Wednesday, April 12, 2023

A systematic critique of Bitcoin's value proposition

1. Introduction

This essay was originally entitled "Bitcoin's design contains the seeds of its own destruction".  The thesis was going to be that Bitcoin's security depends entirely on consuming vast quantities of energy, and so any value it might offer is outweighed by its inherent costs.  But when I did the math, that turns out not to be true.  Bitcoin does use a lot of energy, but not nearly as much as I initially thought.  Unfortunately, this is not necessarily good news.  Bitcoin's security is directly proportional to the cost of mining, so the less energy it uses, the less secure it is.  It turns out that there is a plausible attack against bitcoin that could be carried out for just a few million dollars, a sum which is easily within reach not just for state actors and corporations, but also many high-net-worth individuals.

This essay is divided into four sections.  In the first I'm going to review what Bitcoin's value proposition was intended to be.  In the second, I review how bitcoin works.  If you are already familiar with Bitcoin you will find nothing new here.  In the third section I analyze its security model, specifically the cost of mounting a 51% attack on the assumption that hash power is available for rent and doesn't need to be purchased by the attacker.  In the fourth section I discuss the plausibility of carrying out such an attack in the real world, and various counter-arguments that have been presented to me in private discussions.  The bottom line is that when push comes to shove, bitcoin's security ultimately rests on the same foundation as fiat currencies: social cooperation.  The idea that Bitcoin is something fundamentally new, i.e. a currency whose integrity rests on mathematical algorithms and the laws of physics and economics, is thus called into question.

2. Bitcoin's ostensible value proposition

Bitcoin was the first so-called "cryptocurrency", a particular kind of digital currency that relies on cryptographic algorithms rather than a trusted third party to maintain its integrity.  The original Bitcoin paper by Satoshi Nakamoto (a pseudonym whose real identity remains a closely guarded secret) set forth the following rationale for its creation:

"Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non- reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party."

In other words, the usual methods of mediating electronic commerce using a trusted third party (TTP) are deficient because 1) transactions can be reversed, 2) the cost of the TTP is too high, 3) TTP's cannot eliminate fraud, and, as a result, 4) small transactions are not economical.

There is an additional feature of Bitcoin which is described in section 6 of Satoshi's paper.  That section is only three paragraphs long, but its importance vastly outstrips its length.  I quote it here in its entirety:

"By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.

"The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

"The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth."

(Side note: the British spelling of "favour" might be a clue to Satoshi's identity :-)

So Bitcoin ostensibly offers the following value proposition: 1) a non-inflatable currency with 2) irreversible transactions, leading to 3) reduced fraud and 4) lower transaction costs (because you no longer need to pay a TTP) and, as a corollary 5) making practical small transactions which are too costly under the TTP model.

I believe that all of these claims can be called into question, but I'm going to save most of my critique to the end and focus first on Bitcoin's security because that dominates all other considerations.  If Bitcoin is not secure, if it is vulnerable to an attack that undermines the integrity of the block chain, that dominates all other considerations.  Even if all of the other claims are true, it doesn't much matter if the whole system can be blown to smithereens at any time.

I'm going to start by briefly reviewing Bitcoin's security model for the benefit of my less-technical readers.  If you are already familiar with how Bitcoin works under the hood feel free to skip the following section.  You will find nothing new there.

3. The Security Model

Without a TTP, how do you insure the integrity of the system?  Specifically, how do you guarantee that everyone agrees how many bitcoins each participant in the system owns, and how do you enforce the limit on creating new coins?

Bitcoin's answer to this consists of three main components: digital signatures, a block chain (also known as a Merkle tree), and mining.

A digital signature is a little snippet of data that is associated with a document and another little snippet of data called a secret key.  Digital signatures have two key (no pun intended) properties: first, they are easy to generate, but only if you know the secret key, otherwise it is essentially impossible.  And second, it is easy for anyone to verify that a signature was in fact generated by someone who knows the secret key.  Furthermore (and this is the real magic) they can do this verification without knowing the secret key.  This technology dates back to the 1970s, though the particular version used by Bitcoin is more recent.

Bitcoin transactions are authorized by digital signatures.  You can think of a secret key as corresponding to a checking account – in bitcoin-speak these are called "wallets".  A bitcoin transaction is a digital document that says "Move X coins from wallet X to wallet Y" and is signed using the secret key corresponding to wallet X.  The important upshot of this is that control of the coins in a wallet is determined entirely by knowing the secret key.  If someone steals the secret key, they can (and almost certainly will) steal the coins in that wallet.  Likewise, if a secret key is lost, any coins in the corresponding wallet are irretrievably lost.

Digital signatures by themselves are not enough to insure the integrity of the system because nothing prevents someone from signing transactions on a wallet that total more money than it contains.  This is the so-called "double-spend" problem, though this is a bit of a misnomer.  A more accurate name would have been the "overdraft" problem, but double-spend is firmly established terminology, so I will use it here.

To prevent double-spending, bitcoin transactions are assembled into a ledger that sorts the transactions into a (partial) order.  This ledger is the so-called block-chain, and it is called that because transactions are first collected into batches called "blocks" and then the blocks are strung together in a chain.  If someone wants to verify that a transaction is valid, i.e. that the wallet that the transaction sources its funds from actually contains those funds, they can consult the block chain to see that wallet's current balance.  Again, there are cryptographic protocols in place to insure that no one can meddle with the block chain once it is established.  Like digital signatures, this is not new.  The technical term for a block chain is a Merkle tree, after Ralph Merkle who first published the idea in 1979.

The main innovation in Bitcoin's design is mining, which was derived from an earlier scheme called HashCash.  The details don't matter much.  The name derives from the fact that it involves a particular kind of computation called "hashing", which allows you to construct computational problems that are very hard to solve, in fact, so hard that the most effective way of solving them is to simply try solutions more or less at random until you happen to stumble on one that works.  Once you have a solution in hand, it is easy for anyone to verify that it is in fact a solution.  The puzzles can be constructed in a way that is specific to a particular document, so if you have a solution to one of these puzzles for a document, it proves that you (or someone) spent a lot of computing power constructing it.

The original idea behind HashCash was to use it as an anti-spam measure: email senders would include a solution to a difficult-to-solve puzzle bound to the contents of the email they were sending as proof that they had expended a lot of computational effort to send that email, and so it was less likely to come from a spammer.  Bitcoin's innovation is to take this idea and turn it into a digital lottery: whoever is the first to solve one of these difficult puzzles wins the lottery, and gets to decide which block of transactions become the next official block in the block chain.  They also get to include a transaction that creates some bitcoins out of thin air and deposits them in a wallet of their choice (presumably one whose secret key they control).  Anyone can participate in this lottery.  The more computing power they throw at it the more likely they are to win.  Conversely, the more computing power everyone else throws at it, the less likely they are to win.  In this way, the decisions about which transactions to include are (one hopes) made by different entities at different times, and no one party ever has the power to pull shenanigans, at least not for very long.

It should be noted that although distributing the block chain in this way is bitcoin's central innovation, most of bitcoin's claimed benefits accrue not because the block chain is distributed but rather because it is public.  A TTP could maintain a public block chain, and this would have almost all of the benefits of a distributed block chain.  Transactions would still be irreversible, the currency could be made non-inflatable, etc.  The only power that a TTP maintaining a public block chain would have is the ability to censor transactions, i.e. to refuse to record them.  But even this could be addressed by having a side-channel for publishing transactions which, if they lingered too long without being recorded, would damage the TTP's reputation.  Bitcoin actually has a similar feature built in called the "mempool", a collection of all transactions that have been submitted but not yet mined.

The only remaining problem with a TTP is how to compensate them for their services.  A TTP managing a block chain is necessarily a monopoly and deciding who gets to control that monopoly is a thorny political problem.  But censorship and compensation are the only two problems that mining actually solves.

4. Fifty-one-percent attacks

It is possible (though extremely unlikely) for two people to win the bitcoin lottery at more or less the same time.  In a situation like that the conflict is resolved in the next round of the lottery.  Every time you buy a bitcoin lottery ticket you have to decide ahead of time which of several possible competing blocks in the ledger you want to extend.  Conflicts are eventually resolved by a simple rule: among sets of competing blocks, the longest chain of blocks is the One True Chain.  So even if by chance two (or more) people should get winning tickets at more or less the same time, the odds of this happening again on the next round are very small, and the odds of it happening over an extended period of time by pure chance asymptotically approach zero.  Sooner or later, an unambiguous winner will emerge.  In actual practice, the system is designed to produce a winner (and hence a new block) about every ten minutes.  If there is any doubt about which of several competing chains is the One True Chain, that will almost certainly resolve itself within an hour or so.  This is the reason you will often see references to how many confirmations a bitcoin transaction has to have before it is considered valid.  The more confirmations, i.e. the deeper a transaction is in the chain, the more likely it is to be part of what ultimately turns out to be the One True Chain.

There is, however, a fly in the ointment.  Someone could attempt to intentionally disrupt the system by deploying enough computing power to extend an alternate chain.  This is called a "51% attack" because the attacker would have to control at least 51% of the computing power being devoted to buying bitcoin lottery tickets around the world, and this would be very expensive.  How expensive?  That turns out to be the crux of the matter.

The bitcoin algorithm is very cleverly designed to keep the cost of lottery tickets and the odds of winning very carefully balanced so that a winning ticket appears about every ten minutes, independent of how much computing power is being thrown at it around the world.  If, on any given round, a winner appears much sooner than the target ten minutes, the odds of winning the next round are adjusted to make it harder to win.  Likewise, if it takes much longer than ten minutes, the odds are dialed back down.

Because bitcoins can be traded for actual goods and services, including traditional fiat currencies, buying bitcoin lottery tickets can be a profitable enterprise.  As of this writing (April 2023), one bitcoin is worth about $27,000 and a winning lottery ticket gives you 6.25 of them, or about $170,000.  That amount is awarded every ten minutes on average, so there is some pretty serious money at stake.  If someone can mount a 51% attack for less than $170,000/ten minutes or $1M/hour, it becomes a profitable enterprise.  That is not a huge sum by the standard of governments, large corporations, and many high-net-worth individuals.

However, to mount an attack you not only need to pay the on-going operating cost of the computing hardware (which is mostly the cost of electricity), but you need to *acquire* that hardware.  The capital expenditure of buying enough hardware to mount a 51% attach is around 25 billion USD at current rates, and that is an amount that cannot be casually spent even by affluent governments.  However, it should give one a certain amount of pause because if, say, the Chinese or US government decided to squash Bitcoin, they absolutely could.

(Aside: one of the main uses of bitcoin is to move large sums out of countries that restrict the outflow of capital, e.g. China.  So it is not at all out of the question that the Chinese government might some day decide to take some decisive action to stop this.  Indeed, China has already taken steps in this direction, though to date they have been mostly ineffective.)

5. Rental attacks

The cost of a 51% attack drops dramatically if you can rent the necessary hardware rather than buy it.  Bitcoin mining hardware is available for rent.  Would carrying out a 51% attack on rented hardware be possible?  Would it be practical?  A back-of-the-envelope calculation indicates that the answer to both of these questions is "yes", indeed, that it might be even worse than possible and practical, it might even be profitable.

I'm going to describe that calculation here in broad brushstrokes, but to make it more concise I'm going to revert to technical terminology and talk about "hashes" rather than lottery tickets.  The crucial number that determines the difficulty of a 51% attack is the "hash-rate", the number of lottery tickets being "purchased" by expending computational power.  The numbers are quite staggering by comparison to a normal lottery.  Over the past year the hash rate has ranged between roughly 200 and 350 TH/s (trillion hashes per second).  Multiply that by 600 seconds (ten minutes) and you get between 120 and 210 quadrillion hashes per block.  Let's just round that off and call it 10^14.

The market price of bitcoin over the past year has ranged from about 16 to 45 kUSD, but that is neither here nor there because you can rent bitcoin mining equipment and pay in bitcoin.  Picking a random data point from we can rent a rig with a claimed hash rate of 3.3 GH/s for 5.636683E-4 BTC/hr.  To get 100 TH/s, enough to mount a 51% attack even when the hash rate is at the upper end of last year's range, would cost (10^14 / 3.3 x 10^9)*5.636683E-4 BTC/hr = 17 BTC/hr = 2.8 BTC/block.  The block reward is currently 6.25 BTC/block, so this would not only be profitable, it would be wildly profitable.

Of course, there are obviously some limiting factors we have not taken into account here because if arbitraging bitcoin were this easy someone would have done it already.  The main limiting factor is that to carry out the attack you need to rent 30,000 of the 3.3 GH/s units that we used as our data point, and that number probably doesn't even exist, let alone available for rent.  Nonetheless, this analysis does demonstrate a crucial point: the thing that protects bitcoin from attack is not fundamental economics, because if 51% of the bitcoin network were available for rent at current market rates then a rental attack would be profitable.

Of course, the supply of bitcoin mining hardware is far from perfectly elastic.  Even under idealized assumptions, if someone were to try to rent 30,000 mining rigs, the price would surely rise to meet the dramatically increased demand, and (again under idealized assumptions) it should rise enough to eliminate the profit margin.

However, the block reward is not the only possible way to monetize such an attack.  A successful 51% attack, indeed even a credible threat of such an attack succeeding, would almost certainly sow fear and uncertainty in a wide range of public markets.  An attacker could leverage this because they would have a certain amount of control over when news of the attack broke, so they could (for example) take a short position on a portfolio of financial stocks before launching the attack.  From start to finish, the attack itself would take only a few hours, so the exposure to upside risk would be minimal.  This strategy is not a slam-dunk, but it seems to me like a potentially attractive business proposition with no more than the usual risks and caveats.  Notably, there would be nothing illegal about it (AFAICT, IANAL).

In private discussions I have heard three counter-arguments, none of which I accept (if I did I wouldn't be writing this) but I'll list them here along with my responses just for completeness.

The first is that there is not enough rental capacity to mount a 51% attack, and never will be.  The person who raised this argument didn't provide any data to back it up, but for the sake of argument I will stipulate that the first part is probably true.  However, just because there isn't enough rental capacity today is no guarantee that there won't be enough tomorrow, especially if an attacker starts to buy up the existing capacity and drives the price up to the point where renting is more profitable (on the selling side) than mining.

The second is that, even if this attack succeeds, the worst-case scenario is a chain split.  Bitcoin has had a chain split before (resulting in the creation of bitcoin cash) and survived, so it could survive another one.  The difference here is that the bitcoin-cash split was not caused by an attack, it was caused by a technical disagreement in the bitcoin community.  It was an amicable divorce executed under controlled circumstances.  A split resulting from an attack would have a very different dynamic and likely very different consequences.  In particular, if such an attack turned out to be profitable then that would provide a powerful incentive for it to be repeated.  Even if the first attack failed, someone might try it again using the lessons of the failed first attack to refine their strategy.  At best the result would be a great deal of uncertainty, which would likely result in reduced confidence, which is ultimately the stock in trade of any currency.

The third response is that the mining community would band together to thwart such attacks if one were ever to be mounted.  I am happy to stipulate that this very well might happen, but it is important to note what this implies for bitcoin's security: it means that bitcoin is ultimately not, as is often claimed, protected by mathematics or physics or even economics, but rather by the social cohesion, cooperation, and (dare I say it?) trustworthiness of the mining community.  In other words, at root, bitcoin is not fundamentally different from a TTP, it's just that the TTP is a self-selected group rather than an elected or appointed one.  (And, it is worth noting, you can't just decide to become part of this group, you have to literally buy your way in.  Bitcoin's governance structure is, by design, a plutocracy.)

I want to stress that my argument does not depend on whether a rental attack would succeed.  It suffices that it might succeed.  The strategy I've sketched above is (I claim) prima facie plausible.  There might be something that would prevent someone from actually pulling it off, but it is not immediately evident what that thing would be.  But whatever it is, that is the thing that is currently defending bitcoin against this attack, and that means that the thing that is defending bitcoin against this attack is not currently known.  And that should be deeply worrying to anyone taking a long position on bitcoin's future.

6. Discussion

As long as I'm tearing bitcoin apart I might as well go all the way and critique its other claimed benefits.  To review, those are:

  1. Non-inflatable
  2. Irreversible transactions
  3. Reduced fraud
  4. Lower transaction costs
  5. Practical small transactions

I'll address each of these in turn.

6. 1 Inflation

Bitcoin can be inflated through chain splits and also by policy.  Neither are likely any time soon (notwithstanding that one chain split has already occurred) but both are possible.  There is a strong ideological predisposition against inflation among current bitcoin enthusiasts but it is not clear that this will hold forever.  In particular, as the block reward tends towards a smaller and smaller share of the total market cap, political pressure towards inflation could mount, just as it tends to do with fiat currencies.  Also, if bitcoin ever achieves the goal that some of its adherents aspire to of making it the world's reserve currency, then the outsized holdings of early adopters will become harder to justify and the political pressure towards inflation will increase.  Satoshi Nakamoto, for example, is believed to hold about 1.1 million bitcoins, or just over 5% of the total market cap.  His keys have not been used in many years and are believed lost, but is any sane person really willing to bet the financial well-being of the planet on that?  Are future generations going to be willing to accept that decision made by their distant ancestors, or will they decide, as many before them, that a little inflation might actually be beneficial?

Bitcoin might be inflation-free at the moment, but only for the same reason that some fiat currencies are inflation-free: because the people who control them have decided as a matter of policy that inflation is undesirable.  The only thing that distinguishes bitcoin is that its policy-making is based on one-hash-one-vote.

6. 2 Irreversible transactions

This is probably bitcoin's strongest claim.  Reversing a bitcoin transaction is in fact impossible as a practical matter, and will be under all reasonable future scenarios.

However, irreversibility is very much a double-edged sword.  People make mistakes, or lose their keys, or have them stolen.  Under those circumstances the ability to reverse a transaction can be very desirable.  Of course that does open the Pandora's box of having to adjudicate disputes, which bitcoin mostly eliminates -- by eliminating the possibility of correcting mistakes and restoring stolen coins to their rightful owners by force.  This is not the place to engage in that policy debate.  I think you can probably guess which side I come down on.  I'll just point out that irreversibility is no panacea.  If it were, it would be universally adopted as the de facto standard.  There is a reason that no other irreversible monetary system has ever been widely adopted.  It's not because they are hard to build.

6.3 Reduced fraud

By adopting digital signatures to authenticate transactions bitcoin does eliminate one currently common kind of fraud.  But digital signatures can be adopted to eliminate that fraud without adopting the rest of bitcoin.  Indeed, this has been done throughout most of the world now with the introduction of chip cards to replace magstripes.  (The chips contain secret keys and produce digital signatures using them.)  The only arena where digital signatures are not yet widespread is on-line purchases.  There is no technical impediment to adopting them there, it's just a matter of agreeing on a standard protocol.  (I attempted to do this about ten years ago and failed, but that's another story.)

However, there is a dark side here as well.  Bitcoin eliminates one kind of fraud but replaces it with others.  In particular, if you lose your keys, or entrust them to a third party who decides to defect, then you have no recourse.  Furthermore, the irreversibility of transactions makes coercion more lucrative, leading to the rise of ransomware.  In fact, it is arguable that the rise of bitcoin was the catalyst that birthed ransomware as a global industry.  A thief can now steal your money with impunity from the comfort of their own living room.  It is no wonder so many people are choosing to make a career out of this, especially ones who live in places with lax enforcement.

6.4 Lower transaction costs

This is a theoretical possibility as long as bitcoin's value in terms of its purchasing power continues to rise.  But as soon as this stops, the value of the block reward asymptotically approaches zero, and the only way to fund mining after that (assuming the inflation policy does not change) is fees.  How this will shake out in terms of actual costs is anyone's guess because we are very far from reaching steady-state on that, but there are two things inherent in bitcoins design that will tend to drive fees up.  First, all that electricity that is used to keep the system secure has to be paid for somehow.  And second, the capacity of the network is limited by design.  It is technically possible to change this, but politically it is very difficult.  The last time someone tried the result was the bitcoin-cash chain split.

Even now, when the mempool of pending transactions is large, people sometimes have to pay quite exorbitant fees to get transactions mined in a timely manner (minutes instead of hours or days).  It is unrealistic to expect any commodity whose supply has a hard cap on it to be cheap.

6.5 Practical small transactions

This, I think, is Bitcoin's biggest broken promise, and again, it was foreseeable.  By design, bitcoin transactions take a long time to process, and the smaller the transaction, the less likely it is to be mined in a timely manner.  Furthermore, as noted above, the capacity of the system to process transactions has a hard limit on it which is woefully inadequate for handling the volume of small transactions that occur regularly throughout the world.  Using Bitcoin to buy a coffee at Starbucks was an intriguing novelty at one time, but it was never realistic for large numbers of non-technically-savvy people to use it for day-to-day retail transactions.

7. Conclusion

So does Bitcoin have any actual value?  I'm not sure.  It certainly is not suitable for its original stated purpose of replacing fiat currencies for day-to-day transactions.  This is evident in the fact that the value of Bitcoin is still measured in terms of how many US dollars it takes to buy one.

On the other hand, as I write this, that number stands at just about $30,000, which I find staggering.  Somewhere in my house I have an ancient laptop computer that has somewhere on its hard drive the keys to a wallet containing 0.05 bitcoins that someone gave me for free back in 2009 when bitcoin was first launched.  I noodled around with it for a while, and even tried mining for a few hours, but got tired of hearing the fan on my laptop screaming at me all the time.  So clearly I got something very badly wrong back then and it's entirely possible that I've got something very badly wrong now.  My track record of predicting the future is not great.

I think the main value of Bitcoin in the long run will be as a store of value, comparable to precious metals but easier to move around.  Allowing you to reliably store value without having to physically store and protect an artifact (other than a secret key) has real value, and that might well be enough to sustain bitcoin over the long run.  But if bitcoin offers anything of value as a medium of exchange, I don't see it.


Thanks to Ryan Orr, Joel Dietz, Nemo Semret, and Adam Wildavsky for interesting discussion and feedback on this article.


Satoshi said...

The current hashrate of the bnitcoin network is 300-400ExaHash, not TH as you mentioned, it's million times more then what you calculated..

Satoshi said...

The current hashrate of the bnitcoin network is 300-400ExaHash, not TH as you mentioned, it's million times more then what you calculated..

Satoshi said...

The current hashrate of the bnitcoin network is 300-400ExaHash, not TH as you mentioned, it's million times more then what you calculated..

Ron said...

Yep, you're right. I screwed up. But apparently that's not the only thing I screwed up, and some of my other screwups cancelled out that screwup. Stand by for a full post-mortem, this is going to take a while to untangle.

(How can you be on blogger for 11 years and only have 4 profile views???)