In the long-term (when all the bitcoins have been mined), the security of bitcoin comes from the revenues generated from transactions. How much revenue is that? Basically no one has any clue how many transactions there will be in ten or twenty years time, nor how much revenue will come from them.
But perhaps we can look at the real world for some kind of guidance. Visa has an annual revenue of $8 billion. Assuming that bitcoin will have to process transactions significantly cheaper - lets say 10% of the cost - to gain traction, that means an annual transaction revenue of around $80 million, assuming bitcoin grabs 10% market share from Visa.
The problem here is one of old-fashioned competition. Assuming there is no mining monopoly, miners mine independently of each other, and are free to charge whatever transaction fee they like, in the sense that they are free to include or exclude whatever (valid) transactions they like, irrespective of fee. Because incorporating an extra transaction into a block has zero (or close to zero) marginal cost, economically rational miners will choose to accept any and all transactions that have a non-zero fee. Miners that refuse low-fee transactions will make less money than miners who accept them and eventually will get squeezed out of the market. Note that the marginal cost of transactions is unrelated to how many hashes you had to do to solve the block - once you've solved a block you can add as many transactions as you like.
Effectively, competition will force the transaction fee down to the marginal cost of adding a transaction to a block. That cost is virtually zero (in fact the cost of bandwidth for sending the solved block to your peers), so fees become virtually zero. With super-low fees, you have insufficient revenue to secure the blockchain from attack.
Suppose then, that the miners 'unionize' and enforce a minimum average transaction fee. They could do this by collectively agreeing not to accept blocks that have fees less than the minimum agreed value. A miner whose block contains a transaction below the threshold would lose the fees from all the valid transactions as well, so it would be strongly in a miner's interest to only accept transactions above that fee threshold. However, a miner could then agree (off-network) to give a partial refund on all transactions. Superficially the transaction would appear to be valid, but the real net fee would be far smaller. They wouldn't be able to send the fee-discount back in bitcoins due to the minimum-fee rule, but presumably they would be able to use some other medium of transactions. For example, they could return some digital cash using Open-Transactions.
And this really leads to the big problem. Bitcoin will not be competing against Visa and Mastercard, Bitcoin will be competing against other digital currencies, including ones with no lower bound on the transaction cost. It will not be long before you can issue Bitcoins onto an Open Transactions Processor, which will be able to handle the transactions of an unlimited number of other currencies. Other currencies that do not require (comparatively) high transaction fees to pay for the (comparitively) high security costs of the issuance will be at an economic advantage and will undercut bitcoin. Why send money through raw BitCoin when you can send it over OT (either as bitcoin or as some other currency) and pay a hundredth of the charge? As a merchant, why install BitCoin technology which only supports BitCoin when you can install OT technology and support all digital currencies simultaneously and at no extra cost?
Thursday 29 September 2011
Monday 26 September 2011
Implications of Merged Mining
In case you haven't come across it already, merged mining (also summarized here) is a way of simultaneously mining multiple blockchains. If all miners support merged mining, then the global hashrate of any of the alternative blockchains becomes the same as the global hashrate of bitcoin. There is always an incentive for a miner to merge because he will start collecting coins from alternative blockchains at no extra cost.
It is to be tried first with NameCoin, with the intended goal of securing it by reusing the hashing power of bitcoin. I think that given the upside with no downside, it will be only a matter of time before all miners support merged-mining.
So what are the long-term implications of merged-mining?
For one thing, it massively reduces the barrier-to-entry for a new blockchain. Prior to merged mining, a new blockchain was vulnerable to attack because there was insufficient mining power available to secure it from attack. There was no real incentive to mine it because not only did the coins have low or no value, but the low global hashrate meant that the whole chain was vulnerable. A 'chicken and egg' type scenario, or 'network effect' if you like.
But now (or at least shortly), alternative blockchains will, almost from inception, be as secure as the main blockchain. Here's a first draft at how to start up your own chain:
It is to be tried first with NameCoin, with the intended goal of securing it by reusing the hashing power of bitcoin. I think that given the upside with no downside, it will be only a matter of time before all miners support merged-mining.
So what are the long-term implications of merged-mining?
For one thing, it massively reduces the barrier-to-entry for a new blockchain. Prior to merged mining, a new blockchain was vulnerable to attack because there was insufficient mining power available to secure it from attack. There was no real incentive to mine it because not only did the coins have low or no value, but the low global hashrate meant that the whole chain was vulnerable. A 'chicken and egg' type scenario, or 'network effect' if you like.
But now (or at least shortly), alternative blockchains will, almost from inception, be as secure as the main blockchain. Here's a first draft at how to start up your own chain:
- Think about how much money you're going to plough into it. Lets say it's $1 million.
- Start your own blockchain with exactly the same characteristics as bitcoin but with a far lower level for maxcoins. How low is dependent on how much startup capital you decided above.
- Mine it for a while on your own to build up a hefty warchest W of newcoins.
- Declare publicly that newcoins will be exchangeable 1 for 1 with bitcoins. On your favourite exchange, put in $1M worth of bid at 0.95 and W worth of offer at 1.05. Keep it there.
- Advertise your new blockchain for merged-mining with bitcoin mining pools. This shouldn't be hard, as it's free profit for them.
- Advertise your new blockchain with merchants. Since merchants already use bitcoin there's little or no setup cost in allowing them to accept newcoins, especially with the fixed exchange rate you have imposed.
- Advertise your new blockchain with the public. It helps if you are Justin Bieber, or Facebook, or a sovereign nation.
- For as long as you can, maintain the 1:1 price ratio between bitcoins and newcoins. Eventually newcoins will gain acceptance as being as valid as bitcoins, since they are after all feature-identical and interchangeable with bitcoins, at which point you gradually sell off your warchest.
So what are you waiting for!?
Bitcoin Bonds and "Too Big To Fail"
One aspect of the financial system crucial to the capitalist system is borrowing. Companies borrow money so they can invest. This might be for example to build a new factory or develop new technology. Ignoring equities for now, money borrowed is usually in the form of bonds or loans; Alice gives $1000 to Bob on the condition that Bob pays her back the $1000 at a specified later date as well as $20 each year as an incentive for Alice to put up the cash.
Bonds are big. According to wikipedia the net value of outstanding bonds is $82 trillion. In 2010, $3 trillion worth of corporate bonds were issued. Bloomberg reported in Dec 2010 that GE Capital alone planned on issuing $25 billion through 2011. AT&T will be required to pay back (or rollover) $10 billion worth of bonds as they come due in 2011.
The question is, could bonds denominated in bitcoin be issued? Technologically, there's good reason to believe that the Open Transactions project will enable the issuing of bonds and other contracts that can be subsequently traded in a cryptographically secure manner. Since OT allows anyone to be the issuer of their own contracts, bonds could in principle be issued in bitcoins.
However, there a problems of large bitcoins debts. Since the cost of trashing the blockchain is both finite and easily calculable from the current difficulty level and market price of electricity, this places an upper bound on the size of a bond that can be safely issued. If BadCorp were to find themselves in a situation where their total bond issuance is substantially higher than the 'attack price', it would make economic sense for them to do the following:
Bonds are big. According to wikipedia the net value of outstanding bonds is $82 trillion. In 2010, $3 trillion worth of corporate bonds were issued. Bloomberg reported in Dec 2010 that GE Capital alone planned on issuing $25 billion through 2011. AT&T will be required to pay back (or rollover) $10 billion worth of bonds as they come due in 2011.
The question is, could bonds denominated in bitcoin be issued? Technologically, there's good reason to believe that the Open Transactions project will enable the issuing of bonds and other contracts that can be subsequently traded in a cryptographically secure manner. Since OT allows anyone to be the issuer of their own contracts, bonds could in principle be issued in bitcoins.
However, there a problems of large bitcoins debts. Since the cost of trashing the blockchain is both finite and easily calculable from the current difficulty level and market price of electricity, this places an upper bound on the size of a bond that can be safely issued. If BadCorp were to find themselves in a situation where their total bond issuance is substantially higher than the 'attack price', it would make economic sense for them to do the following:
- Buy access to (possibly by buying the hardware) a mining pool with 50% of the global hashrate.
- Continually harass the blockchain by reverting blocks, enabling double-spend attacks and so on so that
- Everyone else loses trust in the blockchain leading to
- Market crash in the value of bitcoins.
- Now bitcoins are worth a small fraction of what they were, buy them up and pay back your debt.
Now one criticism of this fraud would seem to be that since it's highly illegal and pretty obvious, the bitcoin economy could rely on meatspace police to stop this market manipulation / fraud. But when you think about it, it's not that easy since there's nothing to link BadCorp to the blockchain destruction that happened. They would outsource 1 and 2 above to some criminal gang, and probably no one would even suspect, far less be able to prove, that BadCorp had anything to do with it. BadCorp would be indistinguishable from any other company that happened to denominate their bonds in bitcoin who also benefited from being able to pay back their debts cheaply. This kind of situation happens in the real world whenever a currency experiences hyper-inflation - debtors prosper.
The key problem here is not that the bondholder doesn't get paid; corporate defaults happen all the time. The problem is that the bond issuer has a financial incentive to trash the entire system. So one bond issuance from the wrong company could end in disaster for everyone. The same potential problem exists in the real world to the extent that a bondholder can manipulate the real currency. The reason this doesn't happen is that it's far, far harder to attack a real currency.
One implication of the above is that no potential bond buyers can trust a bond issued in excess of the bitcoin attack price. At today's levels, multimillion dollar-equivalent bitcoin bond issues will not happen, since investors would be sowing the seeds of their own destruction.
Are there more subtle problems? Probably, yes. For example what if a group of highly indebted entities conspire to bring down bitcoin? You could argue that bank bailouts during the credit crunch were a real-world form of this attack. "Too big to fail" was the attack vector used to devalue the currency and hence the debts. But while in the real world the attack price is measured in trillions of dollars, in bitcoin it is measured in millions of dollars.
Thursday 22 September 2011
How To Do Instant Transactions?
In my last post, the idea of using zero-confirm bitcoin transactions as a point-of-sale device in the real-world was well and truly crushed. If ZCT ever became popular, then (I claim) merchants would lose money and the bitcoin network would be compromised.
But this does not mean that bitcoin can never be used in POS, it just means it needs a better delivery mechanism. There are several ideas and projects in this direction, so lets have a look.
GOX Codes
I was not sure whether to include this, but since it's probably the most prevalent instant transaction device in use today within the bitcoin community, I probably should.
The system is very simple. You deposit your BTC into MtGOX, then when you want to send money you request a code from MtGOX for a certain amount of currency and give that code to the person you want to send the money to. Since everyone in the known universe trusts MtGOX with their mother's life, the system works quite nicely.
But obviously it is a complete hack - what's so special about MtGOX? What's the point in a super-secure crypto-currency if we all just pile our cash into MtGOX anyway? What if MtGOX gets hacked again? What if MtGOX runs away with our money? What if I get banned from MtGOX because I'm little-endian, or because I 'dissed his family, or some other trivia? What if MtGOX gets shut down by the gubermint? What if MtGOX gets DDoSed by anonymous?
Green Addresses
This is a technique already being used by InstaWallet. Again, a very simple concept where this time people decide to trust certain bitcoin addresses as not being malicious.
This is a slight improvement over GOX codes because it doesn't require a whole new protocol to operate; at its simplest it just requires a simple lookup table of non-malicious addresses. It's also not GOX-centric, you can greenlist whoever you like. Note that you don't have to trust that the green address has the funds available - you can do that using (currently non-standard) blockchain techniques - you just have to trust that the green address isn't attempting a double spend or discount scheme.
One temporary hiccup is that the current bitcoin client (and daemon) do not tell you where an incoming transaction came from, so to use green addresses right now you have to code it yourself or use a dev build of something, or request the data from blockexplorer.
Another problem is that there is no infrastructure around obtaining a reliable list of green addresses. It's unreasonable to expect merchants to keep their own greenlists up-to-date.
Also if you are in possession of a greenlisted address, you need to use a specialized client to ensure that when you send bitcoins, they do come from the green address and not some other address randomly generated by your client.
Finally, to use a green-address anonymously, you need to do it through a third-party like InstaWallet, which runs into the trust problems as with GOX codes.
Ripplepay
Ripple is a P2P network of credit-lines. It is entirely trust-based, and works on the principle of the transferable IOU. For example, A trusts B and B trusts C. Therefore A trusts C as long as the transaction is routed through B. Anyone can extend credit to anyone else, and your spending power is limited to how much credit has been extended to you by your neighbours. I've written a little about it here.
Ripple is currency agnostic, and so can be used for bitcoin. A simple setup might run as follows:
AFAIK, Ripple transactions are instant, although I'm currently a billy-no-mates with no credit extended to me so I'm not sure! newmeraire@gmail.com is my ripple address, if you fancy it.
Open Transactions
OT is the holy grail of virtual currencies. It is a library, protocol and app that provides support for a dazzling array of funky contracts such as cheques, bonds, payment plans, equities, derivatives and so on. There is a clear divide between currency issuers and transaction processors, allowing transaction processing to be a low-trust operation. This in turn means that it is safe to have transaction servers without having to trust them with your actual assets, and leaves transaction servers to focus on processing transactions rather than breaking rocks (or mining).
Like Ripple, OT is currency neutral so a POS built using OT would extend to other currencies in a simple manner.
OT - or something similar - is clearly the long term solution, but it is a huge project that is not yet ready for use in the real-world.
But this does not mean that bitcoin can never be used in POS, it just means it needs a better delivery mechanism. There are several ideas and projects in this direction, so lets have a look.
GOX Codes
I was not sure whether to include this, but since it's probably the most prevalent instant transaction device in use today within the bitcoin community, I probably should.
The system is very simple. You deposit your BTC into MtGOX, then when you want to send money you request a code from MtGOX for a certain amount of currency and give that code to the person you want to send the money to. Since everyone in the known universe trusts MtGOX with their mother's life, the system works quite nicely.
But obviously it is a complete hack - what's so special about MtGOX? What's the point in a super-secure crypto-currency if we all just pile our cash into MtGOX anyway? What if MtGOX gets hacked again? What if MtGOX runs away with our money? What if I get banned from MtGOX because I'm little-endian, or because I 'dissed his family, or some other trivia? What if MtGOX gets shut down by the gubermint? What if MtGOX gets DDoSed by anonymous?
Green Addresses
This is a technique already being used by InstaWallet. Again, a very simple concept where this time people decide to trust certain bitcoin addresses as not being malicious.
This is a slight improvement over GOX codes because it doesn't require a whole new protocol to operate; at its simplest it just requires a simple lookup table of non-malicious addresses. It's also not GOX-centric, you can greenlist whoever you like. Note that you don't have to trust that the green address has the funds available - you can do that using (currently non-standard) blockchain techniques - you just have to trust that the green address isn't attempting a double spend or discount scheme.
One temporary hiccup is that the current bitcoin client (and daemon) do not tell you where an incoming transaction came from, so to use green addresses right now you have to code it yourself or use a dev build of something, or request the data from blockexplorer.
Another problem is that there is no infrastructure around obtaining a reliable list of green addresses. It's unreasonable to expect merchants to keep their own greenlists up-to-date.
Also if you are in possession of a greenlisted address, you need to use a specialized client to ensure that when you send bitcoins, they do come from the green address and not some other address randomly generated by your client.
Finally, to use a green-address anonymously, you need to do it through a third-party like InstaWallet, which runs into the trust problems as with GOX codes.
Ripplepay
Ripple is a P2P network of credit-lines. It is entirely trust-based, and works on the principle of the transferable IOU. For example, A trusts B and B trusts C. Therefore A trusts C as long as the transaction is routed through B. Anyone can extend credit to anyone else, and your spending power is limited to how much credit has been extended to you by your neighbours. I've written a little about it here.
Ripple is currency agnostic, and so can be used for bitcoin. A simple setup might run as follows:
Bob deposits bitcoins at various institutions he trusts. 3 BTC at GOX, 1 BTC at InstaWallet and so on. In return, these institutions extend him equal amounts of credit through ripple. In addition, Bob's friends and colleagues also extend him credit.An additional benefit of Bitcoin over Ripple is that the technology he installs into his POS system does not tie him in to only accepting bitcoins. Because Ripple is currency agnostic, it is very simple to add support for Euros or Yen or SolidCoin or BeenieBabies or whatever. This might not seem like a good thing for bitcoin (in fact it is), but it's certainly a good thing for the merchant.
Bob goes shopping in Alice's store and buys a t-shirt for 5 BTC. While Alice doesn't know or trust Bob, she does trust GOX and Instawallet. She also happens (by coincidence) to trust Bob's friend Chris who has extended Bob 2 BTC credit. This transaction can now proceed because Alice scoops up 5 BTCs worth of IOUs from people she trusts. Bob is happy because he doesn't have all his eggs in one basket - he stored some of his BTC at GOX and some at InstaWallet. Moreover, because his friends extended him credit, he can do some transactions without having to store his bitcoins in any institution at all.
AFAIK, Ripple transactions are instant, although I'm currently a billy-no-mates with no credit extended to me so I'm not sure! newmeraire@gmail.com is my ripple address, if you fancy it.
Open Transactions
OT is the holy grail of virtual currencies. It is a library, protocol and app that provides support for a dazzling array of funky contracts such as cheques, bonds, payment plans, equities, derivatives and so on. There is a clear divide between currency issuers and transaction processors, allowing transaction processing to be a low-trust operation. This in turn means that it is safe to have transaction servers without having to trust them with your actual assets, and leaves transaction servers to focus on processing transactions rather than breaking rocks (or mining).
Like Ripple, OT is currency neutral so a POS built using OT would extend to other currencies in a simple manner.
OT - or something similar - is clearly the long term solution, but it is a huge project that is not yet ready for use in the real-world.
Wednesday 21 September 2011
The Bitcoin Discount Scheme
Welcome to BDS, the premier place to get 10% discount on all bitcoin purchases made at participating* stores. Signup is free! All you need to do is download BDS-Client, our specialized android bitcoin client and go shopping in meat-space.
How Does It Work?
Every time you make a transaction with the BDS-Client, it will also make a secure connection to our rather large mining pool, BDS-Pool, and give it a secondary signed transaction, one which would send the same bitcoins not to the shop but to our own BDS-Account instead. If BDS-Pool happens to solve the next block in the block-chain, we will ignore the shop transaction and instead write the secondary transaction, sending the bitcoins you were charged into our own account.
Since BDS-Pool in fact owns 11% of the network (thanks to our VC startup capital of 1M USD), this means that 11% of your transactions will randomly be redirected to our accounts. This is what allows us to give you a 10% payback every time regardless of whether a particular redirection was successful.
Of course, the money hasn't come from nowhere, it has actually come from the shop owners who had their payments stolen. But, that's their own fault for being dumb enough to accept zero-confirm bitcoin transactions. Lulz.
* participating stores are any that accept zero-confirm transactions.
How Does It Work?
Every time you make a transaction with the BDS-Client, it will also make a secure connection to our rather large mining pool, BDS-Pool, and give it a secondary signed transaction, one which would send the same bitcoins not to the shop but to our own BDS-Account instead. If BDS-Pool happens to solve the next block in the block-chain, we will ignore the shop transaction and instead write the secondary transaction, sending the bitcoins you were charged into our own account.
Since BDS-Pool in fact owns 11% of the network (thanks to our VC startup capital of 1M USD), this means that 11% of your transactions will randomly be redirected to our accounts. This is what allows us to give you a 10% payback every time regardless of whether a particular redirection was successful.
Of course, the money hasn't come from nowhere, it has actually come from the shop owners who had their payments stolen. But, that's their own fault for being dumb enough to accept zero-confirm bitcoin transactions. Lulz.
* participating stores are any that accept zero-confirm transactions.
The Cost of Destroying Bitcoin
As is fairly well accepted, if you own half of the global bitcoin mining power, you are in a position to do all sorts of terrible things such as performing double spends with arbitrarily many confirmations. Fortunately, the existing computation power is truly vast, so this attack would be completely infeasible, it is said. But exactly how much does it actually cost?
The Numbers
Currently the compute power of the network is 13.5 THash/s, according to bitcoincharts. Looking at the hardware comparison page on bitcoin.it, a good all-round graphics card with "easy" availability is the 6950, which will give you 1.4 MHash/s per dollar spent on the hardware. So assuming there's a really big supply of them, it will cost you around 10M USD to buy the 40k graphics cards to equal the global hashrate. Maybe you'll get some kind of discount on a bulk purchase. On the other hand, you've got to plug them all together and find a big shed in Siberia to house them, so lets for arguments sake just call it 10M USD total.
Some Silliness
Some Silliness
How many people have that much money? According to wikipedia there are around 40M millionaires and 1,000 billionaires. Doing a log-log interpolation, I reckon there are around 30,000 people in the world with access to enough capital to bring down bitcoin. But no one except the completely insane would spend their entire fortune on killing some unknown geek project, so perhaps this doesn't matter. However, for the 1,000 billionaires in the world it would only cost 1% of their net wealth.
For context, here are a few things bought over the years by billionaires:
For context, here are a few things bought over the years by billionaires:
- David Brooks spent 10M USD on his daughter's 13th birthday party
- Paul Allen's yacht: 100M USD
- Roman Abramovic bought Ukrainian footballer Andriv Shevhenko for 30M EUR a few years back despite the Chelsea manager not even wanting him.
- The domain name fund.com was bought for 10M USD
- 10M USD will buy a middle-of-the-road private jet.
If you're the kind of person who suspects that certain governments would dearly love to put a stop to bitcoin, how about these numbers:
- F-22 Raptor apparently costs 150M USD. Even a bargain-basement Saab Gripen will set you back 35M USD.
- 10M USD will buy about 15 cruise missiles.
- 20M EUR is the amount Robert Bourgi claims to have delivered to Jacques Chirac in duffle bags over the years from african dictatorships.
- NSA plans to spend 1B USD on a new data centre.
- etc etc
More Numbers
I believe you can do better than this. At the current difficulty, a 6950 will mine a new bitcoin every 4 days, or 90 in a year. Subtract electricity costs and assume the current bitcoin price continues, you'll make $2 / btc after electricity, meaning that each 6950 will have mined back all of its purchase cost in just over a year. The big question here is how profitable will mining be as you add more and more nodes. Will less efficient miners drop out as you raise the difficulty bar, or will they cling-on regardless? Perhaps by the combination of a slight price rise, say to $8 / bitcoin combined with some thinning-out of creaky old mining rigs, your investment in graphics cards would have actually paid for itself in a year and a half, leaving you free to trash the blockchain at zero cost.
I, for one, am quite concerned about all this.
I, for one, am quite concerned about all this.
Bitcoin Confirmation Honeypot
Background
In a previous post I discussed long confirmation delays being a major obstacle to adoption, especially for bricks-and-mortar shops where the customer expects to walk away with his purchase immediately.
An interesting reply linked to a comment made by Satoshi on bitcointalk:
Other replies point out that since the existing credit card infrastructure allows chargebacks, and chargebacks can happen months after the initial transaction, bitcoin is still superior to CC. However, CC chargeback is a somewhat known quantity; CyberSource’s Annual Online Fraud Report claims that about 40% of retailers have a chargeback rate of 1% or more, according to this blog. This means that as a business you should expect your CC transactions to cost a percentage point more than your payment provider claims. Annoying, but not something that's going to kill you. And since credit cards have been around for a while, it's unlikely to get orders-of-magnitude worse.
I view the confirmation characteristics as being a probability as a function of time. The longer you wait, the more certain you are of a valid transaction. In the case of credit cards you have to wait 2 months for a complete guarantee, whereas for bitcoin you might have to wait up to an hour based on what the big exchanges are telling us, although according to Satoshi it may be far less than an hour. The following diagram depicts the datapoints we have:
The blocks are known values, whereas the wiggly connecting lines are where we are missing data. The probabilities are normalised by a factor k, which is the unconditional probability of a transaction being bogus (which includes mundane factors like wrong PIN, insufficient funds etc as well as the probability of attempted fraud). It illustrates that bitcoin is clearly the better choice if you wait an hour, and that they are both equivalent if you wait 2 months. Which is better after 5s is the big unknown; we know that CC has about a 1% rejection rate after 5s but not much is known about the bitcoin rejection rate at that point.
The Honeypot
What I propose is that we setup a honeypot to find out more about the properties of the bitcoin validity curve in this region. It would work like a security honeypot - if you can have a transaction rejected after 5 seconds then you win a prize. Of course we want to know all the data-points, so we would have multiple prizes, one for each duration we're interested in. The process would work like this:
In a previous post I discussed long confirmation delays being a major obstacle to adoption, especially for bricks-and-mortar shops where the customer expects to walk away with his purchase immediately.
An interesting reply linked to a comment made by Satoshi on bitcointalk:
I believe it'll be possible for a payment processing company to provide as a service the rapid distribution of transactions with good-enough checking in something like 10 seconds or less.which then went on to discuss the technicalities. The obvious question this raises is then:
"If this is the case, then why do most big players in the bitcoin economy require multiple confirms?"MtGOX asks for several hours, TradeHill estimates one hour, VirtEx requires 6 confirms, not sure how long BritCoin requires after their makeover but it used to be 6 confirms. Are they being unnecessarily cautious, or has the technology Satoshi refers to not arrived yet? If so, when can we expect that? These aren't rhetorical questions, I think a lot of people would really like to know if zero-confirm transactions can indeed be made relatively secure.
Other replies point out that since the existing credit card infrastructure allows chargebacks, and chargebacks can happen months after the initial transaction, bitcoin is still superior to CC. However, CC chargeback is a somewhat known quantity; CyberSource’s Annual Online Fraud Report claims that about 40% of retailers have a chargeback rate of 1% or more, according to this blog. This means that as a business you should expect your CC transactions to cost a percentage point more than your payment provider claims. Annoying, but not something that's going to kill you. And since credit cards have been around for a while, it's unlikely to get orders-of-magnitude worse.
I view the confirmation characteristics as being a probability as a function of time. The longer you wait, the more certain you are of a valid transaction. In the case of credit cards you have to wait 2 months for a complete guarantee, whereas for bitcoin you might have to wait up to an hour based on what the big exchanges are telling us, although according to Satoshi it may be far less than an hour. The following diagram depicts the datapoints we have:
The Honeypot
What I propose is that we setup a honeypot to find out more about the properties of the bitcoin validity curve in this region. It would work like a security honeypot - if you can have a transaction rejected after 5 seconds then you win a prize. Of course we want to know all the data-points, so we would have multiple prizes, one for each duration we're interested in. The process would work like this:
- Whitehat sends bounty to honeypot address.
- Honeypot waits 5s and sends the money back if transaction is still valid at this point.
- If whitehat manages to reverse his original payment, then he keeps his original bitcoins from 1. and also wins the bounty from 2. Otherwise, he just gets his money back from 2.
The website would display a table of what has been hacked so far and what the current bounties are, something like this (not sure what the actual bounties should be):
Or perhaps you could start all bounties off at 1 BTC, and then let each one grow daily until someone manages to hack them. That way you don't have to make decisions about the relative difficulties of different rejections, you just find out over time.
If someone builds this, I will fund bounties as a service to the bitcoin community.
Tuesday 20 September 2011
On Ripple
Recently I discovered Ripple, an extremely interesting way of facilitating transactions without requiring any underlying currency. Effectively it is a network of transferable IOUs - people extend defined amounts of credit to their friends, then transactions can happen between two mutually-untrusting nodes by being 'routed' through the P2P network of credit lines. The introductory video is well worth watching. One quote that really caught my attention from the ripple-project FAQ:
It reminded me a little of first-order electronics. A network of ripplers extending credit to each other like a network of capacitors. While they don't allow a flow of money to pass through (c.f. DC voltage), they do allow money to go to-and-fro (c.f. AC voltage) as long as there is no net build-up. The 'impedance' of the network decreases as people extend more credit to each other. When the impedance is high, energy can only flow at high frequencies, or in Ripple when credit lines are small you require small, frequent transactions to have significant economic activity.
Interestingly, Ripple is not dependent on the underlying unit of account. The IOUs can be denominated in arbitrary currencies, and nodes are free to offer 'fx' if they choose. This means you are free to use a sovereign currency like USD or EUR, a crypto-currency like bitcoin or basically whatever you like.
Regarding barriers to adoption, Ripple nicely skirts the main problem BitCoin faces: it doesn't require you to have an obscure asset to be able to start trading, since you can trade in any currency (in fact it doesn't require you to have any currency at all, as mentioned above). Its big problem is of another kind. Transactions can happen only between members of the network that are connected by a trust credit-line (possibly via third parties). When the network is small it is hard for new-joiners to have credit extended to them because they don't happen to know anyone who both trusts them and happens to be part of the Ripple network. Compare with Bitcoin, where as long as you have Bitcoins in your account, it is equally trivial to send them to any address you like. Currently there are around 3,000 'Ripplers', so if there are say 20 people in the world who would extend me USD credit I guess that means there is currently a probability of 1:10,000 that I would get any credit on Ripple if I went looking for my friends.
But it's an interesting concept, so I will write more on this subject soon.
Ripple places control of monetary scorekeeping in the hands of the people around us, in our social circles and in your communities. It takes away the excuse, "we didn't have any money in our community," and lets us focus on more fundamental economic and social problems.It might seem paradoxical, but in fact you don't need actual money to be able to extend credit to someone else, all you need is for a third-person to have extended credit to you. So if you have a community where no individual has any money, but they each extend credit to those they trust, then transactions can still happen by trading the IOUs. It's a truly beautiful form of bootstrapping.
It reminded me a little of first-order electronics. A network of ripplers extending credit to each other like a network of capacitors. While they don't allow a flow of money to pass through (c.f. DC voltage), they do allow money to go to-and-fro (c.f. AC voltage) as long as there is no net build-up. The 'impedance' of the network decreases as people extend more credit to each other. When the impedance is high, energy can only flow at high frequencies, or in Ripple when credit lines are small you require small, frequent transactions to have significant economic activity.
Interestingly, Ripple is not dependent on the underlying unit of account. The IOUs can be denominated in arbitrary currencies, and nodes are free to offer 'fx' if they choose. This means you are free to use a sovereign currency like USD or EUR, a crypto-currency like bitcoin or basically whatever you like.
Regarding barriers to adoption, Ripple nicely skirts the main problem BitCoin faces: it doesn't require you to have an obscure asset to be able to start trading, since you can trade in any currency (in fact it doesn't require you to have any currency at all, as mentioned above). Its big problem is of another kind. Transactions can happen only between members of the network that are connected by a trust credit-line (possibly via third parties). When the network is small it is hard for new-joiners to have credit extended to them because they don't happen to know anyone who both trusts them and happens to be part of the Ripple network. Compare with Bitcoin, where as long as you have Bitcoins in your account, it is equally trivial to send them to any address you like. Currently there are around 3,000 'Ripplers', so if there are say 20 people in the world who would extend me USD credit I guess that means there is currently a probability of 1:10,000 that I would get any credit on Ripple if I went looking for my friends.
But it's an interesting concept, so I will write more on this subject soon.
The Current Problems of Bitcoin
These are the most serious obstacles Bitcoin faces, as I see it.
- Extreme volatility. Here's the chart of USD against various assets over the past 6 months.
I've initially normalized the price to 1 to compare. You can see that bitcoin is the odd one out here, it's volatility is in a completely different league to other assets. Based on these timeseries, I calculated the average daily vol against USD over this time-period.
Roughly speaking, while EUR will fluctuate against USD by about 0.5% per day on average, BTC will fluctuate by about 11% per day, i.e. BTC is 20 times more volatile than EUR, and this is during a period of notably high volatility for the Euro currency.Asset Daily Vol EUR 0.5% CHF 0.8% JPY 0.4% Oil 1.8% BTC 11.4%
This is an extremely serious problem for anyone who wishes to use BTC to transact real goods and services. Lets say you are a low-margin retailer of T-shirts. You buy wholesale in USD and sell online in BTC. Not only do you have to continually update your BTC prices throughout the day, you also have to ensure that as soon as the transaction takes place you convert your BTC back into USD - if you leave it just one day the BTC volatility could wipe out all your margin from the sale. There are also more subtle issues. If someone buys your T-shirt at 5 BTC, then a week later returns it and the price of BTC happens to have risen then you will lose out. The 5 BTC that was worth 25 USD is now worth 50 USD and you the retailer will have to cover the difference. Effectively you have sold a call option for free.
As far as I can see, there are no strong reasons to expect that this volatility will decrease dramatically in future. - Delayed confirmations. Usually when you make a transaction in the real-world the confirmation takes a few seconds to happen. With bitcoin, it takes something in the region of an hour. This means that in its current form, it is impossible to use it for any conventional retailing where the customer expects to walk away with the product immediately; no one is going to hang around for an hour waiting for his transaction to clear. As a retailer you could admit zero-confirmation transactions, but it's only a matter of time before thieves catch on and target you. There are various websites being setup to allow instant transactions, but then you are relying on them to keep your bitcoins secure. Not only have there been instances of large-scale fraud (or incompetence) with bitcoin banks, it somewhat defeats the purpose of a P2P crypto-currency.
- Client unwieldiness. When I downloaded the bitcoin client, it took about a day to download the whole blockchain from the network before I could start using it. The blockchain takes up something in the region of 1Gb disk-space, which can be very significant for portable devices.
- Blockchain vulnerability. I have posted before on this subject (and here and here). In summary, there is very little to stop a determined attacker from making fraudulent transactions. This is due to the interaction of three fundamental properties of the bitcoin economy:
- Open mining. Anyone can contribute to verifying transactions (or as it's currently called 'mining'), you just need to connect and let your GPU run.
- Free mining. To incentivise people to do it, you get paid to mine / verify transactions. This means the equilibrium state is that the costs and revenues from mining balance and it becomes free for anyone to add compute power.
- Computocracy. If you have access to more than half of the total compute power, you can fake your own transactions.
- Wallet security. It is assumed that someone's wallet file (and hence a person's bitcoins) is secure by virtue of it being on your own computer. This is only true in the case of a 'suitably sophisticated user' who is capable of securing their own system. Unfortunately, the majority of people in the world do not have a secure system and even in the tiny community of bitcoin early-adopters there have been huge problems of stolen wallets. Even the fifth-largest bitcoin exchange failed to secure their wallet. Trojans are now in the wild targeting wallet files. Sadly it seems that there are very very few 'suitably sophisticated users'. Even the most basic level of security - encypting the wallet - is not yet available in the standard client.
Monday 19 September 2011
Bitcoinica - at last we can short bitcoin
As if there weren't enough bitcoin exchanges already, bitcoinica went live on 8 September. However, this service really does differentiate itself by offering 5x leverage and the ability to short. In truth it is not really an exchange but a brokerage - the site will net out opposing positions that clients take before hedging the residual on another exchange (currently MtGOX, but soon TradeHill will be a target), meaning that many if not most trades will never actually hit the open market.
There is a downside, though. Since bitcoinica acts as a middle man and is vulnerable to market-manipulation attacks, it charges a hefty fee by way of bid-ask spread. Currently this seems to fluctuate at around 5% of the price, which is pretty chunky in comparison to 0.01%, or 1bp, that is typical on MtGOX.
It seems like forever that MtGOX have been promising margined trading and shorts, will this new competition spur them on?
There is a downside, though. Since bitcoinica acts as a middle man and is vulnerable to market-manipulation attacks, it charges a hefty fee by way of bid-ask spread. Currently this seems to fluctuate at around 5% of the price, which is pretty chunky in comparison to 0.01%, or 1bp, that is typical on MtGOX.
It seems like forever that MtGOX have been promising margined trading and shorts, will this new competition spur them on?
The economics of block-chain security in bitcoin
I posted this on reddit, but copying here
Supposing miners are economically rational, they will mine if the value they get from mining (btc + tx fees) outweighs the costs (capital + electricity). Whatever the price of btcs happens to be and whatever the transaction fees happen to be, miners will enter or exit the market until rough parity is achieved. If it's a loss-making exercise then miners will leave until the difficulty reduces and it becomes neutral again. If there are large profits available then miners will enter the market until the difficulty increases and the profits disappear.
One corollary of this is that it becomes effectively free (cost of epsilon in the limit epsilon->0) to build up an arbitrarily large network of miners, as long as you do this slowly. You add an extra node, the difficulty becomes epsilon higher, some other miner decides to leave as it's no longer economically viable and then the difficulty reverts to the previous level. In summary, each additional node is self-funding so it doesn't cost anything. Rinse, repeat, until you've eventually replaced all the nodes with your own nodes.
So, it's (almost) free to build a network with >50% of the comp power, at which point you can tell your mining network to allow you to double spend. It will only allow a double spend to exist for a finite period of time before it gets reorganised, but there's no upper bound on this time. You only need to make it force enough confirmations (6?) that your counterparty accepts your double-spend as a valid transaction.
There are a lot of simplifications in the outline above - you have to account for hardware costs as well as electricity which complicates the calculations as you have to amortize, some people will have access to better technology or cheaper electricity, some people will mine for non-economic reasons and so on.
But the general argument is strong - whatever the incentives are for a normal person to mine, a crook will have the added incentive of eventual double spends. Eventually economic gravity will take hold and the crook will take over the network.
Are there any real proposals for countering this problem?
Supposing miners are economically rational, they will mine if the value they get from mining (btc + tx fees) outweighs the costs (capital + electricity). Whatever the price of btcs happens to be and whatever the transaction fees happen to be, miners will enter or exit the market until rough parity is achieved. If it's a loss-making exercise then miners will leave until the difficulty reduces and it becomes neutral again. If there are large profits available then miners will enter the market until the difficulty increases and the profits disappear.
One corollary of this is that it becomes effectively free (cost of epsilon in the limit epsilon->0) to build up an arbitrarily large network of miners, as long as you do this slowly. You add an extra node, the difficulty becomes epsilon higher, some other miner decides to leave as it's no longer economically viable and then the difficulty reverts to the previous level. In summary, each additional node is self-funding so it doesn't cost anything. Rinse, repeat, until you've eventually replaced all the nodes with your own nodes.
So, it's (almost) free to build a network with >50% of the comp power, at which point you can tell your mining network to allow you to double spend. It will only allow a double spend to exist for a finite period of time before it gets reorganised, but there's no upper bound on this time. You only need to make it force enough confirmations (6?) that your counterparty accepts your double-spend as a valid transaction.
There are a lot of simplifications in the outline above - you have to account for hardware costs as well as electricity which complicates the calculations as you have to amortize, some people will have access to better technology or cheaper electricity, some people will mine for non-economic reasons and so on.
But the general argument is strong - whatever the incentives are for a normal person to mine, a crook will have the added incentive of eventual double spends. Eventually economic gravity will take hold and the crook will take over the network.
Are there any real proposals for countering this problem?
Subscribe to:
Posts (Atom)