In the previous post, we pointed out that there are two main problems with using a ledger hosted by a trusted third party:
The third party could delete a transaction, reversing history.
The third party could censor a transaction, refusing to enter it into the ledger.
Satoshi’s hash-based proof-of-work beautifully solves the second problem. It is also designed to solve the first; bitcoin transactions are designed for irreversibility. And when bitcoin is cast in the role of distributed ledger platform for X (eg securities settlement), people are fond of describing the bitcoin blockchain as an “append-only distributed ledger for X”.
But this is only a design goal, and because it is a design goal that has been subordinated to censorship resistance, the bitcoin protocol can provide no guarantees that this supposed “append-only” distributed ledger doesn’t actually have a delete button accessible to an attacker who has a sufficient incentive and resources to attack the network and reverse blocks of transactions with impunity. Satoshi himself points this out in the abstract: “As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers.” But if an attacker has access to more than 50% (actually, closer to 30%) of the network’s computing power, all bets are off.
A couple of months ago Cornell comp-sci professor Emin Gün Sirer tweeted:
Emin is right. And this benign state of affairs is unlikely to persist if the bucket shops that are today the only avenue for shorting BTC are eventually replaced by professional derivatives markets. And it will certainly go away if billions of dollars worth of securities are represented through meta protocols on the bitcoin blockchain, as some have eagerly extrapolated from the Nasdaq announcement. For then attackers will have a way of constructing a scalable payoff for attacking the network: shorting the market in size. Acquiring a substantial portion of the network’s hashing power is not an insurmountable goal. What’s required is a sufficiently large monetary incentive to execute the attack. Putting billions of dollars worth of financial assets on the bitcoin blockchain materially changes an attacker’s incentives.
Bitcoin transactions can be reversed if the attacker is willing to make the capital outlay to acquire the hardware and expertise and pay the electricity bill required to pull it off (bribing a couple of large mining pools is probably the path of least resistance). If the attacker is successful, the attack in theory costs nothing, as the attacker collects the mining reward of the blocks he solved that “replaced” the original transaction history, blocks that he made into a fork that is now the chain with the most work behind it.
It might seem crazy to the uninitiated that this ostensibly “append-only” distributed ledger that is the bitcoin blockchain contains an avenue for deleting history. After all, everyone saw those blocks of transactions before they were overtaken by the attacker’s fork. Nobody will be fooled that the protocol’s “network timestamp” corresponds to the ordering of transactions that actually occurred. But that’s how the protocol works: the bitcoin blockchain is the chain of blocks with the most work behind it. This is the price you pay for the censorship-resistant design.
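To make “the chain of blocks with the most work behind it” concrete, here is an added example (not code from the post) that models the rule a node applies: decode each header’s compact target, sum the expected work per block, and keep whichever candidate chain is heaviest. Block labels, targets and transaction ids are constructed for illustration; the scenario shows a heavier fork displacing blocks that every node had already seen, which is exactly the “delete button” described above.

```python
"""Added example: chain selection by cumulative work, a simplified model of
the rule Bitcoin Core applies. Not code from the post; all block data below
is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Block:
    name: str                                   # constructed label standing in for the block hash
    bits: int                                   # compact-encoded target ("nBits") from the header
    txids: list = field(default_factory=list)   # constructed transaction ids


def target_from_bits(bits: int) -> int:
    """Decode the header's compact target into a 256-bit integer."""
    if bits & 0x00800000:
        raise ValueError("negative target is invalid")
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected number of hashes to find a block at this target: 2^256 / (target + 1).
    This matches what Bitcoin Core's GetBlockProof() computes."""
    return (1 << 256) // (target_from_bits(bits) + 1)


def chain_work(chain) -> int:
    """Cumulative work of a chain of blocks (what nodes actually compare)."""
    return sum(block_work(b.bits) for b in chain)


def select_chain(candidates):
    """Return the candidate with the most cumulative work. Neither the number
    of blocks nor the order in which nodes first saw them plays any role."""
    return max(candidates, key=chain_work)


def reverted_txids(old_chain, new_chain) -> set:
    """Transactions confirmed in old_chain that are absent from new_chain."""
    old = {t for b in old_chain for t in b.txids}
    new = {t for b in new_chain for t in b.txids}
    return old - new


# Constructed scenario: two forks branching from the same parent block.
DIFF1 = 0x1D00FFFF  # the genesis-block target, i.e. difficulty 1
HONEST = [Block("H1", DIFF1, ["tx-settle-1", "tx-settle-2"]),
          Block("H2", DIFF1, ["tx-settle-3"]),
          Block("H3", DIFF1, ["tx-settle-4"])]
# A competing fork that omits tx-settle-2 and carries one more block of work.
FORK = [Block("F1", DIFF1, ["tx-settle-1"]),
        Block("F2", DIFF1, ["tx-settle-3"]),
        Block("F3", DIFF1, []),
        Block("F4", DIFF1, ["tx-settle-4"])]


def demo():
    """Returns (fork adopted?, transactions that vanished from the ledger)."""
    best = select_chain([HONEST, FORK])
    return best is FORK, sorted(reverted_txids(HONEST, best))


if __name__ == "__main__":
    adopted, dropped = demo()
    print("heavier fork adopted:", adopted, "| reverted:", dropped)
```

Note that the honest blocks were valid and widely observed before the fork arrived; nothing in the selection rule consults that history, which is why a watcher concerned with settlement has to monitor reorganisation depth rather than trust the appearance of a transaction in a block.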
(When Satoshi says that the longest chain “serves as proof of the sequence of events witnessed”, I’m inclined to think he should have used the word “evidence” rather than “proof”.)
So what about securities settlement?
But the idea that we should “colour” nominal quantities of bitcoin to represent security interests and piggyback a distributed ledger of financial assets on top of a politically decentralised digital cash system is completely mad. Now that we’ve “looked under the hood” of the bitcoin protocol, we can see why.
To serve as a replacement for the legacy technology implementing registered, book-entry assets, a distributed ledger of financial assets will have to ensure a tight correspondence between what the ledger and the law say is the state of who-owns-what. This is obviously incompatible with a protocol based on anonymous transaction validators; the law will not treat a ledger record as authoritative if everyone knows that the current longest chain contains blocks generated by an anonymous attacker who replaced a bit of history that was chronologically prior. But the bitcoin protocol has no mechanism for dealing with this scenario, no mechanism for bringing ledger state and legal state back into alignment. How could it? Remember Satoshi’s design goal.
The financial system and its regulators go to great lengths to ensure that something called settlement finality takes place. There is a point in time at which a trade brings about the transfer of ownership, definitively. At some point settlement instructions are irrevocable and transactions are irreversible. This is a core design principle of the financial system because ambiguity about settlement finality is a systemic risk. Imagine if the line items of a financial institution’s balance sheet were only probabilistic. You own … of … with 97.5% probability. That is, effectively, what a proof-of-work based distributed ledger gives you. Except that you don’t know what the probabilities are, because the attack vectors are based not on provable results from computer science but on economic models. Do you want to build a settlement system on that edifice?
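The “97.5% probability” is not a rhetorical flourish; proof-of-work finality really is a probability, and the one figure the protocol itself offers is the formula in section 11 of Satoshi’s whitepaper. The following is an added example (not from the post) implementing that formula: the chance that an attacker controlling a fraction q of the hash rate overtakes a transaction buried z blocks deep, and the depth needed to push that chance below a chosen risk. It models only the hash race between a minority attacker and honest miners; it says nothing about the economic incentives the post is concerned with, nor about strategies that make the “closer to 30%” threshold mentioned above binding, so its numbers are a floor on the risk, not a ceiling.

```python
"""Added example: Satoshi's whitepaper formula (section 11) for the probability
that an attacker with hash-rate share q catches up from z blocks behind.
Not code from the post. Models the hash race only, for an attacker with q < 0.5."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a transaction z blocks deep is still reversed by an
    attacker holding a fraction q of the network's hash rate."""
    if q < 0.0 or z < 0:
        raise ValueError("q must be non-negative and z a non-negative integer")
    if q >= 0.5:
        return 1.0                    # a majority attacker always catches up eventually
    p = 1.0 - q                       # honest share
    ratio = q / p
    lam = z * ratio                   # expected attacker progress while honest miners made z blocks
    poisson = math.exp(-lam)          # P(k = 0); a recurrence avoids overflow of lam**k
    total = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k        # P(k) = P(k-1) * lam / k
        # given k attacker blocks so far, the chance of closing the remaining gap
        total += poisson * (1.0 - ratio ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float, limit: int = 10_000):
    """Smallest depth z with reversal probability below max_risk, or None if no
    depth up to `limit` achieves it (always the case for q >= 0.5)."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def risk_table(shares=(0.10, 0.20, 0.30, 0.45), max_risk=0.001):
    """Depth needed per attacker share for the whitepaper's 'P < 0.1%' criterion."""
    return {q: confirmations_needed(q, max_risk) for q in shares}


if __name__ == "__main__":
    for q, z in risk_table().items():
        print(f"attacker share {q:.0%}: {z} confirmations for P < 0.1%")
    print("P(reversal) at 6 confirmations, 30% attacker:",
          round(attacker_success_probability(0.30, 6), 4))
```

The familiar “six confirmations” convention comes from the q = 0.10 row; against a 30% attacker the same criterion needs 24 blocks, and against 45% it needs 340. A settlement system that wants a definite rather than probabilistic answer has to choose the depth, and therefore the delay, with a particular adversary in mind, which is the ambiguity the post is objecting to.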
Of course not. And you don’t have to, because there are many ways to design distributed, shared ledgers, depending on your goals. And I’ll venture to guess that censorship-resistant securities transactions are not the reason why financial institutions are looking at distributed consensus tech. Their goals are rather different from Satoshi’s. Increased transparency is one, largely driven by the belief that regulators will grant concessions on capital charges for trades cleared through settlement systems that offer this. Efficiency through automating the back office is another. But probably the main goal is increasing the speed of trade settlement.
In my experience, this motivation perplexes many engineers, who understand well that distributed consensus technology is much slower than database tech. Proof-of-work protocols like bitcoin’s are the slowest of the lot by far (and with only probabilistic ledger state to boot… censorship resistance is expensive). But even far more efficient consensus algorithms will under-perform the most basic relational database technology.
And yet it takes days to settle trades in book-entry assets. This fact is only puzzling to those labouring under the mistaken assumption that custody accounting in the financial system is somehow centralised. It’s not. Records are distributed throughout the system by thousands of different institutions, each maintaining their own siloed accounts and constantly reconciling against each other to come to agreement on the global state of who-owns-what, or who-owes-what-to-whom. It is, in a sense, a form of distributed consensus: consensus-by-reconciliation. And consensus-by-reconciliation is very slow, expensive, and hard to automate. It is this technological infrastructure of consensus-by-reconciliation that the bankers, quite rightly, see being replaced by distributed, shared ledgers. This is a different problem from the one Satoshi tried to solve, as a careful reading of Satoshi’s abstract alone makes perfectly clear.