Now, that whitepaper. The first two sentences of Satoshi’s abstract make clear the design objectives behind bitcoin.

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending.

It has been known for a long time (because it’s kinda obvious) that cryptographic signatures and public keys can be chain-linked to form an unforgeable record of transactions for, say, digital cash (or any ledger record for that matter). Crypto proof replaces the notary. Counterfeiting ledger assets is impossible, and theft or misappropriation cannot happen without gaining access to the asset owner’s private key.

But you still need an authoritative record of these transactions somewhere, like a database, or else there is no way to prevent someone from spending his digital cash more than once (a “double-spend”). If I give you a crypto-proof that some asset belongs to me and that I just transferred it to you, you have no way of knowing that I haven’t already done that with someone else, unless we can both refer to a definitive ledger of timestamped and crypto-signed transactions. Let’s say this ledger is maintained as a database hosted by some trusted third-party. The third-party cannot forge any ledger entries, so what’s the problem with this setup? According to Satoshi, which “main benefits” are lost?

There are two problems:

• The third party could delete a transaction, reversing history
• The third party could censor a transaction, refuse to enter it into the ledger.

And it’s not just the third party itself who has this power, it’s also the government who regulates him, or the hacker who infiltrates him. For Satoshi, using a trusted third party for this task loses some of the “main benefits” of the crypto setup because third parties have a real-world identity (a registered business, an IP address, …) and if known, these third parties can be censored by governments, hacked, shutdown. One of the key design goals behind bitcoin is censorship resistant digital cash.

So, with this design goal in mind, how can we create a record of crypto-signed transactions that is both authoritative (in the sense that there is consensus on its veracity) and censorship resistant? Satoshi gives us a solution to this problem, which brings us to the next part:

We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power.

First, bitcoin is a peer-to-peer network. It’s flat. It is architecturally decentralised. There’s no “bitcoin server” where those chain-linked blocks of transactions (transactions that are themselves also chain-linked via crypto signature) are stored. Instead, the transaction record is stored redundantly by many nodes on the network. Anyone can be a node on the network anonymously. This is what’s meant when people say that bitcoin is a “permissionless” network.

What does Satoshi mean by “the network timestamps transactions”? Most people (esp people in financial markets) understand a timestamp to mean something generated by an accurate clock. But this, remember, is a peer-to-peer network, so it doesn’t have a clock. The nodes on the network have clocks, but since these nodes could be anyone, you can hardly trust the timestamp of any given node. So how does exactly does the network “timestamp transactions”?

What Satoshi means by ‘timestamp’ here is something more coarse: the ordering of blocks of transactions. This block of transactions came immediately after that block of transactions. That sort of time. Ordinal time. It is in this sense that the “network timestamps transactions”. And how it does this is ingenious, “by hashing them into an ongoing chain of hash-based proof-of-work.”

And this is where many people get lost. But the basics are actually rather simple, we just need to understand some preliminary concepts first. A “hash-based proof-of-work” is a solution to a problem, a hash problem. The “hash” refers to a branch of mathematical functions called “cryptographic hash functions”. They have this neat feature that whatever data you put into one of these functions, they return a pseudo-random number of the same bit size. You can’t really predict what the function will return given a certain input, without actually computing the function. Between inputs and outputs, there is no pattern.

For example, here is the SHA256 hash (the same hash function used by the bitcoin protocol) of the string Goldman Sachs:

b0aad912e3a3d9c1be503c154c0580531709862a  -

Change that string by just one character and you get something entirely different, here is the hash of Goldman Suchs:

a0b9a202da83ea581e0306f28115b7c6e10c8483  -

So in bitcoin the hash problem is something like “input into the hash function a (1) bunch of transactions along with (2) the hash of the previous block of transactions and (3) an arbitrary number N; if the hash function returns a value below some number D, problem solved, if not, increment N and repeat.” There’s no way to solve this problem except through iteration. So you set your computer to the task of running billions of hash computations until you solve the hash problem.

And that’s why it’s called “proof-of-work”. The problem was hard to solve, it required work (burning electricity). But once it’s solved, you can prove to someone else that you did the work to solve it. Just show them the data (a bunch of transactions plus the hash of the last block) and that winning number N and let them calculate the hash. If the hash value is the same below-D number that you say it is, you’ve proved that you solved the problem. The problem is hard-to-solve but the solution is easy for others to verify.

Still with me? So this is how the bitcoin network timestamps transactions. The nodes on the network (“miners”) collect transactions that bitcoin senders broadcast and each works at solving the hash problem over a set of transactions. Whenever a node solves the hash problem, it broadcasts the block of transactions along with the proof-of-work. The other nodes verify the work and start hashing on top of that block (i.e., including its hash in the input of the hash problem).

And this is what Satoshi means by “forming a record that cannot be changed without redoing the proof-of-work.” Nodes on the network build on top of the “longest chain” of blocks. If an attacker wanted to reverse the history, say, 5 blocks back, he would have to redo the proof-of-work of those 5 blocks before other nodes would start accepting that his version of history is the version (because it’s the longest chain). And that’s no mean feat. In fact:

The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers.

This is a neat result. If every node follows the rule that the chain-linked set of blocks with the most work behind it is the blockchain, then every node’s local copy of the blockchain will be exactly the same. And if an attacker wished to maliciously replace part of the “sequence of events witnessed” by the network (eg, one where he made a big payment to someone) with an alternative version of history (eg, one where he didn’t make that payment), he would have to redo the latest work of the longest chain, and do this work at a faster rate than the rest of the network. Hence, he would need to control over 50% of the network’s CPU power.

And that, in a nutshell, is Bitcoin’s security guarantee. If you’re comfortable believing that an attacker is unlikely to ever pull together more than half of the network’s computing power, you can trust the veracity of the blockchain’s record of transactions. Unlike with the case of a database hosted by a third-party, there’s no easy way for record entries to get “deleted” from the blockchain.

(In actual fact, researchers have demonstrated that it is possible in theory to attack the bitcoin network with less than half of the network’s computing power… the threshold is closer to 1/3 instead of 1/2.)

And here’s a really important point to remember. All those hash problems that are being solved.. the enormous amount of computational power that is “securing the network”, as it is popularly described, is not securing the network in the way that, say, a computer that encrypts a message secures its contents from preying eyes. There is no fancy math behind the security of bitcoin. The only reason that a cryptographic hash function is used is that a hash-based proof-of-work problem has the property of being hard-to-solve-but-easy-to-verify. You need that asymmetry in solution/proof; the network would grind to a halt if everyone had to redo everyone else’s work. That’s why bitcoin miners aren’t spending all that computational power on something useful like, e.g., genome sequencing. With most useful computations, you generally have to trust that the computer did them correctly, the computer can’t prove to you that it computed correctly. But with a hash problem you can easily prove that you did the computational work to solve it, even though the solution is utterly useless math.

So the security behind proof-of-work isn’t “based on math” (as some misleadingly say). Those hash computations are there for one simple reason: to make it expensive to offer a block of transactions to the network that the other nodes on the network will accept as valid. This is an economic model of security, not a cryptographic one. Proof-of-work requires an attacker to make a substantial capital outlay to have any chance of pulling it off. You have to buy the computing gear and pay the electric bill.

So Satoshi envisioned a distributed, shared ledger of transactions based on principle of one-CPU-one-vote (Well, today you need dedicated sha256 hardware, so it’s more more like a computing oligarchy than a computing democracy, but we’ll ignore that for now). Why not have a similar set-up but use instead use the principle of one-node-one-vote? That way you could ditch the expensive and wasteful proof-of-work.

The answer to that question is the single most important idea to take away from the bitcoin protocol. One-node-one-vote works only if you have a way of authenticating the real-world identity of the node, for otherwise a single attacker could just masquerade as a bunch of different identities and gain control of the network, which can’t tell whether 1000 nodes are really 1000 different people/entities or just one guy behind them all pulling the strings. This is called a Sybil attack in the comp-sci literature, and authenticating node identity is one way of mitigating that attack vector. But Satoshi settled on a more ingenious solution, the hash-based proof-of-work that we explained above.

Remember Satoshi’s design goal: the creation of censorship-resistant digital cash. Prior to Bitcoin’s popularity, privately created electronic money existed in a hostile political environment, to put it mildly. Authentication wasn’t an option, because if the real identities of the nodes are known to all, governments could compel those nodes to censor transactions and KYC/AML transaction senders.. or just criminalise the whole thing and indict the operators behind the nodes. The one-CPU-one-vote idea behind hash-based proof-of-work is a solution that addresses the Sybil attack without relying on identity authentication. Instead of proving to the network that you’re a unique flesh-and-blood so-and-so, you can prove to the network (without revealing your identity) that you’ve spent allot of electricity brute-forcing a solution to a meaningless math problem.

So the bitcoin protocol is not only architecturally decentralised, it is also politically decentralised. The network has no gatekeepers, you don’t need permission to join. The only admission criterion to contributing to the network’s consensus is access to computational power.

At the beginning of this post, we pointed out that there are two main problems with using a ledger hosted by a trusted third party:

• The third party could delete a transaction, reversing history
• The third party could censor a transaction, refuse to enter it into the ledger.

Satoshi’s hash-based proof-of-work beautifully solves the second problem. It is also designed to solve the first; bitcoin transactions are designed for irreversibility. And when bitcoin is cast in the role of distributed ledger platform for X (eg securities settlement), people are fond of describing the bitcoin blockchain as an “append-only distributed ledger for X”.

But this is only a design goal, and because it is a design goal that has been subordinated to censorship resistance, the bitcoin protocol can provide no guarantees that this supposed “append-only” distributed ledger doesn’t actually have a delete button accessible to an attacker who has a sufficient incentive and resources to attack the network and reverse blocks of transactions with impunity. Satoshi himself points this out in the abstract: “As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers.” But if an attacker has access to more than 50% (actually, closer to to 30%) of the network’s computing power, all bets are off.

A couple of months ago Cornell comp-sci professor Emin Gün Sirer tweeted:

The #Bitcoin protocol is neither perfect nor anti-fragile. The main protecting force has been people’s good will and lack of sophistication.

— Emin Gün Sirer (@el33th4xor) March 15, 2015

Emin is right. And this benign state of affairs is unlikely to persist if the bucket shops that are today the only avenue for shorting BTC are eventually replaced by professional derivatives markets. And, it will certainly go away if billions of dollars worth of securities are represented through meta protocols on the bitcoin blockchain as some have eagerly extrapolated from the Nasdaq announcement. For then attackers will have a way of constructing a scalable payoff for attacking the network: shorting the market in size. Acquiring a substantial portion of the network’s hashing power is not an insurmountable goal. What’s required is a sufficiently large monetary incentive to execute the attack. Putting billions of dollars worth of financial assets on the bitcoin blockchain materially changes an attacker’s incentives.

Bitcoin transactions can be reversed if the attacker is willing to make the capital outlay to acquire the hardware and expertise and pay the electricity bill required to pull it off (bribing a couple of large mining pools is probably the path of least resistance). If the attacker is successful, the attack in theory costs nothing, as the attacker collects the mining award of the blocks he solved that “replaced” the original transaction history, blocks that he made into a fork that is now the chain with the most work behind it.

It might seem crazy to the uninitiated that this ostensibly “append-only” distributed ledger that is the bitcoin blockchain contains an avenue for deleting history. After all, everyone saw those blocks of transactions before they were overtaken by the attacker’s fork. Nobody will be fooled that the protocol’s “network timestamp” corresponds to the ordering of transactions that actually occurred. But that’s how the protocol works: the bitcoin blockchain is the chain of blocks with the most work behind it. This is the price you pay for the censorship-resistant design.

(When Satoshi says that the longest chain “serves as proof of the sequence of events witnessed”, I’m inclined to think he should have used the word “evidence” rather than “proof”.)

But the idea that we should “colour” nominal quantities of bitcoin to represent security interests and piggy back a distributed ledger of financial assets on top of a politically decentralised digital cash system is completely mad. Now that we’ve “looked under the hood” of the bitcoin protocol, we can see why.

To serve as a replacement for the legacy technology implementing registered, book-entry assets, a distributed ledger of financial assets will have to ensure a tight correspondence between what the ledger and the law say is the state of who-owns-what. This is obviously incompatible with a protocol based on anonymous transaction validators; the law will not treat a ledger record as authoritative if everyone knows that the current longest chain contains blocks generated by an anonymous attacker who replaced a bit of history that was chronologically prior. But the bitcoin protocol has no mechanism for dealing with this scenario, no mechanism for bringing ledger state and legal state back into alignment. How could it…remember Satoshi’s design goal.

The financial system and its regulators go to great lengths to ensure that something called settlement finality takes place. There is a point in time in which a trade brings about the transfer of ownership–definitively. At some point settlement instructions are irrevocable and transactions are irreversible. This is a core design principle of the financial system because ambiguity about settlement finality is a systemic risk. Imagine if the line items of financial institution’s balance sheet were only probabilistic. You own … of … with 97.5% probability. That is, effectively, what a proof-of-work based distributed ledger gives you. Except that you don’t know what the probabilities are because the attack vectors are based not on provable results from computers science but economic models. Do you want to build a settlement system on that edifice?

Of course not. And you don’t have to because there are many ways to design distributed, shared ledgers, depending on your goals. And I’ll venture to guess that censorship resistant securities transactions is not the reason why financial institutions are looking at distributed consensus tech. Their goals are rather different from Satoshi’s. Increased transparency is one, largely driven by the belief that regulators will grant concessions on capital charges for trades cleared through settlement systems that offer this. Efficiency through automating the back office is another. But probably the main goal is increasing the speed of trade settlement.

On my experience, this motivation perplexes many engineers, who understand well that distributed consensus technology is much slower than database tech. Proof-of-work protocols like bitcoin’s are the slowest of the lot by far (and with only probabilistic ledger state to boot… censorship-resistance is expensive). But even far more efficient consensus algorithms will under-perform the most basic relational database technology.

And yet it takes days to settle trades in book entry assets. This fact is only puzzling to those labouring under the mistaken assumption that custody accounting in the financial system is somehow centralised. It’s not. Records are distributed throughout the system by thousands of different institutions, each maintaining their own siloed accounts and constantly reconciling against each other to come to agreement on the global state of who-owns-what, or who-owes-what-to-whom. It is, in a sense, a form of distributed consensus: consensus-by-reconciliation. And consensus-by-reconciliation is very slow, expensive, and hard to automate. It is this technological infrastructure of consensus-by-reconciliation that the bankers, quite rightly, see being replaced by distributed, shared ledgers. This is a different problem from the one Satoshi tried to solve, as a careful reading of Satoshi’s abstract alone makes perfectly clear.

Nothing in what I have said here is meant to take away from the inspired, brilliant solution that Satoshi implemented for censorship resistant digital cash. And, furthermore, that design goal is IMHO a worthy one. Society should have a digital cash that replicates the same anonymous and permissionless properties that we already enjoy with physical currency.

But a proof-of-work blockchain is only suitable as a distributed ledger for value that society is prepared to treat as a bearer asset. Physical cash is (almost) like this. A shop owner doesn’t due dil his customer to make sure that the £10 note the customer is about to hand over rightfully belongs to him. In practice, when it comes to physical cash, possession-is-ownership.

Ditto the bitcoin blockchain. Possession (of a private key) is ownership (at least in the anarchic, code-is-law jurisprudence of the bitcoin protocol), regardless of how one came into possession, for there is no way for the blockchain to discriminate among spend transactions of coins obtained through legitimate trade, defrauding a counterpart (eg, via a double-spend), or theft of someone’s private key.

But the proposition that security interests and other property titles should also be cast in the same bearer asset mould will go nowhere. Few actually want this, and, anyway, few jurisdictions will actually allow it. (In fact, it’s looking increasingly likely that few jurisdictions will even grant bitcoins bearer asset status.) This is not a serious idea.

Now, I am sure that the advocates of putting property titles on the bitcoin blockchain will object at this point. They will say that through meta protocols and multi-key signatures, third party authentication of transaction parties can be built-in, and we can create a registered asset system on top of bitcoin. This is true. But what’s the point of doing it that way? In one fell swoop a setup like that completely nullifies the censorship resistance offered by the bitcoin protocol, which is the whole raison d’etre of proof-of-work in the first place! These designs create a centralised transaction censoring system that imports the enormous costs of a decentralised one built for censorship-resistance, the worst of both worlds.

If you are prepared to use trusted third parties for authentication of the counterparts to a transaction, I can see no compelling reason for not also requiring identity authentication of the transaction validators as well. By doing that, you can ditch the gross inefficiencies of proof-of-work and use a consensus algorithm of the one-node-one-vote variety instead that is not only thousands of times more efficient, but also places a governance structure over the validators that is far more resistant to attackers than proof-of-work can ever be.