
Bitcoin is "Worse is Better" - r11t
http://www.gwern.net/Bitcoin%20is%20Worse%20is%20Better
======
tptacek
The logic in this post appears to be:

1. "Notice how Bitcoin has a minimal-to-nonexistent cryptographic pedigree".

2. "Here are many criticisms of the system ranging from 'it is difficult to
scale' to 'it is completely meaningless as a currency', many of them from
cryptographers who have studied cryptocurrencies for over a decade".

3. "Notice how Bitcoin is currently popular".

4. "Therefore, Bitcoin is worse-is-better".

It helps at this point to understand that "worse-is-better" --- a casual essay
by Richard Gabriel --- describes how Unix took over the world not based on
merit but on its viral characteristics. By implication, this article suggests
that Bitcoin is also poised to take over the world virally.

The issue here is that Unix was _also a functioning operating system_. Nobody
criticizes Unix as "completely unworkable"; they just think it's inelegant.

Gwern recognizes this, and uses "elegance" as a straw-man argument to bucket
Bitcoin critiques into and to make it fit the pattern of "worse-is-better".
But the most damning criticisms of Bitcoin --- criticisms he himself cites in
this very article --- aren't that it's inelegant.

Instead, the most damning critiques of Bitcoin are that it almost
totally fails to achieve its security objectives, that it exploits a
misperception about anonymity to handwave away the fact that for most users it
is not anonymous, that it is reliant on centralized infrastructure ("Bitcoin
is peer to peer in the sense of the British Peerage System"), and (most
importantly) that it is meaningless as a currency: "I have taken $100 and set
it on fire; I will sell you a certificate representing the smoke for $101".

These aren't elegance critiques. This isn't "worse-is-better"; to make a
similar argument fly, you have to come up with "worthless-is-better".
Unfortunately, the greater fool theory floats that argument too, at least
until Esquire writes the postmortem on Bitcoin and all the fools who lost
money to it.

~~~
gwern
Thanks for reading; your summary is pretty decent.

But obviously I differ about the elegance and following. Elegance is not
optional; elegance is useful; elegance has important practical consequences.

Go back to rpg's original paper and one of his examples - the difference
between ITS and Unix in system calls was _not_ one of mere aesthetic elegance,
but a case where Unix programs were incorrect and could, and did, fail! Like
freeing memory in memory management, it's easy to omit the check whether the
system call failed.

This applies to each of your points:

- the anonymous vs pseudonymous distinction - you _can_ build anonymity on
top of the pseudonymity (I spent a couple links and cites establishing this
with the mix material!) but you can easily _not_ succeed in getting the
anonymity you wanted. Just like you can easily not check system call success
on Unix.

- the centralized infrastructure: anyone who wants to be a full miner peer
can... they just have to buy the GPU power. Like writing a secure & bug-free
Unix C program, it'll cost you. (One in money, the other in time & skill.)

- meaningless as currency: I am actually not sure how elegance plays into
that at all, so I have no cute analogy to rpg's Unix/ITS system calls. The
wasted computing power is inherent to the system of avoiding double-spending
(I also spent some time discussing this), but that's not related to Bitcoin
being worthless or not as a currency. Any damn thing can be currency, after
all; currencies are as currencies do.

~~~
tptacek
The point Ben is making is not simply that Bitcoin is wasteful, although it
is.

The point is that a $101 certificate for the smoke from $100 in burnt five
dollar bills isn't worth $101. Or $100. Or $5. Or $0.01.

You can declare by fiat that as a proof of effort, the smoke certificate is
worth something. You can try to convince people that certificates representing
smoke function as a medium of exchange. But as a medium of exchange, it must
reside on a continuum with all the other media of exchange, ranked by the
certitude that it will in the long run be convertible to other media. And in
that ranking, "smoke from burnt dollar bills" fares poorly.

There are obviously many types of Bitcoin advocates. The ones we see most
often on HN are of the nerd clade. Nerdly Bitcoin advocates are fixated on the
fact that "any damn thing can be a currency". This fixation presupposes that
_being a currency_ is interesting. The problem is, it isn't interesting.
Toenails can be a currency. Belly button lint can be a currency. Burnt dollar
bill certificates can be a currency. What's interesting is, what are _good_
currencies.

Here the nerdly Bitcoin advocate handwaves around the fact that we actually
have notions of what it means to be a "good" or "bad" currency. Dollar bills
are highly liquid and have a relatively predictable valuation over time. To a
lesser extent, so does gold. Bitcoin does not. It's volatile, it has illusory
liquidity (it is liquid only so long as the "exchanges" on which it trades
decide to keep trading Bitcoins --- or decide not to succumb to their numerous
security flaws), and it is in no place a native medium of exchange, such that
some person somewhere will ever need it to e.g. pay their taxes.

To all that, add the critiques you sourced of Bitcoin; that while it has
impressive virality, it largely fails at its security goal by making the cost
to defend transaction integrity greater than the cost of attacking it; that it
largely fails at its anonymity goal by requiring a complete audit log be made
available to everyone simply in order to function; that it largely fails at
its decentralization goal by requiring resources comparable to that of a Visa
or a Mastercard just to scale.

What are you left with? Colorless, odorless tulips.

~~~
gwern
Your economic points seem to be just reiterating the claim 'currencies must
have a backing!', which is something people can disagree on and not relevant
to the essay. (If some random country adopted Bitcoin as its currency, would
it suddenly cease to be Worse is Better and just be Better is Better? Or vice
versa? If not, then the tough economics/philosophy question of whether a
currency needs backing to be a 'currency' is not relevant.)

> To all that, add the critiques you sourced of Bitcoin; that while it has
> impressive virality, it largely fails at its security goal by making the
> cost to defend transaction integrity greater than the cost of attacking it;
> that it largely fails at its anonymity goal by requiring a complete audit
> log be made available to everyone simply in order to function; that it
> largely fails at its decentralization goal by requiring resources comparable
> to that of a Visa or a Mastercard just to scale.

It's true that the cost of defense is similar to attack, the audit log is
public, and the scaling story is not good. But does it _fail_? That's the
question, and so far it seems to bumble along, with all the major problems
being in things surrounding Bitcoin (MtGox, MyBitcoin, that Polish exchange)
but not actually Bitcoin. Bitcoin fails on a lot of properties, but it's still
there. Unix failed at a lot of things too, but somehow it's still around.

That's kind of the essence of Worse is Better - maybe those security
properties or software properties are not as important and valuable as people
judging the elegance thought that they were.

------
stygianguest
Worse is better does not apply to bitcoin as a cryptographic system, only as a
monetary system. As a cryptographic system it makes a clear choice for more
features over simplicity.

Make no mistake, bitcoin is a very complicated system. Not for a piece of
software, but for a cryptographic system. One that aims to replace the
fundaments of our economic system. With such ambition, "it seems to work" is
not good enough.

As someone who has spent some time hacking the bitcoin code, I have little
confidence. Although I have not found any outright errors, the quality of the
code shocked me. The code does nothing to provide structure and/or insight to
the already complicated protocol. Basic protocol is mixed with parsing of
messages and parallelism of the code. I, for one, fully expect major and near
fatal errors to be found in bitcoin.

~~~
gwern
> As someone who has spent some time hacking the bitcoin code, I would say I
> have little confidence.

There are a lot of differing opinions on this. I quoted Kaminsky at length as
someone with major security credentials who is saying the opposite of you.

~~~
tptacek
You are citing as an authority on code quality someone who says Bitcoin should
use Bcrypt instead of SHA-256 because Bcrypt is less amenable to hardware
optimization.

I hope to make the starburst of applicable points that follow from this by
implication instead of explicit argument.

~~~
gwern
I'm afraid you're going to have to be explicit, because the idea of using
Bcrypt for that reason makes perfect sense to me - the logic that makes Bcrypt
better than SHA-256 for passwords seems to apply nicely to Bitcoin. Hardware
optimization privileges the few who can invest in the hardware over the many
who are able to run more commodity hardware, and is exactly contrary to the
P2P Bitcoin ethos.

(A similar point applies to time-lock puzzles:
<http://www.gwern.net/Self-decrypting%20files> Why were Rivest/Shamir/Wagner
unhappy with brute-force decrypting? Because it's so amenable to hardware
optimization. Why were subsequent researchers unhappy with successive squaring
and looked for memory-bound hashes? Because squaring is still implementable in
hardware.)

~~~
asdfaoeu
Bcrypt isn't specifically harder to compute on GPUs. It just has an adjustable
amount of work it has to do which increases the load. Bitcoin effectively has
the same thing with the difficulty.

~~~
gwern
...Not really. The point is not that you can make it harder; as you say, both
Bcrypt and zero-finding in SHA hashes can be adjusted and made harder. The
point is that the constant factor speedups available from specialty hardware
are greater for SHA than they are for Bcrypt.

~~~
tptacek
First, I don't think your specific point is true. Second, and more
importantly, the benefit of hardware isn't that it changes the constant
factors; it's that it parallelizes the search. The whole point of scrypt is to
create a state explosion that prevents that parallelization.

~~~
gwern
Parallelization _is_ a constant factor. If you have 1000 processors, you get a
constant-factor one-time speedup of 1000x (or less). No complexity class
changes.
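The two technical claims in the exchange above, that Bitcoin's difficulty is an adjustable work knob in the same sense as bcrypt's cost parameter (asdfaoeu), and that throwing more machines at the search buys only a constant-factor speedup (gwern's last reply), can be made concrete with a toy proof-of-work search. This is an added illustration, not code from the thread or from Bitcoin itself; the header bytes, the 8-byte nonce encoding, the "leading zero bits" target and the lockstep worker model are constructed simplifications of the real block format and target encoding. It shows that each extra difficulty bit doubles the expected hash count, and that splitting the nonce space across k workers cuts wall-clock rounds by at most k while the total number of hashes (the energy bill) does not shrink. It deliberately does not model the memory-hardness that scrypt uses to make each of those k workers expensive, which is the distinction tptacek draws.

```python
import hashlib
import struct

# Constructed sample header; Bitcoin's real 80-byte block header is not modelled.
HEADER = b"constructed-example-header"


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 over header || 8-byte little-endian nonce (a toy encoding)."""
    inner = hashlib.sha256(header + struct.pack("<Q", nonce)).digest()
    return hashlib.sha256(inner).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest wins when it has at least difficulty_bits leading zero bits, i.e. its
    big-endian integer value is below 2^(256 - difficulty_bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def expected_hashes(difficulty_bits: int) -> int:
    """Expected hashes per solution. Each extra bit halves the target and doubles the
    work: the same kind of knob bcrypt exposes as its cost parameter."""
    return 1 << difficulty_bits


def solve_sequential(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """One worker scanning nonces 0, 1, 2, ... Returns (nonce, hashes_tried)."""
    for nonce in range(max_nonce):
        if meets_target(pow_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("no solution below max_nonce")


def solve_parallel(header: bytes, difficulty_bits: int, workers: int,
                   max_nonce: int = 1 << 32):
    """Simulate `workers` machines in lockstep: in round r, worker i tests nonce
    (r-1)*workers + i. Returns (nonce, rounds, total_hashes), where rounds is the
    wall-clock measure and total_hashes the electricity bill. Scanning in nonce
    order finds the same (lowest) solution as the sequential search."""
    for rounds, base in enumerate(range(0, max_nonce, workers), start=1):
        for i in range(workers):
            if meets_target(pow_hash(header, base + i), difficulty_bits):
                return base + i, rounds, rounds * workers
    raise RuntimeError("no solution below max_nonce")


def compare(header: bytes, difficulty_bits: int, workers: int) -> dict:
    """Sequential vs parallel cost at one difficulty. The speedup is bounded by
    `workers` and the total hash count never drops below the sequential count: a
    constant factor, no change of complexity class. (Memory-hard functions such as
    scrypt make each worker itself expensive; this toy does not model that.)"""
    nonce, seq_hashes = solve_sequential(header, difficulty_bits)
    par_nonce, rounds, total = solve_parallel(header, difficulty_bits, workers)
    assert par_nonce == nonce  # both searches find the lowest winning nonce
    return {
        "nonce": nonce,
        "expected_hashes": expected_hashes(difficulty_bits),
        "sequential_hashes": seq_hashes,
        "parallel_rounds": rounds,
        "parallel_total_hashes": total,
        "speedup": seq_hashes / rounds,
    }


if __name__ == "__main__":
    # Expected work doubles per bit; speedup stays capped at the worker count.
    for bits in (8, 10, 12):
        print(bits, compare(HEADER, bits, workers=8))
```

Run it and watch `expected_hashes` go 256, 1024, 4096 while `speedup` never exceeds 8 and `parallel_total_hashes` is never smaller than `sequential_hashes`; that is what "parallelization is a constant factor" means in practice, and why the real argument about hardware resistance is about the per-worker cost (memory), not about the search itself.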

