Thursday, 29 September 2011

Bitcoin Transaction Mining

In the long-term (when all the bitcoins have been mined), the security of bitcoin comes from the revenues generated from transactions. How much revenue is that? Basically no one has any clue how many transactions there will be in ten or twenty years time, nor how much revenue will come from them.

But perhaps we can look at the real world for some kind of guidance. Visa has an annual revenue of $8 billion. Assuming that bitcoin will have to process transactions significantly cheaper - lets say 10% of the cost - to gain traction, that means an annual transaction revenue of around $80 million, assuming bitcoin grabs 10% market share from Visa.

The problem here is one of old-fashioned competition. Assuming there is no mining monopoly, miners mine independently of each other, and are free to charge whatever transaction fee they like, in the sense that they are free to include or exclude whatever (valid) transactions they like, irrespective of fee. Because incorporating an extra transaction into a block has zero (or close to zero) marginal cost, economically rational miners will choose to accept any and all transactions that have a non-zero fee. Miners that refuse low-fee transactions will make less money than miners who accept them and eventually will get squeezed out of the market. Note that the marginal cost of transactions is unrelated to how many hashes you had to do to solve the block - once you've solved a block you can add as many transactions as you like.

Effectively, competition will force the transaction fee down to the marginal cost of adding a transaction to a block. That cost is virtually zero (in fact the cost of bandwidth for sending the solved block to your peers), so fees become virtually zero. With super-low fees, you have insufficient revenue to secure the blockchain from attack.

Suppose then, that the miners 'unionize' and enforce a minimum average transaction fee. They could do this by collectively agreeing not to accept blocks that have fees less than the minimum agreed value. A miner whose block contains a transaction below the threshold would lose the fees from all the valid transactions as well, so it would be strongly in a miner's interest to only accept transactions above that fee threshold. However, a miner could then agree (off-network) to give a partial refund on all transactions. Superficially the transaction would appear to be valid, but the real net fee would be far smaller. They wouldn't be able to send the fee-discount back in bitcoins due to the minimum-fee rule, but presumably they would be able to use some other medium of transactions. For example, they could return some digital cash using Open-Transactions.

And this really leads to the big problem. Bitcoin will not be competing against Visa and Mastercard, Bitcoin will be competing against other digital currencies, including ones with no lower bound on the transaction cost. It will not be long before you can issue Bitcoins onto an Open Transactions Processor, which will be able to handle the transactions of an unlimited number of other currencies. Other currencies that do not require (comparatively) high transaction fees to pay for the (comparitively) high security costs of the issuance will be at an economic advantage and will undercut bitcoin. Why send money through raw BitCoin when you can send it over OT (either as bitcoin or as some other currency) and pay a hundredth of the charge? As a merchant, why install BitCoin technology which only supports BitCoin when you can install OT technology and support all digital currencies simultaneously and at no extra cost?

Monday, 26 September 2011

Implications of Merged Mining

In case you haven't come across it already, merged mining (also summarized here) is a way of simultaneously mining multiple blockchains. If all miners support merged mining, then the global hashrate of any of the alternative blockchains becomes the same as the global hashrate of bitcoin. There is always an incentive for a miner to merge because he will start collecting coins from alternative blockchains at no extra cost.

It is to be tried first with NameCoin, with the intended goal of securing it by reusing the hashing power of bitcoin. I think that given the upside with no downside, it will be only a matter of time before all miners support merged-mining.

So what are the long-term implications of merged-mining?

For one thing, it massively reduces the barrier-to-entry for a new blockchain. Prior to merged mining, a new blockchain was vulnerable to attack because there was insufficient mining power available to secure it from attack. There was no real incentive to mine it because not only did the coins have low or no value, but the low global hashrate meant that the whole chain was vulnerable. A 'chicken and egg' type scenario, or 'network effect' if you like.

But now (or at least shortly), alternative blockchains will, almost from inception, be as secure as the main blockchain. Here's a first draft at how to start up your own chain:

  1. Think about how much money you're going to plough into it. Lets say it's $1 million.
  2. Start your own blockchain with exactly the same characteristics as bitcoin but with a far lower level for maxcoins. How low is dependent on how much startup capital you decided above.
  3. Mine it for a while on your own to build up a hefty warchest W of newcoins.
  4. Declare publicly that newcoins will be exchangeable 1 for 1 with bitcoins. On your favourite exchange, put in $1M worth of bid at 0.95 and W worth of offer at 1.05. Keep it there.
  5. Advertise your new blockchain for merged-mining with bitcoin mining pools. This shouldn't be hard, as it's free profit for them.
  6. Advertise your new blockchain with merchants. Since merchants already use bitcoin there's little or no setup cost in allowing them to accept newcoins, especially with the fixed exchange rate you have imposed.
  7. Advertise your new blockchain with the public. It helps if you are Justin Bieber, or Facebook, or a sovereign nation.
  8. For as long as you can, maintain the 1:1 price ratio between bitcoins and newcoins. Eventually newcoins will gain acceptance as being as valid as bitcoins, since they are after all feature-identical and interchangeable with bitcoins, at which point you gradually sell off your warchest.
So what are you waiting for!?

Bitcoin Bonds and "Too Big To Fail"

One aspect of the financial system crucial to the capitalist system is borrowing. Companies borrow money so they can invest. This might be for example to build a new factory or develop new technology. Ignoring equities for now, money borrowed is usually in the form of bonds or loans; Alice gives $1000 to Bob on the condition that Bob pays her back the $1000 at a specified later date as well as $20 each year as an incentive for Alice to put up the cash.

Bonds are big. According to wikipedia the net value of outstanding bonds is $82 trillion. In 2010, $3 trillion worth of corporate bonds were issued. Bloomberg reported in Dec 2010 that GE Capital alone planned on issuing $25 billion through 2011. AT&T will be required to pay back (or rollover) $10 billion worth of bonds as they come due in 2011.

The question is, could bonds denominated in bitcoin be issued? Technologically, there's good reason to believe that the Open Transactions project will enable the issuing of bonds and other contracts that can be subsequently traded in a cryptographically secure manner. Since OT allows anyone to be the issuer of their own contracts, bonds could in principle be issued in bitcoins.

However, there a problems of large bitcoins debts. Since the cost of trashing the blockchain is both finite and easily calculable from the current difficulty level and market price of electricity, this places an upper bound on the size of a bond that can be safely issued. If BadCorp were to find themselves in a situation where their total bond issuance is substantially higher than the 'attack price', it would make economic sense for them to do the following:

  1. Buy access to (possibly by buying the hardware) a mining pool with 50% of the global hashrate.
  2. Continually harass the blockchain by reverting blocks, enabling double-spend attacks and so on so that
  3. Everyone else loses trust in the blockchain leading to
  4. Market crash in the value of bitcoins.
  5. Now bitcoins are worth a small fraction of what they were, buy them up and pay back your debt.
Now one criticism of this fraud would seem to be that since it's highly illegal and pretty obvious, the bitcoin economy could rely on meatspace police to stop this market manipulation / fraud. But when you think about it, it's not that easy since there's nothing to link BadCorp to the blockchain destruction that happened. They would outsource 1 and 2 above to some criminal gang, and probably no one would even suspect, far less be able to prove, that BadCorp had anything to do with it. BadCorp would be indistinguishable from any other company that happened to denominate their bonds in bitcoin who also benefited from being able to pay back their debts cheaply. This kind of situation happens in the real world whenever a currency experiences hyper-inflation - debtors prosper.

The key problem here is not that the bondholder doesn't get paid; corporate defaults happen all the time. The problem is that the bond issuer has a financial incentive to trash the entire system. So one bond issuance from the wrong company could end in disaster for everyone. The same potential problem exists in the real world to the extent that a bondholder can manipulate the real currency. The reason this doesn't happen is that it's far, far harder to attack a real currency.

One implication of the above is that no potential bond buyers can trust a bond issued in excess of the bitcoin attack price. At today's levels, multimillion dollar-equivalent bitcoin bond issues will not happen, since investors would be sowing the seeds of their own destruction.

Are there more subtle problems? Probably, yes. For example what if a group of highly indebted entities conspire to bring down bitcoin? You could argue that bank bailouts during the credit crunch were a real-world form of this attack. "Too big to fail" was the attack vector used to devalue the currency and hence the debts. But while in the real world the attack price is measured in trillions of dollars, in bitcoin it is measured in millions of dollars.

Thursday, 22 September 2011

How To Do Instant Transactions?

In my last post, the idea of using zero-confirm bitcoin transactions as a point-of-sale device in the real-world was well and truly crushed. If ZCT ever became popular, then (I claim) merchants would lose money and the bitcoin network would be compromised.

But this does not mean that bitcoin can never be used in POS, it just means it needs a better delivery mechanism. There are several ideas and projects in this direction, so lets have a look.

GOX Codes
I was not sure whether to include this, but since it's probably the most prevalent instant transaction device in use today within the bitcoin community, I probably should.

The system is very simple. You deposit your BTC into MtGOX, then when you want to send money you request a code from MtGOX for a certain amount of currency and give that code to the person you want to send the money to. Since everyone in the known universe trusts MtGOX with their mother's life, the system works quite nicely.

But obviously it is a complete hack - what's so special about MtGOX? What's the point in a super-secure crypto-currency if we all just pile our cash into MtGOX anyway? What if MtGOX gets hacked again? What if MtGOX runs away with our money? What if I get banned from MtGOX because I'm little-endian, or because I 'dissed his family, or some other trivia? What if MtGOX gets shut down by the gubermint? What if MtGOX gets DDoSed by anonymous?

Green Addresses
This is a technique already being used by InstaWallet. Again, a very simple concept where this time people decide to trust certain bitcoin addresses as not being malicious.

This is a slight improvement over GOX codes because it doesn't require a whole new protocol to operate; at its simplest it just requires a simple lookup table of non-malicious addresses. It's also not GOX-centric, you can greenlist whoever you like. Note that you don't have to trust that the green address has the funds available - you can do that using (currently non-standard) blockchain techniques - you just have to trust that the green address isn't attempting a double spend or discount scheme.

One temporary hiccup is that the current bitcoin client (and daemon) do not tell you where an incoming transaction came from, so to use green addresses right now you have to code it yourself or use a dev build of something, or request the data from blockexplorer.

Another problem is that there is no infrastructure around obtaining a reliable list of green addresses. It's unreasonable to expect merchants to keep their own greenlists up-to-date.

Also if you are in possession of a greenlisted address, you need to use a specialized client to ensure that when you send bitcoins, they do come from the green address and not some other address randomly generated by your client.

Finally, to use a green-address anonymously, you need to do it through a third-party like InstaWallet, which runs into the trust problems as with GOX codes.

Ripple is a P2P network of credit-lines. It is entirely trust-based, and works on the principle of the transferable IOU. For example, A trusts B and B trusts C. Therefore A trusts C as long as the transaction is routed through B. Anyone can extend credit to anyone else, and your spending power is limited to how much credit has been extended to you by your neighbours. I've written a little about it here.

Ripple is currency agnostic, and so can be used for bitcoin. A simple setup might run as follows:
Bob deposits bitcoins at various institutions he trusts. 3 BTC at GOX, 1 BTC at InstaWallet and so on. In return, these institutions extend him equal amounts of credit through ripple. In addition, Bob's friends and colleagues also extend him credit.

Bob goes shopping in Alice's store and buys a t-shirt for 5 BTC. While Alice doesn't know or trust Bob, she does trust GOX and Instawallet. She also happens (by coincidence) to trust Bob's friend Chris who has extended Bob 2 BTC credit. This transaction can now proceed because Alice scoops up 5 BTCs worth of IOUs from people she trusts. Bob is happy because he doesn't have all his eggs in one basket - he stored some of his BTC at GOX and some at InstaWallet. Moreover, because his friends extended him credit, he can do some transactions without having to store his bitcoins in any institution at all.
An additional benefit of Bitcoin over Ripple is that the technology he installs into his POS system does not tie him in to only accepting bitcoins. Because Ripple is currency agnostic, it is very simple to add support for Euros or Yen or SolidCoin or BeenieBabies or whatever. This might not seem like a good thing for bitcoin (in fact it is), but it's certainly a good thing for the merchant.

AFAIK, Ripple transactions are instant, although I'm currently a billy-no-mates with no credit extended to me so I'm not sure! is my ripple address, if you fancy it.

Open Transactions
OT is the holy grail of virtual currencies. It is a library, protocol and app that provides support for a dazzling array of funky contracts such as cheques, bonds, payment plans, equities, derivatives and so on. There is a clear divide between currency issuers and transaction processors, allowing transaction processing to be a low-trust operation. This in turn means that it is safe to have transaction servers without having to trust them with your actual assets, and leaves transaction servers to focus on processing transactions rather than breaking rocks (or mining).

Like Ripple, OT is currency neutral so a POS built using OT would extend to other currencies in a simple manner.

OT - or something similar - is clearly the long term solution, but it is a huge project that is not yet ready for use in the real-world.

Wednesday, 21 September 2011

The Bitcoin Discount Scheme

Welcome to BDS, the premier place to get 10% discount on all bitcoin purchases made at participating* stores. Signup is free! All you need to do is download BDS-Client, our specialized android bitcoin client and go shopping in meat-space.

How Does It Work?

Every time you make a transaction with the BDS-Client, it will also make a secure connection to our rather large mining pool, BDS-Pool, and give it a secondary signed transaction, one which would send the same bitcoins not to the shop but to our own BDS-Account instead. If BDS-Pool happens to solve the next block in the block-chain, we will ignore the shop transaction and instead write the secondary transaction, sending the bitcoins you were charged into our own account.

Since BDS-Pool in fact owns 11% of the network (thanks to our VC startup capital of 1M USD), this means that 11% of your transactions will randomly be redirected to our accounts. This is what allows us to give you a 10% payback every time regardless of whether a particular redirection was successful.

Of course, the money hasn't come from nowhere, it has actually come from the shop owners who had their payments stolen. But, that's their own fault for being dumb enough to accept zero-confirm bitcoin transactions. Lulz.

* participating stores are any that accept zero-confirm transactions.

The Cost of Destroying Bitcoin

As is fairly well accepted, if you own half of the global bitcoin mining power, you are in a position to do all sorts of terrible things such as performing double spends with arbitrarily many confirmations. Fortunately, the existing computation power is truly vast, so this attack would be completely infeasible, it is said. But exactly how much does it actually cost?

The Numbers

Currently the compute power of the network is 13.5 THash/s, according to bitcoincharts. Looking at the hardware comparison page on, a good all-round graphics card with "easy" availability is the 6950, which will give you 1.4 MHash/s per dollar spent on the hardware. So assuming there's a really big supply of them, it will cost you around 10M USD to buy the 40k graphics cards to equal the global hashrate. Maybe you'll get some kind of discount on a bulk purchase. On the other hand, you've got to plug them all together and find a big shed in Siberia to house them, so lets for arguments sake just call it 10M USD total.

Some Silliness

How many people have that much money? According to wikipedia there are around 40M millionaires and 1,000 billionaires. Doing a log-log interpolation, I reckon there are around 30,000 people in the world with access to enough capital to bring down bitcoin. But no one except the completely insane would spend their entire fortune on killing some unknown geek project, so perhaps this doesn't matter. However, for the 1,000 billionaires in the world it would only cost 1% of their net wealth.

For context, here are a few things bought over the years by billionaires:

  • David Brooks spent 10M USD on his daughter's 13th birthday party
  • Paul Allen's yacht: 100M USD
  • Roman Abramovic bought Ukrainian footballer Andriv Shevhenko for 30M EUR a few years back despite the Chelsea manager not even wanting him.
  • The domain name was bought for 10M USD
  • 10M USD will buy a middle-of-the-road private jet.
If you're the kind of person who suspects that certain governments would dearly love to put a stop to bitcoin, how about these numbers:
  • F-22 Raptor apparently costs 150M USD. Even a bargain-basement Saab Gripen will set you back 35M USD.
  • 10M USD will buy about 15 cruise missiles.
  • 20M EUR is the amount Robert Bourgi claims to have delivered to Jacques Chirac in duffle bags over the years from african dictatorships.
  • NSA plans to spend 1B USD on a new data centre.
  • etc etc
More Numbers

I believe you can do better than this. At the current difficulty, a 6950 will mine a new bitcoin every 4 days, or 90 in a year. Subtract electricity costs and assume the current bitcoin price continues, you'll make $2 / btc after electricity, meaning that each 6950 will have mined back all of its purchase cost in just over a year. The big question here is how profitable will mining be as you add more and more nodes. Will less efficient miners drop out as you raise the difficulty bar, or will they cling-on regardless? Perhaps by the combination of a slight price rise, say to $8 / bitcoin combined with some thinning-out of creaky old mining rigs, your investment in graphics cards would have actually paid for itself in a year and a half, leaving you free to trash the blockchain at zero cost.

I, for one, am quite concerned about all this.

Bitcoin Confirmation Honeypot


In a previous post I discussed long confirmation delays being a major obstacle to adoption, especially for bricks-and-mortar shops where the customer expects to walk away with his purchase immediately.

An interesting reply linked to a comment made by Satoshi on bitcointalk:
I believe it'll be possible for a payment processing company to provide as a service the rapid distribution of transactions with good-enough checking in something like 10 seconds or less.
which then went on to discuss the technicalities. The obvious question this raises is then:
"If this is the case, then why do most big players in the bitcoin economy require multiple confirms?"
MtGOX asks for several hours, TradeHill estimates one hour, VirtEx requires 6 confirms, not sure how long BritCoin requires after their makeover but it used to be 6 confirms. Are they being unnecessarily cautious, or has the technology Satoshi refers to not arrived yet? If so, when can we expect that? These aren't rhetorical questions, I think a lot of people would really like to know if zero-confirm transactions can indeed be made relatively secure.

Other replies point out that since the existing credit card infrastructure allows chargebacks, and chargebacks can happen months after the initial transaction, bitcoin is still superior to CC. However, CC chargeback is a somewhat known quantity; CyberSource’s Annual Online Fraud Report claims that about 40% of retailers have a chargeback rate of 1% or more, according to this blog. This means that as a business you should expect your CC transactions to cost a percentage point more than your payment provider claims.  Annoying, but not something that's going to kill you. And since credit cards have been around for a while, it's unlikely to get orders-of-magnitude worse.

I view the confirmation characteristics as being a probability as a function of time. The longer you wait, the more certain you are of a valid transaction. In the case of credit cards you have to wait 2 months for a complete guarantee, whereas for bitcoin you might have to wait up to an hour based on what the big exchanges are telling us, although according to Satoshi it may be far less than an hour. The following diagram depicts the datapoints we have:

The blocks are known values, whereas the wiggly connecting lines are where we are missing data. The probabilities are normalised by a factor k, which is the unconditional probability of a transaction being bogus (which includes mundane factors like wrong PIN, insufficient funds etc as well as the probability of attempted fraud). It illustrates that bitcoin is clearly the better choice if you wait an hour, and that they are both equivalent if you wait 2 months. Which is better after 5s is the big unknown; we know that CC has about a 1% rejection rate after 5s but not much is known about the bitcoin rejection rate at that point.

The Honeypot

What I propose is that we setup a honeypot to find out more about the properties of the bitcoin validity curve in this region. It would work like a security honeypot - if you can have a transaction rejected after 5 seconds then you win a prize. Of course we want to know all the data-points, so we would have multiple prizes, one for each duration we're interested in. The process would work like this:

  1. Whitehat sends bounty to honeypot address.
  2. Honeypot waits 5s and sends the money back if transaction is still valid at this point.
  3. If whitehat manages to reverse his original payment, then he keeps his original bitcoins from 1. and also wins the bounty from 2. Otherwise, he just gets his money back from 2.
The website would display a table of what has been hacked so far and what the current bounties are, something like this (not sure what the actual bounties should be):
Or perhaps you could start all bounties off at 1 BTC, and then let each one grow daily until someone manages to hack them. That way you don't have to make decisions about the relative difficulties of different rejections, you just find out over time.

If someone builds this, I will fund bounties as a service to the bitcoin community.