The hole in Bitcoin
4 November 2013
Over the past few weeks, our more observant readers may have noticed increasing media coverage of Bitcoin, the decentralised cryptocurrency designed (or should we say, "coined") by a clever developer known pseudonymously as Satoshi Nakamoto (anagram solutions welcome). We've yet to find an article which combines a grounding in the technology and economic analysis that a layperson can grasp, so this is our attempt to explain what all the fuss is about, and why you are probably looking at one big, energy-consuming bubble.
The domain bitcoin.org was registered on 18-Aug-2008. According to the history on the Bitcoin wiki, the original paper proposing Bitcoin was published on 31-Oct-2008. The first chunk of Bitcoins (the "genesis block") was "mined" on 3-Jan-2009. The earliest capture of the bitcoin.org web site in the internet archive is on 31-Jan-2009. It contains fluent English text written in the first person, indicating this is likely the work of a single developer rather than a group, and probably a native-English speaker.
Concept & method
The concept of Bitcoin is to create a digital currency not issued by any Government, and with no central registrar to authorise its issuance or keep track of transactions - both of those functions are distributed across a network of computers. The key features are:
- Bitcoins are created, or "mined", by computers or nodes, all competing to solve a mathematical problem based on a block of data, with Bitcoins as a reward for the first node to find a solution. This is known as a Proof-of-work system.
- When a node finds a solution to a block, this is broadcast to the other nodes, which quickly verify the result and add the block to the blockchain, which includes all previous blocks. Each of those nodes then starts working on the next block, incorporating the result of the previous block.
- Once coins enter circulation, transactions occur by the payer sending coins to the payee using public key cryptography. The payer digitally signs the coins with her private key, and encrypts the coins using the payee's public key. The payee verifies the coins with the payer's public key, and he can spend them using his own private key. This is the same technology behind digitally signed and encrypted e-mails. Fractions of coins can be sent and received in change.
- To prevent a holder spending the same coin twice, the transactions are broadcast to all the nodes, and are incorporated into the next block that a node works on, and hence the sequence in which a coin is passed around becomes part of the blockchain. If a coin is spent twice by the same person, the first transaction to enter the blockchain and survive prevails. Each block consists of one special coinbase transaction to create the coins for the winning miner, plus the bundle of reported transactions.
- Two (or more) nodes could separately find solutions to a block at practically the same time, sending their result out to other nodes and resulting in two or more competing blockchains (known as a "fork" in the chain), but the nodes will always work on the longest blockchain, so the one which gets extended first in the next round will get broadcast to all the other networks, will prevail and the other one(s) will be dropped. For that reason, it is wise to wait for a few blocks to be added to the chain as "confirmations" before you can be very confident that a transaction will remain valid.
- The difficulty of the proof-of-work problem is automatically adjusted after every 2016 blocks to target a constant block solution rate of 1 block per 10 minutes, based on the time it took to solve the previous set, so in theory, the rate is adjusted every 2 weeks (20,160 minutes), although this happens faster if processing power is added to the network during the period.
- The mining reward, which started at 50 Bitcoins or BTC per block, is halved after every 210,000 blocks, corresponding to a 4-year mining period. In fact, after a slow start, the first cut at block 210,000 was achieved a month early on 28-Nov-2012. So there were 10.5m BTC from the first tranche, and there will never be more than 21m in total.
- Miners can get transaction fees for the transactions recorded in the block they solve, but these fees currently only account for a small proportion of the reward, at about 0.07 BTC per block, or 0.28% of the total.
An attacker could try to alter the history, retrieving his spent Bitcoins by altering the blockchain and paying the Bitcoins to himself. However, to do this, he would need enough processing power to extend the blockchain faster than the rest of the network and, in the case of older transactions, to catch up with the growth of the blockchain. This is commonly known as a "51% attack", because if you have over 50% of the power then you can certainly do this given enough time. However, the attacker would still stand a chance of achieving dominance with a smaller share of global processing power, if his machines solved the problems faster than average. As the network grows, it becomes more expensive to achieve this, unless he is able to somehow hijack other machines.
Addendum, 6-Nov-2013: when we said that an attacker could achieve dominance with less than 50%, this was a reference to the Byzantine Generals' Problem, which says that a group of N separate generals who communicate by messages that may be corrupted by treacherous generals, can only agree on when to attack the fort if the number of traitors T among them is less than one third, that is, N > 3T+1. This problem was explained in a 1982 paper by Leslie Lamport, Robert Shostak and Marshall Pease. The problem was actually mentioned on the original Bitcoin site. Coincidentally on the day this article was published two professors published an article noting, via a different approach, the same vulnerability, which can only be mitigated by tweeks, not removed. Also, with reference to Robert Shostak, who is now CEO of Vocera Communications, we note that Satoshi Nakamoto is an anagram of "I am onto a Shostak". Make of that what you will, if anything.
Addendum, 15-Nov-2013: Robert Shostak kindly responded to a Webb-site query as follows: "The relationship of Bitcoin to the original Byzantine problem is very cool. That paper, incidentally, recently won the Jean-Claude Laprie Award in dependable computing - unfortunately, Marshall Pease, a colleague of mine at SRI who co-authored the paper and proved the hard direction of the main result, passed away long before he received any recognition for it... your anagram is brilliant, even if totally coincidental." So the hunt for Satoshi Nakamoto continues.
What the mining machines are doing is performing a "hash" calculation with a block of transaction data (including the coinbase transaction) plus a chosen number as the input. For a given block, the result of that calculation depends on the chosen number, and the chosen number cannot be found from the result without a "brute force" trial-and-error effort, rather like trying to guess the combination number of a safe by trying repeatedly. Bitcoin uses SHA-256, a "Secure Hash Algorithm" designed by our friends at the NSA, which produces a 256-bit result. In decimal, that is a range from zero up to about a 1 followed by 77 zeroes. There are only about 10^80 atoms in the universe, to give you some idea of how big that number is.
The "difficulty" in Bitcoin mining is set by requiring that the hash result be below a certain "target" threshold in the range of possible results. The lower the threshold, the lower the chance of any given input producing a hash below that threshold, so the more hashes you have to try before you find an input that works. Difficulty is expressed as the ratio of the maximum target to the current target. In the early days, these were the same, so the "difficulty" was 1. The maximum target has 32 leading zeroes in binary, and so on average it required 2^32 or about 4.3 billion hashes to find a winning solution. That was probably chosen based on the estimated hashing power of the developer's single PC over 10 minutes.
The difficulty did not begin to increase until block 32256 on 30-Dec-2009, so it is fair to assume that until the middle of December 2009, there was only one miner mining, probably the founder. Up to that point, 1,612,800 Bitcoins had been mined. The latest adjustment to difficulty was on 26-Oct-2013, when the difficulty was set at 390,928,787.64. That, plus the fact that each block only earns coins at half the original rate, means that it now takes about 782 million times more hashes to produce a Bitcoin than it originally did.
The arms race
Originally, miners were using the CPUs in normal PCs, but it wasn't long before they were overtaken by Graphics Processing Units running the same algorithms much faster. Then they moved on to Field Programmable Gate Arrays, which can be configured to run the algorithm, and recently, these are being overtaken by Application Specific Integrated Circuits which are hardwired in the foundry to carry out the algorithm, and so are even faster. Such is the state of this crypto-arms race that firms are taking pre-orders of products they cannot yet ship. Brands include Avalon, Bitmine, Butterfly Labs, CoinTerra, Hashfast, KnCminer, Terrahash and Virtual Mining Corp.
The key point to note on this is that the more machines are plugged into the network, the greater the competition to win the next block, and therefore the higher the difficulty must be set, and the more hashes it will take (on average) to discover a solution to each block. At a given level of technology, each hash will take a certain amount of energy to calculate, and as the technology improves, the difficulty will also be raised to ensure that steady output of 1 block every 10 minutes. There is a virtual gold rush going on for people to plug in mining machines and grab a diminishing share of the return.
To spread their risk, rather like groups of people entering a lottery by sharing tickets, there are mining pools, where miners share the reward if one of them comes up with a solution to the next block.
Rationally, however much money you have spent on your mining equipment, you are not going to run it if your energy cost is greater than the market value of Bitcoins you expect to produce. Some people are getting "free" electricity from their parent's home, their college dorms or their office, and therefore can run obsolete mining machines without caring about the energy consumption, but they probably only have a small share of the overall hashing capacity. Currently the global capacity is about 4 petahashes per second (4 x 10^15), and it has been growing exponentially as new machines come online.
At 6 blocks, or 150 Bitcoins, per hour, with a current exchange value of about US$220 per Bitcoin, the hourly supply is worth about US$33,000. If the mining market is rational, people will keep adding capacity until the energy cost is that much. Some will continue beyond the point when their machines are uneconomic, because they haven't seen the size of their bill yet, or because they are gambling on winning the block lottery for the next 25 Bitcoins (currently worth about US$5500), even though they have a negative expected return. That's the nature of lottery tickets.
If energy in the cheapest parts of the world (particularly the USA) is about $0.12 per kWh, then a breakeven mining market would imply a power load of about 275MW. That's enough to power about 214,000 average US households, or about two-thirds of households in San Francisco City & County. The annual energy use would be 2.409 billion kWh, equivalent to about 0.06% of US electricity consumption. That compares with about 1.5%-2% for data centres, so it is equivalent to about 3-4% of data centre usage.
Of course, if you live in a cold climate and were going to heat your home anyway this winter, then at least for the next few months you could substitute the heating by running Bitcoin mining machines, if you can tolerate the noise.
If (or rather, when) the value of Bitcoins collapses, miners will have to switch off their machines and there will be a lot of redundant hardware around, custom built with ASICs to do only one thing. At least those with GPUs can do something more useful to society, like protein-folding or running the SETI app to keep you warm at night.
You can't lose digital Bitcoins down the back of your sofa or drop them through a hole in your pocket, but if you lose your private keys, or forget the password to access them, then you've achieved the same thing. The holder will be unable to spend or transfer them. So people who rely on their hard drives or their memory and don't have backups will gradually take some Bitcoins out of circulation forever. Similarly, people who die with Bitcoins in their digital wallet without divulging the password will also lose them. For that reason, if Bitcoin survives, then the number of outstanding BTC will not reach 21 million, but will start to decline when at some point they are being lost faster than they are mined.
If Bitcoin survives, then virtual banks could be established which would borrow your Bitcoins as "deposits", and lend them, at risk, to other people or businesses, increasing the velocity of circulation of Bitcoins and broadening the amount of economic activity that can be handled without necessarily inflating the value of BTC. In the quantity theory of money, the amount of money (M) multiplied by the number of times it changes hands in a period (the velocity, V) is equal to the value of all transactions T at their price P, that is MV=PT. So increasing V allows more T. Indeed, one simulation of a BTC bank is already online at coinlenders.com.
For BTC banks to work, depositors (lenders) would have to transfer BTC to the bank with no guarantee that they would get it back. BTC banks could credit interest on deposits and charge it on loans, keeping a spread to cover loan losses and profits. BTC banks could make bad loans, and BTC banks could go bust - particularly if there is no oversight, no capital adequacy regime.
Banks could self-regulate and promise to keep a certain proportion of Bitcoins on hand to cope with withdrawals, having their accounts audited regularly and stacking up the virtual cash in their virtual window by displaying an amount of BTC that bears their digital signature to deter bank runs. In the real world, this is known as a "reserve" and the system is called fractional reserve banking, as a fraction of all deposits is kept in reserve rather than lent out.
We doubt that the world's governments would allow Bitcoin banks to evolve without bringing them under supervision to try to protect depositors, and they would develop the same regulatory overhead costs as existing banks. If Bitcoin survived, existing banks would also get in on the act, as they have well-established infrastructures for assessing credit and making loans, which start-up BTC banks would lack.
But, given a fixed supply of Bitcoins, and a given reserve ratio, there is still a limit on the amount of Bitcoins plus deposits that can be created - for example, at a 5% reserve ratio, the deposit base could not exceed 420m BTC, 20 times the maximum number of Bitcoins. And that brings us on to...
The hole in Bitcoin
We love the science behind Bitcoin (your editor is a mathematician and programmer of the 1980s era, so it brings out his inner geek), but here is the biggest flaw: the economics of it. For Bitcoin to succeed, it has to become a transaction currency, widely-accepted by the real world for goods and services. With a cap of 21 million Bitcoins, the accepted wisdom driving prices is that spreading the limited supply of Bitcoins over all these real-world transactions, even with fractional reserve banking, would necessitate a high valuation per Bitcoin.
Unfortunately, most of the people getting into Bitcoin, either with cash, goods and services or by buying and running mining rigs, are just hoarding the Bitcoins, either expecting the price to go up because they believe in this transactional utility, or expecting the price to go up because other people will - people like the Winklevoss twins, who proposed setting up an ETF to hoard Bitcoins (SEC filing), rather like the SPDR Gold Trust.
The flaw then is that most Bitcoin owners are hoarding something which they expect to become a widely-used transaction currency, and if everyone holds on to their Bitcoins, then it won't become a transaction currency. Eventually, enough participants will look around the room, see that nobody is spending anything, and head for the exit, seeking to cash out. This will crash the price of BTC, and destroy any confidence in it as a transactional currency, taking it to zero - worthless bits on a disk. At least with Gold you can turn it into jewellery or use it in electrical contacts, and it is shiny. Don't ask us to predict the timing of this; avalanches cannot be predicted, but right now, the entire stock of Bitcoins is valued at about US$2.6bn - that's an awful lot of snow on the mountain.
Very few vendors are accepting Bitcoins for real goods or services, other than as promotional gimmicks. Those who sell mining rigs for BTC are converting the cash it cost to build the rigs into Bitcoins. Those who run the mining rigs are converting the cost of energy into Bitcoins. A certain amount of real cash is exchanged for Bitcoins outside of traditional payment networks, by people meeting offline (see LocalBitcoins.com for example), sucking people into the scheme, but that could be brought to a near-halt if governments start applying existing legislation governing money-changing to individuals who are doing this as a business.
In the US, the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a Guidance Note on 18-Mar-2013 warning that exchange services such as MtGox, a Japan-based firm which was accepting real money in the US, are Money Services Businesses. This was followed in May by the seizure of US$5m of balances held by a subsidiary of MtGox in the US banking system. MtGox, you should note, claims to be "the world's largest Bitcoin exchange!" so goodness knows what the others are like.
There are so many well-established and potential future ways to pay for things online. Paypal lets you send money to pals without charge, although they charge fees to merchants. Outfits like Amazon, Apple, Google and Microsoft all have the capacity to set up payment networks between users, denominated in real-world currencies such as the US dollar, and linked to bank accounts. Google has done this for the USA with Google Wallet.
Transaction fees - the second hole
Even if we are wrong and Bitcoin becomes a widely-accepted transaction currency, the second flaw in Bitcoin is this: when the rate of coin production is reduced towards zero, the only economic incentive the nodes will have to convert electricity into blocks (and heat and noise) is the transaction fees. So far, these are very low, but if the people who control the Bitcoin specification don't increase the fees to a commercial level then the amount of machines running the algorithm will plunge for lack of reward, and it will become much less expensive to take control of the network by holding more than 50% of the hashing power. However, if fees become a significant part of transaction values, then a lot of users (not seeking illegal goods and services) will wonder why they don't just use traditional payment networks denominated in real currencies. So there's the conundrum: charge too little, and someone will put in enough capital to take over the network and turn it, in effect, into just another MasterCard, Paypal or Visa. Charge too much, and people will use other payment networks.
This problem is inherent in Bitcoin's design to use a proof-of-work distributed system rather than a central registrar. The system depends on the proof being expensive enough, and hence the fees being high enough, that nobody will find it worthwhile to take control.
Miners are currently generating about US$33k per hour in value of new Bitcoins; that's US$289m per year. Is the world willing to pay that much per year, or more, to settle Bitcoin transactions?
© Webb-site.com, 2013