Some Thoughts On Bitcoin
Dan Kaminsky
If You’re Smart
  • Leave the room right now
  • “Bitcoin turns nerd forums into libertarian forums”
    • This is true
  • Bitcoin is a particularly effective DoS against security professionals
    • Why?
Security Inversion
  • Normal Code
    • Looks like it might be OK up front
    • Scratch the surface, it’s actually really bad
  • BitCoin
    • Looks really bad up front
    • Scratch the surface, it’s actually surprisingly good
  • We aren’t used to systems with these characteristics
  • This code has the mark of having been audited by People Like Us
    • And quants
The basic summary
  • BitCoin is absolutely not anonymous
  • BitCoin clearly does not scale
    • In the long term
    • It does work for now though
  • This isn’t 0day stuff, this is basically declared almost entirely up front
What Is BitCoin
  • A really strange use of cryptography
    • “Strange” is not a sufficient, interesting, or even vaguely competent way to mark a system as insecure
    • It’s a decent way to say “this is not the normal way things are put together”
  • Two systems mated together
    • A peer to peer network that does a best case effort to synchronize data (loose “transactions” and solved “blocks”) across as many nodes as possible
    • A Chinese Lottery that canonicalizes subsets of synchronized data, using the difficulty of finding partial hash collisions
The Basic Idea (In A Nutshell)
  1) I’m hearing about all these transactions going on – Alice is paying Bob, Bob is paying Charlie, etc.
  2) I hash all the transactions I’ve heard about, with some random information, and the hash of the last time someone did that, until there’s a partial collision
    • First n bits equals 0
    • N is automatically determined based on how hard it has to be for one block to be found about every 10 minutes
    • This is a block
  3) I send everyone my “block” – transactions plus hash of previous block plus random data. This gives me 50 bitcoins (for now).
  4) I can now “sign over” those bitcoins, from my private key, to other people’s (or my) public key.
  5) Repeat until there’s lots of people with lots of BitCoins
    • Possibly purchased instead of “mined”
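Steps 2 and 3 of the slide as a runnable toy miner, added here as an example and not part of the original slides or of Bitcoin's own code. It uses Bitcoin's double SHA-256 over a simplified header (previous hash, hash of the transaction ids, nonce), searches for a hash below an integer target (equivalent to "first n bits equal 0"), and includes the retargeting rule that keeps blocks near 10 minutes apart; the header layout and constant names are simplifications chosen for the example.

```python
import hashlib
import struct

TARGET_SECONDS = 600       # aim for one block roughly every 10 minutes
RETARGET_BLOCKS = 2016     # Bitcoin re-evaluates the target every 2016 blocks

def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def target_for_zero_bits(n_bits: int) -> int:
    """Integer threshold: any hash below it has at least n_bits leading zero bits."""
    return 1 << (256 - n_bits)

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 32-byte digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def build_header(prev_hash: bytes, tx_ids: list, nonce: int) -> bytes:
    """Toy header: previous block hash + hash over the transaction ids + nonce.
    Real headers also carry version, timestamp, target bits and a Merkle root."""
    return prev_hash + sha256d(b"".join(tx_ids)) + struct.pack("<I", nonce)

def mine(prev_hash: bytes, tx_ids: list, target: int, hash_fn=sha256d):
    """Step 2: try nonces until hash(header) < target. Returns (nonce, hash).
    hash_fn is pluggable so the same loop can be run with a memory-hard hash."""
    nonce = 0
    while True:
        h = hash_fn(build_header(prev_hash, tx_ids, nonce))
        if int.from_bytes(h, "big") < target:
            return nonce, h
        nonce += 1

def verify(prev_hash, tx_ids, nonce, target, hash_fn=sha256d) -> bool:
    """Any node can cheaply check a claimed block: one hash, one comparison."""
    h = hash_fn(build_header(prev_hash, tx_ids, nonce))
    return int.from_bytes(h, "big") < target

def retarget(target: int, actual_seconds: int) -> int:
    """Bitcoin's rule: scale the target by actual/expected time of the last
    RETARGET_BLOCKS blocks, clamped to a factor of 4 either way (integer math)."""
    expected = TARGET_SECONDS * RETARGET_BLOCKS
    actual = min(max(int(actual_seconds), expected // 4), expected * 4)
    return max(1, target * actual // expected)

if __name__ == "__main__":
    # Constructed sample data: an all-zero previous hash and two fake tx ids.
    prev = b"\x00" * 32
    txs = [sha256d(b"Alice pays Bob 5"), sha256d(b"Bob pays Charlie 2")]
    target = target_for_zero_bits(16)        # ~65k tries on average
    nonce, h = mine(prev, txs, target)
    print(nonce, h.hex(), verify(prev, txs, nonce, target))
    print(hex(retarget(target, 7 * 24 * 3600)))  # blocks came in 2x fast: target halves
```

Raising the zero-bit count by one doubles the expected number of tries, which is exactly why the network can tune block spacing by adjusting the target rather than anything about the nodes themselves.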
Interesting Traits
  • The basic concept is actually relatively solid
    • Assuming partial collisions are predictably hard to find
    • Assuming ECDSA works
  • Basic Idea 1: Money can’t be created from nothing – hashing is needed
  • Basic Idea 2: Transactions can’t be blocked or reversed by a central entity – “is none”
  • It makes security engineers talk like monetary scientists
    • That’s sort of OK, economists pretend to do that too…
    • Seriously, that’s silly – let’s just talk tech, OK?
Epic Scalability Quote 1 (https://en.bitcoin.it/wiki/Scalability)
  • “The core BitCoin network can scale to very high transaction rates assuming a distributed version of the node software is built. This would not be very complicated.”
  • Because there’s nothing easier to do than make a system distributed
    • This is totally not one of the Hard Problems Of Computer Science
  • By “Distributed” they mean “Centralized”
  • Why BitCoin is uniquely hard to audit
    • It claims the advantages of its present architecture, and its future architecture, while rebutting the disadvantages of one with the advantages of the other
    • Instead of saying, “We don’t do that”, they say “Something else could do that”
Scalability Costs: Network Bandwidth
  • “Let's assume an average rate of 2000tps, so just VISA…. Shifting 60 gigabytes of data in, say, 60 seconds means an average rate of 1 gigabyte per second, or 8 gigabits per second.”
  • :O
Up and Down
  • Going up
    • “Let's take 4,000 tps as starting goal. Obviously if we want BitCoin to scale to all economic transactions worldwide, including cash, it'd be a lot higher than that, perhaps more in the region of a few hundred thousand transactions/sec.” And the need to be able to withstand DoS attacks (which VISA does not have to deal with) implies we would want to scale far beyond the standard peak rates.
    • TB/sec
  • Going down
    • Even at 1/100th of VISA, that’s still 10MB/sec
Are There Future Optimizations?
  • “Because nodes are very likely to have already seen a transaction when it was first broadcast, this means the size of a block to download would be trivial (80 bytes + 32 bytes per transaction). If a node didn't see a transaction broadcast, it can ask the connected node to provide it.”
  • Potential 50% savings!
    • Could go from 1GB to 500MB/sec
What About Storage?
  • In order to validate a transaction, you need all blocks up to the present one
  • Joining BitCoin today == downloading 200+MB history all the way to the start of time
    • That only increases
  • “A 3 terabyte hard disk costs less than $200 today and will be cheaper still in future, so you'd need one such disk for every 21 days of operation (at 1gb per block).”
  • So you get to participate directly in BitCoin, at the low low cost of $200 a month
    • Assuming zero costs of running a storage array
CPU?
  • “A network node capable of keeping up with VISA would need roughly 50 cores + whatever is used for mining (done by separate machines/GPUs).”
  • In the long run, that’s what it takes to participate (assuming no DoS, which would take 5000 cores)
    • (You actually need to validate all historical transactions too)
OK, so you end up with supernodes and normal nodes
  • What are the characteristics of supernodes?
    • They’re banks
  • “Welcome to the new boss, who looks suspiciously like the old boss”
  • I’m not saying banks are bad or anything
  • The “peer to peer” model of BitCoin eventually goes away; as soon as the thing gets big, the entire thing switches to a banking model
Reality of Banking
  • As the network gets bigger, fewer and fewer nodes can be banks
    • Only so many parties can exchange a gigabyte a second.
    • The 50% threshold is inevitable
  • BitCoin banks still can’t gin up money
  • BitCoin banks can’t forcibly take money
    • Unless they hold the private keys for the user, which they might
  • BitCoin banks can refuse to accept blocks with “undesirable” transactions
    • Don’t need 50% -- just need enough to inconvenience 50% to accept your opinion
    • Can block undesirable transactions
    • Can recompute blocks w/o certain transactions (reversal)
    • This offers a host of ugly semantics
Already Suffering This
  • BitCoin’s security model is based on the idea that nobody can control more than 50% of the network
    • Exact PetaFlop count unclear, but >40 and <200
      • Weird metric, given that crypto uses integer operations when FLOPS are floating point
    • Several times more than largest supercomputer
  • Pools are breaking this
    • #1 pool has 41%
    • #2 pool has 30%
  • “Security through ostracism” to Pitchfork Security
    • DDoS against #1 pool
Bad Choice Of Hash Standard
  • Existing model can be accelerated massively with GPUs
    • Just 2x SHA-256
  • Could have been bcrypt or the like, in which performance does not scale with pure processing speed
    • Basically adds memory and serialization dependencies
  • Wasn’t implemented, so now we have shortages of GPUs…
What About Anonymity?
  • The full worldwide transaction history is stored and shared, forever and ever
  • Everyone has names like: 1MQbbWUi2scKdZ4KtMMSUSvVmxi6XtEeaC
  • How do you know who you’re paying? You don’t
  • Everyone is encouraged to make up new names for every transaction
    • Actually how you can tell why someone is paying you
    • Out of band, you tell someone “to pay me, pay this address”
    • When that address is paid, you can dereference to your own private transaction
  • Do lots of random names equal anonymity?
Names Are Linkable (see blockexplorer.com)
  • All FROM sources are effectively the same person (or linked IDs)
  • Almost all TO destinations are payee and payor
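The "all FROM sources are the same person" observation from the last two slides, as an added example that is not part of the original deck: a union-find pass over a constructed set of transactions merges every address spent together in one transaction into a single entity, showing why handing out a fresh address per payment does not keep the addresses unlinked once they are spent together. The transaction format (`inputs`/`outputs` lists of address strings) and the address names are constructed for the example.

```python
from collections import defaultdict

class UnionFind:
    """Disjoint-set structure used to merge addresses into one controlling entity."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_by_inputs(transactions):
    """Multi-input heuristic: every address spent in the same transaction is
    treated as one party, since only the holder of all those keys could sign it.
    Returns {smallest member: set of linked addresses}."""
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        for addr in tx["outputs"]:
            uf.find(addr)            # register outputs so unspent ones appear too
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return {min(members): members for members in clusters.values()}

def linked_addresses(transactions, address):
    """All addresses the heuristic ties to `address` (the slide's 'linked IDs')."""
    for members in cluster_by_inputs(transactions).values():
        if address in members:
            return members
    return {address}

# Constructed sample history (not real chain data). Alice publishes A1 out of band,
# "makes up new names" A2 and A3, and later spends them together with A1.
SAMPLE_TXS = [
    {"inputs": ["A1"],       "outputs": ["B1", "A2"]},   # Alice pays Bob, change to A2
    {"inputs": ["A2", "A3"], "outputs": ["C1", "A4"]},   # A2 and A3 signed together
    {"inputs": ["B1"],       "outputs": ["D1", "B2"]},   # Bob pays Dave
    {"inputs": ["A3", "A1"], "outputs": ["E1"]},         # A3 spent with A1: all three collapse
]

if __name__ == "__main__":
    for root, members in sorted(cluster_by_inputs(SAMPLE_TXS).items()):
        print(root, sorted(members))
    print(sorted(linked_addresses(SAMPLE_TXS, "A2")))     # ['A1', 'A2', 'A3']
```

Note that outputs such as A4 stay unlinked here: this pass only uses co-spending, and the slide's second heuristic (most outputs split between payee and payor's change) would be a separate, less certain rule layered on top.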
Reality of Anonymity
  • As BitCoin “fights fragmentation”, it merges identities
  • As it merges identities, it…well, merges identities
  • There are other models of using BitCoin in which money goes in, stays, and then presumably goes back out
    • Again, it’s amazing how much this looks like a bank.
    • Not saying banks are bad, just don’t tell me BitCoin doesn’t morph into the banking system
So, with this all being said
  • BitCoin is working, today
    • That counts for a lot
  • It will not work this way forever
  • It will not have today’s security properties forever
  • If you define the loss of today’s properties as a serious loss of value, then there are Ponzi-ish characteristics in plain view
    • I’m not going to make that claim, however
Conclusion
  • This was just a quick summary
  • BitCoin is actually well designed, if you accept that anonymity and scaling forces the entire present model to be shifted into something that effectively looks like banking
  • I’ll talk about more another time