Bitcoin Is Worse Is Better (2011 gwern.net)
republished from https://www.gwern.net/Bitcoin-is-Worse-is-Better
The genius of Bitcoin, in inventing a digital currency successful in the real world, is not in creating any new abstruse mathematics or cryptographic breakthrough, but in putting together decades-old pieces in a semi-novel but extremely unpopular way. Everything Bitcoin needed was available for many years, including the key ideas.
However, the sacrifice Bitcoin makes to achieve decentralization is-however practical-a profoundly ugly one. Early reactions to Bitcoin by even friendly cryptographers & digital currency enthusiasts were almost uniformly extremely negative, and emphasized the (perceived) inefficiency & (relative to most cryptography) weak security guarantees. Critics let ‘perfect be the enemy of better’ and did not perceive Bitcoin’s potential. However, in an example of ‘Worse is Better’, the ugly inefficient prototype of Bitcoin successfully created a secure decentralized digital currency, which can wait indefinitely for success, and this was enough to eventually lead to adoption, improvement, and growth into a secure global digital currency.
Satoshi published the first public version of his white paper on 2008–11–01 after earlier private discussions and the whitepaper was further edited afterwards, but if you look at the cryptography that makes up Bitcoin, they can be divided into:
- Cryptographic signatures
- Cryptographic hash functions
- Hash chain used for proof-of-work
- cryptographic time-stamps
- resilient peer-to-peer networks
But with the benefit of this hindsight, one can wonder-why this delay?
If the idea is (relatively) easy to understand and uses basic ideas, if it is very far from the cutting-edge of cryptography, then there’s no reason it would not be seriously tried. Certainly the cypherpunks of the ’90s were wildly creative, inventing everything from Cypherpunk/ Mixmaster to MojoNation to assassination markets to data havens (memorably depicted in ). We have already seen 2 of their proposed cryptocurrencies, and proof-of-work was one of the most common proposals to deal with the rising tsunami of spam. Why did Bitcoin take a decade to be born? The problem of timing nags at me-similar to the historical question of why England experienced the Industrial Revolution and grew to empire, and not China, which seems better equipped in every respect. Where does innovation come from? There must be an answer. (And it may be similar to VR.)
Is the problem one of resources? In the whitepaper, Satoshi remarks:
A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.
That’s fine to say in 2008, after many doublings. Would memory be a problem in the 1990s? It doesn’t have to be. The difficulty of bitcoin mining is adjustable, so the problem boils down to:
- disk usage
- With a smaller hash like SHA1, the 80 bytes can be shrunk
- 10 minutes is not graven in stone; why not 20 minutes? Right there we have halved the transaction overhead
- the hash tree can be ‘garbage collected’ and shrunk
- it is only necessary to maintain a full hash tree if one is paranoid.
- In practice, like many programs of the era such as mail or Usenet clients, the default could simply be to hold onto the last n blocks/ hashes (Satoshi estimates ); this would consume a limited amount of disk space.
2. network connectivity is solvable by solutions to #1
- A function of the existing hash tree size
- And frequency of new transactions
It’s worth pointing out that it’s generally expected that at some point ordinary desktop users like you or me are expected to stop being full-fledged nodes and bitcoin miners and will instead make use of some specialist service running powerful servers of its own; in a counterfactual universe where Bitcoin was begun in the early 1990s, the changeover would simply have occurred sooner. (And with all the investment money desperately investing in the first Internet bubble, it would be quite easy to start such a service regardless of the technical demands.)
As well, few of the objections to cryptocurrencies seem to have been “computers which can run it are fantastically expensive”. In computing, applications and techniques are often invented many decades before Moore’s law makes them practically useful, but this does not seem to have happened with Bitcoin. A similar objection obtains with patents or published papers; if Bitcoin was a known idea, where are they? I have yet to see anybody point out what patents might have deterred cryptography researchers & implementers; the answer is that there were none. Because there was no investor interest? Not that Satoshi needed investors, but there were a tremendous number of online payment services started in the ’90s, each searching for the secret sauce that would let them win ‘mindshare’ and ride ‘network effects’ to victory; DigiCash again comes to mind. Even in the ’90s, when the Internet seems embryonic to us of the 2010s, there were still many millions of people on the Internet who could have used a digital cash.
So if the basic idea is accessible, and it’s useful on consumer-grade hardware for the last 20 years or so, then what’s the problem?
I think it’s instructive to look at Satoshi’s on the Cryptography newsgroup/ mailing list; particularly the various early criticisms:
Nick Szabo summarizes the early reaction:
Bitcoin is not a list of cryptographic features, it’s a very complex system of interacting mathematics and protocols in pursuit of what was a very unpopular goal. While the security technology is very far from trivial, the “why” was by far the biggest stumbling block-nearly everybody who heard the general idea thought it was a very bad idea. Myself, Wei Dai, and Hal Finney were the only people I know of who liked the idea (or in Dai’s case his related idea) enough to pursue it to any significant extent until Nakamoto (assuming Nakamoto is not really Finney or Dai). Only Finney () and Nakamoto were motivated enough to actually implement such a scheme.
As well, let’s toss in some blog posts on Bitcoin by the cryptographer Ben Laurie and Victor Grischchenko; Laurie particularly criticizes the hash-contest which guarantees heavy resource consumption:
- “Bitcoin”
- “Bitcoin 2”
- “Bitcoin is Slow Motion”
- “Decentralised Currencies Are Probably Impossible: But Let’s At Least Make Them Efficient”
- “Bitcoin?”, Victor Grischchenko
What’s the common thread? Is there any particular fatal flaw of Bitcoin that explains why no one but Satoshi came up with it?
No! What’s wrong with Bitcoin is that it’s ugly. It is not elegant. It’s clever to define your bitcoin balance as whatever hash tree is longer, has won more races to find a new block, but it’s ugly to make your network’s security depend solely on having more brute-force computing power than your opponents, ugly to need now and in perpetuity at least half the processing power just to avoid double-spending. It’s clever to have a P2P network distributing updated blocks which can be cheaply & independently checked, but there are tons of ugly edge cases which Satoshi has not proven (in the sense that most cryptosystems have security proofs) to be safe and he himself says that what happens will be a “coin flip” at some points. It’s ugly to have a hash tree that just keeps growing and is going to be gigabytes and gigabytes in not terribly many years. It’s ugly to have a system which can’t be used offline without proxies and workarounds, which essentially relies on a distributed global clock, unlike Chaum’s elegant solution. It’s ugly to have a system that has to track all transactions, publicly; even if one can use bitcoins anonymously with effort, that doesn’t count for much-a cryptographer has learned from incidents like anon.penet.fi
and decades of successful attacks on pseudonymity. And even if the money supply has to be fixed (a bizarre choice and more questionable than the irreversibility of transactions), what's with that arbitrary-looking 21 million bitcoin limit? Couldn't it have been a rounder number or at least a power of 2? (Not that the bitcoin mining is much better, as it's a massive give-away to early adopters. Coase's theorem may claim it doesn't matter how bitcoins are allocated in the long run, but such a blatant bribe to early adopters rubs against the grain. Again, ugly and inelegant.) Bitcoins can simply disappear if you send them to an invalid address. And so on.
The basic insight of Bitcoin is clever, but clever in an ugly compromising sort of way. Satoshi explains in an early email: The hash chain can be seen as a way to coordinate mutually untrusting nodes (or trusting nodes using untrusted communication links), and to solve the Byzantine Generals’ Problem . If they try to collaborate on some agreed transaction log which permits some transactions and forbids others (as attempted double-spends), naive solutions will fracture the network and lead to no consensus. So they adopt a new scheme in which the reality of transactions is “whatever the group with the most computing power says it is”! The hash chain does not aspire to record the “true” reality or figure out who is a scammer or not; but like Wikipedia, the hash chain simply mirrors one somewhat arbitrarily chosen group’s consensus:
…It has been decided that anyone who feels like it will announce a time, and whatever time is heard first will be the official attack time. The problem is that the network is not instantaneous, and if two generals announce different attack times at close to the same time, some may hear one first and others hear the other first.
They use a proof-of-work chain to solve the problem. Once each general receives whatever attack time he hears first, he sets his computer to solve an extremely difficult proof-of-work problem that includes the attack time in its hash. The proof-of-work is so difficult, it’s expected to take 10 minutes of them all working at once before one of them finds a solution. Once one of the generals finds a proof-of-work, he broadcasts it to the network, and everyone changes their current proof-of-work computation to include that proof-of-work in the hash they’re working on. If anyone was working on a different attack time, they switch to this one, because its proof-of-work chain is now longer.
After two hours, one attack time should be hashed by a chain of 12 proofs-of-work. Every general, just by verifying the difficulty of the proof-of-work chain, can estimate how much parallel CPU power per hour was expended on it and see that it must have required the majority of the computers to produce that much proof-of-work in the allotted time. They had to all have seen it because the proof-of-work is proof that they worked on it. If the CPU power exhibited by the proof-of-work chain is sufficient to crack the password, they can safely attack at the agreed time.
The proof-of-work chain is how all the synchronisation, distributed database and global view problems you’ve asked about are solved.
In short, Bitcoin is a perfect example of Worse is Better ( original essay). You can see the tradeoffs that Richard P. Gabriel enumerates: Bitcoin has many edge cases; it lacks many properties one would desire for a cryptocurrency; the whitepaper is badly under-specified; much of the behavior is socially determined by what the miners and clients collectively agree to accept, not by the protocol; etc.
The worse-is-better philosophy is only slightly different: […]
Completeness-the design must cover as many important situations as is practical. All reasonably expected cases should be covered. Completeness can be sacrificed in favor of any other quality. In fact, completeness must be sacrificed whenever implementation simplicity is jeopardized. Consistency can be sacrificed to achieve completeness if simplicity is retained; especially worthless is consistency of interface.
…The MIT guy did not see any code that handled this [edge] case and asked the New Jersey guy how the problem was handled. The New Jersey guy said that the Unix folks were aware of the problem, but the solution was for the system routine to always finish, but sometimes an error code would be returned that signaled that the system routine had failed to complete its action. A correct user program, then, had to check the error code to determine whether to simply try the system routine again. The MIT guy did not like this solution because it was not the right thing… It is better to get half of the right thing available so that it spreads like a virus. Once people are hooked on it, take the time to improve it to 90% of the right thing.
Guarantees of Byzantine resilience? Loosely sketched out and left for future work. Incentive-compatible? Well… maybe. Anonymity? Punted on in favor of pseudonymity; maybe someone can add real anonymity later. Guarantees of transactions being finalized? None, the user is just supposed to check their copy of the blockchain. Consistent APIs? Forget about it, there’s not even a standard, it’s all implementation-defined (if you write a client, it’d better be “bugward compatibility” with Satoshi’s client). Moon math? Nah, it’s basic public-key crypto plus a lot of imperative stack-machine bit-twiddling. Space efficiency? A straightforward blockchain and on-disk storage takes priority over any fancy compression or data-structure schemes. Fast transactions? You can use zero-conf and if that’s not good enough for buying coffee, maybe someone can come up with something using the smart contract features. And so on.
But for all the issues, it seems to work. Just like Unix, there were countless ways to destroy your data or crash the system, which didn’t exist on more ‘proper’ OSs like , and there were countless lacking features compared to systems like or the Lisp machine OSs. But like the proverbial cockroaches, Unix spread, networked, survived-and the rest did not. And as it survives and evolves gradually, it slowly becomes what it “should” have been in the first place. Or HTML vs Project Xanadu .
Paul Ford in 2013 has stumbled onto a similar view of Bitcoin:
The Internet is a big fan of the worst-possible-thing. Many people thought Twitter was the worst possible way for people to communicate, little more than discourse abbreviated into tiny little chunks; Facebook was a horrible way to experience human relationships, commodifying them into a list of friends whom one pokes. The Arab Spring changed the story somewhat. (BuzzFeed is another example-let them eat cat pictures.) One recipe for Internet success seems to be this: Start at the bottom, at the most awful, ridiculous, essential idea, and own it. Promote it breathlessly, until you’re acquired or you take over the world. Bitcoin is playing out in a similar way. It asks its users to forget about central banking in the same way Steve Jobs asked iPhone users to forget about the mouse.
But he lacks the “worse is better” paradigm (despite being a programmer) and doesn’t understand how Bitcoin is the worst-possible-thing. It’s not the decentralized aspect of Bitcoin, it’s how Bitcoin is decentralized: a cryptographer would have difficulty coming up with Bitcoin because the mechanism is so ugly and there are so many elegant features he wants in it. Programmers and mathematicians often speak of “taste”, and how they lead one to better solutions. A cryptographer’s taste is for cryptosystems optimized for efficiency and theorems; it is not for systems optimized for virulence, for their sociological appeal. Centralized systems are natural solutions because they are easy, like the integers are easy; but like the integers are but a vanishingly small subset of the reals, so too are centralized systems a tiny subset of decentralized ones. DigiCash and all the other cryptocurrency startups may have had many nifty features, may have been far more efficient, and all that jazz, but they died anyway. They had no communities, and their centralization meant that they fell with their corporate patrons. They had to win in their compressed timeframe or die out completely. But “that is not dead which can eternal lie”. And the race may not go to the swift, as Hal Finney also pointed out early on:
Every day that goes by and Bitcoin hasn’t collapsed due to legal or technical problems, that brings new information to the market. It increases the chance of Bitcoin’s eventual success and justifies a higher price.
It may be that Bitcoin’s greatest virtue is not its deflation, nor its microtransactions, but its viral distributed nature; it can wait for its opportunity. “If you sit by the bank of the river long enough, you can watch the bodies of your enemies float by.”
Nick Szabo and Zooko Wilcox-O’Hearn disagree strongly with the thesis that “Bitcoin is Worse is Better”. They contend while there may be bad parts to Bitcoin, there is a novel core idea which is actually very clever-the hash chain is a compromise which thinks outside the box and gives us a sidestep around classic problems of distributed computing, which gives us something similar enough to a trustworthy non-centralized authority that we can use it in practice.
Gwern’s post fails to appreciate the technical advances that BitCoin originated. I have been trying, off and on, to invent a decentralized digital payment system for fifteen years (since I was at DigiCash). I wasn’t sure that a practical system was even possible, until BitCoin was actually implemented and became as popular as it has. Scientific advances often seem obvious in retrospect, and so it is with BitCoin.
Nick Szabo thinks that the main blocking factors were:
- ideological beliefs about the nature of money (liberals not interested in non-state currencies, and Austrians believing that currencies must have intrinsic value)
- obscurity of bit gold-like ideas
- “requiring a proof-of-work to be a node in the Byzantine-resilient peer-to-peer system to lessen the threat of an untrustworthy party controlling the majority of nodes and thus corrupting a number of important security features”
- some simplification (not markets for converting “old” & harder-to-mine bitcoins to “new” & easier-to-mine bitcoins, but a changing network-wide consensus on how hard bitcoins must be to mine)
My own belief is that #1 is probably an important factor but questionable since the core breakthrough is applicable to all sorts of other tasks like secure global clocks or timestamping or domain names, #2 is irrelevant as all digital cryptographic currency ideas are obscure (to the point where, for example, Satoshi’s whitepaper does not cite bit gold but only b-money, yet Wei Dai does not believe his b-money actually influenced Bitcoin at all!), and #3–4 are minor details which cannot possibly explain why Bitcoin has succeeded to any degree while ideas like bit gold languished.
- -(use and economic philosophy of the Silk Road 1 marketplace)
- ; -(a similar solution by resort to proof-of-work)
Originally published at https://www.gwern.net.