Bankers can be forgiven for being confused about blockchain technology. For months they’ve been told that blockchain and other distributed consensus technology can revolutionize the payments, clearing and settlement infrastructure of the financial system and that, no, the Bitcoin blockchain just won’t do. (Which suits bankers fine, as few were ever anything but dismissive of the world’s most popular cryptocurrency.)
But then last week Nasdaq announced a project that will use (that’s right) the bitcoin blockchain to “facilitate the issuance, transfer, and management of private company securities” on their Nasdaq Private Market platform.
What’s going on!?
No sooner had the press release circulated among the small and sometimes befuddled group of financial types devoted (or at least instructed) to exploring this tech than IBM’s Richard Brown came out with the warning to “ignore Bitcoin at your peril” (Richard, really?). And then on Friday, Chris Skinner wrote a post suggesting that all the above is really just a case of the financiers having never understood the inner workings of Bitcoin in the first place.
So why would someone as intelligent and informed as Reid Hoffman – and Marc Andreessen, Richard Branson, Wences Casares, Jon Matonis, et al – be so pro-bitcoin when the banks are not? My answer is that most of the people dissing bitcoin haven’t looked under the hood.
So here are two test questions for all of you reading this and thinking Bitcoin Bad, Blockchain Good.
One, have you actually read Satoshi Nakamoto’s white paper?
Two, can you explain to me exactly why the blockchain is good?
I don’t do this, as I don’t want to embarrass anyone, but I’m guessing that 99% of the Bitcoin Bad, Blockchain Good people would answer no to both questions.
Argumentum ad hominem, but hey, he’s probably right that most bankers would answer “no” to his two questions. I’d also venture that the same holds for the majority of bitcoin’s most vocal cheerleaders: beyond a certain point, I’ve found that enthusiasm for bitcoin is inversely related to one’s understanding of it. Skinner then proceeds to the argumentum ad verecundiam and quotes the abstract of Satoshi’s famously elegant whitepaper:
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers.
In this post we’re going to break down this abstract sentence-by-sentence and give a non-technical explanation of how bitcoin works, why it’s interesting, and then explain why the idea of using the bitcoin blockchain for securities settlements is completely barmy. This is not meant to knock Nasdaq for choosing a bitcoin meta-protocol for their project. It’s a good way for them to cut their teeth in this area without devoting much capex. But those who think that this news portends a future securities settlement architecture on the bitcoin blockchain couldn’t be more wrong.
A simple introduction to the bitcoin protocol
Now, that whitepaper. The first two sentences of Satoshi’s abstract make clear the design objectives behind bitcoin.
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending.
It has been known for a long time (because it’s kinda obvious) that cryptographic signatures and public keys can be chain-linked to form an unforgeable record of transactions for, say, digital cash (or any ledger record for that matter). Crypto proof replaces the notary. Counterfeiting ledger assets is impossible, and theft or misappropriation cannot happen without gaining access to the asset owner’s private key.
But you still need an authoritative record of these transactions somewhere, like a database, or else there is no way to prevent someone from spending his digital cash more than once (a “double-spend”). If I give you a crypto-proof that some asset belongs to me and that I just transferred it to you, you have no way of knowing that I haven’t already done that with someone else, unless we can both refer to a definitive ledger of timestamped and crypto-signed transactions. Let’s say this ledger is maintained as a database hosted by some trusted third-party. The third-party cannot forge any ledger entries, so what’s the problem with this setup? According to Satoshi, which “main benefits” are lost?
There are two problems:
The third party could delete a transaction, reversing history.
The third party could censor a transaction, i.e. refuse to enter it into the ledger.
And it’s not just the third party itself who has this power, it’s also the government who regulates him, or the hacker who infiltrates him. For Satoshi, using a trusted third party for this task loses some of the “main benefits” of the crypto setup because third parties have a real-world identity (a registered business, an IP address, …) and, once known, can be censored by governments, hacked, or shut down. One of the key design goals behind bitcoin is censorship-resistant digital cash.
So, with this design goal in mind, how can we create a record of crypto-signed transactions that is both authoritative (in the sense that there is consensus on its veracity) and censorship resistant? Satoshi gives us a solution to this problem, which brings us to the next part:
We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power.
First, bitcoin is a peer-to-peer network. It’s flat. It is architecturally decentralised. There’s no “bitcoin server” where those chain-linked blocks of transactions (transactions that are themselves also chain-linked via crypto signature) are stored. Instead, the transaction record is stored redundantly by many nodes on the network. Anyone can be a node on the network anonymously. This is what’s meant when people say that bitcoin is a “permissionless” network.
What does Satoshi mean by “the network timestamps transactions”? Most people (especially people in financial markets) understand a timestamp to mean something generated by an accurate clock. But this, remember, is a peer-to-peer network, so it doesn’t have a clock. The nodes on the network have clocks, but since these nodes could be anyone, you can hardly trust the timestamp of any given node. So how exactly does the network “timestamp transactions”?
What Satoshi means by ‘timestamp’ here is something coarser: the ordering of blocks of transactions. This block of transactions came immediately after that block of transactions. That sort of time. Ordinal time. (Each block header does carry a clock-style timestamp field, but it is set by the miner and only loosely constrained by the other nodes, so it is the ordering, not the clock value, that carries weight.) It is in this sense that the “network timestamps transactions”. And how it does this is ingenious, “by hashing them into an ongoing chain of hash-based proof-of-work.”
And this is where many people get lost. But the basics are actually rather simple; we just need to understand some preliminary concepts first. A “hash-based proof-of-work” is a solution to a problem, a hash problem. The “hash” refers to a family of mathematical functions called “cryptographic hash functions”. They take input of any length and return a fixed-size output (256 bits for SHA-256) that looks random: you can’t predict what the function will return for a given input without actually computing it, changing a single bit of the input scrambles the whole output, and there is no practical way to work backwards from an output to an input that produces it.
For example, here is the SHA-256 hash (the hash function used by the bitcoin protocol, which applies it twice when hashing block headers) of the string Goldman Sachs:
Change that string by just one character and you get something entirely different; here is the hash of Goldman Suchs:
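The two digest values themselves aren’t reproduced above, so here is an added example (not from the original post) that computes them with Python’s standard library and counts how many of the 256 output bits differ between the two inputs. The strings are the post’s own; the helper names are mine.

```python
import hashlib


def sha256_hex(text):
    """SHA-256 of a UTF-8 string, as 64 hex characters (256 bits)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hamming_bits(hex_a, hex_b):
    """Number of bit positions in which two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(a, b):
    """Hash both inputs and report how far apart the digests are.
    For a good hash function roughly half of the 256 bits should differ,
    whatever the inputs have in common."""
    ha, hb = sha256_hex(a), sha256_hex(b)
    return {"hash_a": ha, "hash_b": hb, "bits_differing": hamming_bits(ha, hb)}


if __name__ == "__main__":
    # The post's two strings differ by a single character.
    result = compare("Goldman Sachs", "Goldman Suchs")
    print("SHA-256('Goldman Sachs') =", result["hash_a"])
    print("SHA-256('Goldman Suchs') =", result["hash_b"])
    print("bits differing:", result["bits_differing"], "of 256")
```

The Hamming distance is what makes “entirely different” precise: a one-character change in the input flips about half of the output bits, which is why nobody can steer the output by nudging the input.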
So in bitcoin the hash problem is roughly: “feed the hash function (1) a batch of transactions, (2) the hash of the previous block of transactions and (3) an arbitrary number N (the nonce); if the output, read as a number, is below some target D, the problem is solved; if not, increment N and try again.” (Strictly, what gets hashed is a small block header that commits to the transactions through a Merkle root, and the network adjusts D every 2016 blocks so that a solution turns up about every ten minutes on average.) There is no shortcut; the only way to solve it is to iterate. So you set your computer to the task of running billions of hash computations until one lands below the target.
And that’s why it’s called “proof-of-work”. The problem was hard to solve, it required work (burning electricity). But once it’s solved, you can prove to someone else that you did the work to solve it. Just show them the data (a bunch of transactions plus the hash of the last block) and that winning number N and let them calculate the hash. If the hash value is the same below-D number that you say it is, you’ve proved that you solved the problem. The problem is hard-to-solve but the solution is easy for others to verify.
Still with me? So this is how the bitcoin network timestamps transactions. The mining nodes (“miners”) collect transactions that bitcoin senders broadcast, and each works at solving the hash problem over a set of them. Whenever a miner solves the hash problem, it broadcasts the block of transactions along with the proof-of-work. The other nodes verify the work (one hash computation) and start hashing on top of that block (i.e., including its hash in the input of the next hash problem).
And this is what Satoshi means by “forming a record that cannot be changed without redoing the proof-of-work.” Nodes on the network build on top of the “longest chain” of blocks (strictly, the chain with the most cumulative work behind it, which is the same thing while the difficulty is uniform). If an attacker wanted to reverse history, say, 5 blocks back, he would have to redo the proof-of-work of those 5 blocks, and then keep going to overtake the blocks the rest of the network added in the meantime, before other nodes would accept that his version of history is the version (because it’s the longest chain). And that’s no mean feat. In fact:
The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers.
This is a neat result. If every node follows the rule that the chain-linked set of blocks with the most work behind it is the blockchain, then every node’s local copy of the blockchain converges on the same history. And if an attacker wished to maliciously replace part of the “sequence of events witnessed” by the network (e.g., one where he made a big payment to someone) with an alternative version of history (e.g., one where he didn’t make that payment), he would have to redo the latest work of the longest chain, and do this work at a faster rate than the rest of the network. Hence, he would need to control over 50% of the network’s hashing power.
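To make the mining loop, the cheap verification and the cost of rewriting history concrete, here is an added toy implementation (mine, not the post’s or bitcoin’s code). It hashes a JSON encoding of the three ingredients the post names rather than a real 80-byte header, uses a single SHA-256 instead of bitcoin’s double SHA-256, and uses a 12-bit difficulty so it runs in well under a second; the function names, the `TARGET` constant and the sample transactions are all constructed for this example.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64
# Toy target: a block hash, read as a 256-bit integer, must be below it.
# About one nonce in 2**12 qualifies, so a block costs a few thousand hashes
# here; bitcoin's real target is smaller by dozens of orders of magnitude.
TARGET = 1 << (256 - 12)


def block_hash(prev_hash, txs, nonce):
    """Hash (1) the transactions, (2) the previous block hash, (3) the nonce N.
    Simplification: bitcoin double-SHA-256s a header holding a Merkle root."""
    payload = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(prev_hash, txs, target=TARGET):
    """Increment N from 0 until the hash falls below the target.
    'attempts' is demo bookkeeping (how many hashes the block cost)."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, txs, nonce)
        if int(h, 16) < target:
            return {"prev": prev_hash, "txs": txs, "nonce": nonce,
                    "hash": h, "attempts": nonce + 1}
        nonce += 1


def verify_block(block, target=TARGET):
    """The cheap side of the asymmetry: a single hash checks a block."""
    h = block_hash(block["prev"], block["txs"], block["nonce"])
    return h == block["hash"] and int(h, 16) < target


def verify_chain(chain, target=TARGET):
    """Every block must be valid and point at the hash of its predecessor."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or not verify_block(block, target):
            return False
        prev = block["hash"]
    return True


def chain_work(chain, target=TARGET):
    """Expected hashes to produce the chain, derived from the target the way
    Bitcoin Core computes chainwork (2**256 / (target + 1) per block)."""
    return len(chain) * ((1 << 256) // (target + 1))


def select_chain(*chains):
    """Node rule: adopt the valid chain with the most work behind it
    (the whitepaper says 'longest'; at uniform difficulty they coincide)."""
    valid = [c for c in chains if verify_chain(c)]
    return max(valid, key=chain_work)


def build_chain(tx_batches, prev=GENESIS_PREV, target=TARGET):
    chain = []
    for txs in tx_batches:
        block = mine(prev, txs, target)
        chain.append(block)
        prev = block["hash"]
    return chain


def tamper(chain, index, new_txs):
    """Edit one block's transactions without redoing any work."""
    forged = [dict(b) for b in chain]
    forged[index]["txs"] = new_txs
    return forged


def rewrite_history(chain, index, new_txs, extra_batches=()):
    """What an attacker must actually do to replace block `index`: re-mine it,
    re-mine every later block (their prev hashes all changed), and mine extra
    blocks to overtake the honest chain."""
    prev = chain[index - 1]["hash"] if index > 0 else GENESIS_PREV
    batches = ([new_txs] + [b["txs"] for b in chain[index + 1:]]
               + list(extra_batches))
    return chain[:index] + build_chain(batches, prev=prev)


def demo():
    # Constructed sample transactions; the payment the attacker wants to
    # erase sits in block 1.
    honest = build_chain([["alice->bob 5"], ["attacker->merchant 50"],
                          ["bob->carol 2"], ["carol->dave 1"]])
    forged = tamper(honest, 1, ["attacker->attacker 50"])
    rewritten = rewrite_history(honest, 1, ["attacker->attacker 50"],
                                extra_batches=[["attacker->attacker 0"]])
    return {
        "honest_valid": verify_chain(honest),
        "forged_valid": verify_chain(forged),       # caught by one hash
        "rewritten_valid": verify_chain(rewritten),
        "rewritten_len": len(rewritten),            # 5 blocks vs 4
        "winner_is_rewritten": select_chain(honest, rewritten) is rewritten,
        "honest_hashes": sum(b["attempts"] for b in honest),
        "attacker_hashes": sum(b["attempts"] for b in rewritten[1:]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The forged chain fails at the first recomputed hash, which is all the “crypto” in the scheme does; getting the rewrite accepted means re-mining four blocks, roughly what the whole honest chain cost. The demo freezes the honest network while the attacker works; in practice it keeps extending its own chain, which is why the attacker needs more hashing power than everyone else combined, not just a big one-off budget.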
And that, in a nutshell, is bitcoin’s security guarantee. If you’re comfortable believing that an attacker is unlikely ever to pull together more than half of the network’s hashing power, you can trust the veracity of the blockchain’s record of transactions. Unlike with a database hosted by a third party, there’s no easy way for record entries to get “deleted” from the blockchain. (In fact, researchers have shown that some attacks on the network are possible with less than half of the hashing power: Eyal and Sirer’s selfish-mining analysis puts the threshold at about one third, and lower still if the attacker is well connected.)
And here’s a really important point to remember. All those hash problems being solved, the enormous amount of computational power that is “securing the network”, as it is popularly described, is not securing the network in the way that, say, a computer that encrypts a message secures its contents from prying eyes. There is no fancy math behind the security of bitcoin. The only reason a cryptographic hash function is used is that a hash-based proof-of-work problem has the property of being hard-to-solve-but-easy-to-verify. You need that asymmetry between solution and proof; the network would grind to a halt if everyone had to redo everyone else’s work. That’s why bitcoin miners aren’t spending all that computational power on something useful like, e.g., genome sequencing. With most useful computations you generally have to trust that the computer did them correctly; the computer can’t prove to you that it computed correctly. But with a hash problem you can cheaply prove that you did the computational work to solve it, even though the solution is utterly useless math.
So the security behind proof-of-work isn’t “based on math” (as some misleadingly say). Those hash computations are there for one simple reason: to make it expensive to offer a block of transactions to the network that the other nodes on the network will accept as valid. This is an economic model of security, not a cryptographic one. Proof-of-work requires an attacker to make a substantial capital outlay to have any chance of pulling it off. You have to buy the computing gear and pay the electric bill.
Remember the design goal
So Satoshi envisioned a distributed, shared ledger of transactions based on the principle of one-CPU-one-vote. (Well, today you need dedicated SHA-256 hardware, so it’s more like a computing oligarchy than a computing democracy, but we’ll ignore that for now.) Why not have a similar set-up but use instead the principle of one-node-one-vote? That way you could ditch the expensive and wasteful proof-of-work.
The answer to that question is the single most important idea to take away from the bitcoin protocol. One-node-one-vote works only if you have a way of authenticating the real-world identity of the node, for otherwise a single attacker could just masquerade as a bunch of different identities and gain control of the network, which can’t tell whether 1000 nodes are really 1000 different people/entities or just one guy behind them all pulling the strings. This is called a Sybil attack in the comp-sci literature, and authenticating node identity is one way of mitigating that attack vector. But Satoshi settled on a more ingenious solution, the hash-based proof-of-work that we explained above.
Remember Satoshi’s design goal: the creation of censorship-resistant digital cash. Prior to Bitcoin’s popularity, privately created electronic money existed in a hostile political environment, to put it mildly. Authentication wasn’t an option, because if the real identities of the nodes are known to all, governments could compel those nodes to censor transactions and apply KYC/AML checks to transaction senders, or just criminalise the whole thing and indict the operators behind the nodes. The one-CPU-one-vote idea behind hash-based proof-of-work addresses the Sybil attack without relying on identity authentication. Instead of proving to the network that you’re a unique flesh-and-blood so-and-so, you prove to the network (without revealing your identity) that you’ve spent a lot of electricity brute-forcing a solution to a meaningless math problem.
So the bitcoin protocol is not only architecturally decentralised, it is also politically decentralised. The network has no gatekeepers, you don’t need permission to join. The only admission criterion to contributing to the network’s consensus is access to computational power.