Making Lemonade out of Lemons: Squeezing utility from a proof-of-work experiment

1. Squeezing utility from a proof-of-work experiment

2.  Where decentralized consensus technology can and can not add value?  What real problems does it solve?  What assumptions does it make about the world?  Against what threats/scenarios/problems does it protect?  How you could implement securities issuance, derivatives processing or even fiat-payments on top of it?  Differences between a trusted network and untrusted?  Are blockchains being built in a vacuum?  What are the total costs of operating them?

3.  Ferdinando Ametrano: “Hayek Money: The Cryptocurrency Price Stability Solution”  “Price Stability Using Cryptocurrency Seigniorage Shares”  Massimo Morini: “Investor/Saver Wallets and the Role of Financial Intermediaries in a Digital Currency”  Byron Gibson: Dual currency Beta/Gamma solution, tx rate as blockchain-intrinsic money demand proxy (unpublished)  Dominic Williams: Pebble (forthcoming)  Robert Sams: “A Note on Cryptocurrency Stabilisation: Seigniorage Shares”

4.  Meher Roy’s IoM proposal  A Decentralized Exchange Protocol (DEP) for exchanges between 2 ledgers  A Real Time Gross Settlement Protocol (RTGSP) for transfers between 2 ledgers  A Deferred Net Settlement Protocol (DNSP) also for transfers between 2 ledgers

5.  Recall that: ◦ “Cryptocurrency” – a type of asset (commodity, currency)  Digicash, Flooz, Beenz ◦ “Decentralized consensus” – is a “voting” process used by Bitcoin and others  The Bitcoin proof-of-concept fuses scarcity onto a nominally trustless ledger (“watermarked” to be more than a currency)  This has led to other proposals (dubbed “2.0”) which include:  Asset tracking / management (via “smart contracts”)  Trustless Multiparty Monetary Computation  Notary services  Consensus as a service / Crypto ledger as a service (CaaS / CLaaS)

6.  Bitcoin and its derivatives use hash-based proof-of-work  Many others are attempting to build other alternative consensus enforcement mechanisms that are less capital intensive, including proof-of-stake (POS)  In practice, most, if not all pure POS system end up centralized but that has not stopped proposed solutions such as DPOS [Note: not an endorsement]

7.  Top 2 platforms through 2014 are: ◦ Ripple (Stellar used a similar consensus ledger) ◦ Counterparty (also has spin-off called “Medici”)  NXT (problems found by Garzik?)  Mastercoin (little traction relative to XCP)  Bitshares (Invictus)  Open Transactions (not fully released)  Coloredcoins (Coinprism, Chromaway)

8.  Ethereum (Proof of Stake?)  Tezos (POS)  Tendermint (POS, DC ledger)  Pebble (Proof of Processing, DC ledger)  Nimblecoin (Merged Mining)  Eris (blockchain-esque)  Factom, formerly Notarychains (POE/MSC)  SKUChain (DPOS/DPOW)  Hyperledger (PBFT)  Filecoin (~Bitcoin, see also Permacoin)  Treechains/Sidechains/PeerNova  Several “stealth” projects (Vpal, Zerocash)

9.  Cross Border Settlement / B2B international transfers ◦ Rebuilding SWIFT (PayWise) ◦ Can use a blockchain/CaaS to move in seconds/minutes ◦ Biggest challenges are liquidity/settlement with market makers as well as compliance in jurisdictions  Central clearing (e.g., derivative clearing) ◦ Prime case for “multi-party payments” and netting/clearing. Could be on a ledger (autonomous) but if participants “fail” then move to centralize the credit risk which was the purpose of CCPs in the first place ◦ Complying with existing laws such as Dodd-Frank are a hurdle/challenge  Mortgages ◦ The ability to have a vehicle that can be used equally by many parties and “self execute.” It need not be block chain if a single bank is trusted. Hence powerful only really when banks (the lenders) or new 3rd party is not trusted to fairly register say installment payments. May be more relevant for CDOs.

10.  CDO/CLO/CMO/ABS ◦ Smart contracts based on assumption that banks are not to be trusted to pass on all cash flows received in the “waterfall.” Alternatively, build competing platforms where you set up “smart contract” (special purpose vehicle) that automatically pay through waterfall. Problem is on enforcement of loans in case of non-payment.  Collateralized / Guaranteed Lending ◦ A bank, borrower and potentially a 3rd party providing collateral or guarantee. Though without identity, credit checks/worthiness the promise of decentralization may not do much.  Letter of Credit ◦ Multiple parties involved, trust is low, cost is high. Incumbents are strong, little incentive to change, requires central changing (with “crossing the chasm” problem) and most importantly multiple jurisdictions.  Crowd Funding ◦ Borrowers may request money on multiple platforms but also making investment fungible. Challenges involve legal constraints such as SEC regulations.

11. Better uses of blockchains/CaaS: ◦ Business lines such as Investment Banking/Corporate Banking/Private Banking/Retail Banking/Micro Lending ◦ Securities issuance ◦ Escrow accounts ◦ Factoring / Trade finance ◦ Consumer lending (car loans)  Note dependencies: immediate readiness, core bank vs ancillary, legal enforceability  Not so much: ◦ POW based blockchains and nominally decentralized mining as it relates to anything requiring fast settlement such as ISDA derivatives (CCP) and securities trading due to latency

12.  Xeroclear (forthcoming from Robert Sams’ team)  Eris (Preston Byrne-led team unveiling December 17)  Hyperledger (early beta)  Medici (uses Counterparty, early beta, assuming it is not based on Bitcoin)  Other consensus ledgers (Ripple/Stellar via Codius/Trustlines)  Stellar had a forking issue recently (new version Q1 from David Mazières)  Other proof-of-stake protocols  Tezos, Purchasechain (from SKUChain), Tendermint, Ethereum (based on Serpent POC), DPOS from Invictus  Other solutions (Pebble, Blockstream)

13.  Ladislaus Bortkiewicz studied the number of soldiers killed annually by horse kicks of 10 corps in Prussian cavalry over 20 years  Question:  ‘In most years in most corps, no one dies from being kicked; in one corp in one year, four men were kicked to death. Does this mean something was amiss in this particular corp?’  No, just unlucky  Bitcoin uses an inhomogenous Poisson process for block discovery

14.  Make it artificially expensive for people to cast “votes” for a consensus  The necessity to make casting “votes” in the consensus artificially high since we cannot know who is participating in the “vote” (e.g., it is an untrusted network) ◦ E.g., it costs you $1 million to undo a $1 million of value  The cost of an attack where someone tries to mess with the consensus is equal to 0.5*MC (marginal cost)  Brute force (by hashrate) the Maginot line (in theory) is roughly $2.55 billion today  In practice cost several orders less to successfully attack and impact (e.g. out-of-band)

15.  Arriving at distributed consensus (Dijkstra prize) and simultaneously preventing Sybil attacks require an investment level (capex/opex) that is different than traditional centralized solutions  “Frontal assault” attack vectors in blockchains theoretically make it expensive to overturn and compromise as – at least in 2009 – no single- point-of-failure  Centralized solutions, while providing faster confirmations and lower up-front economic costs, have trade-offs:  Pro: Trusted networks do not require same (if at all) type of Sybil protection  Con: Social factors have leveraging abilities, single-points-of-failure, easier to collude

16.  Between July 2010 and July 2014 lower bound cost estimate for Bitcoin mining was $764 million ◦ Upperbound 2-3x due to externalities primarily from botnets and “cycle” theft  Seigniorage went to miners and therefore into utility companies and semiconductor fabrication instead of maintaining purchasing power stability or software development

17.  What we have today is not Bitcoin circa 2009 ◦ Finality is no longer final (‘reversibility’ has occurred)  “Rolling back” transactions (e.g., March 2013 fork), taint/validation  Can happen with alts too, see Vericoin  TTP and freezing of assets  “Trust” used 11 times in main body of WP but in practice consumer behavior trends towards continual reliance of TTP  Mediation and transaction costs add costs to a network with already high opex  “A $700 million payments network that is rarely used for payments”  ArtForz de-decentralized mining via GPU (summer 2010) led later to ASIC scaling

18.  Real S-curve due to fabrication; hashrate will eventually taper off even if market value quadruples from current level  Assumes that ASICs will improve incrementally every day to deliver 2x more hashing every 2 years (untrue)  Predict that the power consumption per hash will reduce by 50% in the same 2 years (untrue)  “Be your own” textile factory or data center did not occur with commoditization of those tools, may not here

19.  65% drop in token value reduces incentive to add more capex  Marginal increase in performance from fabrication generation  E.g., performance leap from 130nm to 65 much larger than 40 to 20  ‘As the features get smaller then transistor sizing no longer dominates and the scaling doesn't hold the same way’

20.  Sams: Because txs exist within blocks, which are scarce resource that are financed via seingiorage, in order to calculate the cost of a single tx you have to include the total cost of hashing a block  ~$15 as of today

21.  Long-term theory: it costs a bitcoin to make a bitcoin  Zhou: Slowdown shows that the amount of mining hardware being added onto the network by profitable miners are nearing equilibrium with the amount of mining hardware being taken off the network by now unprofitable miners  ASICs hitting a saturation point in the network where for a lot of miners the marginal cost of producing a bitcoin is now equal to or above the price of a bitcoin  The network generates about 62 fewer blocks / day than last October ◦ Flip side: this is equivalent to 1550 BTC less influx in bitcoin supply per day which means less selling pressure in the market

22.  June 2014, Kerem Kaskaloglu illustrated the “ideal scenario” of the seamless switch from block rewards (seigniorage subsidy) to transaction fees (donations)  As of December 2014, the very opposite has occurred, fees to miners has declined which is “not ideal”  Leads to “dark hashing inventory” after block halving

23.  Despite a 10x decrease in “fees” and 4x increase in merchants in 2014, there has not been a corresponding amount of commercial activity ◦ Retail commerce transactions likely represent less than 20% of all transactions  Majority of bitcoin holders are acting rational: ◦ Either ‘underwater’ on previous purchases ◦ Expect the value of the token to appreciate beyond the short term utility gained from using a bitcoin (e.g., low time preference) ◦ Other reasons and explanation of on-chain activity on Slide 45  Based on this pattern of consumer behavior it is unlikely that on- chain transaction volume will be able to replace seigniorage to incentivize mining

24.  In any given week, Poisson process effectively “delays” one block to over an hour confirmation  Later as block space becomes scarcer, delay becomes problematic for time sensitive financial instruments  Dave Hudson may have incentive compatible solution, Blockstream does not (yet) publicly

25.  Hudson: Due to variance in rewards, rational activity is to pile on the largest pools for higher probability of reward (regular, steady ROI)  Also lowers orphan rate

26.  YG: China farms ~$450 per TH/s ◦ Takes about 5-6 months to breakeven at current difficulty (0.377 BTC / month) once operating costs taken into account ($44/month of electricity, administration, maintenance, etc.) ◦ On the face of it, rational actors would turn off machines and just buy coins on open market  But other factors:  1. Sunken costs (fallacy): they put the money down awhile ago  2. Converting RMB to USD at no limitations (e.g., capital controls) ◦ They may do this even at a lost because it may be cheaper than converting RMB to USD  3. Believe the price of coins will go up, “but there won't be any more coins” ◦ Makes sense due to lack of transparency at China-based exchanges, doesn’t leave paper trail  4. Tax reasons: Bob can justify buying a bunch of computer related parts and report this without a problem to the boss/government, but Bob can't receive permission to directly buy bitcoins  5. Relatively cheap land / labor and the factories assembling the miners themselves are located in China, giving Chinese miners advantage in terms of lead-time  Note: with hashrate forensics it is unlikely that Chinese miners represent more than 40% as of this presentation

27.  Because of increased centralization much easier to use other techniques to disrupt participation ◦ Blatant bribery / hacking of pool ◦ ‘An attacker can sniff the cleartext credentials in the “mining.authorize” message, credentials may be used elsewhere across the internet and may lead to account compromise’ ◦ Canadian router hacked via Border Gateway Protocol fooling miners ($84k)  (Nearly) all large mining farms and pools are known, making them vulnerable to social pressures including “censorship” (see OP_RETURN and Eligius)  Bitcoin Relay Network (propagation is nominally decentralized)

28. ◦ Hudson: On any given day mean block size is in the range of 300 - 400 KB, a much smaller number (~5%) that are nearly full ◦ Once block size is increased or “floated” this will continue to require more bandwidth

29.  Mining rewards  Some pools like Eligius payout directly from coinbase reward creating extra transactions  Mixing / laundering of funds  CoinJoin / CoinShuffle / DarkWallet / SharedSend  Blocksign / Proof of existence  P2SH (multisig)  Counterparty (XCP) and Mastercoin (MSC)  Crowdsales on these platforms (e.g., ‘Gems’ sale)  OP_RETURN  Chromaway and Coinprism  Advertisement spam (see pics)  Since no one actor owns the blockchain to restrict “spam” or “bloat”  Creation of “dust” level (546 satoshi) and preliminary discussion of “censorship”

30.  ‘Created in 2012 to let a spender create a pubkey script containing a hash of a second script, the redeem script’  January 2014: 0.014% of all bitcoins are stored using P2SH  December 2014: 5.45%  Reasons why: ◦ USMS (Bitcoin Investment Trust), Xapo and Ripdice (?) recently switched to P2SH for cold storage  Note: Counterparty uses “old school” method of multisig

31.  Metaprotocols that utilize and sit on top of Bitcoin blockchain provide disproportional rewards ◦ XCP/MSC are effectively piggy backing and free riding off seigniorage rewards ◦ Also happens with colored coins and Dogeparty ◦ E.g., Apple shares (total market cap = $675 billion USD) issued as metacoin. Will Bitcoin security suffice to keep the market in Apple shares trading secure?  In long run, miners are probably not destroying enough capital to ultimately secure metacoin assets, making the network less secure

32.  Because of the continual volatility of coin value (e.g., present-day prices reflect expectations of future demand), this impacts the security of the network long-term and “currency” will likely remain a niche  Coupled with mining centralization (due to Poisson process), which also creates vulnerabilities and attack vectors, make it less than optimal application for property tracking and securities

33.  As an institution you care about something that works for more than 5-6 additional years: you do not want to have to worry about the integrity of your financial instruments  Permissionless consensus ledgers maintained by miners lack any governance structure, incompatible with financial regulation (see European Banking Authority report)  Thus the current Bitcoin protocol is probably not an immediate threat to most G10 banks or financial institutions  Perhaps “2.0” might be able to finish what Bitcoin started

34.  tswanson@gmail.com  @ofnumbers  OfNumbers.com

35. ◦ Thanks to the following individuals for their data and constructive feedback:  Dave Babbitt, Anton Bolotinsky, Richard Brown, “Dexx,” YG, Dave Hudson, Izabella Kaminska, Jeremy Lam, Mikkel Larsen, David Lee, Jonathan Levin, Atif Nazir, Meher Roy, Robert Sams, David Shin, Koen Swinkels, Ernie Teo, Simon Trimborn, Jack Wang, John Whelan  Research conducted in collaboration with the Sim Kee Boon Institute for Financial Economics in Singapore

36.  The variability (Poisson process) of hash-based proof of work (POW) along with the current block reward model and KYC/AML make the current Bitcoin blockchain – and those that are similar – not necessarily a good candidate for a property / ownership tracking system  They may be okay for certain applications and may still grow beyond current niches

37.  Useful innovations that will come from this space and not dependent on POW or blockchain: ◦ Multisig / Keyless trading / Proof of reserves ◦ Trustless Multiparty Monetary Computation (‘Smart contracts’)  Note: some proposed applications can probably be done with an Oracle ◦ Other types of consensus models (Consensus-as-a-service)  An emerging trend: people sign the coinbase transaction to gain “transparency” and answer ‘who is getting all this money.’ Does not need to be the case, we do not need to know. Courts do?

38.  US CRS as of July 15, 2014, “Bitcoin daily transaction volume [in 2014] fluctuated in a range of between $40 million and $50 million, representing between 40,000 to 80,000 daily transactions  Visa averages around $16.5 billion per day, “with an average number of daily individual transactions of near 24 million”  These ratios will continually change over time but the claim that Bitcoin is currently more efficient – in terms of what the native protocol can do – does not hold up to empirical evidence

39.  Fully validating nodes: ◦ September 2011 – 13,000 ◦ May 2012 – 3,000 ◦ November 2012 – 4,000  Another increase then decrease: ◦ Early March 2014 – 10,000 ◦ April 2014 – 8,000 ◦ Flat last three months and as of December 2014 - 6,800

40.  Increased bandwidth / hard drive space requirements ◦ In April 2013, compressed blockchain was 9 GB ◦ December 2014 it is 25 GB  195 GB uncompressed & indexed (Chain.so)  250 GB uncompressed & indexed (Toshi)  Someone has to pay for this, resources are not free  Public goods problem: how to incentivize the externalization of propagation and verification?  Proposed: “Adopt-a-node” which is donation driven

41.  If implemented with specific manufacturing partners, could move the ecosystem back towards “trusted hardware” and a single point of failure  Billed as allowing one person to own hardware at one time (e.g., prove ownership of specific hardware within a farm or pool)  Ironically if this happens, Bitcoin will have inadvertently invented something akin to Hyperledger  "The companies which disclose their hashing power could be awarded a 'Trusted Transparency' sign, the quality and transparency award, so to speak. This will help recognize the companies that openly disclose their numbers and will alleviate the 51% threat.”  Valery Vavilov, CEO of BitFury

42.  Agent-based modeling results using historical data

43.  According to Ernie Teo (2014): ◦ The results are consistent with the original simulation ◦ We observe a steep drop in miners recently due to the large jumps in difficulty ◦ Mining pools will become dominant if this continues ◦ The network becomes centralized as a result

Making Lemonade out of Lemons: Squeezing utility from a proof-of-work experiment

Tim Swanson

Making Lemonade out of Lemons: Squeezing utility from a proof-of-work experiment