1.
Squeezing utility from a proof-of-work experiment

2.
 Where decentralized consensus technology can and can not
add value?
 What real problems does it solve?
 What assumptions does it make about the world?
 Against what threats/scenarios/problems does it protect?
 How you could implement securities issuance, derivatives
processing or even fiat-payments on top of it?
 Differences between a trusted network and untrusted?
 Are blockchains being built in a vacuum?
 What are the total costs of operating them?

3.
 Ferdinando Ametrano: “Hayek Money: The Cryptocurrency
Price Stability Solution”
 “Price Stability Using Cryptocurrency Seigniorage Shares”
 Massimo Morini: “Investor/Saver Wallets and the Role of
Financial Intermediaries in a Digital Currency”
 Byron Gibson: Dual currency Beta/Gamma solution, tx rate as
blockchain-intrinsic money demand proxy (unpublished)
 Dominic Williams: Pebble (forthcoming)
 Robert Sams: “A Note on Cryptocurrency Stabilisation:
Seigniorage Shares”

4.
 Meher Roy’s IoM proposal
 A Decentralized Exchange
Protocol (DEP) for exchanges
between 2 ledgers
 A Real Time Gross
Settlement Protocol (RTGSP)
for transfers between 2
ledgers
 A Deferred Net Settlement
Protocol (DNSP) also for
transfers between 2 ledgers

5.
 Recall that:
◦ “Cryptocurrency” – a type of asset (commodity, currency)
 Digicash, Flooz, Beenz
◦ “Decentralized consensus” – is a “voting” process used by Bitcoin and others
 The Bitcoin proof-of-concept fuses scarcity onto a nominally
trustless ledger (“watermarked” to be more than a currency)
 This has led to other proposals (dubbed “2.0”) which include:
 Asset tracking / management (via “smart contracts”)
 Trustless Multiparty Monetary Computation
 Notary services
 Consensus as a service / Crypto ledger as a service (CaaS / CLaaS)

6.
 Bitcoin and its derivatives use hash-based proof-of-work
 Many others are attempting to build other alternative
consensus enforcement mechanisms that are less capital
intensive, including proof-of-stake (POS)
 In practice, most, if not all pure POS system end up centralized but that
has not stopped proposed solutions such as DPOS [Note: not an
endorsement]

7.
 Top 2 platforms through 2014 are:
◦ Ripple (Stellar used a similar consensus ledger)
◦ Counterparty (also has spin-off called “Medici”)
 NXT (problems found by Garzik?)
 Mastercoin (little traction relative to XCP)
 Bitshares (Invictus)
 Open Transactions (not fully released)
 Coloredcoins (Coinprism, Chromaway)

8.
 Ethereum (Proof of Stake?)
 Tezos (POS)
 Tendermint (POS, DC ledger)
 Pebble (Proof of Processing, DC ledger)
 Nimblecoin (Merged Mining)
 Eris (blockchain-esque)
 Factom, formerly Notarychains (POE/MSC)
 SKUChain (DPOS/DPOW)
 Hyperledger (PBFT)
 Filecoin (~Bitcoin, see also Permacoin)
 Treechains/Sidechains/PeerNova
 Several “stealth” projects (Vpal, Zerocash)

9.
 Cross Border Settlement / B2B international
transfers
◦ Rebuilding SWIFT (PayWise)
◦ Can use a blockchain/CaaS to move in seconds/minutes
◦ Biggest challenges are liquidity/settlement with market
makers as well as compliance in jurisdictions
 Central clearing (e.g., derivative clearing)
◦ Prime case for “multi-party payments” and
netting/clearing. Could be on a ledger (autonomous) but
if participants “fail” then move to centralize the credit
risk which was the purpose of CCPs in the first place
◦ Complying with existing laws such as Dodd-Frank are a
hurdle/challenge
 Mortgages
◦ The ability to have a vehicle that can be used equally by
many parties and “self execute.” It need not be block
chain if a single bank is trusted. Hence powerful only
really when banks (the lenders) or new 3rd party is not
trusted to fairly register say installment payments. May
be more relevant for CDOs.

10.
 CDO/CLO/CMO/ABS
◦ Smart contracts based on assumption that banks are not to be trusted to pass on all cash
flows received in the “waterfall.” Alternatively, build competing platforms where you set up
“smart contract” (special purpose vehicle) that automatically pay through waterfall.
Problem is on enforcement of loans in case of non-payment.
 Collateralized / Guaranteed Lending
◦ A bank, borrower and potentially a 3rd party providing collateral or guarantee. Though
without identity, credit checks/worthiness the promise of decentralization may not do
much.
 Letter of Credit
◦ Multiple parties involved, trust is low, cost is high. Incumbents are strong, little incentive
to change, requires central changing (with “crossing the chasm” problem) and most
importantly multiple jurisdictions.
 Crowd Funding
◦ Borrowers may request money on multiple platforms but also making investment fungible.
Challenges involve legal constraints such as SEC regulations.

11.
Better uses of blockchains/CaaS:
◦ Business lines such as Investment Banking/Corporate Banking/Private
Banking/Retail Banking/Micro Lending
◦ Securities issuance
◦ Escrow accounts
◦ Factoring / Trade finance
◦ Consumer lending (car loans)
 Note dependencies: immediate readiness, core bank vs ancillary, legal enforceability
 Not so much:
◦ POW based blockchains and nominally decentralized mining as it relates to
anything requiring fast settlement such as ISDA derivatives (CCP) and
securities trading due to latency

12.
 Xeroclear (forthcoming from Robert Sams’ team)
 Eris (Preston Byrne-led team unveiling December 17)
 Hyperledger (early beta)
 Medici (uses Counterparty, early beta, assuming it is not
based on Bitcoin)
 Other consensus ledgers (Ripple/Stellar via Codius/Trustlines)
 Stellar had a forking issue recently (new version Q1 from David Mazières)
 Other proof-of-stake protocols
 Tezos, Purchasechain (from SKUChain), Tendermint, Ethereum (based on
Serpent POC), DPOS from Invictus
 Other solutions (Pebble, Blockstream)

13.
 Ladislaus Bortkiewicz studied the
number of soldiers killed annually by
horse kicks of 10 corps in Prussian
cavalry over 20 years
 Question:
 ‘In most years in most corps, no one
dies from being kicked; in one corp in
one year, four men were kicked to
death. Does this mean something was
amiss in this particular corp?’
 No, just unlucky
 Bitcoin uses an inhomogenous Poisson process
for block discovery

14.
 Make it artificially expensive for people to cast “votes” for a
consensus
 The necessity to make casting “votes” in the consensus
artificially high since we cannot know who is participating in
the “vote” (e.g., it is an untrusted network)
◦ E.g., it costs you $1 million to undo a $1 million of value
 The cost of an attack where someone tries to mess with the consensus is
equal to 0.5*MC (marginal cost)
 Brute force (by hashrate) the Maginot line (in theory) is roughly $2.55 billion
today
 In practice cost several orders less to successfully attack and impact (e.g.
out-of-band)

15.
 Arriving at distributed consensus (Dijkstra prize) and
simultaneously preventing Sybil attacks require an investment
level (capex/opex) that is different than traditional centralized
solutions
 “Frontal assault” attack vectors in blockchains theoretically make it
expensive to overturn and compromise as – at least in 2009 – no single-
point-of-failure
 Centralized solutions, while providing faster confirmations
and lower up-front economic costs, have trade-offs:
 Pro: Trusted networks do not require same (if at all) type of Sybil protection
 Con: Social factors have leveraging abilities, single-points-of-failure, easier
to collude

16.
 Between July 2010 and July
2014 lower bound cost
estimate for Bitcoin mining
was $764 million
◦ Upperbound 2-3x due to
externalities primarily from
botnets and “cycle” theft
 Seigniorage went to miners
and therefore into utility
companies and
semiconductor fabrication
instead of maintaining
purchasing power stability
or software development

17.
 What we have today is not Bitcoin circa
2009
◦ Finality is no longer final (‘reversibility’ has
occurred)
 “Rolling back” transactions (e.g., March 2013
fork), taint/validation
 Can happen with alts too, see Vericoin
 TTP and freezing of assets
 “Trust” used 11 times in main body of WP but
in practice consumer behavior trends towards
continual reliance of TTP
 Mediation and transaction costs add costs to a
network with already high opex
 “A $700 million payments network that is
rarely used for payments”
 ArtForz de-decentralized mining via
GPU (summer 2010) led later to ASIC
scaling

18.
 Real S-curve due to
fabrication; hashrate will
eventually taper off even if
market value quadruples
from current level
 Assumes that ASICs will improve
incrementally every day to
deliver 2x more hashing every 2
years (untrue)
 Predict that the power
consumption per hash will
reduce by 50% in the same 2
years (untrue)
 “Be your own” textile factory
or data center did not occur
with commoditization of
those tools, may not here

19.
 65% drop in token value
reduces incentive to
add more capex
 Marginal increase in
performance from
fabrication generation
 E.g., performance leap
from 130nm to 65 much
larger than 40 to 20
 ‘As the features get
smaller then transistor
sizing no longer dominates
and the scaling doesn't
hold the same way’

20.
 Sams: Because txs
exist within
blocks, which are
scarce resource
that are financed
via seingiorage, in
order to calculate
the cost of a single
tx you have to
include the total
cost of hashing a
block
 ~$15 as of today

21.
 Long-term theory: it costs a bitcoin to
make a bitcoin
 Zhou: Slowdown shows that the
amount of mining hardware being
added onto the network by profitable
miners are nearing equilibrium with
the amount of mining hardware being
taken off the network by now
unprofitable miners
 ASICs hitting a saturation point in the
network where for a lot of miners the
marginal cost of producing a bitcoin is
now equal to or above the price of a
bitcoin
 The network generates about 62 fewer
blocks / day than last October
◦ Flip side: this is equivalent to 1550 BTC
less influx in bitcoin supply per day which
means less selling pressure in the market

22.
 June 2014, Kerem Kaskaloglu
illustrated the “ideal scenario”
of the seamless switch from
block rewards (seigniorage
subsidy) to transaction fees
(donations)
 As of December 2014, the very
opposite has occurred, fees to
miners has declined which is
“not ideal”
 Leads to “dark hashing
inventory” after block halving

23.
 Despite a 10x decrease in “fees” and 4x increase in merchants in
2014, there has not been a corresponding amount of commercial
activity
◦ Retail commerce transactions likely represent less than 20% of all transactions
 Majority of bitcoin holders are acting rational:
◦ Either ‘underwater’ on previous purchases
◦ Expect the value of the token to appreciate beyond the short term utility
gained from using a bitcoin (e.g., low time preference)
◦ Other reasons and explanation of on-chain activity on Slide 45
 Based on this pattern of consumer behavior it is unlikely that on-
chain transaction volume will be able to replace seigniorage to
incentivize mining

24.
 In any given week,
Poisson process
effectively “delays” one
block to over an hour
confirmation
 Later as block space
becomes scarcer, delay
becomes problematic
for time sensitive
financial instruments
 Dave Hudson may have
incentive compatible
solution, Blockstream
does not (yet) publicly

25.
 Hudson: Due to
variance in rewards,
rational activity is to
pile on the largest
pools for higher
probability of reward
(regular, steady ROI)
 Also lowers orphan
rate

26.
 YG: China farms ~$450 per TH/s
◦ Takes about 5-6 months to breakeven at current difficulty (0.377 BTC / month) once operating costs
taken into account ($44/month of electricity, administration, maintenance, etc.)
◦ On the face of it, rational actors would turn off machines and just buy coins on open market
 But other factors:
 1. Sunken costs (fallacy): they put the money down awhile ago
 2. Converting RMB to USD at no limitations (e.g., capital controls)
◦ They may do this even at a lost because it may be cheaper than converting RMB to USD
 3. Believe the price of coins will go up, “but there won't be any more coins”
◦ Makes sense due to lack of transparency at China-based exchanges, doesn’t leave paper trail
 4. Tax reasons: Bob can justify buying a bunch of computer related parts and report this
without a problem to the boss/government, but Bob can't receive permission to directly
buy bitcoins
 5. Relatively cheap land / labor and the factories assembling the miners themselves are
located in China, giving Chinese miners advantage in terms of lead-time
 Note: with hashrate forensics it is unlikely that Chinese miners represent more than 40% as of this
presentation

27.
 Because of increased centralization
much easier to use other techniques to
disrupt participation
◦ Blatant bribery / hacking of pool
◦ ‘An attacker can sniff the cleartext
credentials in the “mining.authorize”
message, credentials may be used
elsewhere across the internet and may lead
to account compromise’
◦ Canadian router hacked via Border
Gateway Protocol fooling miners ($84k)
 (Nearly) all large mining farms and
pools are known, making them
vulnerable to social pressures
including “censorship” (see OP_RETURN
and Eligius)
 Bitcoin Relay Network (propagation is
nominally decentralized)

28.
◦ Hudson: On any given day mean block size is in the range of 300 - 400
KB, a much smaller number (~5%) that are nearly full
◦ Once block size is increased or “floated” this will continue to require
more bandwidth

29.
 Mining rewards
 Some pools like Eligius payout directly from coinbase
reward creating extra transactions
 Mixing / laundering of funds
 CoinJoin / CoinShuffle / DarkWallet / SharedSend
 Blocksign / Proof of existence
 P2SH (multisig)
 Counterparty (XCP) and Mastercoin (MSC)
 Crowdsales on these platforms (e.g., ‘Gems’ sale)
 OP_RETURN
 Chromaway and Coinprism
 Advertisement spam (see pics)
 Since no one actor owns the blockchain to
restrict “spam” or “bloat”
 Creation of “dust” level (546 satoshi) and preliminary
discussion of “censorship”

30.
 ‘Created in 2012 to let a spender
create a pubkey script containing a
hash of a second script, the
redeem script’
 January 2014: 0.014% of all
bitcoins are stored using P2SH
 December 2014: 5.45%
 Reasons why:
◦ USMS (Bitcoin Investment Trust), Xapo
and Ripdice (?) recently switched to
P2SH for cold storage
 Note: Counterparty uses “old school”
method of multisig

31.
 Metaprotocols that utilize and sit on
top of Bitcoin blockchain provide
disproportional rewards
◦ XCP/MSC are effectively piggy backing and
free riding off seigniorage rewards
◦ Also happens with colored coins and
Dogeparty
◦ E.g., Apple shares (total market cap = $675
billion USD) issued as metacoin. Will Bitcoin
security suffice to keep the market in Apple
shares trading secure?
 In long run, miners are probably not
destroying enough capital to
ultimately secure metacoin assets,
making the network less secure

32.
 Because of the continual volatility of coin
value (e.g., present-day prices reflect
expectations of future demand), this impacts
the security of the network long-term and
“currency” will likely remain a niche
 Coupled with mining centralization (due to
Poisson process), which also creates
vulnerabilities and attack vectors, make it
less than optimal application for property
tracking and securities

33.
 As an institution you care about something that works for
more than 5-6 additional years: you do not want to have to
worry about the integrity of your financial instruments
 Permissionless consensus ledgers maintained by miners lack
any governance structure, incompatible with financial
regulation (see European Banking Authority report)
 Thus the current Bitcoin protocol is probably not an
immediate threat to most G10 banks or financial institutions
 Perhaps “2.0” might be able to finish what Bitcoin started

34.
 tswanson@gmail.com
 @ofnumbers
 OfNumbers.com

35.
◦ Thanks to the following individuals for their data and constructive
feedback:
 Dave Babbitt, Anton Bolotinsky, Richard Brown, “Dexx,” YG, Dave Hudson,
Izabella Kaminska, Jeremy Lam, Mikkel Larsen, David Lee, Jonathan Levin,
Atif Nazir, Meher Roy, Robert Sams, David Shin, Koen Swinkels, Ernie Teo,
Simon Trimborn, Jack Wang, John Whelan
 Research conducted in collaboration with the Sim Kee Boon Institute for
Financial Economics in Singapore

36.
 The variability (Poisson process) of hash-based proof of work
(POW) along with the current block reward model and
KYC/AML make the current Bitcoin blockchain – and those
that are similar – not necessarily a good candidate for a
property / ownership tracking system
 They may be okay for certain applications and may still grow beyond
current niches

37.
 Useful innovations that will come from this space
and not dependent on POW or blockchain:
◦ Multisig / Keyless trading / Proof of reserves
◦ Trustless Multiparty Monetary Computation (‘Smart
contracts’)
 Note: some proposed applications can probably be done with an
Oracle
◦ Other types of consensus models (Consensus-as-a-service)
 An emerging trend: people sign the coinbase
transaction to gain “transparency” and answer ‘who
is getting all this money.’ Does not need to be the
case, we do not need to know. Courts do?

38.
 US CRS as of July 15, 2014,
“Bitcoin daily transaction volume
[in 2014] fluctuated in a range of
between $40 million and $50
million, representing between
40,000 to 80,000 daily
transactions
 Visa averages around $16.5
billion per day, “with an average
number of daily individual
transactions of near 24 million”
 These ratios will continually
change over time but the claim
that Bitcoin is currently more
efficient – in terms of what the
native protocol can do – does not
hold up to empirical evidence

39.
 Fully validating nodes:
◦ September 2011 – 13,000
◦ May 2012 – 3,000
◦ November 2012 – 4,000
 Another increase then
decrease:
◦ Early March 2014 – 10,000
◦ April 2014 – 8,000
◦ Flat last three months and as
of December 2014 - 6,800

40.
 Increased bandwidth / hard drive space
requirements
◦ In April 2013, compressed blockchain was 9 GB
◦ December 2014 it is 25 GB
 195 GB uncompressed & indexed (Chain.so)
 250 GB uncompressed & indexed (Toshi)
 Someone has to pay for this, resources are not
free
 Public goods problem: how to incentivize the
externalization of propagation and verification?
 Proposed: “Adopt-a-node” which is donation driven

41.
 If implemented with specific manufacturing partners, could move the
ecosystem back towards “trusted hardware” and a single point of failure
 Billed as allowing one person to own hardware at one time (e.g., prove
ownership of specific hardware within a farm or pool)
 Ironically if this happens, Bitcoin will have inadvertently invented something akin to
Hyperledger
 "The companies which disclose their hashing power could be awarded a
'Trusted Transparency' sign, the quality and transparency award, so to
speak. This will help recognize the companies that openly disclose their
numbers and will alleviate the 51% threat.”
 Valery Vavilov, CEO of BitFury

42.
 Agent-based
modeling results
using historical
data

43.
 According to Ernie Teo (2014):
◦ The results are consistent with the original simulation
◦ We observe a steep drop in miners recently due to the large jumps in
difficulty
◦ Mining pools will become dominant if this continues
◦ The network becomes centralized as a result