives implementation in P2P overlay services would also provide a certain level of self-regulatory auditing and accounting behavior for resource sharing.

As shown above, despite rhetoric at Bitcoin-related conferences, many of the challenges facing Bitcoin today are in fact known problems facing decentralized peer-to-peer networks in general. The problem space for preventing Sybil attacks was and is relatively well-defined, Bitcoin again side-steps the actual solution by making it economically expensive, but not technically impossible to conduct history-reversing attacks, or even Sybil attacks on the gossip network.

P2Prep is a reputation system designed to “mitigate the effects of selfish and malicious peers in an anonymous, completely decentralized system.”8

How did it do this?

The system guards the anonymity of users and the integrity of packets through the use of public key cryptography. All replies are signed using the requester’s public key, protecting the identity of the responder and the integrity of the data. Only the requester is able to decrypt the packet and check the validity of the information.9

Credence (Walsh and Sirer 2006) is another peer-to-peer reputation system that uses gossip-based techniques to disseminate information.10 It defends itself:11

A key security consideration in the Credence system is the use of mechanisms to prevent spoofed votes or votes generated by fake identities. The system guards against such attacks by issuing digital certificates in an anonymous but semi-controlled fashion. The authors propose to mitigate Sybil attacks by requiring expensive computation on the part of the client before the server grants a new digital certificate. Every voting statement is digitally signed by the originator and anyone can cryptographically verify the authenticity of any given voting statement.

In (Momani and Challa 2010) the authors looked at security and trust concepts surrounding wireless sensor networks (WSN). At first glance this may seem unrelated to peer-to-peer networks but there are many similarities:12

The security issue has been raised by many researchers [14 – 24], and, due to the deployment of WSN nodes in hazardous and/or hostile areas in large numbers, such deployment forces the nodes to be of low cost and therefore less reliable or more prone to overtaking by an adversary force. Some methods used, such as cryptographic authentication and other mechanisms [25 – 32], do not entirely solve the problem. For example, adversarial nodes can have access to valid cryptographic keys to access other nodes in the network. The reliability issue is certainly not addressed when sensor nodes are subject to system faults. These two sources of problems, system faults and erroneous data or bad routing by malicious nodes, can result in the total breakdown of a network and cryptography by itself is insufficient to solve these problems. So new tools from different domains social sciences, statistics, e-commerce and others should be integrated with cryptography to completely solve the unique security attacks in WSNs, such as node capturing, Sybil attacks, denial of service attacks, etc.

In their survey they identified previous research that had looked at some of these same issues including In (Xiong and Liu 2003) where the authors attempted to build a reputation-based trust model for peer-to-peer distributed commerce platforms and use game theory to ameliorate the trust parameters by threats from malicious attacks.13

Going back more than fifteen years we can see that other researchers (Lamport 1998) and (Castro and Liskov 1999), that successful attempts were made to “use cryptographic techniques to prevent spoofing and replays and to detect corrupted messages” on a network that replicates services in the face of Byzantine faults.14

Volumes more can and will likely be written covering the research on these specific topics due in large part to the integral role that different types of information and financial networks play in the lives of consumers and businesses alike.

A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al.; A Survey of Attack and Defense Techniques for Reputation Systems by Kevin Hoffman, David Zage and Cristina Nita-Rotaru; and Survey of trust models in different network domains by Mohammad Momani and Subhash Challa [↩]
Eclipse Attacks on Bitcoin’s Peer-to-Peer Network by Heilman et al. [↩]
A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al., p. 11 [↩]
J. R. Douceur, “The sybil attack,” in Proceedings of the First International Workshop on Peer-to-Peer Systems , March 7-8 2002, pp. 251– 260. [↩]
R. Dingledine, M. J. Freedman, and D. Molnar, “Accountability measures for peer-to-peer systems,” in Peer-to-Peer: Harnessing the Power of Disruptive Technologies , D. Derickson, Ed. O’Reilly and Associates, November. [↩]
A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al., p. 20 [↩]
G. Hardin, “The tragedy of the commons,” Science , vol. 162, pp. 1243– 1248, 1968. [↩]
A Survey and Comparison of Peer-to-Peer Overlay Network Schemes by Lua et al., p. 28. Among other startups, Mnet was a peer-to-peer distributed data store, whose (former) employees would go on to help create BitTorrent and Tahoe-LAFS. This was during the same survey period. [↩]
Ibid, p. 29 [↩]
Experience with an Object Reputation System for Peer-to-Peer Filesharing by Kevin Walsh and Emin Gün Sirer [↩]
A Survey of Attack and Defense Techniques for Reputation Systems by Kevin Hoffman, David Zage and Cristina Nita-Rotaru, p. 30 [↩]
Survey of trust models in different network domains by Mohammad Momani and Subhash Challa [↩]
A Reputation-Based Trust Model for Peer-to-Peer eCommerce Communities by Li Xiong and Ling Liu [↩]
Practical Byzantine Fault Tolerance by Miguel Castro and Barbara Liskov. According to Leslie Lamport, in The Part-Time Parliament, p. 23: “The Paxon Parliament protocol provides a distributed, fault-tolerant imiplmentation of the database system.” [↩]

Creative angles of attacking proof-of-work blockchains

Posted on November 5, 2015 by Tim Swanson

[Note: the following views were originally included in a new paper but needed to be removed for space and flow considerations]

While most academic literature has thus far narrowly focused under the assumption that proof-of-work miners such as those used in Bitcoin will behave according to a “goodwill” expectation, as explored in this paper, there may be incentives that creative attackers could look to exploit.

Is there another way of framing this issue as it relates to watermarked tokens such as colored coins and metacoins?

Below are comments from several thought-leaders working within the industry.

According to John Light, co-founder of Bitseed:1

When it comes to cryptocurrency, as with any other situation, an attacker has to balance the cost of attacking the network with the benefit of doing so. If an attacker spends the minimum amount required to 51% attack bitcoin, say $500 million, then the attacker needs to either be able to short $500 million or more worth of BTC for the attack to be worth it, or needs to double spend $500 million or more worth of BTC and receive some irreversible benefit and not get caught (or not have consequences for getting caught), all while taking into consideration the loss of future revenues from mining honestly. When you bring meta-coins into the equation, things get even murkier; the cost is less dependent on the price of bitcoin or future mining revenues, and depends more on the asset being attacked, whether it’s a stock sale or company merger that’s being prevented, or USD tokens being double-spent.

There’s no easy answer, but based on the economics of the situation, and depending on the asset in question, it doesn’t seem wise to put more value on chain than the market cap of BTC itself (as a rough benchmark – probably not that exact number, but something close to it).

Not a single study has been publicly published looking at this disproportionalism yet it is regularly touted at conferences and social media as a realistic, secure, legal possibility.

According to Vitalik Buterin, creator of Ethereum:2

There are actually two important points here from an economics perspective. The first is that when you are securing $1 billion on value on a system with a cryptoeconomic security margin that is very small, that opens the door to a number of financial attacks:

Short the underlying asset on another exchange, then break the system
Short or long some asset at ultrahigh leverage, essentially making a coin-flip bet with a huge amount of money that it will go 0.1% in one direction before the other. If the bet pays off, great. If it does not pay off, double spend.
Join in and take up 60%+ of the hashrate without anyone noticing. Then, front-run everyone. Suppose that person A sends an order “I am willing to buy one unit of X for at most $31”, and person B sends an order “I am willing to sell one unit of X for at least $30”. As a front-runner, you would create an order “I am willing to sell one unit of X for at least $30.999” and “I am willing to buy one unit of X for at most $30.001”, get each order matched with the corresponding order, and earn $0.998 risk-free profit. There are also of course more exotic attacks.

In fact, I could see miners even without any attacks taking place front-running as many markets as they can; the ability to do this may well change the equilibrium market price of mining to the point where the system will, quite ironically, be “secure” without needing to pay high transaction fees or have an expensive underlying currency.

The second is that assets on a chain are in “competition” with each other: network security is a public good, and if that public good is paid for by inflation of one currency (which in my opinion, in a single-currency-chain environment, is economically optimal) then the other currencies will gain market share; if the protocol tries to tax all currencies, then someone will create a funky meta-protocol that “evades taxes by definition”: think colored coins where all demurrage is ignored by definition of the colored coin protocol. Hence, we’ll see chains secured by the combination of transaction fee revenue and miner front running.

Unsolved economics question: would it be a good thing or a bad thing if markets could secure themselves against miner frontruns? May be good because it makes exchanges more efficient, or bad because it removes a source of revenue and reduces chain security.

Cryptoeconomics is a nascent academic field studying the confluence of economics, cryptography, game theory and finance.3

Piotr Piasecki, a software developer and independent analyst explained:4

If a malicious miner sees a big buy order coming into the market that would move the price significantly, they can engage in front running – the buy order could be pushed to the back of the queue or even left out until the next block, while the miner buys up all of the current stock and re-lists it at a higher price to turn a profit. Alternatively, when they see there is a high market pressure coming in, especially in systems that are inefficient by design, they can buy the orders up one by one by using their power to include any number of their own transactions into a block for free, and similarly re-list them for people to buy up.

Or in other words, because miners have the ability to order transactions in a block this creates an opportunity to front run. If publicly traded equities are tracked as a type of colored coin on a public blockchain, miners could order transaction in such a way as to put certain on-chain transactions, or trades in this case, to execute before others.

Robert Sams, co-founder of Clearmatics, previously looked at the bearer versus registered asset challenge:5

One of the arguments against the double-spend and 51% attacks is that it needs to incorporate the effect a successful attack would have on the exchange rate. As coloured coins represent claims to assets whose value will often have no connection to the exchange rate, it potentially strengthens the attack vector of focusing a double spend on some large-value colour. But then, I’ve always thought the whole double-spend thing could be reduced significantly if both legs of the exchange were represented on a single tx (buyer’s bitcoin and seller’s coloured coin).

The other issue concerns what colour really represents. The idea is that colour acts like a bearer asset, whoever possesses it owns it, just like bitcoin. But this raises the whole blacklisted coin question that you refer to in the paper. Is the issuer of colour (say, a company floating its equity on the blockchain) going to pay dividends to the holder of a coloured coin widely believed to have been acquired through a double-spend? With services like Coin Validation, you ruin fungibility of coins that way, so all coins need to be treated the same (easy to accomplish if, say, the zerocoin protocol were incorporated). But colour? The expectations are different here, I believe.

On a practical level, I just don’t see how pseudo-anonymous colour would ever represent anything more than fringe assets. A registry of real identities mapping to the public keys would need to be kept by someone. This is certainly the case if you ever wanted these assets to be recognised by current law.

But in a purely binary world where this is not the case, I would expect that colour issuers would “de-colour” coins it believed were acquired through double-spend, or maybe a single bitcoin-vs-colour tx would make that whole attack vector irrelevant anyway. In which case, we’re back to the question of what happens when the colour value of the blockchain greatly exceeds that of the bitcoin monetary base? Who knows, really depends on the details of the colour infrastructure. Could someone sell short the crypto equity market and launch a 51% attack? I guess, but then the attacker is left with a bunch of bitcoin whose value is…

The more interesting question for me is this: what happens to colour “ownership” when the network comes under 51% control? Without a registry mapping real identities to public keys, a pseudo-anonymous network of coloured assets on a network controlled by one guy is just junk, no longer represents anything (unless the 51% hasher is benevolent of course). Nobody can make a claim on the colour issuer’s assets. So perhaps this is the real attack vector: a bunch of issuers get together (say, they’re issuers of coloured coin bonds) to launch a 51% attack to extinguish their debts. If the value of that colour is much greater than cost of hashing 51% of the network, that attack vector seems to work.

On this point, Jonathan Levin, co-founder of Chainalysis previously explained that:6

We don’t know how much proof of work is enough for the existing system and building financially valuable layers on top does not contribute any economic incentives to secure the network further. These incentives are fixed in terms of Bitcoin – which may lead to an interesting result where people who are dependent on coloured coin implementations hoard bitcoins to attempt to and increase the price of Bitcoin and thus provide incentives to miners.

It should also be noted that the engineers and those promoting extensibility such as colored coins do not see the technology as being limited in this way. If all colored coins can represent is ‘fringe assets’ then the level of interest in them would be minimal.

Time will tell whether this is the case. Yet if Bob could decolor assets, in this scenario, an issuer of a colored coin has (inadvertently) granted itself the ability to delegitimize the bearer assets as easily as it created them. And arguably, decoloring does not offer Bob any added insurance that the coin has been fully redeemed, it is just an extra transaction at the end of the round trip to the issuer.

Personal correspondence, August 10, 2015. Bitseed is a startup that builds plug-and-play full nodes for the Bitcoin network. [↩]
Personal correspondence, August 13, 2015. [↩]
See What is cryptoeconomics? and Formalizing Cryptoeconomics by Vlad Zamfir [↩]
Mining versus Consensus algorithms in Crypto 2.0 systems by Piotr Piasecki [↩]
As quoted in: Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? by Tim Swanson; reused with permission. [↩]
This example originally comes from Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? by Tim Swanson; reused with permission. [↩]

A few known Bitcoin mining farms

Posted on November 4, 2015 by Tim Swanson

[Note: the following overview on known Bitcoin mining farms was originally included in a new paper but needed to be removed for space and flow considerations]

Several validators on the Bitcoin network, as well as many watermarked token issuers, are identifiable and known.1 What does this mean? Many Bitcoin validators are drifting usage outside the pseudonymous context of the original network due to their use of specialty equipment that creates a paper trail. In other words, pseudonymity has given way to real world identity. Soon issuers of color will likely follow because they too have strong ties to the physical, off-chain world.

For instance, on August 4, 2015, block 368396 was mined by P2Pool. This is notable for two reasons.

The first is that the block included a transaction sent from Symbiont.io, a NYC-based startup building “middleware” that enables organizations and financial institutions to create and use ‘smart securities’ off-chain between multiple parties and have the resulting transaction hashed onto a blockchain, in this case, the Bitcoin blockchain.2

Several weeks later, Symbiont announced that it would begin using their “stack” to provide similar functionality on a permissioned ledger.3 This follows a similar move by T0.com – a wholly owned subsidiary of Overstock.com – which initially used Open Assets to issue a $5 million “cryptobond” onto the Bitcoin blockchain, but have subsequently switched to using a “blockchain-inspired” system designed by Peernova.4 5 6

The second reason this was notable is that the block above, 368396, included at least one transaction from Symbiont which was mined by a small pool called P2Pool.7 Unlike other pools discussed in this paper, P2Pool is not continually operated in a specific region or city.

It is decentralized in that all participants (hashers) must run their own full Bitcoin nodes which stand in contrast with pools such as F2Pool, KnC mining pool and BTCC (formerly called BTC China), where the pool operator alone runs the validating node and the labor force (hashers) simply search for a mid-state that fulfills the target difficulty.8

Due to this resource intensive requirement (running a full node requires more bandwidth and disk space than merely hashing itself), P2Pool is infrequently used and consequently comprises less than 1% of the current network hashrate.

P2Pool’s users are effectively pseudonymous. Due to the intended pseudonymity it is also unclear where the transaction fees and proceeds of hashing go. For instance, do the hashers comprising this pool benefit from the proceeds of illicit trade or reside in sanctioned countries or who to contact in the event there is a problem? And unlike in other pools, there is no customer service to call and find out.

Bitcoin’s – and P2Pool’s – lack of terms of service was intentionally done by design (i.e., caveat emptor). And in the event of a block reversal, censored transaction or a mere mistake by end-users, as noted above there is no contract, standard operating procedure or EULA that mining pools (validators) must adhere to. This is discussed in section 3.

This pseudonymous arrangement was the default method of mining in 2009 but has evolved over the years. For example, there are at least two known incidents in which a miner was contacted and returned fees upon request.

Launched in late summer of 2012 and during the era of transition from GPUs and FPGA mining, ASICMiner was one of the first publicly known companies to create its own independent ASIC mining hardware. Its team was led by “FriedCat,” a Chinese businessman, who custom designed and integrated ASIC chips called Block Eruptors, ASICMiner operated their own liquid immersion facility in Hong Kong.9

At its height, ASICMiner (which solo-mined similar to KnC and BitFury do today) reached over 10% of the network hashrate and its “shareholders” listed its stock on GLBSE (Global Bitcoin Stock Exchange), GLBSE is a now defunct virtual “stock market” that enabled bitcoin users to purchase, trade and acquire “shares” in a variety of listed companies.10 GLBSE is notable for having listed, among other projects, SatoshiDice which was later charged by the Securities and Exchange Commission (SEC) for offering unregistered securities to the public.11 12

While unregistered stock exchanges catering to cryptocurrency users and China-based mining pools may be common sights today, on August 28, 2013, a bitcoin user sent a 200 bitcoin fee that was processed by ASICMiner.13 Based on then-market rates, this was approximately worth $23,518.14 The next day, for reasons that are unknown, ASICMiner allegedly sent the errant fee back to the original user.15 At the time, one theory proposed by Greg Maxwell (a Bitcoin Core developer) was that this fee was accidentally sent due to a bug with CoinJoin, a coin-mixing service.16

Liquid cooled hashing equipment at ASICMiner in 2013. Source: Xiaogang Cao

The second notable incident involved BitGo, a multisig-as-a-service startup based in Palo Alto and AntPool, a large China-based pool (which currently represents about 15% of the network hashrate) operated by Bitmain which also manufacturers Antminer hardware that can be acquired directly from the company (in contrast to many manufacturers which no longer sell to the public-at-large). On April 25, 2015 a BitGo user, due to a software glitch, accidentally sent 85 bitcoins as a mining fee to AntPool. Based on then-market rates, this was worth approximately $19,197.17

The glitch occurred in BitGo’s legacy recovery tool which used an older version of a library that causes a 32-bit truncation of values and results in a truncation of outputs on the recovery transaction.18 To resolve this problem, the user “rtsn” spent several days publicly conversing with tech support (and the community) on Reddit.19

Eventually the glitch was fixed and Bitmain – to be viewed as a “good member of the community” yet defeating the purpose of a one-way-only, pseudonymous blockchain – sent the user back 85 bitcoins.

Fee to Bitmain (Antpool) highlighted in red on Total Transaction Fee chart. Source: Blockchain.info

On September 11, 2015 another user accidentally sent 4.6 bitcoins (worth $1,113) as a fee to a mining pool, which in this instance was AntPool.20 Bitmain, the parent company, once again returned the fee to the user.

Do we know about other farms?21

HaoBTC is a newly constructed medium-sized hashing farm located in Kangding, western Sichuan, near the Eastern border with Tibet.22 It currently costs around 1.5 million RMB per petahash (PH) – or $242,000 – to operate per year. This includes the infrastructure and miner equipment costs. It does not include the operating costs which consists of: electricity, labor, rent and taxes (the latter two are relatively negligible).

The facility itself cost between $600,000 – $700,000 to build (slightly less than the $1 million facility BitFury built in 2014 in the Republic of Georgia) and its electrical rate of 0.2 RMB per kWh comes from a nearby hydroelectric dam which has a 25,000 kW output (and cost around $10 million to construct).23

In dollar terms this is equivalent to around $0.03 / kWh (during the “wet” or “summer” season). For perspective, their electric bill in August 2015 came in at 1.4 million RMB (roughly $219,000); thus electricity is by far the largest operating cost component.

When all the other costs are accounted for, the average rises to approximately $0.045 per kWh. The electricity rate is slightly more expensive (0.4 RMB or $0.06) during winter due to less water from the mountains. The summer rate is roughly the same price as the Washington State-based hashing facilities which is the cheapest in the US (note: it bears mentioning that Washington State partly subsidizes hydroelectricity).

HaoBTC staff installing hashing equipment. Source: Eric Mu

At this price per joule it would cost around $105 million to reproduce “work” generated by the 450 petahash Bitcoin blockchain. Due to a recent purchase of second-hand ASICMiner Tubes, HaoBTC currently generates just over 10 PH and they are looking to expand to 12 PH by the end of the year.24 The key figure that most miners are interested in is that at the current difficulty level it costs around $161 for HaoBTC’s farm to create a bitcoin, giving them a nearly 100% margin relative to the current market price.

The ASIC machines they – and the rest of the industry uses – are single use; this hashing equipment cannot run Excel or Google services, or even bitcoind. Thus common comparisons with university supercomputers is not an apples-to-apples comparison as ASIC hashing cannot do general purpose computing; ASIC hashing equipment can perform just one function.25

There is also a second-hand market for it. For instance, hashing facilities such as HaoBTC actively look to capitalize off their unique geographical advantages by using older, used hardware. And there is a niche group of individuals, wanting to remain anonymous, that will also purchase older equipment.26

Although individual buyers of new hashing equipment such as Bob, do typically have to identify themselves to some level, both Bob can also resell the hardware on the second-hand market without any documentation. Thus, some buyers wanting to buy hashing equipment anonymously can do so for a relative premium and typically through middlemen.27 28

While Bitbank’s BW mining farm and pool have been in the news recently29, perhaps the most well-known live visual of mining facilities is the Motherboard story on a large Bitcoin mining farm in Dalian, Liaoning:30

Incidentally, while Motherboard actually looked at just one farm, the foreigner helping to translate for the film crew independently visited another farm in Inner Mongolia which during the past year Bitbank apparently acquired.31

Are there any other known facilities outside of China?32

Source: Business Insider / Genesis Mining

Genesis Mining is a cloudhashing service provider that purportedly has several facilities in Iceland.33 According to a recent news story the company is one of the largest users of energy on the island and ignoring all the other costs of production (aside from electricity), it costs about $60 to produce a bitcoin.34 However, when other costs are included (such as hardware and staffing) the margin declines to — according to the company — about 20% relative to the current bitcoin price. At the time of the story, the market price of a bitcoin was around $231.

The four illustrations above are among a couple dozen farms that generate the majority of the remaining hashrate.

What does this have to do with colored coins?

The network was originally designed in such a way that validators (block makers) were pseudonymous and identification by outside participants was unintended and difficult to do. If users can now contact validators, known actors in scenic Sichuan, frigid Iceland or rustic Georgia, why not just use a distributed ledger system that already identifies validators from the get go? What use is proof-of-work at all? Why bother with the rhetoric and marginal costs of pseudonymity?

The social pressure type of altruism noted above (e.g,. Bitmain and BitGo returning fees) actually could set a nebulous precedent: once block rewards are reduced and fees begin to represent a larger percentage of miner revenue, it will no longer be an “easy” decision to refund the user in the event there is a mistake.35 If Bitmain did not send a refund, this backup wallet error would serve as a powerful warning to future users to try and not make mistakes.

While there have been proposals to re-decentralize the hashing process, such as a consumer-device effort led by 21inc which amounts to creating a large corporate operated botnet, one trend that has remained constant is the continued centralization of mining (block making) itself.36 37 The motivation for centralizing block making has and continues to be about one factor: variance in payouts.38 Investors in hashing prefer stable payouts over less stable payouts and the best way to do that with the current Poisson process is to pool capital (much like pooling capital in capital markets to reduce risk).

Whether or not these trends stay the same in the future are unknown, however it is likely that the ability to contact (or not contact) certain pools and farms will be an area of continued research.

Similarly one other potential drawback of piggy backing on top of a public blockchain that could be modeled in the future is the introduction of a fat tail risk due to the boundlessness of the price of the native token.39 In the case of price spikes even if for short time can create price distortions or liquidity problem on the off-chain asset introducing a correlation between the token and the asset that theoretically was not supposed to be there.

For instance, the staff of Let’s Talk Bitcoin issues LTBCoin on a regular basis to listeners, content creators and commenters. [↩]
Wall Street, Meet Block 368396, the Future of Finance from Bloomberg [↩]
On August 20, 2015, Symbiont announced it is also building a permissioned ledger product. See also the second half of Bitcoin’s Noisy Size Debate Reaches a Hard Fork from The Wall Street Journal, Why Symbiont Believes Blockchain Securities Are Wall Street’s Future from CoinDesk and Why Symbiont Believes Blockchain securities are Wall Street’s Future [↩]
The CoinPrism page for the specific token that Overstock.com initially used for the “cryptobond” can be viewed here; similarly the file on the T0 domain that verifies its authenticity can be seen here. See also: World’s First Corporate “Cryptobond” was issued using Open Assets [↩]
Overstock CEO Uses Bitcoin Tech to Spill Wall Street Secret from Wired and Overstock.com and FNY Capital Conclude $5 Million Cryptobond Deal from Nasdaq [↩]
One reviewer likened the Overstock “cryptobond” proof of concept as a large wash trade: ”Basically it’s a cashless swap of paper and thus no currency settlement. And the paper has no covenants and thus very easy to digitally code. Basically Overstock is paying FNY a spread of 4% for doing this deal. And if the bond and loan are called simultaneously, say in the next month, that means that Overstock paid FNY about $16,667.00 to do this trade. And since there was no cash exchanged, I am presuming, then this is smoke and mirrors. But they actually did it. However, I don’t see much of a business model where the issuer of a bond has to simultaneously fund the investor with a loan to buy the bond and pay him 33 basis points to boot!” [↩]
P2Pool wiki and P2Pool github [↩]
See Target, How Bitcoin Hashing Works and On Mining by Vitalik Buterin [↩]
ASICMINER: Entering the Future of ASIC Mining by Inventing It from Bitcoin Talk, Mystery in Bitcoinland…. the disappearance of FriedCat from Bitcoin Reporter; Chinese Mining mogul FriedCat has stolen more than a million in AM hash SCAM from Bitcoin Talk and Visit of ASICMINER’s Immersion Cooling Mining Facility from Bitcoin Talk [↩]
See 12.2 Pool and network miner hashrate distributions from Organ of Corti and Bitcoin “Stock Markets” – It’s Time To Have A Chat from Bitcoin Money [↩]
See SEC Charges Bitcoin Entrepreneur With Offering Unregistered Securities from SEC and the Administrative Proceeding order [↩]
In (Rosenfeld 2012) the author noted that one of the risks for running an “alternative to traditional markets” – such as GLBSE – were the regulatory compliance hurdles. Overview of Colored Coins by Meni Rosenfeld, p. 4. [↩]
Block 254642 and Some poor person just paid a 200BTC transaction fee to ASICminer. [↩]
According to the Coindesk Bitcoin Price Index, the market price of a bitcoin on August 28, 2013 was approximately $117.59. [↩]
Included in block 254769 [↩]
A thread discussed this theory: Re: CoinJoin: Bitcoin privacy for the real world (someday!) [↩]
According to the Coindesk Bitcoin Price Index, the market price of a bitcoin on April 25, 2015 was approximately $225.85. [↩]
The user “vytah” debugged this issue in a reddit thread: Holy Satoshi! Butter pays 85Btc transaction fees for a 16Btc transaction. Is this the largest fee ever paid? [↩]
Help! Losing Over 85 BTC Because of BitGo’s Flawed Recovery Process! on Reddit [↩]
To AntMiner, miner of block #374082. I did an accidental 4.6 BTC fee. on Reddit [↩]
Readers may be interested in a little more history regarding self-identification by miners: Slush, the first known pool, began publicly operating at the end of November 2010 and was the first to publicly claim a block (97838). Eligius was announced on April 27, 2011 and two months later signed the first coinbase transaction (130635). DeepBit publicly launched on February 26, 2011 and at one point was the most popular pool, reaching for a short period in May 2011, more than 50% of the network hashrate. See Deepbit pool owner pulls in $112* an hour, controls 50% of network and DeepBit pool temporarily reaches critical 50% threshold from Bitcoin Miner and What has been the reaction to permissioned distributed ledgers? [↩]
This information comes from personal correspondence with Eric Mu, July 7, 2015 as well as two other public sources: Inside a Tibetan Bitcoin Mine: The Race for Cheap Energy from CoinTelegraph and Three months living in a multi-petahash BTC mine in Kangding, Sichuan, China from Bitcoin Talk [↩]
Last summer BitFury quickly built a relatively cheap data center in Georgia partly due to assistance from the national government. See BitFury Reveals New Details About $100 Million Bitcoin Mine from CoinDesk [↩]
Personal correspondence with Eric Mu, August 10, 2015 [↩]
One common talking point by some Bitcoin enthusiasts including venture capitalists is that Google’s computers, if repurposed for mining Bitcoin, would generate only 1-2% of the network hashrate – that the Bitcoin network is “faster” than all of Google’s data centers combined. This is misleading because these Bitcoin hashing machines cannot provide the same general purpose utility that Google’s systems can. In point of fact, the sole task that ASIC hashing equipment itself does is compute two SHA256 multiplications repeatedly. [↩]
Some academic literature refers to miners on the Bitcoin network as “anonymous participants.” In theory, Bitcoin mining can be anonymous however by default mining was originally a pseudonymous activity. Participants can attempt to remain relatively anonymous by using a variety of operational security methods or they can choose to identify (“doxx”) themselves as well. See The Bitcoin Backbone Protocol: Analysis and Applications by Garay et al. [↩]
Thanks to Anton Bolotinsky for this insight. [↩]
This is similar to the “second-hand” market for bitcoins too: bitcoins originally acquired via KYC’ed gateways sometimes end up on sites like LocalBitcoins.com (akin to “Uber for bitcoins”) – where the virtual currency is sold at a premium to those wanting to buy anonymously. [↩]
The Unknown Giant: A First Look Inside BW, One of China’s Oldest and Largest Miners from Bitcoin Magazine [↩]
Inside the Chinese Bitcoin Mine That’s Grossing $1.5M a Month from Motherboard [↩]
Jake Smith, the translator, also wrote a short story on it: Inside one of the World’s Largest Bitcoin Mines at The Coinsman [↩]
While it is beyond the scope of this paper, there are a couple of general reasons why medium-sized farms such as HaoBTC have been erected in China. Based upon conversations with professional miners in China one primary reason is that both the labor and land near energy generating facilities is relatively cheap compared with other parts of the world. Furthermore, energy itself is not necessarily cheaper, unless farms managers and operators have guanxi with local officials and power plant owners. And even though it is common to assume that due to the capital controls imposed at a national level – citizens are limited to the equivalent of $50,000 in foreign exchange per year – there have been no public studies as to how much capital is converted for these specific purposes. There are other ways to avoid capital controls in China including art auctions and pawn shops on the border with Macau and Hong Kong. See also How China’s official bank card is used to smuggle money from Reuters and What Drives the Chinese Art Market? The Case of Elegant Bribery by Jia Guo See On Getting Paid From China. Is There Really A $50,000 Yearly Limit? from China Law Blog and Bitcoins: Made in China [↩]
Look inside the surreal world of an Icelandic bitcoin mine, where they literally make digital money from Business Insider [↩]
It is unclear how much hashrate they actually operate or control, a challenge that plagues the entire cloudhashing industry leading to accusations of fraud. [↩]
And this is also a fundamental problem with public goods, there are few mechanisms besides social pressure and arbitrary decision making to ration resources. As described in (Evans 2014), since miners are the sole labor force, they create the economic outputs (bitcoins) and security, it is unclear why they are under any expectation to return fees in a network purposefully designed to reduce direct interactions between participants. See Economic Aspects of Bitcoin and Other Decentralized Public-Ledger Currency Platforms by David Evans [↩]
See 21 Inc Confirms Plans for Mass Bitcoin Miner Distribution from CoinDesk and What impact have various investment pools had on Bitcoinland? [↩]
In 2014 the state of New Jersey sued a MIT student, Jeremy Rubin, for creating a web-based project that effectively does the same thing as the silicon-based version proposed by 21inc. See Case Against Controversial Student Bitcoin Project Comes to Close from CoinDesk. In addition, the FTC, in its case against Butterfly Labs also looked at BFL not informing customers properly regarding difficulty rating changes. According to the FTC’s new release on this case: “A company representative [BFL] said that the passage of time rendered some of their machines as effective as a “room heater.” The FTC charged that this cost the consumers potentially large sums of money, on top of the amount they had paid to purchase the computers, due to the nature of how Bitcoins are made available to the public.” [↩]
This issue was cited in the CryptoNote whitepaper as one motivation for creating a new network. On p. 2: “This permits us to conjecture the properties that must be satisfied by the proof-of-work pricing function. Such function must not enable a network participant to have a significant advantage over another participant; it requires a parity between common hardware and high cost of custom devices. From recent examples [8], we can see that the SHA-256 function used in the Bitcoin architecture does not possess this property as mining becomes more efficient on GPUs and ASIC devices when compared to high-end CPUs. Therefore, Bitcoin creates favourable conditions for a large gap between the voting power of participants as it violates the “one-CPU-one-vote” principle since GPU and ASIC owners possess a much larger voting power when compared with CPU owners. It is a classical example of the Pareto principle where 20% of a system’s participants control more than 80% of the votes.” [↩]
I would like to thank Ayoub Naciri for providing this example. [↩]

A dissection of two Bitfury papers

Posted on November 3, 2015 by Tim Swanson

Bitfury, the Bitcoin mining company, recently published two papers:

Public versus Private Blockchains Part 1, Permissioned Blockchains
Public versus Private Blockchains Part 2, Permissionless Blockchains

The underlying motivations for writing them was that Bitfury is trying to assure the world that public blockchains can still be used in “proprietary contexts.” While they provide a good frame for the issue, there are several leaps in logic, or direct contradictions to established theory that necessarily weaken their argument.

Below is my discussion of them. Note: as usual, this only represents my opinion and does not necessarily represent the views of the organizations that I advise or work for.

Overall I thought the two papers did not seem to have been reviewed by a wider audience including lawyers: specifically they should have sent them to commercial and securities lawyers to see if any legal issues should be considered. Much of their pitch basically amounts to mining for the sake of mining.

One final note: for additional commentary I also reached out to Dave Hudson who is proprietor of HashingIt and an expert as it relates to Bitcoin mining analysis. He is unaffiliated with Bitfury.

Notes for Part 1:

On p. 2, Bitfury wrote the following statement:

The key design element of blockchains – embedded security – makes them different from ordinary horizontally scalable distributed databases such as MySQL Cluster, MongoDB and Apache HBase. Blockchain security makes it practically impossible to modify or delete entries from the database; furthermore, this kind of security is enforced not through the central authority (as it is possible with the aforementioned distributed databases), but rather through the blockchain protocol itself.

Is this a problematic summary?

According to Dave Hudson:

As a network protocol engineer of many years I tend to find the concept of a “blockchain protocol” somewhat odd. Here’s a link to definitions of “protocol.”

What do we mean by protocol here? It’s not actually a network protocol because there is no “blockchain protocol”, there are many different ones (each altcoin has its own and there are many more besides). At best the idea of a “blockchain protocol” is more a meta-protocol, in that we say there are some things that must be done in order for our data to have blockchain-like characteristics. It’s those characteristics that provide for non-repudiation.

Also on p. 2, Bitfury uses the term “blockchain-based ledger.” I like that because, as several developers have pointed out in the past, the two concepts are not the same — distributed ledgers are not necessarily blockchains and vice versa.

On p. 4 and 5 they list several objections for why financial institutions are hesitant to use a public blockchain yet leave a couple noticeable ones off including the lack of a service level agreement / terms of service between end users and miners. That is to say, in the event of a block reorg or 51% attack, who calls who?

On p. 7, I don’t think that censorship resistance can be generalized as a characteristic for “all blockchains.”

In Dave Hudson’s view:

Moreover, censorship resistance makes absolutely no sense in many instances. Who would be censoring what?

I’m actually not convinced that censorship resistance is actually a “thing” in Bitcoin either. Plenty of well-formed transactions can be censored by virtue of them being dust or having non-standard scripts. If anything the only thing that Bitcoin does is provide a set of conditions in which a transaction is probabilistically going to be mined into blocks in the network.

For those interested, there are a handful of “standard’ transaction types that are usually accepted by most mining pools.

On p. 11, I disagree with this statement:

If a blockchain database is completely opaque for clients (i.e., they have no access to blockchain data), the security aspect of blockchain technology is diminished. While such system is still protected from attacks on the database itself, interaction with clients becomes vulnerable, e.g. to man-in-the middle attacks. As a built-in protocol for transaction authorization is one of core aspects of blockchain technology, its potential subversion in favor of centralized solutions could negatively influence the security aspect of the system. Additionally, as transactions are accessible to a limited set of computers, there exists a risk of human factor intervening into the operation of the blockchain with no way for clients to detect such interference. Thus, the opaque blockchain design essentially undermines the core aspects of blockchain technology:
• decentralization (absence of a single point of failure in the system)
• trustlessness (reliance on algorithmically enforced rules to process transactions with no human interaction required).

I think trustlessness is a red herring that cypherpunks and Bitcoiners have been perpetually distracted by. It may be an end-goal that many would like to strive for but trust-minimization is a more realistic intermediate characteristic for those operating within the physical, real world.

Why? Because existing institutions and legal infrastructure are not going to disappear tomorrow just because a vocal group of cryptocurrency enthusiasts dislikes them.

According to Dave Hudson:

As with so many things-Bitcoin, I think this is an implementation necessity being seen as a innately desirable characteristic. Bitcoin requires “trustlessness” because it’s non-permissioned, yet in truth it totally relies on trust to work. We trust that Sybil attacks aren’t happening and that network service providers are not colluding to support such attacks. We trust that a large body of miners are not colluding to distort the system. We trust that changes to the software (or updates to compilers and operating systems) have not rendered old, non-recently-used keys are still able to support signing of transactions. We trust that Satoshi (and other large holders) will not drop 1M, or worse 10M coins onto exchanges crashing the price to a few cents per coin! There’s no “too big to fail” here!

In truth real-world people actually like to trust things. They want to trust that their national governments will ensure services work and that invaders are kept out. They want to trust that law enforcement, fire and medical services will keep them safe. I’m not sure that I like the idea of a trustless Police force?

What people do like is the ability to verify that the entities that they actually do trust are in fact doing what they should. Blockchain designs allow us to do just this.

That last statement in particular succinctly summarizes some of the motivations for financial institutions looking to use a shared ledger that is not the Bitcoin blockchain.

On p. 12, I disagree with this statement:

While the permissioned nature of blockchains for proprietary applications may be a necessary compromise in the medium term because of compliance and other factors, read access to blockchain data together with the publicly available blockchain protocol would remove most of vulnerabilities associated with opaque blockchain designs and would be more appealing to the clients of the institution(s) operating the blockchain. As evidenced by Bitcoin, simplified payment verification softwarecan be used to provide a direct interface to blockchain data that would be both secure and not resource intensive.

The reason I disagree with this statement is because the term “opaque” is loaded and ill-defined.

For instance, several groups within the Bitcoin ecosystem have spent the last several years trying to delink or obfuscate transaction history via zk-SNARKs, stealth addresses, mixing via Coinjoin and Coinshuffle and other methods. This type of activity is not addressed by Bitfury — will they process Bitcoin transactions that are obfuscated?

Granular permissions — who is allowed to see, read or write to a ledger — is a characteristic some of these same Bitcoin groups are not fans of but is a needed feature for financial institutions. Why? Because financial institutions cannot leak or expose personal identifiable information (PII) or trading patterns to the public.

Securely creating granular permissions is doable and would not necessarily reduce safety or transparency for compliance and regulatory bodies. Operating a non-public ledger is not the same thing as being “opaque.” While hobbyists on social media may not be able to look at nodes run by financial institutions, regulators and compliance teams can still have access to the data.

It also bears mentioning that another potential reason some public blockchains have and/or use a token is as an anti-spam mechanism (e.g., in Ripple and Stellar a minute amount is burnt).1

On p. 13, I disagree with this statement:

The problem is somewhat mitigated if the access to block headers of the chain is public and unrestricted; however, convincing tech-savvy clients and regulators that the network would be impervious to attacks could still be a difficult task, as colluding operators have the ability to effortlessly reorganize the arbitrary parts of the blockchain at any given moment. Thus, the above consensus protocol is secure only if there is no chance of collusion among blockchain operators (e.g., operators represent ideal parties with conflicting interests). Proof of work provides a means to ensure absence of collusion algorithmically, aligning with the overall spirit of blockchain technology.

This is untrue. People run pools, people run farms. Earlier this year Steve Waldman gave a whole presentation aptly named “Soylent Blockchains” because people are involved in them.

As we have seen empirically, pool and farm operators may have conflicting incentives and this could potentially lead to collusion. Bitcoin’s “algorithms” cannot prevent exogenous interactions.

On p. 14 I disagree with this statement:

There is still a fixed number of miners with known identities proved by digital signatures in block headers. Note that miners and transaction processors are not necessarily the same entities; in the case that mining is outsourced to trusted companies, block headers should include digital signatures both from a miner and one or more processing institutions.

Having a “trusted company” run a proof-of-work mining farm is self-defeating with respect to maintaining pseudonymity on an untrusted network (which were the assumptions of Bitcoin circa 2009). If all miners are “trusted” then you are now operating a very expensive trusted network. This also directly conflicts with the D in DMMS (dynamic-membership multi-party signature).

According to Dave Hudson:

If the signing is actually the important thing then we may as well say there’s a KYC requirement to play in the network and we can scale it all the way back to one modest x86 server at each (with the 1M x reduction in power consumption). Of course this would kill mining as a business.

On p. 14 I think the Bitfury proposal is also self-defeating:

The proposed protocol solves the problem with the potentially unlimited number of alternative chains. Maintaining multiple versions of a blockchain with proof of work costs resources: electricity and hashing equipment. The hashing power spent to create a blockchain and the hashing power of every miner can be reliably estimated based on difficulty target and period between created blocks; an auditor could compare these numbers with the amount of hashing equipment available to operators and make corresponding conclusions.

The authors go into detail later on but basically they explain what we can already do today: an outside observer can look at the block headers to see the difficulty and guess how much hashrate and therefore capital is being expended on the hash.

On p. 15 they present their proposal:

Consequently, $10 million yearly expenses on proof of work security (which is quite low compared to potential gains from utilizing blockchain technology, estimated at several billion dollars per year [54]) correspond to the hash rate of approximately 38 PHash / s, or a little less than 10% of the total hash rate of the Bitcoin network.

This is entirely unneeded. Banks do not need to spend $10 million to operate hardware or outsource operation of that hardware to some of its $100 million Georgia-based hydro-powered facilities.

According to Dave Hudson:

Precisely; banks can use a permissioned system that doesn’t need PoW. I think this also misses something else that’s really important: PoW is necessary in the single Bitcoin blockchain because the immutability characteristics are derived from the system itself, but if we change those starting assumptions then there are other approaches that can be taken.

In section 3.1 the authors spend some time discussing merged mining and colored coins but do not discuss the security challenges of operating in a public environment. In fact, they assume that issuing colored coins on a public blockchain is not only secure (it is not) but that it is legal (probably not either).2

On p. 16 they mention “transaction processors” which is a euphemism that Bitfury has been using for over a year now. They dislike being called a mining company preferring the phrase “transaction processors” yet their closed pool does not process any kind of transactions beyond the Bitcoin variety.

On page 17 they wrote:

[M]aintenance of the metachain could be outsourced to a trusted security provider without compromising confidential transaction details.

If taken to the logical extreme and all of the maintenance was “outsourced” to trusted security providers they would have created a very expensive trusted network. Yet in their scenario, financial institutions would have to trust a Republic of Georgia-based company that is not fully transparent.

Also on page 17 they start talking about “blockchain anchors.” This is not a new or novel idea. As other developers have spoken about the past and Guardtime puts anchors into newspapers like The New York Times (e.g., publishes the actual hashes in a newspaper). And, again, this could easily be done in other ways too. Why restrict anchoring to one location? This is Bitcoin maximalism at work again.

On p. 20 they wrote:

Bitcoin in particular could be appropriate for use in blockchain innovations as a supporting blockchain in merged mining or anchoring due to the following factors: • relatively small number of mining pools with established identities, which allows them to act as known transaction validators by cooperating with institutions

This is self-defeating for pseudonymous interactions (e.g., Bitcoin circa 2008). Proof-of-work was integrated to fight Sybil attacks. If there are only a few mining pools with established identities then there are no Sybil’s and you effectively have an extremely expensive trusted network.

Notes on Part 2:

On p. 3 they wrote:

If an institution wants to ensure that related Bitcoin transactions are mined by accredited miners, it may send transactions over a secure channel directly to these miners rather than broadcasting them over the network; accepting non-broadcast transactions into blocks is a valid behavior according to the Bitcoin protocol.

An “accredited miner” is a contradiction.

On p. 4 the first paragraph under section 1.3 was well written and seems accurate. But then it falls apart as they did not consult lawyers and financial service experts to find out how the current plumbing in the back-office works — and more importantly, why it works that way.

On p.4 they wrote:

First, the transfer of digital assets is not stored by the means of the Bitcoin protocol; the protocol is unaware of digital assets and can only recognize and verify the move of value measured in bitcoins. Systems integrating digital assets with the Bitcoin blockchain utilize various colored coin protocols to encode asset issuance and transfer (see Section 2.2 for more details). There is nothing preventing such a protocol to be more adapted to registered assets.

Yes there is in fact things preventing Bitcoin from being used to move registered assets, see “Watermarked tokens and pseudonymity on public blockchains.” And their methods in Section 1.6 are non-starters.

Also on page 4 they wrote:

Second, multisignature schemes allow for the creation of limited trust in the Bitcoin environment, which can be beneficial when dealing with registered assets and in other related use cases. Whereas raw bitcoins are similar to cash, multisignature schemes act not unlike debit cards or debit bank accounts; the user still has a complete control of funds, and a multisignature service provides reputation and risk assessment services for transactions.

This is the same half-baked non-sense that Robert Sams rightly criticized in May. This is a centralized setup. Users are not gaining any advantage for using the Bitcoin network in this manner as one entity still controls access via identity/key.

On p. 5 they wrote:

One of the use cases of the 2-of-3 multisignature scheme is escrow involving a mediator trusted by both parties. A buyer purchasing certain goods locks his cryptocurrency funds with a multisignature lock, which requests two of the three signatures: the buyer’s, the seller’s, and the mediator’s.

This is only useful if it is an on-chain, native asset. Registered assets represent something off-chain, therefore Bitcoin as it exists today cannot control them.

On p. 6 they talk about transactions being final for an entire page without discussing why this is important from a legal perspective (e.g., why courts and institutions need to have finality). This paper ignores how settlement finality takes place in Europe or North America nor are regulatory systems just going to disappear in the coming months.

On page 7 they mention that:

To prevent this, a protocol could be modified to reject reorganizations lasting more than a specified number of blocks (as it is done in Nxt). However, this would make the Bitcoin protocol weakly subjective [21], introducing a social-driven security component into the Bitcoin ecosystem.

There is already a very publicly known, social-driven security component: the Bitcoin dev mailing list. We see this almost daily with the block-size debate. The statement above seems to ignore what actually happens in practice versus theory.

On p. 7 and 8 they write:

The security of the Bitcoin network in the case of economic equilibrium is determined by the rewards received by block miners and is therefore tied to the exchange rate of Bitcoin. Thus, creating high transaction throughput of expensive digital assets on the Bitcoin blockchain with the help of colored coin protocols has certain risks: it increases the potential gain from an attack on the network, while security of the network could remain roughly the same (as there are no specific fees for digital asset transactions; transaction fees for these transactions are still paid in bitcoins). The risk can be mitigated if Bitcoin fees for asset transactions would be consciously set high, either by senders or by a colored coins protocol itself, allowing Bitcoin miners to improve security of the network according to the value transferred both in bitcoins and in digital assets.

There is no way to enforce this increase in fee. How are “Bitcoin fees for asset transactions … consciously set high”? This is a question they never answer, (Rosenfeld 2012) did not answers it, no one does. It is just assumed that people will start paying higher fees to protect off-chain securities via Bitcoin miners.

There is no incentive to pay more and this leads to a hold-up problem described in the colored coin “game” from Ernie Teo.

On p. 8 they wrote:

As there is a relatively small number of Bitcoin mining pools, miners can act as known processors of Bitcoin transactions originating from institutions (e.g., due to compliance reasons). The cooperation with institutions could take the form of encrypted channels for Bitcoin transactions established between institutions and miners.

This is silly. If they are known and trusted, you have a trusted network that lacks a Sybil attacker. There is no need for proof-of-work mining equipment in such a scenario.

On p. 8 they wrote:

In the ideal case though, these transactions would be prioritized solely based on their transaction fees (i.e., in a same way all Bitcoin transactions are prioritized), which at the same time would constitute payments for the validation by a known entity. Thus, this form of transaction processing would align with the core assumption for Bitcoin miningthat miners are rational economic actors and try to maximize their profit.

It cannot be assumed that miners will all behave as “rational economic actors.” They will behave according to their own specific incentives and goals.

On p. 9 they wrote:

Additionally, partnerships between institutions and miners minimize risk in case transactions should not be made public before they are confirmed.

Registered and identifiable miners is the direct anti-thesis of pseudonymous interactions circa Bitcoin 2008. That type of partnership is a win-lose interaction.

On p. 10 they wrote:

One of the interesting financial applications of colored coins is Tether (tether.to), a service using colored coins to represent US dollars for fast money transfer. Several cryptocurrencies such as Nxt and BitShares support custom digital assets natively.

As it exists today, Tether.to is similar in nature to a Ripple gateway such as SnapSwap: both are centralized entities that are subject to multiple regulatory and compliance requirements (note: SnapSwap recently exited its USD gateway business and locked out US-based users from its BTC2Ripple business).

According to FinCEN’s MSB Registrant Search Web page, Tether has a registration number (31000058542968) and one MSB. While they have an AML/CTF program in place, it is unclear in its papers how Bitfury believes the Bitcoin network (which Tether utilizes) can enforce exogenous claims (e.g., claims on USD, euros, etc.).

Furthermore, there has been some recent research looking at how the Federal Reserve and the Bank of England could use distributed ledgers to issue digital currency.3

If a central bank does utilize some kind of distributed ledger for a digital currency they do not need proof-of-work mining or the Bitcoin network to securely operate and issue digital currency.

Ignoring this possible evolution, colored coins are still not a secure method for exogenous value transfers.

On page 10 they wrote:

Colored coins are more transparent for participants and auditors compared to permissioned blockchains

This is untrue and unproven. As Christopher Hitchens would say, what can be asserted without evidence can be dismissed without evidence.

On page 10 they wrote:

As colored coins operate on top of permissionless blockchains, systems using colored coins are inherently resistant to censorship – restrictions on transactions are fully specified by a colored coins protocol instead of being enforced by a certain entity

This is also untrue. This is a bit like trying to have their cake and eat it too.

On page 11 they have a diagram which states:

Figure 2: Using colored coins on top of the Bitcoin blockchain to implement asset transactions. For compliance, financial institutions may use secure communication channels with miners described in Section 2.1 to place asset transactions on the blockchain

Again this is self-defeating. As the saying goes: be careful what you wish for. If Bitfury’s proposal came true, their pool(s) could become payment service providers (PSP) and regulated by FinCEN.

On page 12 and 13 they wrote:

Bitcoin and other public permissionless blockchains could be a part of the interconnected financial environment similarly to how cash is a ubiquitous part of the banking system. More concretely, cryptocurrencies could be used as: • one of the means to buy and sell assets on permissioned blockchains • an instrument that enables relatively fast value transfer among permissioned blockchains • an agreed upon medium for clearing operations among blockchains maintained by various institutions (Fig. 4).

Bitcoins as a permanent store-of-value are effectively a non-starter as they lack any endogenous self-stabilizing mechanism.4

According to Dave Hudson:

The systemic risks here just make this idea farcical. The Internet is somewhat immune to this because there are technology providers all over the world who can independently choose to ignore things in regulatory domains that want to do “bad things”. There is no such safety net in a system that relies on International distributed consensus (the Internet has no such problem, although DNS is a little too centralized right now). Even if it could somehow be guaranteed that things can’t be changed, fixed coin supply means artificial scarcity problems are huge (think Goldfinger trying to irradiate the gold in Fort Knox) – you wouldn’t need a nuclear weapon, just a good piece of malware that could burn coins (if they’re not stolen then there’s no way to trace who stole them). There’s also the 1M coins dropped onto exchanges problem.

The discussion over elastic and inelastic money supplies is a topic for another post.

On page 15 they wrote:

If a blockchain is completely opaque for its end users (e.g., a blockchain-based banking system that still uses legacy communication interfaces such as credit cards), the trustless aspect of blockchains is substantially reduced. End users cannot even be sure that a blockchain system is indeed in use, much less to independently verify the correctness of blockchain data (as there is no access to data and no protocol rules to check against). Human factor remains a vulnerability in private blockchain designs as long as the state of the blockchain is not solely based on its protocol, which is enforced automatically with as little human intervention as possible. Interaction based on legacy user authentication interfaces would be a major source of vulnerabilities in the case of the opaque blockchain design; new interfaces based on public key cryptography could reduce the associated risk of attacks.

While mostly true, there are existing solutions to provide secure verification. It is not as if electronic commerce did not or could not occur before Bitcoin came into existence. Some private entities take operational security seriously too. For instance, Visa’s main processing facility has 42 firewalls and a moat.

On page 15 they wrote:

Proprietary nature of private blockchains makes them less accessible; open sourced and standardized blockchain implementations would form a more attractive environment for developers and innovations. In this sense, blockchains with a public protocol are similar to open Internet standards such as IP, TCP and HTTP, while proprietary blockchain designs could be similar to proprietary Internet protocols that did not gain much traction. A proprietary blockchain protocol could contain security vulnerabilities that remain undiscovered and exploited for a long time, while a standardized open blockchain protocol could be independently studied and audited. This is especially true for protocols of permissionless blockchains, as users have a direct economic incentive to discover vulnerabilities in the system in order to exploit them.

This is just scaremongering. While some of the “blockchain” startups out there do in fact plan to keep the lower layers proprietary, the general view in October 2015 is that whatever bottom layer(s) are created, will probably be open-sourced and an open-standard. Bitcoin doesn’t have a monopoly on being “open” in its developmental process.

On page 15 they wrote:

As the Bitcoin protocol has been extensively studied by cryptographers and scientists in the field, it could arguably form the basis for the standardized blockchain design.

This is untrue, it cannot be the backbone of a protocol as it is not neutral. In order to use the Bitcoin network, users are required to obtain what are effectively illiquid pre-paid gift cards (e.g., bitcoins). Furthermore, an attacker cannot collect “51%” of all TCP/IP packets and take over the “internet” whereas with Bitcoin there is a real “majoritarianism” problem due to how network security works.

A truly neutral protocol is needed and there have been at least two proposals.5

On page 15 they wrote:

The key design element of blockchains is “embedded economy” – a superset of embedded security and transaction validation. Each blockchain forms its own economic ecosystem; a centrally controlled blockchain is therefore a centrally controlled economy, with all that entails.

This is untrue. If we are going to use real-world analogies: Bitcoin’s network is not dynamic but rather disperses static rewards to its labor force (miners). It is, internally, a rigid economy and if it were to be accurately labeled, it is a command economy that relies on altruism and VC subsidies to stay afloat.6

On page 16 they wrote:

It is not clear how the blockchain would function in the case validators would become disinterested in its maintenance, or how it would recover in the case of a successful attack (cf. with permissionless blockchains, which offer the opportunity of self-organization).

The statement above is unusual in that it ignores how payment service providers (PSPs) currently operate. Online commerce for the most part has and likely will continue to exist despite the needed maintenance and profit-motive of individual PSPs. There are multiple motivations for continued maintenance of maintenance transfer agreements — this is not a new challenge.

While it is true that there will likely be dead networks in the futures (just like dead ISPs in the past), Bitcoin also suffers from a sustainability problem: it continually relies on altruism to be fixed and maintained and carries with it an enormous collective action burden which we see with the block-size debate.

There are over a hundred dead proof-of-work blockchains already, a number that will likely increase because they are all public goods that rely on external subsidies to exist. See Ray Dillinger’s “necronomicon” for a list of dead alt coins.

If Bitfury’s proposal for having a set of “fixed” miners arises, then it is questionable about how much self-organization could take place in a static environment surrounding a public good.

Conclusion

Despite the broad scope of the two papers from Bitfury neither was able to redress some of the most important defects that public blockchains have for securing off-chain assets:

how is legal settlement finality resolved
how to incentivize the security of layers (such as colored coins) which distort the mining process
how to enforce the security of merged mining which empirically becomes weaker over time

If Bitfury is truly attempting to move beyond merely processing Bitcoin transactions in its Georgian facilities, it needs to address what constraints and concerns financial institutions actually face and not just what the hobbyist community on social media thinks.

See also: Needing a token to operate a distributed ledger is a red herring and A blockchain with emphasis on the “a” [↩]
See also: Can Bitcoin’s internal economy securely grow relative to its outputs? and Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? [↩]
This includes: Fedcoin—how banks can survive blockchains by Robin Winkler and Centrally Banked Cryptocurrencies by George Danezis and Sarah Meiklejohn [↩]
See Seigniorage Shares from Robert Sams [↩]
See: A Protocol for Interledger Payments by Stefan Thomas and Evan Schwartz and An architecture for the Internet of Money by Meher Roy [↩]
See also: Chapter 10 in The Anatomy of a Money-like Informational Commodity and Economic Aspects of Bitcoin and Other Decentralized Public-Ledger Currency Platforms by David Evans [↩]

Great Wall of Numbers

Business Opportunities and Challenges in Emerging Markets

Self-doxxing, dynamic block making and re-decentralization of mining

Reading the tea leaves

A brief update on the shared ledger ecosystem

Additional citations, quotes and panels

Settlement Risks Involving Public Blockchains

What is the difference between Hyperledger and Hyperledger?

Short interview with the CFA Institute

The myth of The Right Stuff

Using just the “rails”

Five frequently asked questions about permissioned chains

The Cool Kid at School

What is the difference between a Bitcoin company and a Blockchain company?

AT&T is the only tested and secure telecommunication system, the rest are altscams

What did bitcoin movements look like in 2015?

AFA Presentation: Cryptocurrencies, Blockchains and the Future of Financial Services

A proxy for users

More events and articles

Anchor’s aweigh

The evolving distributed ledger tech landscape

Watermarked tokens and pseudonymity on public blockchains

What challenges arise when trying to scale watermarked tokens on Bitcoin?

A brief literature review

Creative angles of attacking proof-of-work blockchains

A few known Bitcoin mining farms

A dissection of two Bitfury papers