Interview with Ray Dillinger

[Note: the 10th anniversary of the Bitcoin whitepaper is this month.  Below is a detailed interview with one of the first individuals to have interacted with Satoshi both in public and private: Ray Dillinger.

All of the written responses are directly from Ray with no contributions from others.]

[Image: logo from 2010]

Q1: Tell us about yourself, what is your background?

A1: I am originally from Kansas.  At about the same time I entered high school I became interested in computers as a hobbyist, although hobby computers were still mostly useless at that time.  I got involved in early BBS systems when DOS hadn’t been released yet, modems were acoustically coupled and ran at 300 bits per second or slower, and software was stored mostly either on notebook paper or cassette tapes.

The early interest in computers is part of my lifelong tendency to become deeply involved in technology and ideas that are sufficiently interesting. This has led me to develop interests, obsessions, and expertise in a huge variety of things most of which the public does not discover reasons to care about until much later.

I graduated from KU with a degree in Computer Science in December of 1995 after spending far too long alternating between semesters of attending classes and semesters of working to pay for classes.

After graduation I moved to the San Francisco Bay area.  I worked for several AI startups in the next seven years and hold a couple of patents in natural-language applications from that work.  After that, I worked the night shift for FedEx for some years while doing occasional security consulting gigs during daytime hours.  I am currently doing AI algorithm research and implementation (and some cryptographic protocol/document design) at a FinTech startup.  I work on General AI projects on my own time.

I am somewhat pessimistic by nature and tend to assume until given reason to believe otherwise that anyone trying to sell me something or convince me of something is a scammer.  I know that’s irrational, but knowing doesn’t make the belief stop.  I have an abiding hatred of scammers and find them viscerally disgusting.

I consider making noise to be rude, avoid crowds and public appearances, and distrust anyone speaking faster than they can think.  Although I write a great deal, I rarely speak and strongly dislike talking on the phone.

In spite of my peculiar interests and asocial tendencies, I somehow managed to get married to a wonderful woman who tolerates an unbelievable degree of geekdom in an unbelievable variety of subjects, ranging from mild interest to full-on mad scientist levels in scope. I am tremendously thankful to have her in my life, and to whatever degree I might be considered social, she deserves most of the credit.

I became marginally involved with Bitcoin in its early development because cryptocurrency, and the application of block chains to cryptocurrency in particular, are interesting.  I ceased to be involved in Bitcoin when the next steps would necessarily involve salesmanship, frequent talking, and social interaction, because those things are not interesting.

Q2: Perry Metzger created the now infamous Cryptography mailing list years ago.  When did you join and what made you interested in cryptography?

A2: I joined so many years ago it’s hard to remember.  It was pretty much as soon as I became aware of the list, but I’m sure it was more than fifteen years ago. It may have been late 2001 or early 2002.

I think I may even have been one of the first twenty or thirty posters on that list – it was still very young.

I remember being vaguely annoyed that it hadn’t been available when I was actually still in college and doing a crypto project in a grad-level networking course – I’d been a member of the even-earlier ‘cypherpunks’ list back when I was in school, but its strident political ideologues (including a guy named Hal Finney, whom you’ve probably heard of) annoyed me, even back then.

‘cypherpunks’ was where I became aware of and started corresponding with Hal.  Although, way back then, I think we were both mostly annoying to each other.  And possibly to others as well.  Hal had been stridently political all the way from those days (and probably before) to the day he died, and in retrospect, I think I really needed some ‘remedial human-being lessons’ and some wider education at the time.  I’ve learned a lot since then – and perspective outside the narrow specialties we studied in school really does matter.

Q3: There were a lot of other non-cryptocurrency related discussions taking place simultaneously in November 2008 and many of the frequent posters didn’t comment on Bitcoin when it was first announced.  What interested you in it?  How involved would you say you were with providing coding suggestions prior to the genesis block that following January?

A3: I was interested in it for several reasons.  First, Bitcoin was a digital cash protocol, and digital cash protocols have some significant challenges to overcome, and I’d been interested in them for a long time already.  I’d even designed a couple by then.  The first I designed was unsound.  The second, which is the only one worth talking about, I’ll talk more about below.

Second, Bitcoin used a central proof chain (which we now call a block chain) as means of securing the history of each note, and I had known for a long time that any successful digital cash protocol had to use proof chains in some form or it couldn’t circulate (couldn’t be spent onward by someone who’d been paid in it).  And I was very, very much interested in proof chains, especially for a digital cash protocol.  I had already used proof chains (very differently) for a digital cash protocol when I extended Chaum’s e-cash protocol in 1995.

(see Digression #1 below to understand the differences between my protocol and Satoshi’s, and their effect on protocol design.)

Third, Satoshi eventually convinced me that he wasn’t a scammer.  I’m sort of a natural pessimist at heart, and digital cash protocols have a long history of scammers, so at first I had assumed the worst.  I think a lot of others also assumed the worst, which would be why few of them responded.  I made my first couple of replies without even having read it yet, to see how he responded before I wasted mental effort on something that would probably turn out to be a scam.

When I finally bothered to actually read the white paper, and spent the mental effort to understand it, I realized that (A) it wasn’t the usual incompetent bullshit we’d seen in far too many earlier digital-cash proposals, and (B) Its structure really and truly contained no Trusted Roles – meaning the opportunity to scam people was NOT built into the structure of it the way it had been with e-gold, e-cash, etc.

Fourth, and absolutely the clincher for me; it was very very INTERESTING!  It was an entirely new paradigm for a digital cash protocol, and had no Trusted Roles!  Nobody had EVER come up with a digital cash protocol having no Trusted Roles before!

Of course it wasn’t a “serious” proposal, I thought. It wouldn’t work for any kind of widespread adoption (I thought at the time) because of course people would conclude that spent hashes which absolutely couldn’t be redeemed for the electricity or computer power that had been used to create them were valueless.  And it would never scale beyond small communities or specialized applications of course because of its completely stupid bandwidth requirements.

But it was INTERESTING!

I could never have come up with Bitcoin because of the tremendous bandwidth.  Without Satoshi’s proposal, the idea of transmitting every transaction to every user would just have bounced off my mind as inconceivable.  Hell, I didn’t even understand it the first couple of times through the white paper because I was looking for ANY WAY AT ALL to parse those sentences, and ‘transmitting every transaction to every user’ wasn’t even a POSSIBLE parse for me until Satoshi explicitly told me yes, that really was what he meant.

When I finally understood, I started doing math to prove to him that it was impossible, tried to relate bandwidth to rate of adoption and got a largest possible answer that’s only about one-eighth of today’s number of nodes.   I was assuming transaction volume proportional to userbase, which would be at least three times the transactions that today’s blocksize-limited block chain handles, and looking at a version of the protocol which doubled it by transmitting every transaction twice.  So, GIGO, I was wrong – but for good reasons and in the correct order of magnitude anyway.

But that was a couple orders of magnitude larger than the highest answer I had expected to get!  And that meant Satoshi’s idea actually seemed… surprisingly plausible, if people really didn’t care about bandwidth.

The fact that bandwidth seemed to be available enough for the proposal to be technically plausible was sort of mind-boggling.  So was the idea that so many people did not care, at all, about bandwidth costs.

(See digression #2 to understand why it was hard for me to accept that people now consider bandwidth to be valueless.)

Anyway, problems aside, it was INTERESTING! If the proof-of-concept actually sort-of worked at least on scales like for a campus or community merchandise token or something it would extend our understanding of protocol design!

What I had done back in 1995 had been INTERESTING for a different reason. At that time nobody had ever come up with a digital cash protocol that allowed people who’d been paid digital coins to respend them if they wanted instead of taking them right back to the issuer.  Of course it wouldn’t work for general adoption because of its own problems, but it had extended our understanding of protocol design back then, so back then that had been INTERESTING!

And before that, Chaum had demonstrated a digital cash protocol that worked at all, and at the time that was INTERESTING!

And in between a whole bunch of people had demonstrated ways to cooperate with bankers etc to have different kinds of access to your checking account or whatever.  Some of those had had privacy features v. the other users, which were also INTERESTING!

And so on.  I was very much looking at things that improved our understanding of digital cash protocols, and had no idea that Bitcoin was intended for widespread release.

Anyway, Satoshi and I talked offlist about the problems, and possible solutions, and use of proof chains for digital cash, and my old protocol, and several previous types of digital cash, and finally he sent me the proof chain code for review.

And the proof chain code was solid, but I freaked out when I saw that it used a Floating Point type rather than an Integer type for any kind of accounting. Accounting requirements vs. floating point types have a long and horrible history.

So that prompted some more discussion. He was designing specifically so that it would be possible to implement compatible clients in languages (*cough* Javascript *cough*) in which no other numeric type is available, so he wanted to squish rounding-error bugs in advance to ensure compatibility.  If anybody gets different answers from doing the same calculation the chain forks, so it’s sort of important for everybody to get the same answer.  Because Javascript clients were going to use double float, and he wanted them to get the same answer, he was going to make sure he got correct answers using double floats.

He was trying to avoid rounding errors as a way of future-proofing: making it completely consistent so clients with higher-precision representations wouldn’t reject the blocks of the old chain – but on the ground he wanted to be damn sure that the answers from Javascript clients, which *would* by necessity use double float, could be compatible with checking the block chain.

The worst that could happen from a rounding error, as long as everybody gets the *SAME* rounding error, is that the miner (whose output is unspecified in the block and defined as “the rest of the TxIn values input”) gets a few satoshis more or less than if the rounding error hadn’t happened, and no satoshis would be created or destroyed.

But if people on different clients get *DIFFERENT* rounding errors, because of different representation or differently implemented operations, the chain forks. And That Would Be Bad.

I would have said *screw* Javascript, I want rounding errors to be impossible, and used integers.  If the Javascripters want to write a float client, they’d better accept accurate answers, even if they have to allow for answers different than their code generates.  And if they make transactions containing rounding errors, let everybody in the universe reject them and not allow them into blocks.  But that’s me.

It was when we started talking about floating-point types in accounting code that I learned Hal was involved in the effort. Hal was reviewing the transaction scripting language, and both the code he had, and the code I had, interacted with the accounting code. So Satoshi brought him in for the discussion on floating point, and both of us reviewed the accounting code. Hal had a lot of experience doing exact math in floating point formats – some of his crypto code in PGP even used float types for binary operations. So he wasn’t as freaked-out about long doubles for money as I was. We talked a lot about how much divisibility Bitcoins ought to have; whether to make ‘Satoshis’ an order of magnitude bigger just to have three more bits of cushion against rounding errors, or keep them near the limit of precision at 10^-8 bitcoins in order to assure that rounding errors would always fail. Failing, immediately, detectably, and hard, at the slightest error, is key to writing reliable software.

So I went over the accounting code with a fine-toothed comb looking for possible rounding errors.  And I didn’t find any.

Which is more than a little bit astonishing.  Numeric-methods errors are so ubiquitous nobody even notices them.  Inevitably someone multiplies and divides in the wrong order, or combines floats at different magnitudes causing rounding, or divides by something too small, or makes equality comparisons on real numbers that are only equal 65535 times out of 65536, or does too many operations between sequence points so that they can be optimized differently in different builds, or uses a compiler setting that allows it to do operations in a different sequence, or checks for an overflow/rounding in a way that the compiler ignores because it can prove algebraically that it’s “dead code” because it will never be activated except in case of undefined behavior (like eg, the roundoff or overflow that someone is checking for)!  Or SOMETHING.  I mean, in most environments you absolutely have to FIGHT both your language semantics and your compiler to make code without rounding errors.

Clearly I hadn’t been the first pessimistic screaming hair-triggered paranoid aware of those issues to go over that accounting code; I could not find a single methods error.  The ‘satoshi’ unit which is the smallest unit of accounting, is selected right above the bit precision that can be handled with NO rounding in the double float format, and every last operation as far as I could find was implemented in ways that admit no rounding of any bits that would affect a unit as large as a satoshi.

To cause rounding of satoshis in the Bitcoin code, someone would have to be adding or subtracting more than 21 million Bitcoins (I think it’s actually 26 million, in fact…).  So, the Bitcoin chain is, I believe, rounding-free and will continue to check regardless of whether clients use any higher floating point precision.

For comparison Doge, which has so many coins in circulation that amounts larger than 26 million Doge are actually transacted, has rounding errors recorded in its block chain.  If a new client ever uses a higher-precision float format, their old chain won’t check on that client.  Which would be seen as a bug in the new client, and “corrected” there (by deliberately crippling its accuracy when checking old blocks). In fact it’s a bug in the Doge coin design which will never be fixed because they’ve already committed too much to it.

Integers.  Even with code that is meticulously maintained and tested for consistency, even where methods errors have been boiled out by somebody’s maniacal obsessive dedication, Integers would have been so much cleaner and easier to check.

Digression #1:
Why I was VERY interested in proof chains and digital cash protocols.

When I extended Chaum’s protocol in 1995, I had used proof chains attached to each ‘coin’, which grew longer by one ‘link’ (nowadays we say ‘block’) every time the coin changed hands. That allowed coins to circulate offline because all the information you needed to make another transaction was in the chains attached to the individual coins.  In order to make it possible to catch double spenders, the ‘links’ contained secret splits which, if two or more contradictory links were combined, would reveal the identity of the spender.

So, it could circulate offline and make transfers between users who weren’t even connected to the Internet. It didn’t have the ferocious bandwidth expense and even more ferocious proof-of-work expense of Bitcoin. Double spenders couldn’t be caught until the differently-spent copies of a coin were compared, potentially after going through several more hands which meant you had to have some kind of resolution process. And a resolution process meant you absolutely had to have a Trusted Certificate Authority with a database that could link UserIDs to RealWorld IDs in order to figure out who the RealWorld crook was.

Buyer and seller had to have valid UserIDs issued by the Trusted CA, which were known to each other even if to no one else.  And although not even The Trusted CA could link UserIDs and transactions except in case of a double spend, the parties to each transaction definitely could. Either party could later show and cryptographically prove the details of the transaction including the counterparty’s UserID, so your transactions were “Private”, not “Secret”. Finally, the ‘coins’ were non-divisible meaning you had to have exact change.

It was, at best, clunky compared to Bitcoin, and not being able to identify double spends until unspecified-time-later would probably be a deal-killer for acceptance. But it also had some advantages: It didn’t create a central permanent ledger that everybody can datamine later the way Bitcoin does, so Trusted CA or not it might actually have been better privacy in practice.  It was completely scalable because no transaction needed bandwidth between anybody except buyer and seller. And it had no proof-of-work expense.  But it needed a God-Damned Trusted Certificate Authority built directly into the design, so that CA’s database was open to various kinds of abuse.

Digression #2:

I had no comprehension of modern attitudes toward bandwidth costs.

I mean, I knew it had gotten cheap, but it was still taking me hours, for example, to download a complete Linux distribution. I figured other people noticed big delays like that too, and wide adoption of Bitcoin would mean slowing down EVERYTHING else they (full nodes anyway) did.  I just hadn’t understood that – and still have trouble with – the idea that by 2008, nobody even cared about bandwidth any more.

I got my first computer, because at that time privately owned computers were INTERESTING!  So I had to, even though they were also mostly useless.  (See a pattern here?)

But at that time, computers were not communications devices.  At All. If you hadn’t invested in something called a “LAN”, which anyway could only work inside one building, probably cost more than the building itself, and was useless unless you’d also invested in multiple computers, you moved data back and forth between your machines and your friends’ machines using cassette tapes.  Or, if you and your friend were both rich enough to buy drives, or had been lucky enough dumpster diving to get drives you could repair, and had access to the very expensive media through some kind of industrial or business supply place, you might have done it using floppy disks.  Which held eighty kilobytes.

I got my first modem a few years later, and modems at the time were flaky hardware only BARELY supported by single-tasking systems that had never been designed to handle any signal arriving anywhere at a time they did not choose.  If your computer didn’t respond fast enough to interrupts, a modem could crash it.  If you were running anything that didn’t suspend and resume its business correctly (and most things didn’t because they’d never had to before) or anything that was coded to use the same interrupt, the modem would crash it.  If the software on your end ever started taking too long to execute per input character, the modem would fill up the short hardware buffer faster than your software could empty it, and crash it.  If you transmitted characters faster than the software running on the remote system could handle them, you’d crash the remote system.  There were no error correcting protocols because none of us had the compute power to run them fast enough to avoid a crash at the speeds the modems ran.

And that modem couldn’t transmit or receive characters even as fast as I could type. Sometimes you could crash the remote system just by accidentally typing too fast for a minute or two.

Computer security wasn’t a thing. Pretty much anybody you allowed to connect could at least crash your system and probably steal anything on your computer or delete everything on your computer if they really wanted to.   The host programs weren’t *intended* to allow that, but something as simple as transmitting an unexpected EOT signal could often crash them – sometimes crashing the whole machine, sometimes leaving the caller at the all-powerful command-line prompt. Stuff like that happened all the time, just by accident!  So people were understandably reluctant to let strangers connect to their systems.

There was one place in my whole state that I could call with it where I found people who’d leave a modem running on their machine despite the risk of crashes, and would allow a stranger on their system.  That sysop, in an act of sheer grace that he didn’t have to extend and which nobody was paying him for, allowed me to connect to it.  There were no such things as commercial providers; they could not exist until at least some system security actually worked.

There was barely even any commercial software: Every machine came with its own BIOS and Operating System, and the ONLY way to distribute a program that would run on more than a tiny fraction of systems was to distribute it as source code which people could tweak and fix and adapt in order to get it running, and commercial vendors didn’t want to distribute any source code.

So our software was all shared.  It came from fellow hobbyists, and unless we were physically in the same room to exchange media (and had the ability to read and write media compatible with the other’s systems), we could not share it without using bandwidth.

Long distance calls were over a dollar a minute, modems ran at 160 or 300 bits per second, and I could have burned through my entire monthly paper route income in under three hours.

Finally, every second I was connected to that remote system, that phone line was busy and everybody else couldn’t use it. And the other users needed it for reasons FAR more important than I did. They were military veterans, some of them profoundly not okay after Viet Nam, using it as sort of a hobby-mediated support group, and I was a fifteen-year-old kid hobbyist with a paper route.  Hobby in common or not, I had no illusions about the relative value of our access.   So I tried to be a good guest; I took my turns as fast as possible, at times least likely to conflict as possible, using as many pre-recorded scripts (played off a cassette tape deck!) as possible to waste absolutely no time, and got off.  I didn’t want to keep anybody out of something which was that important to them.

That’s the way things were when I started learning about the value of bandwidth.

No matter how much bandwidth I’ve got now, no matter how cheap it becomes, I’m still aware of it and it’s still important to me to not waste it.  I’ve sweated every byte every time I’ve designed a protocol.

And that’s why – to me anyway – universal distribution of a globally writable block chain is still amazing.  Just the fact that it’s now POSSIBLE seems incredible.
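The floating-point accounting discussion in A3 above turns on one question: do all clients get the same answer for "inputs minus outputs"? The following is an added example (mine, not Satoshi's or Ray's code) that shows the three ways of doing that sum side by side: coin-denominated doubles (0.1, 0.2, ...), satoshi-denominated doubles (1e7, 2e7, ...), and plain integer satoshis. It assumes amounts arrive as decimal strings and that a coin has 10^8 subunits; the 2^53 figure is the IEEE double significand, the point past which consecutive integers stop being representable.

```python
"""Integer satoshis versus floating-point accounting.  Added example, mine rather
than Satoshi's or Ray's code; assumes amounts are decimal strings and a coin has
10**8 subunits (the 'satoshi')."""
from decimal import Decimal

SUBUNITS = 10 ** 8          # satoshis per coin (assumption: 8 decimal places)
DOUBLE_INTEGER_LIMIT = 2 ** 53  # every integer up to here is exact in a double


def to_sat(amount):
    """Exact decimal-string -> integer-satoshi conversion; rejects sub-satoshi dust."""
    sat = Decimal(amount) * SUBUNITS
    if sat != sat.to_integral_value():
        raise ValueError("%s is not a whole number of satoshis" % amount)
    return int(sat)


def sum_float(amounts):
    """Left-to-right IEEE double summation, as a float-based client would do it."""
    total = 0.0
    for a in amounts:
        total += a
    return total


def fee_btc_float(inputs, outputs):
    """Miner's cut computed in coin-denominated doubles: picks up rounding noise."""
    return sum_float(float(a) for a in inputs) - sum_float(float(a) for a in outputs)


def fee_sat_float(inputs, outputs):
    """Miner's cut in satoshi-denominated doubles: exact while totals stay below 2**53."""
    return (sum_float(float(to_sat(a)) for a in inputs)
            - sum_float(float(to_sat(a)) for a in outputs))


def fee_sat_int(inputs, outputs):
    """Miner's cut with integer satoshis: exact and order-independent, no caveats."""
    return sum(to_sat(a) for a in inputs) - sum(to_sat(a) for a in outputs)


def clients_disagree(amounts):
    """True if two clients adding the same coin-denominated doubles in a different
    order get different totals, i.e. would disagree on block validity and fork."""
    forward = sum_float(float(a) for a in amounts)
    backward = sum_float(float(a) for a in reversed(amounts))
    return forward != backward


def representable(sat):
    """Does this satoshi count survive a round trip through a double unchanged?"""
    return int(float(sat)) == sat


def max_coins_exact_in_double():
    """Coins you can hold to the satoshi in one double before counts start rounding."""
    return Decimal(DOUBLE_INTEGER_LIMIT) / SUBUNITS


if __name__ == "__main__":
    # Constructed sample transaction: 0.1 + 0.2 in, 0.3 out, so the fee must be 0.
    ins, outs = ["0.1", "0.2"], ["0.3"]
    print("coin doubles   :", fee_btc_float(ins, outs))   # rounding noise, not 0
    print("satoshi doubles:", fee_sat_float(ins, outs))   # 0.0
    print("integer satoshi:", fee_sat_int(ins, outs))     # 0
    print("order-dependent:", clients_disagree(["0.1", "0.2", "0.3"]))
    print("exact up to    :", max_coins_exact_in_double(), "coins")
    print("1e8 coins + 1 sat representable:", representable(to_sat("100000000.00000001")))
```

The last line is the Doge-style failure: once a single amount or running total exceeds 2^53 satoshis, individual satoshis can no longer be represented, and which way a sum rounds depends on the client's float format and operation order.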

Q4: When Satoshi released the white paper, you had many public exchanges with her on that mailing list.  For instance, you asked her about inflation and Satoshi seemed to think that there could be some price stability if the number of people using it increased at the same level as the supply of bitcoins increased.  But, relative to the USD, there has never really been much price stability in its history to date.  Is there a way to re-engineer Bitcoin and/or future cryptocurrencies to do so without having to rely on external price feeds or trusted third parties?

A4: Whoof…  that’s a hard question.  “Is not Gross Matter Interchangeable with Light?”  was considered impossible until Einstein figured it out. And the people who’d been asking that question didn’t even recognize or care about Einstein’s answer because his answer wasn’t about bodies and souls and the afterlife.  If the answer is ‘yes’ but the re-engineering involved changes the fundamental qualities that make you (or anybody) value cryptocurrencies, then is the answer really yes?

Satoshi tried to do it by anticipating the adoption curve.  We know how that turned out.

I think it’s fundamentally impossible to plot an adoption curve before launch.  I mean, I was the pessimist who assumed that there’d be a small group, formed early, that wasn’t going to be growing at all as these additional millions of coins pumped into that campus or that community economy.  So I figured, some initial value and rapid inflation thereafter.

Satoshi was far less pessimistic in figuring a widespread and fairly gradual adoption, and had picked the logarithmic plot to put coins into the economy at about the rate envisioned for adoption, assuming Bitcoin would follow a logarithmic adoption curve. It wasn’t a bad guess, as it’s a decent approximation to the Bass Diffusion Model, but the parameters of the curve were completely unknown, and the Bass curve often appears after something’s been around a long time – not just when it’s launched.

Most importantly, nobody anticipated Bitcoin’s primary use as being a vehicle of financial speculation. The Bass Diffusion Model isn’t applicable to speculative commodities, because price changes in speculative commodities are responsive to PREVIOUS price changes in the speculative commodity.  That makes them nonlinear and chaotic.

And that, I think, is what it comes down to.  If people will be using something as a vehicle of speculation, then its price point is chaotic and defies all attempts to stabilize it by predicting and compensating for it.  So I think we need to abandon that notion.

You’ve already ruled out the idea of external price feeds and trusted third parties, because those would change the fundamental qualities that make you value cryptocurrencies.

That leaves internal price feeds:  If a cryptocurrency is used as a medium of exchange in other fungible assets, and those exchanges are recorded in its own block chain, then exchanges of crypto for dollars and exchanges of crypto for, eg, gold bars are visible in the block chain and could at least in theory be used to detect economic conditions and adjust the rate of issue of cryptocoins.

But the fly in that ointment is, again, the fact that the crypto is being used as a speculative asset.  People can read the block chain before the changes are made, anticipate what changes the code is about to make, and will front-run them.  Or, operating as “Sybil and her Sisters”, make a thousand completely bogus transactions in order to fool the software into doing something crazy.  Either way reintroducing positive feedback via market manipulation.

Most schemes aimed at stabilizing the value of a coin via any automatic means assume that the price can be changed by changing the rate of issue.  But the more coins are in circulation, the less possible it becomes for changes in the rate of issue to shift the price, meaning it devolves back to the first case of nonlinear and chaotic feedback.  IOW, the new coins being added represent a much smaller fraction of the available supply, and withholding them will affect almost no one except miners.

Honestly I’m very surprised Tethercoin isn’t dead yet.  What they propose, economically speaking, simply will not work.  They got themselves somehow declared to be the only way to get money OUT of a major wallet, which props up their transaction volume, but if the people haven’t already walked away with most of the money they’re supposedly holding but won’t say where, then I’m very surprised.

Q5: About a year ago you wrote a highly-commented upon, passionate retrospection published on LinkedIn.  You called out a lot of the nonsense going on then, is there anything that has been on your mind since then that you wanted to expand upon?

A5: Um.  Artificial Intelligence, Financial Markets, Human Brains and how they are organized, the nature, origins and mechanisms of consciousness and emotion, a generalization of neuroevolution algorithms intended to scale to recurrent networks of much greater complexity than now possible, scope of political corruption and the politics of divisiveness, gene migration and expression, the way cells control and regulate mutation in different kinds of tissues, directed apoptosis via a multiplicity of P53 genes as a preventive for cancer (happens naturally in elephants; easy to do with CRISPR; engineered humans would probably be radiation-resistant enough for lifetimes in space, or just plain longer-lived, or both), history of the Balkans, history of the Roman Empire, ancient religions, writing a science fiction novel ….

You know, things that are INTERESTING!  I actually _can’t_ turn my brain off.  It’s a problem sometimes.

I have had a few thoughts about cryptocurrencies, however, which is probably what you intended to ask about.

The first:

I have figured out how to redesign the cryptographically secured history database built by cryptocurrencies so that you don’t need any full nodes.  There are other ways to organize the blocks that give the proof property you need; They don’t have to form something that’s only a chain, and you don’t have to have specialized nodes for the purpose of holding them because everybody can hold just the blocks they need to show the validity of their own txOuts.

In order to verify the validity of any txOut, you need three things:  to see the block where it was created, to be sure that block is part of the same database as that proposed for the transaction, and to be sure that no block exists between those two in which that txOut was spent in another transaction.

Call it a “Block Hyperchain”, by reference to the N-dimensional hypercube it’s based on and the block chain it replaces.

I should be clear and say there are things it does and things it doesn’t do.  If your goal is to check all transactions, you’ll download a scattering of blocks for each transaction that soon add up to most of the block database, so someone who wants to check every transaction will rapidly accumulate the whole database.

But most users should be happy with just the few blocks they need to demonstrate the validity of the txOuts they hold, and it’s damn nice to be able to download a client, open it up, and just use it with minimal delay because someone offered to pay you bitcoins one minute ago and you want to be able to make sure the transaction he’s offering is valid RIGHT NOW, instead of waiting to accumulate the whole chain to check anything.

Suppose we pick a base, for convenience, of 10.  This helps make things easy to explain because we work with base-10 numbers, but we could have picked 16 and used hexadecimal for our explanations.

In a base-10 Block Hyperchain, every block that’s published has its own set of transactions, and the hashes of the blocks 10^N blocks ago for every integer value of N from N=0 to N <= log10 of block height.

Every block would record its own transactions, and also one list of destroyed txOuts per integer value N over the same range.

Each destroyed-txOut list would be all txOuts created in blocks whose block numbers match (modulo 10^N) the current block number, that have been destroyed in the last 10^N blocks.

Example:
If someone shows me a transaction seeking to spend a txOut, I want to check and see if it’s valid.  I.e., I want to see the block where it was created, and see evidence that it hasn’t been spent since.

So I can look at that txOut’s ID and know it was created in block 124. If the current block is 7365, I get block 7365 and 7364 to make sure it hasn’t been spent in those, the same way we can do with a block chain.

Then I have a block whose last digit matches the last digit of the block where the txOut was created.  So I start checking the 10-block txOut-destroyed lists.  I check the list in block 7364 to make sure it wasn’t spent in blocks 7354 to 7363.

Then, jumping back by 10-block increments (relying on the second recorded hash in the header), I can check to make sure it hasn’t been spent in the previous ten blocks to each of blocks 7354, 7344, and 7334.  Then I get block 7324.

Now I’m at a block whose last 2 digits match the block where the txOut was created, so I can start checking the previous hundred blocks using the second txOut-destroyed list, and jumping back by hundred-block increments using the third recorded hash.  So I get blocks 7224 and 7124.

Finally, I’m at a block whose last 3 digits match the block where the txOut was created, so I can start jumping back by thousand-block increments, checking the thousand-block txOut-destroyed lists.  So I get blocks 6124, 5124, 4124, 3124, 2124, 1124, and finally 124.

So finally, I have a txOut created over 7200 blocks previous to the current block, and I have downloaded a total of 15 blocks to make sure that it was created in the same Hyperchain and hasn’t been spent since.

The number of blocks downloaded is proportional to the log base 10 of the number of blocks in the chain.

The blocks I’ve downloaded are larger because of the spent-txOut lists, but the spent-txOut lists have an average length that is the same regardless of the span of blocks they cover.  Lists that report transactions from a set 10x as long, only need to report individual transactions from that set 1/10 as often.

With more efficient access to the history database, it is possible to substantially raise transaction bandwidth.  People who make transactions during the next 7 blocks or so would need to see that block; later on, people who accept txOuts created during that block will need to see that block. And there’ll be about 49 blocks’ worth of txOuts, scattered through the earlier history, that someone eventually has to traverse this block to verify.

All this means you have drastically smaller bandwidth requirements (remember I obsess on bandwidth costs?) for the same transaction volume but larger data-at-rest requirements (for any weirdo who for whatever reason feels like they need to collect the WHOLE database in one place, and why would anybody do that?) by a factor of seven.

And I keep thinking I’m going to do it, because it’s INTERESTING! And I ought to do it, because it’s VALUABLE!  But then I think about the current state of the cryptocurrency world and the quality of the people it would bring me into contact with and the ways people would try to scam with it and the number of people who’d find reasons to lie to me or about me, and then I get a sour stomach and go on to do something ELSE!

And feel vaguely guilty for not doing it, because it actually would be valuable.

It’s really hard for me to be motivated or enthusiastic about a cryptocurrency project, until the whole field is more full of people I’d be happy to interact and exchange ideas with and less full of ….  um.

The words that come to mind really shouldn’t be printed.  [This is fine meme]  I don’t mind if people know I’m sort of upset with the conditions and business ethics out there, or even that being so upset is literally preventing me from doing something useful.  But I’d rather not have it expressed in terms that are an incitement to violence.

Anyway, moving on; in order to mine, someone would have to be able to see seven of the previous blocks; a different set of seven every time. But if I thought bandwidth was going to waste, that doesn’t even START to address the costs of hashing!  Deploying something that saves bandwidth without also figuring out a way to save hashing would fail to address a critical point.

So, I’ve had a bunch of thoughts about mining.  Most of which aren’t as interesting or valuable as the thought about how to organize the history database.  In favor of mining, it’s good that someone is able to join the network permissionlessly, help secure it, get paid, and initially get coin into circulation going from “none” to “some”.

My thoughts for securing a chain without proof-of-work are something I suppose I ought to call “Proof-of-Total-Stake.”

Congratulations!  This conversation with you got me to name it!  I had been calling it “proof-of-activity” but I see that name has acquired a much more specific meaning than it had when I started calling this by it, and no longer fits.

I still need to figure out what to call my revised structure for the block history database though.

Proof-of-Total-Stake means measuring the priority of a fork by the total value of TxOuts that existed BEFORE the fork that have been spent AFTER the fork.  In other words, the total stake: how much of EVERYBODY’s money the blocks formed after the fork represent.  That is a well-founded mechanism for security that doesn’t involve trusted parties or burning hashes.  It’s the only one I’ve come up with.  In the long run, unless somebody comes up with another fundamentally new idea, or accepts the idea at least of trusted block signers, that’s what I think a proper cryptocurrency would have to wind up with.

But there’s a problem with it.

Proof-of-Total-Stake, by itself, doesn’t provide an obvious way to determine who gets to form the next block – which can be a CRUCIALLY important security concern.

And Proof-of-Stake, including Proof-of-Total-Stake, doesn’t handle the initial, permissionless, distribution of coins.  They can’t go from “none” to “some.”  They can only go from “some” to “some more.”

So I think it could only be deployed along with some kind of mining.
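
The 124-to-7365 walk from the Block Hyperchain explanation above, as an added worked example (our own toy model, not Ray’s code or any published implementation). Block hashes, signatures and transaction bodies are left out; the model keeps only block numbers, which block created each txOut, which block destroyed it, and the per-level destroyed-txOut lists a block would publish. The txOut names and the spend heights 3000 and 7360 are constructed for the demonstration.

```python
# Toy model of the base-10 "Block Hyperchain" spent-txOut check. Added
# illustration, not Ray's code: hashes and transaction bodies are omitted.


class Hyperchain:
    def __init__(self, height, base=10):
        self.height = height      # number of the newest published block
        self.base = base          # 10 in the text; 16 would work as well
        self.created = {}         # txOut id -> block number that created it
        self.destroyed = {}       # txOut id -> block number that spent it

    def create(self, txout, block):
        self.created[txout] = block

    def spend(self, txout, block):
        assert self.created[txout] < block
        self.destroyed[txout] = block

    def spent_in(self, block):
        """txOuts destroyed by the transactions inside `block` itself."""
        return {t for t, d in self.destroyed.items() if d == block}

    def destroyed_list(self, block, n):
        """The level-n destroyed-txOut list a block would publish: txOuts
        created in blocks congruent to `block` modulo base**n that were
        destroyed in the base**n blocks immediately before `block`."""
        span = self.base ** n
        return {t for t, d in self.destroyed.items()
                if block - span <= d < block
                and (self.created[t] - block) % span == 0}

    def verify(self, txout):
        """Return (unspent, blocks_fetched) for a txOut offered in a payment.

        Walk back from the newest block towards the creating block; at each
        step use the largest power of the base that divides the remaining
        distance, so the number of blocks fetched is O(log_base(height))."""
        if txout not in self.created:
            return False, []
        born = self.created[txout]
        cur = self.height
        fetched = [cur]
        if txout in self.spent_in(cur):        # newest block's own transactions
            return False, fetched
        while cur > born:
            dist = cur - born
            n = 0
            while dist % self.base ** (n + 1) == 0:
                n += 1
            # `cur` shares its low n digits with `born`, so its level-n list
            # covers this txOut for the base**n blocks before `cur`
            if txout in self.destroyed_list(cur, n):
                return False, fetched
            cur -= self.base ** n
            fetched.append(cur)
        return True, fetched


def worked_example():
    """The 124 -> 7365 walk: 15 blocks fetched, ending at the creating block.
    Spend heights are constructed to show each kind of list catching a spend."""
    chain = Hyperchain(height=7365)
    chain.create("unspent", 124)
    chain.create("spent-early", 124)
    chain.spend("spent-early", 3000)   # caught by block 3124's thousand-block list
    chain.create("spent-late", 124)
    chain.spend("spent-late", 7360)    # caught by block 7364's ten-block list
    return {name: chain.verify(name)
            for name in ("unspent", "spent-early", "spent-late")}
```

`worked_example()["unspent"]` yields the 15-block path 7365, 7364, 7354, ..., 7324, 7224, 7124, 6124, ..., 124 from the text; a spend that happened anywhere along that path is detected by the first list whose span covers it, and the verifier stops downloading at that point.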

Q6: We first started interacting some four years ago when I was doing some research on dead cryptocurrencies, most of which were just direct clones or copies of Bitcoin.  At the time you were doing the heavy lifting categorizing how they died in a BitcoinTalk thread.  Today sites like Deadcoins.com have tried to do something similar.  Even though loud advocates at events like to claim blockchains “live immutably forever,” empirically there are probably just as many dead blockchains as living blockchains.  What do you think is the top reason why so many blockchains lose support to the point of death, and do you think those reasons will change much in the future?

A6: By far the vast majority of those people were not doing anything INTERESTING!  A lot of the honest ones discovered that it was a lot of work and had other commitments in life.  A lot of the dishonest ones made their money and walked away leaving the suckers behind.  A lot of people discovered that maintaining a codebase needed more programming chops than they actually possessed, and quietly withdrew from the field. A fair number ran into scammers and crooks whose utterly disgusting behavior left them convinced they wanted to do something else rather than meeting any more of those guys.

But the most important point? Hardly any of those coins was ever used in any transaction for an actual thing – not even an initial experiment like Laszlo’s Pizza.

Most of them were only ever mined by people who intended absolutely nothing beyond immediately converting them into Bitcoin, and only ever held by people who daily watched their value trying to guess the right time to sell them for Bitcoin.

It’s not so much that most of them *failed* – it’s more the case that the vast majority never even remotely began to *succeed*. There was no economic activity, meaning sales of merchandise or payment for work, that they facilitated.  Put bluntly, they just didn’t do anything beyond providing a temporary and completely discardable medium for speculation and scamming.  And, as surely as atomic decay, they got used, for that purpose only, and discarded.

Q7: Based on the original white paper, the intent of Bitcoin was to be an e-cash payment system which could be utilized without needing to disclose a real identity to an administrator.  It seems that over time several different tribes have popped up, including those who market Bitcoin as a form of “e-gold.”  What do you think of the visible fracture that has occurred between the various Bitcoin tribes?  Does proof-of-work really act as a type of DRM for coin supply or do all the forks we have seen turn the advertised “digital scarcity” and “digital gold” into an oxymoron?

A7: That endless fight, starting with the block size fight, with everybody yelling and nobody listening, pretty much convinced me that the “community” which had grown around Bitcoin was in deep trouble.

The differences between the various proposed technical changes to the block chain are far less important to the futures of those forks than the integrity of the people who support and do business using them.

But the technical merits were never discussed by most. Instead, repetitive sound bites and slogans about them containing absolutely no new information were shouted.  Integrity was seldom displayed either. Instead, the fight was carried forward almost exclusively by partisans who had already decided what was the only possible solution that they would accept, and in many cases using tactics that inspire an absolute refusal to support their interests, or even participate in the communities where they are found.

If someone hires a troll army to attack a community by astroturfing fake support for something, can you respect that person?  If someone drives people who disagree away with personal abuse, is that a reasonable method for coming to an agreement about a protocol?  Is it a valid form of technical reasoning to launch a sabotage against a block chain based consensus mechanism?  What can you say about someone who buys existing accounts of users whom others trust in order to fake trusted support for their agenda? How about when it happens after those users whom others trust have been driven away or left in disgust?  Is it a respectful negotiator interested in the insights of others in solving a problem, whose negotiating skills include locking the damn doors and refusing to let someone leave the room until they get his signature on an “agreement” that they wrote without his knowledge before he even got there?

Is someone who would participate in a fight, on those terms, someone whose agenda or business interests you really want to support?  Hint: You already know that people who fake support for their agenda, or tell lies about others in order to discredit them, or who deliberately deceive others about the merits of their own proposal or others’ proposals, are doing business by means of fraud.  Do you want to carry on until the fraud is financial and the victim is you?

These factions had no interest whatsoever in reaching a consensus.  And nothing prevented each from implementing their idea and launching, with no hard feelings from anybody and no fight.  The only thing they were really fighting over was the name “Bitcoin,” which was absolutely unrelated to the technical merit of any proposal.  And, to a first approximation, the other merits of having the name are something that none of them even mentioned during the fight.

Technically speaking, there is not much wrong with any of these forks. They address certain problems in different ways slightly favoring the interests of different groups, but not seriously to anyone’s disadvantage.  None of them was entirely without technical merit.

On the other hand none of them make more than a tiny amount of difference.  None helped with the bandwidth or transaction volume by anything more than a small constant factor, so the problem they were supposedly about solving was not in fact solved, nor even very much affected.

So while none of the proposed changes were objectionable in themselves, there was really no *very* compelling reason for any of them to be implemented.  Each of those ideas is merely a stopgap that pushes the rock down the road another foot or two without moving it out of the way. If you want to move that rock out of the road, you will need a much more powerful idea.

Q8: You’ve mentioned that limited supplies simply incentivize hoarding, which leads to low economic activity.  You have proposed a type of “proof-of-activity” replacement.  Can you expand more on either of these views?

A8: Suppose you have an economy that’s growing (more value is being created) but has a constant supply of coins.

In that case your coins represent, let’s say, one-millionth or so of the money that’s in circulation.

And, as the economy continues to grow, your coins will continue to represent one-millionth or so of the money that’s in circulation.  But that will be one-millionth or so of a lot more actual wealth.  In fact, your money, just sitting there in your wallet, is GUARANTEED to rise in value by the same fraction that the economy is growing by.  In our terms, this would be exactly the market average, as though you were holding stocks invested in ALL the businesses in your economy in proportion according to their capitalization.  This is what index funds and IRAs make, mostly, but it’s making it with no risk.

Now, if you offer any investor a risk-free investment that’s guaranteed to make the same return as the market average, that investor would be mad to pass it up.  No investor is confident that she’ll beat the market average in any given year.  That’s why they call it “AVERAGE!”  And volatility – variance in return – is an unqualified bad thing because it will always take an 11% gain to make up for a 10% loss.  That money sitting right there in her wallet is the best investment she could possibly make.  There might be things that would make as much or more money, but all of them involve risk out of proportion to their marginal return.  Let other investors do that; they’re suckers and she’ll make the same money they do.

The problem with that is that the other investors are looking at the same question.  And reaching the same conclusion.  Why invest in companies doing anything productive, and expose yourself to risk, when you can make the same money just by holding your investment in your wallet?

And then who invests in the businesses that, if they were working, would actually create the value these people all intend to have some share in?

… (sound of crickets chirping) …  Suckers.

Suckers who lose more often than they win, because it takes an 11% gain to recover a 10% loss.  And the money they lose? Eventually trickles into the hands of the people who are hoarding it.

With no reason for investors to invest in business, the businesses eventually starve and the economy shrinks.  And all those coins that represent one-millionth of the economy’s wealth start representing one-millionth of less and less actual value.

This is what happened to ancient Rome.  They used metals (gold and silver and bronze) as currency, and their economy collapsed WHILE people had plenty enough money to keep it going!  Everybody stashed all their coins expecting to benefit later from prospering businesses, and the businesses, for want of capital, did not prosper.

Then the death spiral started: everybody stashed their coins waiting for the economy to come back so the coins would be worth their “real” value, and the economy never came back.  The coins were never worth their “real” value, until the people who remembered where the coins were buried had also been buried.

It’s a millennium-and-a-half later and we are STILL finding stashes of Roman coins!  The people who could have gotten their economy moving again, if they had EVER supported a business, instead buried their money in sacks.

The government tried to get it moving again, or pretend for a while that it hadn’t collapsed, making coins with increasingly ridiculous adulterated alloys.  But that didn’t change the underlying dynamic.

The Gold bugs of course have all told each other a different version of this story, where the adulterated coins were the cause of the collapse rather than the increasingly desperate attempt to recover from it.  And it’s pointless to try to convince them otherwise; they believe they already know the only possible truth. But for those actually motivated to investigate, the chronology of the events is reasonably clear.

===============================================================

The next thing is about “Proof-of-Total-Stake”, which I guess is what I’m going to call this idea for securing the chain.

The fundamental idea behind Proof-of-Total-Stake is that the priority of any branch of a fork is the total amount of EVERYBODY’s money which that fork represents.  That means, coins generated in that fork and pre-existing coins brought into the fork by transactions.

Coins generated in a fork are the coinbase transactions; coins moved into the fork from earlier parts of the chain are TxOuts from earlier in the block chain that have been spent during the fork.

But we have to know which BRANCH of the fork they were spent into.  I.e., someone trying to create a fork should not be able to stick transactions from the valid branch of the chain into it, or they can match the txOut spending from earlier in the chain.  This is the basic problem with most implementations of proof-of-stake, which some writers have called “nothing at stake.”  Whatever resource you are using to secure the chain is meaningless when it can be used to secure *BOTH* forks of the chain.

In order to prevent the replay attack, each transaction would have to “stake” a recent block, making a commitment to supporting only forks which include that block.  This adds a field to each transaction.

The new field would give the (hash) ID of a block, indicating that this particular transaction is not valid in any branch of the chain which does not include the staked block.

So, let’s say that two transactions “coffee” and “eggs” are made at the same time, after the chain forks at block 50.  “Coffee” stakes block 48 and “eggs” stakes block 51A.

When “coffee” appears in block 51B, the total stake of fork B is increased by that amount; its weight counts toward that resolution of the fork.

Then “eggs” is added to block 52A, and can’t be placed in chain B because it staked a block that doesn’t exist in chain B.  Now “eggs” counts as stake in favor of the A branch and “coffee” counts as stake in favor of the B branch.

But then “coffee” appears in branch 53A, where it is also valid because the same block 48 is behind both branches.  This cancels out its support for branch B, just by being equal – revealing that stake which can be used in favor of both chains counts for nothing.

Security happens because some finite resource (coins created before the branch point and spent in transactions that are staked after the branch point) is committed detectably and irrevocably to the support of one branch (by staking after the branch point), and cannot be used to support any other.

This is exactly what Bitcoin does with hashes:  Hashes per second and number of seconds spent hashing are finite.  Hashes are irrevocably used in support of one branch (because the hash preimage can never be made to match a different block).  And the fact that they are used to support a particular branch is detectable.

Well, strictly speaking there’s only one “detectable” hash in each block. All we know about the others is, on average, how rare that one “detectable” one was and therefore, on average, how many they must have been.

But it’s still the same basic criterion.  Some finite resource, committed detectably and irrevocably to the support of one branch, which cannot be used to support conflicting branches.  And proof-of-total-stake says that resource is the amount of EVERYBODY’s coins that branch represents.

With transactions supporting the basic security of the chain, and the idea behind coinbases being that they are payment for providing chain security, we want our “coinbases” to reward the people who make transactions that stake recent blocks.

PoTS is strong in the long run, or when the chain is seeing a high volume of legitimate transactions, but has its own problems.

Transactions in most cryptocurrencies are a very bursty use of something with long latent periods.  Absent heavy transaction volume, you can’t really expect PoTS to definitively reject a branch in such a way that a crook couldn’t resurrect it with a very large spend.  If the crook has more coins than the difference in total-stake between the two forks, the crook could resurrect the “dead” fork.

This is why the “interest” payments (actually per-transaction coinbases of a particular sort) are made when a transaction stakes a recent block: to encourage a fairly constant stream of transactions that support one particular version of the chain up to a very recent block.

But the peril with that is that you want to structure it in such a way that you don’t incentivize people to overwhelm your bandwidth by transferring every coin they own from their left pocket to their right every block either.  So the actual design would come down to some compromise between transaction fees, and interest payments on transactions staked in very recent blocks, where the breakevens represent the transaction volume you want.

And there are a couple of final things to address together.  First, PoTS, while it has a workable rule for figuring out which branch of forks is preferred, is pretty silent about who gets to form blocks and how.  Second, interest on coins spent has the “nothing to something” problem where if you don’t have anything in the system to start with, you won’t have anything ever.  These are both classic problems with PoTS coins.  The final design has to include some additional kind of coin creation that doesn’t depend on previous holdings (even if it gets de-emphasized after a while) and some way to determine who forms the next block.
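
The “coffee”/“eggs” fork scenario and the Proof-of-Total-Stake branch weighting described above, as an added worked example (our own toy model, not Ray’s code or a published protocol). Blocks are reduced to an id, a parent, a coinbase amount and a tuple of staked spends; the per-block coinbase of 1, the values 4 and 5 for coffee and eggs, and the “crook” transaction used to show the resurrection caveat from the text are all constructed for the demonstration.

```python
# Toy model of the Proof-of-Total-Stake fork rule with the coffee/eggs
# scenario. Added illustration, not Ray's code.

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tx:
    name: str
    value: int     # value of pre-fork txOuts this transaction spends
    stakes: str    # id of the block this transaction commits to (the new field)


@dataclass
class Block:
    id: str
    parent: Optional[str]
    coinbase: int = 0
    txs: tuple = ()


class Ledger:
    def __init__(self, blocks):
        self.blocks = {}
        for b in blocks:
            self.add(b)

    def add(self, block):
        # a transaction is valid only in a branch that contains its staked block
        if block.parent is not None:
            lineage = self.ancestry(block.parent)
            for tx in block.txs:
                if tx.stakes not in lineage:
                    raise ValueError(f"{tx.name} stakes {tx.stakes}, "
                                     f"which is not behind {block.id}")
        self.blocks[block.id] = block

    def ancestry(self, tip):
        """Ids of `tip` and every block behind it, back to genesis."""
        out, cur = set(), tip
        while cur is not None:
            out.add(cur)
            cur = self.blocks[cur].parent
        return out

    def fork_point(self, tip_a, tip_b):
        common, cur = self.ancestry(tip_a), tip_b
        while cur not in common:
            cur = self.blocks[cur].parent
        return cur

    def branch(self, tip, fork):
        """Blocks strictly after `fork` on the way to `tip`."""
        out, cur = [], tip
        while cur != fork:
            out.append(self.blocks[cur])
            cur = self.blocks[cur].parent
        return out

    def total_stake(self, tip, rival_tip):
        """Everybody's money the branch ending at `tip` represents."""
        fork = self.fork_point(tip, rival_tip)
        mine = self.branch(tip, fork)
        rival_txs = {tx for b in self.branch(rival_tip, fork) for tx in b.txs}
        weight = sum(b.coinbase for b in mine)           # coins generated in the branch
        for tx in {tx for b in mine for tx in b.txs}:    # pre-fork coins spent into it
            if tx in rival_txs:
                continue        # usable on both branches: nothing at stake
            weight += tx.value
        return weight

    def preferred(self, tip_a, tip_b):
        a, b = self.total_stake(tip_a, tip_b), self.total_stake(tip_b, tip_a)
        return tip_a if a > b else tip_b if b > a else None


def coffee_and_eggs():
    """Fork at block 50; coinbase of 1 per block (constructed values)."""
    coffee = Tx("coffee", value=4, stakes="48")
    eggs = Tx("eggs", value=5, stakes="51A")
    chain = [Block(str(i), None if i == 0 else str(i - 1), coinbase=1)
             for i in range(51)]
    ledger = Ledger(chain)
    ledger.add(Block("51A", "50", coinbase=1))
    ledger.add(Block("51B", "50", coinbase=1, txs=(coffee,)))
    ledger.add(Block("52A", "51A", coinbase=1, txs=(eggs,)))
    ledger.add(Block("52B", "51B", coinbase=1))
    ledger.add(Block("53A", "52A", coinbase=1, txs=(coffee,)))   # coffee replayed on A
    return ledger


def resurrect_dead_fork(ledger):
    """The caveat from the text: a large spend staked after the fork point
    can outweigh a quiet chain. Returns the tip preferred afterwards."""
    ledger.add(Block("53B", "52B", coinbase=1,
                     txs=(Tx("crook", value=100, stakes="51B"),)))
    return ledger.preferred("53A", "53B")
```

With coffee present on both branches it contributes nothing to either side, so A carries 3 coinbase + 5 (eggs) = 8 against B’s 2, and A is preferred; `add` rejects an attempt to place eggs on branch B because 51A is not behind it. `resurrect_dead_fork` then shows why the text wants a steady stream of staked transactions: on a low-volume chain the gap between the branches stays small enough that one large staked spend flips the choice.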

Q9: ICOs have been around in some form or fashion for about five years now.  What’s your view on these fundraising schemes?

A9: The SEC is bouncing on them pretty hard, and as far as I can see it’s pretty much deserved.  Everybody wants something they can freely trade on secondary markets, and sell on the basis of its future value, but they also want to lie about it by saying it isn’t a security.

It is a security.  If a security is sold by a company to raise money, but does not represent a bond (a promise to buy it back) nor a stock (a share in future earnings) then an investor is getting nothing for her money – except maybe a receipt for having made a donation.

Another investor (a “real” investor who knows and understands a broad market, not a speculator who made a lot of money by a couple of strokes of sheer luck) will not buy it from them, at any price.  Such a thing has only speculative value.

If something’s continued value depends on a company, but the company’s continued existence doesn’t depend on that thing having value, it would be an excellent thing to not buy.

And all of that, we can say without ever touching on ethics and business practices of the people who run them.  But when we do touch on the people who run them, the story gets worse.  Much worse.  Much, much worse.  In this most are following the path trod by Altcoins.  And racking up a very similar ratio of efforts that fail, or which never even start to succeed.

Q10: You have alluded to tokenized securities in the LinkedIn article as well as our correspondence, what is your take on this topic?  What are the advantages versus say, simply doing what Carta (formerly eShares) does?

A10: I would have to answer that admitting to some degree of ignorance about Carta.  As I remember eShares, it was very much a top-down stock and option management tool, in that a private company with (non-traded) shares typically uses it to keep track of who owns what – actually issuing assets or recording changes in their status, making info about them available for the holders but mostly just to view online.

What it does not do, as I understand it, is directly enable the shareholders to trade those shares or options with each other.  Nor does it handle securities involved with or created by more than one company at a time.  It is a management interface, not a market.

I envision a block chain – sigh, now I have to come up with a name again.  Phooey.  I never care about naming anything, and then someone wants me to talk about one of my ideas and I have to come up with a name for it on the spot.  Let’s go for the pun and call it the Stock Trading and Options CryptoAsset Keeper.  I could come up with something even dumber, but for the sake of exposition, call it STOCK.

The idea is that STOCK would act both as a Transfer Agent (which Carta does) AND a market (which AFAIK Carta does not).  A company could issue securities such as stocks and bonds directly on the STOCK block chain (“cryptoassets”) and the block chain could record trades in those issues against its native cryptocurrency.  The benefit here is the clear record and history to keep track of all trades and the current disposition of all the different cryptoassets – the stocks, the bonds, and the “cash” used to trade in them, would all be on the chain.

As long as no off-chain assets like bushels of wheat or truckloads of sneakers need to be delivered, and dividends/prices/etc accruing to these instruments are paid out (or in) in the cryptocurrency, the block chain could then function directly as market, transfer agent, means of delivery, and payment channel.  The task of converting the cryptocurrency to and from actual fiat, and the heavily regulated business of delivering the fiat currency, could be left to already-established cryptocurrency markets.

Trading in stocks/bonds/etc is highly regulated, and debts (NEGATIVE amounts) can crop up unexpectedly when companies go south or options traders go bust. Stuff gets into the RealWorld quickly when someone has to be found for debt payments, served process, and/or prosecuted for fraud, etc.  So STOCK couldn’t be an “anonymous/permissionless” chain, at least not for regulated trades.  Each person or entity authorized to actually make securities trades would have to have a vetted, verified ID as specified by KYC laws, and would have to sign each such transaction with a public/private key pair proving identity.

From the point of view of investors, STOCK would be a very sluggish market – submit your trade, have a completely random execution window averaging ten minutes (or whatever) during which the price might change, then a whole block of transactions all fly past at once and everybody’s waiting for the next completely randomly-timed block.  On the other hand, you don’t need an agent, or a broker, or a company transfer agent, or a registrar, or a clearance period, or ANY of those people who normally collect fees on every trade.  You could actually have a market where the buyer and seller get the exact same price with no ‘float’ whatsoever.  And you don’t have to worry about what time it is.  NASDAQ closes at 5PM New York time, and then a whole bunch of “off-market,” “private,” and “over the counter” trades that nobody but the insiders can participate in or see happen. But STOCK would go on making blocks twenty-four hours a day seven days a week.  Why should it ever stop?

The SEC would be all over it of course; they’d be sticking a microscope up the butts of everybody involved to make sure that there was absolutely no scamming the investors.  Which is, after all, their job. And they’d require KYC compliance, and a whole lot of other regulatory compliance.  But, y’know, that’s kind of how starting any _legitimate_ business in financial services works.  No need to feel special or particularly victimized about that.

And the regulators would need some privileged keys that could be used to “seize” assets when a court orders them to, as part of a settlement for fraud or theft or something.  And everything else.  There’s a great irony that they’re interested in nobody having the opportunity to scam the investors, but they structurally require, just to be able to do their fundamental mission, builtins to the protocol that if misused would allow somebody to scam the investors.

But once satisfied and functioning within the law, I think they’d welcome STOCK as something that puts down a visible, provable, inalterable, unfakeable history of all trades.

Q11: Is there any cryptocurrency you think could become widely used outside of geeks, cypherpunks, and ideologues?  If not, what would need to change and how?  Has any popular coin ossified to such an extent that it can’t meaningfully evolve?

A11: Homer Husband and Harriet Housewife want convenience and familiarity. Which is mostly about form factor and compatibility.  They do not want to deal with key management in any form.

To do that, you have to make a hardware wallet small enough to fit into a wallet or a purse.  It doesn’t have to be literally credit card sized, but couldn’t be much bigger.  It should be the size of a stack of five credit cards, at most.  Or maybe it gets stuck back-to-back onto their cell phone.  It has to have an end that acts like a chip card, or an edge that acts like a mag stripe, or both, so that it can interact with the grocery stores, auto shops, restaurants, etc that Homer and Harriet already do business with.

That’s very very important, because Homer and Harriet aren’t evangelists.  The mechanic they’ve been going to for fifteen years has never heard of cryptocurrency and is never going to deal with the inconvenience of getting set up to accept it.  He wants people to pay cash or pay with a card, and Homer and Harriet would NEVER consider arguing with him about it, don’t want to go to the effort of explaining it to him, and probably couldn’t explain it very well anyway.  If they have to do any of those things, that’s a deal-breaker.

After that you have to get your cryptocurrency onto the Plus or Cirrus network, using the same interface as a foreign fiat currency.  That would allow Homer and Harriet to automate the sale and exchange to whatever local people think is money, or the purchase and exchange to crypto, when they want to spend or accept stuff from that “card.”  This will mean that they get hit with some extra fees when they use it, but those fees are both unavoidable if you want to be on those networks, and relatively familiar to them.

Finally, there’s that key management thing.  You could handle most of it by making the wallet do it.  But sooner or later, that hardware wallet is going to fall and bounce off the curb, and go crunch under the tires of a bus.  Or, you know, get dropped into the ocean accidentally, or just get lost.

Homer and Harriet are NOT willing to accept that this is not something they can recover.  The only thing that they accept not being able to recover, when they lose their wallet, is familiar, folding fiat currency.  And that’s why they don’t keep very much of folding fiat actually in their regular wallets.

If you do convince them that losing the wallet makes the funds unrecoverable, they will never want to have more than fifteen dollars on it, which will mean it isn’t useful.  So, your hardware wallet has to interact with SOMETHING that keeps enough information about what’s on it, to enable a new wallet to recover everything that got lost.

Q12: Mining farms, mining pools, and ASICs. Many accounts are that Satoshi did not anticipate the full industrial scale these would reach.  Do you agree with this?  What are your views on mining pools and ASICs as we know them today (specifically as described by Eric Budish’s paper)?

A12: My first problem with ASICs is that they can be used for exactly two things:  Mining cryptocurrencies, and carrying out attacks on cryptocurrencies.

Every day of every year, people who own those enormous ASIC farms are deciding which is the most profitable use of them, on that day.

And the rewards for mining cryptocurrencies ratchet downward every couple of years.

That seems problematic.  I keep watching to see what emerges each time the reward ratchets down, but I haven’t seen evidence yet that any of the big ASIC farms have turned around on any large scale.

My second problem with ASICs is that they are sucking up ridiculous amounts of energy that can never be recovered or used for anything else. I don’t so much mind this when converting the energy into heat is actually useful – replacing electric heaters in the basement of a building with a bank of Antminers that use the same amount of power is energy-neutral and helps secure the chain.

But that’s not what happens in huge ASIC farms.  All that heat is just waste. Nobody’s home is made more comfortable, no furnace’s power bill is alleviated, no greenhouses are enabled to grow food in the winter, nobody’s oven gets to bake bread with that heat, and all that energy is just plain gone.

The Bitcoin chain issues the same number of coins per day regardless of how much energy is spent; I’d like to think that spending a whole lot less of it, at least in ways where the heat produced isn’t useful, would be better.

But then we get back to the first problem;  If honest miners start spending a whole lot less on the energy costs of hashing, then there’s a whole lot of ASICs not being used, and the owners of those are going to be looking around making their daily decision about what’s more profitable….

So the logic finally does work out the same. Security requires the vast majority of those ASIC boxes to be in use mining.  It just seems such a colossal expenditure of power, and it might be that a different design could have achieved chain security without that global cost.

My third problem with ASICs is that they have become a way for their owners to steal money from the taxpayers in many nations.  Countries that mean to do a good thing for everybody, create “development zones” with subsidized electricity, paid for by the taxpayers of that country. And then people move in with ASIC farms to suck up that electricity which the public paid for, and convert it into bitcoins in their private possession.  These are businesses that employ very few people, drive the development of no other resources, and otherwise do pretty much nothing for the development of the local economy.  IOW, the taxpayers who paid for that electricity are definitely not getting their money’s worth in economic development.

My fourth problem with ASICs is that there really is no way to monitor centralization of hashing power.  People keep pretending that they’re tracking whether a 51% attack is underway, but I think most of them probably suspect, as I do, that what they’re really tracking is probably nothing more than whether or not the cabal of ASIC farm owners remembered to configure that new warehouse full of machinery to use a different identifier.

In all fairness, this last thing results directly from anonymous, permissionless mining, which is something that was a very specific and very much desired part of Satoshi’s vision; he wanted anybody to be able to connect and participate, without any interference of a gatekeeper. But there can never be security from a Sybil attack when you don’t have any way of tracking RealWorld identities, and a “majority” can never be relied on to be more than the front for some cabal or business interest, as long as a Sybil attack is possible.

And that was what Proof-of-work was supposed to prevent.  In those early days everyone was thinking of hashing power as a side effect of computing infrastructure that was likely to be there, or be useful, for other purposes when it wasn’t hashing.  And EVERYBODY has a use for warehouses full of computers, so it was easy to think that hashing power would remain at least somewhat distributed.  The idea that someone would amass enormous numbers of special-purpose machines which made every other kind of computer in the world utterly useless for mining and which are themselves utterly useless for any other job (except attacking the network), was not, I think, really considered.

Satoshi definitely understood, and planned, that there would probably be server farms devoted to mining and that economies of scale and infrastructure would eventually drive individuals with ordinary desktop machines out of the mining business by being more efficient and making it unprofitable for the less efficient machines.

But I’m pretty sure he didn’t think of miners in places with artificially low subsidized rates for electricity outcompeting all other miners because of that advantage, driving the concentration of the vast majority of hashing power into just one country where it’s subject to the orders and whims of just one government and a few businessmen who pal around with each other.

So he probably figured, yes, there’d be a few dozen large-ish server farms and a couple hundred small-ish server farms, but I’m pretty sure he envisioned them being scattered around the planet, wherever people find it worthwhile to install server farms for other reasons.

I’m fairly sure Satoshi’s notion of the eventual centralization of hashing power didn’t really encompass today’s nearly-complete centralization in a single country, owned by a set of people who are subject to the whims and commands of a single government, who very clearly know each other and work together whenever it’s convenient.

And I find it worrisome.

Those enormous mining farms, and the way economics drove them together, are a structural problem with converting electricity into security.

I am not comfortable with the implication that, for any Proof-of-Work block chain including Bitcoin, economics will eventually devolve to the point where, when Beijing says ‘jump’ the mining and security of that block chain says ‘how high?’

And that is one of the greatest reasons why I look around for a different means of securing block chains.

El Fin


How much electricity is consumed by Bitcoin, Bitcoin Cash, Ethereum, Litecoin, and Monero?

I recently created a thread on Twitter regarding the lower-bound estimates for how much electricity the Bitcoin blockchain consumes, using publicly available numbers.

The first part of this post is a slightly modified version of that thread.

The second part of this post, below part 1, includes additional information on Bitcoin Cash, Ethereum, Litecoin, and Monero using the same type of methodology.

Background

The original nested thread started by explaining why a proof-of-work (PoW) maximalist view tries to have it both ways.

You cannot simultaneously say that Bitcoin is – as measured by hashrate – the “most secure public chain” and in the same breath say the miners do not consume enormous quantities of energy to achieve that.  The fundamental problem with PoW maximalism is that it wants to have a free energy lunch.

All proof-of-work chains rely on resource consumption to defend their network from malicious attackers.  Consequently, a less resource intensive network automatically becomes a less secure network.1  I discussed this in detail a few years ago.

Part 1: Bitcoin

Someone recently asked me to explain the math behind some of Bitcoin’s electricity consumption estimates; below is a simple model using publicly known numbers:

  • the current Bitcoin network hashrate is around 50 exahashes/sec
  • the most common mining hardware is still the S9 Antminer which churns out ~13 terahashes/sec

Thus the hashrate pointed at the Bitcoin network today is about 50,000,000 terahashes/sec.

Dividing one from the other, this is the equivalent of 3,846,000 S9s… yes over 3 million S9s.

While there is other hardware including some newer, slightly more energy efficient gear online, the S9 is a good approximate.

Because the vast majority of these machines are left on 24/7, the math to estimate how much energy consumption is as follows:

  • in practice, the S9 draws about 1,500 watts
  • so 1,500 x 24 = 36kWh per machine per day

Note: here’s a good thread explaining this by actual miners.

In a single month, one S9 will use ~1,080 kWh.

Thus if you multiply that by 3,846,000 machines, you reach a number that is the equivalent of an entire country.

  • for a single day the math is: ~138.4 million kWh / day
  • annually that is: ~50.5 billion kWh / year

For perspective, ~50.5 billion kWh / year would place the Bitcoin network at around the 47th largest on the list of countries by electricity consumption, right between Algeria and Greece.

But, this estimate is probably a lower-bound because it doesn’t include the electricity consumed within the data centers to cool the systems, nor does it include the relatively older ASIC equipment that is still turned on because of local subsidies a farm might receive.

So what?

According to a recent Wired article:

In Iceland, the finance minister has warned that cryptocurrency mining – which uses more power than the nation’s entire residential demand – could severely damage its economy.

Recent analysis from a researcher at PwC places the Bitcoin network electricity consumption higher, at more than the level of Austria, which is number 39 on that list above.  Similarly, a computer science professor from Princeton estimates that Bitcoin mining accounts for almost 1% of the world’s energy consumption.2

Or to look at it in a different perspective: the Bitcoin network is consuming the same level of electricity of a developed country – Austria – a country that generates ~$415 billion per year in economic activity.

Based on a recent analysis from Chainalysis, it found that Bitcoin – which is just one of many proof-of-work coins – handled about $70 million in payments processed for the month of June.  Yet its cost-per-transaction (~$50) is higher than at any point prior to November 2017.

You don’t have to be a hippy tree hugger (I’m not) to clearly see that proof-of-work blockchains (such as Bitcoin and its derivatives) are currently consuming significantly more resources than they create. However this math is hand-waved away on a regular basis by coin lobbyists.

The figure also didn’t include the e-waste generated from millions of single-use ASIC mining machines that are useful for about ~12 months; or the labor costs, or building rents, or transportation, etc.  These ASIC-based machines are typically discarded and not recycled.

In addition to e-waste, many mining farms also end up with piles of discarded cardboard boxes and styrofoam (source)

Part 2: Bitcoin Cash

With Bitcoin Cash the math and examples are almost identical to the Bitcoin example above.  Why?  Because they both use the same SHA256 proof-of-work hash function and as a result, right now the same exact hardware can be used to mine both (although not simultaneously).3

So what do the numbers look like?

The BCH network hashrate has been hovering around 4 – 4.5 exahashes the past month. So let’s use 4.25 exahashes.

Note: this is about one order of magnitude less hashrate than Bitcoin so you can already guesstimate its electricity usage.  But let’s do it by hand anyways.

An S9 generates ~13 TH/s and 4.25 exahashes is 4.25 million terahashes.

After dividing: the equivalent of about 327,000 S9s are used.

Again, these machines are also left on 24/7 and consume about 36 kWh per machine per day.  So a single S9 will use ~1,080 kWh per month.

  • 327,000 S9s churning for one day: ~11.77 million kWh / day
  • Annually this is: ~4.30 billion kWh / year

To reuse the comparison above, what country’s total electricity consumption is Bitcoin Cash most similar to?

Around 124th, between Moldova and Cambodia.

How much economic activity do Moldova and Cambodia generate with that electricity consumption?  According to several sources, Cambodia has an annual GDP of ~$22 billion and Moldova has an annual GDP of ~$8 billion.

For comparison, according to Chainalysis, this past May, Bitcoin Cash handled a mere $3.7 million in merchant payments, down from a high of $10.5 million in March a couple months before.

Also, the Bitcoin Cash energy consumption number is likely a lower-bound as well for the reasons discussed above; doesn’t account for the e-waste or the resources consumed to create the mining equipment in the first place.

This illustrates once again that despite the hype and interest in cryptocurrencies such as Bitcoin and Bitcoin Cash, there is still little real commercial “activity” beyond hoarding, speculation, and illicit darknet markets.  And in practice, hoarding is indistinguishable from losing a private key, so that could be removed too.  Will mainstream adoption actually take place as its vocal advocates claim it will?

Discarded power supplies from Bitcoin mining equipment (source)

Part 3: Ethereum

So what about Ethereum?

Its network hashrate has been hovering very closely to 300 TH/s the past month

At the time of this writing, the Ethereum network is still largely dominated by large GPU farms. It is likely that ASICs were privately being used by a handful of small teams with the necessary engineering and manufacturing talent (and capital), but direct-to-consumer ASIC hardware for Ethereum didn’t really show up until this summer.

There are an estimated 10 million GPUs churning up hashes for the Ethereum network, to replace those with ASICs will likely take more than a year… assuming price stability occurs (and coin prices are volatile and anything but stable).

For illustrative purposes, what if the entire network were to magically switch over to the most efficient hardware, the Innosilicon A10, which is due to be released next month?

Innosilicon currently advertises its top machine can generate 485 megahashes/sec and consumes ~ 850 W.

So what is that math?

The Ethereum network is ~300 TH/s which is around 300,000,000 megahashes /sec.

Quick division: that’s the equivalent of 618,557 A10 machines.

Again, each machine is advertised to consume ~850 W.

  • in a single day one A10 consumes: 20.4 kWh
  • in a month: ~612 kWh

So what would 618,557 A10 machines consume in a single day?
– about 12.6 million kWh / day

And annually:
– about 4.6 billion kWh / year

That works out to be between Afghanistan or Macau.  However…

Before you say “this is nearly identical to Bitcoin Cash” keep in mind that the Ethereum estimate above is the lowest of lower-bounds because it uses the most efficient mining gear that hasn’t even been released to the consumer.

In reality the total energy consumption for Ethereum is probably twice as high.

Why is Ethereum’s electricity usage likely twice as high as the example above?

Because each of the ~10 million GPUs on the Ethereum network is significantly less efficient per hash than the A10 is.4  Note: an example of a large Ethereum mine that uses GPUs is the Enigma facility.

For instance, an air-cooled Vega 64 can churn ~41 MH/s at around 135 W which as you see above, is much less efficient per hash than an A10.

If the Ethereum network were composed of some of the most efficient GPUs (the Vega 64) then the numbers are much different.

Starting with: 300,000,000 MH/s divided by 41 MH/s.  There is the equivalent to 7.32 million Vega GPUs generating hashes for the network which is more in line with the ~10 million GPU estimate.

  • one Vega 64 running a day consumes ~3.24 kWh
  • one Vega 64 running a month: ~97.2 kWh

If 7.32 million Vega equivalent GPUs were used:

  • in a day: ~ 23.71 million kWh
  • in a year: ~8.65 billion kWh

That would place the Ethereum network at around 100th on the electricity consumption list, between Guatemala and Estonia.

In terms of economic activity: Guatemala’s GDP is around $75 billion and Estonia’s GDP is around $26 billion.

What is Ethereum’s economic activity?

Unlike Bitcoin and Bitcoin Cash, the stated goal of Ethereum was basically to be a ‘censorship-resistant’ world computer.  Although it can transmit funds (ETH), its design goals were different than building an e-cash payments platform which is what Bitcoin was originally built for.

So while merchants can and do accept ETH (and its derivatives) for payment, perhaps a more accurate measure of its activity is how many Dapp users there are.

There are a couple sites that estimate Daily Active Users:

  • State of the Dapps currently estimates that there are 8.93k users and 8.25K ETH moving through Dapps
  • DappRadar estimates a similar number, around 8.37k users and 8.57K ETH moving through Dapps

Based on the fact that the most popular Dapps are decentralized exchanges (DEXs) and MLM schemes, it is unlikely that the Ethereum network is generating economic activity equivalent to either Guatemala or Estonia.5

For more on the revenue Ethereum miners have earned and an estimate for how much CO2 has been produced, Dominic Williams has crunched some numbers.  See also this footnote.6

According to Malachi Salacido (above), their mining systems (in the background) are at a 2 MW facility, they are building a 10 MW facility now and have broken ground on a 20 MW facility. Also have 8 MW of facilities in 2 separate locations and developing projects for another 80 MW. (source)

Part 4: Litecoin

If you have been reading my blog over the past few years, you’ll probably have seen some of my Litecoin mining guides from 2013 and 2014.

If you haven’t, the math to model Litecoin’s electricity usage is very similar to both Bitcoin and Bitcoin Cash.  From a mining perspective, the biggest difference between Litecoin and the other two is that Litecoin uses a hash function called scrypt, which was intended to make Litecoin more “ASIC-resistant”.

Spoiler alert: that “resistance” didn’t last long.

Rather than diving into the history of that philosophical battle, as of today, the Litecoin network is composed primarily of ASIC mining gear from several different vendors.

One of the most popular pieces of equipment is the L3+ from Bitmain.  It’s basically the same thing as the L3 but with twice the hashrate and twice the power consumption.

So let’s do some numbers.

Over the past month, the Litecoin network hashrate has hovered around 300 TH/s, or 300 million MH/s.

Based on reviews, the L3+ consumes ~800 W and generates ~500 MH/s.

So some quick division, there are about 600,000 L3+ machines generating hashes for the Litecoin network today.

As an aggregate:

  • A single L3+ will consume 19.2 kWh per day
  • So 600,000 will consume 11.5 million kWh per day
  • And annually: 4.2 billion kWh per year

Coincidentally, this is roughly the same amount as Bitcoin Cash uses.

So it would be placed around 124th, between Moldova and Cambodia.

Again, this is likely a lower-bound as well because it assumes the L3+ is the most widely used ASIC for Litecoin but we know there are other, less efficient ones being used as well.

What about activity?

While there are a few vocal merchants and a small army of “true believers” on social media, anecdotally I don’t think I’ve spoken to someone in the past year who has used Litecoin for any good or service (besides converting from one coin to another).

We can see that — apart from the bubble at the end of last year — the daily transaction volume has remained roughly constant each day for the past 18 months.  Before you flame me with a troll account, consider that LitePay collapsed before it could launch, partly because Litecoin still lacks a strong merchant-adopting ecosystem.

In other words, despite some support by merchant payment processors, its current usage is likely as marginal as Bitcoin and Bitcoin Cash.

Genesis Mining facility with Zeus scrypt mining equipment (source)

Part 5: Monero

The math around Monero is most similar to Ethereum in that it is largely dominated by GPUs.

In fact, earlier this year, a large number of Monero developers convinced its boisterous userbase to fork the network to prevent ASICs from being used.  This resulted in four Monero forks and basically all of them are dominated by high-end GPUs.

For the purposes of this article, we are looking at the fork that has the highest hashrate, XMR.  Over the past month its hashrate has hovered around 475 MH/s.

Only 475 MH/s?  That may sound like a tiny hashrate, but it is only meaningful relative to other Monero miners: CPU and GPU performance on Monero’s hash function is measured in hashes per second, so the number cannot be compared directly with the hashrates of the other coins above.

For example, MoneroBenchmarks lists hundreds of different system configurations with the corresponding hashrate.  Similarly there are other independent testing systems that provide public information on hashrates.

Let’s take that same Vega 64 used above from Ethereum.  For Monero, based on tweaking it generates around 2000 hashes/sec and consumes around 160 W.

So the math is as follows:

  • 475,000,000 hashes/sec is the current average hashrate
  • A single Vega 64 will generate about 2000 hashes/sec
  • The equivalent of 237,500 Vega 64s are being used
  • Each Vega 64 consumes about 3.84 kWh per day
  • So 237,500 Vega 64s consume 912,000 kWh per day
  • And in a year: 332 million kWh

The 332 million kWh / year figure is a lower-bound because like the Ethereum Vega 64 example above: it doesn’t include the whole mining system, all of these systems still need a CPU with its own RAM, hard drive, and so forth.

As a result, the real electricity consumption figure is much closer to Haiti than Seychelles, perhaps even higher.  Note: Haiti has a ~$8.4 billion economy and the GDP of Seychelles is ~$1.5 billion.

So what about Monero’s economic activity?  Many Monero advocates like to market it as a privacy-focused coin.  Some of its “core” developers publicly claimed it would be the best coin to use for interacting with darknet markets.  Whatever the case may be, compared to the four above, currently it is probably the least used for commercial activity as revealed by its relative flat transactional volume this past year.

A now-deleted image of a Monero mining farm in Toronto (source)

Conclusion

Above were examples of how much electricity is consumed by just five proof-of-work coins.  And there are hundreds of other PoW coins actively online using disproportionate amounts of electricity relative to what they process in payments or commerce.

This article did not dive into the additional resources (e.g., air conditioning) used to cool mining equipment.  Or the subsidies that are provided to various mining farms over the years.  It also doesn’t take into account the electricity used by thousands of validating nodes that each of the networks use to propagate blocks each day.

It also did not include the huge amount of semiconductors (e.g. DRAM, CPUs, GPUs, ASICs, network chips, motherboards, etc.) that millions of mining machines use and quickly depreciate within two years, almost all of which becomes e-waste.7 For ASIC-based systems, the only thing that is typically reused is the PSU, but these ultimately fail as well due to constant full-throttle usage.

In summation, as of this writing in late August 2018:

  • Bitcoin’s blockchain likely uses the same electricity footprint as Austria, but probably higher
  • Bitcoin Cash’s blockchain is at least somewhere between Moldova and Cambodia, but probably higher
  • Ethereum’s blockchain is at least somewhere between Guatemala and Estonia, but probably higher
  • Litecoin’s blockchain is at least somewhere between Moldova and Cambodia, but probably higher
  • One of Monero’s blockchains is at least somewhere between Haiti and Seychelles, but probably higher

Altogether, these five networks alone likely consume electricity and other resources at an equivalent scale as The Netherlands especially once you begin to account for the huge e-waste generated by the discarded single-use ASICs, the components of which each required electricity and other resources to manufacture.  Perhaps even higher when costs of land, labor, on-going maintenance, transportation and other inputs are accounted for.

The Netherlands has the 18th largest economy in the world, generating $825 billion per annum.

I know many coin supporters say that is not a fair comparison but it is.  The history of development and industrialization since the 18th century is a story about how humanity is increasingly more productive and efficient per unit of energy.

Proof-of-work coins are currently doing just the opposite.  Instead of being more productive (e.g., creating more outputs with the same level of inputs), as coin prices increase, this incentivizes miners to use more not less resources.  This is known as the Red Queen Effect.89

For years, proof-of-work advocates and lobbying organizations like Coin Center have been claiming that the energy consumption will go down and/or be replaced by renewable energy sources.

But this simply cannot happen by design: as the value of a PoW coin increases, miners will invest more capital in order to win those coins.  This continues to happen empirically and it is why over time, the aggregate electricity consumption for each PoW coin has increased over time, not decreased.  As a side-effect, cryptocurrency mining manufacturers are now doing IPOs.10

Reporters, if you plan to write future stories on this topic, always begin by looking at the network hashrate of the specific PoW coin you are looking at and dividing it by the most common piece of mining hardware.  These numbers are public and cannot be easily dismissed.  Also worth looking at the mining restrictions and bans in Quebec, Plattsburgh, Washington State, China, and elsewhere.
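To make that method reusable, here is an added Python model (written for this edit, not code from the original post) that turns the hashrate-over-hardware arithmetic used in Parts 1 through 5 into a single function, reproduces the post’s figures from the same inputs, and adds the electricity-versus-block-reward comparison from end note 6.  The machine specifications and network hashrates are the ones quoted in the post for late August 2018; the $0.07/kWh price and the ETH reward, block count and price come from end note 6; the `Miner`/`Estimate` types and function names are this example’s own.

```python
"""Lower-bound electricity model for proof-of-work coins (added example).

Method, as described in the post: divide the network hashrate by the
hashrate of the most common mining machine to get an equivalent machine
count, multiply by that machine's wall-power draw and by 24 hours a day
(the machines run 24/7), then scale to a year.  Cooling, less efficient
gear still online, and the rest of the rig (CPU, RAM, PSU losses) are
left out, so every figure is a lower bound.
"""
from dataclasses import dataclass

# SI prefixes for hashrate units, so inputs can be written the way
# block explorers report them (EH/s, TH/s, MH/s, H/s).
SI = {"H": 1.0, "kH": 1e3, "MH": 1e6, "GH": 1e9, "TH": 1e12, "PH": 1e15, "EH": 1e18}


def to_hps(value: float, unit: str) -> float:
    """Convert e.g. (50, 'EH') to plain hashes per second."""
    return value * SI[unit]


@dataclass(frozen=True)
class Miner:
    name: str
    hashrate_hps: float  # sustained hashes per second
    watts: float         # sustained wall draw in watts


@dataclass(frozen=True)
class Estimate:
    coin: str
    miner: str
    machines: float      # equivalent count of `miner` producing the network hashrate
    kwh_per_day: float
    kwh_per_year: float


def estimate(coin: str, network_hps: float, miner: Miner,
             hours_per_day: float = 24.0, days_per_year: int = 365) -> Estimate:
    """Lower-bound electricity use if the whole network ran on `miner`."""
    machines = network_hps / miner.hashrate_hps
    kwh_day = machines * miner.watts * hours_per_day / 1000.0
    return Estimate(coin, miner.name, machines, kwh_day, kwh_day * days_per_year)


def mining_margin(kwh_per_year: float, usd_per_kwh: float, reward_per_block: float,
                  blocks_per_day: float, usd_per_coin: float, days_per_year: int = 365) -> dict:
    """Yearly electricity spend versus yearly block-reward revenue (end note 6).
    Transaction fees and hardware cost are excluded on both sides."""
    electricity_usd = kwh_per_year * usd_per_kwh
    reward_usd = reward_per_block * blocks_per_day * usd_per_coin * days_per_year
    return {"electricity_usd": electricity_usd,
            "reward_usd": reward_usd,
            "electricity_share": electricity_usd / reward_usd}


# Hardware the post uses as the "most common" or "most efficient" machine
# for each network (figures as quoted in the post).
S9 = Miner("Antminer S9", to_hps(13, "TH"), 1500)
A10 = Miner("Innosilicon A10", to_hps(485, "MH"), 850)
VEGA_ETH = Miner("Vega 64 (Ethash)", to_hps(41, "MH"), 135)
L3P = Miner("Antminer L3+", to_hps(500, "MH"), 800)
VEGA_XMR = Miner("Vega 64 (Monero)", to_hps(2000, "H"), 160)

# Network hashrates as quoted in the post for late August 2018.
NETWORKS = [
    ("Bitcoin", to_hps(50, "EH"), S9),
    ("Bitcoin Cash", to_hps(4.25, "EH"), S9),
    ("Ethereum (all A10)", to_hps(300, "TH"), A10),
    ("Ethereum (all Vega 64)", to_hps(300, "TH"), VEGA_ETH),
    ("Litecoin", to_hps(300, "TH"), L3P),
    ("Monero", to_hps(475, "MH"), VEGA_XMR),
]


def run_all() -> dict:
    """Estimate every network in NETWORKS, keyed by coin label."""
    return {coin: estimate(coin, hps, miner) for coin, hps, miner in NETWORKS}


if __name__ == "__main__":
    for est in run_all().values():
        print(f"{est.coin:24s} {est.machines:>12,.0f} x {est.miner:18s} "
              f"{est.kwh_per_day / 1e6:8.2f} GWh/day  {est.kwh_per_year / 1e9:6.2f} TWh/year")
    # End note 6: Ethereum at the Vega 64 lower bound, $0.07/kWh,
    # 3 ETH per block, ~6000 blocks/day, $267 per ETH.
    m = mining_margin(run_all()["Ethereum (all Vega 64)"].kwh_per_year, 0.07, 3, 6000, 267)
    print(f"ETH electricity ${m['electricity_usd'] / 1e6:,.0f}M/yr vs rewards "
          f"${m['reward_usd'] / 1e9:,.2f}B/yr ({m['electricity_share']:.0%} of rewards)")
```

To model a different coin, add a `Miner` with the hashrate and wall draw from a reputable review and a line in `NETWORKS` with the current network hashrate; swapping in a less efficient machine (as Part 3 does with the Vega 64 instead of the A10) immediately shows why the figures are lower bounds.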

To front-run an example that coin promoters frequently use as a whataboutism: there are enormous wastes in the current traditional financial industry, and removing those inefficiencies is a decades-long ordeal.  However, as of this writing, no major bank is building dozens of data centers and filling them with single-use ASIC machines which continuously generate random numbers like proof-of-work coins do.  That would be rightly labeled as a waste.

In point of fact, according to the Federal Reserve:

In the aggregate, U.S. PCS systems process approximately 600 million transactions per day, valued at over $12.6 trillion.

It shouldn’t take the energy footprint of a country, big or small, to confirm and settle the electronic payments of that same country.  For all of the headline inefficiencies (and injustices) of the US financial system, its service providers in aggregate still process more than three orders of magnitude more transactional volume per day than all of the major PoW coins currently do.11 And that is just one country.

Frequent rejoinders will be something like “but Lightning!” however at the time of this writing, no Lightning implementation has seen any measurable traction besides spraying virtual graffiti on partisan-run websites.

Can the gap between the dearth of transactional volume and the exorbitantly high cost-per-transaction ratio be narrowed?  Does it all come down to uses?  Right now, the world is collectively subsidizing dozens of minuscule speculation-driven economies that in aggregate consume electricity on par with the 18th largest real economy, but produce almost nothing tangible in exchange for it.

What if all mining magically, immediately shifted over to renewable energy?

Izabella Kaminska succinctly described how this still doesn’t solve the environmental impact issues:

Renewable is displacement. Renewable used by bitcoin network is still renewable not used by more necessary everyday infrastructure. Since traditional global energy consumption is still going up, that ensures demand for fossil continues to increase.

To Kaminska’s point, in April a once-shuttered coal power plant in Australia was announced to be reopened to provide electricity to a cryptocurrency miner.  And just today, a senator from Montana warned that the closure of a coal power plant “could harm the booming bitcoin mining business in the state.”

It is still possible to be interested in cryptocurrencies and simultaneously acknowledge the opportunity costs, and that a large subset of them, proof-of-work coins, are environmental black holes.12

If you’re interested in discussing this topic more, feel free to reach out.  If you’re looking to read detailed papers on the topic, also highly recommend the first two links listed below.

Recommended reading:

End notes

  1. If the market value of a coin decreases, then because hashrate follows price, in practice hashrate also declines.  See also a ‘Maginot Line’ attack.
  2. Another estimate is that Bitcoin’s energy usage creates as much CO2 as 1 million transatlantic flights.
  3. There have been proposals from various developers over the years to change this hash function but at the time of this writing, both Bitcoin and Bitcoin Cash use the same one.
  4. And because many of these mining systems likely use more-powerful-than-needed CPUs.
  5. Note: Vitalik Buterin highlighted this discrepancy earlier this year with the NYT: The creator of Ethereum, Vitalik Buterin, is leading an experiment with a more energy-efficient way to create tokens, in part because of his concern about the impact that the network’s electricity use could have on global warming. “I would personally feel very unhappy if my main contribution to the world was adding Cyprus’s worth of electricity consumption to global warming,” Mr. Buterin said in an interview.
  6. At 8.65 billion kWh * $0.07 / kWh this comes to around $600 million spent on electricity per year.  Mining rewards as of this writing: 3 ETH * $267 / ETH * 6000 blocks / day equals $4.8 million USD / day, or ~$1.7 billion per year.  This has to cover both electricity and hardware.  Thanks to Vitalik for double-checking this for me.
  7. Just looking at the hash-generating machines, according to Chen Min (a chip designer at Avalon Mining), as of early November 2017, 5% of all transistors in the entire semiconductor industry are now used for cryptocurrency mining, and Ethereum mining alone is driving up DRAM prices.
  8. See Chapter 3.
  9. As described in a Politico article this past spring: “To maintain their output, miners had to buy more servers, or upgrade to the more powerful servers, but the new calculating power simply boosted the solution difficulty even more quickly. In effect, your mine was becoming outdated as soon as you launched it, and the only hope of moving forward profitably was to adopt a kind of perpetual scale-up: Your existing mine had to be large enough to pay for your next, larger mine.”
  10. Following the dramatic drop in coin prices since January, Nvidia missed its revenue forecast from cryptocurrency-related mining: Revenues from miners were $289 million in Q1, which was about 10% of Nvidia’s revenue. The forecast for Q2 was $100 million and the actual revenues ended up being $18 million.
  11. On average, the Bitcoin network confirms about 300,000 transactions per day.  A lot of that is not commercial activity.  Let’s take the highest numbers from Chainalysis and assume that each major cryptocurrency is processing at least $10 million in merchant transactions a day.  They aren’t, but let’s assume that they are.  That is still several orders of magnitude less than what US PCS systems do each day.
  12. The ideological wing within the cryptocurrency world has thus far managed to convince society that negative externalities are ‘worth the cost.’  This narrative should be challenged by both policy makers and citizens alike as everyone must unnecessarily bear the environmental and economic costs of proof-of-work blockchains.  See also the Bitcoin Energy Consumption Index from Digiconomist and also Bitcoin is not a good fit for renewable energy. Here’s why.

How cryptocurrencies enable ransomware and how regtech can help counter it

Imagine for a moment that Alice, a hacker, is looking at various means of receiving payment for an illicit activity she just undertook.  She has two options; which would she choose?

(1) Bob built a payment network which is identity-free: it uses pseudonyms, so no legal identities are required to send transactions between its participants.  Trying to stop or prevent payments is difficult because the computers running the payment network are widely distributed and run by multiple known and unknown participants across dozens of jurisdictions that are sometimes hard to track down.  Recourse is difficult and sometimes impossible.  Cryptocurrencies such as Bitcoin, Litecoin, and Ethereum are examples of such a network.

(2) Carol built a payment network which requires all users to provide proof of identity, usually by scanning and storing government-issued IDs or utility bills.  Stopping, preventing, or even rolling back payments is possible because the computers running the payment network are run by legally identifiable participants who are often located in easy-to-find offices.  Recourse can be cumbersome, but is almost always possible.  Bank transfer rails such as ACH and wire transfers are examples of such a network.

Alice would probably choose number one and later try to use some conversion tool or exchange to move her payment into number two.  How is this done?  See the (dated) flow-of-funds chart below.

While some cryptocurrencies, like Bitcoin, were probably not designed to serve as get-away vehicles, key design choices that make legal recourse difficult mean they are increasingly used to shuffle ill-gotten gains around.1

For example, data kidnapping, commonly referred to as ransomware, has existed in some form for more than two decades.  But the current plight surrounding ransomware, and the whitewashing of the role cryptocurrencies play in it, have gone hand in hand over the past several years.

Why?

The core characteristics of cryptocurrencies – censorship resistance and pseudonymity – are some of the main reasons why ransomware has become increasingly commonplace.  And these cryptocurrencies need liquidity.

Liquidity into and out of fiat has fluctuated over time, with some exchanges being debanked and sometimes rebanked, but in aggregate it has increased overall.  Liquidity is often provided through venture-backed gateways and exchanges.

As explored in my previous post, as well as others, many of these gateways and platforms have inadequate, and sometimes non-existent, KYC and AML processes.  This post won’t go into the details surrounding some of the investors and promoters of these platforms, but further research could dive deeper into that industry as well as the whitewashing that goes on to distract investigations.

We see this empirically: attackers do not ask for fiat or credit cards because those would be easily tracked and/or the transactions would be halted.  Instead, they ask to be paid in some kind of cryptocurrency because they know the likelihood of getting caught and punished is significantly lower.

This past Friday, WannaCry, a ransomware package, wreaked havoc on more than 200,000 victims across all types of organizations located in over 150 countries.  This included government services such as the NHS in the UK and the Interior Ministry in Russia.


The first-order of victims ranged from small startups that could quickly patch and restart their computers all the way to large hospital systems that were unable to access patient records and had to turn away patients.

This then leads to the second-order of victims: patients and customers of these institutions.  According to the Associated Press, the “cyberattack hit almost 20 percent of UK’s 248 public health trusts.”

While all of the impacted organizations should already have had a formal plan to patch these types of vulnerabilities and to recover from an outbreak (e.g., regular off-site backups), based on several news stories, many of them did not.

Will they all learn from this lesson?  Probably not.

Either way: none of the victims has a formal means of recourse against the hacker(s) involved in WannaCry because we do not know their identities.  Some victims have even paid the ransom of ~$300, denominated in bitcoin, to have their files unlocked.  The hacker is using multiple (4+) bitcoin addresses to receive the ransom and, as of this writing, has received more than $50,000.2

Last year the FBI estimated that around $1 billion was paid to unlock ransomware and cyber extortion.  Cryptocurrencies, such as Bitcoin, were usually the preferred method of payment.

Two weeks ago, James Comey, former Director of FBI spoke before the Senate Judiciary Committee and noted that:

Some of our criminal investigators face the challenge of identifying online pedophiles who hide their crimes and identities behind layers of anonymizing technologies, or drug traffickers who use virtual currencies to obscure their transactions.

For Bitcoin, there are ways to remain fairly anonymous, like using mixers, but they require a lot more work.  And relatively few people are investigating, so the chance of getting caught is likely low.  Newer cryptocurrencies such as Monero and Zcash are designed to be anonymous, which makes them harder to track.  Monero has been spotted in the wild alongside the Kirk ransomware, as documented in research from Sophos (pdf).3  And a botnet has been observed mining Zcash on devices such as your phone.

And then there is Tor, a software program that enables anonymous communication by passing network traffic through a series of relay nodes that conceal the location of the user.  WannaCry used Tor to preserve its “anonymity by proxying their traffic through the Tor network.”

How to bring some light into the darkness?

Solutions

I reached out to Adam Young who co-created “cryptoviral extortion” (what we call ransomware today).  In his view:4

In terms of the ransomware attack, people/organizations need to do a better job at patching and removing end-of-life systems, clearly. My larger concern is that cryptoviral extortion is the only cryptovirology attack that anyone seems to be paying attention to and there are many, many others.

I also spoke to Danny Yang, CEO of Blockseer who advised everyone to, “update your software, make sure you have latest security patches – that ransomware worked because  people didn’t update their Windows since March when that particular security vulnerability was patched.”5

My recent post looking at Bitfinex and regtech was quite popular.  It was viewed several thousand times and I received a number of calls from reporters looking to investigate some of the points raised.

Some people pointed out that the behavior by Bitfinex and other cryptocurrency exchanges is one of the reasons why a few banks in emerging markets have lost correspondent banking access: that they were de-risked because of what others perceive is a high-risk customer base.

According to research by Accuity, a global financial crime compliance, payments and KYC solutions provider:

Between 2009 and 2016, correspondent banking relationships, where one financial institution provides services on behalf of another in a different location to facilitate cross-border payments, have reduced globally by 25%.

Earlier this year, the People’s Bank of China, SAFE and other government bodies in China investigated and froze cryptocurrency withdrawals at many, if not all, of the cryptocurrency exchanges operating on the mainland.

Why?  Among other reasons: inadequate KYC and AML gathering and sharing processes.

According to Caixin, a notice of administrative punishment may be released in June that details the punishment and fines of these China-based exchange operators.

In addition to freezing and de-banking, what other solutions are there?

Companies such as Blockseer and Chainalysis provide tools for law enforcement, regulators, entrepreneurs and compliance teams to trace and track the flow-of-funds on cryptocurrency networks. I have written about them numerous times.
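To make concrete what “trace and track the flow-of-funds” means in practice, here is an added example in Python (not code from Blockseer, Chainalysis or this post).  It applies the two techniques such tools build on: the common-input-ownership heuristic, which merges addresses that are spent together in one transaction into a single owner cluster, and a forward walk along spends from seed (ransom) addresses until the funds reach an address somebody can attribute, such as an exchange deposit address.  The ledger, the transaction ids, the addresses, the amounts and the exchange label are all constructed for the example; a real tracer would read the blockchain and an attribution database instead.

```python
"""Flow-of-funds tracing over a constructed Bitcoin-style transaction graph.

Added example, not code from Blockseer, Chainalysis or the original post.
Every txid, address, amount and label below is constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed ledger: txid -> (input addresses, [(output address, amount in BTC)]).
# Funding rows (victims' payments) carry no inputs we care about.
LEDGER = {
    "t1": ([], [("ransom_A", 0.17), ("ransom_B", 0.17)]),     # two victims pay two ransom addresses
    "t2": (["ransom_A", "ransom_B"], [("sweep_1", 0.33)]),    # attacker sweeps both in one tx
    "t3": (["sweep_1"], [("hop_1", 0.20), ("hop_2", 0.12)]),  # split across two fresh addresses
    "t4": (["hop_1", "hop_2"], [("mixer_in", 0.31)]),         # recombined before a mixer/exchange
    "t5": (["mixer_in"], [("exch_dep_9f", 0.30)]),            # lands on an exchange deposit address
    "t6": ([], [("unrelated", 1.00)]),                        # noise: never touches the ransom funds
}

# Constructed attribution data of the kind an exchange or analyst would supply.
KNOWN_LABELS = {"exch_dep_9f": "exchange deposit address (KYC'd account)"}


def cluster_addresses(ledger):
    """Common-input-ownership heuristic: all inputs of one transaction are assumed
    to be controlled by one entity, so co-spent inputs are merged (union-find).
    Returns a list of address clusters."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for inputs, outputs in ledger.values():
        for addr, _ in outputs:
            find(addr)                       # register every address seen
        for a in inputs:
            find(a)
        for a, b in zip(inputs, inputs[1:]):
            parent[find(a)] = find(b)        # union co-spent inputs
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def trace_funds(ledger, seeds, labels):
    """Breadth-first walk forward from seed (ransom) addresses along spends.
    Every output of a transaction that spends a reached address is treated as
    tainted.  The walk stops at labelled (attributable) addresses and returns
    {labelled_address: (label, path of addresses and txids from a seed)}."""
    spends = defaultdict(list)               # address -> txids that spend from it
    for txid, (inputs, _) in ledger.items():
        for a in inputs:
            spends[a].append(txid)
    visited = set(seeds)
    queue = deque((s, [s]) for s in seeds)
    hits = {}
    while queue:
        addr, path = queue.popleft()
        if addr in labels:
            hits[addr] = (labels[addr], path)
            continue                         # an identifiable endpoint: stop here
        for txid in spends[addr]:
            for out_addr, _ in ledger[txid][1]:
                if out_addr not in visited:
                    visited.add(out_addr)
                    queue.append((out_addr, path + [txid, out_addr]))
    return hits


def same_owner(clusters, a, b):
    """True if the heuristic places addresses a and b in one cluster."""
    return any(a in c and b in c for c in clusters)


if __name__ == "__main__":
    clusters = cluster_addresses(LEDGER)
    print("ransom addresses share an owner:", same_owner(clusters, "ransom_A", "ransom_B"))
    for addr, (label, path) in trace_funds(LEDGER, ["ransom_A", "ransom_B"], KNOWN_LABELS).items():
        print(f"{addr}: {label}\n  " + " -> ".join(path))
```

The walk reaches the labelled deposit address in four transactions, and the clustering step shows the two ransom addresses and the two intermediate hops were each controlled by one party.  The same heuristics are what a mixer is designed to defeat, which is why the post treats mixers and privacy coins as the harder case.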

AngelList is tracking 96 startups involved in providing compliance-related software for SMBs, hospitals, cloud providers, social media platforms and a handful of other verticals.  It also has job listings for 11 regulatory compliance startups.  There are an additional 2,878 startups listed under the broader category of big data analytics, some of which are also working in the regtech space.

While technology can help play a role in identifying participants on these types of networks (blockchains and distributed ledgers), it is also worth exploring the proposed strawman for setting up a Kimberley Process for cryptocurrencies.  Identity systems are critical to all property rights and financial networks.  Creating applications around data lineage, data provenance, KYC management, and standardized digital identities will help provide transparency into all markets.

If you’re interested in learning more about these tools and mechanisms, feel free to reach out or leave a comment below.

Endnotes

  1. In the original white paper, Nakamoto explained ways to route around trusted third parties, such as governments.
  2. If you’re interested in learning more about how malware researchers identified and stopped it, Malware Tech has a detailed story as well as one from Brian Krebs.
  3. AlphaBay, the largest darknet market by volume, announced that it was accepting Monero as a form of payment in August 2016.
  4. Private correspondence, May 14, 2017.  Published with his permission.
  5. Private conversation reused with permission.  May 13, 2017.

Intranets and the Internet

It is early 2017 and at fintech events we can still hear a variety of analogies used to describe what blockchains and distributed ledger technology (DLT) are and are not.

One of the more helpful ones is from Peter Shiau (formerly of Blockstack.io) who used an automobile analogy involving the Model T to describe magic internet chains:1

The Ford Motor Company is well known for its production engineering innovation that gave us the Model T. To this day, the Ford Model T is one of the best selling automobiles of all-time thanks to the sheer number produced and affordability for American middle class families.  And while it was remarkable that Ford was able to sell so many cars, it is well understood Ford’s true innovation was not the Model T but in fact the modern assembly line.

It was this breakthrough that enabled Ford to build a new car every 93 minutes, far more quickly than any of its competitors. Not unlike the Model T, cryptocurrencies like Bitcoin are every bit the product of a similar innovative process breakthrough that today we call a “blockchain.”

Carrying the analogy a little further, what is even more powerful about this modern equivalent of the assembly line is that it is not just useful for building cars but also vans and trucks and boats and planes. In just the same way, a blockchain is not just useful for creating a cryptocurrency, but can be applied to many different processes that multiple parties might rely on to reach agreement on the truth about something.

Less helpful, but all the same plentiful, are the many red herrings and false equivalences that conference attendees are subjected to.

Arguably, the least accurate analogy is that public blockchains can be understood as being “like the internet” while private blockchains “are like intranets”.

Why is this one so wrong and worthy of comment?

Because it is exactly backwards.

For example, if you want to use a cryptocurrency like Bitcoin, you have to use bitcoin; and if you want to use Ethereum, you have to use ether.  They are not interoperable.  You have to use their proprietary token in order to play in their walled garden.

As described in detail below, the internet is actually a bunch of private networks run by internet service providers (ISPs) that have legal agreements with their end users, cooperate through “peering” agreements with other ISPs, and exchange routes via a common, standardized routing protocol, BGP, in which each network is identified by an autonomous system number (ASN).

In this respect, what is commonly called “the Internet” is closer to interoperable private, distributed ledger networks sharing a common or interoperable communication technology than anarchic, public cryptocurrency blockchain networks, which behave more like independent isolated networks.

Or in short: by design, cryptocurrencies are intranet islands whereas permissioned distributed ledgers — with interoperability hooks (“peering” agreements) — are more like the internet.2

Sidebar

Let’s do a short hands-on activity to see why the original analogy used at fintech conferences is a false equivalence with implications for how we need to frame the conversation and manage expectations in order to integrate DLT in to our reference and business architecture.

If you are using a Windows-based PC, open up a Command window.  If you’re using a Mac or Android device, go to a store and buy a Windows-based PC (or, less expensively, open a terminal on macOS or Linux and use traceroute, which does the same job).

Once you have your Command window open, type in a very simple command:

tracert www.google.com

Wait a few seconds and count the hops as your packets are routed through various routers and servers until they finally land on your destination.  From my abode in the SF area, it took 10 hops to land at Google and 7 hops to land at Microsoft.

If you did this exercise in most developed countries, then the switches and servers your signal zigged and zagged through were largely comprised of privately owned and operated networks called ISPs.  That is to say, what is generally described as “the internet” is just a bunch of privately run networks connected to one another via several types of agreements such as: transit agreements, peering agreements, and interconnect agreements.
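Here is an added example (not from the original post) that makes the exercise above mechanical: it parses a constructed Windows tracert transcript and maps each hop to the network that owns it, so the boundaries between privately run networks are visible in the output.  The hop addresses use the RFC 5737 documentation ranges and the AS numbers come from the documentation range (64496 to 64511); the prefix-to-owner table stands in for the routing-registry or whois lookup you would run against real hops, so none of it corresponds to an actual provider.

```python
"""Parse a Windows tracert transcript and group hops by the network that owns them.

Added example, not code from the original post.  The transcript, prefixes and
AS numbers below are constructed (RFC 5737 documentation addresses and
documentation-range ASNs), so nothing here maps to a real provider.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed tracert output in the format Windows prints (three RTT columns, then host).
SAMPLE_TRACERT = """\
Tracing route to www.example.com [203.0.113.77]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  192.0.2.1
  3    13 ms    14 ms    13 ms  192.0.2.254
  4     *        *        *     Request timed out.
  5    18 ms    17 ms    18 ms  198.51.100.9
  6    19 ms    19 ms    20 ms  203.0.113.2
  7    21 ms    20 ms    21 ms  edge.example.com [203.0.113.77]

Trace complete.
"""

# Constructed prefix -> owner table standing in for a routing-registry/whois lookup.
PREFIX_OWNERS = {
    "192.168.0.0/16": "private (home LAN)",
    "192.0.2.0/24": "AS64496 (access ISP)",
    "198.51.100.0/24": "AS64497 (transit carrier)",
    "203.0.113.0/24": "AS64498 (destination network)",
}

HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
RTT_RE = re.compile(r"<?\d+ ms|\*")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?$")


@dataclass
class Hop:
    number: int
    rtts_ms: List[Optional[int]]   # a '*' column is recorded as None
    ip: Optional[str]              # None when the hop did not answer


def parse_tracert(text):
    """Return one Hop per numbered line of a tracert transcript."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                                   # banner, blank and trailer lines
        rtts = [None if tok == "*" else int(tok.split()[0].lstrip("<"))
                for tok in RTT_RE.findall(m.group(2))]
        ip_match = IP_RE.search(m.group(3))            # bare IP or 'name [ip]'; absent on timeout
        hops.append(Hop(int(m.group(1)), rtts, ip_match.group(1) if ip_match else None))
    return hops


def owner_of(ip, table=PREFIX_OWNERS):
    """Longest-prefix match of an address against the owner table."""
    if ip is None:
        return "unknown (no response)"
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, owner in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else "unknown (unmapped prefix)"


def network_segments(hops, table=PREFIX_OWNERS):
    """Collapse consecutive hops with the same owner into (owner, first_hop, last_hop)."""
    segments = []
    for hop in hops:
        owner = owner_of(hop.ip, table)
        if segments and segments[-1][0] == owner:
            segments[-1] = (owner, segments[-1][1], hop.number)
        else:
            segments.append((owner, hop.number, hop.number))
    return segments


def autonomous_systems_crossed(segments):
    """Distinct AS-labelled owners on the path (private LAN and silent hops excluded)."""
    return sorted({owner for owner, _, _ in segments if owner.startswith("AS")})


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    segments = network_segments(hops)
    for owner, first, last in segments:
        span = f"hop {first}" if first == last else f"hops {first}-{last}"
        print(f"{span:10} {owner}")
    print("networks crossed:", autonomous_systems_crossed(segments))
```

Run against real output, the only change is replacing the table with lookups against a routing registry; the structure of the result is the same: a handful of separately owned networks, each of which has its own customer and peering contracts, stitched into one path.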

By far the most widely used agreement is still done via the proverbial “handshake.”  In fact, according to a 2012 OECD report, 99.5% of internet traffic agreements are done via handshakes.  There is also depeering, but more on that later.

What do all these agreements look like in practice?

According to the 2016 Survey of Internet Carrier Interconnection Agreements (pdf):

The Internet, or network of networks, consists of 7,557 Internet Service Provider (ISP) or carrier networks, which are interconnected in a sparse mesh. Each of the interconnecting links takes one of two forms: transit or peering. Transit agreements are commercial contracts in which, typically, a customer pays a service provider for access to the Internet; these agreements are most prevalent at the edges of the Internet, where the topology consists primarily of singly connected “leaf” networks that are principally concerned with the delivery of their own traffic. Transit agreements have been widely studied and are not the subject of this report. Peering agreements – the value-creation engine of the Internet – are the carrier interconnection agreements that allow carriers to exchange traffic bound for one another’s customers; they are most common in the core of the Internet, where the topology consists of densely interconnected networks that are principally concerned with the carriage of traffic on behalf of the networks which are their customers.

Colloquially it is a lot easier to say “I want to use the Internet” instead of saying “I want to connect with 7,557 ISPs interconnected in a sparse mesh.”

Back to topology: each ISP is able to pass along traffic that originated from other networks, even when those networks and their traffic are in foreign countries, because the physical systems speak standardized protocols (IP, with TCP and UDP on top of it) and exchange routes via BGP.3 4

Thus there is no such thing as a physical “internet rail,” only an amalgam of privately and publicly owned networks stitched together.

And each year there is inevitably tension between ISPs, and depeering takes place as a result.  A research paper published in 2014 identified 26 such depeering examples and noted that while depeering exists:

Agreements are a very quiet affair and are not documented; they are mostly handshake agreements where parties mutually agree without any on-record documentation. This argument is supported by the fact that 141,512 Internet Interconnection Agreements out of 142,210 Internet Agreements examined till March 2011 were Handshake Agreements.

This is the main reason you do not hear of disputes and disagreements between ISPs; it also dovetails into the “net neutrality” topic, which is beyond the scope of this post.

Intranets

Just as the internet is an imperfect analogy for blockchains and DLT in general, its offspring the “intranet” is a poor analogy for permissioned blockchains.  As noted above, the internet is a cluster of several thousand ISPs that typically build business models off of a variety of service plans in both the consumer and corporate environments.

Some of these service plans target corporate environments and also include building and maintaining “private” intranets.

What is an intranet?

An intranet is a private network accessible only to an organization’s staff. Generally a wide range of information and services from the organization’s internal IT systems are available that would not be available to the public from the Internet. (Source)

And while more and more companies migrate some portion of their operations and workflows onto public and private “clouds,” intranets are expected to be maintained given their continued utility.  From an infrastructure standpoint, notwithstanding that an intranet could be maintained on one or more servers through software-defined networking (SDN), it is still a subset of a mash-up of ISPs and mesh networks.

What does this have to do with magic internet chains?

A private blockchain or private distributed ledger, is a nebulous term which typically means that the validation process for transactions is maintained by known, identified participants, not pseudonymous participants.  Depending on the architecture, it can also achieve the level of privacy that is associated with an intranet while staying clear of the hazards associated with preserving true pseudonymity.

Why is the “intranet” analogy so misleading and harmful?

For multiple reasons.

For starters, it is not really valid to make a sweeping generalization of all identity-based blockchains and distributed ledgers, as each is architected around specific use-cases and requirements.  For instance, some vendors insist on installing on-premise nodes behind the firewall of an enterprise.  Some vendors setup and run a centralized blockchain, from one or two nodes, for an enterprise. Some others tap into existing operational practices such as utilizing VPN connections.  And others spin up nodes on public clouds in data centers which are then operated by the enterprise.

There are likely more configurations, but as noted above: from a topological perspective in some cases these private blockchains and distributed ledgers operate within an intranet, or on an ISP, or even as an extranet.

Fundamentally the biggest difference between using an ISP (“the internet”) and using an intranet is about accessibility, who has access rights.  And this is where identity comes into play: most ISPs require the account holder to provide identification materials for what is effectively KYC compliance.

Thus while you may visit a coffee shop like Starbucks which provides “free” access, Starbucks itself is an identified account holder with an ISP, and the ISP could remove Starbucks’ access for violating its terms of service.  Similarly, most coffee shops, airports, schools, etc. require users to accept terms of service acknowledging that their access can be revoked for violating them.


In short, both the internet and intranets are in effect identity- and permission-based networks.  There is no such thing as an identity-less internet, only tools to mask the user’s identity (e.g., Tor, Peerblock, Whisper).  In the same way, identity-less “private” intranets are a fallacy.

Anarchic chains, which were designed to operate cryptocurrencies like Bitcoin, attempt to create an identity-less network on top of an identifiable network, hence the reason people involved in illicit activities can sometimes be caught.

Identity

Interestingly, where the internet analogy does hold up is in how public, anarchic blockchains are no less challenged by the effort and complexity of truly masking identity. I mentioned this in a footnote in the previous post, but it deserves being highlighted once more. Anarchic blockchains inspired by cryptocurrencies such as Bitcoin used blocks because Satoshi wanted identity-free consensus (i.e., pseudonymity).  That implies miners can come and go at will, without any kind of registration, which eliminated the choice of using any existing consensus algorithm.

As a result, Satoshi’s solution was proof-of-work (PoW).  However, PoW is susceptible to collisions (i.e., stale or orphan blocks).  When a collision occurs you have to wait longer to obtain the same level of work done on a transaction. Thus you want to minimize them, which resulted in targeting a PoW solution on average every ten minutes.  This means that in a network with one-minute propagation delays, not unlikely in a very large network (BGP sees such propagation times), you waste ~10% of total work done, which was considered an acceptable loss rate in 2008 when Satoshi was designing and tweaking the parameters of the system.
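The ~10% figure follows from a simple model, shown here as an added example (not from the original post).  Assume blocks are found as a Poisson process with mean interval T, and that a block’s work is wasted whenever the next block is found within the propagation delay d of it, because a second miner was still building on the old tip.  Then the stale fraction is 1 - exp(-d/T), which for T = 600 s and d = 60 s is about 9.5%.  The model is this example’s assumption, not Satoshi’s derivation, and it ignores partial propagation and the fact that different miners hear about a block at different times.  The code gives the closed form, a seeded Monte Carlo check of it, and the inverse (what interval a target stale rate requires).

```python
"""Stale-block ("collision") rate of proof-of-work versus block interval and
propagation delay.

Added example, not code from the original post.  Model (an assumption of this
example): blocks arrive as a Poisson process with mean interval `interval_s`,
and a block is wasted whenever the next block is found before the previous one
has propagated, i.e. within `delay_s` of it.
"""
import math
import random


def stale_fraction(interval_s, delay_s):
    """Closed form under the model: P(next block within delay) = 1 - exp(-delay/interval)."""
    return 1.0 - math.exp(-delay_s / interval_s)


def useful_work_fraction(interval_s, delay_s):
    """Share of hashing that ends up extending the agreed chain."""
    return 1.0 - stale_fraction(interval_s, delay_s)


def interval_for_target(delay_s, target_stale):
    """Block interval needed so that the stale fraction equals `target_stale`
    (inverse of stale_fraction for a fixed delay)."""
    return -delay_s / math.log(1.0 - target_stale)


def simulate_stale_fraction(interval_s, delay_s, blocks=200_000, seed=1):
    """Monte Carlo check of the closed form with a fixed seed (deterministic)."""
    rng = random.Random(seed)
    stale = 0
    for _ in range(blocks):
        gap = rng.expovariate(1.0 / interval_s)   # time until the next block is found
        if gap < delay_s:
            stale += 1                             # found before the last block propagated
    return stale / blocks


if __name__ == "__main__":
    for interval, delay in [(600, 60), (600, 10), (15, 1)]:
        print(f"interval {interval:4d} s, delay {delay:3d} s: "
              f"stale ~{stale_fraction(interval, delay):.1%} "
              f"(simulated {simulate_stale_fraction(interval, delay):.1%}), "
              f"useful work {useful_work_fraction(interval, delay):.1%}")
    print(f"for a 1% stale rate with a 60 s delay you need an interval of "
          f"{interval_for_target(60, 0.01):.0f} s")
```

The third case in the driver (a 15 s interval with a 1 s delay) shows why a faster chain can still have an acceptable stale rate: what matters is the ratio d/T, not the interval alone.  Lengthening the delay at a fixed interval moves the stale rate the other way, which is the sense in which propagation time is a security parameter and not just a performance one.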

Distributed ledgers such as Corda use a different design and exist precisely as an identified network, where members cannot just come and go at will and do have to register. With Corda, the team also assumes relatively low propagation times between members of a notary cluster.  One of the key differences between mere PoW (i.e. hashcash) and a blockchain is that in the latter each block references the prior, so PoWs aggregate.  It can be tough to do that unless all transactions are visible to everyone and there is a single agreed-upon blockchain; if you do not have that, you will not accumulate enough PoW to yield any meaningful security.

When fintech panels talk about the notion of “open” or “closed” networks, this is really a red herring because what is being ignored is how identity and permission work and are maintained on different types of networks.

From the standpoint of miner validation, in practice cryptocurrencies like Bitcoin are effectively permission-based: the entity that actually assembles and publishes a block is, on any given day, one of roughly 20 semi-static pools.  And the miners/hashers within those pools almost never individually generate the winning hash that finds a block.  Each miner generates trillions of hashes each week that fall short of the target and is rewarded with shares of the pool’s reward as rewards come in.

And if you want to change something or possibly insert a transaction, you need hashrate to do so.  Not just anyone running a validating node can effect change.

More to the point, nearly all of these pools and many of the largest miners have self-doxxed themselves.  They have linked their real world identities to a pseudonymous network whose goals were to mask identities via a purposefully expensive PoW process.  As a result, their energy and telecommunication access can be revoked by ISPs, energy companies, and governments.  Therefore calling anarchic or public blockchains “open” is more of a marketing gimmick than anything else at this stage.

Clarity

AOL and CompuServe were early, successful ISPs, not intranets.5  Conflating these terms makes it confusing for users to understand the core technology and identify the best-fit use-cases.6

Alongside the evolution of both the “cloud” and ISP markets, it will be very interesting to watch the evolution of “sovereign” networks and how they seek to address the issue of identity.

Why?

Because of national and supranational laws like the General Data Protection Regulation (GDPR), which impact network users and operators irrespective of where they are located.

For instance, Marley Gray (Principal Program Manager, Blockchain at Microsoft) recently explained in an interview how, in order to comply with various data regulations (data custody and sovereignty), Microsoft acquired fiber links that do not interact with the “public” internet.  That is to say, by moving data through physically segregated “dark” networks, Microsoft can comply with the requirements of its regulated customers.

And that is what is missing from most fintech panels on this topic: at the end of the day, who is the customer and end-user?

If it is cypherpunks and anarchists, then anarchic chains are built around their need for pseudonymous interactions.  If it is regulated enterprises, then identity-based systems are built around the need for SLAs and so forth.  The two worlds will continue to co-exist, but each network has different utility and comparative advantage.

Acknowledgements: I would like to thank Mike Hearn, Stephen Lane-Smith, Antony Lewis, Marcus Lim, Grant McDaniel, Emily Rutland, Kevin Rutter, and Peter Shiau for their constructive feedback. This was originally sent to R3 members on March 31, 2017.

Endnotes

  1. His analogy is reused with permission.
  2. From a network perspective, some of the integration and interop challenges facing DLT platforms could be similar to the harried IPv4 vs IPv6 coexistence over the past decade.  Who runs the validating nodes, the bridges (the links between the chains and ledgers), still has to be sorted out.  One reviewer noted that: If you equate IPv4 (TCP/UDP/ICMP) to DLTv4 where BGPv4 enables IPv4 networks to interact, we need an equivalent for BGPv4, say DLTGPv4 (DLT Gateway Protocol) for DLTv4 fabrics (ISPv4s) to interact and the same thing for IPv6 and DLTv6 where DLTv6 is a different DLT technology than DLTv4.  So the basic challenge here is solving integration of like DLT networks.
  3. Venture capitalists such as Marc Andreessen and Fred Wilson have stated at times that they would have supported or invested in something akin to TCPIPcoins or BGPcoins.  That is to say, in retrospect the missing element from the “internet stack” is a cryptocurrency.  This is arguably flawed on many levels and if attempted, would likely have stagnated the growth and adoption of the internet, see page 18-19.
  4. One reviewer noted that: Because of the IPv4 address restrictions (address space has been allocated, relying on auctions etc. for organizations to acquire IPv4 addresses), some sites now only have an IPv6 address.  Most devices today are dual stack (support IPv4 and IPv6), but many ISPs and older devices still only support IPv4, creating issues for individuals to access IPv6 and resulting in the development of various approaches for IPv4 to IPv6 (e.g. GW46, my generic label).  I think the question with DLTGW46 is whether to go dual stack or facilitate transformation between v4 and v6.
  5. A reviewer who previously worked at AOL in the mid ’90s noted that: “In its early days, AOL was effectively a walled garden.  For example, it had its own proprietary markup language called RAINMAN for displaying content. And access to the internet was carefully managed at first because AOL wanted its members to stay inside where content was curated and cultural norms relatively safer, and also desirable for obvious business reasons.”
  6. One reviewer commented: “In my opinion, the “internet” cannot be created by a single party. It is an emergent entity that is the product of multiple ISPs that agree to peer, thus the World Wide Web. DLT-based and blockchain-based services first need to develop into their own robust ecosystems to serve their own members. Eventually, these ecosystems will want to connect because the value of assets and processes in multiple ecosystems will increase when combined.”

Chainwashing

I was recently talking with a friend who spent the past decade in an operations role at a large enterprise in the telecommunication sector.  He has a matter-of-fact personality that likes to cut through the smoke and mirrors to find the fire.

I explained to him my role of having to filter through the dozens of entities that my market research team at R3 speaks with each month. And the formal process that our small team uses to look and find organizations that would be a good fit for R3’s Lab project pipeline.

For instance, because we typically act as the first part of the funnel for our organization, we end up listening to a great deal of startup pitches. And we are continually bombarded by endless “blockchain” and DLT noise.  The first year alone we looked at and spoke to more than 300 entities, a number that has now reached about 400.

This is not to say that there are only 400 companies/vendors/organizations/projects billing themselves as “blockchain” related entities… unfortunately that nebulous term has ballooned to encompass everything from cryptocurrencies to big data to IoT and now probably numbers in the thousands.

If you’re working in capital markets, how to tell the pretenders from the real deal?

Should you seek advice from people who never interface with enterprises or institutions and get all their wisdom from social media?  Or listen to columnists whose only interaction with banks is the ATM or a cryptocurrency meetup?  Or to media outlets that do not disclose their (coin) holdings?  Before answering these, let’s look at a new phrase below.

Thirteen months ago I gave a short presentation talking about the “blockchain” hype cycle.

The month before that – in December 2015 – I mentioned how much of the enthusiasm surrounding “blockchains” seemed a bit similar to the exuberance around “gluten free” food: how most people at fintech conferences talking about “blockchains” really couldn’t explain why blockchains were great in much the same way that many people asking for “gluten-free” food couldn’t tell you why gluten is or is not good for you.

I explained this to my friend and he said that the euphoria surrounding blockchains – and its vertical rise on the Gartner hype cycle – is similar to what he observed and experienced in “the cloud” space earlier this decade.  And more specifically, to the phenomenon called “cloudwashing”:

Cloud washing (also spelled cloudwashing) is the purposeful and sometimes deceptive attempt by a vendor to rebrand an old product or service by associating the buzzword “cloud” with it. (Source)

So with that, I’d like to coin a new phrase: “chainwashing.”

I have personally seen dozens of decks from vendors along the entire spectrum of sizes during the current hype cycle.  And watched the evolution of “blockchain creep” — how over time the word “blockchain” would appear more frequently not just on each slide, but in scope and vertical.

For instance, there are a couple dozen different startups that claim to have somehow built an enterprise-grade blockchain system without having gone through the arduous process of gathering the functional and non-functional requirements from the enterprises they intend to integrate with.  Magic!

While startup founders should shoulder the blame for these marketing gimmicks, as should the reporters who often own but do not disclose their (coin) holdings, investors are also to blame: not just for talking their book, but also for obfuscating their portfolio companies by pressuring them to rebrand retail-focused cryptocurrency products as bona fide “enterprise blockchain” platforms.  They are not the same thing.

So what are some evaluation criteria to help separate the signal from the noise?

If your job is to help filter vendors for financial institutions, governments, investment funds, or other large enterprises, then some of these questions may be helpful in determining whether or not your firm should engage with the vendor:

  • Why is the vendor using a blockchain?
  • What is the vendor’s definition of a blockchain?
  • Who has a problem that needs a blockchain in order to solve it: the vendor or the vendor’s customer?
  • What is it about a blockchain that solves a problem that couldn’t be solved with existing technology?
  • If a blockchain-related infrastructure provides a solution for the vendor, could any other existing technology solve its needs instead?
  • Do the founders and management team have experience managing, building, and/or deploying enterprise-grade systems or critical infrastructure?
  • Does the vendor as a whole have the appropriate contacts and connections with institutions and regulators?
  • Does the vendor have enough runway to build through a long sales cycle?

By asking these types of questions our team has helped filter the 400 or so companies/projects into a much more manageable dozen.

We think the number of companies with legs will continue to increase over time but chainwashing will continue to be a noise pollution problem for the next few years in the enterprise world even after production systems have been integrated into institutions.

As a consequence, it is probably safe to assume vendors are trying to pull a fast one on you, especially if it involves needing your company to acquire a cryptocurrency or “permissioning off” an existing cryptocurrency.

Remember: cryptocurrencies in the vein of Bitcoin were intentionally not designed to integrate with and fulfill the requirements of regulated institutions (like settlement finality) any more than a helicopter was designed to handle long distance cargo hauling.  Chainwashing is the opposite of being fit-for-purpose and we see it with marketing gimmicks like “Layer 2,” the topic of the next post.

Update: see also Evolving Language: Decentralized Financial Market Infrastructure

DLT as FMI in Korea

Yesterday I gave a keynote talk at “The Future of Financial Payment Services Driven by Technology Innovation” organized and hosted by the Korea Finance Telecommunications & Clearings Institute (KFTC).

It was their 30th Anniversary Seminar and was held in Seoul, South Korea.

Below are the slides I presented on “Distributed Ledger Technology as Financial Market Infrastructure”:

Non-technical Corda whitepaper released

Earlier today our architecture team released its first public whitepaper on Corda.

The WSJ covered it here and here.

Consequently I am somewhat puzzled by news stories that still refer to a “blockchain” as “Bitcoin technology.”  After all, we don’t refer to combustion engines in cars as “horse-powered technology” or an airplane turbine engine as “bird-powered technology.”

A more accurate phrase would be to say something like, “a blockchain is a type of data structure popularized by cryptocurrencies such as Bitcoin and Ethereum.”  After all, chronologically someone prior to Satoshi could have assembled the pieces of a blockchain into a blockchain and used it for different purposes than censorship-resistant e-cash.  In fact, both Guardtime and Z/Yen Group claim to have done so pre-2008, and neither involves ‘proof-of-work.’

Fun fact: Corda is not a blockchain, but is instead a distributed ledger.

Code is not law

This past Sunday I gave a new presentation at the Palo Alto Ethereum meetup — it was largely based on my previous two blog posts.

Note: all of the references and citations can be found within the notes section of the slides.  Also, I first used the term “anarchic chain” back in April 2015 based on a series of conversations with Robert Sams.  See p. 27.

Special thanks to Ian Grigg for his constructive feedback.

Slides:

Video:

Archy and Anarchic Chains

[Note: the views expressed below are solely my own and do not necessarily represent the views of my employer or any organization I advise.]

Yesterday, at block height 1920000, many elements of the Ethereum community coordinated a purposeful hardfork.

After several weeks of debate and just over a couple weeks of preparation, key stakeholders in the community — namely miners and exchanges — attempted to create a smooth transition from Ethereum Prime (sometimes referred to as Ethereum Classic) into Ethereum Core (Ethereum One).1

Users of exchange services such as Kraken were notified of the fork and are now being allowed to withdraw ETH to Ethereum Core, which many miners and exchanges now claim as “mainnet.”

Was the hardfork a success?  The answer depends on which parallel universe (or chain) you resided on, and on the criteria by which “failure” or “success” are measured.

For instance, if you ended up with ETH on the “unsupported” fork (Classic), who was financially responsible for this and who could attempt to file a lawsuit to rectify any losses?

Maybe no one.  Why?  Because public blockchains intentionally lack terms of service, EULAs, and service-level agreements; therefore it is difficult to say who is legally liable for mistakes or losses.

For instance, if financial instruments from a bank were sent to miners during the transition phase and are no longer accessible because the instruments were sent to the “unsupported” chain, who is to blame and bears responsibility?  Which party is supposed to provide compensation and restitution?

De facto versus de jure

This whole hardfork exercise visualizes a number of issues that this blog has articulated in the past.

Perhaps the most controversial is simply this: there is no such thing as a de jure mainnet on a public blockchain.  The best a cryptocurrency community can inherently achieve is a de facto mainnet.2

What does that mean?

Public blockchains such as Bitcoin and Ethereum intentionally lack any ties into the traditional legal infrastructure.  The original designers made it a point to try to make public blockchains extraterritorial and sovereign with respect to the physical world in which we live.  In other words, public blockchains are anarchic.

As a consequence, lacking ties into legal infrastructure, there is no recognized external authority that can legitimately claim which fork of Bitcoin or Ethereum is the ‘One True Chain.’  Rather, it is the proof-of-work process (or perhaps proof-of-stake in the future) that attempts to attest to which chain is supposed to be the de facto chain.3

However, even in this world there is a debate as to whether it is the longest chain or the chain with the most work done that determines which chain is the legitimate chain and which are the apostates.4 5
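As an added illustration (not part of the original post, and not any client’s or project’s code), the following constructed Python example decodes Bitcoin’s compact-target (“nBits”) encoding, derives the per-block work that Bitcoin Core actually accumulates when it selects a tip, and shows that the “longest chain” rule and the “most work” rule can disagree: five easy blocks are taller than two hard ones but carry far less work.  It also verifies a header’s proof-of-work against its own target, which is the header check endnote 5 alludes to.  The two chains, the difficulty values and the header prefix are all constructed for the example.

```python
"""Decide between competing chains by length or by accumulated proof-of-work.
Constructed example using Bitcoin's compact target ('nBits') encoding."""
import hashlib
import struct


def bits_to_target(bits: int) -> int:
    """Decode the 4-byte compact target stored in a block header."""
    if bits & 0x00800000:
        raise ValueError("negative target is invalid")
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected hash attempts needed to find a header under the target, i.e. the
    quantity Bitcoin Core accumulates as chain work: 2^256 / (target + 1)."""
    return (1 << 256) // (bits_to_target(bits) + 1)


def chain_work(bits_per_block) -> int:
    """Accumulated work of a chain given each block's nBits."""
    return sum(block_work(b) for b in bits_per_block)


def header_meets_target(header: bytes, bits: int) -> bool:
    """Verify the proof-of-work of an 80-byte header: its double-SHA256 digest,
    read as a little-endian integer, must not exceed the claimed target."""
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little") <= bits_to_target(bits)


def mine(prefix: bytes, bits: int, max_tries: int = 1 << 22):
    """Grind the nonce until the header meets the target; returns the header
    and the number of attempts, which averages block_work(bits)."""
    for nonce in range(max_tries):
        header = prefix + nonce.to_bytes(4, "little")
        if header_meets_target(header, bits):
            return header, nonce + 1
    raise RuntimeError("no nonce found within max_tries")


def best_chain(chains: dict, rule: str) -> str:
    """Pick a chain name under the 'length' rule or the 'work' rule."""
    if rule == "length":
        return max(chains, key=lambda n: len(chains[n]))
    if rule == "work":
        return max(chains, key=lambda n: chain_work(chains[n]))
    raise ValueError(f"unknown rule {rule!r}")


# Constructed chains: five easy blocks versus two harder ones.
EASY_BITS = 0x1F0FFFFF    # about 4,096 expected attempts per block
HARD_BITS = 0x1F00FFFF    # about 65,537 expected attempts per block
CHAINS = {
    "long": [EASY_BITS] * 5,    # taller...
    "short": [HARD_BITS] * 2,   # ...but this one carries more work
}

# Constructed 76-byte header prefix: version, prev hash, merkle root, time, bits.
HEADER_PREFIX = (struct.pack("<I", 1) + bytes(32)
                 + hashlib.sha256(b"constructed merkle root").digest()
                 + struct.pack("<I", 1463000000) + struct.pack("<I", EASY_BITS))

if __name__ == "__main__":
    header, tries = mine(HEADER_PREFIX, EASY_BITS)
    print(f"mined after {tries} attempts (expected ~{block_work(EASY_BITS)})")
    print("longest:", best_chain(CHAINS, "length"),
          " most work:", best_chain(CHAINS, "work"))
```

Run on the constructed chains, `best_chain(CHAINS, "length")` returns `"long"` while `best_chain(CHAINS, "work")` returns `"short"`; the genesis-difficulty check `block_work(0x1D00FFFF)` gives `0x100010001`, the chain work Bitcoin Core records for its first block.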

And this is where, fundamentally, it becomes difficult for regulated institutions to use a public blockchain for transferring regulated data and regulated financial instruments.

For instance, in March 2013 an accidental, unintended fork occurred on what many participants claimed as the Bitcoin mainnet.

To rectify this situation, over roughly four hours, operators of large mining pools, developers, and several exchanges met on IRC to coordinate and choose which chain they would support and which would be discarded.  This was effectively, at the time, the largest fork-by-social-consensus attempted (e.g., proof-of-nym-on-IRC).

There were winners and losers.  The losers included OKPay, a payment processor, which lost several thousand dollars, and BTC Guild, a large mining pool that had expended real capital mining some of the now-discarded blocks.

In the Bitcoin world, this type of coordination event is slowly happening again with the never ending block size debate.

One team, Bitcoin Classic, is a small group of developers that supports a hardfork to relatively quickly increase the block size from 1 MB to 2 MB and higher.  Another group, dubbed Bitcoin Core, prefers a slower roll-out of code over a period of years that includes changes that would eventually increase the block size (e.g., segwit).6

Yet as it lacks a formal governance structure, neither side has de jure legitimacy but instead relies on the court of public opinion to make their case.  This is typically done by lobbying well-known figureheads on social media as well as mining pools directly.  Thus, it is a bit ironic that a system purposefully designed for pseudonymous interactions in which participants were assumed to be Byzantine and unknown, instead now relies on known, gated, and trusted individuals and companies to operate.

Note: if the developers and miners did have de jure legitimacy, it could open up a new can of worms around FinCEN administrative requirements.7  Furthermore, the miners are always the most important stakeholders in a proof-of-work system; if they were not, no one would host events just for them.

[Embedded image: “arthur twitter pow” (Source: Twitter)]

Ledgers

With this backstory it is increasingly clear that, in the legal sense, public blockchains are not actual distributed ledgers.  Distributed, yes; ledgers, no.

As Robert Sams articulates:8

I think the confusion comes from thinking of cryptocurrency chains as ledgers at all. A cryptocurrency blockchain is (an attempt at) a decentralised solution to the double spending problem for a digital, extra-legal bearer asset. That’s not a ledger, that’s a log.

That was the point I was trying to make all along when I introduced the permissioned/permissionless terminology!9 Notice, I never used the phrase “permissionless ledger” — Permissionless’ness is a property of the consensus mechanism.

With a bearer asset, possession of some instrument (a private key in the cryptocurrency world) means ownership of the asset. With a registered asset, ownership is determined by valid entry in a registry mapping an off-chain identity to the asset. The bitcoin blockchain is a public log of proofs of instrument possession by anonymous parties. Calling this a ledger is the same as calling it “bearer asset ledger”, which is an oxymoron, like calling someone a “married bachelor”, because bearer assets by definition do not record their owners in a registry!

This taxonomy that includes the cryptocurrency stuff in our space (“a public blockchain is a permissionless distributed ledger of cryptocurrency”) causes so much pointless discussion.

I should also mention that the DLT space should really be using the phrase “registry” instead of “ledger”. The latter is about accounts, and it is one ambition too far at the moment to speak of unifying everyone’s accounts on a distributed ledger.

As I have discussed previously, public blockchains intentionally lack hooks into off-chain legal identification systems.

Why?  Because as Sams noted above: a KYC’ed public blockchain is effectively an oxymoron.  Arguably it is self-defeating to link and tie all of the participants of the validation (mining) process and asset transfer process (users) to legal identities and gate them from using (or not using) the network services.  All you have created is a massively expensive permissioned-on-permissionless platform.

But that irony probably won’t stop projects and organizations from creating a Kimberley Process for cryptocurrencies.

I cannot speak on behalf of the plethora of “private chain” or “private ledger” projects (most of which are just ill-conceived forks of cryptocurrencies), but we know from public comments that some regulators and market structures might only recognize blockchains and distributed ledgers that comply with laws (such as domestic KYC / AML regulations) by tying into the traditional legal infrastructure.10 This means tying together off-chain legal identities with on-chain addresses and activity.

Why?

There are multiple reasons, but partly it is due to the need to reduce settlement risks: to create definitive legal settlement finality and to identify the participants involved in that process.11

Finality

As illustrated by the purposeful Ethereum One hardfork and the accidental Bitcoin fork in 2013, public blockchains, by design, can only provide probabilistic settlement finality.

Sure, the data inside the blocks itself is immutable, but the ordering and who does the ordering of the blocks is not.

What does this mean?  Recall that for both Ethereum and Bitcoin, information (usually just private keys) is hashed multiple times by a SHA algorithm, making the information effectively immutable.12 It is unlikely, given the length of time our star is expected to live, that this hash function can be reversed by a non-quantum computer.

However, blocks can and will be reorganized, they are not immutable.  Public blockchains are secured by social and economic consensus, not by math.
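To make the reorganization point concrete, here is an added Python model of a node that follows the most-work rule (not code from the post or from any client): a transaction sitting two blocks deep on the active chain is left with zero confirmations once a competing branch with strictly more accumulated work arrives, which is why a confirmation count is a probability statement and not a guarantee.  The model also records every reorganization with its depth, the kind of event a monitoring system would alert on.  Block names and work values are constructed.

```python
"""Toy most-work node: competing branches, tip selection and the effect of a
reorganization on a transaction's confirmation count. Constructed example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    name: str
    parent: Optional[str]        # None only for the genesis block
    work: int                    # work this block's proof-of-work contributes
    txids: Tuple[str, ...] = ()  # transactions the block confirms


class Node:
    def __init__(self, genesis: Block):
        self.blocks: Dict[str, Block] = {genesis.name: genesis}
        self.chainwork: Dict[str, int] = {genesis.name: genesis.work}
        self.tip = genesis.name
        self.reorgs: List[Tuple[str, str, int]] = []  # (old tip, new tip, depth)

    def add_block(self, block: Block) -> None:
        if block.name in self.blocks:
            raise ValueError(f"duplicate block {block.name}")
        if block.parent not in self.blocks:
            raise ValueError(f"orphan block {block.name}")
        self.blocks[block.name] = block
        self.chainwork[block.name] = self.chainwork[block.parent] + block.work
        # Most-work rule with first-seen tie-break: switch only on strictly more work.
        if self.chainwork[block.name] > self.chainwork[self.tip]:
            fork = self.fork_point(self.tip, block.name)
            depth = self.height(self.tip) - self.height(fork)
            if depth > 0:  # blocks were disconnected: that is a reorganization
                self.reorgs.append((self.tip, block.name, depth))
            self.tip = block.name

    def ancestors(self, name: str) -> List[str]:
        """Block names from `name` back to genesis."""
        out: List[str] = []
        cur: Optional[str] = name
        while cur is not None:
            out.append(cur)
            cur = self.blocks[cur].parent
        return out

    def height(self, name: str) -> int:
        return len(self.ancestors(name)) - 1

    def fork_point(self, a: str, b: str) -> str:
        """Most recent common ancestor of two blocks."""
        seen = set(self.ancestors(a))
        return next(n for n in self.ancestors(b) if n in seen)

    def active_chain(self) -> List[str]:
        return list(reversed(self.ancestors(self.tip)))

    def confirmations(self, txid: str) -> int:
        """Depth of txid on the active chain (tip block = 1); 0 if not on it."""
        chain = self.active_chain()
        for i, name in enumerate(chain):
            if txid in self.blocks[name].txids:
                return len(chain) - i
        return 0


def reorg_demo() -> dict:
    """Branch A confirms 'pay-alice'; an equal-work branch B does not displace
    it, but once B gains strictly more work the node switches tips and the
    payment is no longer on the active chain at all."""
    node = Node(Block("G", None, 1))
    node.add_block(Block("A1", "G", 10, ("pay-alice",)))
    node.add_block(Block("A2", "A1", 10))
    confs_before = node.confirmations("pay-alice")  # 2 confirmations
    node.add_block(Block("B1", "G", 10, ("pay-bob",)))
    node.add_block(Block("B2", "B1", 10))            # equal work: stay on A2
    tip_on_tie = node.tip
    node.add_block(Block("B3", "B2", 10))            # 31 > 21: reorganization
    return {
        "confs_before": confs_before,
        "tip_on_tie": tip_on_tie,
        "tip_after": node.tip,
        "confs_after": node.confirmations("pay-alice"),
        "reorgs": node.reorgs,
    }


if __name__ == "__main__":
    print(reorg_demo())
```

The strict `>` comparison is deliberate: on an exact tie the node keeps the branch it saw first, so two equal-work branches can coexist indefinitely until one of them pulls ahead, which is exactly the situation the 2013 Bitcoin fork had to be talked out of on IRC.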

As a consequence, there are some fundamental problems with any fork on public blockchains: they may actually increase risks to the traditional settlement process.  And this, coupled with the lack of hooks for off-chain identity, means that public blockchains — anarchic blockchains — are not well-suited or fit-for-purpose for regulated financial institutions.

After all, who is financially, contractually, and legally responsible for the consequences of a softfork or hardfork on a public blockchain?

  • If it is no one, then it might not be used by regulated organizations because they need to work with participants who can be held legally accountable for actions (or inactions).
  • If it is someone specifically (e.g., a doxxed individual) then you have removed the means of pseudonymous consensus to create censorship resistance.

In other words, public blockchains, contrary to the claims of social media, are not “law” because they do not actually tie into the legal infrastructure which they were purposefully designed to skirt.  By attempting to integrate the two worlds — by creating a KYC’ed public blockchain — you end up creating a strange hydra that lacks the utility of pseudonymity (and censorship resistance) yet maintains the expensive and redundant proof-of-work process.

These types of forks also open the door to future forks: what are the criteria for forking or not forking in the future?  Who is allowed, and responsible, to make those decisions?  If another instance like the successful attack and counter-attack on The DAO takes place, will the community decide to fork again?  If 2 MB blocks are seen as inadequate, who bears the legal and financial responsibility for a new fork that supports larger (or smaller) blocks?  If any regulated institution loses assets or funds in this forking process, who bears responsibility?  Members of IRC rooms?

If the answers are caveat emptor, then that level of risk may not be desirable to many market participants.

Conclusions

Who are you going to sue when something doesn’t go according to plan?  In the case of The DAO, the attacker allegedly threatened to sue participants acting against his interests because he claimed: code is law.  Does he have legal standing?  At this time it is unclear what court would have accepted his lawsuit.

But irrespective of courts, it is unclear how smart contract code, built and executed on an anarchic platform, can be considered “legal.”  It appears to be a self-contradiction.

As a consequence, the fundamental need to tie contract code with legal prose is one of the key motivations behind how Richard Brown’s team in London approached Corda’s design.  If you cannot tie your code, chain, or ledger into the legal system, then it might be an unauthoritative ledger from the perspective of courts.13

And regulated institutions can’t simply just ignore regulations as they face real quantifiable consequences for doing so.  To paraphrase George Fogg, that’s akin to putting your head in the sand.

We continue to learn from the public blockchain world, such as the consequences of forks, and the industry as a whole should try to incorporate these lessons into their systems — especially if they want anyone of weight to use them.  Anarchic blockchains will continue to co-exist with their distributed ledger cousins but this dovetails into a conversation about “regtech,” which is a topic of another post.

Endnotes

  1. Rejecting Today’s Hard Fork, the Ethereum Classic Project Continues on the Original Chain: Here’s Why from Bitcoin Magazine
  2. This doesn’t mean that regulators and/or financial institutions won’t use public blockchains for various activities; perhaps some of them will be comfortable after quantifying the potential risks associated with them.
  3. Ethereum developers plan to transition Ethereum from proof-of-work to proof-of-stake within the next year.
  4. See Arthur Breitman’s interview on Epicenter Bitcoin and Mike Hearn’s interview on Money & Tech
  5. Philosophically, when Bob connects to “The Bitcoin Network” — how does Bob know he is actually connected to the “real” Bitcoin network?  One method is to look at the block header: it should take a specific amount of time to recreate the hash with that proof-of-work. This proves which network has the most work done.  However, in the meantime, Bob might connect to other ‘pretenders’ claiming to be “The Bitcoin Network.”  At this time, there does not appear to be any legal recognition of a specific anarchic chain.
  6. The Bitcoin Core fork, which is euphemistically called a softfork, is basically a hardfork spread over a long period of time.
  7. See Section 3.4
  8. Personal correspondence: March 9, 2016
  9. See Blockchain Finance by Robert Sams
  10. This is not to say that regulators, governments, and various market participants will not use public blockchains for other activity.
  11. See Section 3.1
  12. For proof-of-work mining, Ethereum uses ethash instead of SHA256.  For hashing itself, Ethereum uses SHA-3 which is part of the Keccak family (some people use the terms interchangeably but that isn’t technically correct).
  13. See Section 9

What’s the deal with DAOs?

[Disclaimer: I do not own any cryptocurrencies nor have I participated in any DAO crowdfunding.]

This post will look at the difference between a decentralized autonomous organization (DAO) and a project called The DAO.

Brief explanation

The Wikipedia entry on DAOs is not very helpful.  However, Chapters 2 through 5 may be of some use (although the information is dated).

In terms of the uber hyped blockchain world, at its most basic kernel, a DAO is a bit of code — sometimes called a “smart contract” (a wretched name) — that enables a multitude of parties including other DAOs to send cryptographically verifiable instructions (such as a digitally signed vote) in order to execute the terms and conditions of the cloud-based code in a manner that is difficult to censor.

One way to think of a simple DAO: it is an automated escrow agent that lives on a decentralized cloud, where it can only distribute funds (e.g., issue a dividend, disburse payroll) upon receiving, or even not receiving, a digital signal that a task has been completed or is incomplete.

For instance, let us assume that a small non-profit aid organization, whose staff primarily work in economically and politically unstable regions with strict capital controls, sets up a DAO — an escrow agent — on a decentralized cloud to distribute payroll each month.

This cloud-based escrow agent was coded such that it would only distribute the funds once a threshold of digital signatures had signed an on-chain contract — not just from staff members, but also from independent on-the-ground individuals who observed that the staff members were indeed doing their job.  Some might call these independent observers oracles, but that is a topic for a different post.1

Once enough signatures had been used to sign an on-chain contract, the escrow agent would automatically release the funds to the appropriate individuals (or rather, to a public address that an individual controls via a private key).  The terms under which the agent operated could also be amended with a predetermined number of votes, just as corporate boards and shareholders vote to change charters and contracts today.
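As an added example (not the post’s own code, and not modelled on any real DAO), the following constructed Python escrow implements the gate just described: a payout for a pay period goes through only when a staff quorum and a separate observer quorum both sign the exact payout; each signature is bound to the escrow, the period, the payee and the amount, so an approval cannot be replayed for another month or re-used for a different sum; and the quorum rules can be amended by a vote of the members.  The signer names and secrets are invented, and HMAC-SHA256 over a per-signer secret stands in for the public-key signature check that an on-chain contract would perform.

```python
"""Threshold-gated payroll escrow with two signer groups. Constructed example:
HMAC with per-signer secrets stands in for on-chain signature verification."""
import hashlib
import hmac
import json


class PayrollEscrow:
    """A payout needs `staff_quorum` staff AND `observer_quorum` independent
    observers to sign the same canonical payout message; rules change only when
    `amend_quorum` members (both groups counted together) sign the proposal."""

    def __init__(self, escrow_id, balance, staff_keys, observer_keys,
                 staff_quorum, observer_quorum, amend_quorum):
        self.escrow_id = escrow_id
        self.balance = balance
        self.keys = {**staff_keys, **observer_keys}  # signer -> secret (stand-in)
        self.staff = frozenset(staff_keys)
        self.observers = frozenset(observer_keys)
        self.rules = {"staff_quorum": staff_quorum,
                      "observer_quorum": observer_quorum,
                      "amend_quorum": amend_quorum}
        self.paid_periods = set()   # replay protection: one payout per period
        self.amendments = 0         # sequence number for amendment proposals

    def message(self, kind, **fields):
        """Canonical bytes every signer signs; the escrow id keeps an approval
        for this escrow from being meaningful to another one."""
        return json.dumps({"escrow": self.escrow_id, "kind": kind, **fields},
                          sort_keys=True).encode()

    @staticmethod
    def sign(secret, msg):
        # Stand-in for a digital signature (a real contract verifies a
        # public-key signature; the authorization logic is the same).
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def valid_signers(self, msg, signatures):
        """Known signers whose signature over exactly `msg` verifies."""
        ok = set()
        for signer, sig in signatures.items():
            secret = self.keys.get(signer)
            if secret is not None and hmac.compare_digest(self.sign(secret, msg), sig):
                ok.add(signer)
        return ok

    def release(self, period, payee, amount, signatures):
        """Pay `amount` to `payee` for `period` if both quorums are met.
        Returns True on payout, False on rejection (state unchanged)."""
        if period in self.paid_periods or amount <= 0 or amount > self.balance:
            return False
        msg = self.message("release", period=period, payee=payee, amount=amount)
        signers = self.valid_signers(msg, signatures)
        if len(signers & self.staff) < self.rules["staff_quorum"]:
            return False
        if len(signers & self.observers) < self.rules["observer_quorum"]:
            return False
        self.balance -= amount
        self.paid_periods.add(period)
        return True

    def amend(self, new_rules, signatures):
        """Adopt `new_rules` when enough members sign this exact proposal; the
        sequence number stops an old, already-applied proposal being replayed."""
        proposal = {**self.rules, **new_rules}
        msg = self.message("amend", seq=self.amendments, **proposal)
        if len(self.valid_signers(msg, signatures)) < self.rules["amend_quorum"]:
            return False
        self.rules = proposal
        self.amendments += 1
        return True


def demo():
    """The scenarios from the post, with constructed signers and secrets."""
    staff = {"staff-1": b"s1", "staff-2": b"s2", "staff-3": b"s3"}
    observers = {"obs-1": b"o1", "obs-2": b"o2"}
    esc = PayrollEscrow("aid-payroll", 10_000, staff, observers,
                        staff_quorum=2, observer_quorum=2, amend_quorum=4)
    everyone = {**staff, **observers}

    def signed_by(msg, *names):
        return {n: PayrollEscrow.sign(everyone[n], msg) for n in names}

    may = esc.message("release", period="2016-05", payee="field-team", amount=3_000)
    full = signed_by(may, "staff-1", "staff-2", "obs-1", "obs-2")
    staff_only = esc.release("2016-05", "field-team", 3_000,
                             signed_by(may, "staff-1", "staff-2", "staff-3"))
    tampered = esc.release("2016-05", "field-team", 9_000, full)  # amount edited
    paid = esc.release("2016-05", "field-team", 3_000, full)
    replay = esc.release("2016-05", "field-team", 3_000, full)   # same period again
    proposal = esc.message("amend", seq=0, **{**esc.rules, "observer_quorum": 1})
    amended = esc.amend({"observer_quorum": 1},
                        signed_by(proposal, "staff-1", "staff-2", "staff-3", "obs-1"))
    june = esc.message("release", period="2016-06", payee="field-team", amount=3_000)
    paid_june = esc.release("2016-06", "field-team", 3_000,
                            signed_by(june, "staff-1", "staff-2", "obs-2"))
    return {"staff_only": staff_only, "tampered": tampered, "paid": paid,
            "replay": replay, "amended": amended, "paid_june": paid_june,
            "balance": esc.balance}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that nothing is counted by who merely showed up: a staff-only set of signatures is rejected however large it is, and signatures over one payout message are worthless for a payout with a different amount or period, because the contract recomputes the message from the claimed parameters and checks the signatures against that.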

The purported utility that decentralization brings to this situation is that it makes censoring transactions by third parties more difficult than if the funds flowed through a centralized rail.  There are trade-offs to these logistics but that is beyond the scope of this post.

The reason the DAO acronym includes the “organization” part is that the end-goal by its promoters is for it to provide services beyond these simple escrow characteristics such as handling most if not all administrative tasks such as hiring and firing.

Watch out Zenefits, the cryptocurrency world is going to eat your lunch!  Oh wait.

A short history

It is really easy to get caught up in the euphoria of a shiny new toy.  And the original goal of a DAO sounds like something out of science fiction —  but these undertones probably do it a disservice.

Prior to 2014 there had been several small discussions around the topic of autonomous “agents” as it related to Bitcoin.

For instance, in August 2013, Mike Hearn gave a presentation at Turing Festival (see above), describing what was effectively a series of decentralized agents that operated logistical companies such as an autonomous car service.

Several months later, Vitalik Buterin published the Ethereum white paper which dove into the details of how to build a network — in this case a public blockchain — which natively supported code that could perform complex on-chain tasks: or what he dubbed as a decentralized autonomous organization.

Timing

The impetus and timing for this post is based on an ongoing crowdsale / crowdfunding activity for the confusingly named “The DAO” that has drawn a lot of media attention.

Over the past year, a group of developers, some of whom are affiliated with the Ethereum Foundation and others affiliated with a company called Slock.it have created what is marketed as the first living and breathing DAO on the Ethereum network.

The organizers kicked off a month long token sale and at the time of this writing just over 10 million ether (the native currency of the Ethereum blockchain) — or approximately 13% of all mined ether — has been sent to The DAO.  This is roughly equivalent to over $100 million based on the current market price of ether (ETH).

In return for sending ether to The DAO, users receive an asset called a DAO Token which can be used in the future to vote on projects that The DAO wants to fund.2 It is a process that Swarm failed at doing.

An investment fund or a Kickstarter project?

I would argue that, while from a technical standpoint it is possible to successfully set up a DAO in the manner that The DAO team did, there really isn’t much utility in doing so in an environment in which censorship or the theft of funds by third parties will probably not occur.

That is to say, just as I have argued before that permissioned-on-permissionless is a shortsighted idea, The DAO, as it is currently set up, is probably a solution to a problem that no one really has.3

Or in short, if you “invested” in The DAO crowdsale thinking you’re going to make money back from the projects via dividends, you might be better off investing in Disney dollars.

Why?

Putting aside securities regulations and regulators such as the SEC for a moment, most of the crowdsale “investors” probably don’t realize that:

  1. crowdfunding in general has a checkered track record of return-on-investment4
  2. crowdfunding in the cryptocurrency world almost always relies on the future appreciation of token prices in order to break-even and not through the actual creation of new features or tools (e.g., see Mastercoin/Omni which effectively flopped)
  3. that the funds, when disbursed to Slock.it and other “products,” could take years, if ever, to return a dividend

Why would this pool of capital provide any better expected return-on-investment than others?

Or as Nick Zeeb explained to me:

My sense about The DAO is that it’s a fascinating experiment that I do not want to be part of. I also do not think that a committee of over 1,000 strangers will make wise investment decisions. Most good investment decisions are taken by courageous individuals in my opinion. Anything that can get past a big committee will probably not be the next Google. Imagine this pitch: “Hi I’m Larry and this is Sergey and we want to build the world’s 35th search engine.”

While it probably wasn’t the 35th search engine, for those unfamiliar with the history of Google, Larry Page and Sergey Brin are the co-founders who created a search engine in what was then thought to be a very crowded market.

So why the excitement?

I think part of it is quite simply: if you own a bunch of ether, there really isn’t much you can do with it right now.  This is a problem that plagues the entire cryptocurrency ecosystem.

Despite all the back-patting at conferences, the market is already filled with lots of different tokens. There is a glut of tokens which do not currently provide many useful things that you couldn’t already do with existing cash systems.5

Part of it also is that most probably think they will somehow get rich quick through dividends, but that probably won’t happen anytime soon, if at all.

With The DAO, only the development teams of projects that are voted and approved by The DAO (e.g., the thousands of users with DAO Tokens), will see any short term gains through a steady paycheck.  And it is only after they build, ship and sell a product that the original investors may begin seeing some kind of return.

Or in other words: over the past several weeks, the pooling of capital has taken place for The DAO.  In the future there will be various votes as to where that capital goes.  Shortly thereafter, some capital is deployed and later KPIs will be assessed in order to determine whether or not funding should continue.  All the while some type of profit is sought and dividend returned.

Why, I asked another friend, would this pool of capital offer any better risk adjusted return-on-investment than other asset classes?

In his view:

The return might be high but so is the risk. Always adjust for risk. I think The DAO is better compared to a distributed venture capital firm. Whether that’s better or worse I don’t know — I mean you have the crowd deciding on investments. Or more realistically: nerds who know how to obtain ether (ETH) get to decide on investments.

Does that make them better VCs? Probably not. However, The DAO can decide to hire people with actual credentials to manage and select the investments, admitting its own weakness which would then turn into a strength. I think this can go either way but given the regulator is not prepared for any of this it will probably not work out in the short term.

Does the ‘design-by-giant-nerd-committee’ process work?

Over the past year we have already seen thousands, probably tens of thousands, of man-hours dropped into the gravity well known as the “block size debate,” in which hundreds of passionate developers have seemingly argued non-stop on Slack, Twitter, reddit, IRC, at conferences and so forth without really coming to an amicable decision that any one group really likes.

So if block size-design-by-committee hasn’t worked out terribly well, will the thousands of investors in The DAO take to social media to influence and lobby one another in the future?  And if so, how productive is that versus alternative investment vehicles?

Redistributing the monetary base

Assuming Ethereum has an economy (which it probably doesn’t by most conventional measures), will The DAO create a deflationary effect on the Ethereum economy?

For instance, at its current rate, The DAO could absorb about 20% of the ether (ETH) monetary base.

Does that mean it permanently removes some of the monetary base?  Probably not.

For example, we know that there will be some disbursements to projects such as Slock.it, so there will be some liquidity from this on-chain entity.  And that future DAOs will spend their ether on expenses and development like a normal organization.

But we also know that there is a disconnect between what The DAO is, an investment fund, and what many people see it as: a large vault filled with gold lying in Challenger Deep that will somehow appreciate in value and from which they will somehow be able to extract that value.

Sure, we will all be able to observe that the funds exist at the bottom of the trench, but someone somewhere has to actually create value with the DAO Tokens and/or ether.

For the same reason that most incubators, accelerators and VC funds fail, that entrepreneur-reliant math doesn’t change for The DAO.  Not only does The DAO need to have a large volume of deal flow, but The DAO needs to attract legitimate projects that — as my friend points out above — have a better risk-adjusted return-on-investment than other asset classes.

Will the return-on-investment of the DAO as an asset class be positive in the “early days”?  What happens when the operators and recipients of DAO funds eventually confront the problem of securities regulation?

So far, most of the proposals that appear to be geared up for funding are reminiscent of hype cycles we have all seen over the past couple of years.

Let’s build a product…

  • 2014: But with Bitcoin
  • 2015: But with Blockchain
  • 2016: But with DAO

Maybe the funds will not all be vaporized, but if a non-trivial amount of ETH ends up being held in this DAO or others, it could be the case that, with sluggish deal flow, a large portion of the funds remains inert.  And since this ether would not be touching any financial flows, it would be equivalent to storing a large fraction of M0 in your basement safe, siloed off from liquid capital markets.

Ten observations

  1. Since the crowdsale / crowdfund began on April 30, the market price of ETH has increased ~30%; is that a coincidence or is there new demand being generated due to The DAO crowdsale?
  2. A small bug has been discovered in terms of the ETH to DAO Token conversion time table
  3. The DAO surpassed the Ethereum Foundation to become the largest single holder of ether (note: the linked article is already outdated)
  4. In terms of concentration of wealth: according to Etherscan, the top 50 DAO Token holders collectively “own” 38.49% of The DAO
  5. The top 500 DAO Token holders collectively “own” 71.39% of The DAO
  6. As of this writing there are over 15,000 entities (not necessarily individuals) that “own” some amount of a DAO Token
  7. Why is “own” in quotation marks? Because it is still unclear if controlling access to these private keys is the same thing as owning them.  See also: Watermarked Tokens as well as The Law of Bitcoin
  8. Gatecoin, which facilitated the crowdsale of both The DAO and DigixDAO was recently hacked and an estimated $2 million in bitcoins and ether were stolen
  9. Yesterday Gavin Wood, a co-founder of Ethereum, announced that he is stepping down as a “curator” for The DAO.  Curators, according to him, are effectively just individuals who identify whether someone is who they say they are — and have no other duties, responsibilities or authority.
  10. Three days ago, the Slock.it dev team — some of whom also worked on creating The DAO — did a live Q/A session that was videotaped and attempted to answer some difficult questions, like how many DAO Tokens they individually own.

Conclusion

About 17 months ago I put together a list of token crowdsales.  It would be interesting to revisit these at some point later this year to see what the return has been for those holders and how many failed.

For instance, there hasn’t really been any qualitative analysis of crowdsales or ICOs beyond looking at price appreciation.6 What other utility was ultimately created with the issuance of, say, factoids (Factom tokens) or REP (Augur tokens)?

Similarly, no one has really probed Bitcoin mining (and all POW mining) through the lens of a crowdsale on network security. Is every 10 minutes an ICO? After all, the scratch-off contest ties up capital seeking rents on seigniorage and in the long run, assuming a competitive market, that seigniorage is bid away, as Robert Sams has pointed out, to the point where the marginal cost equals the marginal value of a token. So you end up with this relatively large capital base — divorced from the real world — that actually doesn’t produce goods or services beyond the need to be circularly protected via capital-intensive infrastructure.

Other questions to explore in the future include:

  • what are the benefits, if any, of using a centralized autonomous organization (CAO) versus decentralized autonomous organization (DAO) for regulated institutions?
  • how can a party or parties sue a decentralized autonomous organization?7
  • what are the legal implications of conducting a 51% attack on a network with legally recognized DAOs residing on a public blockchain?8
  • will the continued concentration of ether and/or DAO Tokens create a 51% voting problem identified in the “Curator” section?

Still don’t fully understand what The DAO is?  Earlier this week CoinDesk published a pretty good overview of it.

[Special thanks to Raffael Danielli, Robert Sams and Nick Zeeb for their thoughts]

Endnotes

  1. Note: for the purposes of The DAO, “curators” are effectively identity oracles. []
  2. It appears that currently, once a quorum is achieved, a relatively small proportion of token holders can vote “yes” to a proposal to trigger a large payout. []
  3. The current line-up of goods and services are not based around solving for problems in which censorship is a threat, such as those facing an aid worker in a politically unstable region. []
  4. That is not to say that they all fail. In fact according to one statistic from Kickstarter, there was a 9% failure rate on its platform. Thus, it depends on the platform and what the reward is. []
  5. CoinGecko is tracking several hundred tokens. []
  6. ICO stands for “initial coin offering” — it is slight twist to the term IPO as it relates to securities. []
  7. An added wrinkle to identifying liable parties is: what happens when systems like Zcash launch? []
  8. This presupposes that a DAO will gain legal recognition and/or a public blockchain gains legal standing as an actual legal record. []

Self-doxxing, dynamic block making and re-decentralization of mining

There are currently two popular interrelated narratives on social media surrounding participation of the block making process on a public blockchain.  The stories are most pronounced within the Bitcoin community but are also reused by Litecoin, Ethereum and other cryptocurrencies too.

This includes the unchallenged statements that:

(1) anyone can still participate in block making, it is ungated and “permissionless”

(2) following a reward halving (“halvening”), networks become more decentralized because large, centralized farms and actors split apart due to economic pressures

This post looks at both of these and shows that in practice neither is really true as of April 2016.

Named block makers

A year ago I reflected on some of the debate surrounding permissioned and permissionless blockchains.  Part of that post involved looking at how the mining market actually evolved in practice; not just based on the generalized claims made by enthusiasts at conferences.

For instance, based on block height below is a list of the first time a pool self-doxxed and signed a coinbase transaction, courtesy of Organ of Corti.  Only the first 50 are chronologically included:

Pool name               Block height   Date
Eligius                 130635         14-Jun-11
BitMinter               152246         7-Nov-11
BTC Guild               152700         10-Nov-11
Nmcbit.com              153343         15-Nov-11
YourBTC                 154967         27-Nov-11
simplecoin.us           158291         20-Dec-11
Ass Penny Pool          161432         10-Jan-12
btcserv.net             163672         25-Jan-12
Slush                   163970         27-Jan-12
BitLC                   166462         12-Feb-12
pool.mkalinin.ru        170937         13-Mar-12
Bitclockers             173863         1-Apr-12
MaxBTC                  174819         9-Apr-12
Triplemining            175144         11-Apr-12
CoinLab                 180947         21-May-12
wizkid057               184148         12-Jun-12
Generated by General    194247         17-Aug-12
HHTT                    197602         7-Sep-12
Ozcoin                  207017         8-Nov-12
EclipseMC               208419         18-Nov-12
MTRed                   219115         2-Feb-13
50BTC.com               219933         7-Feb-13
Bitparking              226272         17-Mar-13
Discus Fish             236494         17-May-13
ASICMiner               237050         20-May-13
ST Mining Corp          238456         29-May-13
Satoshi Systems         245445         8-Jul-13
GHash.IO                250205         5-Aug-13
175btc.com              253884         24-Aug-13
For Pierce and Paul     259214         21-Sep-13
Alydian5335             261051         1-Oct-13
Megabigpower            261530         4-Oct-13
GIVE-ME-COINS           267919         4-Nov-13
Polmine                 282943         29-Jan-14
KoiSystems              285715         14-Feb-14
AntPool                 286681         19-Feb-14
MMPool                  294747         8-Apr-14
KNC Miner               300700         14-May-14
Bitfinex pool           306406         18-Jun-14
BitAffNet               309657         8-Jul-14
Bitfury                 311333         18-Jul-14
Hashmine.io             313882         4-Aug-14
Solo.ckpool             319980         10-Sep-14
Kano.is                 325306         14-Oct-14
BTCChina Pool           327211         27-Oct-14
Tangpool                339210         16-Jan-15
For Pyra                339547         19-Jan-15
BW Pool                 341167         30-Jan-15
Huobi                   341760         3-Feb-15
Dot pool                342104         6-Feb-15

Recall that even though it didn’t initially sign coinbase transactions, Slush began publicly operating at the end of November 2010.  Eligius was announced on April 27, 2011.  DeepBit publicly launched on February 26, 2011 and at one point was the most popular pool, reaching, for a short period in July 2011, more than 50% of the network hashrate.

While many enthusiasts claim that “anyone can mine,” in practice, very few choose to for a number of reasons that will be discussed below.

But more to the point, the reason cryptocurrencies allegedly have a “permissionless” characteristic in the first place has to do exclusively with the fact that there is no administrative gating or vetting process for allowing actors on the network to participate in the block making process.  In 2009 there was no whitelist, blacklist, KYC or KYM (know your miner) process.

That is to say, those wanting to create a block did not need permission from a network administrator.1  That is the sole context of the term “permissionless.”

It is not related to developing other platforms that plug into the network.  It is not related to whether the network codebase is open source or not.  It is not related to being able to build software products that somehow utilize the network.  It is not related to being able to view or not view transactions.

Yet due to how the market evolved, today in 2016 while everyone is still paying for the high marginal costs to maintain a network designed for pseudonymous and anonymous interaction, few participants, specifically block makers, are actually capitalizing off of that utility.

For instance:

(1) Acquiring the necessary hardware to become a profitable miner invariably leaves a paper trail.  If instead you acquire the hardware on the second-hand market — in order to remain anonymous — you will still likely leave a paper trail with your legal identity in order to pay for the large energy bill and property taxes.  This is one of the reasons why miners in locations such as China do not publicize their fundraising activities or annual revenue: they don’t want to leave a paper trail to pay any extra taxes.2

(2) The other main mechanism for vetting miners now is through the use of data science itself.  Roughly 10 companies globally provide law enforcement, compliance teams and regulators access to relatively robust analytics tools to track provenance of bitcoins (or other cryptocurrencies) back to coin generation itself.  And in order to sell these mined bitcoins (e.g., to pay for the electricity and the mining hardware), nearly every bitcoin conversion to fiat marketplace now requires some compliance of local KYC and AML regulations.

While there are workarounds such as LocalBitcoins and SharedCoin, generally speaking the pseudonymous network itself in 2016 has largely become doxxed.  Yet the high costs of maintaining pseudonymity, via proof-of-work, still remain.

Hashrate distribution

Above is a pie chart that estimates the hashrate distribution among mining pools over the past 4 days (as of late April 2016).  The 10 largest pools collectively made 97% of the blocks during that time period.3

What about beyond 4 days?


Source: Blocktrail

Above is the pool distribution of the past year based on coinbase data aggregated by Blocktrail.

The 10 largest pools collectively account for roughly 91.6% of all block making activity.  There is also a relatively long tail that includes roughly another 60 entities (some of whom do sign coinbase transactions) that represent the remaining 8.4% of all block making the past year.

Why do any actors sign transactions at all, after all, isn’t a core characteristic of a public blockchain pseudonymous consensus?  To my knowledge, no one has formally published a thorough explanation for the reasons why.  But one repeated rationale is that pools do so in order to prove to the miners (hashers) connected to the pool what the provenance of the block reward income is.

What does that mean?

For those who have never partaken in the mining process before, a quick history lesson: within the first two years of Bitcoin’s existence a division of labor arose in which block making became separated from hashing itself (e.g., generating proofs-of-work).

That is to say, network security was outsourced to entities who create proofs-of-work and who are colloquially referred to as miners.4  Miners, in return for steady payouts of income, send their work to a pool operator who subsequently batches transactions together into blocks and pays workers based on a pre-arranged agreement (usually proportional, share-based).5

Today, if average Joe buys ASIC mining equipment, he typically does not connect them to his own pool but instead connects them to a pool run by Bob the devops professional.6  And how can Joe trust Bob not to shave off pennies from each share of work that Joe submits?

Block signing in theory provides some semblance of transparency: letting the hashers know if pool operators are skimming off the proceeds by not accurately reporting blocks found (e.g., income).

For instance, if a pool operator makes a block based off of the proof-of-work submitted by one of the hashers connected to a pool, such as Joe, but does not sign the coinbase, the pool operator can try to pretend that it didn’t win the block reward in the first place and therefore would not have to pay the workers (hashers).  This was allegedly more commonplace prior to 2013, before the advent of VC financed farms and pools.7 Now many of the medium and large hashing farm operators want to know the exact revenue number and hear good reasons for why some is missing or if the pool was just “unlucky.”8
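The two mechanisms discussed above (a pool tagging its coinbase input, and an observer turning those tags into a block-maker distribution) as an added example, not code from the post. The pool tags and the sample coinbase scripts are constructed; the only standard it relies on is the BIP34 height push at the start of the coinbase scriptSig.

```python
"""Attribute blocks to pools from coinbase scriptSig tags and measure concentration.

Added example: POOL_TAGS and SAMPLE_BLOCKS are constructed for illustration, not
taken from real blocks. Real pools embed their own, different, tag strings.
"""
from collections import Counter

# Hypothetical substrings a self-doxxed pool embeds in its coinbase scriptSig.
POOL_TAGS = {
    "/PoolA/": "Pool A",
    "/PoolB/": "Pool B",
    "Mined by PoolC": "Pool C",
}


def parse_coinbase_scriptsig(script: bytes):
    """Split a post-BIP34 coinbase scriptSig into (block height, remaining bytes).

    BIP34 requires the script to begin with a push of the height as a
    little-endian integer: one length byte followed by that many bytes.
    """
    if not script:
        raise ValueError("empty scriptSig")
    n = script[0]
    if n < 1 or n > 8 or len(script) < 1 + n:
        raise ValueError("malformed BIP34 height push")
    height = int.from_bytes(script[1:1 + n], "little")
    return height, script[1 + n:]


def identify_pool(script: bytes) -> str:
    """Return the pool whose tag appears after the height push, else 'unknown'."""
    _, rest = parse_coinbase_scriptsig(script)
    text = rest.decode("latin-1")  # arbitrary bytes; latin-1 never fails
    for tag, name in POOL_TAGS.items():
        if tag in text:
            return name
    return "unknown"


def make_coinbase(height: int, tag: str) -> bytes:
    """Build a constructed coinbase scriptSig: height push + tag + extranonce bytes."""
    h = height.to_bytes((height.bit_length() + 7) // 8 or 1, "little")
    if h[-1] & 0x80:          # script numbers are signed: keep the top bit clear
        h += b"\x00"
    return bytes([len(h)]) + h + tag.encode() + b"\x00\x00\x00\x01"


def pool_shares(scripts):
    """Return ({pool: share of blocks}, number of largest makers needed to exceed 50%).

    'unknown' is a bucket for untagged coinbases, not a single entity.
    """
    counts = Counter(identify_pool(s) for s in scripts)
    total = sum(counts.values())
    shares = {pool: c / total for pool, c in counts.most_common()}
    cumulative, needed = 0.0, 0
    for share in shares.values():
        cumulative += share
        needed += 1
        if cumulative > 0.5:
            break
    return shares, needed


# Constructed sample: 20 consecutive blocks, 8 tagged by Pool A, 6 by Pool B,
# 4 by Pool C and 2 with no recognised tag.
SAMPLE_BLOCKS = [
    make_coinbase(400000 + i, tag)
    for i, tag in enumerate(
        ["/PoolA/"] * 8 + ["/PoolB/"] * 6 + ["Mined by PoolC"] * 4 + ["anon"] * 2
    )
]

if __name__ == "__main__":
    shares, needed = pool_shares(SAMPLE_BLOCKS)
    for pool, share in shares.items():
        print(f"{pool:10s} {share:6.1%}")
    print(f"{needed} block maker(s) together exceed 50% of blocks")
```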

Why doesn’t everyone become a block maker, after all, the process is billed as being “open” to all?

There are multiple reasons why, but the most important reason boils down to economics.  Dave Hudson has written about 10 different articles on the baked-in variance (inhomogeneous Poisson process) that motivates individuals to continually pool their mining effort versus solo mine.9 Spoiler alert: you are likely to be struck by lightning before you will ever create a block and reap a block reward by solo mining off of your laptop at home.

Other reasons for why few decide to become block-makers include: the added costs of providing DOS protection to your pool and the need to hire competent staff that can prevent and be on the lookout for problems like BGP hijacking which results in lost revenue.

This has not changed for multiple years and will likely not change for reasons discussed below.

Non-existent re-decentralization

With the upcoming Bitcoin block reward halving that is expected to take place in mid-July, there is a growing chorus of ‘hope’ that it will somehow lead to fewer large mining farms and pools.

This probably won’t occur for several simple reasons, namely due to economic incentives.

Recall that the major reasons why mining activity itself has gravitated to locations such as China isn’t due to conspiracy theories involving lizards but instead ancillary costs.

Specifically the following factors:

  • relatively low labor costs (e.g., professional hashing facilities need to be maintained by a workforce 24 x 7 and wages in China are lower than Russia and the US for this activity)
  • relatively low property costs (e.g., if you have good guanxi, you can utilize and own land at rates below those found in parts of Russia and the US)
  • lower energy costs; I and others have frequently written about this10
  • first-to-market with hardware; because a lot of the final assembly of hashing equipment takes place in southern China, in terms of logistics and transportation end-users have a lead-time advantage over other geographical regions
  • close personal connections with hardware manufacturers and fabrication plants in China and Taiwan; acquiring hardware for mining cryptocurrencies is just as relationship driven as other specialized non-commoditized industries.  Because medium and large miners know who the chip design teams are and what the ASIC roadmaps will be, they can stand in line at the front and acquire hardware before others.

What will happen after a block reward halving?

Just as oil producers with the highest marginal costs have been forced to exit the fracking market over the past couple of years, Bitcoin miners with the thinnest margins will likely exit the market immediately.

What this actually results in, at least the short run, is a more concentrated group of larger hashing farms and pools.

Why?

Because miners as a whole are effectively being given a 50% pay cut to provide the same utility as before.  And ceteris paribus, if Alice doesn’t currently have thick 50% margins, then she will likely exit the market.

In contrast, some of the most profitable miners in China and Republic of Georgia are now operating — even with the large difficulty rise over the past 6 months — with 50+% margins.  They may be squeezed, but they do not have to exit the market.

Basically, the less efficient players will be squeezed out and the more efficient players will remain.  Who is likely to be more efficient?  Larger farms in cheaper locations, or smaller pools made up of less sophisticated players with less capital?

But if the price of cryptocurrencies rise — in this case bitcoins — then won’t former miners come back into the market?

Maybe, but recall, we have seen this song and dance before and it is likely that the block reward halving is already factored into both the current market price and the hardware replacement cycle and as a result there probably will not be a doubling of the market price of bitcoins.  However, that is a topic for a different post.

Other public blockchains

What do mining pool distributions look like for other cryptocurrencies?

Above is the distribution of mining pools for Litecoin over the past day.  Interestingly, Coinotron — a pool I used when mining 3 years ago — currently represents 2.8% of the block making during that time frame.  Two years ago, in May 2014, it represented about 50%.

In August 2015, Litecoin underwent its first block reward halving.  Contrary to popular belief, its market price did not double.  In fact, nine months later the price of a litecoin measured in USD is just fifty cents higher than what it was pre-halving.11


Source: Etherchain

Above is the distribution of mining pools for Ethereum over the past day.

Interestingly Ethereum formally launched in August 2015 and has seen the same consistent pattern of 3-4 pools representing the majority of block making activity as other cryptocurrencies have witnessed.

In fact, Dwarfpool, despite its name, has flirted with the 50% threshold several times, most notably in March.  The Ethereum development team plans to transition the network from proof-of-work to proof-of-stake (Casper) later this year; it is unclear if the “staking” process will result in similar centralization.

Other cryptocurrencies continue to face similar pool centralization. This includes Namecoin which last year saw one pool, F2Pool provide more than 50% of the network hashrate for multiple months.  While it does not appear that F2Pool behaved maliciously, the fact that one block maker could potentially rewrite history by doing block reorgs motivated Onename to migrate away from Namecoin.

China

It is surprising that with the 60%+ hashrate located in China that there is scant detail in English about how that ecosystem works.  But there are reasons for this.

Recall that based on the current 25 BTC block reward, roughly $450 million in mining rewards has been divvied out over the past year to miners.  On paper that would mean that China-based miners received more than $270 million in revenue, which cements this industry as one of two that continually see large annual revenue flows (the second being exchanges themselves).

I contacted a mining operator in China that currently operates about 40 petahashes per second in equipment.  Note: miners use the abbreviated term ‘P’ and ‘PH’ to denote petahashes per second.

According to him:

“Our public hashing number is based on all our own hardware. This includes two facilities in western Sichuan plus a new Xinjiang site. All of these machines were originally S3’s from Bitmain but we have replaced them with S7’s.  We want to build larger operations than what we have today, but our goal is to maintain a specific percentage of the entire network.”

“Remember our electric rates change from season to season: different time of year and that hydro power has problems in the winter because of less melt water, which results in an energy price that is twice the rate in the summer.”

“The land is basically free because it is in the mountains and no one is interested in buying property there. So all it takes is construction materials and labor. We hired 10 people last year. We intentionally hired more than we needed so we can build a team and send them places. Our front end operation probably only needs 4-5 people and we pay them $1,000 a month which is actually very competitive for that region.”

“We know a Chinese guy, Mr. LY.  He lives in Sichuan and was originally a hydroelectric operator but now owns his own hydro power station. He learned he could make more money mining than just running the station.”

“Why are people like us able to be competitive?  In Yunnan, Guizhou and Sichuan there was an overinvestment in hydropower last decade and now there is a surplus of electricity.12  Dam operators couldn’t sell the electricity generated so that’s where Bitcoin miners moved to. Also, in Liaoning, some people can get free electricity because of the proximity to oil fields – cheap electricity is given to local residents as compensation for confiscated land/polluting the environment — it is subsidized electricity.”

“No one really pays taxes because miners don’t generate something considered valuable. That’s to say from the perspective of a taxpayer, miners don’t generate something of value, because the government doesn’t really recognize bitcoin. Bitcoin mining isn’t illegal, we still pay a small amount of taxes but it’s like running a company that doesn’t make money. Instead a miner just pays a small amount of taxes and all the profit is invisible to the law as it stands today.”

I also reached out to another mining operator based in southern China who explained that in practice, mining farms that produce 1 PH or more are usually not based in cities:

“Most of the time they are not in cities, more like in the middle of nowhere and it would be inaccurate to name towns.”

Instead he listed provinces where they are spread out including: Heilongjiang, Liaoning, Hebei, Sichuan, Tianjin, Anhui, Jiangsu, Guizhou, Inner Mongolia, Shanxi, Guangdong.  “Shenzhen for sure, there are testing facilities that are easily over 1P.”

What about ‘subprovincial’ locations?

“It is inaccurate to present information that way.  A lot of the time, the sites are between borders because it’s in the middle of nowhere.  And it normally spreads over lots of sites.  One place has nearly 200 sites crossing two provinces; a lot of small ones representing about 100KW of power each.  They are spread over several hundred kilometers; no economy of scale after a certain point.”

No service-level agreements

This type of self-doxxing, quasi-dynamic environment has led to another interesting phenomenon: ad hoc customer service via social media.

For example, two days ago, a user sent approximately 291.2409 bitcoins as a mining “fee.”13  A small pool called BitClub Network built the block that included this fee.  This fee is equivalent to about $136,000.

The community as a whole then began a crowdsourced investigation into who may have sent this fee and the motivations for doing so, with many believing it to be a mistake.  After all they reasoned, a typical “fee” that most mining pools require in order to be included in the next block is usually less than 25 cents on most days.

A user affiliated with BitClub has since publicly stated it would like to return the fee to the original entity that sent it, though it is unclear if he is speaking with any authority or if the whole thing was a ruse to begin with.

But, as I have argued before, this not only sets a bad precedent for miners as a whole due to a loss of revenue from the forthcoming ‘halvening,’ but the ability to contact a block maker sets a dangerous precedent for the core utility of the network: the disappearance of pseudonymous consensus.

Or as one redditor adroitly pointed out:

Or in other words, if block making was actually pseudonymous and decentralized, with 100+ unidentified pools creating blocks each day, it would be difficult if not impossible to locate and provide timely customer service to a user who made a mistake.

For instance, the most well-known block reorg occurred in March 2013 and it was only resolved when miners, including Slush and BTCGuild, contacted and coordinated with one another via IRC.  If the network was more decentralized and pseudonymous, this coordination would have been very difficult to do, and this was by design.

I pointed out this irony on Twitter earlier this week as well: there are trade-offs with this approach, and the downside of using a bearer asset-based system that has no service level agreement, no EULA and no terms of service is a world in which users who make mistakes have to complain on social media and hope someone is charitable.

And this happens on a regular basis: earlier this month a user accidentally sent 13.65 bitcoins to the BTCC pool and used reddit as his customer service forum.

That type of friction is not what most consumers want.14  It is a poor user experience which has gradually led to the creation of ‘trusted’ intermediaries in this ecosystem which as described in previous posts, recreates the existing financial system but without the same level of oversight and financial controls.

The cryptocurrency community is learning the hard way why intermediaries exist, why SLAs exist, why legal identities are required for financial transactions, why consumer protection laws arose and so forth.  Pointing out these patterns is not malice or due to a lack of understanding of how cryptocurrencies work, but rather it serves as illustrations for why it has been hard to find real sustainable traction in the space.

How else is this visualized?


Source: Jameson Lopp

This past December an event was held in Hong Kong called “Scaling Bitcoin.”

One of the sessions involved a panel comprised of the world’s largest mining farm and pool operators.

The individuals in the photo above allegedly represent about 90% of the network hashrate.

Thus, for all the hype around “trust anchors” tied into public blockchains such as Bitcoin, claims of decentralization and “trust-lessness” are empirically untrue.

In practice, due to centralization and identity leakage, the cost to successfully reorganize a block isn’t through a Maginot Line attack (e.g., via hashrate), but through cheaper out-of-band attacks, such as hosting events in which self-doxxed miners participate.  But that is also a topic for a different post.

Conclusion

16 months ago, Vitalik Buterin and others jokingly quipped that the trends towards centralization in Bitcoin mining (and other cryptocurrencies) resulted in a world where each coinbase transaction effectively arose from a multisig process.

To quote Buterin: “with Bitcoin, we’re paying $600 million a year on a 5-of-10 multisig.”

10 is roughly the number of quasi-permanent block makers in a given day.  And $600 million was the amount of revenue that miners received at that time due to the higher market value of bitcoin.

In theory, anyone can turn on their computer and hope to become a block maker on a public blockchain — no one has to register with a “Blockchain Admin” because there is no admin.  However, in practice it requires a certain amount of technical knowledge and more importantly, capital, to profitably and sustainably operate a mining farm and pool.

And in order to scale this profitably, in practice, most miners at some point reveal their legal identities, thereby negating the core characteristic of a public blockchain: pseudonymity.  How?  Miners, whether to erect purpose-built facilities or to liquidate their holdings, may be required by external authorities to go through a gating / vetting process (such as KYC).

Ironically, a substantial increase in cryptocurrency prices may inevitably result in self-doxxing of all major farms. How?  As market prices increase, miners in turn expend more capital to increase their own hashrate to chase the seigniorage rents.

Because of the KYC requirements of utilizing resources like electricity at a hydroelectric dam and the subsequent identity leakage, this turns the block making process itself into a mostly known, permissioned activity.  Consequently, based on this past history, the term DMMS should probably be qualified with a “quasi” modifier in the front: QDMMS.

Similarly, while many enthusiasts have been led to believe a block reward halving will somehow re-decentralize the mining ecosystem, the fact of the matter is chip performance (as measured in hashrate efficiency) is only one factor in the total calculation that professional miners must account for.15

Furthermore, semiconductor engineering itself is effectively on a known, mature trajectory and appears to lack any significant leaps in technological improvement.  The largest entities, such as Intel, see this relatively static path, which is one of the reasons why they have formally abandoned their tick-tock roadmap and now plan to lay off 12,000 people.

In contrast, energy prices, land prices, labor costs and taxes are among other major components that professional mining operators look at as a whole and decide whether to stay in a market or not.  Even if there is some price increase after the halvening, home mining by amateurs outside of China will likely continue to remain unprofitable after July.

Thus a year from now the mining ecosystem will probably look a lot like it does today, with most farms and pools being self-doxxed and relatively centralized.16

[Special thanks to Antony Lewis for his constructive feedback]

Endnotes

  1. Censorship-resistance is an emergent property that arises from this design.  See also: Settlement Risks Involving Public Blockchains []
  2. There are other reasons too including not wanting to divulge any comparative advantage they might have that would incentivize new entrants to come into the market. []
  3. Note: it is believed that some large mining operators, such as Bitfury, may actually spread some of their hashers (workers) across multiple pools, in order to reduce their own pool percentage and thereby reduce the concerns over centralization.  This can only be proven with an on-site physical audit. []
  4. There has been research done on non-outsourceable block making. See Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions by Miller et al. []
  5. Analysis of Bitcoin Pooled Mining Reward Systems by Meni Rosenfeld []
  6. Most of the pools in operation do not require documentation of equipment or legal identification of miners. []
  7. Note: technically speaking nothing is stopping mining pools from signing blocks and in fact, some do it for advertising purposes. []
  8. There is also a term-of-art called “luck” which Organ of Corti and others analyze on a regular basis. []
  9. Incidentally for those wanting access to the block-making superhighway, to reduce orphan rates, there exists a centralized service: Bitcoin Relay Network. []
  10. See also Appendix B and Section 2 []
  11. Note: Dogecoin began to merge mine with Litecoin in September 2014 and in terms of hashrate the two have moved in tandem with one another ever since. []
  12. China’s water hegemony in Asia from Livemint []
  13. Note: a fee implies something that is mandatory.  The discussion surrounding what is and is not a fee or how it should be calculated and applied is a contentious topic in the cryptocurrency community. []
  14. Cryptocurrencies are effectively designed ‘for cypherpunks by cypherpunks.’  While caveat emptor may be desirable to certain demographics, others prefer consumer protection which bearer-based systems do not have. []
  15. Note: in terms of efficiency, 28nm chips are usually in the range of 0.25-0.35 watts/(gh/s), while the newer 14nm or 16nm ones are more likely 0.12 watts/(gh/s) or less. []
  16. See also: Permissioned-on-permissionless []

What did bitcoin movements look like in 2015?

[Note: opinions expressed below are solely my own and do not represent the views of my employer or any company I advise.]

Last April, May and August I wrote three posts that attempted to look at the flow of funds: where bitcoins move to throughout the ecosystem.

Thanks to the team at Chainalysis we can now have a more granular view into specific transfer corridors and movements (not necessarily holdings) between miners, exchanges, darknet markets, payment processors and coin mixers.

The first three charts are backwards looking.

Above is a simplified, color coded version of a tool that Chainalysis provides to its customers such as compliance teams at exchanges.  The thickness of a band represents the volume of that corridor; it is drawn to scale.

What is the method used to generate the plot?

The chord-plot shows all bitcoin transactions in 2015 traced down all the way back to a known entity. This means that the connection between the entities can be any number of hops away.

So for instance, for the exchanges it will include direct arbitrage, but also the modus operandi for bitcoin: individuals buying bitcoins at an exchange and then doing peer-to-peer transfers.  Again this can be any number of hops and then perhaps later end at an exchange again where someone is cashing out.

According to Chainalysis, by hiding all the intermediate steps we can begin to learn how most of the Bitcoin ecosystem is put together (e.g., can it be split into sub systems?, is there a dark and a lit economy?, and what is bitcoin actually used for?).

Legend:

  • Blue: virtual currency exchanges
  • Red: darknet markets
  • Pink: coin mixers
  • Green: mining pools
  • Yellow: payment processors

Altogether there are 14 major exchanges tracked in blue including (in alphabetical order): Bitfinex, Bitreserve (now Uphold), Bitstamp, BitVC (subsidiary of Huobi), BTCC (formerly BTC China), BTC-e, Circle, Coinbase (most), Huobi, itBit, Kraken, LocalBitcoins, OKCoin and Xapo.

The identities of 12 exchanges were removed, with the exception of BTC-e and LocalBitcoins.

  • BTC-e was founded in July 2011 and is one of the oldest operating exchanges still around.  It does not require users to provide KYC documentation nor has it implemented AML processes.  This has made it an attractive exchange for those wanting to remain anonymous.
  • LocalBitcoins was founded in June 2012 and is a combination of Craigslist and Uber for bitcoin transfers.  It enables users to post trade requests on its site and provides escrow and reputation services for the facilitation of those trades.  Like BTC-e, it does not require users to provide KYC documentation nor has it implemented AML processes.  As a result it is a popular service for those wanting to trade bitcoins anonymously.

[Image: sharedcoin]

SharedCoin (depicted in pink above) is a product / service from Blockchain.info that allows users to mix their coins together with those of other users.  It is one of about a dozen services that attempt to — depending on whom you talk to — delink the history or provenance of a bitcoin.

[Image: agora]

Founded in the spring of 2013, Agora (depicted in red above) was the largest known darknet market operating in 2015.

Forward Tracing

For each of the entities labeled on the charts below there is a ‘send to self’ category: these are the UTXOs that originate from that entity and end as unspent funds without first passing through another service.  So it can be either cold storage owned by the service or someone hoarding (“hodling”) coins acquired through that service.

Interestingly enough, the deposits held at one VC-backed intermediary almost all stay cold.

[Figure: forward tracing, LocalBitcoins]

Above is LocalBitcoins.

[Figure: forward tracing, BTC-e]

Above is BTC-e.

[Figure: forward tracing, SharedCoin]

Above is SharedCoin.

Questions and Answers

I also spoke with the Chainalysis team about how their clustering algorithm worked.

Q: What about all the transactions that did not go between central parties and intermediaries?  For instance, if I used my wallet and sent you some bitcoins to your wallet, how much is that in terms of total activity?

A: The analysis above is intended to isolate sub-economies, not to see who is directly trading with whom. The Chainalysis team previously did a Chord of that roughly a year ago which shows the all-time history (so early days will be overrepresented) and it was based only on one-hop-away transactions and normalized to what the team can ascribe to a known service.

The new chord above is different as it continues searching backwards until it locates an identified entity – this means it could have passed through another either unidentified or less perfectly described service – but as it is the same for everything and we have the law of large numbers it will still give a pretty accurate picture of what subeconomies exist.  It was made to identify if the Bitcoin network had a dark economy and a lit economy (e.g. if the same coins were moving in circles e.g. dark-market->btc-e->localbitcoin->dark-market and what amount of that loop would include the regulated markets too).

So, for example, the transfers going between the regulated exchanges, many will be multihop transfers, but they start and end in regulated exchanges and as such could be described as being part of the lit economy.
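The two tracing directions described in this post (backward tracing of a deposit, any number of hops, until it reaches an identified entity, which is what the chord plot aggregates, and forward tracing of an entity's outputs to the unspent "send to self" funds shown on the charts above) on a constructed toy ledger. This is an added example, not Chainalysis's code or the post's own: the CLUSTERS map stands in for a real clustering result, and every transaction and amount is invented.

```python
from collections import defaultdict, deque

# Constructed toy ledger (not real chain data). Each transaction is
# (txid, inputs, outputs); an input is a reference (txid, vout) to an earlier
# output, an output is (address, amount_btc). CLUSTERS is a hand-made stand-in
# for a clustering result: address -> known entity. Unlisted addresses are
# unattributed user wallets.
CLUSTERS = {
    "ex1": "ExchangeA", "ex2": "ExchangeA",
    "lb1": "LocalBitcoins",
    "dm1": "DarkMarket",
    "mx1": "Mixer",
}

TXS = [
    ("t1", [],          [("ex1", 5.0)]),               # exchange wallet funded (no traced input)
    ("t2", [("t1", 0)], [("u1", 2.0), ("ex2", 3.0)]),  # user withdraws 2 BTC; 3 BTC change stays
    ("t3", [("t2", 0)], [("u2", 2.0)]),                # peer-to-peer hop between two users
    ("t4", [("t3", 0)], [("dm1", 1.5), ("u2", 0.5)]),  # u2 pays a darknet market, keeps change
    ("t5", [("t4", 0)], [("mx1", 1.5)]),               # market sends proceeds to a mixer
    ("t6", [("t5", 0)], [("lb1", 1.5)]),               # mixer output cashed out at LocalBitcoins
    ("t7", [("t2", 1)], [("ex1", 3.0)]),               # exchange consolidates its own change
]


def build_index(txs):
    """Index outputs by (txid, vout); record the spender of each output and each tx's inputs/outputs."""
    outputs, spent_by, inputs_of, outputs_of = {}, {}, {}, {}
    for txid, ins, outs in txs:
        inputs_of[txid] = list(ins)
        outputs_of[txid] = [(txid, i) for i in range(len(outs))]
        for i, (addr, amt) in enumerate(outs):
            outputs[(txid, i)] = (addr, amt)
        for ref in ins:
            spent_by[ref] = txid
    return outputs, spent_by, inputs_of, outputs_of


def upstream_entities(txid, outputs, inputs_of, clusters):
    """Backward tracing: walk a transaction's inputs back, any number of hops,
    and stop each path at the first output attributed to a known entity."""
    found, seen = set(), set()
    queue = deque(inputs_of[txid])
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        addr, _ = outputs[ref]
        entity = clusters.get(addr)
        if entity is not None:
            found.add(entity)                    # identified: this path ends here
        else:
            queue.extend(inputs_of[ref[0]])      # unattributed wallet: keep walking back
    return found or {"Unattributed"}            # e.g. coinbase or a never-identified source


def corridors(txs, clusters=CLUSTERS):
    """Volume per (source entity, destination entity) corridor, hiding intermediate hops."""
    outputs, _, inputs_of, _ = build_index(txs)
    volume = defaultdict(float)
    for txid, _, outs in txs:
        for addr, amt in outs:
            dst = clusters.get(addr)
            if dst is None:
                continue                         # not a deposit to a known entity
            for src in upstream_entities(txid, outputs, inputs_of, clusters):
                volume[(src, dst)] += amt
    return dict(volume)


def send_to_self(entity, txs, clusters=CLUSTERS):
    """Forward tracing: follow the entity's outputs forward; sum the UTXOs that are still
    unspent and were reached without passing through a different known service."""
    outputs, spent_by, _, outputs_of = build_index(txs)
    stack = [ref for ref, (addr, _) in outputs.items() if clusters.get(addr) == entity]
    seen, total = set(), 0.0
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        addr, amt = outputs[ref]
        other = clusters.get(addr)
        if other is not None and other != entity:
            continue                             # landed at another service: a corridor, not storage
        if ref not in spent_by:
            total += amt                         # unspent: cold storage or a hodler who used the service
        else:
            stack.extend(outputs_of[spent_by[ref]])
    return total


if __name__ == "__main__":
    for (src, dst), amt in sorted(corridors(TXS).items()):
        print(f"{src:>13} -> {dst:<14} {amt:.2f} BTC")
    for name in ("ExchangeA", "Mixer", "LocalBitcoins"):
        print(f"send to self {name}: {send_to_self(name, TXS):.2f} BTC")
```

On this ledger the ExchangeA to DarkMarket corridor carries 1.5 BTC even though the coins passed through two unattributed wallets first, which is exactly what the chord plot's "any number of hops" rule produces; the exchange's "send to self" figure (3.5 BTC) combines its own consolidated change with a user's unspent change, so it cannot by itself distinguish cold storage from hodling.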

Q: What specific exchange activity can you actually identify?

A: It varies per service but Chainalysis (and others) have access to some “full wallets” from clients.  Also newer deposits are often not known so the balance in a wallet will be underestimated due to how the current algorithms work.

Further, some services require special attention and special analytics to be well represented due to their way of transacting – this includes some of the regional dark markets and Coinbase (due to how the company splits and pools deposits, see below).  By looking at all the known entities and how many addresses they contain as a percentage of all addresses ever used for bitcoin, Chainalysis has significant coverage and these entities are responsible for more than half of all transactions that have ever happened.

Q: And what was the motivation behind building this?

A: The initial purpose of the plot was to identify subsystems and pain points in the ecosystem – the team was at first uncertain of the possibility that every Bitcoin user simply bought bitcoins from exchanges to buy drugs but that does not seem to be the case.  Most drug buyers use LocalBitcoins and sellers cash-in via mixers on LocalBitcoins or BTC-e (for the larger amounts).

Q: How large is SharedCoin and other mixers?

A: SharedCoin is currently around 8 million addresses and Bitcoin Fog is 200,000 addresses; they are the two largest.[1]

Additional analysis

Based on the charts above, what observations can be seen?

  • With a forward tracing graph we can see where all the unspent bitcoins come from (or are stored).  One observation is that intermediaries, in this case exchanges, are holding on to large quantities of deposits.  That is to say that many users (likely traders) — despite the quantifiable known risks of trusting exchanges — still prefer to store bitcoins on virtual currency exchanges.  Or to look at it another way: exchanges end up with many stagnant bitcoins and what this likely means is that users are buying lots of bitcoins from that exchange and not moving them and/or the exchange itself is holding a lot of bitcoins (perhaps collected via transaction fees or forfeited accounts).[2]

  • A lot of the activity between exchanges (as depicted in blue lines) is probably based on arbitrage.  Arbitrage means if Exchange A is selling bitcoins for a higher price than Exchange B, Alice will buy bitcoins on Exchange B and transfer them to Exchange A where they are sold for a profit.
  • Despite the amount of purported wash trading and internal bot trading that several Chinese exchanges are believed to operate, there is still a lot of on-chain flows into and out of Chinese-based exchanges, most likely due to arbitrage.
  • An unknown number of users are using bitcoin for peer-to-peer transactions.  This may sound like a truism (after all, that’s what the whitepaper pitches in its title), but what this looks like above is that people go to exchanges to transfer fiat currencies for virtual currencies.  Then users, using the P2P mechanic of bitcoin (or other virtual currencies), transfer their coins to someone else.  We can see this by counting hops between the exchanges.

A potential caveat

Because of how certain architectures — such as Coinbase’s and others — obfuscate transactions, accurate external data analysis can be difficult.  However, with its latest clustering algorithm, Chainalysis’s coverage of Coinbase now extends to roughly the same size as Mt. Gox at its height.[3]

Why can this be a challenge?  Coinbase’s current design can make it difficult for many data analytics efforts to clearly distinguish bitcoins moving between addresses.  For instance, when Bob deposits bitcoins into one Coinbase address he can withdraw the deposit from that same address up to a limit.  After about two bitcoins are withdrawn, Bob then automatically begins to draw out of a central depository pool making it harder to look at the flow granularly.

Other secondary information also makes it unclear how much activity takes place internally.  For instance, in a recent interview with Wired magazine, Coinbase provided the following information:

According to Coinbase, the Silicon Valley startup that operates digital bitcoin wallets for over 2.8 million people across the globe, about 20 percent of the transactions on its network involve payments or other tasks where bitcoin is used as a currency. The other 80 percent of those transactions are mere speculation, where bitcoin is traded as a commodity in search of a profit.

In a subsequent interview with New York Business Journal, Coinbase stated that it “has served 2.9 million people with $3 billion worth of bitcoin transactions.”

It is unclear at this time if all of those transactions are just an aggregation of trades taking place via the custodial wallet or if it also includes the spot exchange it launched last January.

Future research

Publishing cumulative bitcoin balances and the number of addresses for different entities such as exchanges could help compliance teams and researchers better understand the flows between specific exchanges.  For instance, a chart that shows what percentage of the 15 million existing bitcoins everyone holds at a given moment over different time intervals.

This leads to the second area: rebittance, a portmanteau of remittance and bitcoin.  Last year it was supposed to be the “killer app” for cryptocurrencies but has failed to materialize, due in part to some of the reasons outlined by Save on Send.[4] Further research could help identify how much of the flows between exchanges and the peer-to-peer economy is related to cross-border value transfer, i.e. rebittance activity.

And as the market for data analysis grows in this market — which now includes multiple competitors including Coinalytics, Blockseer, Elliptic and Scorechain — it may be worth revisiting other topics that we have looked at before including payment processors, long-chains and darknet markets and see how their clustering algorithms and coverage are comparable.

Conclusions

For compliance teams it appears that the continued flow between illicit corridors (darknet markets) is largely contingent on liquidity from two specific exchanges: BTC-e and LocalBitcoins.  In addition, coin mixing is still a popular activity: from this general birds-eye view it appears as if half of the known mixing is directly related to darknet market activity and the motivation behind the other half is unknown.

Based on the information above other economic activity is still dwarfed by arbitrage and peer-to-peer transactions. And lastly, based on current estimates it appears that several million bitcoins are being stored on the intermediaries above.

[Note: special thanks to Michael Gronager and the Chainalysis team for their assistance and feedback on this post.]

  1. There are many smaller regional projects, for example in smaller European countries, whose flows may be underrepresented because they are less well known, in part because they do not use widely spoken languages. However, most are likely part of the long tail of coin distribution.
  2. There is a spectrum of intermediaries in which bitcoins are stagnant (or active).  For instance, in an interview last May, Wences Casares, founder and CEO of Xapo, stated:

    Still, Casares indicated that Xapo’s customers are most often using its accounts primarily for storage and security. He noted that many of its clientele have “never made a bitcoin payment”, meaning its holdings are primarily long-term bets of high net-worth customers and family offices.

    “Ninety-six percent of the coins that we hold in custody are in the hands of people who are keeping those coins as an investment,” Casares continued.

  3. See also The missing MtGox bitcoins from WizSec
  4. There are notable exceptions that have gained regional traction including: BitX, Coins.ph and Align Commerce.

Anchor’s aweigh

One comment I have noticed continually re-appear on social media over the last couple months is roughly the following:

If you’re building a new blockchain you should regularly take a hash of the network state and “anchor” it (write it) into another blockchain, for redundancy purposes.

This “anchor” idea has appeared in public material from BitFury, Factom, Tierion, Gil Luria and now 21inc (a VC-backed botnet operator).

Part of the current popularity in the anchoring meme is that some cryptocurrency enthusiasts and Bitcoin maximalists in particular want other non-cryptocurrency distributed ledgers to rely on existing cryptocurrency networks — networks that some enthusiasts own tokens to and hope that price appreciation will take place in the event that the network is used.

Ignoring the hypothetical monetary incentives, let’s assume that writing/storing network states externally is useful and is the goal of every blockchain designer, such as Bob and Alice.  Are other blockchains the only relevantly secure places that all blockchain designers should consider using?

Probably not.

For instance, if the goal is to publish a hash of a state in a media that is difficult to censor and widespread enough to retrieve over time, then there are several “old school” newspapers and magazines that can be used for such purposes (which is what Guardtime does).

For instance:

  • There are half a dozen Japanese newspapers that each have over 2 million in circulation.
  • In the UK, both The Sun and Daily Mirror have a circulation of over 1.5 million
  • Similarly, in the US, there are three companies: USA Today, The New York Times and The Wall Street Journal that also have a circulation of over 1.5 million

The question for the paranoid is, what is more likely: someone deliberately destroying and/or replacing 1.5 million newspapers which contain the hash of the network state, or someone knocking out 5,728 network nodes?

While “anchoring” the hash of state into other media may be useful, leaving it in just one blockchain — such as the Bitcoin blockchain — does not fully reduce the risk of a well-funded attacker trying to revise history.  Safety in this case comes in numbers and if it is redundancy Bob and Alice are looking for (and paranoid about), it may be worth it to publish hashes in multiple venues and media.
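The "safety in numbers" point above, worked through in code: a canonical state digest is anchored in several independent venues, and a later verifier accepts a claimed history only if a quorum of those venues agrees. This is an added example, not code from the post or from any of the companies it names; the venues are simulated as append-only dictionaries, the ledger states are constructed, and the quorum rule is my own illustration of the multi-venue idea.

```python
import hashlib
import json


def state_hash(state):
    """Canonical digest of a ledger state: sorted keys and compact separators so every
    honest node serialises the same state to the same bytes before hashing."""
    blob = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def publish_anchor(venues, venue, height, digest):
    """Record `digest` for `height` in one venue (a newspaper edition, another chain, ...).
    Venues are append-only: once an edition is printed it cannot be re-issued."""
    log = venues.setdefault(venue, {})
    if height in log:
        return False
    log[height] = digest
    return True


def anchor_everywhere(venues, venue_names, height, state):
    """Publish the same digest in every venue; returns one success flag per venue."""
    digest = state_hash(state)
    return [publish_anchor(venues, name, height, digest) for name in venue_names]


def verify_history(venues, height, candidate_state, quorum):
    """Accept a claimed state for `height` only if at least `quorum` venues carry its digest.
    Returns (accepted, names of agreeing venues)."""
    digest = state_hash(candidate_state)
    agreeing = sorted(name for name, log in venues.items() if log.get(height) == digest)
    return len(agreeing) >= quorum, agreeing


# Constructed scenario: the genuine state at height 100 and a revised history
# that moves 10 coins from alice to mallory.
GENUINE = {"height": 100, "balances": {"alice": 50, "bob": 20}}
REVISED = {"height": 100, "balances": {"alice": 40, "bob": 20, "mallory": 10}}
VENUES = ["chain_X", "paper_A", "paper_B"]


def demo():
    """Returns (single-venue verdict, multi-venue verdict, genuine-state verdict)."""
    venues = {}
    anchor_everywhere(venues, VENUES, 100, GENUINE)
    # Model a well-funded attacker able to rewrite one venue (here, the only chain used)
    # by overwriting its record directly, bypassing the append-only publish path.
    venues["chain_X"][100] = state_hash(REVISED)
    single_venue = verify_history({"chain_X": venues["chain_X"]}, 100, REVISED, quorum=1)
    multi_venue = verify_history(venues, 100, REVISED, quorum=2)
    genuine_ok = verify_history(venues, 100, GENUINE, quorum=2)
    return single_venue[0], multi_venue[0], genuine_ok[0]


if __name__ == "__main__":
    print("accepted (single venue, revised history):", demo()[0])
    print("accepted (quorum of 2, revised history): ", demo()[1])
    print("accepted (quorum of 2, genuine history): ", demo()[2])
```

A verifier that trusts a single anchor venue accepts the rewritten history as soon as that venue is compromised; the same verifier with a quorum across independent media rejects it while still accepting the genuine state, which is the redundancy argument of the paragraph above in executable form.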

Similarly, if sustainability is a key concern then public goods such as cryptocurrencies have a question mark on them as well. Why?  Because there are over 100 dead altcoins now.  Convincing users — and more importantly miners — to maintain a network when it is no longer profitable to do so is an uphill challenge.[1]

Lastly, a well designed network (or distributed ledger in this case) that is robust and mature should not need to rely on “anchoring” at all.  But this dovetails into a different conversation about how to design a secure network, a topic for another post.  Either way, hash-storage-as-a-service is probably not the next big trillion dollar idea for 2016.

  1. It’s a challenge for any public good, not just Bitcoin, that eventually relies solely on altruism and charity.

The evolving distributed ledger tech landscape

Yesterday I gave an abbreviated presentation based on R3CEV research first publicly shown at the GaiaX – Blockchain University event “Blockchain Summit” held in Tokyo.

[Japanese translation 日本語]

Note: below are the citations and notes for several of the slides:

  • Slide 3: The companies in the red square boxes are some of the startups that are primarily trying to create non-cryptocurrency distributed ledgers. (Source: Startup Management)
  • Slide 6: CB Insights
  • Slide 7: CNN|Money
  • Slide 9: Twitter
  • Slide 10: CoinDesk Venture Capital aggregation
  • Slide 13: The great pivot or just this years froth? and NY Post estimate
  • Slide 15: Field of Dreams image in reference to the model that you build it first with the hope that customers come
  • Slide 19: One example of this euphemism is from Adam Draper (and a similar reference point on Twitter).  Each of these five companies has a couple product lines, one of which focuses on cryptocurrencies in a non-marginal manner.
  • Slide 21: This list could include a number of others including Tezos (DLS) and a handful of other startups including a couple in Japan
  • Slide 22: Aite Group
  • Slide 23: Collective head count for these companies is just under 100 and total funding raised (that is publicly announced) is around $10 million.  There are still more companies trying to build foundational layers (some proprietary, others open) than teams building applications on top.  Legend in parentheses: E=Ethereum, R=Ripple, CP=Counterparty, OA=OpenAssets, TM=Tendermint
  • Slide 24: Most of the large non-bank financial institutions such as clearing houses and exchanges all have working groups focused on distributed ledger technology (e.g., CLS, SWIFT, LSEG, CME, Nasdaq, Deutsche Borse, DTCC).  The Linux Foundation project is in its formative stage.

Watermarked tokens and pseudonymity on public blockchains

As mentioned a couple of weeks ago, I have published a new research paper entitled “Watermarked tokens and pseudonymity on public blockchains”.

In a nutshell: despite recent efforts to modify public blockchains such as Bitcoin to secure off-chain registered assets via colored coins and metacoins, public blockchains, because of how they are designed, are unable to provide secure legal settlement finality of off-chain assets for regulated institutions trading in global financial markets.

The initial idea behind this topic started about 18 months ago with conversations from Robert Sams, Jonathan Levin and several others that culminated into an article.

The issue surrounding top-heaviness (as described in the original article) is of particular importance today as watermarked token platforms — if widely adopted — may create new systemic risks due to a distortion of block reorg / double-spending incentives.  And because of how increasingly popular watermarked projects have recently become it seemed useful to revisit the topic in depth.

What is the takeaway for organizations looking to use watermarked tokens?

The security specifications and transaction validation process on networks such as the Bitcoin blockchain, via proof-of-work, were devised to protect unknown and untrusted participants that trade and interact in a specific environment.

Banks and other institutions trading financial products do so with known and trusted entities and operate within the existing settlement framework of global financial markets, with highly complex and rigorous regulations and obligations.  This environment has different security assumptions, goals and tradeoffs that are in some cases the opposite of the design assumptions of public blockchains.

Due to their probabilistic nature, platforms built on top of public blockchains cannot provide definitive settlement finality of off-chain assets. By design they are not able to control products other than the endogenous cryptocurrencies they were designed to support.  There may be other types of solutions, such as newer shared ledger technology that could provide legal settlement finality, but that is a topic for another paper.

This is a very important issue that has been seemingly glossed over despite millions of VC funding into companies attempting to (re)leverage public blockchains.  Hopefully this paper will help spur additional research into the security of watermarking-related initiatives.

I would like to thank Christian Decker, at ETH Zurich, for providing helpful feedback — I believe he is the only academic to actually mention that there may be challenges related to colored coins in a peer-reviewed paper.  I would like to thank Ernie Teo, at SKBI, for creating the game theory model related to the hold-up problem.  I would like to thank Arthur Breitman and his wife Kathleen for providing clarity to this topic.  Many thanks to Ayoub Naciri, Antony Lewis, Vitalik Buterin, Mike Hearn, Ian Grigg and Dave Hudson for also taking the time to discuss some of the top-heavy challenges that watermarking creates.  Thanks to the attorneys that looked over portions of the paper including (but not limited to) Jacob Farber, Ryan Straus, Amor Sexton and Peter Jensen-Haxel; as well as additional legal advice from Juan Llanos and Jared Marx.  Lastly, many thanks for the team at R3 including Jo Lang, Todd McDonald, Raja Ramachandran and Richard Brown for providing constructive feedback.



Creative angles of attacking proof-of-work blockchains

[Note: the following views were originally included in a new paper but needed to be removed for space and flow considerations]

While most academic literature has so far narrowly focused on the assumption that proof-of-work miners such as those used in Bitcoin will behave according to a “goodwill” expectation, as explored in this paper there may be incentives that creative attackers could look to exploit.

Is there another way of framing this issue as it relates to watermarked tokens such as colored coins and metacoins?

Below are comments from several thought-leaders working within the industry.

According to John Light, co-founder of Bitseed:[1]

When it comes to cryptocurrency, as with any other situation, an attacker has to balance the cost of attacking the network with the benefit of doing so. If an attacker spends the minimum amount required to 51% attack bitcoin, say $500 million, then the attacker needs to either be able to short $500 million or more worth of BTC for the attack to be worth it, or needs to double spend $500 million or more worth of BTC and receive some irreversible benefit and not get caught (or not have consequences for getting caught), all while taking into consideration the loss of future revenues from mining honestly. When you bring meta-coins into the equation, things get even murkier; the cost is less dependent on the price of bitcoin or future mining revenues, and depends more on the asset being attacked, whether it’s a stock sale or company merger that’s being prevented, or USD tokens being double-spent.

There’s no easy answer, but based on the economics of the situation, and depending on the asset in question, it doesn’t seem wise to put more value on chain than the market cap of BTC itself (as a rough benchmark – probably not that exact number, but something close to it).

No study looking at this disproportion has yet been published, yet the idea is regularly touted at conferences and on social media as a realistic, secure, legal possibility.

According to Vitalik Buterin, creator of Ethereum:[2]

There are actually two important points here from an economics perspective. The first is that when you are securing $1 billion of value on a system with a cryptoeconomic security margin that is very small, that opens the door to a number of financial attacks:

  1. Short the underlying asset on another exchange, then break the system
  2. Short or long some asset at ultrahigh leverage, essentially making a coin-flip bet with a huge amount of money that it will go 0.1% in one direction before the other. If the bet pays off, great. If it does not pay off, double spend.
  3. Join in and take up 60%+ of the hashrate without anyone noticing. Then, front-run everyone. Suppose that person A sends an order “I am willing to buy one unit of X for at most $31”, and person B sends an order “I am willing to sell one unit of X for at least $30”. As a front-runner, you would create an order “I am willing to sell one unit of X for at least $30.999” and “I am willing to buy one unit of X for at most $30.001”, get each order matched with the corresponding order, and earn $0.998 risk-free profit. There are also of course more exotic attacks.

In fact, I could see miners even without any attacks taking place front-running as many markets as they can; the ability to do this may well change the equilibrium market price of mining to the point where the system will, quite ironically, be “secure” without needing to pay high transaction fees or have an expensive underlying currency.

The second is that assets on a chain are in “competition” with each other: network security is a public good, and if that public good is paid for by inflation of one currency (which in my opinion, in a single-currency-chain environment, is economically optimal) then the other currencies will gain market share; if the protocol tries to tax all currencies, then someone will create a funky meta-protocol that “evades taxes by definition”: think colored coins where all demurrage is ignored by definition of the colored coin protocol. Hence, we’ll see chains secured by the combination of transaction fee revenue and miner front running.

Unsolved economics question: would it be a good thing or a bad thing if markets could secure themselves against miner frontruns? May be good because it makes exchanges more efficient, or bad because it removes a source of revenue and reduces chain security.

Cryptoeconomics is a nascent academic field studying the confluence of economics, cryptography, game theory and finance.[3]

Piotr Piasecki, a software developer and independent analyst explained:[4]

If a malicious miner sees a big buy order coming into the market that would move the price significantly, they can engage in front running – the buy order could be pushed to the back of the queue or even left out until the next block, while the miner buys up all of the current stock and re-lists it at a higher price to turn a profit. Alternatively, when they see there is a high market pressure coming in, especially in systems that are inefficient by design, they can buy the orders up one by one by using their power to include any number of their own transactions into a block for free, and similarly re-list them for people to buy up.

Or in other words, because miners have the ability to order transactions within a block, this creates an opportunity to front run.  If publicly traded equities are tracked as a type of colored coin on a public blockchain, miners could order transactions in such a way that certain on-chain transactions, or trades in this case, execute before others.
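The ordering risk described above, reproduced on a toy on-chain order book using the numbers from Buterin's comment (a bid at most $31, an ask at least $30). This is an added example, not code from the post or from any of the people quoted; the matching rule (trades execute at the resting order's limit, price-time priority) and the sandwich-detection heuristic are my own illustrative assumptions, and the orders are constructed.

```python
from dataclasses import dataclass


@dataclass
class Order:
    owner: str
    side: str      # "buy" or "sell"
    limit: float   # worst price the owner will accept
    qty: int = 1


def match_block(orders):
    """Run a limit-order book over `orders` in the sequence given, i.e. the sequence the
    block producer chose. A trade executes at the resting order's limit (maker price).
    Returns trades as (buyer, seller, price, qty)."""
    bids, asks, trades = [], [], []
    for o in orders:
        resting = asks if o.side == "buy" else bids
        # best price first: lowest ask for a buyer, highest bid for a seller
        resting.sort(key=lambda r: r.limit, reverse=(o.side == "sell"))
        while o.qty and resting:
            r = resting[0]
            crosses = r.limit <= o.limit if o.side == "buy" else r.limit >= o.limit
            if not crosses:
                break
            q = min(o.qty, r.qty)
            buyer, seller = (o.owner, r.owner) if o.side == "buy" else (r.owner, o.owner)
            trades.append((buyer, seller, r.limit, q))
            o.qty -= q
            r.qty -= q
            if r.qty == 0:
                resting.pop(0)
        if o.qty:
            (bids if o.side == "buy" else asks).append(o)
    return trades


def pnl(trades, owner):
    """Cash change (rounded to mills) and net units for one participant over a block."""
    cash, units = 0.0, 0
    for buyer, seller, price, q in trades:
        if buyer == owner:
            cash -= price * q
            units += q
        if seller == owner:
            cash += price * q
            units -= q
    return round(cash, 3), units


def block_orders(miner_front_runs):
    """Constructed mempool: A bids at most 31, B asks at least 30. A front-running miner
    places its own orders first, so they rest in the book before A and B arrive."""
    orders = [Order("A", "buy", 31.0), Order("B", "sell", 30.0)]
    if miner_front_runs:
        orders = [Order("miner", "sell", 30.999), Order("miner", "buy", 30.001)] + orders
    return orders


def miner_profit(miner_front_runs):
    """The miner's (cash, units) after the block is matched."""
    return pnl(match_block(block_orders(miner_front_runs)), "miner")


def flag_producer_sandwich(trades, producer):
    """Detection heuristic: the block producer both sold and bought inside its own block
    and its best sell price exceeds its best buy price (a risk-free round trip)."""
    sells = [p for _, s, p, _ in trades if s == producer]
    buys = [p for b, _, p, _ in trades if b == producer]
    return bool(sells) and bool(buys) and max(sells) > min(buys)


if __name__ == "__main__":
    for front_run in (False, True):
        trades = match_block(block_orders(front_run))
        print("front-running miner:" if front_run else "honest ordering:   ", trades)
        print("  miner pnl:", pnl(trades, "miner"),
              " flagged:", flag_producer_sandwich(trades, "miner"))
```

With honest ordering A and B trade with each other and the miner earns nothing; with the miner's two orders placed first it captures $0.998 with no position left over, the figure in the quote. The flag function shows the kind of check an auditor of a colored-coin exchange could run on a block's trades: a producer that is counterparty on both sides within its own block at a positive spread is worth a closer look.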

Robert Sams, co-founder of Clearmatics, previously looked at the bearer versus registered asset challenge:[5]

One of the arguments against the double-spend and 51% attacks is that it needs to incorporate the effect a successful attack would have on the exchange rate. As coloured coins represent claims to assets whose value will often have no connection to the exchange rate, it potentially strengthens the attack vector of focusing a double spend on some large-value colour. But then, I’ve always thought the whole double-spend thing could be reduced significantly if both legs of the exchange were represented on a single tx (buyer’s bitcoin and seller’s coloured coin).

The other issue concerns what colour really represents. The idea is that colour acts like a bearer asset, whoever possesses it owns it, just like bitcoin. But this raises the whole blacklisted coin question that you refer to in the paper. Is the issuer of colour (say, a company floating its equity on the blockchain) going to pay dividends to the holder of a coloured coin widely believed to have been acquired through a double-spend? With services like Coin Validation, you ruin fungibility of coins that way, so all coins need to be treated the same (easy to accomplish if, say, the zerocoin protocol were incorporated). But colour? The expectations are different here, I believe.

On a practical level, I just don’t see how pseudo-anonymous colour would ever represent anything more than fringe assets. A registry of real identities mapping to the public keys would need to be kept by someone. This is certainly the case if you ever wanted these assets to be recognised by current law.

But in a purely binary world where this is not the case, I would expect that colour issuers would “de-colour” coins it believed were acquired through double-spend, or maybe a single bitcoin-vs-colour tx would make that whole attack vector irrelevant anyway. In which case, we’re back to the question of what happens when the colour value of the blockchain greatly exceeds that of the bitcoin monetary base? Who knows, really depends on the details of the colour infrastructure. Could someone sell short the crypto equity market and launch a 51% attack? I guess, but then the attacker is left with a bunch of bitcoin whose value is…

The more interesting question for me is this: what happens to colour “ownership” when the network comes under 51% control? Without a registry mapping real identities to public keys, a pseudo-anonymous network of coloured assets on a network controlled by one guy is just junk, no longer represents anything (unless the 51% hasher is benevolent of course). Nobody can make a claim on the colour issuer’s assets. So perhaps this is the real attack vector: a bunch of issuers get together (say, they’re issuers of coloured coin bonds) to launch a 51% attack to extinguish their debts. If the value of that colour is much greater than cost of hashing 51% of the network, that attack vector seems to work.

On this point, Jonathan Levin, co-founder of Chainalysis previously explained that:[6]

We don’t know how much proof of work is enough for the existing system and building financially valuable layers on top does not contribute any economic incentives to secure the network further. These incentives are fixed in terms of Bitcoin – which may lead to an interesting result where people who are dependent on coloured coin implementations hoard bitcoins to attempt to increase the price of Bitcoin and thus provide incentives to miners.

It should also be noted that the engineers and those promoting extensibility such as colored coins do not see the technology as being limited in this way. If all colored coins can represent is ‘fringe assets’ then the level of interest in them would be minimal.

Time will tell whether this is the case. Yet if Bob could decolor assets, in this scenario, an issuer of a colored coin has (inadvertently) granted itself the ability to delegitimize the bearer assets as easily as it created them. And arguably, decoloring does not offer Bob any added insurance that the coin has been fully redeemed, it is just an extra transaction at the end of the round trip to the issuer.

  1. Personal correspondence, August 10, 2015. Bitseed is a startup that builds plug-and-play full nodes for the Bitcoin network.
  2. Personal correspondence, August 13, 2015.
  3. See What is cryptoeconomics? and Formalizing Cryptoeconomics by Vlad Zamfir
  4. Mining versus Consensus algorithms in Crypto 2.0 systems by Piotr Piasecki
  5. As quoted in: Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? by Tim Swanson; reused with permission.
  6. This example originally comes from Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin? by Tim Swanson; reused with permission.

A few known Bitcoin mining farms

[Note: the following overview on known Bitcoin mining farms was originally included in a new paper but needed to be removed for space and flow considerations]

Several validators on the Bitcoin network, as well as many watermarked token issuers, are identifiable and known.[1] What does this mean?  Many Bitcoin validators have drifted outside the pseudonymous context of the original network because the specialty equipment they use creates a paper trail.  In other words, pseudonymity has given way to real world identity.  Issuers of color will likely follow soon because they too have strong ties to the physical, off-chain world.

For instance, on August 4, 2015, block 368396 was mined by P2Pool. This is notable for two reasons.

The first is that the block included a transaction sent from Symbiont.io, a NYC-based startup building “middleware” that enables organizations and financial institutions to create and use ‘smart securities’ off-chain between multiple parties and have the resulting transaction hashed onto a blockchain, in this case, the Bitcoin blockchain.[2]

Several weeks later, Symbiont announced that it would begin using its “stack” to provide similar functionality on a permissioned ledger.[3] This follows a similar move by T0.com – a wholly owned subsidiary of Overstock.com – which initially used Open Assets to issue a $5 million “cryptobond” onto the Bitcoin blockchain, but has subsequently switched to using a “blockchain-inspired” system designed by Peernova.[4][5][6]

The second reason this was notable is that the block above, 368396, included at least one transaction from Symbiont which was mined by a small pool called P2Pool.[7] Unlike other pools discussed in this paper, P2Pool is not continually operated in a specific region or city.

It is decentralized in that all participants (hashers) must run their own full Bitcoin nodes. This stands in contrast to pools such as F2Pool, KnC mining pool and BTCC (formerly called BTC China), where the pool operator alone runs the validating node and the labor force (hashers) simply searches for a mid-state that fulfills the target difficulty.[8]

Due to this resource-intensive requirement (running a full node requires more bandwidth and disk space than hashing alone), P2Pool is infrequently used and consequently comprises less than 1% of the current network hashrate.

P2Pool’s users are effectively pseudonymous. Because of this intended pseudonymity it is also unclear where the transaction fees and proceeds of hashing go. For instance, do the hashers comprising this pool benefit from the proceeds of illicit trade or reside in sanctioned countries, and whom does one contact in the event there is a problem? Unlike with other pools, there is no customer service to call and find out.

Bitcoin’s – and P2Pool’s – lack of terms of service is by design (i.e., caveat emptor). In the event of a block reversal, a censored transaction or a mere mistake by end-users, as noted above there is no contract, standard operating procedure or EULA that mining pools (validators) must adhere to. This is discussed in section 3.

This pseudonymous arrangement was the default method of mining in 2009 but has evolved over the years. For example, there are at least two known incidents in which a miner was contacted and returned fees upon request.

Launched in late summer 2012, during the transition from GPU and FPGA mining, ASICMiner was one of the first publicly known companies to create its own independent ASIC mining hardware. Its team was led by “FriedCat,” a Chinese businessman who custom designed and integrated ASIC chips called Block Eruptors, and ASICMiner operated its own liquid immersion facility in Hong Kong.[9]

At its height, ASICMiner (which solo-mined, as KnC and BitFury do today) reached over 10% of the network hashrate, and its “shareholders” listed its stock on GLBSE (Global Bitcoin Stock Exchange), a now-defunct virtual “stock market” that enabled bitcoin users to purchase, trade and acquire “shares” in a variety of listed companies.[10] GLBSE is notable for having listed, among other projects, SatoshiDice, which was later charged by the Securities and Exchange Commission (SEC) for offering unregistered securities to the public.[11][12]

While unregistered stock exchanges catering to cryptocurrency users and China-based mining pools may be common sights today, on August 28, 2013, a bitcoin user sent a 200 bitcoin fee that was processed by ASICMiner.[13] Based on then-market rates, this was worth approximately $23,518.[14] The next day, for reasons that are unknown, ASICMiner allegedly sent the errant fee back to the original user.[15] At the time, one theory proposed by Greg Maxwell (a Bitcoin Core developer) was that this fee was accidentally sent due to a bug with CoinJoin, a coin-mixing service.[16]

Liquid-cooled hashing equipment at ASICMiner in 2013. Source: Xiaogang Cao

The second notable incident involved BitGo, a multisig-as-a-service startup based in Palo Alto, and AntPool, a large China-based pool (which currently represents about 15% of the network hashrate) operated by Bitmain, which also manufactures Antminer hardware that can be acquired directly from the company (in contrast to many manufacturers which no longer sell to the public at large). On April 25, 2015 a BitGo user, due to a software glitch, accidentally sent 85 bitcoins as a mining fee to AntPool. Based on then-market rates, this was worth approximately $19,197.[17]

The glitch occurred in BitGo’s legacy recovery tool, which used an older version of a library that truncated values to 32 bits, thereby truncating the outputs on the recovery transaction.[18] To resolve this problem, the user “rtsn” spent several days publicly conversing with tech support (and the community) on Reddit.[19]

Eventually the glitch was fixed and Bitmain – to be viewed as a “good member of the community” yet defeating the purpose of a one-way-only, pseudonymous blockchain – sent the user back 85 bitcoins.
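The mechanism behind this incident is worth seeing in numbers, because Bitcoin carries no explicit fee field: whatever input value is not spent by an output becomes the miner’s fee. The following is an added example, not BitGo’s or any library’s code; the input and output amounts are constructed, and the 0.1 BTC fee ceiling is an assumption for the example.

```python
"""Added example: how a 32-bit truncation of output values silently becomes an
oversized mining fee, and the sanity check that catches it before broadcast.
Amounts below are constructed, not the values from the BitGo incident."""
from dataclasses import dataclass

SATOSHI_PER_BTC = 100_000_000
MASK_32 = (1 << 32) - 1        # 2^32 - 1 satoshis = 42.94967295 BTC
MAX_SANE_FEE_SAT = 10_000_000  # 0.1 BTC: assumed ceiling for an ordinary fee


@dataclass(frozen=True)
class TxOutput:
    address: str
    value_sat: int


def implied_fee(input_total_sat: int, outputs: list[TxOutput]) -> int:
    """Bitcoin has no fee field: fee = sum(inputs) - sum(outputs)."""
    return input_total_sat - sum(o.value_sat for o in outputs)


def truncate_outputs_32bit(outputs: list[TxOutput]) -> list[TxOutput]:
    """Model the described defect: each value is reduced modulo 2^32 when an
    amount is pushed through a 32-bit integer, with no error raised."""
    return [TxOutput(o.address, o.value_sat & MASK_32) for o in outputs]


def fee_is_sane(input_total_sat: int, outputs: list[TxOutput],
                max_fee_sat: int = MAX_SANE_FEE_SAT) -> bool:
    """Pre-broadcast check: reject negative fees (invalid tx) and fees above
    the ceiling (almost always a construction bug, never an intention)."""
    fee = implied_fee(input_total_sat, outputs)
    return 0 <= fee <= max_fee_sat


def demo() -> dict:
    """Walk through the constructed case and return the figures."""
    input_total = 101 * SATOSHI_PER_BTC                    # 101 BTC in
    intended = [TxOutput("recovery-dest (constructed)", 10_090_000_000)]  # 100.9 BTC
    truncated = truncate_outputs_32bit(intended)
    return {
        "intended_fee_sat": implied_fee(input_total, intended),
        "intended_ok": fee_is_sane(input_total, intended),
        "truncated_output_sat": truncated[0].value_sat,
        "truncated_fee_sat": implied_fee(input_total, truncated),
        "truncated_ok": fee_is_sane(input_total, truncated),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the constructed case a 100.9 BTC output collapses to about 15 BTC and the remaining ~86 BTC becomes fee, which is why wallet software (and bitcoind, via its maxtxfee setting) should refuse to sign a transaction whose implied fee is absurd.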

Fee to Bitmain (AntPool) highlighted in red on the Total Transaction Fee chart. Source: Blockchain.info

On September 11, 2015 another user accidentally sent 4.6 bitcoins (worth $1,113) as a fee to a mining pool, which in this instance was AntPool.[20] Bitmain, the parent company, once again returned the fee to the user.

Do we know about other farms?[21]

HaoBTC is a newly constructed medium-sized hashing farm located in Kangding, western Sichuan, near the eastern border with Tibet.[22] It currently costs around 1.5 million RMB per petahash (PH) – or $242,000 – per year to operate. This includes the infrastructure and miner equipment costs. It does not include the operating costs, which consist of electricity, labor, rent and taxes (the latter two are relatively negligible).

The facility itself cost between $600,000 and $700,000 to build (slightly less than the $1 million facility BitFury built in 2014 in the Republic of Georgia), and its electrical rate of 0.2 RMB per kWh comes from a nearby hydroelectric dam with a 25,000 kW output (which cost around $10 million to construct).[23]

In dollar terms this is equivalent to around $0.03 / kWh (during the “wet” or “summer” season). For perspective, their electric bill in August 2015 came in at 1.4 million RMB (roughly $219,000); thus electricity is by far the largest operating cost component.

When all the other costs are accounted for, the average rises to approximately $0.045 per kWh. The electricity rate is slightly more expensive (0.4 RMB or $0.06) during winter due to less water from the mountains. The summer rate is roughly the same as that of the Washington State-based hashing facilities, which are the cheapest in the US (note: it bears mentioning that Washington State partly subsidizes hydroelectricity).

HaoBTC staff installing hashing equipment. Source: Eric Mu

At this price per joule it would cost around $105 million to reproduce the “work” generated by the 450 petahash Bitcoin blockchain. Due to a recent purchase of second-hand ASICMiner Tubes, HaoBTC currently generates just over 10 PH and they are looking to expand to 12 PH by the end of the year.[24] The key figure that most miners are interested in is that at the current difficulty level it costs around $161 for HaoBTC’s farm to create a bitcoin, giving them a nearly 100% margin relative to the current market price.

The ASIC machines they – and the rest of the industry – use are single-purpose; this hashing equipment cannot run Excel or Google services, or even bitcoind. Thus common comparisons with university supercomputers are not apples-to-apples, as ASIC hashing equipment cannot do general-purpose computing; it can perform just one function.[25]

There is also a second-hand market for it. For instance, hashing facilities such as HaoBTC actively look to capitalize on their unique geographical advantages by using older, used hardware. And there is a niche group of individuals, wanting to remain anonymous, that will also purchase older equipment.[26]

Although individual buyers of new hashing equipment, such as Bob, typically have to identify themselves to some degree, Bob can also resell the hardware on the second-hand market without any documentation. Thus, some buyers wanting to buy hashing equipment anonymously can do so at a relative premium, typically through middlemen.[27][28]

While Bitbank’s BW mining farm and pool have been in the news recently,[29] perhaps the most well-known live visual of mining facilities is the Motherboard story on a large Bitcoin mining farm in Dalian, Liaoning:[30]

Incidentally, while Motherboard actually looked at just one farm, the foreigner helping to translate for the film crew independently visited another farm in Inner Mongolia, which Bitbank apparently acquired during the past year.[31]

Are there any other known facilities outside of China?[32]

Genesis Mining. Source: Business Insider / Genesis Mining

Genesis Mining is a cloudhashing service provider that purportedly has several facilities in Iceland.[33] According to a recent news story the company is one of the largest users of energy on the island, and ignoring all costs of production other than electricity, it costs about $60 to produce a bitcoin.[34] However, when other costs are included (such as hardware and staffing) the margin declines to — according to the company — about 20% relative to the current bitcoin price. At the time of the story, the market price of a bitcoin was around $231.

The four illustrations above are among a couple dozen farms that generate the majority of the remaining hashrate.

What does this have to do with colored coins?

The network was originally designed in such a way that validators (block makers) were pseudonymous and identification by outside participants was unintended and difficult to do.  If users can now contact validators, known actors in scenic Sichuan, frigid Iceland or rustic Georgia, why not just use a distributed ledger system that already identifies validators from the get go?  What use is proof-of-work at all? Why bother with the rhetoric and marginal costs of pseudonymity?

The social-pressure type of altruism noted above (e.g., Bitmain and BitGo returning fees) could actually set a nebulous precedent: once block rewards are reduced and fees begin to represent a larger percentage of miner revenue, it will no longer be an “easy” decision to refund the user in the event there is a mistake.[35] If Bitmain had not sent a refund, this backup wallet error would have served as a powerful warning to future users to try not to make mistakes.

While there have been proposals to re-decentralize the hashing process, such as a consumer-device effort led by 21inc which amounts to creating a large corporate-operated botnet, one trend that has remained constant is the continued centralization of mining (block making) itself.[36][37] The motivation for centralizing block making has been and continues to be about one factor: variance in payouts.[38] Investors in hashing prefer stable payouts over less stable payouts, and the best way to do that with the current Poisson process is to pool capital (much like pooling capital in capital markets to reduce risk).

Whether or not these trends stay the same in the future is unknown; however, it is likely that the ability to contact (or not contact) certain pools and farms will be an area of continued research.

Similarly, one other potential drawback of piggybacking on top of a public blockchain that could be modeled in the future is the introduction of a fat-tail risk due to the boundlessness of the price of the native token.[39] Price spikes, even short-lived ones, can create price distortions or liquidity problems for the off-chain asset, introducing a correlation between the token and the asset that theoretically was not supposed to exist.

  1. For instance, the staff of Let’s Talk Bitcoin issues LTBCoin on a regular basis to listeners, content creators and commenters.
  2. Wall Street, Meet Block 368396, the Future of Finance from Bloomberg
  3. On August 20, 2015, Symbiont announced it is also building a permissioned ledger product. See also the second half of Bitcoin’s Noisy Size Debate Reaches a Hard Fork from The Wall Street Journal, Why Symbiont Believes Blockchain Securities Are Wall Street’s Future from CoinDesk and Why Symbiont Believes Blockchain securities are Wall Street’s Future
  4. The CoinPrism page for the specific token that Overstock.com initially used for the “cryptobond” can be viewed here; similarly the file on the T0 domain that verifies its authenticity can be seen here. See also: World’s First Corporate “Cryptobond” was issued using Open Assets
  5. Overstock CEO Uses Bitcoin Tech to Spill Wall Street Secret from Wired and Overstock.com and FNY Capital Conclude $5 Million Cryptobond Deal from Nasdaq
  6. One reviewer likened the Overstock “cryptobond” proof of concept to a large wash trade: ”Basically it’s a cashless swap of paper and thus no currency settlement. And the paper has no covenants and thus very easy to digitally code. Basically Overstock is paying FNY a spread of 4% for doing this deal. And if the bond and loan are called simultaneously, say in the next month, that means that Overstock paid FNY about $16,667.00 to do this trade. And since there was no cash exchanged, I am presuming, then this is smoke and mirrors. But they actually did it. However, I don’t see much of a business model where the issuer of a bond has to simultaneously fund the investor with a loan to buy the bond and pay him 33 basis points to boot!”
  7. P2Pool wiki and P2Pool github
  8. See Target, How Bitcoin Hashing Works and On Mining by Vitalik Buterin
  9. ASICMINER: Entering the Future of ASIC Mining by Inventing It from Bitcoin Talk, Mystery in Bitcoinland…. the disappearance of FriedCat from Bitcoin Reporter; Chinese Mining mogul FriedCat has stolen more than a million in AM hash SCAM from Bitcoin Talk and Visit of ASICMINER’s Immersion Cooling Mining Facility from Bitcoin Talk
  10. See 12.2 Pool and network miner hashrate distributions from Organ of Corti and Bitcoin “Stock Markets” – It’s Time To Have A Chat from Bitcoin Money
  11. See SEC Charges Bitcoin Entrepreneur With Offering Unregistered Securities from SEC and the Administrative Proceeding order
  12. In (Rosenfeld 2012) the author noted that one of the risks of running an “alternative to traditional markets” – such as GLBSE – was the regulatory compliance hurdles. Overview of Colored Coins by Meni Rosenfeld, p. 4.
  13. Block 254642 and Some poor person just paid a 200BTC transaction fee to ASICminer.
  14. According to the Coindesk Bitcoin Price Index, the market price of a bitcoin on August 28, 2013 was approximately $117.59.
  15. Included in block 254769
  16. A thread discussed this theory: Re: CoinJoin: Bitcoin privacy for the real world (someday!)
  17. According to the Coindesk Bitcoin Price Index, the market price of a bitcoin on April 25, 2015 was approximately $225.85.
  18. The user “vytah” debugged this issue in a reddit thread: Holy Satoshi! Butter pays 85Btc transaction fees for a 16Btc transaction. Is this the largest fee ever paid?
  19. Help! Losing Over 85 BTC Because of BitGo’s Flawed Recovery Process! on Reddit
  20. To AntMiner, miner of block #374082. I did an accidental 4.6 BTC fee. on Reddit
  21. Readers may be interested in a little more history regarding self-identification by miners: Slush, the first known pool, began publicly operating at the end of November 2010 and was the first to publicly claim a block (97838). Eligius was announced on April 27, 2011 and two months later signed the first coinbase transaction (130635). DeepBit publicly launched on February 26, 2011 and at one point was the most popular pool, reaching, for a short period in May 2011, more than 50% of the network hashrate. See Deepbit pool owner pulls in $112* an hour, controls 50% of network and DeepBit pool temporarily reaches critical 50% threshold from Bitcoin Miner and What has been the reaction to permissioned distributed ledgers?
  22. This information comes from personal correspondence with Eric Mu, July 7, 2015 as well as two other public sources: Inside a Tibetan Bitcoin Mine: The Race for Cheap Energy from CoinTelegraph and Three months living in a multi-petahash BTC mine in Kangding, Sichuan, China from Bitcoin Talk
  23. Last summer BitFury quickly built a relatively cheap data center in Georgia partly due to assistance from the national government. See BitFury Reveals New Details About $100 Million Bitcoin Mine from CoinDesk
  24. Personal correspondence with Eric Mu, August 10, 2015
  25. One common talking point by some Bitcoin enthusiasts including venture capitalists is that Google’s computers, if repurposed for mining Bitcoin, would generate only 1-2% of the network hashrate – that the Bitcoin network is “faster” than all of Google’s data centers combined. This is misleading because these Bitcoin hashing machines cannot provide the same general-purpose utility that Google’s systems can. In point of fact, the sole task that ASIC hashing equipment itself does is compute double SHA-256 hashes repeatedly.
  26. Some academic literature refers to miners on the Bitcoin network as “anonymous participants.” In theory, Bitcoin mining can be anonymous; however, by default mining was originally a pseudonymous activity. Participants can attempt to remain relatively anonymous by using a variety of operational security methods, or they can choose to identify (“doxx”) themselves as well. See The Bitcoin Backbone Protocol: Analysis and Applications by Garay et al.
  27. Thanks to Anton Bolotinsky for this insight.
  28. This is similar to the “second-hand” market for bitcoins too: bitcoins originally acquired via KYC’ed gateways sometimes end up on sites like LocalBitcoins.com (akin to “Uber for bitcoins”) – where the virtual currency is sold at a premium to those wanting to buy anonymously.
  29. The Unknown Giant: A First Look Inside BW, One of China’s Oldest and Largest Miners from Bitcoin Magazine
  30. Inside the Chinese Bitcoin Mine That’s Grossing $1.5M a Month from Motherboard
  31. Jake Smith, the translator, also wrote a short story on it: Inside one of the World’s Largest Bitcoin Mines at The Coinsman
  32. While it is beyond the scope of this paper, there are a couple of general reasons why medium-sized farms such as HaoBTC have been erected in China. Based upon conversations with professional miners in China, one primary reason is that both the labor and land near energy-generating facilities are relatively cheap compared with other parts of the world. Furthermore, energy itself is not necessarily cheaper, unless farm managers and operators have guanxi with local officials and power plant owners. And even though it is common to assume otherwise due to the capital controls imposed at a national level – citizens are limited to the equivalent of $50,000 in foreign exchange per year – there have been no public studies as to how much capital is converted for these specific purposes. There are other ways to avoid capital controls in China, including art auctions and pawn shops on the border with Macau and Hong Kong. See also How China’s official bank card is used to smuggle money from Reuters and What Drives the Chinese Art Market? The Case of Elegant Bribery by Jia Guo. See also On Getting Paid From China. Is There Really A $50,000 Yearly Limit? from China Law Blog and Bitcoins: Made in China
  33. Look inside the surreal world of an Icelandic bitcoin mine, where they literally make digital money from Business Insider
  34. It is unclear how much hashrate they actually operate or control, a challenge that plagues the entire cloudhashing industry, leading to accusations of fraud.
  35. This is also a fundamental problem with public goods: there are few mechanisms besides social pressure and arbitrary decision making to ration resources. As described in (Evans 2014), since miners are the sole labor force and they create the economic outputs (bitcoins) and security, it is unclear why they are under any expectation to return fees in a network purposefully designed to reduce direct interactions between participants. See Economic Aspects of Bitcoin and Other Decentralized Public-Ledger Currency Platforms by David Evans
  36. See 21 Inc Confirms Plans for Mass Bitcoin Miner Distribution from CoinDesk and What impact have various investment pools had on Bitcoinland?
  37. In 2014 the state of New Jersey sued an MIT student, Jeremy Rubin, for creating a web-based project that effectively does the same thing as the silicon-based version proposed by 21inc. See Case Against Controversial Student Bitcoin Project Comes to Close from CoinDesk. In addition, the FTC, in its case against Butterfly Labs, also looked at BFL not informing customers properly regarding difficulty rating changes. According to the FTC’s news release on this case: “A company representative [BFL] said that the passage of time rendered some of their machines as effective as a “room heater.” The FTC charged that this cost the consumers potentially large sums of money, on top of the amount they had paid to purchase the computers, due to the nature of how Bitcoins are made available to the public.”
  38. This issue was cited in the CryptoNote whitepaper as one motivation for creating a new network. On p. 2: “This permits us to conjecture the properties that must be satisfied by the proof-of-work pricing function. Such function must not enable a network participant to have a significant advantage over another participant; it requires a parity between common hardware and high cost of custom devices. From recent examples [8], we can see that the SHA-256 function used in the Bitcoin architecture does not possess this property as mining becomes more efficient on GPUs and ASIC devices when compared to high-end CPUs. Therefore, Bitcoin creates favourable conditions for a large gap between the voting power of participants as it violates the “one-CPU-one-vote” principle since GPU and ASIC owners possess a much larger voting power when compared with CPU owners. It is a classical example of the Pareto principle where 20% of a system’s participants control more than 80% of the votes.”
  39. I would like to thank Ayoub Naciri for providing this example.

A dissection of two Bitfury papers

Bitfury, the Bitcoin mining company, recently published two papers:

The underlying motivation for writing them was that Bitfury is trying to assure the world that public blockchains can still be used in “proprietary contexts.” While the papers provide a good frame for the issue, there are several leaps in logic, or direct contradictions of established theory, that necessarily weaken their argument.

Below is my discussion of them. Note: as usual, this only represents my opinion and does not necessarily represent the views of the organizations that I advise or work for.

Overall I thought the two papers did not seem to have been reviewed by a wider audience including lawyers: specifically they should have sent them to commercial and securities lawyers to see if any legal issues should be considered. Much of their pitch basically amounts to mining for the sake of mining.

One final note: for additional commentary I also reached out to Dave Hudson who is proprietor of HashingIt and an expert as it relates to Bitcoin mining analysis.  He is unaffiliated with Bitfury.

Notes for Part 1:

On p. 2, Bitfury wrote the following statement:

The key design element of blockchains – embedded security – makes them different from ordinary horizontally scalable distributed databases such as MySQL Cluster, MongoDB and Apache HBase. Blockchain security makes it practically impossible to modify or delete entries from the database; furthermore, this kind of security is enforced not through the central authority (as it is possible with the aforementioned distributed databases), but rather through the blockchain protocol itself.

Is this a problematic summary?

According to Dave Hudson:

As a network protocol engineer of many years I tend to find the concept of a “blockchain protocol” somewhat odd. Here’s a link to definitions of “protocol.”

What do we mean by protocol here? It’s not actually a network protocol because there is no “blockchain protocol”, there are many different ones (each altcoin has its own and there are many more besides). At best the idea of a “blockchain protocol” is more a meta-protocol, in that we say there are some things that must be done in order for our data to have blockchain-like characteristics. It’s those characteristics that provide for non-repudiation.

Also on p. 2, Bitfury uses the term “blockchain-based ledger.”  I like that because, as several developers have pointed out in the past, the two concepts are not the same — distributed ledgers are not necessarily blockchains and vice versa.

On p. 4 and 5 they list several objections for why financial institutions are hesitant to use a public blockchain, yet leave off a couple of noticeable ones, including the lack of a service level agreement / terms of service between end users and miners. That is to say, in the event of a block reorg or 51% attack, who calls whom?

On p. 7, I don’t think that censorship resistance can be generalized as a characteristic for “all blockchains.”

In Dave Hudson’s view:

Moreover, censorship resistance makes absolutely no sense in many instances. Who would be censoring what?

I’m actually not convinced that censorship resistance is actually a “thing” in Bitcoin either. Plenty of well-formed transactions can be censored by virtue of them being dust or having non-standard scripts. If anything the only thing that Bitcoin does is provide a set of conditions in which a transaction is probabilistically going to be mined into blocks in the network.

For those interested, there are a handful of “standard” transaction types that are usually accepted by most mining pools.

On p. 11, I disagree with this statement:

If a blockchain database is completely opaque for clients (i.e., they have no access to blockchain data), the security aspect of blockchain technology is diminished. While such system is still protected from attacks on the database itself, interaction with clients becomes vulnerable, e.g. to man-in-the middle attacks. As a built-in protocol for transaction authorization is one of core aspects of blockchain technology, its potential subversion in favor of centralized solutions could negatively influence the security aspect of the system. Additionally, as transactions are accessible to a limited set of computers, there exists a risk of human factor intervening into the operation of the blockchain with no way for clients to detect such interference. Thus, the opaque blockchain design essentially undermines the core aspects of blockchain technology:
• decentralization (absence of a single point of failure in the system)
• trustlessness (reliance on algorithmically enforced rules to process transactions with no human interaction required).

I think trustlessness is a red herring that cypherpunks and Bitcoiners have been perpetually distracted by. It may be an end-goal that many would like to strive for but trust-minimization is a more realistic intermediate characteristic for those operating within the physical, real world.

Why? Because existing institutions and legal infrastructure are not going to disappear tomorrow just because a vocal group of cryptocurrency enthusiasts dislikes them.

According to Dave Hudson:

As with so many things-Bitcoin, I think this is an implementation necessity being seen as an innately desirable characteristic. Bitcoin requires “trustlessness” because it’s non-permissioned, yet in truth it totally relies on trust to work. We trust that Sybil attacks aren’t happening and that network service providers are not colluding to support such attacks. We trust that a large body of miners are not colluding to distort the system. We trust that changes to the software (or updates to compilers and operating systems) have not rendered old, non-recently-used keys unable to support signing of transactions. We trust that Satoshi (and other large holders) will not drop 1M, or worse 10M coins onto exchanges crashing the price to a few cents per coin! There’s no “too big to fail” here!

In truth real-world people actually like to trust things. They want to trust that their national governments will ensure services work and that invaders are kept out. They want to trust that law enforcement, fire and medical services will keep them safe. I’m not sure that I like the idea of a trustless Police force?

What people do like is the ability to verify that the entities that they actually do trust are in fact doing what they should. Blockchain designs allow us to do just this.

That last statement in particular succinctly summarizes some of the motivations for financial institutions looking to use a shared ledger that is not the Bitcoin blockchain.

On p. 12, I disagree with this statement:

While the permissioned nature of blockchains for proprietary applications may be a necessary compromise in the medium term because of compliance and other factors, read access to blockchain data together with the publicly available blockchain protocol would remove most of the vulnerabilities associated with opaque blockchain designs and would be more appealing to the clients of the institution(s) operating the blockchain. As evidenced by Bitcoin, simplified payment verification software can be used to provide a direct interface to blockchain data that would be both secure and not resource intensive.

The reason I disagree with this statement is because the term “opaque” is loaded and ill-defined.

For instance, several groups within the Bitcoin ecosystem have spent the last several years trying to delink or obfuscate transaction history via zk-SNARKs, stealth addresses, mixing via Coinjoin and Coinshuffle and other methods. This type of activity is not addressed by Bitfury — will they process Bitcoin transactions that are obfuscated?

Granular permissions — who is allowed to see, read or write to a ledger — is a characteristic some of these same Bitcoin groups are not fans of but is a needed feature for financial institutions. Why? Because financial institutions cannot leak or expose personal identifiable information (PII) or trading patterns to the public.

Securely creating granular permissions is doable and would not necessarily reduce safety or transparency for compliance and regulatory bodies. Operating a non-public ledger is not the same thing as being “opaque.” While hobbyists on social media may not be able to look at nodes run by financial institutions, regulators and compliance teams can still have access to the data.

It also bears mentioning that another potential reason some public blockchains have and/or use a token is as an anti-spam mechanism (e.g., in Ripple and Stellar a minute amount is burnt).[1]

On p. 13, I disagree with this statement:

The problem is somewhat mitigated if the access to block headers of the chain is public and unrestricted; however, convincing tech-savvy clients and regulators that the network would be impervious to attacks could still be a difficult task, as colluding operators have the ability to effortlessly reorganize the arbitrary parts of the blockchain at any given moment. Thus, the above consensus protocol is secure only if there is no chance of collusion among blockchain operators (e.g., operators represent ideal parties with conflicting interests). Proof of work provides a means to ensure absence of collusion algorithmically, aligning with the overall spirit of blockchain technology.

This is untrue. People run pools, people run farms. Earlier this year Steve Waldman gave a whole presentation aptly named “Soylent Blockchains” because people are involved in them.

As we have seen empirically, pool and farm operators may have conflicting incentives and this could potentially lead to collusion. Bitcoin’s “algorithms” cannot prevent exogenous interactions.

On p. 14 I disagree with this statement:

There is still a fixed number of miners with known identities proved by digital signatures in block headers. Note that miners and transaction processors are not necessarily the same entities; in the case that mining is outsourced to trusted companies, block headers should include digital signatures both from a miner and one or more processing institutions.

Having a “trusted company” run a proof-of-work mining farm is self-defeating with respect to maintaining pseudonymity on an untrusted network (which were the assumptions of Bitcoin circa 2009). If all miners are “trusted” then you are now operating a very expensive trusted network. This also directly conflicts with the D in DMMS (dynamic-membership multi-party signature).

According to Dave Hudson:

If the signing is actually the important thing then we may as well say there’s a KYC requirement to play in the network and we can scale it all the way back to one modest x86 server at each (with the 1M x reduction in power consumption). Of course this would kill mining as a business.

On p. 14 I think the Bitfury proposal is also self-defeating:

The proposed protocol solves the problem with the potentially unlimited number of alternative chains. Maintaining multiple versions of a blockchain with proof of work costs resources: electricity and hashing equipment. The hashing power spent to create a blockchain and the hashing power of every miner can be reliably estimated based on difficulty target and period between created blocks; an auditor could compare these numbers with the amount of hashing equipment available to operators and make corresponding conclusions.

The authors go into detail later on but basically they explain what we can already do today: an outside observer can look at the block headers to see the difficulty and guess how much hashrate and therefore capital is being expended on the hash.

On p. 15 they present their proposal:

Consequently, $10 million yearly expenses on proof of work security (which is quite low compared to potential gains from utilizing blockchain technology, estimated at several billion dollars per year [54]) correspond to the hash rate of approximately 38 PHash / s, or a little less than 10% of the total hash rate of the Bitcoin network.

This is entirely unneeded. Banks do not need to spend $10 million to operate hardware, or to outsource operation of that hardware to Bitfury’s $100 million Georgia-based hydro-powered facilities.

According to Dave Hudson:

Precisely; banks can use a permissioned system that doesn’t need PoW. I think this also misses something else that’s really important: PoW is necessary in the single Bitcoin blockchain because the immutability characteristics are derived from the system itself, but if we change those starting assumptions then there are other approaches that can be taken.

In section 3.1 the authors spend some time discussing merged mining and colored coins but do not discuss the security challenges of operating in a public environment. In fact, they assume that issuing colored coins on a public blockchain is not only secure (it is not) but that it is legal (probably not either).2

On p. 16 they mention “transaction processors,” which is a euphemism that Bitfury has been using for over a year now. They dislike being called a mining company, preferring the phrase “transaction processors,” yet their closed pool does not process any kind of transactions beyond the Bitcoin variety.

On page 17 they wrote:

[M]aintenance of the metachain could be outsourced to a trusted security provider without compromising confidential transaction details.

If taken to the logical extreme and all of the maintenance was “outsourced” to trusted security providers they would have created a very expensive trusted network. Yet in their scenario, financial institutions would have to trust a Republic of Georgia-based company that is not fully transparent.

Also on page 17 they start talking about “blockchain anchors.” This is not a new or novel idea. Other developers have spoken about it in the past, and Guardtime puts anchors into newspapers like The New York Times (e.g., it publishes the actual hashes in a newspaper). And, again, this could easily be done in other ways too. Why restrict anchoring to one location? This is Bitcoin maximalism at work again.

On p. 20 they wrote:

Bitcoin in particular could be appropriate for use in blockchain innovations as a supporting blockchain in merged mining or anchoring due to the following factors:

  • relatively small number of mining pools with established identities, which allows them to act as known transaction validators by cooperating with institutions

This is self-defeating for pseudonymous interactions (e.g., Bitcoin circa 2008). Proof-of-work was integrated to fight Sybil attacks. If there are only a few mining pools with established identities then there are no Sybils and you effectively have an extremely expensive trusted network.

Notes on Part 2:

On p. 3 they wrote:

If an institution wants to ensure that related Bitcoin transactions are mined by accredited miners, it may send transactions over a secure channel directly to these miners rather than broadcasting them over the network; accepting non-broadcast transactions into blocks is a valid behavior according to the Bitcoin protocol.

An “accredited miner” is a contradiction.

On p. 4 the first paragraph under section 1.3 was well written and seems accurate. But then it falls apart as they did not consult lawyers and financial service experts to find out how the current plumbing in the back-office works — and more importantly, why it works that way.

On p.4 they wrote:

First, the transfer of digital assets is not stored by the means of the Bitcoin protocol; the protocol is unaware of digital assets and can only recognize and verify the move of value measured in bitcoins. Systems integrating digital assets with the Bitcoin blockchain utilize various colored coin protocols to encode asset issuance and transfer (see Section 2.2 for more details). There is nothing preventing such a protocol to be more adapted to registered assets.

Yes, there are in fact things preventing Bitcoin from being used to move registered assets; see “Watermarked tokens and pseudonymity on public blockchains.” And their methods in Section 1.6 are non-starters.

Also on page 4 they wrote:

Second, multisignature schemes allow for the creation of limited trust in the Bitcoin environment, which can be beneficial when dealing with registered assets and in other related use cases. Whereas raw bitcoins are similar to cash, multisignature schemes act not unlike debit cards or debit bank accounts; the user still has a complete control of funds, and a multisignature service provides reputation and risk assessment services for transactions.

This is the same half-baked nonsense that Robert Sams rightly criticized in May. This is a centralized setup. Users are not gaining any advantage for using the Bitcoin network in this manner as one entity still controls access via identity/key.

On p. 5 they wrote:

One of the use cases of the 2-of-3 multisignature scheme is escrow involving a mediator trusted by both parties. A buyer purchasing certain goods locks his cryptocurrency funds with a multisignature lock, which requests two of the three signatures: the buyer’s, the seller’s, and the mediator’s.

This is only useful if it is an on-chain, native asset. Registered assets represent something off-chain, therefore Bitcoin as it exists today cannot control them.

On p. 6 they talk about transactions being final for an entire page without discussing why this is important from a legal perspective (e.g., why courts and institutions need to have finality). This paper ignores how settlement finality takes place in Europe or North America, and regulatory systems are not just going to disappear in the coming months.

On page 7 they mention that:

To prevent this, a protocol could be modified to reject reorganizations lasting more than a specified number of blocks (as it is done in Nxt). However, this would make the Bitcoin protocol weakly subjective [21], introducing a social-driven security component into the Bitcoin ecosystem.

There is already a very publicly known, social-driven security component: the Bitcoin dev mailing list. We see this almost daily with the block-size debate. The statement above seems to ignore what actually happens in practice versus theory.

On p. 7 and 8 they write:

The security of the Bitcoin network in the case of economic equilibrium is determined by the rewards received by block miners and is therefore tied to the exchange rate of Bitcoin. Thus, creating high transaction throughput of expensive digital assets on the Bitcoin blockchain with the help of colored coin protocols has certain risks: it increases the potential gain from an attack on the network, while security of the network could remain roughly the same (as there are no specific fees for digital asset transactions; transaction fees for these transactions are still paid in bitcoins). The risk can be mitigated if Bitcoin fees for asset transactions would be consciously set high, either by senders or by a colored coins protocol itself, allowing Bitcoin miners to improve security of the network according to the value transferred both in bitcoins and in digital assets.

There is no way to enforce this increase in fee. How are “Bitcoin fees for asset transactions … consciously set high”? This is a question they never answer; (Rosenfeld 2012) did not answer it, no one does. It is just assumed that people will start paying higher fees to protect off-chain securities via Bitcoin miners.

There is no incentive to pay more and this leads to a hold-up problem described in the colored coin “game” from Ernie Teo.

On p. 8 they wrote:

As there is a relatively small number of Bitcoin mining pools, miners can act as known processors of Bitcoin transactions originating from institutions (e.g., due to compliance reasons). The cooperation with institutions could take the form of encrypted channels for Bitcoin transactions established between institutions and miners.

This is silly. If they are known and trusted, you have a trusted network that lacks a Sybil attacker. There is no need for proof-of-work mining equipment in such a scenario.

On p. 8 they wrote:

In the ideal case though, these transactions would be prioritized solely based on their transaction fees (i.e., in a same way all Bitcoin transactions are prioritized), which at the same time would constitute payments for the validation by a known entity. Thus, this form of transaction processing would align with the core assumption for Bitcoin mining – that miners are rational economic actors and try to maximize their profit.

It cannot be assumed that miners will all behave as “rational economic actors.” They will behave according to their own specific incentives and goals.

On p. 9 they wrote:

Additionally, partnerships between institutions and miners minimize risk in case transactions should not be made public before they are confirmed.

Registered and identifiable miners are the direct antithesis of pseudonymous interactions circa Bitcoin 2008. That type of partnership is a win-lose interaction.

On p. 10 they wrote:

One of the interesting financial applications of colored coins is Tether (tether.to), a service using colored coins to represent US dollars for fast money transfer. Several cryptocurrencies such as Nxt and BitShares support custom digital assets natively.

As it exists today, Tether.to is similar in nature to a Ripple gateway such as SnapSwap: both are centralized entities that are subject to multiple regulatory and compliance requirements (note: SnapSwap recently exited its USD gateway business and locked out US-based users from its BTC2Ripple business).


According to FinCEN’s MSB Registrant Search Web page, Tether has a registration number (31000058542968) and one MSB.  While they have an AML/CTF program in place, it is unclear in its papers how Bitfury believes the Bitcoin network (which Tether utilizes) can enforce exogenous claims (e.g., claims on USD, euros, etc.).

Furthermore, there has been some recent research looking at how the Federal Reserve and the Bank of England could use distributed ledgers to issue digital currency.3

If a central bank does utilize some kind of distributed ledger for a digital currency they do not need proof-of-work mining or the Bitcoin network to securely operate and issue digital currency.

Ignoring this possible evolution, colored coins are still not a secure method for exogenous value transfers.

On page 10 they wrote:

Colored coins are more transparent for participants and auditors compared to permissioned blockchains

This is untrue and unproven. As Christopher Hitchens would say, what can be asserted without evidence can be dismissed without evidence.

On page 10 they wrote:

As colored coins operate on top of permissionless blockchains, systems using colored coins are inherently resistant to censorship – restrictions on transactions are fully specified by a colored coins protocol instead of being enforced by a certain entity

This is also untrue. This is a bit like trying to have their cake and eat it too.

On page 11 they have a diagram which states:

Figure 2: Using colored coins on top of the Bitcoin blockchain to implement asset transactions. For compliance, financial institutions may use secure communication channels with miners described in Section 2.1 to place asset transactions on the blockchain

Again this is self-defeating. As the saying goes: be careful what you wish for. If Bitfury’s proposal came true, their pool(s) could become payment service providers (PSP) and regulated by FinCEN.

On page 12 and 13 they wrote:

Bitcoin and other public permissionless blockchains could be a part of the interconnected financial environment similarly to how cash is a ubiquitous part of the banking system. More concretely, cryptocurrencies could be used as:

  • one of the means to buy and sell assets on permissioned blockchains
  • an instrument that enables relatively fast value transfer among permissioned blockchains
  • an agreed upon medium for clearing operations among blockchains maintained by various institutions (Fig. 4).

Bitcoins as a permanent store-of-value are effectively a non-starter as they lack any endogenous self-stabilizing mechanism.4

According to Dave Hudson:

The systemic risks here just make this idea farcical. The Internet is somewhat immune to this because there are technology providers all over the world who can independently choose to ignore things in regulatory domains that want to do “bad things”. There is no such safety net in a system that relies on International distributed consensus (the Internet has no such problem, although DNS is a little too centralized right now). Even if it could somehow be guaranteed that things can’t be changed, fixed coin supply means artificial scarcity problems are huge (think Goldfinger trying to irradiate the gold in Fort Knox) – you wouldn’t need a nuclear weapon, just a good piece of malware that could burn coins (if they’re not stolen then there’s no way to trace who stole them). There’s also the 1M coins dropped onto exchanges problem.

The discussion over elastic and inelastic money supplies is a topic for another post.

On page 15 they wrote:

If a blockchain is completely opaque for its end users (e.g., a blockchain-based banking system that still uses legacy communication interfaces such as credit cards), the trustless aspect of blockchains is substantially reduced. End users cannot even be sure that a blockchain system is indeed in use, much less to independently verify the correctness of blockchain data (as there is no access to data and no protocol rules to check against). Human factor remains a vulnerability in private blockchain designs as long as the state of the blockchain is not solely based on its protocol, which is enforced automatically with as little human intervention as possible. Interaction based on legacy user authentication interfaces would be a major source of vulnerabilities in the case of the opaque blockchain design; new interfaces based on public key cryptography could reduce the associated risk of attacks.

While mostly true, there are existing solutions to provide secure verification. It is not as if electronic commerce did not or could not occur before Bitcoin came into existence. Some private entities take operational security seriously too. For instance, Visa’s main processing facility has 42 firewalls and a moat.

On page 15 they wrote:

Proprietary nature of private blockchains makes them less accessible; open sourced and standardized blockchain implementations would form a more attractive environment for developers and innovations. In this sense, blockchains with a public protocol are similar to open Internet standards such as IP, TCP and HTTP, while proprietary blockchain designs could be similar to proprietary Internet protocols that did not gain much traction. A proprietary blockchain protocol could contain security vulnerabilities that remain undiscovered and exploited for a long time, while a standardized open blockchain protocol could be independently studied and audited. This is especially true for protocols of permissionless blockchains, as users have a direct economic incentive to discover vulnerabilities in the system in order to exploit them.

This is just scaremongering. While some of the “blockchain” startups out there do in fact plan to keep the lower layers proprietary, the general view in October 2015 is that whatever bottom layer(s) are created will probably be open-sourced and an open standard. Bitcoin doesn’t have a monopoly on being “open” in its developmental process.

On page 15 they wrote:

As the Bitcoin protocol has been extensively studied by cryptographers and scientists in the field, it could arguably form the basis for the standardized blockchain design.

This is untrue; it cannot be the backbone of a protocol as it is not neutral. In order to use the Bitcoin network, users are required to obtain what are effectively illiquid pre-paid gift cards (e.g., bitcoins). Furthermore, an attacker cannot collect “51%” of all TCP/IP packets and take over the “internet,” whereas with Bitcoin there is a real “majoritarianism” problem due to how network security works.

A truly neutral protocol is needed and there have been at least two proposals.5

On page 15 they wrote:

The key design element of blockchains is “embedded economy” – a superset of embedded security and transaction validation. Each blockchain forms its own economic ecosystem; a centrally controlled blockchain is therefore a centrally controlled economy, with all that entails.

This is untrue. If we are going to use real-world analogies: Bitcoin’s network is not dynamic but rather disperses static rewards to its labor force (miners). It is, internally, a rigid economy and if it were to be accurately labeled, it is a command economy that relies on altruism and VC subsidies to stay afloat.6

On page 16 they wrote:

It is not clear how the blockchain would function in the case validators would become disinterested in its maintenance, or how it would recover in the case of a successful attack (cf. with permissionless blockchains, which offer the opportunity of self-organization).

The statement above is unusual in that it ignores how payment service providers (PSPs) currently operate. Online commerce for the most part has existed and likely will continue to exist despite the needed maintenance and profit-motive of individual PSPs. There are multiple motivations for continued maintenance of transfer agreements — this is not a new challenge.

While it is true that there will likely be dead networks in the future (just like dead ISPs in the past), Bitcoin also suffers from a sustainability problem: it continually relies on altruism to be fixed and maintained and carries with it an enormous collective action burden, which we see with the block-size debate.

There are over a hundred dead proof-of-work blockchains already, a number that will likely increase because they are all public goods that rely on external subsidies to exist. See Ray Dillinger’s “necronomicon” for a list of dead alt coins.

If Bitfury’s proposal for having a set of “fixed” miners arises, then it is questionable how much self-organization could take place in a static environment surrounding a public good.

Conclusion

Despite the broad scope of the two papers from Bitfury neither was able to redress some of the most important defects that public blockchains have for securing off-chain assets:

  • how is legal settlement finality resolved
  • how to incentivize the security of layers (such as colored coins) which distort the mining process
  • how to enforce the security of merged mining which empirically becomes weaker over time

If Bitfury is truly attempting to move beyond merely processing Bitcoin transactions in its Georgian facilities, it needs to address what constraints and concerns financial institutions actually face and not just what the hobbyist community on social media thinks.

  1. See also: Needing a token to operate a distributed ledger is a red herring and A blockchain with emphasis on the “a”
  2. See also: Can Bitcoin’s internal economy securely grow relative to its outputs? and Will colored coin extensibility throw a wrench into the automated information security costs of Bitcoin?
  3. This includes: Fedcoin—how banks can survive blockchains by Robin Winkler and Centrally Banked Cryptocurrencies by George Danezis and Sarah Meiklejohn
  4. See Seigniorage Shares from Robert Sams
  5. See: A Protocol for Interledger Payments by Stefan Thomas and Evan Schwartz and An architecture for the Internet of Money by Meher Roy
  6. See also: Chapter 10 in The Anatomy of a Money-like Informational Commodity and Economic Aspects of Bitcoin and Other Decentralized Public-Ledger Currency Platforms by David Evans

Integrating, Mining and Attacking: Analyzing the Colored Coin “Game”

[Note: Below is a guest post from Ernie Teo, a post-doctorate researcher at SKBI (where I am currently a visiting research fellow).  It is referenced in a new paper covering the distorted incentives for securing public blockchains.]

Integrating, Mining and Attacking: Analyzing the Colored Coin “Game”

By Ernie G. S. Teo, Sim Kee Boon Institute for Financial Economics,
Singapore Management University

The research in this post came about when Tim Swanson invited me to look at colored coin providers and their incentives from a game theory perspective. The results are based on a number of phone conversations with Tim; I would like to take the opportunity to thank Tim for his insights on the matter. For an introduction to what colored coins are, refer to Chapter 3 in Great Chain of Numbers.

The initial question Tim wanted to answer was whether, if colored coins can be identified, miners will charge excessively high fees to include these transactions. This led to a discussion of the possibility of the colored coin issuer becoming a miner, and of an attack on the network to take control of the colored assets.

The problem proved to be very interesting as there could be many implications on the success of the system given the potential costs and benefits. Entities or players within the “game” could strategically choose to sabotage themselves if the incentives were right. In this post, I will attempt to explain this using a “sequential game” format. I will explain the various stages where choices can be made and the players involved in each stage. This will be followed by an analysis of the various outcomes and the strategic choices of each party given the incentives involved.

Before we start, I would like to disclaim that the model that follows is a simplified version of the problem and helps us to think about the potential issues that could arise. They are based on various assumptions and in no way should the results be taken at face value.

Stage 1: Before the colored coin issuer (CCI) starts operations, we assume that they will consider whether to become a miner (assuming that they can include their own transactions into blocks if no one else would). The decision maker (or player) here is the CCI, and the choices available are to integrate or to not integrate.

Stage 2a: When the CCI starts issuing colored coins, it would have to decide on the fees it would pay for the transaction. We assume that the CCI is a rational entity and will choose the optimal fees. However, as there are two possibilities in stage 1, there will be 2 possible fees quoted: one for a CCI who is also a miner (integrated) and another for a CCI who is not a miner (non-integrated). The decision maker here is the CCI and the choice is the fee quoted.

Stage 2b: This is immediately followed by the miners deciding to include the transaction in the block or not. For simplicity’s sake, we assume that there is only one miner in this game (this can be the CCI). The decision maker here is the miner and the choice is to mine the transaction or not.

If the decision in Stage 2b is not to mine, the game ends (End 1).

Stage 3: We next assume that the miner can choose to fraudulently attack the system and transfer the colored coin to itself. The decision maker here is still the miner and the choice is to attack or not.

This gives us 2 alternative endings (End 2 and End 3). The game can be described by Figure 1.


Figure 1: The stages of the “game”

If we consider the game, there are only 2 decision makers or players: the CCI and the miner. Next, we consider the possible outcomes or payoffs for each possible ending described above. This is described in Figure 2 below; there are actually 6 possibilities as there are 2 types of CCIs, integrated and non-integrated. When there is integration, there is really only one player.


Figure 2: Payoffs of the game

Having set up the game and determined the payoffs, we analyze the possibilities of each outcome. This is subject to the comparative magnitude of each payoff. Let’s start with the non-integrated outcomes, where there are 3 possibilities:

  1. Not Integrated. Mined. Attacked.
  2. Not Integrated. Mined. Not Attacked.
  3. Not Integrated. Not Mined.

An attack happens if M3>M2 (this will happen if the net benefit of the attack is positive).

If M3>M2, the transaction will be mined if M3>M1. This is because the miner expects the attack to take place; the miner will thus only mine the transaction if the payoff from mining and attacking is better than not mining. Since we assumed that M1=0, M3 will always be larger than M1. Thus when M3>M2, mining always takes place and an attack happens.

If M2>M3, the attack will not happen (this would indicate that the net benefit of the attack is negative). The transaction will be mined if M2>M1, or equivalently if the transaction fee is positive.

The transaction will not be mined if M1≥M2. Since M2 (the transaction fee) has to be at least zero, if M2=0, the transaction will not be mined.

To summarize, there are 3 scenarios:

  1. M3>M2≥M1: The transaction is mined and an attack takes place. The CCI gets CC3NI.
  2. M2>M3 and M2>M1: The transaction is mined and an attack will not take place. Note that the inequality between M1 and M3 does not matter for this outcome. The CCI gets CC2NI.
  3. M1≥M2>M3: The transaction is not mined. The CCI gets CC1NI.

In stage 1, the CCI is making the decision to integrate. To analyze this, we need to compare the non-integrated outcomes with the integrated ones. We thus have to look at the integrated outcomes first before we discuss stage 1. The outcomes are:

  1. Mined. Attacked.
  2. Mined. Not Attacked.
  3. Not Mined.

An attack happens if CC3I>CC2I. (This again will happen if the net benefit of the attack is positive).

If CC3I>CC2I, mining will occur if CC3I>CC1I. Similar to the non-integrated case, CC3I is always larger than CC1I. In fact this case is stronger, as CC1I is at most zero and is likely to be negative as it is a cost. Thus if the CCI is willing to launch an attack against itself, it will definitely mine the transaction.

If CC2I>CC3I, no attack happens. For mining to occur, CC2I≥CC1I (the CCI will prefer to mine if it is indifferent). CC2I will always be larger than CC1I unless mining fees are zero (in which case they are equal), so mining will always occur if CC2I>CC3I.

For mining to not occur, CC1I>CC2I or CC1I>CC3I needs to hold. To summarize, there are 3 scenarios:

  1. CC3I>CC2I and CC3I>CC1I: The transaction will be mined and an attack occurs. CC3I is the final payoff.
  2. CC2I>CC3I and CC2I>CC1I: The transaction is mined and no attack happens. CC2I is the final payoff.
  3. CC1I>CC3I (we had determined that CC1I>CC2I could not be possible): No mining occurs. CC1I is the final payoff.

Note that we have determined that mining will always occur if the CCI chooses to integrate. Thus there are only 2 relevant scenarios instead of the 3 found in the non-integrated case. The main assumption is that the CCI miner will be able to get its transaction included on the blockchain; this could be either because it is the only miner or it has invested in sufficient computing resources to ensure it.

There are a total of 9 combinations of events detailed in Figure 3. Figure 3 also shows the conditions required for integration to occur under each scenario.


Figure 3: Analyzing the Integration Choice.


Figure 2: Payoffs of the game

Referring back to figure 2, we can make the following assumptions:

CC1NI is always larger than CC1I

CC2NI is always larger than CC2I

CC2NI is always larger than CC1I

Thus the 3 inequalities highlighted in red in Figure 4 are never possible, no integration will occur in scenario B+E, B+F and C+F.

In the other 6 scenarios, integration could occur given the right conditions. We can make some predictions on what is likely to occur.

  1. In all scenarios with event A (A+D, A+E and A+F) where the non-integrated miner attacks, it is likely that the CCI prefers to integrate.
  2. In scenario B+D, there are two possibilities. If the cost of attack is large, the CCI will not integrate. Otherwise, it will integrate and reap the benefits of launching an attack on itself.
  3. When event C occurs and no integration takes place, the transaction will not be mined and the CCI gets nothing. Integration will thus occur as long as the cost of integration is small enough. This is relevant for scenarios C+D and C+E, as we have ruled out C+F earlier.

One may ask if the CCI would want to attack itself. Well, if the benefit of attacking is large, a colored coin issuer may want to attack the network to derive a one-time benefit even though the company will never be trusted afterwards. However, this is unlikely, as the cost of integration has to be extremely large for the CCI to be able to successfully attack the network.

Finally to answer our initial question, let us consider the issue of whether a non-integrated miner (in the event that a colored coin transaction can be identified) will force the CCI to quote high fees in order to get the transaction included. This is only relevant in the scenarios where the CCI initially chooses not to integrate. However, if colored transactions can be identified, miners can choose not to include these transactions unless the transaction fees are high enough. The fee can only be so high that it does not force the CCI to choose integration instead. In general, we can say that this fee cannot be higher than the cost of integration (this would refer to the per transaction cost of integration on average).

Based on this “game”, will colored coins be able to exist on a network such as Bitcoin? If colored transactions can be identified, there could be 2 issues: 1. the colored assets are so valuable that the non-integrated miner would want to attack the system; 2. the fees do not incentivize non-integrated miners to include the transactions. To overcome these issues the CCI could choose to integrate (or become a miner with sufficient computing power to be able to ensure that its transactions get recorded). However, if the cost of doing so is too high to be justifiable, the CCI is better off not operating at all.
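Working through the game above in code, as an added example that is not part of Ernie Teo's post: the functions below resolve the tree by backward induction using the post's symbols (M1..M3, CC1NI..CC3NI, CC1I..CC3I), and `build_payoffs()` is a constructed parametric stand-in for Figure 2, whose inputs (fee, asset value, attack gain and cost, integration cost, reputation loss) are assumptions of this example rather than values from the post.

```python
"""Backward-induction model of the colored coin "game" (added example).

M1/M2/M3: the outside (non-integrated) miner's payoffs for (not mined,
mined & not attacked, mined & attacked).  CC*NI / CC*I: the colored coin
issuer's (CCI) payoffs when not integrated / integrated.  build_payoffs()
is a constructed stand-in for Figure 2, which the post gives only as an image.
"""
from dataclasses import dataclass

NOT_MINED = "not mined"
MINED = "mined, not attacked"
ATTACKED = "mined, attacked"


@dataclass(frozen=True)
class Payoffs:
    M1: float
    M2: float
    M3: float
    CC1NI: float
    CC2NI: float
    CC3NI: float
    CC1I: float
    CC2I: float
    CC3I: float


def resolve_non_integrated(p):
    """Stages 2b and 3 with an outside miner.  Returns (outcome, CCI payoff)."""
    if p.M3 > p.M2:
        # The miner anticipates its own attack, so it mines only when
        # mining-and-attacking beats not mining at all (M1).
        return (ATTACKED, p.CC3NI) if p.M3 > p.M1 else (NOT_MINED, p.CC1NI)
    # No attack is worthwhile: mine only if the fee beats doing nothing.
    return (MINED, p.CC2NI) if p.M2 > p.M1 else (NOT_MINED, p.CC1NI)


def resolve_integrated(p):
    """Same stages when the CCI is the miner and judges by its own payoffs."""
    if p.CC3I > p.CC2I:
        return (ATTACKED, p.CC3I) if p.CC3I > p.CC1I else (NOT_MINED, p.CC1I)
    # Per the post, the CCI mines when indifferent, hence >= rather than >.
    return (MINED, p.CC2I) if p.CC2I >= p.CC1I else (NOT_MINED, p.CC1I)


def resolve_game(p):
    """Stage 1: the CCI integrates iff the integrated branch pays strictly more.
    Breaking ties in favour of not integrating is an assumption of this example."""
    ni_outcome, ni_pay = resolve_non_integrated(p)
    i_outcome, i_pay = resolve_integrated(p)
    integrate = i_pay > ni_pay
    return {"integrate": integrate,
            "outcome": i_outcome if integrate else ni_outcome,
            "cci_payoff": i_pay if integrate else ni_pay}


def satisfies_figure2_assumptions(p):
    """The three inequalities the post reads off Figure 2."""
    return p.CC1NI > p.CC1I and p.CC2NI > p.CC2I and p.CC2NI > p.CC1I


def build_payoffs(fee, asset_value, attack_gain, attack_cost, integration_cost,
                  reputation_loss):
    """Constructed payoff model (an assumption of this example, not the post's):
    - the miner earns the fee; an attack adds attack_gain and costs attack_cost;
    - the CCI earns asset_value from a recorded transfer, nothing if it is not
      mined, and loses the asset if attacked;
    - integrating costs integration_cost, and the fee then nets to zero;
    - a CCI attacking its own customers additionally bears reputation_loss."""
    cc2i = asset_value - integration_cost
    return Payoffs(
        M1=0.0, M2=fee, M3=fee + attack_gain - attack_cost,
        CC1NI=0.0, CC2NI=asset_value - fee, CC3NI=-asset_value,
        CC1I=-integration_cost, CC2I=cc2i,
        CC3I=cc2i + attack_gain - attack_cost - reputation_loss)


def max_fee_without_integration(asset_value, attack_gain, attack_cost,
                                integration_cost, reputation_loss, step=1.0):
    """Largest fee an outside miner can demand while the CCI still does not
    integrate and the transaction is still mined (None if no such fee exists).
    Scans fees from 0 to asset_value in increments of `step`."""
    best = None
    fee = 0.0
    while fee <= asset_value:
        result = resolve_game(build_payoffs(fee, asset_value, attack_gain,
                                            attack_cost, integration_cost,
                                            reputation_loss))
        if not result["integrate"] and result["outcome"] == MINED:
            best = fee
        fee += step
    return best


if __name__ == "__main__":
    # Constructed inputs: attack unprofitable for the miner, integration costs 50.
    print(max_fee_without_integration(100.0, 100.0, 200.0, 50.0, 500.0))
```

With these constructed payoffs the fee cap comes out equal to the integration cost, matching the post's conclusion, and the Figure 2 inequalities stop holding exactly when the fee exceeds that cost.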

Some housekeeping of events and interviews

It has been a little while since I posted the events, panels and presentations I have been involved with.  Below is some of the public activity over the past 5-6 months.

Interviews with direct quotes:

Indirect quotes:

Academic citations:

Presentations, panels and events:

Designing a Global Fabric for Finance (G3F)

Over the past two weeks there have been a number of news stories related to R3 — a fintech startup that I now work at.  The first was from the Financial Times, entitled Blockchain initiative backed by nine large investment banks.  Today we announced that an additional 13 banks have joined our effort.

Although I cannot speak for the whole team, I can give you the vision I have with the aim of bringing clarity to the various bits of information that have been circulating.

Homework

Over the past year, the R3 team has spent copious amounts of time conducting due diligence on the greater “distributed ledger” or “shared ledger” space.  I joined as an advisor in January when they were already knee deep in the task; I am now Director of Market Research.

What I and several others on the team found is that while there were a number of orthogonally useful pieces floating around (such as multisig and ideas like Enigma), none of the publicly available technology platforms that have been funded by venture capital provided a flexible, holistic base layer with the specific functional requirements for secure, scalable enterprise use.

This includes incorporating non-functionals that globally regulated financial institutions must adhere to such as: compliance, privacy, reporting and reconciliation.  Similarly, many of the venture funded projects also failed to address the business requirements of these same institutions.

In sportsball terms, the nascent industry is 0-for-2 in their current approach.

Some of that is understandable; for example, Bitcoin solves a set of problems for a niche group of individuals operating under certain security assumptions (e.g., cypherpunks not wanting to interface with banks or governments).  Regulated financial institutions do not operate under those assumptions, thus axiomatically Bitcoin in its current form is highly unlikely to be a solution to their problems at this time.  As a consequence, the technology solutions pitched by many of these startups are hammers looking for nails that do not exist in the off-chain world.

R3 is not a Bitcoin company nor a cryptocurrency company.  We are not seeking to build a “better” or even a different type of virtual currency.  Why not?  Instead of starting with a known solution, such as a spreadsheet, we are starting with the problem set which continually influences the customized solution.  This is one of the biggest reasons I was attracted to this specific effort: R3 is not a re-enactment of Field of Dreams.  Build it with the hopes that someone will come is the siren song, the motto even, for throngs of failed startups.

But weren’t the original shared ledgers — often called blockchains — robust enough to protect all types of assets and a legion of use-cases?

Many public ledgers were originally designed to secure endogenous, on-chain information (e.g., the native token) but in their current incarnations are not fit for purpose to handle off-chain titles.  For instance, Bitcoin was not initially designed to secure exogenous data — such as transmitting high-value off-chain securities — vis-a-vis pseudonymous miners.  And it appears all attempts to mutate Bitcoin itself into a system that does end up creating a less secure and very expensive P-o-P network.

What are we doing then?

Rather than try to graft and gerrymander our business requirements onto solutions designed for other problems, we are systematically looking at a cornucopia of challenges and cost-drivers that currently exist at financial institutions.  We will seek to address some of these drivers with a generalized agnostic fabric, with layers that fulfill the critical infrastructure specifications of large enterprises and with services that can be run on top in a compliant fashion.

What is a Global Fabric for Finance (G3F) then?  If you had the chance to build a new financial information network from scratch that incorporated some of the elements and learnings of the shared ledger world, what would it look like?

For starters, a fabric specifically built for and by trusted parties does not need something akin to mining or block rewards.  In fact, not only is there no Sybil spoofing problem on a trusted network, but there are already many known, existing methods for securely maintaining a transaction processing system.  Consequently, needing a block reward may (or may not) be a red herring and has likely been a costly, distracting sideshow to other types of utility that this technology represents.

If trust is not an issue, what use (as Arvind Narayanan and certain high profile enthusiasts have asked) is any part of the shared ledger toolkit?  There are a number of uses, many of which I touched on in a paper back in April.

What about specific use-cases?

While a number of ideas have surfaced at conferences and media events over the past summer, R3 remains focused on an approach of exploration and ideation.

And while there will likely be some isolated tests of some use-case(s) in sandboxes in the coming year, it is important to reflect on the G3F vision, which will be further elaborated on by Richard Brown (our head of technology) in the coming weeks.  If the fabric is only capable of handling one or two specific asset classes, it will fall short of the mandate of being a generalized fabric used to secure financial information for enterprises.

Why directly work with banks during this formative stage?  Why not just raise money and start building and shipping code?

To be frank, if financial institutions and regulatory bodies are not involved and engaged from the beginning, then whatever fabric is created will likely: 1) fail to be viewed as an authoritative and legal record of truth and 2) fall short of adequately addressing their exacting needs.  It would be a non-starter for a financial institution to use technology that is insecure, or whose on-chain record is considered non-canonical by off-chain authorities.

What does that mean?

While some in the shared ledger community would like to believe that dry, on-chain code supersedes off-chain wet-code, the facts on the ground continue to contradict that thesis.  Therefore, if you are going to create a non-stealth fintech startup, it must be assumed that whatever products and services you create will need to operate under existing laws.  Otherwise you will spend most of your time hiding out in remote Caribbean islands or Thailand.

Growth

The R3 team is comprised of pragmatic thinkers and doers, experienced professionals who understand that a financial system cannot be built with up and down votes on reddit or whose transaction processors may reside in sanctioned countries.

(Image: XKCD comic on standards)

Source: XKCD

While nothing is finalized at the time of this writing, it is our aim at R3 to make the underlying base layer of this fabric both open sourced and an open standard.

After all, a foundation layer this critical would benefit from the collective eyeballs of the entire programming community.  It also bears mentioning that the root layer may or may not even be a chain of hashed blocks.

Furthermore, we are very cognizant of the fact that the graveyard for building industry standards is deep and wide.  Yet, as I mentioned to IBT, failing to create a universal standard will likely result in additional Balkanization, recreating the same silos that exist today and nullifying the core utility of a shared ledger.

It is a pretty exciting time in modern history, where being a nerd — even a cryptonerd — means you are asked to appear on stage in front of decision makers, policy makers, captains of industry and social media influencers.  Some even get to appear in person and not just as a telepresence robot.  Yet as neat as some of the moon math and cryptographic wizardry may be, failing to commercialize it in a sustainable manner could leave many of the innovative forks, libraries and github repos no more than starry-eyed science fair projects.

To that end, we are currently hiring talented developers keen on building a scalable, secure network.  In addition, rather than reinventing the wheel, we are also open to partnerships with existing technology providers who may hold key pieces to building a unified standard.  I am excited to be part of this mathematical industrial revolution; it’s time to strike while the iron is hot and turn good academic ideas into commercial reality.  Feel free to contact us.

What is permissioned-on-permissionless?

As of this writing, more than half of all VC funding to date has gone into building permissioned systems on top of a permissionless network (Bitcoin). Permissioned-on-Permissionless (PoP) systems are an odd hydra: they have all of the costs of Sybil-protected permissionless systems (e.g., high marginal costs) without the benefits of actual permissioned systems (e.g., fast confirmations, low marginal costs, direct customer service).

Thus it is curious to hear some enthusiasts and VCs on social media and at conferences claim that the infrastructure for Bitcoin is being rolled out to enable permissionless activity when the actual facts on the ground show the opposite is occurring.  To extract value, maintain regulatory compliance and obtain a return-on-investment, much of the investment activity effectively recreates many of the same permission-based intermediaries and custodians that currently exist, but instead of being owned by NYC and London entities, they are owned by funds based near Palo Alto.

For example, below are a few quotes over the past 18 months.

In a February 2014 interview with Stanford Insights magazine, Balaji Srinivasan, board partner at Andreessen Horowitz and CEO of 21inc, stated:

Thus, if the Internet enabled permissionless innovation, Bitcoin allows permissionless monetization.

In July 2015, Coinbase announced the winners of its hackathon called BitHack, noting:

The BitHack is important to us because it taps into a core benefit of Bitcoin: permissionless innovation.

Also in July 2015, Alex Fowler, head of business development at Blockstream, which raised $21 million last fall, explained:

At Blockstream, our focus is building and supporting core bitcoin infrastructure that remains permissionless and trustless with all of the security and privacy benefits that flow from that architecture.

Yet despite the ‘permissionless’ exposition, to be a customer of these companies, you need to ask their permission first and get through their KYC gates.

For instance, in Circle’s user agreement they note that:

Without limiting the foregoing, you may not use the Services if (i) you are a resident, national or agent of Cuba, North Korea, Sudan, Syria or any other country to which the United States embargoes goods (“Restricted Territories”), (ii) you are on the Table of Denial Orders, the Entity List, or the List of Specially Designated Nationals (“Restricted Persons”), or (iii) you intend to supply bitcoin or otherwise transact with any Restricted Territories or Restricted Persons.

Is there another way of looking at this phenomenon?

There have been a number of interesting posts in the past week that have helped to refine the terms and definitions of permissioned and permissionless:

Rather than rehashing these conversations, let’s look at a way to define permissionless in the first place.

Permissionless blockchains

(Image: permissionless blockchain mental model)

A couple weeks ago I gave a presentation at the BNY Mellon innovation center and created the mental model above to describe some attributes of a permissionless blockchain.  It is largely based on the characteristics described in Consensus-as-a-service.

DMMS validators are described in the Blockstream white paper.  In their words:

We observe that Bitcoin’s blockheaders can be regarded as an example of a dynamic-membership multi-party signature (or DMMS), which we consider to be of independent interest as a new type of group signature. Bitcoin provides the first embodiment of such a signature, although this has not appeared in the literature until now. A DMMS is a digital signature formed by a set of signers which has no fixed size. Bitcoin’s blockheaders are DMMSes because their proof-of-work has the property that anyone can contribute with no enrolment process. Further, contribution is weighted by computational power rather than one threshold signature contribution per party, which allows anonymous membership without risk of a Sybil attack (when one party joins many times and has disproportionate input into the signature). For this reason, the DMMS has also been described as a solution to the Byzantine Generals Problem [AJK05]

In short, there is no gating or authorizing process to enroll for creating and submitting proofs-of-work: theoretically, validating Bitcoin transactions is permissionless.  “Dynamic-membership” means there is no fixed list of signatories that can sign (i.e. anyone in theory can).  “Multi-party” effectively means “many entities can take part” similar to secure multi-party computation.1

Or in other permission-based terms: producing the correct proof of work, that meets the target guidelines, permits the miner (block maker) to have full authority to decide which transactions get confirmed.  In other words, other than producing the proof-of-work, miners do not need any additional buy-in or vetting from any other parties to confirm transactions onto the blockchain. It also bears mentioning that the “signature” on a block is ultimately signed by one entity and does not, by itself, prove anything about how many people or organizations contributed to it.2

Another potential term for DMMS is what Ian Grigg called a Nakamoto signature.

Censorship-resistance, while not explicitly stated as such in the original 2008 white paper, was one of the original design goals of Bitcoin and is further discussed in Brown’s post above as well as at length by Robert Sams.

The last bucket, suitable for on-chain assets, is important to recognize because those virtual bearer assets (tokens) are endogenous to the network.  DMMS validators have the native ability to control them without some knob flipping by any sort of outside entity.  In contrast, off-chain assets are not controllable by DMMS validators because they reside exogenous to the network.  Whether or not existing legal systems (will) recognize DMMS validators as lawful entities is beyond the scope of this post.

Permissionless investments

What are some current examples of permissionless-related investments?

(Image: tweet from Zooko on permissionless platforms)

Source: Twitter

This past week I was in India working with a few instructors at Blockchain University including Ryan Charles.  Ryan is currently working on a new project, a decentralized version of reddit that will utilize bitcoin.

In point of fact, despite the interesting feedback on the tweet, OB1 itself, the new entity that was formed after raising $1 million to build out the Open Bazaar platform, is permission-based.

How is it permission-based when the DMMS validators are still permissionless?  Because OB1 has noted it will remove illicit content on-demand from regulators.

In an interview with CoinDesk, Union Square Venture managing partner, Brad Burnham stated that:

Burnham acknowledged that the protocol could be used by dark market operators, but stressed the OpenBazaar developers have no interest in supporting such use cases.  “They certainly won’t be in the business of providing enhanced services to marketplaces that are selling illegal goods,” he noted.

Based on a follow-up interview with Fortune, Brian Hoffman, founder of OB1, was less specific and a bit hand-wavy on this point; perhaps we will not know until November when they officially launch (note: Tor support seems to have disappeared from Open Bazaar).

One segment of permissionless applications which has some traction but has not had much (if any) direct VC funding includes some on-chain/off-chain casinos (dice and gambling games) and dark net markets (e.g., Silk Road, Agora).  Analysis of this more illicit segment will be the topic of a future post.

What are some other VC-funded startups that raised at least a Series A in funding, that could potentially be called permissionless?  Based on the list maintained by Coindesk, it appears just one is — Blockchain.info ($30.5 million).

Why aren’t Coinbase, Xapo or Circle?  These will be discussed below at length.

What about mining/hashing, aren’t these permissionless activities at their core?

Certain VC funded mining/hashing companies no longer offer direct retail sales to hobbyists; these include BitFury and KnC Miner.  These two known entities, through a variety of methods, have filed information about their operations with a variety of regulators.3  To date BitFury has raised $60 million and it runs its own pool, which accounts for about 16% of the network hashrate.  Similarly, KnC has raised $29 million from VCs and also runs its own pool, currently accounting for about 6% of the network hashrate.

What about other pools/block makers?  It appears that in practice, some require know-your-customer (KYC), know-your-business (KYB), know-your-miner (KYM) and others do not (e.g., selling custom-made hardware anonymously can be tricky).

  • MegaBigPower gathers KYC information.
  • Spondoolies Tech is currently sold out of their hardware but require some kind of customer information to fill out shipping address and customs details.  They have raised $10.5 million in VC funding.
  • GHash allows you to set up a pseudonymous account with throwaway email addresses (or via Facebook and Google+), but they have not published whether they raised any outside funding.
  • Most Chinese hashing and mining pools are privately financed.  For instance, Bitmain has not needed to raise funding from VCs (yet).  They also, currently, do not perform KYC on their users.  I spoke with several mining professionals in China and they explained that none of the big pools (Antpool, F2pool, BTC China pool, BW.com) require KYM at this time.  Over the past four days, these pools accounted for: 21%, 17%, 10% and 8% of the network hashrate respectively — or 56% altogether.  Update 7/29/2015: a representative at BTC China explained that: “Yes, we do KYC the members of our mining pool. We verify them the same way we KYC all registered users on BTCC.”
  • 21inc: not much more is known publicly at this time, but if the idea of a “BitSplit” chip is correct, then what could happen is the following: as more chips are flipped on in devices, the difficulty level rises (in direct proportion to the hashrate added).  As a result, the amount of satoshi per hash declines over time in these devices.  What this will likely lead to is a scenario in which the amount of satoshi mined by a consumer device is less than the “dust limit”, which means a user will likely be unable to move the bitcoins off of the pool without obtaining larger amounts of bitcoin first (in order to pay the transaction fee).  Consequently this could mean the users will need to rely on the services provided by the pool, which could mean that the pool will need to become compliant with KYC/AML regulations.  All of this is speculation at this time and is subject to change.  They have received $121 million in VC funding.
  • As explained above, while individual buyers of hashing equipment, Bob and Alice, do typically have to “doxx” themselves up to some level, both Bob and Alice can resell the hardware on the second-hand market without any documentation.  Thus, some buyers wanting to pay a premium for hashing hardware can do so relatively anonymously through middlemen.4  This is similar to the “second-hand” market for bitcoins too: bitcoins acquired via KYC’ed gateways end up on LocalBitcoins.com and sold at a premium to those wanting to buy anonymously.

Notice a pattern?  There is a direct correlation between permissionless platforms and KYC/AML compliance (i.e., regulated financial service businesses using cryptocurrencies are permissioned-on-permissionless by definition).

Blockchain.info attempts to skirt the issue by marketing themselves as a software platform and for the fact that they do not directly control or hold private keys.5

This harkens back to what Robert Sams pointed out several months ago, that Bitcoin is a curious design indeed where in practice many participants on the network are now known, gated and authenticated except the transaction validators.

What about permissioned-on-permissionless efforts from Symbiont, Chain and NASDAQ?  Sams also discussed this, noting that:

Now, I am sure that the advocates of putting property titles on the bitcoin blockchain will object at this point. They will say that through meta protocols and multi-key signatures, third party authentication of transaction parties can be built-in, and we can create a registered asset system on top of bitcoin. This is true. But what’s the point of doing it that way? In one fell swoop a setup like that completely nullifies the censorship resistance offered by the bitcoin protocol, which is the whole raison d’etre of proof-of-work in the first place! These designs create a centralised transaction censoring system that imports the enormous costs of a decentralised one built for censorship-resistance, the worst of both worlds.

If you are prepared to use trusted third parties for authentication of the counterparts to a transaction, I can see no compelling reason for not also requiring identity authentication of the transaction validators as well. By doing that, you can ditch the gross inefficiencies of proof-of-work and use a consensus algorithm of the one-node-one-vote variety instead that is not only thousands of times more efficient, but also places a governance structure over the validators that is far more resistant to attackers than proof-of-work can ever be.

This phenomenon is something I originally dubbed “permissioned permissionlessness” for lack of a better term, but currently think permissioned-on-permissionless is more straightforward and less confusing.

What does this mean?

Permissioned-on-Permissionless

(Image: Venn diagram of a permissioned-on-permissionless blockchain)

The Venn diagram above is another mental model I used at the BNY Mellon event.

As mentioned 3 months ago, in practice most block makers (DMMS validators) are actually known in the real world.

While the gating process to become a validator is still relatively permissionless (in the sense that no single entity authorizes whether or not someone can or cannot create proofs-of-work), the fact that they are self-identifying is a bit ironic considering the motivations for building this network in the first place: creating an ecosystem in which pseudonymous and anonymous interactions can take place:

The first rule of cypherpunk club is, don’t tell anyone you’re a cypherpunk.  The first rule of DMMS club is, don’t tell anyone you’re a DMMS.

The second bucket, neither censorship resistant nor trade finality, refers to the fact that large VC funded companies like Coinbase or Circle not only require identification of their user base but also censor their customers for participating in trading activity that runs afoul of their terms of service.  Technically speaking, on-chain trade finality hurdles refer to bitcoin transactions not being final (due to a block reorg, a longer chain can always be found, undoing what you thought was a confirmed transaction).  This has happened several times, including notably in March 2013.
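The proof-of-work "signature" that carries no signer identity (the DMMS described earlier) and the reorg that undoes a confirmed transaction, as one added Python example that is not code from the original post. The toy header layout, the constant target and every transaction id are constructed for the demonstration, and the Merkle root is a flat hash rather than a real tree.

```python
"""Toy Nakamoto-consensus model (constructed example, not the post's own code):
proof-of-work as a dynamic-membership multi-party signature, and why a
confirmed transaction is not final when a longer chain appears."""
import hashlib
import struct

# Constructed toy target: the block hash must be numerically below this value.
# Real Bitcoin encodes the target in the header's 4-byte "bits" field and
# retargets every 2016 blocks; a constant keeps the toy deterministic and fast.
TARGET = 1 << 244                               # top 12 bits zero: ~4096 hashes per block
WORK_PER_BLOCK = (1 << 256) // (TARGET + 1)     # the chainwork formula Bitcoin uses
GENESIS_HASH = b"\x00" * 32                     # constructed parent for the first block


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list) -> bytes:
    """Simplified commitment to the block's transactions. Real Bitcoin builds a
    Merkle tree; a flat hash is enough to show that the header binds them."""
    return double_sha256(b"".join(txids))


def serialize_header(prev_hash: bytes, root: bytes, nonce: int) -> bytes:
    """Toy 72-byte header: prev_hash (32) | merkle_root (32) | nonce (8, LE).
    Note what is absent: no signer identity, no public key, no membership list.
    Whoever finds a satisfying nonce has 'signed' the block; nothing in the
    header says who that was or how many parties contributed hashes."""
    return prev_hash + root + struct.pack("<Q", nonce)


def pow_valid(header: bytes) -> bool:
    """Verification is permissionless as well: anyone can check it with one hash."""
    return int.from_bytes(double_sha256(header), "big") < TARGET


def mine_block(prev_hash: bytes, txids: list) -> dict:
    """Search nonces from zero until the header meets the target."""
    root = merkle_root(txids)
    nonce = 0
    while True:
        header = serialize_header(prev_hash, root, nonce)
        if pow_valid(header):
            return {"header": header, "hash": double_sha256(header), "txids": list(txids)}
        nonce += 1


def chain_work(chain: list) -> int:
    """Cumulative work; with a fixed target this is length * WORK_PER_BLOCK."""
    return WORK_PER_BLOCK * len(chain)


def select_chain(candidates: list) -> list:
    """Nakamoto consensus: follow the valid chain with the most cumulative work."""
    for chain in candidates:
        prev = GENESIS_HASH
        for block in chain:
            if block["header"][:32] != prev or not pow_valid(block["header"]):
                raise ValueError("invalid chain: broken link or insufficient work")
            prev = block["hash"]
    return max(candidates, key=chain_work)


def confirmations(chain: list, txid: bytes) -> int:
    """Depth of the block containing txid (1 = in the tip block), or 0 if absent."""
    for depth, block in enumerate(reversed(chain), start=1):
        if txid in block["txids"]:
            return depth
    return 0


def reorg_demo() -> dict:
    """Constructed scenario: a payment confirmed once, then undone by a reorg."""
    pay_merchant = double_sha256(b"constructed txid: customer pays merchant")
    # Branch A: one block that includes the payment; the merchant sees 1 confirmation.
    branch_a = [mine_block(GENESIS_HASH, [pay_merchant])]
    seen_before = confirmations(branch_a, pay_merchant)
    # Branch B: two blocks on the same parent from miners who did not include it
    # (nothing in the protocol obliges them to). More work, so every node switches.
    b1 = mine_block(GENESIS_HASH, [double_sha256(b"constructed txid: unrelated 1")])
    b2 = mine_block(b1["hash"], [double_sha256(b"constructed txid: unrelated 2")])
    best = select_chain([branch_a, [b1, b2]])
    return {
        "confirmations_before_reorg": seen_before,
        "confirmations_after_reorg": confirmations(best, pay_merchant),
        "winning_branch_length": len(best),
        "winning_branch_work": chain_work(best),
    }


if __name__ == "__main__":
    print(reorg_demo())
```

Waiting for more confirmations only lowers the odds that a competing branch overtakes the one holding the payment; it never makes the result final in the way a permissioned ledger's settlement rule can.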

For instance, in Appendix 1: Prohibited Businesses and Prohibited Use, Coinbase lays out specific services that it prohibits interaction with, including gambling.  For example, about a year ago, users from Seals with Clubs and other dice/gambling sites noticed that they were unable to process funds from these sites through Coinbase and vice versa.

(Image: tweet from Brian Armstrong of Coinbase)

Source: Twitter

The tweet above is from Brian Armstrong, the CEO of Coinbase, which is the most well-funded permissioned-on-permissionless startup in the Bitcoin ecosystem.  For its users, there is nothing permissionless about Bitcoin, as they actively gate who can and cannot be part of their system and black list/white list certain activities, including mining (hashing) itself.6  It is not “open” based on common usage of the word.

In other words, contrary to what some Coinbase executives and investors claim, in an effort to extract value in a legally palatable manner, they must fulfill KYC/AML requirements and in doing so, effectively nullify the primary utility of a permissionless network: permissionlessness.  Furthermore, Coinbase users do not actually use Bitcoin for most transactions as they do not control the privkey, Coinbase does.  Coinbase users are not using Bitcoin on Coinbase, they are using an internal database.7 Or to use the marketing phrase: you are not your own bank, Coinbase is — which leads to a bevy of regulatory compliance questions beyond the scope of this post.8 However, once your bitcoins are out of Coinbase and into your own independent wallet where you control the private key, then you get the utility of the permissionless platform once more.

What are other permissioned-on-permissionless platforms?  Below are twenty-seven different companies that have raised at least a Series A (figures via CoinDesk) in alphabetical order:

  • Bitex.la: ($4 million)
  • BitGo: ($14 million)
  • BitGold: ($5.3 million)
  • Bitnet: ($14.5 million)
  • BitPay: ($32.5 million)
  • Bitreserve: ($14.6 million)
  • Bitstamp: ($10 million)
  • BitX: ($4.82 million)
  • BTC China ($5 million)
  • ChangeTip: ($4.25 million)
  • Chain: ($13.7 million)9
  • Circle: ($76 million)
  • Coinbase: ($106 million)
  • Coinplug: ($3.3 million)
  • Coinsetter: ($1.9 million)
  • Cryex: ($10 million)
  • GoCoin: ($2.05 million)
  • Huobi ($10 million)
  • itBit: ($28.25 million)
  • Korbit: ($3.4 million)
  • Kraken: ($6.5 million)
  • Mirror, formerly Vaurum: ($12.8 million)
  • OKCoin: ($11 million)
  • Ripple Labs ($37 million)
  • Vogogo ($21 million)
  • Xapo: ($40 million)

Altogether this amounts to around $492 million, which is more than half of the $855 million raised in the overall “Bitcoin space.”

What do these all have in common again?  Most are hosted wallets and exchanges that require KYC/AML fulfillment for compliance with regulatory bodies.  They require users to gain permission first before providing a service.

(Image: pie chart of Bitcoin venture funding)

The chart above visualizes funding based on the schemas explored in this post.  Based on a total venture capital amount of $855 million, looking only at startups that have received at least a Series A, 57.5% or $492 million has gone towards permissioned-on-permissionless systems.  An additional $224 million, or 26.1%, has gone towards mining and hashing.10

Permissionless-on-permissionless includes Blockchain.info, ShapeShift, Hive, Armory and sundry other seed-stage startups that collectively account for around $50 million or 5.8% altogether.  The remaining 10.6% include API services such as Gem and BlockCypher; hardware wallets such as Case and Ledger; and analytic services such as Tradeblock.  In all likelihood, a significant portion of the 10.6% is related to permissioned-on-permissionless (e.g., Elliptic, Align Commerce, Bonafide, Blockscore, Hedgy, BitPagos, BitPesa) but they have not announced a Series A (yet) so they were not included in the “blue” portion.

Ripple Labs

Why is Ripple Labs on that funding list above?  While Ripple is not directly related to Bitcoin, it is aggregated on the funding list by CoinDesk.

Is it permissioned or permissionless?  A few weeks ago I met with one of its developers, who said in practice, the validator network is effectively permissionless in that anyone can run a validator and that Ripple Labs validators will process transactions that include XRP.11

This past week, Thomas Kelleher tried to outline how Ripple Labs is some kind of “third way” system, that uses ‘soft permissions’ in practice.  There may be a case for granular permissions on a permissionless network, but it did not coherently arise in that piece.

For example, in early May, Ripple Labs announced that it had been fined by FinCEN for not complying with the BSA requirements by failing to file suspicious activity reports (SARs), including notably, on Roger Ver (who did not want to comply with its KYC requests).

In addition to the fine, Ripple Labs also implemented a new identification gathering process for KYC compliance, stating:

The Ripple network is an open network. No one, including Ripple Labs, can prevent others from using or building on the Ripple protocol as they desire. However, when Ripple Labs provides software, such as the Ripple Trade client, Ripple Labs may impose additional requirements for the use of the software. As such, Ripple Labs will require identification of Ripple Trade account holders.

We will ask you to submit personally identifiable information (PII) similar to what you would submit to open a bank account, such as full name, address, national ID number, and date of birth. Users may also be asked to upload their driver’s license or other identifying documents. We will use this information to verify your identity for compliance purposes. We take privacy seriously, so the information you provide during the customer identification process is encrypted and managed by Ripple Trade’s Privacy Policy.

In other words, Ripple Labs was just fined by FinCEN for doing the very thing that Kelleher wants you to believe he is not required to do.   All new Ripple Labs-based “wallets” (Ripple Trade wallets) require user info — this likely means they can control, suspend and block accounts.12  All eight of the main Ripple gateways are also obliged to gather customer information.  The current lawsuit between Jed McCaleb and Ripple Labs, over the proceeds of $1 million of XRP on Bitstamp, will probably not be the last case surrounding the identification and control of such “wallet” activity (e.g., specific XRP flagged).

Thus, while the Ripple network started out as permissionless, it could likely become permissioned at some point due to compliance requirements.  Why?  If you download and install rippled, in practice you are going to use the default settings, which rely on Ripple Labs core nodes. In practice, “choose your own” means “choose the default” for 99% of its users, ergo Ripple Labs sets the defaults.13 In a paper recently published by Peter Todd, he explained that there is no game-theoretic advantage to selecting non-default configurations, a point that was not discussed in Kelleher’s essay.

Bob cannot choose his own rules if he has to follow compliance from another party, Ripple Labs. The UNL set may converge on an explicit policy as nodes benefit from not letting other nodes validate (they can prioritize traffic).14

I reached out to Justin Dombrowski, an academic who has spent the past year independently studying different ledger systems for a variety of organizations.  In his view:

I have a hard time thinking of Ripple as anything but plain permissioned because I have a hard time thinking of a realistic circumstance under which an active user wouldn’t also have an account subject to KYC, or be indirectly connected to one. Sure, I can run a node for the purpose of experimenting with some Ripple app I’m developing, but at the end of the day I expect to be paid for that app. And I could mine for free—and yeah, in that case the network is permissionless for me—but that’s an atypical, trivial example I’d think. Ripple is theoretically permissionless, but practically not because incentives align only with permissioned uses.

As Dombrowski noted, things get taxonomically challenging when a company (Ripple Labs) also owns the network (Ripple) and has to begin complying with financial service regulations.  This trend will likely not change overnight and until it explicitly occurs, I will probably continue to put an asterisk next to its name.

Challenges for DMMS validators in a permissioned-on-permissionless world

Over the past month, I have been asked a number of questions by managers at financial institutions about using public / communal chains as a method for transferring value of registered assets.

For instance, what happens if Bank A pays a fee to a Bitcoin or Litecoin miner/mining pool in a sanctioned country (e.g., EBA concerns in July 2014)?

In February 2015, according to a story published by Free Beacon, Coinbase was on “the hot seat” for explicitly highlighting this use-case in an older pitch deck because they stated: “Immune to country-specific sanctions (e.g. Russia-Visa)” on a slide and then went on to claim that they were compliant with US Treasury and NY DFS requirements.

Another question I have been asked is, what if the Bitcoin or Litecoin miner that processes transactions for financial institutions (e.g., watermarked tokens) also processes transactions for illicit goods and services from dark net markets?  Is there any liability for a financial institution that continues to use this service provider / block maker?

Lastly, how can financial institutions identify and contact the miner/mining pool in the event something happens (e.g., slow confirmation time, accidentally sent the wrong instruction, double-spend attempt, etc.)?  In their view, they would like to be able to influence upgrades, governance, maintenance, uptime (i.e., typical vendor relationship).

Trade-offs

In the Consensus-as-a-service report I used the following chart showing trade-offs:

[Image: permissioned trade-offs]

I also used the following diagram to illustrate the buckets of a permissioned blockchain:

[Image: permissioned chains]

Recall that the term “mintette” was first used by Ben Laurie in his 2011 paper describing known, trusted validators and was most recently used in Meiklejohn (2015).

The general idea when I published the report several months ago was that permissionless-on-permissioned (which is effectively where Ripple sits) is untenable in the long run: due to regulatory pressure it is impossible to build a censorship-resistant system on top of a permissioned network.

Ryan Shea pointed this out in his recent piece, noting that:

Permission-ed blockchains are useful for certain things but they are limited in what they can do. Fully decentralized, permission-less, censorship-resistant applications CANNOT be built on them, which for many is a deal-breaker.

What does this mean for your business or organization?  Before deciding what system(s) to use, it is important to look at what the organization’s needs are and what the customer information requirements are.

Conclusions

As explored above, several startups and VC funds have unintentionally turned an expensive permissionless system into a hydra gated permissioned network without the full benefits of either.  If you are running a ledger between known parties who abide by government regulations, there is no reason to pay the censorship-resistance cost.  Full stop.15

[Image: fixing bitcoin]

[The optics of permissioned-on-permissionless]

Most efforts for “legitimizing” or “fixing” Bitcoin involve counteracting features of Bitcoin that were purposefully designed to enable users to bypass third parties, including governmental policies and regulations.  Businesses and startups have to fight to turn Bitcoin into something it isn’t, which means they are both paying to keep the “naughty” features and paying to hide them.  For example, if Satoshi’s goal had been to create a permissioned system that interfaces with other permissioned systems, he would likely have used different pieces — and not used proof-of-work at all.

The commercial logic of this (largely) VC-backed endgame seems to be: “privatize” Bitcoin through a dozen hard forks (the block size fork is the start of this trend that could also change the 21 million bitcoin hard-cap).16

It seems increasingly plausible that some day we may see a fork between the “permissionless-on-permissionless” chain (a non-KYC’ed chain) and the “permissioned-on-permissionless” chain (a fully KYC’ed chain) — the latter comprising VC-backed miners, hosted wallets, exchanges and maybe even financial institutions (like NASDAQ).  The motivations of both are progressively disparate as the latter appears uninterested in developer consensus (as shown by the special interest groups wanting to create larger blocks today by ignoring the feedback from the majority of active core developers and miners).  At that point, there is arguably minimal-to-no need for censorship resistance because users and miners will be entirely permissioned (i.e. known by/to participating institutions and regulators).

When drilling down, some of the permissioned-on-permissionless investment appears to be a sunk cost issue: according to numerous anecdotes several of these VCs apparently are heavily invested in bitcoins themselves so they double down on projects that use the Bitcoin network with the belief that this will create additional demand on the underlying token rather than look for systems that are a better overall fit for business use-cases.17

This raises a question: is it still Bitcoin if it is forked and privatized?   It seems that this new registered asset is best called Bitcoin-in-name-only, BINO, not to be confused with bitcoin, the bearer asset.18

If the end game for permissionless systems is one in which every wallet has to be signed by something KYC/KYB approved, it appears then that this means there would be a near total permissioning of the ledger.  If so, why not use a permissioned ledger instead for all of the permissioned activity?

The distinction between centralized and institutionalized will be discussed in a future post.

[Acknowledgements: thanks to Richard Apodaca, Anton Bolotinsky, Arthur Breitman, Richard Brown, Dustin Byington, Justin Dombrowski, Thomas Kelleher, Yakov Kofner, Antony Lewis and John Whelan for their feedback.]

Endnotes

  1. See Does Smart Contracts == Trustless Multiparty Monetary Computation?
  2. Thanks to Richard Brown for this insight.
  3. In raising funds, they have “doxxed” themselves, providing information about founders and management including names and addresses.  They are no longer pseudonymous.
  4. Thanks to Anton Bolotinsky for this insight.
  5. Are there any other non-mining projects that are VC funded projects that do not require KYC?  A few notable examples include ShapeShift (which de-links provenance and does not require KYC from its users) and wallets such as Hive and Armory.  All three of these are seed-stage.
  6. For more about know-your-miner and source of funds, see The flow of funds on the Bitcoin network in 2015
  7. Perhaps this will change in the future.  Coinbase users can now send funds both on-and-off-chain in a one-click manner.
  8. Learning from the past to build an improved future of fintech and Distributed Oversight: Custodians and Intermediaries
  9. Chain is working with NASDAQ on its new issuance program which requires KYC compliance.  In contrast, I created a new account for their API product today and it did not require any KYC/KYB.
  10. See What impact have various investment pools had on Bitcoinland?  It bears mentioning that BitFury raised an additional $20 million since that post, bringing the publicly known amount to around $224 million.
  11. Visited on July 2, 2015
  12. Using similar forensics and heuristics from companies like Chainalysis and Coinalytics, Ripple Labs and other organizations can likely gather information and data on Ripple users prior to the April 2015 announcement due to the fact that the ledger is public.
  13. Two years ago, David Schwartz, chief cryptographer at Ripple Labs, posted an interesting comment related to openness and decentralization on The Bitcoin Foundation forum.
  14. Thanks to Jeremy Rubin and Roberto Capodieci for their feedback.
  15. Thanks to Arthur Breitman for this insight.
  16. Thanks to Robert Sams for this insight.
  17. Richard Apodaca, author of the forthcoming Decoding Bitcoin book, has another way of looking at VCs purchasing bitcoins, that he delves into on reddit twice.
  18. One reviewer suggested that, “this would cease being bitcoin if the measuring stick is what Satoshi wanted.”

Buckets of Permissioned, Permissionless, and Permissioned Permissionlessness Ledgers

A few hours ago I gave the following presentation to Infosys / Finacle in Mysore, India with the Blockchain University team.  All views and opinions are my own and do not represent those of either organization.
