Bitcoin: The Trust Anchor in a Sea of Blockchains

23 July 2016

Bitcoin has a number of properties that give it utility (and thus value), such as trustlessness, permissionlessness, transparency, and immutability.

When you broaden your perspective of bitcoin from a currency and payment system to that of a secure historical ledger, it becomes clear that these properties, in conjunction with each other, can enable powerful applications.

As the “blockchain but not bitcoin” buzz continues to intensify, we can see that this is because many existing business and financial use cases don’t see a need for trustlessness and permissionlessness. Traditional financial institutions already have semi-trusted permissioned relationships that have been established over many decades, and their goal is to reestablish these relationships with new technology that makes coordination more efficient and robust. Public ledgers like bitcoin have been problematic for financial institutions because transaction validation is performed by a group of potentially unknown parties, while financial institutions are often legally required to vet every transaction going through them.

Some of bitcoin’s properties are difficult to describe comprehensively.

While permissionlessness (anyone can use the system without asking permission or fear of being censored) and transparency (anyone can audit the ledger) are straightforward, trustlessness and immutability are more complex.

Bitcoin advocates often distill trustlessness as meaning “you don’t have to trust anyone”, but this is an oversimplified perspective.

A consensus system such as bitcoin distributes the power to dictate how the system operates across a large set of people – developers, miners, merchants, users, etc. A reasonably decentralized system will make it very difficult to enact any changes that are not beneficial to an overwhelming portion of its participants. But at the root of the system, there is still trust involved – you must trust that most of the power held in the system belongs to users with your same sense of morality and rationality.

Immutability is also a complex property to define.

Bitcoin advocates often simplify it as “no one has the power to reverse the blockchain’s history” though a nuanced view has caveats similar to those involving trustlessness.

Let’s delve into the factors that affect immutability.

Proof of Immutability

Bitcoin is the strongest permissionless blockchain in terms of computational security because it has the most resources being expended in order to secure it via a process known as proof of work (PoW).

While PoW critics will point to the extreme “inefficiency” of the algorithm, the inefficiency is the entire point. PoW makes it extremely expensive to attack the bitcoin protocol’s consensus mechanism, which makes its history highly trustworthy, and effectively immutable.

Unfortunately, it’s very difficult to quantitatively compare different consensus algorithms in order to rank them and find the “best” one.

As Rootstock developer Sergio Demian Lerner put it:

Nonetheless, a handful of reputable minds have made valiant efforts to do so over the years.

Andrew Poelstra defends PoW in this publication about “Dynamic Membership Multiparty Signatures,” AKA distributed consensus algorithms where anyone can participate.

Poelstra defines DMMS algorithms as having three components:

  • A cost function
  • A signing function
  • A verification function

Poelstra goes on to argue that the most secure (and fair) DMMS is one for which there is no better signing algorithm than to simply execute the signing function repeatedly. In bitcoin’s case, the cost function is defined as “number of hash function calls,” which is a direct result of energy expenditure (a scarce resource), a cost that is external to the system being secured.

He writes:

“Because bitcoin’s DMMS is computationally, and therefore thermodynamically, very expensive, alternatives have been proposed which seek to be economically and environmentally more efficient. One popular alternative, proof-of-stake, is frequently proposed as a mechanism for a cheap distributed consensus.”

Proof of Stake (PoS) is the use of cryptographic signatures to show that the owner holds a vested interest in the system and has thus theoretically “paid a cost” at some point in the past in order to obtain tokens.

PoS has issues with its cost function, according to Poelstra.

This is primarily an issue of time: blockchains don’t have a sense of time, thus if you’re presented with a historical blockchain that appears to be valid, you can’t be sure that it isn’t merely one of many blockchains that were generated by an attacker. This is because it’s relatively cheap for an attacker to recreate an entire PoS chain on their own – all they need are private keys valid for staking at any point in the blockchain’s history.

This presents a security flaw.

The result is that a new node joining the network can’t trust just any valid chain that is presented to it, because there could be innumerable valid chains. Instead, the node must check with its peers to ensure that it is on the same chain as them, which opens a vulnerability to Sybil attacks. This contrasts with bitcoin’s security model, where a new node only needs to connect to a single honest peer because the chain with the most cumulative proof of work is clearly the legitimate chain.

Bitfury also published an in-depth analysis of PoW vs PoS, noting that naïve PoS suffers from the “nothing at stake” problem – if a staker is aware of multiple blockchain forks, the rational thing to do is to mine on every fork, because it doesn’t cost more to do so. Recall that PoW miners spend electricity, a resource that is “external” to the network.

PoS miners, on the other hand, use an “internal” resource, namely their account balance, and spend far fewer “external” resources. This makes PoS systems inherently untrustworthy in the eyes of many cryptocurrency enthusiasts. An attacker can try to fork the blockchain, i.e. create a longer blockchain than the current one, spending little “real” resources, and he can even be aided by other miners since they don’t spend any “real” resources either.

By forking, an attacker can invalidate certain transactions and execute double-spends.

Attacks can be roughly broken down into two categories: short-range and long-range. In short-range attacks, the most recent blocks are replaced; in long-range attacks, the attacker goes deeper, trying to replace the history of the network, potentially as far back as the genesis block.

Bitfury PoW Analysis

“Pure proof of stake approaches pose substantial security threats that cannot be recreated in PoW systems. These problems are inherent to PoS algorithms, as PoS consensus is not anchored in the physical world.”

Ethereum creator Vitalik Buterin explained several years ago why he likes PoS and proposes several modifications to PoS that would disincentivize both short- and long-range chain rewriting attacks.

He argues that these protections are good enough for everyone except new nodes joining the system, who would need to get a blockchain checkpoint from a trusted entity, possibly someone in their social network. From his viewpoint, this is acceptable because consensus algorithms are just automating the existing human consensus process, which is based upon social networks.

With Casper, Ethereum’s proposed future PoS algorithm, Buterin argues that neither PoW nor PoS can offer perfect “settlement finality” (immutability) but that Casper offers “economic finality”.

He writes:

“We can’t guarantee that ‘X will never be reverted’, but we can guarantee the slightly weaker claim that ‘either X will never be reverted or a large group of validators will voluntarily destroy millions of dollars of their own capital.'”

Interestingly, Buterin states:

“One of the main ideological grievances that has led to cryptocurrency’s popularity is precisely the fact that centralization tends to ossify into nobilities that retain permanent power.”

In another post, Buterin wrote:

“All ‘pure’ PoS systems are ultimately permanent nobilities where the members of the genesis block allocation always have the ultimate say. No matter what happens 10 million blocks down the road, the genesis block members can always come together and launch an alternate fork with an alternate transaction history and have that fork take over.”

Daniel Larimer reviewed Casper, arguing:

“Anyone without sufficient stake would be unable to participate profitably. Furthermore, those with the most stake will have the highest margins. The end result of this economic arrangement is that participating in Casper will only be profitable for a small subset of whales, likely a dozen or less.”

This certainly sounds like the “nobility problem” to which Buterin has referred on several occasions. While a similar argument could be made about bitcoin, I have written previously about why bitcoin’s mining centralization is likely a short-term phenomenon.

Paul Sztorc provided a unique perspective in which he argues that PoW is actually cheaper than PoS. According to Sztorc, all versions of PoS are simply obscured versions of PoW – there is always some sort of work that can be performed to increase one’s revenue. Thus, unless the consensus algorithm is totally independent of all possible human activities, it will inevitably become a form of PoW.

Sztorc argues the same of Delegated Proof of Stake:

“DPoS is a plutocracy where people use (but, neither spend {‘democracy’}, nor risk {‘capitalism’}) their money to elect 100 senators, who sign blocks in a sequence and thus secure a nearly-P2P network. If learning who to vote for takes ‘work’, then, even absent bribes, voters will always be susceptible to ‘work’-based influence.”

In permissionless consensus systems, a validation algorithm is needed to introduce scarcity.

PoW is rooted in physics and is quite similar to the process of mining physical resources such as gold, silver, and iron. One could argue that the scarcity of many such natural resources is regulated by the difficulty involved in acquiring them.

As such, natural resources are a proof of work; it’s a mechanism that has been recognized as valuable by humans for thousands of years.

Mining of physical resources is labor intensive; the product is a proof of work.

Is PoS dead on arrival? Probably not, since a number of smart developers keep working on advancing this concept – it may be “good enough” for certain uses.

When Bitcoin Core developer Gregory Maxwell was asked about his thoughts on PoS, he wouldn’t go as far as saying it can never work, but he did say that “it’s clear that you don’t get the same [security model] as bitcoin, but it’s not clear if what you get is actually useful”.

The Cost of Immutability

Permissionless and permissioned blockchains have very different security models. However, permissioned blockchains tend to have a federation of fewer than a hundred validators while popular permissionless blockchains have orders of magnitude more. From a validator attack vector, permissionless blockchains have superior security because it would take more resources to compromise or overwhelm a sufficient number of validators.

  • At time of writing, to purchase enough new hashing power to own 50% of the bitcoin network (1,487,398 TH/S) would cost approximately 114,415 Antminer S9 (13 TH/S) units at $2,500, or $286m in hardware costs and 1.4 KW * 114,415 * $0.08 KW/H, or $12,815 an hour in electricity costs.
  • To purchase 50% of ethereum’s network hashrate (3,700 GH/S), you would need 142,307 AMD Radeon R9 390 (26 MH/S) at $300 or $42m in hardware costs, and 0.3 KW * 142,307 * $0.08 KW/H, or $3,415 an hour in electricity costs.
  • To purchase 50% of litecoin’s network hashrate (1,362 GH/S), you would need 45,400 Zeusminer Thunder X3 (30 MH/S) at $250, or $11.3m in hardware costs, and 1 KW * 45,400 * $0.08 KW/H, or $3,632 an hour in electricity costs.

This is a naïve model because it’s probably not even possible to purchase that many units of ASICs and GPUs.

There are also plenty of other costs that aren’t covered in this model, such as hosting infrastructure, cooling, and human administrative costs. For the sake of simplicity, let’s assume that those costs scale similarly with the number of hashing units under management. Electricity costs can also vary, but would change each result proportionally.

From the numbers it’s clear that bitcoin is far more secure from a resource attack against its consensus algorithm than even the next most popular cryptocurrencies. However, this doesn’t mean bitcoin is perfectly immutable.

While the cost of a computational attack prices out all but the wealthiest entities in the world from ever considering it, the human layer of consensus must also be considered when evaluating a blockchain’s immutability.

Immutability and social consensus

The immutability of a blockchain is secured by more than just the resources required to mount an attack against its consensus algorithm. There is also a political and philosophical component.

For an example, see the recent DAO exploit that drove the ethereum community to perform a hard fork in order to prevent an attacker from absconding with a significant portion of all ether.

This would likely never be proposed by bitcoin developers due to their perspectives on immutability and fungibility, but Buterin’s view of consensus as a social mechanism means that ethereum will evolve from a different set of principles. As a result, more ethereum developers find it to be acceptable if the community wants to agree to change the state of the ledger for the common good.

Many people have claimed that forking ethereum at the protocol layer to counter an attack at the app layer is setting a terrible precedent that will forever damage ethereum’s promise of immutability.

I think this claim is flawed for several reasons:

  • Every blockchain is based on some form of social consensus. That is, humans must first decide what protocol to run before the machines can enforce it. As such, humans can always decide to change that protocol if there is meatspace consensus to do so.
  • A distributed consensus protocol can be forked for any reason – it could be in response to a problem at the protocol layer, in response to a problem a layer above or below the protocol, or in response to a problem completely external to the system.
  • The world of public distributed consensus is rooted in crypto anarchy – there is no institution that must abide by precedents. Every situation will be judged uniquely and quite possibly by completely different sets of humans depending upon who is participating in the system at the time. Past performance is not indicative of future results.
  • If you want to get pedantic, a blockchain fork is not a group of people who are stealing from others by force. Rather, it is what occurs when much of the user base decides that they do not find the current state of the blockchain to be in the best interest of the system, so they leave that blockchain voluntarily for one with a more desirable state.

Bitcoin itself has forked in response to flaws in the past:

  • A hard fork was implemented in Bitcoin 0.1.0 to change the “best chain” logic from using the longest chain to the chain with the most cumulative proof of work.
  • A soft fork (and 5-hour chain reorganization) was implemented on 15th August, 2010 when someone exploited a value overflow bug and created 184bn BTC.
  • A machine consensus failure caused an unintentional fork in March 2013 and social consensus was quickly employed in order to reorganize the blockchain back onto the original chain fork.
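The difference between the "longest chain" and "most cumulative proof of work" rules, mentioned in the first fork above and in the earlier discussion of how a new node picks the legitimate chain, can be shown in a few lines. This is an added example, not code from Bitcoin Core or from the original article; it models a chain as a list of compact difficulty ("nBits") values, assumes both forks are otherwise valid, and the chain names and block counts are constructed for illustration.

```python
def target_from_bits(bits: int) -> int:
    """Expand the compact 'nBits' header field into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if bits & 0x00800000 or mantissa == 0:
        raise ValueError("invalid compact target")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected number of hash attempts needed to find a block at this target."""
    return (1 << 256) // (target_from_bits(bits) + 1)


def chain_work(chain) -> int:
    """Cumulative proof of work: the sum of the expected work of every block."""
    return sum(block_work(bits) for bits in chain)


def best_chain(chains: dict, rule: str) -> str:
    """Pick a chain by 'length' (block count) or by 'work' (cumulative PoW)."""
    score = len if rule == "length" else chain_work
    return max(chains, key=lambda name: score(chains[name]))


# Constructed scenario (not real chain data): a short fork mined at 256x the
# minimum difficulty versus a long fork mined at the minimum difficulty.
CHAINS = {
    "honest": [0x1C00FFFF] * 10,
    "cheap_fork": [0x1D00FFFF] * 200,
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"{name}: {len(chain)} blocks, work={chain_work(chain):,}")
    print("longest-chain rule picks:", best_chain(CHAINS, "length"))
    print("cumulative-work rule picks:", best_chain(CHAINS, "work"))
```

Counting blocks rewards whoever produces the most headers, while summing expected hashes rewards whoever spent the most external resources, which is the property the cost function is meant to measure.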

Bitcoin, NXT, vericoin, and ethereum have all found themselves faced with the same dilemma of a massive theft and each community responded differently. Bitcoin, having experienced many major thefts, has never considered forking in order to reverse a theft.

While its exchange rate dropped after many of these incidents, it always recovered.

A list of major bitcoin thefts

Nearly 30% of all vericoins worth about $2m were stolen in the hack of the MintPal exchange in July 2014.

As a result, the Vericoin developers implemented a hard fork to move the stolen coins back to MintPal’s control.

The exchange rate did not perform very well afterward.

Vericoin / USD exchange rate

In October 2014, BTer was hacked and lost 50m NXT worth about $1.75m; 5% of the money supply.

The developers and community chose not to perform a hard fork. The exchange rate also did not perform very well afterward.

NXT / USD exchange rate

On 17th June, 2016, The DAO’s smart contract was exploited and nearly 4m ETH worth tens of millions of dollars were drained; in the following days the exchange rate was cut in half.

A hard fork was executed on 20th July to return funds to their original owners; the exchange rate subsequently rose by 15% in the next few days.

History shows that there is no clear answer to how emergency hard forks affect the faith (and value) that users have in a cryptocurrency.

I suspect that an emergency situation merely reveals the robustness of the human consensus behind a given blockchain. If the humans are a cohesive group, they can fork or not fork and remain in consensus. Otherwise, they may fork contentiously (note: the definition of “contentious” is debatable) and end up damaging the machine consensus.

Marc Andreessen once predicted that “the libertarians will turn on bitcoin”. He said this due to the initial misconceptions many people held about bitcoin’s privacy. I think Andreessen’s prediction may come true, but for a different reason.

Cypherpunks will continue to improve bitcoin’s privacy; this will keep libertarians interested. However, as bitcoin becomes more mainstream, the social consensus around what bitcoin should be may change.

If this occurs, we may not see the libertarians turn on bitcoin so much as bitcoin turn on the libertarians. It is for this reason that I believe it is incredibly important that we teach bitcoin users the history behind cryptocurrency in order to instill Cypherpunk values in them.

The Benefits of Immutability

While bitcoin is still mainly seen as digital currency, it’s essentially a timestamped log with special properties.

As such, it can be utilized for far more things than payments and store of value. I presented some of the alternative uses several years ago and the list continues to grow.

Brian Deery, chief scientist at Factom, wrote an excellent history of timestamping, in which he argues that a secure timestamped record wasn’t feasible before the existence of secure digital value.

Deery writes:

“There needed to be a way to entice people to brute force hash chains. A good way of doing that would be to give them money.”

While some purists may claim that bitcoin is only a currency and shouldn’t be used for non-currency purposes, the system itself is agnostic. From the protocol’s view, there is no such thing as a spam transaction as long as a competitive fee is attached by the user in order to “purchase” the limited block space for its confirmation.

The rise in timestamping service popularity can be seen on http://opreturn.org/

You can easily harness this timestamping functionality via user-friendly services such as Eternity Wall, Virtual Notary, Proof of Existence and BlockNotary.

Moving beyond the concept of simple timestamping of documents, more complex services are anchoring to bitcoin’s blockchain in order to benefit from its immutability. Anchoring essentially means that a service takes every piece of meaningful data in its system and computes a single hash that can be used to verify the system’s state, given all of the original data.

This hash is then stored in bitcoin’s blockchain at periodic intervals. The hash can be generated in any number of different ways, though one common method is to build a Merkle tree of all the data and then store the Merkle root as the anchor.

Building a Merkle Tree – the “Top Hash” is the Merkle Root

It’s worth noting that anchoring does not automatically make a service’s data as immutable as bitcoin’s data, but it does provide a strong guarantee that any tampering will be evident. A recommended best practice for these services is to provide easy-to-use tools for users to verify the anchors against the state of the system.
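A sketch of the kind of verification tool described above, as an added example that is not code from the article or from any of the services it names. It builds a Merkle root over a service's records, produces a per-record inclusion proof, and checks both against the anchored root; the leaf/node prefixes, the promotion of unpaired nodes and the sample records are choices made for this example.

```python
import hashlib

# Domain-separation prefixes (the RFC 6962 convention) keep a leaf from ever
# being mistaken for an interior node. Chosen for this example.
LEAF, NODE = b"\x00", b"\x01"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record: bytes) -> bytes:
    return sha256(LEAF + record)


def tree_levels(records):
    """Return every level of the tree: leaf hashes first, root level last."""
    if not records:
        raise ValueError("cannot anchor an empty record set")
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(sha256(NODE + level[i] + level[i + 1]))
            else:
                # An unpaired node is promoted as-is. Pairing it with a copy
                # of itself would give [a, b, c] and [a, b, c, c] one root.
                nxt.append(level[i])
        level = nxt
        levels.append(level)
    return levels


def merkle_root(records) -> bytes:
    return tree_levels(records)[-1][0]


def inclusion_proof(records, index):
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    if not 0 <= index < len(records):
        raise IndexError("no such record")
    proof = []
    for level in tree_levels(records)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(record: bytes, proof, anchored_root: bytes) -> bool:
    """Recompute the path to the root using only the record and its proof."""
    acc = leaf_hash(record)
    for side, sibling in proof:
        pair = sibling + acc if side == "L" else acc + sibling
        acc = sha256(NODE + pair)
    return acc == anchored_root


# Constructed sample state for a hypothetical service (not real data).
SAMPLE_RECORDS = [b"alice:key=01", b"bob:key=02", b"carol:key=03",
                  b"dave:key=04", b"erin:key=05"]

if __name__ == "__main__":
    anchor = merkle_root(SAMPLE_RECORDS)  # the 32 bytes a service would publish
    print("anchor:", anchor.hex())
    proof = inclusion_proof(SAMPLE_RECORDS, 2)
    print("carol included:", verify_inclusion(SAMPLE_RECORDS[2], proof, anchor))
    tampered = list(SAMPLE_RECORDS)
    tampered[1] = b"bob:key=99"
    print("tampered state matches anchor:", merkle_root(tampered) == anchor)
```

A user who holds only their own record and its proof can check it against the published anchor without seeing anyone else's data, and any later edit to a record changes the root and no longer matches what was anchored.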

Why is this so important? I think Paul Snow, CEO of Factom, stated it best:

“One of the things about immutable ledgers is they tend to be honest because it’s very hard to know today what lie I want to tell tomorrow. And if the lie has to be in the ledger and I don’t know what the lie is going to be until tomorrow then basically my ability to lie is dramatically reduced.”

Some of the services that are anchoring to bitcoin:

Keybase account – identity and key associations

Keybase is a great example of efficient use of bitcoin anchoring: it allows you to associate numerous identities around the web with your PGP key, which is then associated with your Keybase key. The service then builds a Merkle tree of all the Keybase keys and stores the root in the bitcoin blockchain every six hours. You can see the transactions here.

Blockstack (formerly Onename) originally used namecoin’s blockchain as an anchor, but switched to bitcoin because they decided that no other blockchain even comes close to bitcoin in terms of security.

Sidechains also anchor to bitcoin to facilitate completely new blockchains that have their value cryptographically linked to bitcoin.

You can even theoretically create sidechains of sidechains, essentially building a “tree” of cryptocurrency pegs.


Rootstock is going to anchor to bitcoin as a sidechain via a hybrid two-way peg in order to bring smart contracts to Bitcoin. Liquid is a bitcoin sidechain that enables faster, private settlement between bitcoin exchanges.

John Light summed up the aforementioned projects in a very ‘bitcoin maximalist’ tweet:

It makes more sense for many institutions to build their own blockchains rather than leaving low-level development in the hands of the bitcoin developers. The immutability of the settlement layer of bitcoin has value for these institutions, but they may find little value in bitcoin’s other properties. Thanks to anchoring, they can have both!

First the hype was around bitcoin, now it’s around blockchain technology, but eventually the distinction between public and private chains will blur. Private chains that wish to improve their reputation will cross-Merkelize neighboring chains, indirectly creating an absolute order of global state transitions.

Immutability is as immutability does

The strength of a distributed consensus system is dependent upon its anchors.

The primary anchor must be the consensus algorithm that is going to handle the bulk of the work to hold the system together. An algorithm based on PoW is preferable because it anchors the blockchain to the external world via consumption of external resources. The secondary anchor for a distributed consensus system is its community and governance structure. This serves as a foundation for the system to fall back onto if the machine consensus fails (or is about to fail, or needs to be upgraded) for any reason.

Immutability is impossible to measure precisely.

When we describe a blockchain as “immutable”, we are broadly claiming that there is a guarantee that the contents will never be changed.

However, from a machine consensus standpoint this is a probabilistic guarantee that can never reach 100%. From a social standpoint, we can only gauge a blockchain’s immutability by its history and make an educated guess about its future based upon the values held by its community.

With a strongly anchored blockchain to use as a foundation, an ecosystem of many chains can develop.

As such, bitcoin can be the “one chain to rule them all” while simultaneously fostering a diverse array of blockchains. If you need a strong proof of your service’s data integrity, don’t choose second best – anchor to the most trustworthy chain.