There is a series of posts forming in my head. I have no unifying theme nor particular audience in mind, so they will be even more rambling and incoherent than usual. Also I plan to have a drink or two before each just to complete the effect. You have been warned.
Let’s play a little game. You and I will be on the same team for a change. This is our asset:

It has 16-64 GB of storage, consumes 0.5 watts, and occupies 11.25 square inches.
On the bright side, we do have two of them. One each.
This is our adversary:

It has 3-12 exabytes of storage, consumes 65 megawatts, and occupies 100000 square feet. Also, it is operated by people smarter than you, smarter than me, and smarter than anybody either one of us has ever heard of.
The game is this. You and I will try to have a conversation over a great distance that is unintelligible to this adversary.
Now, perhaps it is just me — I still get excited by powered flight — but I find it awe inspiring that it might actually be possible for us to win. Not easily and not with certainty, but still.
That is what this series will be about. More or less.
…
Our story begins around 400 B.C. on the Greek island of Delos. Its citizens were suffering from internal strife threatening to tear the society apart. Or something. The island’s leaders consulted the Oracle at Delphi, who explained that Apollo was angry, and to appease him, the citizens had to construct a new altar double the size of their existing one.
Now, the ancient Greeks had far more rigorous minds than your typical modern engineer. To them, “construct” meant something very particular: Create something perfect using idealized versions of various masonry/carpentry tools. Extra credit for using only straightedge and compass.
(If you have never seen this game before, here are the rules. Given two points, you may use the straightedge to connect the points with a perfect line and extend it as far as you like. You may also set the compass to the distance between any two points, then draw a perfect circle with that radius centered on any other point. By starting with a few provided points and applying the straightedge and compass repeatedly, you generate new points at the intersections of all the lines and circles. That’s it. The ancient Greeks loved this stuff.)
Now, the altar to Apollo was a perfect cube. So the Delians started with a line segment AB having the same length as a side of the cube. Then they used a compass to draw a circle through A centered at B. Then they used the straightedge to extend AB to intersect the circle at C:

Since AC is twice AB, the Delians simply used that as the side of a new cubical altar.
But their problems only got worse. Eventually, they went back and asked the Oracle what was wrong. The Oracle explained that they had angered Apollo further by not following instructions, since they had created an altar not two times but eight times the original’s volume. Apparently, gods can be picky.
The Greeks eventually solved this problem by adding various interesting contraptions to their idealized toolkit. But the extra credit problem remained: Given a segment of length 1, can you construct one of length \(\sqrt[3]{2}\) using only straightedge and compass?
This problem stumped geometers and would-be geometers for several years. Two thousand, actually. That is how long humanity needed to develop the mathematical tools to solve this Delian problem, as it came to be known. What that solution was and how it relates to anything will be the topic for…
Next time: Gauss, Galois, et al.
(I did try to warn you.)
I have lost my co-blogger.
Over the next few days, I will be removing her posts from this blog. I have already removed her contact information from the sidebar.
Q: “Why?”
A: Because she asked me to.
Q: “Why did she do that?”
A: I will not answer. I am not going to release any of our private correspondence, and I am certainly not going to put words in her mouth. So, seriously, don’t ask.
For my part, I am sorry to see her go. I have the deepest respect and appreciation for her on both a personal and a… whatever-co-blogging-is-al… level. She single-handedly increased my readership by a factor of #DIV/0!. Speaking of which, you should all unsubscribe now.
I honestly believe her decision was dictated by her conscience and her reason, just as my actions are dictated by mine.
I would welcome her back any time.
I will leave her posts up for a few days so readers can save copies of their favorites. Her self-evident.org Email address will continue to work until she asks me to shut it down.
Time to pay attention. (related video)
Quick background on my perspective: Stories about Snowden himself are boring. Stories about his girlfriend, stories about his politics, and even speculations about his being an agent of Russian intelligence… Boring.
More interesting are the revelations themselves, painting an NSA whose general goal appears to be the interception and permanent storage of all human communication. Everywhere.
But how are they doing it? By obtaining covert access to Google’s servers? By convincing Microsoft to change Skype’s protocol from peer-to-peer to peer-to-Microsoft? By forcing Web site operators to hand over their SSL keys?
How pedestrian. I mean, this is the agency created as a direct response to the Allied experience during World War II, where without the code breakers, we might have lost. This is the quasi-military organization absorbing billions of dollars per year while remaining “non-existent” for decades.
Speculating about NSA’s capabilities, especially cryptological capabilities, has been a hobby horse of mine for a long time. But none of the Snowden revelations shed any light whatsoever. Fair enough, I figured. Maybe NSA reserves the serious codebreaking for more important things than reading my Email. Maybe the good stuff was above his pay grade.
…or then again, maybe not.
N.S.A. Able to Foil Basic Safeguards of Privacy on Web
This is a jaw-dropping article. I am mildly paranoid, but things even I would have called dumb conspiracy theories are being reported as fact in the New York Times. (Ideas like NSA blackmailing Congress are still dumb, but even that I have been forced to upgrade from “laughable” to “very unlikely”.)
Let’s start with DNI Clapper’s response:
The fact that NSA’s mission includes deciphering enciphered communications is not a secret, and is not news
Compare that to the three essential claims in the NYT article:
- NSA has practical attacks against SSL/TLS.
- NSA has convinced / paid / forced U.S. manufacturers to insert deliberate vulnerabilities into both hardware and software security products.
- NSA has infiltrated and undermined Internet standardization bodies, encouraging widespread adoption of vulnerable algorithms and protocols.
With due respect to Gen. Clapper, all of this is most definitely news.
I have a lot more to say, including my own wild-eyed speculations about (1). But I think I will make this multiple posts.
I will mention that (3) has touched off a bit of a firestorm among academic and professional cryptographers. If NIST cannot be trusted, we have a problem… And NIST can no longer be trusted.
Story of the week, if not the year.
P.S. The NYT graphic and (redacted) raw documents deserve close scrutiny.
It has been a volatile month for the world’s most popular experimental currency:

As you can see(1), the U.S. dollar — measured in milli-bitcoins — has been highly unstable. In Felix Salmon’s words:
[The dollar] is clearly not an effective store of wealth — just look at how quickly that wealth can be evaporated. Neither is it a useful payments mechanism, given how fast its value can fluctuate.
I might be paraphrasing slightly.
Ryan Avent makes the same point more verbosely (and politely).
More recently, Izabella Kaminska accuses me of accusing her of… You know what? Never mind. For the 0 of you who care, listen to the audio, read the comments, and judge for yourself. I will make two quick points:
- With the possible exception of “shock jocks”, no journalist publicly expresses opinions significantly divergent from those of her sources or those of her organization, ever. This is not a conspiracy theory; it is common sense.
- Anyone who accuses me of “the skin in the game fallacy” is a moron.
Ahh, that feels better.
[Update, following evening]
In my apparently excessive free time, I had a little back-and-forth with Izabella today. Note that I made this post last night, well before today’s exchange, but if you read them in the opposite order it looks even more like I am attacking her in particular.
For what it is worth, that was not my intention. It’s just that all of the Bitcoin bashing from the FT seems to have her name attached to it.
To rephrase my earlier assertion: Journalists have no more license to express their true opinions in public than I do to express mine to my employer. The eagerness of mainstream financial journalism to run Bitcoin bashing articles — no matter how idiotic — does say something about the financial sector’s reaction to Bitcoin, in my view. I consider this obvious.
But I do regret making it personal.
My next post will be purely technical.
(1) I know, my gnuplot-fu is weak. But it serves the purpose.
(Warning: This time it was a couple of beers.)
If you are a post-doc in Economics, here is an idea for a paper: The economics of Bitcoin mining.
You can open with a little summary of the Bitcoin network, SHA-256 hashing, etc., just to show you did your homework.
Here is the deal. There is a bit of an arms race for mining Bitcoins. (As with any good gold rush, those most likely to profit are selling shovels. But I digress.) For a nice background, read this Business Insider article. Apart from the awful analogy of searching for primes and the author’s plagiarism of my tulip bulb example, it is a pretty good piece.
But briefly…
In the beginning, you could mine Bitcoins profitably on any workstation running simple software. You might find a new block in a few hours or days. Then software appeared that used multiple cores, vector instructions, etc., so the Bitcoin system adapted by increasing the difficulty. Then you had to have that new software, too, or it would take you months or years to find a block. And the cost of electricity alone makes that uneconomical.
Then implementations on graphics processing units (GPUs) appeared, and you had to get one of those to mine profitably. Then FPGA implementations supplanted GPUs. In the past month or two, custom ASICs have come on-line, and they are starting to supplant the FPGAs.
As a reminder, all of this hardware is devoted to one thing: Computing meaningless SHA-256 hashes over and over. Burn, baby, burn.
So, Dr. Econ, here is what I suggest. Build a mathematical model of this phenomenon and solve for the equilibrium state. That is what you people do, isn’t it?
Here is why it is interesting. A key assumption in Bitcoin’s design is that no one entity will control more than 50% of the computational power devoted to mining. But if it is cheaper for me to mine than for you, it seems to me my logical course of action is to scale up my mining operation until it is just barely profitable for me… Thus making it unprofitable for you. The stable state might be one entity controlling not 50% of the mining power, but 100% of the mining power. Lowest-cost Bitcoin producer wins? Show that any system like Bitcoin does (or does not) reach such an equilibrium state.
For extra credit, include some stochastic model for the price of electricity in Bitcoins, the probability that a SHA-256 break is discovered, and so forth.
Maybe somebody has already written such a paper. If so let me know so I can read it.
P.S. $2 billion.
[Addendum]
Groda asks how this differs from gold mining. Great question. Upon reflection, though, I think it is very different.
With gold mining, the low cost producer certainly can undercut the competition… for a while. But increasing your own mining production eventually depletes your mine, making everyone else’s mining job relatively easier.
With Bitcoin, increasing your own mining production raises the global difficulty level and your own share of the global computing power, thus making everybody else’s mining job relatively harder. This is the exact opposite dynamic from physical mining.
Has this dynamic ever existed before? I do not know. If so, then it probably applies to Bitcoin mining and might be worth a short paper. If not, then it might be worth a whole series of papers.
[Addendum addendum]
And it is not exactly like making widgets, either. When you increase your production of widgets, you also increase the global rate of supply. With Bitcoin, the global rate of supply is fixed by design; increasing your own production just increases your share of it.
This is a continuation of the previous installment on “proof of work”.
Obviously, Bitcoin “miners” do not actually know everything. What they do know is the same thing every Bitcoin client knows: what they hear from the Bitcoin network. Such peer-to-peer (P2P) networks are nothing new; if you ever used Napster or BitTorrent, you have the basic idea. If not, go read the Wikipedia article.
Definition: A running copy of the Bitcoin software is called a Bitcoin client.
To use Bitcoin, you must access a system that is part of the Bitcoin network. Any system, including the one on your desk, may join the Bitcoin network simply by running a Bitcoin client, whose initial action is always to locate and connect to a few neighbors (aka. peers) in the network. A system running a Bitcoin client is called a Bitcoin node.
The Bitcoin network’s function is to relay two types of messages: Transactions and blocks.
A transaction is a digitally signed instruction to transfer money between addresses, as described earlier.
A block is:
- A set of transactions
- A timestamp
- The 256-bit hash of the preceding block
- A nonce sufficient to make the hash of the block not exceed the current target
By including the 256-bit hash of some other block, each block asserts its position in the block chain.
The Bitcoin network relays every valid transaction and every valid block to every node. When presented with a transaction or a block, a node will validate it before relaying it to the node’s neighbors. This prevents the network from being choked with garbage data. To validate a block, a node checks (among other things) that the block’s hash does not exceed the current target, that the timestamp inside the block is not too far in the future or the past, and that all transactions inside the block are valid. To validate a transaction, a node checks (among other things) that the signature is valid and that the input(s) to the transaction have not already been consumed by some earlier transaction.
To perform these validations, every node must maintain a complete copy of all transactions and all blocks, all the way back to Block #0 (the “genesis block”). This is a slight exaggeration, but not much… And yes, it does make Bitcoin’s scalability a serious concern. More about this in a later installment.
Bitcoin “miners” are clients that attempt to create new valid blocks. They do this by putting some transactions in a candidate block, picking a nonce, computing the hash of the resulting block, and repeating with different nonces until they find a block whose hash does not exceed the current target. Then they broadcast that block to the network, thus appending it to the block chain that every client sees.
Miners have a financial incentive: They can embed one coinbase transaction in each block they mine. A coinbase transaction has no input address and has an output address of the miner’s choice. The coinbase transaction includes new bitcoins (hence the term “mining”) and also any transaction fees associated with the transactions in the block. This incentive structure is an important feature of Bitcoin, and I hope to say more about it later.
The current target for the block chain is defined by a calculation, so any two clients looking at the block chain will calculate the same target. This calculation aims to adjust the target such that one block will be mined every ten minutes, no matter how much total computing power is devoted to mining. The target changes every 2016 blocks based on the timestamps within those blocks. Why 2016? Because the Bitcoin designer(s) decided two weeks was a good interval, and at 10 minutes per block, 2016 blocks will be mined every two weeks:
$$\frac{60\frac{\mathrm{min}}{\mathrm{hr}}*24\frac{\mathrm{hr}}{\mathrm{day}}*7\frac{\mathrm{day}}{\mathrm{week}}}{10\frac{\mathrm{min}}{\mathrm{block}}}
=\frac{2016}{2}\frac{\mathrm{block}}{\mathrm{week}}$$
(I admit it; I love MathJax. If the above looks like nonsense, you probably just need to click through to the post.)
When 2016 blocks take more than two weeks to mine, the target goes up to make mining easier; when they take less than two weeks, the target goes down to make mining harder. In symbols, if \(T_{prior}\) is the previous target and \(t_{prior}\) is the time it took to mine 2016 blocks using that target, then the updated target \(T_{current}\) is just:
$$T_{current}=T_{prior}*\frac{t_{prior}}{2\:\mathrm{weeks}}$$
(Aside: I am not well-versed in control theory, but this looks like an extraordinarily simple feedback loop for the internals of a major world currency. Did I mention that Bitcoin is still a bit of an experiment? Then again, what currency isn’t these days…)
(Aside #2: This actually is the formula used in the Bitcoin source code, with two guard rails the formula above omits: the ratio \(t_{prior}/2\:\mathrm{weeks}\) is clamped to the range 1/4 to 4, so no single adjustment can move the target by more than a factor of four, and the result is capped at the maximum target permitted by the proof-of-work limit. But did you notice that, strictly speaking, there should be a “+1” and a “-1” in there somewhere? Because, for example, there are 11 numbers from 0 to 10. Fortunately, these values are on a scale where it does not matter. Still, this surprised me a bit, since most of the code is mathematically precise.)
The target is typically a huge number in excess of \(2^{200}\). Also it goes down as the total hashing power of the miners goes up. Consequently, interested humans usually think in terms of the difficulty instead. Definition: The Bitcoin difficulty is the average number of nonces you have to try to find a valid block — aka. the work — divided by \(2^{32}\) (roughly 4 billion). Mathematically:
$$D=\frac{work}{2^{32}}=\frac{2^{256}}{(T_{current}+1)*2^{32}}$$
Note that \(D\) is just a number for human consumption. It scales in direct proportion to the computational effort required for mining, so twice the difficulty means twice the effort. (The difficulty figures that block explorers report are normalized by the “difficulty 1” target \(\mathtt{0xFFFF}\cdot2^{208}\) rather than by \(2^{224}\); the two conventions differ by about 0.0015%, which does not matter for anything here.)
If we know the current difficulty \(D\), we can estimate how fast all miners are hashing in aggregate. On average, it takes \(D*2^{32}\) hashes to find a nonce that works, and the target is selected to make that take 10 minutes, so:
$$\frac{\mathrm{hashes}}{\mathrm{second}}\approx\frac{D*2^{32}}{600}$$
You should find the “difficulty” and “hash rate” of the network, as reported by various Bitcoin sites, obey this formula.
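The following Python is an added example, not code from the original post or from Bitcoin itself: it puts the target, work, difficulty and hash-rate arithmetic above into runnable form. The constants are Bitcoin’s (2016 blocks, 600 seconds, the \(2^{224}-1\) proof-of-work limit and the “difficulty 1” target); the function names are my own. It also includes two guard rails the two-week formula leaves out, the factor-of-four clamp on the timespan ratio and the cap at the proof-of-work limit, and notes but does not reproduce the off-by-one in how the real code measures the timespan.

```python
import math

# Added example, not the Bitcoin source. Constants are Bitcoin's.
BLOCK_INTERVAL = 600                                   # seconds; one block per ten minutes
RETARGET_BLOCKS = 2016
TARGET_TIMESPAN = RETARGET_BLOCKS * BLOCK_INTERVAL     # two weeks, in seconds
POW_LIMIT = (1 << 224) - 1                             # largest target the network allows
DIFF1_TARGET = 0xFFFF << 208                           # "difficulty 1" target used by explorers


def work(target: int) -> int:
    """Average number of hashes needed to land at or below target: 2^256 / (T+1)."""
    return (1 << 256) // (target + 1)


def difficulty(target: int) -> float:
    """The text's definition: work divided by 2^32."""
    return work(target) / 2 ** 32


def reported_difficulty(target: int) -> float:
    """What block explorers print: DIFF1_TARGET / target.
    Differs from difficulty() by a factor of 2^16/65535, about 0.0015%."""
    return DIFF1_TARGET / target


def retarget(prior_target: int, actual_timespan: int) -> int:
    """New target after 2016 blocks, given how many seconds those blocks took.

    T_current = T_prior * t_prior / 2 weeks, except that the ratio is clamped
    to [1/4, 4] and the result may never exceed POW_LIMIT. (The real code also
    measures t_prior across 2015 intervals rather than 2016, the off-by-one
    noted in the text; that quirk is not reproduced here.)
    """
    clamped = min(max(actual_timespan, TARGET_TIMESPAN // 4), TARGET_TIMESPAN * 4)
    new_target = prior_target * clamped // TARGET_TIMESPAN
    return min(new_target, POW_LIMIT)


def hashrate_from_target(target: int) -> float:
    """Aggregate network hash rate implied by a target: work per 600 seconds."""
    return work(target) / BLOCK_INTERVAL


def hashrate_from_difficulty(d: float) -> float:
    """The same estimate from the human-facing difficulty: D * 2^32 / 600."""
    return d * 2 ** 32 / BLOCK_INTERVAL


if __name__ == "__main__":
    t = (1 << 200) - 1   # a target in the range the text describes
    print(f"work        = 2^{math.log2(work(t)):.0f} hashes per block")
    print(f"difficulty  = {difficulty(t):.6g} (explorer convention: {reported_difficulty(t):.6g})")
    print(f"hash rate   ~ {hashrate_from_target(t):.3g} H/s")
    print(f"2016 blocks in one week  -> target halves:       {retarget(t, TARGET_TIMESPAN // 2) == t // 2}")
    print(f"2016 blocks in one day   -> clamped to a quarter: {retarget(t, 86400) == t // 4}")
```

Feeding it a difficulty and target pair from any Bitcoin statistics site should reproduce that site’s reported hash rate to within the rounding of its own numbers; the clamp is the reason a sudden hundredfold jump in hashing power takes several retarget periods, not one, to show up in the target.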
Well, that pretty much wraps up my introduction to Bitcoin. There is quite a bit more to say; just off the top of my head:
- Economics and incentives
- The security (or lack thereof) of Bitcoin’s hash
- The threat (or lack thereof) from quantum computers
- Addresses, transactions, and scripts
- Scalability
…and so on. But there is no obvious order in which to cover them. So I think I will pause here and ask:
Any questions?
Want to see the most important line in the Bitcoin source code? Here it is:
return (CBigNum(1)<<256) / (bnTarget+1);
What this line does and why it matters is the topic of this installment.
...
Did you ever watch "Who Wants to Be a Millionaire"? They ask a sequence of questions, and as soon as you get one wrong, you lose. Along the way you get a few "lifelines", the most interesting of which is "Ask the Audience". The audience is almost always right.
Imagine you had an audience available to you in daily life, but with a few differences. First, you can ask all the questions you want. Second, every member of the audience knows absolutely everything. (They are all computer geeks or MIT grads or something.) Third, a few of them will deliberately lie to you because they are like that.
Oh, one more thing: You can only communicate with them over the Internet. You have no idea who any of them really are.
One problem with the Internet -- or feature, depending on your point of view -- is that one person can appear to be more than one person. Can you take a "majority vote" when a lying minority can pretend to be legion?
Yes! Well, sort of. You need a cryptographic hash function. And I need better notation. (If you are reading this via RSS, now would be a good time to click through to the post.)
Let \(H\) denote a cryptographic hash function. This just means you can give it any message \(\mathcal{M}\) as input, and it will compute a random number \(H(\mathcal{M})\) as output. For example, we can let \(H\) be SHA-256, which will produce random numbers from \(0\) to \(2^{256}-1\).
"Now wait a minute, Nemo", you say. "Earlier you told me that a cryptographic hash is just a collision resistant one-way function. Now you say it's a random function. Is that supposed to be the same thing? And what do you mean by 'random', anyway? A deterministic process specified by a U.S. Government standard is kind of the opposite of random."
Yes, you're very smart. Shut up.
Seriously, though, the notion of "cryptographic hash" firmly straddles the fault line between cryptography as practiced by academics and cryptography as practiced by... well, practitioners. This is actually an interesting topic of its own, and I will take a stab at writing about it some day. But not today. For now, just accept that \(H\) has the property that when anyone inputs a message \(\mathcal{M}\), it generates an output \(H(\mathcal{M})\) that is completely random, from their point of view, unless they have computed \(H\) for that exact same message before.
When you ask your audience a question, they will send you answers in the form of messages. But here is the twist: You will ignore any message \(\mathcal{M}\) whose hash \(H(\mathcal{M})\) is greater than some threshold. (Bitcoin calls this threshold a target.) For example, suppose your target is \(2^{224}-1\), and you receive two messages in response to your first question:
\(\mathcal{M}_1\) = "The answer to question 1 is Peru [xyzzy]"
\(\mathcal{M}_1^\prime\) = "The answer to question 1 is Iceland [plugh]"
If you calculate \(H(\mathcal{M}_1^\prime)\) and find it is greater than \(2^{224}-1\), you reject it immediately as invalid.
Next, you simply publish your target to your audience. Each message you receive has a nonsense word at the end called a nonce. You ignore the nonce, as it only exists to affect the hash. To create a valid message, a member of your audience must find one with \(H(\mathcal{M})\leq2^{224}-1\). Because \(H\) is a cryptographic hash function, anyone who sends you a valid message must have worked reasonably hard trying different nonces.
Or rather, their computer must have worked reasonably hard. As long as the honest audience members control most of the computing power, most of the valid messages you see will originate from them. And they do not even need to coordinate with each other. Each one can try different nonces at random, and as a group, they will generate valid messages at a faster rate than all of the dishonest people combined.
Now, if you imagine receiving a series of valid messages that look like this:
\(\mathcal{M}_1\) = "The answer to question 1 is Peru [xyzzy]"
\(\mathcal{M}_2\) = "I agree with \(H(\mathcal{M}_1)\), and the answer to question 2 is 42 [foobar]"
\(\mathcal{M}_3\) = "I agree with \(H(\mathcal{M}_2)\), and the answer to question 3 is Lucius Æmilius Paullus and Gaius Terentius Varro [quux]"
\(\mathcal{M}_4\) = "I agree with \(H(\mathcal{M}_3)\), and the answer to question 4 is Miss Scarlet in the Bedroom with the Rope [SqueamishOssifrage]"
...and so on, you get a pretty good idea what Bitcoin's block chain looks like. By mentioning the hash of another message, each of these messages asserts its position in the chain. Each message not only conveys an answer of its own but also attests to the accuracy of all previous messages in the chain.
If your target is \(T\), how many nonces does someone have to try, on average, to generate a message whose SHA-256 hash does not exceed \(T\)? Answer:
return (CBigNum(1)<<256) / (bnTarget+1);
...which is how you write \(\frac{2^{256}}{T+1}\) in C++.(1)
In Bitcoin, the "audience" is the miners, the "messages" are the blocks, and this line of code computes the work associated with each block. The Bitcoin software's Prime Directive is: When faced with conflicting versions of the block chain, the one with the greatest total sum of work is the Truth.
That last sentence is, to my knowledge, the sole original idea in Bitcoin's design.
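To make the “audience” protocol concrete, here is an added Python example; it is my own toy, not Bitcoin’s code and not from the original post. Each message commits to its predecessor’s hash, its target and a nonce; it is valid only if its SHA-256 hash does not exceed that target; and when two chains conflict, the one with the greater sum of \(2^{256}/(T+1)\) wins. The demo targets (\(2^{244}-1\), about 4096 attempts per message) and the JSON encoding are assumptions chosen so the block mines in well under a second; the example also serves the mining and validation description in the network installment above.

```python
import hashlib
import json

# Added example, not Bitcoin's code. Hypothetical demo target: 2^244 - 1 means
# about 2^12 = 4096 hash attempts per message on average.
DEMO_TARGET = (1 << 244) - 1
GENESIS_PREV = 0


def H(message: bytes) -> int:
    """SHA-256 as a 256-bit integer, the hash the text calls H."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def block_work(target: int) -> int:
    """The text's most important line: 2^256 / (T + 1)."""
    return (1 << 256) // (target + 1)


def serialize(prev_hash: int, target: int, answer: str, nonce: int) -> bytes:
    """Canonical encoding of everything the hash commits to. The target is
    included, as Bitcoin's block header does via its 'bits' field."""
    return json.dumps(
        {"prev": prev_hash, "target": target, "answer": answer, "nonce": nonce},
        sort_keys=True,
    ).encode()


def mine(prev_hash: int, target: int, answer: str) -> dict:
    """Try nonces sequentially until H(message) <= target."""
    nonce = 0
    while True:
        h = H(serialize(prev_hash, target, answer, nonce))
        if h <= target:
            return {"prev": prev_hash, "target": target, "answer": answer,
                    "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(answers, target: int) -> list:
    """Mine one block per answer, each pointing at the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for answer in answers:
        blk = mine(prev, target, answer)
        chain.append(blk)
        prev = blk["hash"]
    return chain


def validate_chain(chain) -> bool:
    """Recompute every hash: linkage must be intact, the stored hash must match,
    and every hash must not exceed its block's target."""
    prev = GENESIS_PREV
    for blk in chain:
        h = H(serialize(blk["prev"], blk["target"], blk["answer"], blk["nonce"]))
        if blk["prev"] != prev or h != blk["hash"] or h > blk["target"]:
            return False
        prev = h
    return True


def chain_work(chain) -> int:
    """Total work: the sum of 2^256/(T+1) over the chain's blocks."""
    return sum(block_work(blk["target"]) for blk in chain)


def choose_chain(candidates) -> list:
    """The Prime Directive: among valid chains, the greatest total work is the truth."""
    valid = [c for c in candidates if validate_chain(c)]
    return max(valid, key=chain_work)


if __name__ == "__main__":
    honest = build_chain(["Peru", "42", "Paullus and Varro"], DEMO_TARGET)
    # A rival chain with fewer blocks but a tighter target: twice the work per block.
    rival = build_chain(["Peru", "Iceland"], DEMO_TARGET >> 1)
    print("honest work:", chain_work(honest), "rival work:", chain_work(rival))
    print("winner answers:", [b["answer"] for b in choose_chain([honest, rival])])
```

Note what the rival chain shows: the rule is most work, not most blocks, so two blocks mined against a target half as large outweigh three mined against the looser one. Changing any answer in an already-mined chain changes that block’s hash, which breaks the `prev` link of every block after it, so a forger would have to redo all of that work.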
More next time.
(1) Assuming you have a CBigNum class with properly overloaded operator<< and operator/. Did I ever mention that by day I am a mild-mannered software engineer? Well, not that mild-mannered. But I digress.
The problem with this topic — unlike, say, how Bitcoin works — is that there’s just too much material to cover.
Let’s start with Felix (h/t Moldbug):
In reality, then, bitcoin doesn’t really behave like a currency at all. In terms of its market value, it looks much more like a highly-volatile commodity. That’s by design: bitcoins were created to be the most fungible commodity the world had ever seen — to the point at which they would effectively erase the distinction between a commodity and a currency.
Blah, blah, blah. Does it really take 5,000 words to say “Bitcoin is like gold and therefore cannot possibly function as money”? Or does it just sound too stupid when phrased that way?
But the best quote:
Because it turns out that financial-services companies are a very important part of any democracy.
It’s because we place so much trust in banks, after all, that they are forced to take on a great deal of responsibility. Banks and central banks are given an important job to do, are regulated and scrutinized, and can be held responsible for their actions. The population of the entire country, as represented by the government, stands behind bank deposits and promises to honor them even if the bank goes bust.
…
Bitcoin, in that sense, is anti democratic.
So there you have it: The government is the people, and to oppose mega-banks is to oppose democracy itself. Pretty sure I read that in the Federalist Papers.
Next, the sheer quantity of stupid emanating from the FT is mind-boggling. Izabella Kaminska writes a piece quoting a bunch of falsehoods from some moron at SocGen, then goes on to spout a bunch of her own. Seriously, I do not think she managed to get a single statement right in the entire piece. Just a couple of my favorites:
Yes, we still have some room to go, but given exponential dynamics, the fact that we’ve reached the “half-way point” in supply is no doubt meaningful.
Anyone who has the CPU power to create new coins, also has the power to hack existing coins
(She issued a correction for the latter.)
She ends by quoting another moron — at length — all of whose criticisms apply equally well to bitcoins, dollars, Euros, or gold.
She follows up with another article where, once again, approximately every statement is false. My favorite quote this time:
So how does Bitcoin self-regulate?
Unless you are a computer geek, an MIT grad or an algorithmic genius, it’s unlikely you will ever really understand.
Izabella — may I call you Izabella? — you really should get beyond the “math class is tough” thing and try to understand the subject. Preferably before you write about it.
OK, full disclosure: Strictly speaking, I am a computer geek and an MIT grad. But you do not have to be either to understand Bitcoin. When I wrote:
There are literally decades of cryptological research, including “digital cash” research, that Bitcoin simply ignores because it can.
…I was not exaggerating. Bitcoin relies on extremely elementary cryptography. Embarrassingly so, actually, if you are a cryptography researcher who spent decades designing cunning “digital cash” schemes that nobody will ever use. But I digress.
One more “money” quote (ha ha):
That said, it’s understandable why the darker elements in society might feel threatened by an economic system that’s trending towards a more equitable distribution of wealth by means of government-controlled fiat system. The threat is heightened further when governments are doing their best to counter the hoarding of wealth in concentrated pockets by means of “dilution” through processes such as quantitative easing.
Well, I guess that explains why Jamie Dimon launched his “End the Fed” campaign. If not for all that equitable wealth redistribution through quantitative easing and interest on excess reserves, he could be a truly rich man.
I will skip the definition of “fiat money” as the exact opposite of what everyone — including, say, the dictionary — thinks it means.
Another FT piece examines the Bitcoin “bubble”. I wonder, how would the Tulip Mania have played out if tulip bulbs were indestructible, had limited supply, were weightless and volumeless, could be broken into 100 million pieces and reassembled again at will, could be teleported around the planet instantly, and could not be stolen through any amount of force? Honestly, I have no idea. But we are going to find out.
The co-author of that piece tweeted: “Head trader tells me: ‘Even my PhDs can’t explain how you mine a bitcoin’.” So you see? The HEAD TRADER at an INVESTMENT BANK says his ECONOMICS PH.D.s can’t explain Bitcoin. Therefore, you can write about it all you want with zero comprehension and not look like an idiot, apparently.
One final quote from that piece:
“We are just one scandal away from Bitcoin collapsing entirely.”
That is kind of like saying “we are just one bank robbery away from the U.S. dollar collapsing entirely”. People writing breathlessly about attacks on Mt.Gox do not understand the difference between a currency and an exchange.
Look, I have no clue whether bitcoins will be worth $300 in a year, or $3. But I do know the financial journalists are in way over their heads here, their “sources” are useless, and you will learn less than nothing by reading them. Bitcoin is new, it is interesting, and it is under literally nobody’s control. (Thus any analogy to anything under somebody’s control is false.)
Do yourself a favor and try to understand it for yourself.
Part 9 this weekend.
[Update]
Izabella Kaminska responds.
She is being more gracious than I would be, so thanks for that. And if I overreached, I apologize. The media landscape is littered with bad reporting on Bitcoin, and these articles just happened to be recent ones at hand.
A few quick comments before I go back to strictly technical concerns. First, I am neither “for” nor “against” Bitcoin. I am nobody’s ally. (Were I to start over, I would probably choose “Amicus Neminis” as my pseudonym.) I do not own any bitcoins and never have. For now, I am quite happy to be an observer of, not a participant in, this massive and fascinating experiment.
Second, I do not see how anyone rational can have a strong opinion either way at this point. The Bitcoin true believers accuse the mainstream media of running hatchet jobs as a defense mechanism for the status quo. Frankly, a lot of what I see — some of it quoted above — makes it hard to rebut that. How can anyone have such a strong negative opinion about something they do not even understand? On the other side, how can anyone have such a strong positive opinion about something so new?
Third, it is true that my own politics are skeptical of the status quo, particularly regarding finance. I believe many people working in finance are paid ludicrous sums for producing literally nothing, and those sums are extracted as rents from the productive economy. I personally could increase my salary by multiples if I took such a job, but I would be unable to look myself in the mirror. I do not think this makes me a good person; I just think it makes me not a sociopath. While this perspective certainly colors my opinions and my language, it does not inform my criticisms here.
Fourth, of course Bitcoin has some attributes of a Ponzi. But gold has the exact same attributes. The main difference is whether the first mining happened thousands of years ago or thousands of hours. I think gold is probably the best analogy for thinking about the economics of Bitcoin — with all of the history and crackpottery that entails — but it is still an imperfect analogy because Bitcoin is something new. Bitcoin or its successors will be with us for a while, I think, and they will be relevant. Even if this turns out to be a joke, the next one or next one or next one will not. So it is a good idea to slow down, pay attention, and get your head around the technology. If nothing else, it is all quite entertaining; I look forward to the Congressional speech that concludes, “you shall not crucify mankind upon a cross of one-way functions!”
Finally, I do not believe “that not being an MIT and algo nerd is indeed a bit of a crime”. I do believe writing hatchet pieces on something you do not understand is a bit of a crime. “It’s complicated” is never an excuse for speaking from ignorance, and doubly so in this case because it’s simply not that complicated. You can understand it. All of it. Yes, I mean you.
(Warning: Again I have indulged in a bit of wine.)
Before attempting to tackle the block chain, I feel the need to atone for the deadly sin of understatement. (You remember the seven deadly sins, right? Understatement, Exaggeration, False Analogy, Non Sequitur, Affirming the Consequent, Reification, and… Oh, crud, I always forget the last one.)
While numbers like “12” and “37” make for nice illustrative examples, they are so far from reality that I fear the very essence has been lost. And I want to fix that.
So, let me put it this way. Pick a number between 0 and 115792089237316195423570985008687907853269984665640564039457584007913129639935. That is, between 0 and $2^{256}-1$. That is the range of output for SHA-256, the principal cryptographic hash function used by Bitcoin. The “256” means 256 bits of output, and a 256-bit value can be interpreted as an integer from 0 to $2^{256}-1$.
Go ahead, pick a number. Let me guess: You picked 37 just to annoy me, right? Fine, let’s run with it.
SHA-256 is considered “not broken”. That means nobody has ever found any value whose SHA-256 hash is equal to 37, and nobody has any clue how to find one. The SHA-256 hash of your name is not 37. The SHA-256 hash of your phone number is not 37. The SHA-256 hash of your age in seconds right now is not 37. The SHA-256 hash of the Declaration of Independence is not 37. The SHA-256 hash of the entire fourth season of “Sex in the City” on Blu-ray is not 37.
Take any idea you have, or ever had, or ever will have, encode it however you like, run it through SHA-256… and the result will not be 37.
Am I 100% certain all of these statements are true? In the strictest possible sense, no; in every practical sense, yes. The odds that any of the above are false are lower than the odds that you get struck by lightning on a clear day and then win the Powerball lottery. Twice. In fact, it’s not even close.
Ordinary experience and intuition simply do not prepare us for numbers on this scale. Finding a value whose SHA-256 hash is 37 would be a Ph.D.-worthy (if not tenure-worthy) result[1]. Of course, there is nothing special about 37. All of the statements above are true for absolutely any number you will ever imagine, unless your imagination involves computing the SHA-256 hash of something else. Indeed, finding any two numbers with the same SHA-256 hash is, as far as anyone knows, literally impossible by any practical definition.
So if I show you a number x, and you compute the SHA-256 hash of the fourth season of “Sex in the City” on Blu-ray and get x, then you will know I came up with x by computing the SHA-256 hash of the fourth season of “Sex in the City” on Blu-ray. You will know this as surely as you have ever known anything.
That is what “cryptographic hash function” means. And this property is the essence of the Bitcoin block chain, and therefore the essence of Bitcoin.
As we shall see next time.
[1] …and bad news for Bitcoin.
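To make the scale above concrete, here is an added example of my own (not code from the post): it reads a SHA-256 digest as an integer in the range just described, and counts how many hashes it takes before a digest whose top k bits are all zero shows up, which roughly doubles with every extra bit. Hashing a running counter is a constructed illustration; matching one exact value like 37 would mean matching all 256 bits.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// DigestAsInt reads a SHA-256 digest as the integer in [0, 2^256-1] the post describes.
func DigestAsInt(data []byte) *big.Int {
	sum := sha256.Sum256(data)
	return new(big.Int).SetBytes(sum[:])
}

// MaxDigest returns 2^256-1, the largest value SHA-256 can produce.
func MaxDigest() *big.Int {
	m := new(big.Int).Lsh(big.NewInt(1), 256)
	return m.Sub(m, big.NewInt(1))
}

// TrialsUntil counts how many consecutive 64-bit counters must be hashed before a
// digest below 2^(256-bits) appears, i.e. one whose top `bits` bits are all zero.
// Each extra required bit roughly doubles the work; hitting one exact value such
// as 37 would require all 256 bits to match, which is why nobody can do it.
func TrialsUntil(bits uint) int {
	limit := new(big.Int).Lsh(big.NewInt(1), 256-bits)
	var buf [8]byte
	for n := 0; ; n++ {
		binary.BigEndian.PutUint64(buf[:], uint64(n)) // constructed input: the counter itself
		if DigestAsInt(buf[:]).Cmp(limit) < 0 {
			return n + 1 // number of hashes computed
		}
	}
}

func main() {
	fmt.Println("largest possible digest:", MaxDigest())
	fmt.Println("SHA-256(\"37\") as an integer:", DigestAsInt([]byte("37")))
	for _, b := range []uint{8, 12, 16, 20} {
		fmt.Printf("top %2d bits zero after %8d hashes\n", b, TrialsUntil(b))
	}
}
```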
(By a timely coincidence, the total value of all Bitcoins in the world first exceeded $1 billion this week.)
Enough intellectual wanderlust. Let’s build Bitcoin.
First, we need a digital signature scheme. This is just a template for creating individual, unique trapdoor one-way functions, where each unique function is defined by a value called its public key. Each public key has a corresponding private key that permits inversion of the function. For example, in the Rabin scheme (introduced in part 4 that you skipped), the template is , the public key is n, and the private key is the factorization of n.
There are many such beasts in the cryptological zoo. We will choose the “Digital Signature Algorithm over the Elliptic Curve secp256k1”. I did not invent the names, and the details are not important.
Hey, wake up!
What is important is that I can stop saying things like “You generate your personal trapdoor one-way function g(x) and announce it to the world”, and start saying “You generate your personal public/private key pair and announce the public key to the world”.
As we saw last time, digital signatures need a good cryptographic hash function. Here again, the cages in the cryptological zoo are crowded with them. We will use the NSA-sanctioned “Secure Hash Algorithm 2”. That is not important right now, either.
To summarize: A private key is just a number (or a few numbers) that lets you generate digital signatures. The corresponding public key is just a number (or a few numbers) that lets anyone verify those signatures.
Definition: A Bitcoin address is a public key.
Definition: A Bitcoin transaction is an instruction to transfer Bitcoins from one address to another, digitally signed using the private key corresponding to the “from” address.
(As usual, I am exaggerating a bit; both addresses and transactions are somewhat more elaborate than this. Especially transactions. We will revisit both later.)
If you like, you can think of a Bitcoin address as an “account”, and a transaction as a “signed check” drawing on that account. What makes these “accounts” so interesting, among other things, is that you can create them yourself — any time you want and as many as you want — without showing any ID to anybody. Assuming your private keys remain private (and, ahem, the digital signature scheme remains unbroken), it is literally impossible for anybody other than you to write a “check” against one of your “accounts”.
Suppose I want to transfer BTC 1.00 to you. How does that work? First, you give me one of your addresses; let’s call that “address #1”. Next, I need an address with some money in it; let’s call that “address #2”. I create an instruction that says “transfer 1.00 from address #2 to address #1”. I digitally sign the instruction using the private key for address #2, thus creating a transaction; let’s call that “Transaction A”. Remember an address is just a public key, so you can verify the signature using the public key.
Next, you check that there actually is BTC 1.00 associated with address #2. To prove that, I show you Transaction B, a properly signed transaction transferring 1.00 from address #3 to address #2. Then I show you Transaction C transferring 1.00 from address #4 to address #3. And so on…
…until we get all the way back to Transaction Z, a transaction that created BTC 1.00 from nothing and transferred it to address #26. We will come back to Transaction Z in a moment.
Notice that this scheme almost works. Each transaction (aside from Z) has one input (aka. “from address”) and one output (aka. “to address”). The input of each transaction is the output of a prior transaction. Only the person who controls the appropriate private key can transfer money from an address, but they can transfer money to any address they want. And anybody can verify the entire sequence of transactions without relying on any central authority.
Also, all of the addresses could belong to me, or all but #2 could belong to other people; you neither know nor care, because the transactions themselves contain all of the information you need to verify the signatures. This is a key feature of Bitcoin’s design: The separation of identity from account.
The only problem — other than that little detail about Transaction Z — is that this scheme permits double spending. I can sign one transaction transferring money to you, and another transferring the same money to someone else, and neither of you will know about the other.
Back in part 2, I mentioned that Bitcoin is ledger-based. This is why.
Bitcoin relies on a transaction ledger that is visible to the entire world. Until a transaction is on the ledger, it has not happened. In the example above, Transaction Z appears on the ledger first, then Transaction Y, and so on, all the way until Transaction A. Once Transaction A is on the ledger, you can be sure I have paid you, and that I cannot pay the same money to anyone else, because the ledger will reject any attempt to double-spend.
A transaction that creates money, like Transaction Z, is called a “coinbase transaction”. The Bitcoin ledger records ordinary transactions, coinbase transactions, and… that’s all.
We will see the details of the ledger soon enough. But first, what can someone do if they control the ledger? Well, they can create coinbase transactions, which means they can create money. That is obviously pretty important. Also they can add transactions, refuse to add transactions, or reverse (remove) transactions.
What they cannot do is spend other people’s money. Even complete control over the ledger does not allow anyone to create a valid transaction without knowing the private key for the transaction’s input.
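Here is an added example of my own (not the post's code) that replays the scheme just described: a coinbase transaction funds my address, Transaction A pays you, the ledger then refuses a second spend of the same coin, and it refuses a transaction on your address that was not signed with your key. It assumes Go's standard ECDSA on P-256 in place of secp256k1 (the standard library does not ship that curve), plus my own simplifications: a hex "address" encoding, a "from>to" serialization, and one whole coin per transaction.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Addr renders a public key as the post's "address" (hex of the curve point).
func Addr(k *ecdsa.PublicKey) string { return fmt.Sprintf("%x:%x", k.X, k.Y) }
// Tx moves one whole coin (the post's BTC 1.00); Sig is From's ECDSA signature over Digest().
type Tx struct{ From, To *ecdsa.PublicKey; Sig []byte }
// Digest is what gets signed: a constructed "from>to" serialization, hashed with SHA-256.
func (tx *Tx) Digest() []byte { s := sha256.Sum256([]byte(Addr(tx.From) + ">" + Addr(tx.To))); return s[:] }

// NewTx builds the signed instruction "transfer the coin from `from` to `to`".
func NewTx(from *ecdsa.PrivateKey, to *ecdsa.PublicKey) *Tx {
	tx := &Tx{From: &from.PublicKey, To: to}
	tx.Sig, _ = ecdsa.SignASN1(rand.Reader, from, tx.Digest())
	return tx
}
// Ledger holds, per address, coins received minus coins sent; a coinbase (Z) is an increment with no input.
type Ledger map[string]int

// Append enforces the post's two rules: only the key holder can spend, and a coin already sent cannot be sent again.
func (l Ledger) Append(tx *Tx) error {
	if !ecdsa.VerifyASN1(tx.From, tx.Digest(), tx.Sig) {
		return errors.New("bad signature: not signed by the from address")
	}
	if l[Addr(tx.From)] < 1 {
		return errors.New("double spend: from address no longer holds a coin")
	}
	l[Addr(tx.From)]--
	l[Addr(tx.To)]++
	return nil
}
// Scenario replays the post: Z mints a coin to me, A pays it to you, then the same coin
// is offered to someone else, and finally your coin is moved with A's signature, not your key.
func Scenario() (payYou, payOther, forged error) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	me, you, other := newKey(), newKey(), newKey()
	l := Ledger{Addr(&me.PublicKey): 1} // Transaction Z
	a := NewTx(me, &you.PublicKey)       // Transaction A
	payYou = l.Append(a)
	payOther = l.Append(NewTx(me, &other.PublicKey))
	forged = l.Append(&Tx{From: &you.PublicKey, To: &other.PublicKey, Sig: a.Sig})
	return
}
func main() { fmt.Println(Scenario()) }
```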
I know, this installment was not my best. But at least now you know what appears on Bitcoin’s ledger. Up next is how the ledger itself gets maintained…
…after another brief detour.