More musings on Bitcoin….

Recently a journalist writing about Bitcoin contacted me.  I spent a fair amount of time composing a complete response, and I thought it was rather good writing, so I thought I’d share it with my few Blog readers (I know you guys are out there somewhere….)

> I’ve
> been reading Satoshi Nakamoto’s original paper and noticed that you
> appear to have been one of the first people to offer a response – and
> your response does seem to describe some of what’s happened with Btc.

Honestly, I didn’t understand it completely at the time, and now I see my initial response as pretty badly uninformed.  I was blinded by preconceptions about what the paper was actually saying, and interpreted it as being “incomplete” because it didn’t explain how the things I _assumed_ had to be part of it were done. So I was trying to fill in details about things that, in reality, simply weren’t part of the system.

One thing that’s true of Bitcoin is that the first six times you think you understand it, you don’t.

I had read the paper in a cursory way; it wasn’t by any means the first attempt at creating digital cash, and bluntly speaking all the previous attempts had failed badly.  To put it mildly, when a completely unknown person with no reputation as a cryptographer claims to have created something that has stumped the best professional cryptographers in the world for years, expectations are low.  Cryptographers had been seeing such claims made by random people (and debunking them) for years.

Hal Finney, as I recall, was the first real pro who fully examined Nakamoto’s paper and proved that it was sound. I didn’t read it closely until Hal pronounced an opinion that it was worthwhile to read.

All cryptocurrency schemes up to that point relied on a central authority for security. Such authorities are often trusted, which is a very bad thing.  It means they can be compromised, or attacked, or fail in their duties in a way that causes the users to lose.  The best minds in the world had been working on this for more than a decade. We’d come up with ways to reduce trust. We’d built ways to check that the central authority wasn’t engaging in malfeasance, we’d come up with schemes that diminished the role of the central authority or closed opportunities for the central authority to steal – but nobody had eliminated the need for a central authority.

I’d even had a go at it myself; my term paper in a graduate networking class in University outlined a digital-cash protocol in which forgery-resistant notes could pass from hand to hand away from the central authority, and the identities of the hands would remain unknown to each other, or the central authority, unless one of them attempted to cheat.  The identity of the cheater would be revealed by any attempt to double spend but was otherwise cryptographically secure.  And the actions of the central authority could be checked by the users. It was a refinement of Chaum’s scheme, because Chaum’s scheme didn’t allow the notes to pass from hand to hand, nor provide for anonymity to the sellers as well as the buyers. Chaum’s e-cash could only go back to the bank after spending once, and then must be redeemed by an authenticated identity.

But my scheme still had a fatal flaw; it required a central authority to issue the identities themselves.  That crucial “is an account holder who can be held accountable for cheating” credential had been a necessary part of every cryptocurrency scheme up to Nakamoto’s.  And by nature, such a credential could only be issued by a central authority.

And that “universal” feature of cryptocurrency systems made me very confused after that first reading of Nakamoto’s paper.  I was looking for something that wasn’t there: the idea that a cheater would get caught and identified.

Nakamoto’s big invention was a way of reaching a “consensus” view of history; a double spend transaction simply couldn’t happen because the two transactions could only appear in mutually exclusive versions of history, and as soon as one of those versions of history became accepted by more participants than the other, then the other version simply didn’t exist anymore.

His protocol is designed to ensure that one version of history quickly becomes accepted as “THE” real history, so anyone who attempts a transaction that is not consistent with that history (like spending the same coins more than once) finds that only one of these transactions actually becomes part of the “real” history.  Within minutes, the other transactions are simply discarded as inconsistent, because the respective versions of history that include them simply failed to ‘win’ the race to being accepted by the community.

With a consensus history that could detect (or more accurately ignore) fraud without requiring (prosecutable) identities, Bitcoin was the first cryptocurrency that could provide security without requiring a central authority – or, for that matter, requiring any means of linking legal identities with transactions.

And that was a massive advance over everything that had been done up to that point.  Bitcoin required obscene compute resources for proof-of-work that the rest of us had never imagined (except for Adam Back, who came up with HashCash) as being feasible.  But it provided a way to solve the problem that up to that time had been the bête noire of all cryptocurrency systems.  On one level, he was “just” putting together Adam Back’s hashcash work and Schneier’s proof chains and timestamps, but he put them together in a way no one else had considered.

> This being the case, I wondered how you viewed the rise of 
> the crypto-currency since that time?

It has been an interesting trip.  Since Bitcoin has come out, further protocol improvements have been considered and published.  In particular I’m interested in Proof-of-stake as opposed to Proof-of-work — a way of eliminating (or anyway, reducing to the level of a “normal” application) the enormous compute resources that characterize Bitcoin.  Finney at first declared that it couldn’t work, because someone could use proof-of-stake to simultaneously contribute support to multiple incompatible versions of history.  And that was true of proof-of-stake as proposed in the earliest papers.  But then the GHOST protocol was invented, and provided a way to subvert any effort to take advantage of that.  GHOST was first proposed as a way of counteracting the contributions of proof-of-work dedicated to incompatible versions of history, thus more effectively sorting out conflicting claims and ensuring convergence.  But I see its major contribution as subverting attempts to use proof-of-stake to support more than one version of history, because that is another (and IMO more important) application of it.

Another interesting improvement on the protocol has been the development of ‘Zerocoin’, a method of cryptographically rendering it impossible to trace transactions through the shared history and link the receipt of funds with their later spending (such linkability being a standing feature of Bitcoin).  In the presence of data mining, Bitcoin doesn’t actually provide much in the way of financial privacy without some fairly difficult efforts by the participants.

Zerocoin drastically improves financial privacy, but there are two problems. First, it makes the data requirements per transaction enormous.  Possible, possibly even successful, in the same way that Nakamoto’s proof-of-work requirements were possible and proved successful.  But it would put a strain on the storage capabilities and bandwidth constraints of the participants.  Second, much more important as a question is, do we *REALLY* want absolute protection for financial privacy?
Of course the libertarian-inclined community screams “YES, WE DO!” because we have seen every instance of less-than-absolute protection subverted by various abusers, including criminals, foreign powers, a domestic intelligence agency of which we Americans are collectively ashamed, and business interests who want to spy on people so they can target advertising more precisely.  The people who have been truly paying attention to matters of privacy and trust have felt increasingly invaded, abused and offended, and no longer trust those who are supposed to protect our interests.

On the other hand….  Go read Jim Bell’s paper and then ask yourself if we really want to live in the world he advocates.  Virtually all public figures would have the life expectancy of gerbils.  And the Zerocoin protocol makes that world possible.
It also brings up more prosaic concerns that our governments are capable of understanding in terms of current paradigms, such as hiding criminal financial activity, tax evasion, organized crime’s need for money laundering, and a host of other problems — all of them relatively petty compared to Bell’s nightmare vision, but possible for governments to comprehend at present.  Nobody in government who has read and fully understood the implications of Bell’s paper is being taken seriously yet, because nothing so simple, so pervasive and so brutal is as yet within their experience.

So it really comes down to a question of trust.  If the people do not trust that the information will be protected and not abused, then they have the means available to destroy the ability of others to trust that such information is available, even under lawfully issued search warrant, or that financial activities of any kind are not criminal.  And in so doing, although they don’t yet realize it, they would also be destroying their own ability to trust that any public figure might not be murdered tomorrow, or more centrally that their own nation and institutions could continue to function.
And that is a crucial question.  In light of the Snowden papers, trust in all authorities and all companies to treat private information as private, or even trust that honest manufacturers will be allowed to make hardware that can be trusted to do what it is supposed to in terms of security, has been destroyed on a scale never previously imagined.  With Zerocoin and Bell’s paper in the background, the implications at this tipping point are disturbing.

Nations and Governments have been an interesting and useful stage of civilization’s development.  I wonder what will replace them, and I fear that it will not be even as benign as they have been.  But, as bleak as the above appears, it might also be better.

Humanity lives in a way that is trending toward less violence and death and torture as the centuries wear on.  The ancient and horrific crimes still exist, of course; theft, murder, rape, enslavement, and torture are still perpetrated by the application of subterfuge and brute force.  But in this age, virtually all other crimes – the new crimes that are most corrosive to our new civilization – are crimes of information.

What did Jim Leeson do when he brought down Barings Bank and precipitated a massive European financial crisis?  He falsified information.  What did Bernard Madoff do when he destroyed the retirement funds of millions of Americans at the height of one of the worst financial crises in history?  He falsified information.  What, in fact, were hundreds or thousands of mortgage bankers across the USA *and* the world doing when they brought about that same horrible financial crisis, the depths of which our respective nations have not yet escaped?  They were falsifying information.  What constitutes virtually all theft of money in this era, save the petty thuggery of the same class of hapless, stupid thieves that have been with us from time immemorial?  The falsification of information.  What allows wrongdoers of virtually all walks of life to evade justice? The falsification of information.

And what does this have to do with the Bitcoin protocol?  Remember, Nakamoto’s big invention was a way to quickly reach a consensus history consistent with all recorded information.  When someone attempts to falsify information about a Bitcoin transaction, the falsification is simply rejected as being inconsistent with accepted history.  If that alternate view of history lasts long enough that others make transactions based on it, then those transactions made by others are erased from the consensus history along with the falsification that precipitated them.  Nakamoto has developed a little restricted universe of financial transactions, in which falsification as such no longer matters.  In fact, save for a few minutes at a time, it is no longer possible.  And that is, at the very least, an interesting counterpoint to our civilization which is so very vulnerable to falsification.
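The mechanism described in the two passages above (the earlier one on double spends living in mutually exclusive versions of history, and this one on dependent transactions being erased along with the falsification) can be modelled in a few dozen lines. This is an added toy model, not the post’s code or Bitcoin’s: coins are just string ids, a transaction consumes coin ids and creates new ones, and “most work” is approximated by chain length.

```python
import hashlib
import json

# Constructed toy model of Nakamoto consensus (added example, not from the post).
# A "coin" is a string id; a tx is (txid, spent_coin_ids, created_coin_ids).

def block_hash(parent, txs):
    return hashlib.sha256(json.dumps([parent, txs]).encode()).hexdigest()[:12]

def make_block(parent, txs):
    return {"hash": block_hash(parent, txs), "parent": parent, "txs": txs}

def chain_to(blocks, tip):
    """Walk parent pointers from tip back to genesis; return blocks oldest-first."""
    chain = []
    while tip is not None:
        chain.append(blocks[tip])
        tip = blocks[tip]["parent"]
    return list(reversed(chain))

def valid_history(chain):
    """Replay a chain; spending a coin that is not unspent is inconsistent."""
    unspent = set()
    for blk in chain:
        for _txid, spent, created in blk["txs"]:
            if any(coin not in unspent for coin in spent):
                return False
            unspent -= set(spent)
            unspent |= set(created)
    return True

def consensus_history(blocks):
    """Longest valid chain wins; return the txids it contains, in order."""
    best = []
    for tip in blocks:
        chain = chain_to(blocks, tip)
        if len(chain) > len(best) and valid_history(chain):
            best = chain
    return [tx[0] for blk in best for tx in blk["txs"]]

def double_spend_scenario():
    genesis = make_block(None, [("issue", [], ["c0"])])
    pay_bob = ("A", ["c0"], ["c1"])      # two mutually exclusive spends of c0
    pay_carol = ("B", ["c0"], ["c2"])
    b1a = make_block(genesis["hash"], [pay_bob])
    b1b = make_block(genesis["hash"], [pay_carol])
    # Bob, seeing his payment on the A-fork, spends c1 onward there.
    b2a = make_block(b1a["hash"], [("C", ["c1"], ["c3"])])
    # The B-fork keeps growing and overtakes the A-fork.
    b2b = make_block(b1b["hash"], [])
    b3b = make_block(b2b["hash"], [])
    blocks = {b["hash"]: b for b in (genesis, b1a, b1b, b2a, b2b, b3b)}
    # A block carrying both spends, or Bob's C replayed on the winner, is invalid.
    both = make_block(genesis["hash"], [pay_bob, pay_carol])
    c_on_winner = make_block(b3b["hash"], [("C", ["c1"], ["c3"])])
    extra = {**blocks, both["hash"]: both, c_on_winner["hash"]: c_on_winner}
    return {"history": consensus_history(blocks),
            "both_spends_valid": valid_history(chain_to(extra, both["hash"])),
            "c_on_winner_valid": valid_history(chain_to(extra, c_on_winner["hash"]))}
```

Once the B-fork is longer, neither A nor Bob’s dependent C appears in the consensus history, and C cannot be re-attached to the winning chain because the coin it spends never existed there.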

So what if a Jim Leeson or a Bernard Madoff had been forced to work within such a system?  What if their claims about the rates of return they were making could have been instantly and automatically checked by every investor in the same way that every claim about Bitcoin transactions is instantly and automatically checked?  What if, for that matter, the labyrinthine financial documents filed by fiscally malfeasant entities like Enron in the few years before it collapsed had been in the form of a provable record of transactions?

In short, accountants and financial auditors could, with sufficient extensions to the Nakamoto protocol, be made redundant.  And furthermore, the rest of us would live with the benefits of having those jobs done perfectly, instantly, and automatically.  That is, at the very least, an interesting and desirable possibility.

The financial information of ordinary citizens could be protected by cryptographic keys, while the financial information of any entity making transactions on a sufficiently large scale would be revealed.  We already know how to do that; it’s a secret-sharing scheme, in which the small transactions don’t reveal sufficient shares to recover the secret but the large ones do.
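The threshold idea in that paragraph, as an added example (not the post’s own scheme): Shamir secret sharing over a prime field, where each transaction releases as many shares as it has units of value. The assumptions are mine: a fresh random polynomial per transaction (so shares from separate small transactions do not combine), a threshold of 5 units, a Mersenne prime as the field, and a constructed integer standing in for an account’s disclosure key.

```python
import random

PRIME = 2**61 - 1  # constructed choice of field; any prime larger than the secret works

def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):          # Horner's rule, coeffs[0] is the constant term
        acc = (acc * x + c) % PRIME
    return acc

def make_shares(secret, threshold, n_shares, rng=random):
    """Shamir: random degree-(threshold-1) polynomial whose constant term is the secret."""
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]

def recover(shares):
    """Lagrange interpolation at x=0; correct only with >= threshold distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def disclose(secret, threshold, amount, rng):
    """One transaction of `amount` units publishes `amount` shares of a fresh sharing."""
    return make_shares(secret, threshold, amount, rng)

def audit_demo():
    rng = random.Random(7)          # seeded so the demo is repeatable
    secret = 123456789               # constructed stand-in for an account's disclosure key
    threshold = 5                    # "large" means 5 or more units in one transaction
    small = disclose(secret, threshold, 3, rng)   # 3 shares: below threshold
    large = disclose(secret, threshold, 6, rng)   # 6 shares: above threshold
    return {
        "small_recovers": recover(small) == secret,      # interpolating 3 points of a
        "large_recovers": recover(large) == secret,      # degree-4 polynomial gives junk
        "any_five_recover": recover(large[1:]) == secret,
    }
```

Fewer than `threshold` shares of any one polynomial leave every possible secret equally consistent with what was published, which is exactly the property the paragraph asks for.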

Bitcoin is something like “programmable money.”  The people participating are committed to a set of rules about what kind of transactions are and are not allowed to become a part of their recorded history, and the protocol enforces those rules.  Bitcoin users assert things about the way the cryptocurrency works, and the code they run refuses to permit transactions that fail to meet those rules to exist in their view of the shared history.  This hasn’t been paid much attention because the rules they are enforcing are essentially those of “money”, which is a familiar enough concept to most of us that it escapes our notice.

But the rules of a consensus-history system could, in principle, be as minimal or as complete as we are able to express in a programming language.  It is possible, therefore, to extend the idea of a universally consistent history in which attempts to misrepresent simply fail, much further than simply recording monetary transactions.

Can you imagine a society in which most forms of falsification simply and immediately fail?  From the rantings of fringe politicians about how this or that class of immigrants is part of some conspiracy, to the propaganda of totalitarian systems explaining the reasons why a war is necessary, to the pronouncements of people like Emperor Bokassa I or Robert Mugabe, who despite being insane spent many years in power?  And yes, even the pronouncements of a Jim Leeson or a Bernard Madoff, all the way down to the guy at the pub who claims to be a millionaire in order to get dates with pretty but shallow women.  Such people could be simply asked for a cryptographic key that would prove their claim.  And there’d be no plausible reason for them not to give it out, because it needn’t reveal anything else.

We can’t build that yet.  But with Nakamoto’s protocol, we are starting to see how such a thing could be built.  And that calls into question the role of the state and government itself. We will always need some local agency empowered to prevent and prosecute the crimes of common thugs.  But all of the crimes of information, the detection and prevention of which account for most of the activities of modern government, could in principle be made to simply fail, requiring no detection or enforcement whatsoever.

When I said in the first part of this article that nations and governments have been useful but I wondered what would replace them, I did not consider chaos and anarchy as the only possible answers. They are always possible answers, but rarely the only ones.  There is also the possibility of a world mostly at peace in a largely post-national era, requiring no “government” on a scale larger than individual towns.

The rules that people choose as part of their ‘consensus history’ protocol are up to the people.  It is possible that there will be no agreement on many points.  But whatever else happens, if they develop this idea of consensus history, then it will become impossible to deceive them about which rules are being enforced, or to count on a general failure to notice an inconsistent or changed account of history.  It would become impossible to develop most conspiracy theories or untrue propaganda in a way that wasn’t obviously false.  Crimes motivated by mistaken beliefs about the past wouldn’t entirely stop, humans being what they are, but they could at least be restricted to those so irrational as to never even try to fact check.  That is at least the possibility of significant progress in the human condition.

It all comes down to whether the will of people to create works more swiftly or more slowly than the will of people to destroy.  And that, as I see it, has been one of the fundamentals underlying all human progress (and, unfortunately, occasional regress) from time immemorial.