Squeezing utility from a proof-of-work experiment
Where decentralized consensus technology can and can not add value?
What real problems does it solve?
What assumptions does it make about the world?
Against what threats/scenarios/problems does it protect?
How you could implement securities issuance, derivatives processing or even fiat-payments on top of it?
Differences between a trusted network and untrusted?
Are blockchains being built in a vacuum?
What are the total costs of operating them?
Ferdinando Ametrano: “Hayek Money: The CryptocurrencyPrice Stability Solution”
“Price Stability Using Cryptocurrency Seigniorage Shares”
Massimo Morini: “Investor/Saver Wallets and the Role of Financial Intermediaries in a Digital Currency”
Byron Gibson: Dual currency Beta/Gamma solution, tx rate as blockchain-intrinsic money demand proxy (unpublished)
Dominic Williams: Pebble (forthcoming)
Robert Sams: “A Note on Cryptocurrency Stabilisation: Seigniorage Shares”
Meher Roy’s IoM proposal A Decentralized Exchange
Protocol (DEP) for exchanges between 2 ledgers
A Real Time Gross Settlement Protocol (RTGSP) for transfers between 2 ledgers
A Deferred Net Settlement Protocol (DNSP) also for transfers between 2 ledgers
Recall that: ◦ “Cryptocurrency” – a type of asset (commodity, currency)
Digicash, Flooz, Beenz
◦ “Decentralized consensus” – is a “voting” process used by Bitcoin and others
The Bitcoin proof-of-concept fuses scarcity onto a nominally trustless ledger (“watermarked” to be more than a currency)
This has led to other proposals (dubbed “2.0”) which include: Asset tracking / management (via “smart contracts”)
Trustless Multiparty Monetary Computation
Notary services
Consensus as a service / Crypto ledger as a service (CaaS / CLaaS)
Bitcoin and its derivatives use hash-based proof-of-work
Many others are attempting to build other alternative consensus enforcement mechanisms that are less capital intensive, including proof-of-stake (POS)
In practice, most, if not all pure POS system end up centralized but that has not stopped proposed solutions such as DPOS [Note: not an endorsement]
Top 2 platforms through 2014 are:◦ Ripple (Stellar used a similar consensus ledger)
◦ Counterparty (also has spin-off called “Medici”)
NXT (problems found by Garzik?)
Mastercoin (little traction relative to XCP)
Bitshares (Invictus)
Open Transactions (not fully released)
Coloredcoins (Coinprism, Chromaway)
Ethereum (Proof of Stake?) Tezos (POS) Tendermint (POS, DC ledger) Pebble (Proof of Processing, DC ledger) Nimblecoin (Merged Mining) Eris (blockchain-esque) Factom, formerly Notarychains (POE/MSC) SKUChain (DPOS/DPOW) Hyperledger (PBFT) Filecoin (~Bitcoin, see also Permacoin) Treechains/Sidechains/PeerNova Several “stealth” projects (Vpal, Zerocash)
Cross Border Settlement / B2B international transfers◦ Rebuilding SWIFT (PayWise)◦ Can use a blockchain/CaaS to move in seconds/minutes◦ Biggest challenges are liquidity/settlement with market
makers as well as compliance in jurisdictions
Central clearing (e.g., derivative clearing)◦ Prime case for “multi-party payments” and
netting/clearing. Could be on a ledger (autonomous) but if participants “fail” then move to centralize the credit risk which was the purpose of CCPs in the first place
◦ Complying with existing laws such as Dodd-Frank are a hurdle/challenge
Mortgages◦ The ability to have a vehicle that can be used equally by
many parties and “self execute.” It need not be block chain if a single bank is trusted. Hence powerful only really when banks (the lenders) or new 3rd party is not trusted to fairly register say installment payments. May be more relevant for CDOs.
CDO/CLO/CMO/ABS◦ Smart contracts based on assumption that banks are not to be trusted to pass on all cash
flows received in the “waterfall.” Alternatively, build competing platforms where you set up “smart contract” (special purpose vehicle) that automatically pay through waterfall. Problem is on enforcement of loans in case of non-payment.
Collateralized / Guaranteed Lending◦ A bank, borrower and potentially a 3rd party providing collateral or guarantee. Though
without identity, credit checks/worthiness the promise of decentralization may not do much.
Letter of Credit ◦ Multiple parties involved, trust is low, cost is high. Incumbents are strong, little incentive
to change, requires central changing (with “crossing the chasm” problem) and most importantly multiple jurisdictions.
Crowd Funding◦ Borrowers may request money on multiple platforms but also making investment fungible.
Challenges involve legal constraints such as SEC regulations.
Better uses of blockchains/CaaS: ◦ Business lines such as Investment Banking/Corporate Banking/Private
Banking/Retail Banking/Micro Lending
◦ Securities issuance
◦ Escrow accounts
◦ Factoring / Trade finance
◦ Consumer lending (car loans)
Note dependencies: immediate readiness, core bank vs ancillary, legal enforceability
Not so much: ◦ POW based blockchains and nominally decentralized mining as it relates to
anything requiring fast settlement such as ISDA derivatives (CCP) and securities trading due to latency
Xeroclear (forthcoming from Robert Sams’ team)
Eris (Preston Byrne-led team unveiling December 17)
Hyperledger (early beta)
Medici (uses Counterparty, early beta, assuming it is not based on Bitcoin)
Other consensus ledgers (Ripple/Stellar via Codius/Trustlines) Stellar had a forking issue recently (new version Q1 from David Mazières)
Other proof-of-stake protocols Tezos, Purchasechain (from SKUChain), Tendermint, Ethereum (based on
Serpent POC), DPOS from Invictus
Other solutions (Pebble, Blockstream)
Ladislaus Bortkiewicz studied the number of soldiers killed annually by horse kicks of 10 corps in Prussian cavalry over 20 years
Question:
‘In most years in most corps, no one dies from being kicked; in one corp in one year, four men were kicked to death. Does this mean something was amiss in this particular corp?’
No, just unlucky
Bitcoin uses an inhomogenous Poisson process for block discovery
Make it artificially expensive for people to cast “votes” for a consensus
The necessity to make casting “votes” in the consensus artificially high since we cannot know who is participating in the “vote” (e.g., it is an untrusted network)◦ E.g., it costs you $1 million to undo a $1 million of value
The cost of an attack where someone tries to mess with the consensus is equal to 0.5*MC (marginal cost)
Brute force (by hashrate) the Maginot line (in theory) is roughly $2.55 billion today
In practice cost several orders less to successfully attack and impact (e.g. out-of-band)
Arriving at distributed consensus (Dijkstra prize) and simultaneously preventing Sybil attacks require an investment level (capex/opex) that is different than traditional centralized solutions
“Frontal assault” attack vectors in blockchains theoretically make it expensive to overturn and compromise as – at least in 2009 – no single-point-of-failure
Centralized solutions, while providing faster confirmations and lower up-front economic costs, have trade-offs:
Pro: Trusted networks do not require same (if at all) type of Sybil protection
Con: Social factors have leveraging abilities, single-points-of-failure, easier to collude
Between July 2010 and July 2014 lower bound cost estimate for Bitcoin mining was $764 million◦ Upperbound 2-3x due to
externalities primarily from botnets and “cycle” theft
Seigniorage went to miners and therefore into utility companies and semiconductor fabrication instead of maintaining purchasing power stability or software development
What we have today is not Bitcoin circa 2009◦ Finality is no longer final (‘reversibility’ has
occurred) “Rolling back” transactions (e.g., March 2013
fork), taint/validation Can happen with alts too, see Vericoin TTP and freezing of assets “Trust” used 11 times in main body of WP but
in practice consumer behavior trends towards continual reliance of TTP
Mediation and transaction costs add costs to a network with already high opex
“A $700 million payments network that is rarely used for payments”
ArtForz de-decentralized mining via GPU (summer 2010) led later to ASIC scaling
Real S-curve due to fabrication; hashrate will eventually taper off even if market value quadruples from current level
Assumes that ASICs will improve incrementally every day to deliver 2x more hashing every 2 years (untrue)
Predict that the power consumption per hash will reduce by 50% in the same 2 years (untrue)
“Be your own” textile factory or data center did not occur with commoditization of those tools, may not here
65% drop in token value reduces incentive to add more capex
Marginal increase in performance from fabrication generation
E.g., performance leap from 130nm to 65 much larger than 40 to 20
‘As the features get smaller then transistor sizing no longer dominates and the scaling doesn't hold the same way’
Sams: Because txsexist within blocks, which are scarce resource that are financed via seingiorage, in order to calculate the cost of a single tx you have to include the total cost of hashing a block
~$15 as of today
Long-term theory: it costs a bitcoin to make a bitcoin
Zhou: Slowdown shows that the amount of mining hardware being added onto the network by profitable miners are nearing equilibrium with the amount of mining hardware being taken off the network by now unprofitable miners
ASICs hitting a saturation point in the network where for a lot of miners the marginal cost of producing a bitcoin is now equal to or above the price of a bitcoin
The network generates about 62 fewer blocks / day than last October◦ Flip side: this is equivalent to 1550 BTC
less influx in bitcoin supply per day which means less selling pressure in the market
June 2014, Kerem Kaskalogluillustrated the “ideal scenario” of the seamless switch from block rewards (seignioragesubsidy) to transaction fees (donations)
As of December 2014, the very opposite has occurred, fees to miners has declined which is “not ideal”
Leads to “dark hashing inventory” after block halving
Despite a 10x decrease in “fees” and 4x increase in merchants in 2014, there has not been a corresponding amount of commercial activity◦ Retail commerce transactions likely represent less than 20% of all transactions
Majority of bitcoin holders are acting rational:◦ Either ‘underwater’ on previous purchases◦ Expect the value of the token to appreciate beyond the short term utility
gained from using a bitcoin (e.g., low time preference)◦ Other reasons and explanation of on-chain activity on Slide 45
Based on this pattern of consumer behavior it is unlikely that on-chain transaction volume will be able to replace seigniorage to incentivize mining
In any given week, Poisson process effectively “delays” one block to over an hour confirmation
Later as block space becomes scarcer, delay becomes problematic for time sensitive financial instruments
Dave Hudson may have incentive compatible solution, Blockstreamdoes not (yet) publicly
Hudson: Due to variance in rewards, rational activity is to pile on the largest pools for higher probability of reward (regular, steady ROI)
Also lowers orphan rate
YG: China farms ~$450 per TH/s ◦ Takes about 5-6 months to breakeven at current difficulty (0.377 BTC / month) once operating costs
taken into account ($44/month of electricity, administration, maintenance, etc.)◦ On the face of it, rational actors would turn off machines and just buy coins on open market
But other factors:
1. Sunken costs (fallacy): they put the money down awhile ago 2. Converting RMB to USD at no limitations (e.g., capital controls)
◦ They may do this even at a lost because it may be cheaper than converting RMB to USD
3. Believe the price of coins will go up, “but there won't be any more coins”◦ Makes sense due to lack of transparency at China-based exchanges, doesn’t leave paper trail
4. Tax reasons: Bob can justify buying a bunch of computer related parts and report this without a problem to the boss/government, but Bob can't receive permission to directly buy bitcoins
5. Relatively cheap land / labor and the factories assembling the miners themselves are located in China, giving Chinese miners advantage in terms of lead-time
Note: with hashrate forensics it is unlikely that Chinese miners represent more than 40% as of this presentation
Because of increased centralization much easier to use other techniques to disrupt participation◦ Blatant bribery / hacking of pool◦ ‘An attacker can sniff the cleartext
credentials in the “mining.authorize” message, credentials may be used elsewhere across the internet and may lead to account compromise’
◦ Canadian router hacked via Border Gateway Protocol fooling miners ($84k)
(Nearly) all large mining farms and pools are known, making them vulnerable to social pressures including “censorship” (see OP_RETURN and Eligius)
Bitcoin Relay Network (propagation is nominally decentralized)
◦ Hudson: On any given day mean block size is in the range of 300 - 400 KB, a much smaller number (~5%) that are nearly full
◦ Once block size is increased or “floated” this will continue to require more bandwidth
Mining rewards Some pools like Eligius payout directly from coinbase
reward creating extra transactions
Mixing / laundering of funds CoinJoin / CoinShuffle / DarkWallet / SharedSend
Blocksign / Proof of existence P2SH (multisig) Counterparty (XCP) and Mastercoin (MSC)
Crowdsales on these platforms (e.g., ‘Gems’ sale)
OP_RETURN Chromaway and Coinprism Advertisement spam (see pics)
Since no one actor owns the blockchain to restrict “spam” or “bloat”
Creation of “dust” level (546 satoshi) and preliminary discussion of “censorship”
‘Created in 2012 to let a spender create a pubkey script containing a hash of a second script, the redeem script’
January 2014: 0.014% of all bitcoins are stored using P2SH
December 2014: 5.45%
Reasons why:◦ USMS (Bitcoin Investment Trust), Xapo
and Ripdice (?) recently switched to P2SH for cold storage Note: Counterparty uses “old school”
method of multisig
Metaprotocols that utilize and sit on top of Bitcoin blockchain provide disproportional rewards◦ XCP/MSC are effectively piggy backing and
free riding off seigniorage rewards◦ Also happens with colored coins and
Dogeparty◦ E.g., Apple shares (total market cap = $675
billion USD) issued as metacoin. Will Bitcoin security suffice to keep the market in Apple shares trading secure?
In long run, miners are probably not destroying enough capital to ultimately secure metacoin assets, making the network less secure
Because of the continual volatility of coin value (e.g., present-day prices reflect expectations of future demand), this impacts the security of the network long-term and “currency” will likely remain a niche
Coupled with mining centralization (due to Poisson process), which also creates vulnerabilities and attack vectors, make it less than optimal application for property tracking and securities
As an institution you care about something that works for more than 5-6 additional years: you do not want to have to worry about the integrity of your financial instruments
Permissionless consensus ledgers maintained by miners lack any governance structure, incompatible with financial regulation (see European Banking Authority report)
Thus the current Bitcoin protocol is probably not an immediate threat to most G10 banks or financial institutions
Perhaps “2.0” might be able to finish what Bitcoin started
◦ Thanks to the following individuals for their data and constructive feedback:
Dave Babbitt, Anton Bolotinsky, Richard Brown, “Dexx,” YG, Dave Hudson, Izabella Kaminska, Jeremy Lam, Mikkel Larsen, David Lee, Jonathan Levin, Atif Nazir, Meher Roy, Robert Sams, David Shin, Koen Swinkels, Ernie Teo, Simon Trimborn, Jack Wang, John Whelan
Research conducted in collaboration with the Sim Kee Boon Institute for Financial Economics in Singapore
The variability (Poisson process) of hash-based proof of work (POW) along with the current block reward model and KYC/AML make the current Bitcoin blockchain – and those that are similar – not necessarily a good candidate for a property / ownership tracking system
They may be okay for certain applications and may still grow beyond current niches
Useful innovations that will come from this space and not dependent on POW or blockchain:◦ Multisig / Keyless trading / Proof of reserves
◦ Trustless Multiparty Monetary Computation (‘Smart contracts’)
Note: some proposed applications can probably be done with an Oracle
◦ Other types of consensus models (Consensus-as-a-service)
An emerging trend: people sign the coinbasetransaction to gain “transparency” and answer ‘who is getting all this money.’ Does not need to be the case, we do not need to know. Courts do?
US CRS as of July 15, 2014, “Bitcoin daily transaction volume [in 2014] fluctuated in a range of between $40 million and $50 million, representing between 40,000 to 80,000 daily transactions
Visa averages around $16.5 billion per day, “with an average number of daily individual transactions of near 24 million”
These ratios will continually change over time but the claim that Bitcoin is currently more efficient – in terms of what the native protocol can do – does not hold up to empirical evidence
Fully validating nodes:◦ September 2011 – 13,000
◦ May 2012 – 3,000
◦ November 2012 – 4,000
Another increase then decrease:◦ Early March 2014 – 10,000
◦ April 2014 – 8,000
◦ Flat last three months and as of December 2014 - 6,800
Increased bandwidth / hard drive space requirements◦ In April 2013, compressed blockchain was 9 GB
◦ December 2014 it is 25 GB
195 GB uncompressed & indexed (Chain.so)
250 GB uncompressed & indexed (Toshi)
Someone has to pay for this, resources are not free
Public goods problem: how to incentivize the externalization of propagation and verification?
Proposed: “Adopt-a-node” which is donation driven
If implemented with specific manufacturing partners, could move the ecosystem back towards “trusted hardware” and a single point of failure
Billed as allowing one person to own hardware at one time (e.g., prove ownership of specific hardware within a farm or pool)
Ironically if this happens, Bitcoin will have inadvertently invented something akin to Hyperledger
"The companies which disclose their hashing power could be awarded a 'Trusted Transparency' sign, the quality and transparency award, so to speak. This will help recognize the companies that openly disclose their numbers and will alleviate the 51% threat.”
Valery Vavilov, CEO of BitFury
Agent-based modeling results using historical data
According to Ernie Teo (2014):
◦ The results are consistent with the original simulation
◦ We observe a steep drop in miners recently due to the large jumps in difficulty
◦ Mining pools will become dominant if this continues
◦ The network becomes centralized as a result