
James Grant invited me to address the annual conference of Grant's Interest Rate Observer. This was an intimidating prospect: the previous year's conference featured billionaires Scott Bessent and Bill Ackman. As usual, below the fold is the text of my talk, with the slides, links to the sources, and additional material in footnotes. Yellow background indicates textual slides.
The Gaslit Asset Class
Before I explain that much of what you have been told about cryptocurrency technology is gaslighting, I should stress that I hold no long or short positions in cryptocurrencies, their derivatives or related companies. Unlike most people discussing them, I am not "talking my book".
To fit in the allotted time, this talk focuses mainly on Bitcoin and omits many of the finer points. My text, with links to the sources and additional material in footnotes, will go up on my blog later today.
Why Am I Here?
I imagine few of you would understand why a retired software engineer with more than forty years in Silicon Valley was asked to address you on cryptocurrencies [1].
I was an early employee at Sun Microsystems, then employee #4 at Nvidia, so I have been long Nvidia for more than 30 years. It has been a wild ride. I quit after 3 years as part of fixing Nvidia's first near-death experience and immediately did 3 years as employee #12 at another startup, which also IPO-ed. If you do two in six years in your late 40s you get seriously burnt out.
So my wife and I started a program at Stanford that is still running 27 years later. She was a career librarian at the Library of Congress and the Stanford Library. She was part of the team that, 30 years ago, pioneered the transition of academic publishing to the Web. She was also the person who explained citation indices to Larry and Sergey, which led to Page Rank.
The academic literature has archival value. Multiple libraries hold complete runs on paper of the Philosophical Transactions of the Royal Society starting 360 years ago [2].
The interesting engineering problem we faced was how to enable libraries to deliver comparable longevity to Web-published journals.
Five Years Before Satoshi Nakamoto

I worked with a group of outstanding Stanford CS Ph.D. students to design and implement a system for stewardship of Web content modeled on the paper library system. The goal was to make it extremely difficult for even a powerful adversary to delete or modify content without detection. It is called LOCKSS, for Lots Of Copies Keep Stuff Safe; a decentralized peer-to-peer system secured by Proof-of-Work. We won a "Best Paper" award for it five years before Satoshi Nakamoto published his decentralized peer-to-peer system secured by Proof-of-Work. When he did, LOCKSS had been in production for a few years and we had learnt a lot about how difficult decentralization is in the online world.
Bitcoin built on more than two decades of research. Neither we nor Nakamoto invented Proof-of-Work; Cynthia Dwork and Moni Naor published it in 1992. Nakamoto didn't invent blockchains; Stuart Haber and W. Scott Stornetta patented them in 1991. He was extremely clever in assembling well-known techniques into a cryptocurrency, but his only major innovation was the Longest Chain Rule.
Digital cash
The fundamental problem of representing cash in digital form is that a digital coin can be endlessly copied, thus you need some means to prevent each of the copies being spent. When you withdraw cash from an ATM, turning digital cash in your account into physical cash in your hand, the bank performs an atomic transaction against the database mapping account numbers to balances. The bank is trusted to prevent multiple spending.
There had been several attempts at a cryptocurrency before Bitcoin. The primary goals of the libertarians and cypherpunks were that a cryptocurrency be as anonymous as physical cash, and that it not have a central point of failure that had to be trusted. The only one to get any traction was David Chaum's DigiCash; it was anonymous but it was centralized to prevent multiple spending and it involved banks.
Nakamoto's magnum opus
Bitcoin claims:
- The system was trustless because it was decentralized.
- It was a medium of exchange for buying and selling in the real world.
- Transactions were faster and cheaper than in the existing financial system.
- It was secured by Proof-of-Work and cryptography.
- It was privacy-preserving.
When in November 2008 Nakamoto published Bitcoin: A Peer-to-Peer Electronic Cash System it was the peak of the Global Financial Crisis and people were very aware that the financial system was broken (and it still is). Because it solved many of the problems that had dogged earlier attempts at electronic cash, it rapidly attracted a clique of enthusiasts. When Nakamoto went silent in 2010 they took over proselytizing the system. The main claims they made were:
- The system was trustless because it was decentralized.
- It was a medium of exchange for buying and selling in the real world.
- Transactions were faster and cheaper than in the existing financial system.
- It was secured by Proof-of-Work and cryptography.
- It was privacy-preserving.
They are all either false or misleading. In most cases Nakamoto's own writings show he knew this. His acolytes were gaslighting.
Trustless because decentralized (1)
Assuming that the Bitcoin network consists of a large number of roughly equal nodes, it randomly selects a node to determine the transactions that will form the next block. There is no need to trust any particular node because the chance that they will be selected is small [3].
At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node.
Satoshi Nakamoto 2nd November 2008
The current system where every user is a network node is not the intended configuration for large scale. ... The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms. The rest will be client nodes that only do transactions and don’t generate.
Satoshi Nakamoto: 29th July 2010
But only three days after publishing his white paper, Nakamoto understood that this assumption would become false:
At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware.
He didn't change his mind. On 29th July 2010, less than five months before he went silent, he made the same point:
The current system where every user is a network node is not the intended configuration for large scale. ... The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms.
"Letting users be users" necessarily means that the "users" have to trust the "few nodes" to include their transactions in blocks. The very strong economies of scale of technology in general and "big server farms" in particular meant that the centralizing force described in W. Brian Arthur's 1994 book Increasing Returns and Path Dependence in the Economy resulted in there being "fewer nodes". Indeed, on 13th June 2014 a single node controlled 51% of Bitcoin's mining, the GHash pool [4].
Trustless because decentralized (2)
In June 2022 Cooperation among an anonymous group protected Bitcoin during failures of decentralization by Alyssa Blackburn et al showed that it had not been decentralized from the very start. The same month a DARPA-sponsored report entitled Are Blockchains Decentralized? by a large team from the Trail of Bits security company examined the economic and many other centralizing forces affecting a wide range of blockchain implementations and concluded that the answer to their question is "No" [5].
The same centralizing economic forces apply to Proof-of-Stake blockchains such as Ethereum. Grant's Memo to the bitcoiners explained the process last February.
Trustless because decentralized (3)
Another centralizing force drives pools like GHash. The network creates a new block and rewards the selected node about every ten minutes. Assuming they're all state-of-the-art, there are currently about 15M rigs mining Bitcoin [6]. Their economic life is around 18 months, so only 0.5% of them will ever earn a reward. The owners of mining rigs pool their efforts, converting a small chance of a huge reward into a steady flow of smaller rewards. On average GHash was getting three rewards an hour.
A medium of exchange (1)
Quote from: Insti, July 17, 2010, 02:33:41 AM
How would a Bitcoin snack machine work?
- You want to walk up to the machine. Send it a bitcoin.
- ?
- Walk away eating your nice sugary snack. (Profit!)
You don’t want to have to wait an hour for your transaction to be confirmed.
The vending machine company doesn’t want to give away lots of free candy.
How does step 2 work?
I believe it’ll be possible for a payment processing company to provide as a service the rapid distribution of transactions with good-enough checking in something like 10 seconds or less.
Satoshi Nakamoto: 17th July 2010
Bitcoin's ten-minute block time is a problem for real-world buying and selling [7], but the problem is even worse. Network delays mean a transaction isn't final when you see it in a block. Assuming no-one controlled more than 10% of the hashing power, Nakamoto required another 5 blocks to have been added to the chain, so 99.9% finality would take an hour. With a more realistic 30%, the rule should have been 23 blocks, with finality taking 4 hours [8].
Nakamoto's 17th July 2010 exchange with Insti shows he understood that the Bitcoin network couldn't be used for ATMs, vending machines, buying drugs or other face-to-face transactions because he went on to describe how a payment processing service layered on top of it would work.
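To show where the hour and four-hour figures come from, here is an added example: my Python port of the calculation in Section 11 of Nakamoto's white paper, not code from the talk. It gives the probability that an attacker holding a fraction q of the hash power can eventually rewrite a transaction buried z blocks deep, where z counts the block containing the transaction plus the blocks added after it. The white paper tabulates z=5 for q=0.1 and z=24 for q=0.3 at a 0.1% reversal risk; the functions below reproduce those values and convert them to wall-clock delay at the ten-minute block interval.

```python
# Added example (not part of the original talk): Nakamoto's attacker-catch-up
# calculation from Section 11 of the Bitcoin white paper, ported from its C code.
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q overtakes an honest
    chain that is z blocks ahead. Above 50% the attacker always wins."""
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)   # expected attacker blocks while the honest chain mines z
    total = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker mined exactly k blocks in that time
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        # From z-k blocks behind, the chance of ever catching up is (q/p)^(z-k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_for(q: float, max_risk: float = 0.001) -> int:
    """Smallest z at which the reversal probability drops below max_risk."""
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


def finality_delay_minutes(q: float, block_minutes: float = 10.0,
                           max_risk: float = 0.001) -> float:
    """Wall-clock wait implied by the confirmation count and the block interval."""
    return confirmations_for(q, max_risk) * block_minutes


if __name__ == "__main__":
    for q in (0.10, 0.30):
        z = confirmations_for(q)
        hours = finality_delay_minutes(q) / 60.0
        print(f"q={q:.2f}: wait {z} blocks ({hours:.1f} hours) for <0.1% reversal risk")
```

The inner loop is the Poisson term for the attacker's progress and the `(q/p)**(z-k)` factor is the gambler's-ruin probability of closing the remaining gap; the sum is exactly the white paper's expression, so the 30% case lands on 24 blocks, four hours at ten minutes per block.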
A medium of exchange (2)
assuming that the two sides are rational actors and the smart contract language is Turing-complete, there is no escrow smart contract that can facilitate this exchange without either relying on third parties or enabling at least one side to extort the other.
two-party escrow smart contracts are ... simply a game of who gets to declare their choice first and commit it on the blockchain sooner, hence forcing the other party to concur with their choice. The order of transactions on a blockchain is essentially decided by the miners. Thus, the party with better connectivity to the miners or who is willing to pay higher transaction fees, would be able to declare their choice to the smart contract first and extort the other party.
Amir Kafshdar Goharshady, Irrationality, Extortion, or Trusted Third-parties: Why it is Impossible to Buy and Sell Physical Goods Securely on the Blockchain
The situation is even worse when it comes to buying and selling real-world objects via programmable blockchains such as Ethereum [9]. In 2021 Amir Kafshdar Goharshady showed that[10]:
assuming that the two sides are rational actors and the smart contract language is Turing-complete, there is no escrow smart contract that can facilitate this exchange without either relying on third parties or enabling at least one side to extort the other.
Goharshady noted that:
on the Ethereum blockchain escrows with trusted third-parties are used more often than two-party escrows, presumably because they allow dispute resolution by a human.
And goes on to show that in practice trusted third-party escrow services are essential because two-party escrow smart contracts are:
simply a game of who gets to declare their choice first and commit it on the blockchain sooner, hence forcing the other party to concur with their choice. The order of transactions on a blockchain is essentially decided by the miners. Thus, the party with better connectivity to the miners or who is willing to pay higher transaction fees, would be able to declare their choice to the smart contract first and extort the other party.
The choice being whether or not the good had been delivered. Given the current enthusiasm for tokenization of physical goods the market for trusted escrow services looks bright.
Fast transactions
Actually the delay between submitting a transaction and finality is unpredictable and can be much longer than an hour. Transactions are validated by miners then added to the mempool of pending transactions where they wait until either:
- The selected network node chooses it as one of the most profitable to include in its block.
- It reaches either its specified timeout or the default of 2 weeks.
This year the demand for transactions has been low, typically under 4 per second, so the backlog has been low, around 40K or under three hours. Last October it peaked at around 14 hours worth.
The distribution of transaction wait times is highly skewed. The median wait is typically around a block time. The proportion of low-fee transactions means the average wait is normally around 10 times that. But when everyone wants to transact the ratio spikes to over 40 times.
Cheap transactions
There are two ways miners can profit from including a transaction in a block:
- The fee to be paid to the miner which the user chose to include in the transaction. In effect, transaction slots are auctioned off.
- The transactions the miner included in the block to front- and back-run the user's transaction, called Maximal Extractable Value[11]:
Maximal extractable value (MEV) refers to the maximum value that can be extracted from block production in excess of the standard block reward and gas fees by including, excluding, and changing the order of transactions in a block.
The block size limit means there is a fixed supply of transaction slots, about 7 per second, but the demand for them varies, and thus so does the price. In normal times the auction for transaction fees means they are much smaller than the block reward. But when everyone wants to transact they suffer massive spikes.
Secured by Proof-of-Work (1)
In cryptocurrencies "secured" means that the cost of an attack exceeds the potential loot. The security provided by Proof-of-Work is linear in its cost, unlike techniques such as encryption, whose security is exponential in cost. It is generally believed that it is impractical to reverse a Bitcoin transaction after about an hour because the miners are wasting such immense sums on Proof-of-Work. Bitcoin pays these immense sums, but it doesn't get the decentralization they ostensibly pay for.
Monero, a privacy-focused blockchain network, has been undergoing an attempted 51% attack — an existential threat to any blockchain. In the case of a successful 51% attack, where a single entity becomes responsible for 51% or more of a blockchain's mining power, the controlling entity could reorganize blocks, attempt to double-spend, or censor transactions.
A company called Qubic has been waging the 51% attack by offering economic rewards for miners who join the Qubic mining pool. They claim to be "stress testing" Monero, though many in the Monero community have condemned Qubic for what they see as a malicious attack on the network or a marketing stunt.
Molly White: Monero faces 51% attack
The advent of "mining as a service" about 7 years ago made 51% attacks against smaller Proof-of-Work alt-coins such as Bitcoin Gold endemic. In August Molly White reported that Monero faces 51% attack, as quoted in the slide above.
In 2018's The Economic Limits Of Bitcoin And The Blockchain, Eric Budish of the Booth School analyzed two versions of the 51% attack. I summarized his analysis of the classic multiple spend attack thus:
Note that only Bitcoin and Ethereum among cryptocurrencies with "market cap" over $100M would cost more than $100K to attack. The total "market cap" of these 8 currencies is $271.71B and the total cost to 51% attack them is $1.277M or 4.7E-6 of their market cap.
His key insight was that to ensure that 51% attacks were uneconomic, the reward for a block, implicitly the transaction tax, plus the fees had to be greater than the maximum value of the transactions in it. The total transaction cost (reward + fee) typically peaks around 1.8% but is normally between 0.6% and 0.8%, or around 150 times less than Budish's safety criterion. The result is that a conspiracy between a few large pools could find it economic to mount a 51% attack.
Secured by Proof-of-Work (2)
However, ∆attack is something of a “pick your poison” parameter. If ∆attack is small, then the system is vulnerable to the double-spending attack ... and the implicit transactions tax on economic activity using the blockchain has to be high. If ∆attack is large, then a short time period of access to a large amount of computing power can sabotage the blockchain.
Eric Budish: The Economic Limits Of Bitcoin And The Blockchain
But everyone assumes the pools won't do that. Budish further analyzed the effects of a multiple spend attack. It would be public, so it would in effect be sabotage, decreasing the Bitcoin price by a factor ∆attack. He concludes that if the decrease is small, then double-spending attacks are feasible and the per-block reward plus fee must be large, whereas if it is large then access to the hash power of a few large pools can quickly sabotage the currency.
The implication is that miners, motivated to keep fees manageable, believe ∆attack is large. Thus Bitcoin is secure because those who could kill the golden goose don't want to.
Secured by Proof-of-Work (3)
The following year, in Beyond the doomsday economics of “proof-of-work” in cryptocurrencies, Raphael Auer of the Bank for International Settlements showed that the problem Budish identified was inevitable [12]:
proof-of-work can only achieve payment security if mining income is high, but the transaction market cannot generate an adequate level of income. ... the economic design of the transaction market fails to generate high enough fees.
In other words, the security of Bitcoin's blockchain depends upon inflating the currency with block rewards. This problem is exacerbated by Bitcoin's regular "halvenings" reducing the block reward. To maintain miners' current income after the next halvening in less than three years the "price" would need to be over $200K; security depends upon the "price" appreciating faster than 20%/year.
Once the block reward gets small, safety requires the fees in a block to be worth more than the value of the transactions in it. But everybody has decided to ignore Budish and Auer.
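Auer's point is easier to see with the subsidy schedule written out. The following is an added example, not from the talk and not Bitcoin Core's code, although the right-shift rule it encodes is the consensus rule: the subsidy halves every 210,000 blocks, rounding down in that shift is what caps supply just below 21M BTC, and, fees aside, holding miners' fiat income constant across a halving requires the price to double roughly every four years, about 19%/year compounded, which is the order of the 20%/year appreciation the talk says security depends on. The block-time constant (six blocks an hour) is an assumption of the example.

```python
# Added example (not from the talk or from Bitcoin Core): the block subsidy
# schedule whose decay drives the Budish/Auer security problem.
SATOSHIS_PER_BTC = 100_000_000
INITIAL_SUBSIDY_SATS = 50 * SATOSHIS_PER_BTC
HALVING_INTERVAL = 210_000          # blocks between halvings (consensus rule)
BLOCKS_PER_YEAR = 6 * 24 * 365      # assumes the nominal ten-minute block time


def block_subsidy_sats(height: int) -> int:
    """Subsidy in satoshis at a given height: 50 BTC shifted right once per halving."""
    if height < 0:
        raise ValueError("height must be non-negative")
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:              # the value is long since zero; avoid an oversized shift
        return 0
    return INITIAL_SUBSIDY_SATS >> halvings


def total_supply_sats() -> int:
    """Sum of every subsidy that will ever be paid; the 21M cap is a by-product of the rounding."""
    total = 0
    era = 0
    while True:
        subsidy = block_subsidy_sats(era * HALVING_INTERVAL)
        if subsidy == 0:
            break
        total += subsidy * HALVING_INTERVAL
        era += 1
    return total


def price_multiple_to_hold_income(halvings: int) -> float:
    """Factor the fiat price must rise by to keep subsidy income flat over `halvings` halvings."""
    return 2.0 ** halvings


def required_annual_appreciation(
        years_per_halving: float = HALVING_INTERVAL / BLOCKS_PER_YEAR) -> float:
    """Compound annual price growth that exactly offsets one halving, ignoring fees."""
    return 2.0 ** (1.0 / years_per_halving) - 1.0


if __name__ == "__main__":
    for h in (0, 210_000, 420_000, 630_000, 840_000, 1_050_000):
        print(f"height {h:>9}: subsidy {block_subsidy_sats(h) / SATOSHIS_PER_BTC:.8f} BTC")
    print(f"total supply ever: {total_supply_sats() / SATOSHIS_PER_BTC:.8f} BTC")
    print(f"price growth needed per year to offset halvings: {required_annual_appreciation():.1%}")
```

Because the subsidy is the only term that shrinks on a fixed schedule, any security argument that leans on it has to assume either perpetual price growth at that rate or fees rising to replace it, which is the gap Auer identifies.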
Secured by Proof-of-Work (4)
In 2024 Soroush Farokhnia & Amir Kafshdar Goharshady's Options and Futures Imperil Bitcoin's Security showed that (i) a successful block-reverting attack does not necessarily require ... a majority of the hash power; (ii) obtaining a majority of the hash power ... costs roughly 6.77 billion ... and (iii) Bitcoin derivatives, i.e. options and futures, imperil Bitcoin’s security by creating an incentive for a block-reverting/majority attack.
They assume that an attacker would purchase enough state-of-the-art hardware for the attack. Given Bitmain's dominance in mining ASICs, such a purchase is unlikely to be feasible.
Secured by Proof-of-Work (5)
But it would not be necessary. Mining is a very competitive business, and power is the major cost [13]. Making a profit requires both cheap power and early access to the latest, most efficient chips. So it wasn't a surprise that Ferreira et al's Corporate capture of blockchain governance showed that:
As of March 2021, the pools in Table 1 collectively accounted for 86% of the total hash rate employed. All but one pool (Binance) have known links to Bitmain Technologies, the largest mining ASIC producer. [14]
Secured by Proof-of-Work (6)
Bitmain, a Chinese company, exerts significant control of Bitcoin. China has firmly suppressed domestic use of cryptocurrencies, whereas the current administration seems intent on integrating them (and their inevitable grifts) into the US financial system. Except for Bitmain, no-one in China gets eggs from the golden goose. This asymmetry provides China with a way to disrupt the US financial system.
It would be important to prevent the disruption being attributed to China. A necessary precursor would therefore be to obscure the extent of Bitmain-affiliated pools' mining power. This has been a significant trend in the past year; note the change in the "unknown" in the graphs from 38 to 305. There could be other explanations, but whether or not intentionally this is creating a weapon [15].
Secured by cryptography (1)
The dollars in your bank account are simply an entry in the bank's private ledger tagged with your name. You control this entry, but what you own is a claim on the bank [16]. Similarly, your cryptocurrency coins are effectively an entry in a public ledger tagged with the public half of a key pair. The two differences are that:
- No ownership is involved, so you have no recourse if something goes wrong.
- Anyone who knows the secret half of the key pair controls the entry. Since it is extremely difficult to stop online secrets leaking, something is likely to go wrong[17].
The secret half of your key can leak via what Randall Munroe depicted as a "wrench attack", via phishing, social engineering, software supply chain attacks[18], and other forms of malware. Preventing these risks requires you to maintain an extraordinary level of operational security.
Secured by cryptography (2)
Even perfect opsec may not be enough. Bitcoin and most cryptocurrencies use two cryptographic algorithms, SHA256 for hashing and ECDSA for signatures.
Quote from: llama on July 01, 2010, 10:21:47 PM
Satoshi, That would indeed be a solution if SHA was broken (certainly the more likely meltdown), because we could still recognize valid money owners by their signature (their private key would still be secure).
However, if something happened and the signatures were compromised (perhaps integer factorization is solved, quantum computers?), then even agreeing upon the last valid block would be worthless.
True, if it happened suddenly. If it happens gradually, we can still transition to something stronger. When you run the upgraded software for the first time, it would re-sign all your money with the new stronger signature algorithm. (by creating a transaction sending the money to yourself with the stronger sig)
Satoshi Nakamoto: 10th July 2010
On 10th July 2010 Nakamoto addressed the issue of what would happen if either of these algorithms were compromised. There are three problems with his response: compromise is likely in the near future, when it happens Nakamoto's fix is inadequate, and there is a huge incentive for it to happen suddenly.
Secured by cryptography (3)
Divesh Aggarwal et al's 2019 paper Quantum attacks on Bitcoin, and how to protect against them noted that:
the elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates.
Their "most optimistic estimates" are likely to be correct; PsiQuantum expects to have two 1M qubit computers operational in 2027 [19]. Each should be capable of breaking an ECDSA key in under a week.
Bitcoin's transition to post-quantum cryptography faces a major problem because, to transfer coins from an ECDSA wallet to a post-quantum wallet, you need the key for the ECDSA wallet. Chainalysis estimates that:
about 20% of all Bitcoins have been "lost", or in other words are sitting in wallets whose keys are inaccessible
An example is the notorious hard disk in the garbage dump. A sufficiently powerful quantum computer could recover the lost keys.
The incentive for it to happen suddenly is that, even if Nakamoto's fix were in place, someone with access to the first sufficiently powerful quantum computer could transfer 20% of all Bitcoin, currently worth $460B, to post-quantum wallets they controlled. This would be a 230x return on the investment in PsiQuantum.
Privacy-preserving
privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner.
Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
Satoshi Nakamoto: Bitcoin: A Peer-to-Peer Electronic Cash System
Nakamoto addressed the concern that, unlike DigiCash, because Bitcoin's blockchain was public it wasn't anonymous:
privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.
This is true but misleading. In practice, users need to use exchanges and other services that can tie them to a public key.
There is a flourishing ecosystem of companies that deanonymize wallets by tracing the web of transactions. Nakamoto added:
As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner.
This advice is just unrealistic. As Molly White wrote[20]:
funds in a wallet have to come from somewhere, and it’s not difficult to infer what might be happening when your known wallet address suddenly transfers money off to a new, empty wallet.
Nakamoto acknowledged:
Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
For more than a decade Jameson Lopp has been tracking what happens when a wallet with significant value is deanonymized, and it is a serious risk to life and limb[21].
One more risk
I have steered clear of the financial risks of cryptocurrencies. It may appear that the endorsement of the current administration has effectively removed their financial risk. But the technical and operational risks remain, and I should note another technology-related risk.
Equities are currently being inflated by the AI bubble. The AI platforms are running the drug-dealer's algorithm, "the first one's free", burning cash by offering their product free or massively under-priced. This cannot last; only 8% of their users would pay even the current price.
OpenAI's August launch of GPT-5, which was about cost-cutting not better functionality, and Anthropic's cost increases were both panned by the customers who do pay. AI may deliver some value, but it doesn't come close to the cost of delivering it [22].
There is likely to be an epic AI equity bust.
Analogies are being drawn to the telecom boom, but The Economist reckons[23]:
the potential AI bubble lags behind only the three gigantic railway busts of the 19th century.
History shows a fairly strong and increasing correlation between equities and cryptocurrencies, so they will get dragged down too. The automatic liquidation of leveraged long positions in DeFi will start, causing a self-reinforcing downturn. Periods of heavy load such as this tend to reveal bugs in IT systems, and especially in "smart contracts", as their assumptions of adequate resources and timely responses are violated.
Experience shows that Bitcoin's limited transaction rate and the fact that the Ethereum computer that runs all the "smart contracts" is 1000 times slower than a $50 Raspberry Pi 4 [24] lead to major slow-downs and fee spikes during panic selling, exacerbated by the fact that the panic sales are public [25].
Conclusion
The fascinating thing about cryptocurrency technology is the number of ways people have developed and how much they are willing to pay to avoid actually using it. What other transformative technology has had people desperate not to use it?
The whole of TradFi has been erected on this much worse infrastructure, including exchanges, closed-end funds, ETFs, rehypothecation, and derivatives. Clearly, the only reason for doing so is to escape regulation and extract excess profits from what would otherwise be crimes.
Footnotes
Acknowledgments
This talk benefited greatly from critiques of drafts by Hilary Allen, David Gerard, Jon Reiter, Joel Wallenberg, and Nicholas Weaver.