Bitcoin, crypto, design

2011 essay on how Bitcoin’s long gestation and early opposition indicates it is an example of the ‘Worse is Better’ paradigm in which an ugly complex design with few attractive theoretical properties compared to purer competitors nevertheless successfully takes over a niche, survives, and becomes gradually refined.

finished ⁠certainty: likely ⁠importance: 8 ⁠backlinks⁠ ⁠bibliography⁠

• Pre-Requisites
• Dates
• Delay
• Impractical?
• Contemporary Objections
• Cryptographers’ Objections
• Aesthetics
• How Worse Is Better
• Objection: Bitcoin Is Not Worse, It’s Better
• See Also
• External Links
• Appendix
• Irreversible Transactions: Meta-Scams
• Footnotes
• Backlinks
• Bibliography

The genius of Bitcoin⁠, in inventing a digital currency successful in the real world, is not in creating any new abstruse mathematics or cryptographic breakthrough, but in putting together decades-old pieces in a semi-novel but extremely unpopular way. Everything Bitcoin needed was available for many years, including the key ideas.

The sacrifice Bitcoin makes to achieve decentralization is—however practical—a profoundly ugly one. Early reactions to Bitcoin by even friendly cryptographers & digital currency enthusiasts were almost uniformly extremely negative, and emphasized the (perceived) inefficiency & (relative to most cryptography) weak security guarantees. Critics let ‘perfect be the enemy of better’ and did not perceive Bitcoin’s potential.

However, in an example of ‘Worse is Better’, the ugly inefficient prototype of Bitcoin successfully created a secure decentralized digital currency, which can wait indefinitely for success, and this was enough to eventually lead to adoption, improvement, and growth into a secure global digital currency.

hat is the great accomplishment of the idea of Bitcoin? In discussing Bitcoin’s recent rise to $11$82011/₿ in 201113ya, many have been wondering who is the real man under the Satoshi Nakamoto⁠ mask; a hard question—how many genius libertarian cryptographers are there? But the interesting thing is, Satoshi could be anybody, and I believe this gives us an interesting clue to how Bitcoin has been able to bootstrap itself from nothing.

Satoshi could be anybody, Bitcoin involves no major intellectual breakthroughs of a mathematical/cryptographic kind, so Satoshi need have no credentials in cryptography or be anything but a self-taught programmer!

Pre-Requisites

Satoshi published the first public version of his white paper on ⁠2008-11-01⁠ after earlier private discussions⁠⁠1⁠ and the whitepaper⁠ was further edited afterwards, but if you look at the cryptography that makes up Bitcoin, they can be divided into:

• Public key cryptography⁠⁠2⁠
• Cryptographic signatures
• Cryptographic hash functions
• Hash chain used for proof-of-work
1. Hash tree
2. Bit gold⁠
• cryptographic time-stamps
• resilient peer-to-peer networks

Dates

So the first answer to Why Now? is simply ‘Because it’s time.’ I can’t tell you why it took as long for weblogs to happen as it did, except to say it had absolutely nothing to do with technology. We had every bit of technology we needed to do weblogs the day Mosaic⁠ launched the first forms⁠-capable browser. Every single piece of it was right there. Instead, we got Geocities⁠. Why did we get Geocities⁠ and not weblogs? We didn’t know what we were doing.

Clay Shirky⁠ (“A Group Is Its Own Worst Enemy”⁠, 200321ya)

The interesting thing is that all the pieces were in place for at least 8 years before Satoshi’s publication, which was followed more than half a year later⁠⁠3⁠ by the first public⁠⁠4⁠ prototype. If we look at the citations in the whitepaper and others, and then order the relevant technologies by year in descending order:

1. 2001: SHA-256⁠ finalized
2. 1999–present: Byzantine fault tolerance⁠ (PBFT etc.)
3. 1999–present: P2P networks⁠ (excluding early networks like Usenet⁠ or FidoNet⁠; ⁠MojoNation⁠ & BitTorrent⁠, Napster⁠, Gnutella⁠, eDonkey⁠, Freenet⁠, i2p⁠ etc.)
4. 1998: Wei Dai, B-money⁠⁠⁠5⁠
5. 1997: HashCash⁠; 1998⁠⁠6⁠: Nick Szabo, Bit Gold; ~2000: MojoNation/BitTorrent; ~2001–2200321ya, ⁠Karma⁠, etc
6. 1992–199331ya: Proof-of-work for spam⁠⁠7⁠
7. 1991: cryptographic timestamps⁠
8. 1980: public key cryptography⁠⁠⁠8⁠
9. 1979: Hash tree⁠

This lack of novelty is part of the appeal—the fewer new parts of a cryptosystem, the less danger⁠⁠9⁠. All that was lacking was a Satoshi to start a Bitcoin.

Delay

But with the benefit of this hindsight, one can wonder—why this delay?⁠⁠10⁠

If the idea is (relatively) easy to understand and uses basic ideas⁠⁠11⁠, if it is very far from the cutting-edge of cryptography⁠⁠12⁠, then there’s no reason it would not be seriously tried. Certainly the cypherpunks⁠ of the ’90s were wildly creative, inventing everything from Cypherpunk⁠/Mixmaster⁠ to ⁠MojoNation⁠ to assassination markets⁠ to data havens⁠ (memorably depicted in Cryptonomicon⁠). We have already seen 2 of their proposed cryptocurrencies, and proof-of-work was one of the most common proposals to deal with the rising tsunami of spam⁠⁠13⁠. Why did Bitcoin take a decade to be born? The problem of timing⁠ nags at me—similar to the historical question of why England experienced the Industrial Revolution and grew to empire, and not China, which seems better equipped in every respect⁠⁠14⁠. Where does innovation come from⁠? There must be an answer. (And it may be similar to VR.⁠⁠15⁠)

Impractical?

Is the problem one of resources? In the whitepaper, Satoshi remarks:

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 200816ya, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

That’s fine to say in 200816ya, after many doublings. Would memory be a problem in the 1990s? It doesn’t have to be. The difficulty of bitcoin mining is adjustable, so the problem boils down to:

1. disk usage
• With a smaller hash like SHA1⁠⁠16⁠, the 80 bytes can be shrunk
• 10 minutes is not graven in stone; why not 20 minutes? Right there we have halved the transaction overhead
• the hash tree can be ‘garbage collected’ and shrunk⁠⁠17⁠
• it is only necessary to maintain a full hash tree if one is paranoid.

In practice, like many programs of the era such as mail or Usenet clients, the default could simply be to hold onto the last n blocks/hashes (Satoshi estimates ⁠12kb/day⁠); this would consume a limited amount of disk space.

2. network connectivity is solvable by solutions to #1
1. A function of the existing hash tree size
2. And frequency of new transactions

It’s worth pointing out that it’s generally expected that at some point ordinary desktop users like you or me are expected to stop being full-fledged nodes and bitcoin miners and will instead make use of some specialist service running powerful servers of its own; in a counterfactual universe where Bitcoin was begun in the early 1990s, the changeover would simply have occurred sooner. (And with all the investment money desperately investing in the first Internet bubble, it would be quite easy to start such a service regardless of the technical demands.)

Contemporary Objections

As well, few of the objections to cryptocurrencies seem to have been “computers which can run it are fantastically expensive”⁠⁠18⁠. In computing, applications and techniques are often invented many decades before Moore’s law makes them practically useful⁠⁠19⁠, but this does not seem to have happened with Bitcoin. A similar objection obtains with patents or published papers; if Bitcoin was a known idea, where are they? I have yet to see anybody point out what patents might have deterred cryptography researchers & implementers; the answer is that there were none. Because there was no investor interest? Not that Satoshi needed investors, but there were a tremendous number of online payment services started in the ‘90s, each searching for the secret sauce that would let them win ’mindshare’ and ride ‘network effects’ to victory; DigiCash⁠ again comes to mind. Even in the ’90s, when the Internet seems embryonic to us of the 2010s, there were still many millions of people on the Internet who could have used a digital cash.

So if the basic idea is accessible, and it’s useful on consumer-grade hardware for the last 20 years or so, then what’s the problem?

Cryptographers’ Objections

I think it’s instructive to look at Satoshi’s ⁠ANN thread⁠ on the Cryptography newsgroup/mailing list; particularly the various early criticisms:

• ⁠disk/bandwidth won’t scale⁠⁠⁠20⁠

Satoshi’s ⁠response⁠ was that he expected most Bitcoin users to eventually become second-class citizens as they switched to the thin client⁠ scheme he outlined in the whitepaper for only keeping part of the blockchain and delegating storage to the real peers. This doesn’t seem ideal.

• ⁠proposal is under-specified⁠ (omitting all the possible race conditions⁠ and ⁠de-synchronization attacks and scenarios in a distributed system) and details ⁠available only in ad hoc code⁠⁠⁠21⁠
• ⁠conflating transactions with bitcoin creation⁠ requires constant inflation
• it is ⁠very difficult⁠ to achieve consensus⁠ on large amounts of distributed data even without incentives to corrupt it or attacks
• ⁠domination of the hash tree⁠ by fast nodes and starvation of transactions
• ⁠pseudonymity & linkable transactions⁠⁠⁠22⁠ (irreversible transactions also implies ⁠double-spend⁠ must be very quickly detectable)

⁠Nick Szabo⁠ summarizes the early reaction:

Bitcoin is not a list of cryptographic features, it’s a very complex system of interacting mathematics and protocols in pursuit of what was a very unpopular goal. While the security technology is very far from trivial, the “why” was by far the biggest stumbling block—nearly everybody who heard the general idea thought it was a very bad idea. Myself, Wei Dai, and Hal Finney were the only people I know of who liked the idea (or in Dai’s case his related idea) enough to pursue it to any significant extent until Nakamoto (assuming Nakamoto is not really Finney or Dai). Only Finney (⁠RPOW⁠) and Nakamoto were motivated enough to actually implement such a scheme.

As well, let’s toss in some blog posts on Bitcoin by the cryptographer Ben Laurie⁠ and Victor Grischchenko; Laurie particularly criticizes⁠⁠23⁠ the hash-contest which guarantees heavy resource consumption:

1. ⁠“Bitcoin”⁠
2. ⁠“Bitcoin 2”⁠
3. ⁠“Bitcoin is Slow Motion”⁠
4. ⁠“Decentralised Currencies Are Probably Impossible: But Let’s At Least Make Them Efficient”⁠
5. ⁠“Bitcoin?”⁠, Victor Grischchenko

What’s the common thread? Is there any particular fatal flaw of Bitcoin that explains why no one but Satoshi came up with it?

Aesthetics

No! What’s wrong with Bitcoin is that it’s ugly. It is not elegant⁠⁠⁠24⁠. It’s clever to define your bitcoin balance as whatever hash tree is longer, has won more races to find a new block, but it’s ugly to make your network’s security depend solely on having more brute-force computing power ⁠than your opponents⁠⁠⁠25⁠, ugly to need now and in perpetuity at least half the processing power just to avoid double-spending⁠⁠26⁠. It’s clever to have a P2P network distributing updated blocks which can be cheaply & independently checked, but there are tons of ugly edge cases which Satoshi has not proven (in the sense that most cryptosystems have security proofs) to be safe and he himself says that what happens will be a “coin flip” at some points. It’s ugly to have a hash tree that ⁠just keeps growing⁠ and is going to be gigabytes and gigabytes in not terribly many years. It’s ugly to have a system which can’t be used offline without proxies and workarounds, which essentially relies on a distributed global clock⁠⁠27⁠, unlike Chaum’s elegant⁠ solution⁠⁠28⁠. It’s ugly to have a system that has to track all transactions, publicly; even if one can use bitcoins anonymously with effort⁠, that doesn’t count for much—a cryptographer has learned from incidents like anon.penet.fi⁠ and decades of successful attacks on pseudonymity⁠⁠29⁠. And even if the money supply has to be fixed (a bizarre choice and more questionable than the irreversibility of transactions), what’s with that arbitrary-looking 21 million bitcoin limit? Couldn’t it have been a rounder number or at least a power of 2? (Not that the bitcoin mining is much better, as it’s a massive give-away to early adopters. Coase’s theorem⁠ may claim it doesn’t matter how bitcoins are allocated in the long run, but such a blatant bribe to early adopters rubs against the grain. Again, ugly and inelegant.) Bitcoins can simply disappear if you send them to an invalid address. And so on.

The basic insight of Bitcoin is clever, but clever in an ugly compromising sort of way. Satoshi explains in an ⁠early email⁠: The hash chain can be seen as a way to coordinate mutually untrusting nodes (or trusting nodes using untrusted communication links), and to solve the Byzantine Generals’ Problem⁠. If they try to collaborate on some agreed transaction log which permits some transactions and forbids others (as attempted double-spends), naive solutions will fracture the network and lead to no consensus. So they adopt a new scheme in which the reality of transactions is “whatever the group with the most computing power says it is”! The hash chain does not aspire to record the “true” reality or figure out who is a scammer or not; but like Wikipedia, the hash chain simply mirrors one somewhat arbitrarily chosen group’s consensus:

…It has been decided that anyone who feels like it will announce a time, and whatever time is heard first will be the official attack time. The problem is that the network is not instantaneous, and if two generals announce different attack times at close to the same time, some may hear one first and others hear the other first.

They use a proof-of-work chain to solve the problem. Once each general receives whatever attack time he hears first, he sets his computer to solve an extremely difficult proof-of-work problem that includes the attack time in its hash. The proof-of-work is so difficult, it’s expected to take 10 minutes of them all working at once before one of them finds a solution. Once one of the generals finds a proof-of-work, he broadcasts it to the network, and everyone changes their current proof-of-work computation to include that proof-of-work in the hash they’re working on. If anyone was working on a different attack time, they switch to this one, because its proof-of-work chain is now longer.

After two hours, one attack time should be hashed by a chain of 12 proofs-of-work. Every general, just by verifying the difficulty of the proof-of-work chain, can estimate how much parallel CPU power per hour was expended on it and see that it must have required the majority of the computers to produce that much proof-of-work in the allotted time. They had to all have seen it because the proof-of-work is proof that they worked on it. If the CPU power exhibited by the proof-of-work chain is sufficient to crack the password, they can safely attack at the agreed time.

The proof-of-work chain is how all the synchronisation, distributed database and global view problems you’ve asked about are solved.

How Worse Is Better

In short, Bitcoin is a perfect example of Worse is Better⁠ (⁠original essay). You can see the tradeoffs that Richard P. Gabriel enumerates: Bitcoin has many edge cases; it lacks many properties one would desire for a cryptocurrency; the whitepaper is badly under-specified; much of the behavior is socially determined by what the miners and clients collectively agree to accept, not by the protocol; etc.

The worse-is-better philosophy is only slightly different: […]

• Completeness—the design must cover as many important situations as is practical. All reasonably expected cases should be covered. Completeness can be sacrificed in favor of any other quality. In fact, completeness must be sacrificed whenever implementation simplicity is jeopardized. Consistency can be sacrificed to achieve completeness if simplicity is retained; especially worthless is consistency of interface.

…The MIT guy did not see any code that handled this [edge] case and asked the New Jersey guy how the problem was handled. The New Jersey guy said that the Unix⁠ folks were aware of the problem, but the solution was for the system routine to always finish, but sometimes an error code would be returned that signaled that the system routine had failed to complete its action. A correct user program, then, had to check the error code to determine whether to simply try the system routine again. The MIT guy did not like this solution because it was not the right thing… It is better to get half of the right thing available so that it spreads like a virus. Once people are hooked on it, take the time to improve it to 90% of the right thing.

Guarantees of Byzantine resilience? Loosely sketched out and left for future work. Incentive-compatible? Well… maybe. Anonymity? Punted on in favor of pseudonymity; maybe someone can add real anonymity later. Guarantees of transactions being finalized? None, the user is just supposed to check their copy of the blockchain. Consistent APIs? Forget about it, there’s not even a standard, it’s all implementation-defined (if you write a client, it’d better be “bugward compatible” with Satoshi’s client). Moon math? Nah, it’s basic public-key crypto plus a lot of imperative stack-machine bit-twiddling. Space efficiency? A straightforward blockchain and on-disk storage takes priority over any fancy compression or data-structure schemes. Fast transactions? You can use zero-conf and if that’s not good enough for buying coffee, maybe someone can come up with something using the smart contract features. And so on.

But for all the issues, it seems to work. Just like Unix, there were countless ways to destroy your data or crash the system, which didn’t exist on more ‘proper’ OSs like OpenVMS⁠, and there were countless lacking features compared to systems like ITS⁠ or the Lisp machine⁠ OSs. But like the proverbial cockroaches, Unix spread, networked, survived—and the rest did not.⁠⁠30⁠ And as it survives and evolves gradually, it slowly becomes what it “should” have been in the first place. Or HTML⁠⁠31⁠ vs Project Xanadu⁠.

⁠Paul Ford⁠ in 201311ya has stumbled onto a similar view of Bitcoin:

The Internet is a big fan of the worst-possible-thing. Many people thought Twitter was the worst possible way for people to communicate, little more than discourse abbreviated into tiny little chunks; Facebook was a horrible way to experience human relationships, commodifying them into a list of friends whom one pokes. The Arab Spring changed the story somewhat. (BuzzFeed is another example—let them eat cat⁠ pictures.) One recipe for Internet success seems to be this: Start at the bottom, at the most awful, ridiculous, essential idea, and own it. Promote it breathlessly, until you’re acquired or you take over the world. Bitcoin is playing out in a similar way. It asks its users to forget about central banking in the same way Steve Jobs⁠ asked iPhone users to forget about the mouse.

But he lacks the “worse is better” paradigm (despite being a programmer) and doesn’t understand how Bitcoin is the worst-possible-thing. It’s not the decentralized aspect of Bitcoin, it’s how Bitcoin is decentralized: a cryptographer would have difficulty coming up with Bitcoin because the mechanism is so ugly and there are so many elegant features he wants in it. Programmers and mathematicians often speak of “taste”, and how they lead one to better solutions. A cryptographer’s taste is for cryptosystems optimized for efficiency and theorems; it is not for systems optimized for virulence, for their sociological appeal⁠⁠32⁠. Centralized systems are natural solutions because they are easy, like the integers are easy; but like the integers are but a vanishingly small subset of the reals, so too are centralized systems a tiny subset of decentralized ones⁠⁠33⁠. DigiCash and all the other cryptocurrency startups may have had many nifty features, may have been far more efficient, and all that jazz, but they died anyway⁠⁠34⁠. They had no communities, and their centralization meant that they fell with their corporate patrons. They had to win in their compressed timeframe or die out completely. But “that is not dead which can eternal lie”. And the race may not go to the swift, as ⁠Hal Finney also pointed out early on⁠:

Every day that goes by and Bitcoin hasn’t collapsed due to legal or technical problems, that brings new information to the market. It increases the chance of Bitcoin’s eventual success and justifies a higher price.

It may be that Bitcoin’s greatest virtue is not its deflation, nor its microtransactions, but its viral distributed nature; it can wait for its opportunity. “If you sit by the bank of the river long enough, you can watch the bodies of your enemies float by.”

Objection: Bitcoin Is Not Worse, It’s Better

Nick Szabo and Zooko Wilcox-O’Hearn disagree strongly with the thesis that “Bitcoin is Worse is Better”. They contend while there may be bad parts to Bitcoin, there is a novel core idea which is actually very clever—the hash chain is a compromise which thinks outside the box and gives us a sidestep around classic problems of distributed computing, which gives us something similar enough to a trustworthy non-centralized authority that we can use it in practice.

Gwern’s post fails to appreciate the technical advances that BitCoin originated. I have been trying, off and on, to invent a decentralized digital payment system for fifteen years (since I was at DigiCash). I wasn’t sure that a practical system was even possible, until BitCoin was actually implemented and became as popular as it has. Scientific advances often seem obvious in retrospect, and so it is with BitCoin.⁠⁠35⁠

Nick Szabo ⁠thinks⁠ that the main blocking factors were:

1. ideological beliefs about the nature of money (liberals not interested in non-state currencies, and Austrians believing that currencies must have intrinsic value)
2. obscurity of bit gold-like ideas
3. “requiring a proof-of-work to be a node in the Byzantine-resilient peer-to-peer system to lessen the threat of an untrustworthy party controlling the majority of nodes and thus corrupting a number of important security features”
4. some simplification (not markets for converting “old” & harder-to-mine bitcoins to “new” & easier-to-mine bitcoins, but a changing network-wide consensus on how hard bitcoins must be to mine)

My own belief is that #1 is probably an important factor but questionable since the core breakthrough is applicable to all sorts of other tasks like secure global clocks or timestamping or domain names, #2 is irrelevant as all digital cryptographic currency ideas are obscure (to the point where, for example, Satoshi’s whitepaper does not cite bit gold but only b-money, yet Wei Dai does not believe his b-money actually influenced Bitcoin at all⁠⁠36⁠!), and #3–4 are minor details which cannot possibly explain why Bitcoin has succeeded to any degree while ideas like bit gold languished.

Backlinks for ⁠“Contemporary Objections”⁠:

• Timing Technology: Lessons From The Media Lab⁠ (⁠full context⁠):

⁠[backlink context]

See Also

• Silk Road 1⁠ (use and economic philosophy of the Silk Road 1 marketplace)
• Cryptographic Timestamping of Files⁠
• Copyleft⁠
• Gall’s law⁠
• The Scaling Hypothesis⁠ (another unpopular brute-force paradigm)

External Links

• ⁠Original essay⁠ published on Bitcoin Weekly (7 comments)
• Reddit discussion: ⁠1⁠/⁠2⁠/⁠3⁠
• Hacker News discussion: ⁠1⁠, ⁠2⁠, ⁠3⁠
• “What Satoshi Did Not Know”⁠, Gavin Andresen2015
• ⁠“Bitcoin Theory (Byzantine Generals and Beyond)”⁠
• “Bitcoin: A Little Slice of Future Shock”
• ⁠“Squaring the Triangle: Secure, Decentralized, Human-Readable Names” (Aaron Swartz)
• ⁠“Nick Szabo: The Computer Science of Crypto-Currency”
• ⁠“Money, blockchains, and social scalability”⁠ (Nick Szabo)
• “A Prehistory of the Ethereum Protocol”⁠ (Vitalik Buterin)
• ⁠“Bitcoin—The Andromeda Strain of Computer Science Research” (Steven M. Bellovin)
• ⁠“The Eureka Moment That Made Bitcoin Possible: A key insight for the technology came to a physicist almost three decades ago at a Friendly’s restaurant in New Jersey”⁠
• ⁠“Grow-up and grow-down technologies”
• “Bitcoin bites the bullet: Some of its most puzzling tradeoffs explained”⁠
• ⁠“What’s Really Driving the Cryptocurrency Phenomenon?”, Dannen2018
• Butler Lampson on the WWW⁠

Appendix

Irreversible Transactions: Meta-Scams

The irreversibility of Bitcoin transactions makes for some unusual dynamics in exchanges, along with the entire altcoin ecosystem (probably the most interesting altcoin scam to me was the ⁠Bytecoin scam+anonymity innovation). I learned of an interesting example in May 201311ya, when a ⁠Reddit post⁠ introduced me to a Tor hidden site which offers you double your money back if you send it some bitcoins. A scam, right? Well, it is a scam, but it’s not quite the scam it looks like…

To start, there is a comment from someone claiming that they tried it and the way the scam worked was that it doubled your money the first time you sent it some bitcoins, but then kept anything you sent it subsequently; the idea being that the first transaction will be a ‘test’ by suspicious users, who will then send a ‘real’ transactions which can be stolen in toto. Specifically:

Oh dude. I actually tried this like 5 Days ago. I sent 0.5btc and got one back, so technically it works. However, when I sent my 1btc back (and emailed the guy about it) he kept it and didn’t respond at all. So it’s a scam, obviously, but the way it works is kind of interesting in that it actually works the first time, to lure you in and send even more. EDIT: I SHOULD PROBABLY ADD: DON’T SEND MONEY TO THIS GUY

This is reasonable enough—ponzis are careful to allow withdrawals early on, and runners of ponzis, like the classic 200618ya “Currin trading” EVE Online⁠ ponzi scheme (⁠part 1⁠, ⁠2⁠), record how people would do 1 or 2 test transactions and then deposit large ‘real’ sums with the ponzi.

Except… the person claiming it worked for them is an unused account, and so are the people expressing skepticism of him! It gets more interesting when you note that the scam as claimed is trivially exploitable (or scammed) by anyone who knows how it works (send a large amount the first transaction, and never send again), and more interesting still when you remember that Bitcoin transactions are public and so the first commenter could have partially proven that the scam worked as they claimed it worked for them yet has not provided any evidence despite being challenged to do so and given 9 days’ grace, and finally, we see 2 Redditors sending in token amounts and claiming they received nothing back.

So what are we looking at here? I can’t know this for sure, but this is what I think is going on.

We are looking at a meta scam: the scam is that you think it’s a scam that you can scam, but you get scammed as you try to scam the scam. The original scammer puts up a scam website, makes 4 shill accounts to claim it works and lay out the rules—send it X it sends you 2X back, and then the second time it keeps your money when you presumably sent it 2X+Y—but actually, the site simply keeps any money sent to it, and so the people who planned to scam the scam wind up being scammed.

If we think of deception as having levels, this is a little confusing; but the site will either return your money or not. The first level is that the site works as it claims: it returns your money, it doubles any money you send it. (This is understood by anyone who can read the page.) The second level is that level 1 is a lie: it does not return your money, it simply steals any money you send it. (This is understood by anyone with a brain who has read the page.) However, then we get to a third level: level 2 is not quite right, the site will either return your money or not, depending on how many transactions you’ve done—the site is a scam which will steal your money, but it will do so only after 1 successful transaction. (Understood by anyone who reads the Reddit comments and blindly trusts them.) The fourth level, the level originally above mine until I became more suspicious, is that level 3 is a lie too, and actually, level 2 was the real truth—the site simply steals your money.

Phew! How fascinating! Honestly, I almost feel like sending the dude a buck or two just for implementing such an interesting little scam for me to think about, although he could’ve done it a bit better and shuffled some bitcoins around on the blockchain 7 days in advance to match his shill account’s claims. (He didn’t invent the meta-scam, however, since it seems to have precedents like in ⁠Runescape⁠ as the ⁠“doubling money scam”⁠.)

An even more recent (2018) Ethereum⁠-based scam exploits Ethereum’s ‘gas’ transaction fees and smart contracts: the scammer pretends to accidentally post publicly in a chat room his private key to an address with a large amount of some asset in it and a smart contract, but the address happens to have insufficient ‘gas’ to allow immediate withdrawal; everyone stampeding to withdraw the asset has to send some gas to the address first to unlock it… except that smart contract, which they didn’t have time to inspect closely, merely receives all gas deposits & immediately transfers them away to another account, so everyone who sends gas loses it and the original assets remain in place.

So in a way, this scam embodies the old saw “you can’t cheat an honest man”⁠⁠37⁠. Well, of course in the real world honest men get cheated all the time, so I prefer to think of it as Nash equilibriums⁠:

‘Nash equilibrium strategy’ is not necessarily synonymous to ‘optimal play’. A Nash equilibrium can define an optimum, but only as a defensive strategy against stiff competition. More specifically: Nash equilibria are hardly ever maximally exploitative. A Nash equilibrium strategy guards against any possible competition including the fiercest, and thereby tends to fail taking advantage of sub-optimum strategies followed by competitors. Achieving maximally exploitative play generally requires deviating from the Nash strategy, and allowing for defensive leaks in one’s own strategy.

1. bitcoin.org was registered 2008-08-18, so presumably Satoshi had been developing the bitcoin idea at least as early as 200816ya. He refers to working on it earlier than that, but the earliest draft of the Bitcoin whitepaper appears to have been circulated privately sometime before 2008-08-22 when he contacted Wei Dai for comments⁠.
2. Although ⁠Bonneau & Miller2014⁠ describe a cryptocurrency design using just cryptographic hash functions (with commit-and-reveal) without any need for public key cryptography and pointedly note that “Bitcoin itself is something of a curiosity from an academic standpoint in that it was discovered decades after the requisite cryptographic primitives were available. Our work shows that it was in fact possible even before the discovery of public-key cryptography.”
3. The first revision in the Github repository⁠ is dated August 200915ya by sirius-m.
4. Satoshi claims that before he write the whitepaper, he ⁠wrote a prototype⁠.
5. In the same vein of ‘the network is a third party which keeps a copy of all signed transactions’, you could include Ian Grigg’s 200519ya paper ⁠“Triple Entry Accounting”.
6. I had a hard time figuring out when bit gold was first thought of; Szabo ⁠kindly blogged⁠ that he had written about it in 199826ya on a private mailing list
7. “Pricing via Processing, Or, Combating Junk Mail”⁠, , Dwork 199331ya, published in CRYPTO’92.
8. This is Satoshi’s citation date; Diffie-Hellman, the first published system⁠, was in 197648ya, not 198044ya.
9. In cryptography, new parts are guilty until proven innocent. ⁠Hundreds of past systems⁠ have been broken, sometimes after decades of study & use.
10. Another person or group to ask this same question is ⁠Barber2012⁠ (although this essay was posted in early 201113ya, so Barber et al 201212ya may not be entirely independent):
11. I am only a layman with an interest in cryptography, but I am not alone in seeing this lack of really novel primitives or ideas in the Bitcoin scheme; Ben Laurie expresses exactly this idea in an aside in ⁠a blog post⁠ attacking Bitcoin:
12. One thinks of the formidable mathematical difficulties surrounding the area of homomorphic encryption⁠ where one would expect any breakthrough to be from a bona fide genius, or at least a credentialed expert.
13. Although ironically, proof-of-work never seemed to go into widespread use because of general inertia and because to deter large amounts of spam, proof-of-work would also ⁠deter legitimate users⁠ under some models.

Spam seems to have been kept in check by better filtering techniques (eg. Paul Graham’s⁠ ⁠“A Plan for Spam”⁠ using Bayesian spam filtering⁠) and legal action⁠ against botnets & spammers.

14. For more on that history, see Wikipedia on Industrial Revolution#Causes in Europe⁠, Chinese_industrialization#Reasons_for_the_delay_in_industrialization⁠, the Great Divergence⁠; I recommend Gregory Clark’s⁠ A Farewell to Alms⁠.
15. “Voices From A Virtual Past: An oral history of a technology whose time has come again”⁠ (2014):
16. SHA-1, as of 201113ya, had not been cracked in practice⁠; it was defeated in 2017.
17. My understanding is that simply no one has bothered to program this functionality since 400MB is not that much space.
18. Or rather, the objections were that cryptocurrencies had to be mobile—usable on the contemporary PDAs and cellphones, with the computing power of a watch.
19. Garbage collection⁠ and most of artificial intelligence (or machine learning in particular) seem to have waited decades for sufficiently fast hardware. Indeed, I sometimes feel that Alan Kay’s⁠ entire career has essentially been sketching out what he could do if only he had some decent cheap hardware.
20. It probably will. Some⁠ ⁠informal⁠ projections have been made of what it would take to run millions of transactions worth trillions of dollars, and they tend to come in at comparable to the existing resource use of companies like Google (which ⁠fund⁠ ⁠their⁠ own power plants or monopolize convenient ⁠hydroelectric⁠ dams⁠ to run their datacenters).
21. Recent criticism, too, sometimes focuses on the ⁠quality⁠ of the C++ codebase and ad hoc nature of many of the choices; from an ⁠anonymous Facebook comment⁠:

Security expert Dan Kaminsky⁠ is similarly appalled at the bandwidth requirements to scale (“:0” was his emoticon) and predicts that the Bitcoin network will eventually turn into a quasi-bank-like oligarchy of supernodes (which changes the system and “offers a host of ugly semantics” since the supernodes “don’t need 50%—just need to inconvenience 50% to accept your opinion”). He comments that while “Normal Code” seems good but “Scratch the surface, it’s actually really bad”, the Bitcoin codebase “Looks really bad up front” but “Scratch the surface, it’s actually surprisingly good”. The New Yorker⁠ article’s “The Crypto-currency: Bitcoin and its mysterious inventor”⁠:

On a technical basis, he dislikes the use of SHA-256⁠ as opposed to slower time-lock crypto⁠ functions like bcrypt⁠, because SHA-256 “can be accelerated massively with GPUs” leading to GPU shortages and massive hashing disparities between peers, and his slides conclude “BitCoin is actually well designed, if you accept that anonymity and scaling forces the entire present model to be shifted into something that effectively looks like banking”. He reiterated his positive impression of Bitcoin in 201311ya—⁠“But the core technology actually works, and has continued to work, to a degree not everyone predicted.”⁠—and has begun to reconsider some of his earlier criticisms about the resource demands & gradual centralization of nodes. Another testimony to the protocol’s security comes from ⁠TechCrunch⁠:

Bruce Schneier ⁠mentions offhandedly⁠ that “I haven’t analyzed the security, but what I have seen looks good.”

22. Nick Szabo, discussing ⁠Chaumian ecash⁠ (“the greatest simple equation since e = mc2”), comments with almost palpable distaste of a hypothetical system akin to Bitcoin in this respect:

The most widely known, popular, and secure communications mix is probably Tor⁠; a number of flaws have been ⁠found in it over time, and Tor⁠ will never be very secure—it’s fundamentally difficult to impossible to have an anonymizing communications mix which is also near real-time. Some flaws can’t be removed by the Tor network, like the ability of exit nodes to snoop on traffic (as has been done many times, most memorably during the startup of Wikileaks⁠). Communications mixes are usually expensive in resources, so typically only make up a part of an overall network—and the rest of the network leaks considerable information, including in Bitcoin⁠.

These are not necessarily fatal objections from a practical point of view. A simple mix or laundry may well buy one all the anonymity one needs; they can be chained to substantially reduce risks; more elaborate and secure off-blockchain laundries can be constructed using secure multi-party computation⁠; and finally, there is always the hope that someone will figure out how to build upon the existing pseudonymous Bitcoin system to enable genuinely anonymous and untraceable transactions (which may have been accomplished in 201311ya with the proposed ⁠Zerocoin extension to the Bitcoin protocol).

23. ⁠Perry Metzger summarizes Laurie’s approach:
24. Not everyone agrees with me or those initial posters, though; ⁠“Bitcoins create truly democratic policy, followers say”⁠, Canada.com⁠:

From the New Yorker article:

⁠“The Rise and Fall of Bitcoin”⁠, Wired:

More recently, Wei Dai ⁠has said⁠:

25. Computing power is useful because it’s impossible to fake: you either can regularly bruteforce a hash or you cannot, assuming the hash is still secure. But strictly speaking there are other possible unfakeable properties which future digital cryptographic currencies may use; Szabo lists ⁠3 others⁠:

One proposed scheme for Bitcoin is Proof of Stake⁠:

26. ⁠“Decentralised Currencies Are Probably Impossible: But Let’s At Least Make Them Efficient”⁠, Ben Laurie:

Laurie points out that in practice, the Bitcoin community does depend on a centralized authority which periodically passes down ‘blessed’ block-chains—the Bitcoin developers periodically hardwire known-good states of the block-chain into the clients (which of course is a theoretical weakness).

27. Zooko Wilcox O’Hearn, ⁠2013-04-05 (in hidden comments):
28. Chaum pays a price for his systems’ ability to work offline / without directly processing transactions. Don’t take my word for it; see Tim May⁠ in section 12.6.6 of his early ’90s Cyphernomicon⁠ (not to be confused with Stephenson’s⁠ novel⁠):

Further contemporary description can be found in a declassified June 199628ya NSA review, “How to make a mint: the cryptography of anonymous electronic cash”.

The fate of Chaum blind signatures should keep technologists up at night. So many uses for privacy-preserving credentials like proving age or citizenship, and 4 decades of math/R&D later we use… next to none of it, because incentives. (Large entities want knowledge, not proof.)

29. For example, see some of the most recent research I linked in ⁠Death Note: L, Anonymity & Eluding Entropy⁠.
30. The UNIX-HATERS Handbook⁠, which contains many entertaining and often still-applicable descriptions of the fecklessness and sharp edges of Unixes, also contains an extremely funny ‘Anti-Foreword’ by Dennis Ritchie:
31. ⁠“Oral History of Butler Lampson”⁠, 200618ya:
32. Many ⁠anonymous commenters⁠ point this out because it makes Bitcoin smell like some sort of Ponzi scheme⁠ or multilevel marketing scheme⁠:

Or ⁠“The Rise and Fall of Bitcoin”⁠, Wired:

John Robb⁠, ⁠“More Thoughts on Bitcoin”:

Szabo is a little more generous in his explanation of why people were uninterested in Bitcoin-like strategies:

33. Decentralized systems are usually convertible into centralized systems easily, while the converse is not true. (Much like parallel⁠ versus serial programming—to make a parallel program serial, just insert a lot of blocking⁠.) For a simple example, consider cases where n = 2: imagine a BitTorrent⁠ swarm (a decentralized system) with one seed and one leech. Or take Distributed Revision Control Systems⁠ like Darcs⁠ or Git⁠; it’s a commonplace to point out that if a group really wants a ‘centralized’ workflow, they can just designate one particular repository the ‘master’ canonical repository and continue onwards with the DVCS as a more capable replacement for Apache Subversion⁠ or CVS⁠.
34. ⁠betterunix⁠ offers an interesting defense of DigiCash:
35. ⁠Zooko, May 31, 201113ya 6:42 PM
36. Wei Dai, ⁠2011-02-25⁠:

⁠Dai has also criticized⁠ the monetary policy built into Bitcoin:

Adam Back, ⁠2013-04-18⁠ (confirmed by ⁠Wei Dai⁠):

Backlinks for ⁠footnote 36⁠:

1. The Crypto-Currency: Bitcoin and its mysterious inventor⁠ (⁠full context⁠):
37. Which is a comforting lie scammers tell themselves and others to blame the victim—‘really, the victim deserved it, you can’t cheat an honest man!’—and which makes for funner fictional (ie. ‘not true’) stories. But I think the sordid reality looks more like simply good people being ripped off as they lose their life savings because they aren’t specialists in an area and trusted an expert. I think it’s relatively rare that you get a complicated setup like this scam, or like the Madoff scam in which people assumed Madoff was simply frontrunning the people he was trading for; although now that I think about it, only the savviest investors with Madoff understood the sheer impossibility of his returns and concluded he was scamming by frontrunning, most of the people who gave him money were just ordinary middle-upper-class folks.

Backlinks

Bibliography

⁠[Bibliography of links/references used in page]⁠

[Send Anonymous Feedback]

[Quote Of The Day]

[Site Of The Day]

[Annotation Of The Day]

[adblock public service announcement]