Bitcoin's Academic Pedigree (acm.org)
306 points by kushti on Aug 30, 2017 | 142 comments



This article correctly shows that virtually none of the ideas underpinning Bitcoin are new. They can all be traced to the academic literature going back decades.

Cryptographic signatures and public-key cryptography, cryptographic hash functions, cryptographic proof-of-work, time-stamping, Merkle trees, chains of transactions blocks, Byzantine fault tolerance, smart contracts -- all of these ideas were old when Bitcoin was invented.

Satoshi Nakamoto's achievement lies in the complex, ingenious way in which he (or she, or they) combined these ideas into a new distributed algorithm.[1]

--

[1] For those who don't know, Satoshi Nakamoto's paper, "Bitcoin: A Peer-to-Peer Electronic Cash System" proposed the first known solution to the double-spending problem in a peer-to-peer network (i.e., without centralized control), with Byzantine fault tolerance (i.e., in a manner resistant to fraudulent nodes attempting to game the rules), via a clever application of cryptographic proof-of-work. The paper is available at https://bitcoin.org/bitcoin.pdf


I've spent a lot of time reviewing the original Bitcoin codebase.

It's brilliant code. It's production-grade C++. There's nothing in it that hints at academic origins. Most people are either academics or professional coders -- to be both is a rare exception.

The codebase seemed to materialize out of nowhere. One of the earliest commits in the SVN repo contains 36 thousand lines of code. "Satoshi" (or this group of people) must have worked months or a year on this before putting it up on source control.

The code also uses IRC to find seed nodes, which is amusing. It just connects to #bitcoin and assumes that some of the people in the channel are running bitcoin nodes. That's a cool way around the "What if all the hardcoded seed nodes fail?" problem. I know it's probably a standard tactic, but bitcoin integrates so many standard tactics so well in addition to its academic work.

Here it is as one gigantic file: https://gist.github.com/anonymous/b4d5d1ab333c5d6e238fdc2242...


> "Satoshi" (or this group of people) must have worked months or a year on this before putting it up on source control.

In one [0] of his emails to Mike Hearn [1] Satoshi Nakamoto wrote that he worked on Bitcoin for two years before releasing the paper and code:

> I must admit, this project was 2 years of development before release, and I could only spend so much time on each of the many issues.

His emails to Hearn and others make clear that his creative process consisted mainly of writing code until he was convinced things worked. In my opinion, Satoshi Nakamoto was a lone hacker.

0. https://pastebin.com/wA9Jn100

1. https://bitcointalk.org/index.php?topic=2080206.0


> It'd be worth implementing some kind of more robust auto update mechanism, or a schedule for the phase in of this [the block size], if only because when people evaluate "is BitCoin worth my time and effort" a solid plan for scaling up is good to have written down.

Prescient words from Mike Hearn.


I think I'm going to print this out and frame it on my wall.


Also, an unreliable narrator.


Hmm, I think this comment was taken little more negatively than I had intended. My fault of course for not expanding on the point, which is this:

Satoshi maintains anonymity, by choice. Therefore, any information about Satoshi's identity, directly stated or inferred from things said by them, logically has to be treated as unreliable. With the goal of remaining anonymous, Satoshi has nothing to gain and a lot to lose from providing true information about themselves. It is in their interest to not provide any information about themselves, and for any information that is provided to be inaccurate.

None of this casts any aspersions on either Bitcoin or Satoshi.

Ah heck, I sound like Vizzini. Maybe I should just drink the damn wine ;)


I recovered and archived version 0.1.0 (directly from Hal Finney): http://www.zorinaq.com/pub/bitcoin-0.1.0.tgz It has 19k lines of code. That's certainly a few months of work minimum.

Fun fact: I was contacted by the Computer History Museum in Mountain View since this tarball (and the .rar) hosted on my site is the earliest known public copy of the source code.


Notice how all the files use \r\n for newlines. Satoshi was a Windows programmer! They used Windows.

Anyone who has tried to do cross-platform development knows it's extremely difficult in C++. You can do it, but it's not a trivial thing. I guess it's no surprise that Satoshi used Visual Studio. If you start out writing code in not-Visual-Studio, it's far harder to go back and make it run on VS.

I vividly remember how maligned Windows programmers were in 2008. I felt like a black sheep getting my start in the gamedev industry, because if you wanted to do Big League Programming in gamedev, that meant one thing: Windows. Microsoft has finally made some inroads in hacker culture. It's far less common now to be dismissed as less talented just because you used Windows. But in 2008 this feeling was very much alive.


Bitcoin was originally a Windows only program. We used Wine to run it on Mac/Linux in the early days:

https://sourceforge.net/p/bitcoin/mailman/message/23827020/

I used to be a Wine developer so it didn't put me off when I first found the project, but I'm sure the fact that it was Windows only hurt the project's uptake in the first year. It wasn't until Bitcoin 0.2 that a Linux version was available.

If it helps, Satoshi was also an Outlook user ;)


Most CIA and NSA code that has been leaked has been developed on Windows using Visual Studio IIRC.

The bitcoin code looks and feels a lot like their projects but could easily be some NSA programmer's side project.

Any hacker can tell this was a one person project from looking at the code.


It's mostly posers who malign others for their choice of platform or tools. Show me what you built. Usually guys like that have never built shit, but still ruthlessly criticize others.


I'm curious as to why you consider it brilliant, production-ready code.

I also read through the original codebase and I came to a different conclusion. To me it looks like something that was hacked at for a year or so, and was all just glued together. It looked like the first iteration of a codebase, the thing that you usually don't release, but then re-work so it is presentable to the outside world and then release.

To me that says a couple of things. One is that Satoshi is one, normal, human. Another is that he is very human. For example, a lot of the OP codes have had to be disabled because they were totally insecure. In early versions of bitcoin there were bugs that allowed anyone to spend anyone's bitcoins, and so forth.

Not that I mean to attack Satoshi, he was a good coder who started what could become a revolution. But he was a human like the rest of us, and it shows.

What is it about his code that makes you consider it brilliant and production ready?


in a codebase of tens of thousands of lines of non-trivial C++, after 8 years there was found one critical protocol bug. one. if this doesn't blow your mind - i don't know what will.


There was more than one critical protocol bug. But yes, it was an impressive effort. It used the STL well, was tightly written, and of the security bugs that did exist none were buffer overflows, stack smashes or double frees from what I recall. There were some issues in the interpreter opcodes but I think they may have been crashes (DoS).

The code was clearly the work of one person though. There were not enough comments or other forms of code documentation for it to have been a team effort, even if the Satoshi personality was a composite. The idiosyncratic code is another hint: Windows only and Hungarian notation in 2008 is not something commonly seen. The early Bitcoin code gave me the feeling of an experienced developer who learned their craft in the 1990s and had probably been around for quite a long time, but who probably hadn't worked in large professional development teams in recent years. For example, there were no unit tests. Common in the 1990s, not so much in 2008.


Since you were around in the early days, how did you get involved with Bitcoin and how did Satoshi get people interested in it since he was anonymous and did not have any social media following or email list?

It's incredible that he has managed to stay anonymous for so long, how on earth did he manage to do that?

Any thoughts on the scaling debate?


I had a long term interest in internet money, from before Bitcoin existed. The path to Bitcoin was kind of convoluted.

About 20 years ago I was interested in environmentalism. I was persuaded by arguments that humanity was damaging the environment because of the system of money it used, in which sustainably managing a forest might be profitable at, say, interest rates of 2%, but if interest rates went up to 5% then the rational thing to do was clear cut the forest and invest the returns.

This led me to a book called The Future of Money by Bernard Lietaer. This book talked about "community currencies". The idea you could design currencies to achieve particular social goals was very interesting to me. The book referenced a publication called the International Journal of Community Currency Research. This organisation turned out to have a Yahoo Group, which I joined. I felt that if there were other people discussing this idea, they would surely be found on the internet.

One day the Yahoo Group received a mail talking about a project called Ripple. This was an initiative by Ryan Fugger to create a system that could locate and manage debt in a decentralised way. It proposed an economic system without cash, in which all payments were in the form of debt in whatever units people found convenient (dollars, hours of work, loaves of bread baked etc). So I joined the Ripple mailing list too, and engaged in much fruitful discussion with Ryan about the nature of money.

The Ripple mailing list eventually received a mail that pointed to the bitcoin website and suggested we check it out. This was a few months after the project was launched. I did so, and started emailing Satoshi.

I don't know how Satoshi remained anonymous for so long. I suspect that if his identity is ever revealed, people will think: it was so obvious? Why didn't anyone see that? When the operator of the Silk Road was revealed, it turned out he'd made basic and obvious errors very early on and anyone could have figured out the Dread Pirate's identity through basic web searches. But only the FBI actually bothered to do it. I suspect Satoshi hasn't been looked for as thoroughly as people tend to imagine.

I discussed Bitcoin's scaling extensively two years ago. You can find those discussions on my blog if you like. Nothing has changed and I have nothing further to say on the matter.


I'm just reading your blog now. The first article has this statement in it:

>The fundamentals are broken and whatever happens to the price in the short term, the long term trend should probably be downwards. I will no longer be taking part in Bitcoin development and have sold all my coins.

That was written back in January 2016. I think you were wrong about that.


No, I think that everything in my blog post was correct.

The statement about the price was deliberately vague ("long term", "should probably") because the Bitcoin price hasn't reflected the fundamentals for a very long time. You can't go straight from "this project is broken" to "thus the price will fall" because it's not an informed market, because of the large quantity of shady exchanges and so on. Take a look at what's been going on with Bitfinex to get a flavour.

If you assume that eventually, one day, reality re-asserts itself, then the price should come to reflect the system's actual utility, which is very low. But you know the old saying about how markets can remain irrational longer than you can remain solvent? I wouldn't try shorting BTC regardless of how much you know about it.


Do you think you might write about Bitcoin's development ecosystem in the future? Since XT, Unlimited, and Classic, there has now been 2X and Bitcoin Cash. It's probably too early yet to see if things have/will change substantively, but I would enjoy reading your thoughts if the time comes where you feel like writing.


Are you tempted into joining vastly superior solutions like MimbleWimble, with a blockchain that doesn't always grow?


http://satoshi.nakamotoinstitute.org/emails/cryptography/1/

He used the cryptography mailing list. Then the P2P forums.

I highly recommend reading through the archives. There are several good observations to make there, like how scaling was basically the first issue he addressed (or failed to address, depending on your view).

Another interesting thread: https://bitcointalk.org/index.php?topic=1347.msg15121#msg151...


interesting points, thanks. also thanks for your contributions to the project.

i wonder if stylometry could be (was?) applied to C++ code to have better evidence about authorship?



thanks, sounds promising. might toy around with that over weekend.


Only if other open code exists?

Most code produced is not open source.

But given he open sourced Bitcoin, he may have open sourced something else.

Code style does change over time, I know mine has. But I wonder if there are invariants as well. That would be a fascinating research project.


stylometry of just bitcoin source code could at least establish if there was one author or multiple.


Thank you for your contributions.


It's worth repeating: This is a C++ codebase. It listens to open ports on the public Internet. One single remote exploit and you lose all your money. The author basically threw code over the wall and the open source community where contributors come and go all the time took over. And one single remote exploit is all it takes.

(This causation is perhaps less true today when it is more common to use encrypted or even hardware wallets, but before that everyone just used the standard wallet.)

Yet none of this has happened. The odds of this seem vanishingly unlikely. Then there's the risk of consensus problems that would enable double spending, which is very difficult to test for.

At the same time original Bitcoin was far from perfect. Someone wrote up a summary of important changes Hal Finney did which I can't seem to find. He pointed out a lot of problems which would have made Bitcoin not work at all which resulted in some early redesigns and the removal of many opcodes.

Parts of Bitcoin also went nowhere, notably the marketplace, pay-to-IP and payment channels. The ideas live on as Openbazaar and Lightning but completely redesigned from the Satoshi origins.

In so many ways it is an enigma.


> One single remote exploit and you lose all your money.

That's not true. Few people use the wallet included in the Bitcoin node, most people use nodes indirectly to broadcast transactions and sync the blockchain.


Hence the sentence in parentheses. It used to be true for everyone. Now there are other options, but there's still a lot of people who use the standard one in absolute numbers. Plus all the exchanges, payment processors and other third party services which all rely on it.

Even if you don't personally keep your coins online, a hacker that scores a million coins on a zero day is enough to plunge the value for a long time. You still lose either way.

The point is that this hasn't happened. Even though it sort of should have. That's remarkable.


I'm super curious why C++ was chosen when the risks are so high. Performance?


Likely experience. Most would write something so large in a language they are comfortable in.


That's a really bad reason for something you'll be working on for a few years where a single bad bug could ruin it when it goes live. You'd think picking a language where buffer overflows and memory management bugs were impossible would be a minimum requirement. If you're good at C++ most other languages are a breeze in comparison as well.


Which is why I wouldn't be surprised if "Satoshi Nakamoto" turns out to be, not an individual, but a tightly-knit team of people, including BOTH professional coders who write software for a living AND computer scientists with strong academic backgrounds. Bitcoin is in my view too impressive an achievement to be the work of a single person working in isolation.


From my experience a truly visionary project never comes from a group of "talented" people but from a single person who had a laser-focused vision and did whatever possible to make that happen. Having a focused vision is what drives the brilliant solution, not some group of smart people who try to come to a consensus.


"... not some group of smart people who try to come to a consensus."

You mean like the IETF?


IETF doesn't create the vision (and the results are embarrassing when they try); it standardizes stuff (and lets people add tons of optional complexity) after the initial prototype is done. IEEE and ECMA have similar attitudes while ISO seems to do more design-by-committee.


Couldn't have said it better myself.


Yes, like IETF. Not discrediting their contribution. Organizations like those are needed, just like how a non-founder operator CEO can be beneficial once a startup takes off.


The problem I see is when in their supposed wisdom they discredit the potential contribution of some lone visionary. And this goes back to your original premise, with which I strongly agree. History shows that sometimes one highly skilled programmer working alone has accomplished things that teams of programmers could not.



> too impressive an achievement to be the work of a single person working in isolation.

It's been done before... for example, djb


Wow, this was a path I did not expect this conversation to take. Thank you for mentioning this.


Could you explain what his accomplishment was in terms a non-cryptographer could understand?


First of all djb is https://en.wikipedia.org/wiki/Daniel_J._Bernstein and the accomplishment was releasing a secure email server (qmail), a secure webserver (publicfile), and a secure BIND server (djbdns). Both qmail and djbdns became widely used, and the main alternatives were projects supported by large teams.

It took 8 years before the first bug was found in these projects.

I highly recommend reading through the guidelines in https://cr.yp.to/qmail/guarantee.html for how to write secure software. In particular point 5, Don't Parse, is broadly applicable and underappreciated. A well-known class of bugs arising from this error are SQL injection attacks.


Or Linus and Linux?


I think it's very hard for a group of people to coordinate behind a pseudonym that's so high profile.


It's hard to tell though. It may well be a single person who was inspired by multiple people's work and ideas. I like to compare the work of a single individual with how amazing Lord of the Rings is. I'm impressed it took a single person to write the whole thing.


Careful analysis of the source code might offer some clues regarding whether it's the handiwork of a person or a group.


Monero's codebase uses an array of subdomains which return a list of other seed nodes in a GET response, and then the codebase appends the appropriate port number onto those.

All the cryptocurrencies built on top of techniques that worked on other cryptocurrencies. I really like the iteration speed as well as how non-finite any limitation today is.


Since you seem familiar with Monero, I would like to ask what you think of it? I ask from the perspective of one who thinks the anonymous function of cash is a key factor bitcoin doesn't provide, and I've heard monero is one of a few options that does.


Monero, and all crypto-note infrastructure, is about 2 years behind transparent blockchain technology, and thus has a lot of growth as it becomes a viable option for more use cases.

For example:

Multisignature transactions are just becoming available. The lack of multisignature made it a non-starter for many applications, including on darknet marketplaces, because rudimentary escrow or deposits were needed. When the operator goes down, all your funds are on their server and are gone with it, but with multisignature as seen in bitcoin and ethereum, you always have control of your funds and they are never in limbo.

Meta-assets are not possible yet. Asset creation is one of the big tenets of Ethereum right now, and there are many assets on bitcoin as well for even longer. Many organizations use this as a way to raise capital, bringing in a lot more capital into the base currency's economies. Monero and crypto note don't have this capability yet, but being able to issue and hold balances of these privately, with audit capabilities, will be powerful.

2nd layer scaling solutions are not even on the roadmap yet in any crypto note network. Cryptonote has the same scaling problems as bitcoin or ethereum, but the key sizes accelerate that. Cryptonote coins have dynamic block sizes already, but it may react too slowly to really help periods of many transactions. Monero already encounters this issue. Bitcoin style cryptocurrencies have Lightning Network via Segwit. Ethereum has Raiden on the roadmap.


Do you have an email I can reach you at? I have a quick question.

(HN hides the email field in your profile, so if you want to make it publicly visible you'll have to put it in your profile's "about" field.)


Zcash has opt-in private transactions which are computationally very expensive. So, they do work, but being opt-in they might as well not exist. In my opinion full privacy must be mandatory for all participants for it to be truly effective. Monero is currently the only project that fits this criterion.


Monero is the -only- option that offers fungible currency. Monero Research Lab is actively employing full time PhD researchers to assess and improve where needed the strength of the underlying crypto and the implementation thereof. Zcash is not an acceptable substitute, as is the common opinion. I mention this only because you say "monero is one of a few options".


Zerocash was developed by (and is still being improved by) full time academics.


Which is probably why they have no idea that the user experience is irreparably broken to ensure privacy.

The same criticisms exist as since Zerocash was just a white paper.

I will say that there is the possibility that they can make the optional opaque transactions the more ready option, but you can look at the blockchain and see that nobody uses those addresses. Zerocash is just a bitcoin clone if you don't use the opaque addresses.


There is ongoing work to speed up private transactions that should make it possible to make privacy the default. At that point Zerocash will essentially be a completely private version of Bitcoin.

And Zerocash wasn't just a white paper, it was peer reviewed and analyzed by security and cryptography experts.


What are the current limitations of private transactions, are they slower than the normal ones?

Not sure what you are trying to say about the papers. I saw they were academic and theoretical.


The current limitations of private transactions are essentially that they are slow and that they don't support things like multisig or timelocks. All of these limitations are being worked on.

The academic paper you refer to had both a theoretical construction and an implemented system.


Just chiming in to say your username gave me a chuckle. Big Monero fan as well.


:) let's educate them all


Just clicked to check it out and was reminded about how much I like the base-58 scheme they used for addresses.


There's so much like that. I'm going to try to write a blog post highlighting all the gems.

My favorite is:

    IMPLEMENT_SERIALIZE
    (
        READWRITE(prevout);
        READWRITE(scriptSig);
        READWRITE(nSequence);
    )
It's a C++ macro that implements reading and writing member variables to/from disk/network. It uses C++ templates to figure out the sizes of everything, so it winds up packing items efficiently. We used something similar in the gamedev industry, so this was a delightful surprise.

Ohh, no, I take it back. This is my favorite:

    //
    // Compact size
    //  size <  253        -- 1 byte
    //  size <= USHRT_MAX  -- 3 bytes  (253 + 2 bytes)
    //  size <= UINT_MAX   -- 5 bytes  (254 + 4 bytes)
    //  size >  UINT_MAX   -- 9 bytes  (255 + 8 bytes)
    //
    inline unsigned int GetSizeOfCompactSize(uint64 nSize)
    {
        if (nSize < UCHAR_MAX-2)     return sizeof(unsigned char);
        else if (nSize <= USHRT_MAX) return sizeof(unsigned char) + sizeof(unsigned short);
        else if (nSize <= UINT_MAX)  return sizeof(unsigned char) + sizeof(unsigned int);
        else                         return sizeof(unsigned char) + sizeof(uint64);
    }
When encoding an arbitrary value, if it's less than 253, it only uses 1 byte of space. When you read a byte off the network, if it's 253, you know there are two more bytes to read. 254 = 4 bytes, 255 = 8 bytes.

Again, it's a small thing -- very standard tactic. But there are dozens of tiny, effective decisions exactly like this all throughout the codebase.

There's a secure allocator for wiping your private key so that it doesn't hang out in memory, with hacks to work around MSVC8 problems. Which academics bother with MSVC8 hacks?

    //
    // Allocator that clears its contents before deletion
    //
    template<typename T>
    struct secure_allocator : public std::allocator<T>
    {
        // MSVC8 default copy constructor is broken
        typedef std::allocator<T> base;
        typedef typename base::size_type size_type;
        typedef typename base::difference_type  difference_type;
        typedef typename base::pointer pointer;
        typedef typename base::const_pointer const_pointer;
        typedef typename base::reference reference;
        typedef typename base::const_reference const_reference;
        typedef typename base::value_type value_type;
        secure_allocator() throw() {}
        secure_allocator(const secure_allocator& a) throw() : base(a) {}
        ~secure_allocator() throw() {}
        template<typename _Other> struct rebind
        { typedef secure_allocator<_Other> other; };

        void deallocate(T* p, std::size_t n)
        {
            if (p != NULL)
                memset(p, 0, sizeof(T) * n);
            allocator<T>::deallocate(p, n);
        }
    };
Another gem (note the comments):

    case OP_EQUAL:
    case OP_EQUALVERIFY:
    //case OP_NOTEQUAL: // use OP_NUMNOTEQUAL
    {
        // (x1 x2 - bool)
        if (stack.size() < 2)
            return false;
        valtype& vch1 = stacktop(-2);
        valtype& vch2 = stacktop(-1);
        bool fEqual = (vch1 == vch2);
        // OP_NOTEQUAL is disabled because it would be too easy to say
        // something like n != 1 and have some wiseguy pass in 1 with extra
        // zero bytes after it (numerically, 0x01 == 0x0001 == 0x000001)
        //if (opcode == OP_NOTEQUAL)
        //    fEqual = !fEqual;
        stack.pop_back();
        stack.pop_back();
        stack.push_back(fEqual ? vchTrue : vchFalse);
        if (opcode == OP_EQUALVERIFY)
        {
            if (fEqual)
                stack.pop_back();
            else
                pc = pend;
        }
    }
    break;

Bitcoin is worth N billion dollars right now, and this codebase really is a billion dollar codebase. Is this really the work of a single person?
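A stand-alone CompactSize encoder and decoder, added here as an illustration and not taken from the Bitcoin codebase. It mirrors the thresholds of the quoted GetSizeOfCompactSize and adds what a parser reading untrusted network bytes also needs: a length check before reading the trailing bytes, and rejection of non-canonical encodings (a value that fits in a shorter form but arrives in a longer one), the same kind of "extra zero bytes" ambiguity the OP_NOTEQUAL comment above describes. The function names, DecodeResult struct and sample byte strings are my own.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// CompactSize layout, as in the comment block quoted above:
//   value <  253         -> 1 byte (the value itself)
//   value <= 0xFFFF      -> 0xFD + 2-byte little-endian value
//   value <= 0xFFFFFFFF  -> 0xFE + 4-byte little-endian value
//   otherwise            -> 0xFF + 8-byte little-endian value

// Append the low `nbytes` bytes of v in little-endian order.
static void putLE(std::vector<uint8_t>& out, uint64_t v, int nbytes) {
    for (int i = 0; i < nbytes; ++i)
        out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

// Encoder: always emits the shortest (canonical) form.
std::vector<uint8_t> encodeCompactSize(uint64_t n) {
    std::vector<uint8_t> out;
    if (n < 253) {
        out.push_back(static_cast<uint8_t>(n));
    } else if (n <= 0xFFFFu) {
        out.push_back(0xFD); putLE(out, n, 2);
    } else if (n <= 0xFFFFFFFFu) {
        out.push_back(0xFE); putLE(out, n, 4);
    } else {
        out.push_back(0xFF); putLE(out, n, 8);
    }
    return out;
}

struct DecodeResult {
    uint64_t value;    // decoded length/count
    size_t consumed;   // bytes used from the input
};

// Decoder for untrusted input: bounds-checked and canonical-only.
// Throws std::runtime_error on a truncated or non-canonical encoding.
DecodeResult decodeCompactSize(const uint8_t* buf, size_t len) {
    if (len < 1) throw std::runtime_error("truncated CompactSize");
    uint8_t tag = buf[0];
    if (tag < 253) return {tag, 1};

    int nbytes = (tag == 0xFD) ? 2 : (tag == 0xFE) ? 4 : 8;
    if (len < 1 + static_cast<size_t>(nbytes))
        throw std::runtime_error("truncated CompactSize");

    uint64_t v = 0;
    for (int i = 0; i < nbytes; ++i)
        v |= static_cast<uint64_t>(buf[1 + i]) << (8 * i);

    // Smallest value that legitimately needs this tag; anything below it
    // could have been encoded shorter, so two byte strings would mean the
    // same number. Reject to keep one number <-> one encoding.
    uint64_t minForTag = (tag == 0xFD) ? 253
                       : (tag == 0xFE) ? 0x10000ULL
                       :                 0x100000000ULL;
    if (v < minForTag) throw std::runtime_error("non-canonical CompactSize");

    return {v, 1 + static_cast<size_t>(nbytes)};
}

// Helper: encode then decode, and check both value and length agree.
bool roundTrips(uint64_t n) {
    std::vector<uint8_t> e = encodeCompactSize(n);
    DecodeResult r = decodeCompactSize(e.data(), e.size());
    return r.value == n && r.consumed == e.size();
}

// Helper: true when the decoder accepts the byte string as-is.
bool decodes(const std::vector<uint8_t>& bytes) {
    try {
        decodeCompactSize(bytes.data(), bytes.size());
        return true;
    } catch (const std::exception&) {
        return false;
    }
}

int main() {
    // Constructed sample: 300 needs the 0xFD form -> fd 2c 01
    std::vector<uint8_t> e = encodeCompactSize(300);
    for (uint8_t b : e) std::printf("%02x ", b);
    std::printf("\n");
    return 0;
}
```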


I really hope you make that post highlighting your favorite parts of the C++ Bitcoin codebase; it is super interesting! Keep up the great work.


That was probably inspired by ASN.1 or other serialisation protocols.

The formatting of the code in that function also puzzles you for an instant, but then you realise just how much clearer it makes it over the "lame" but "consistently formatted" alternative of

    if ( )
    {
        ....
    }
    else if ( )
    {
        ...
    }
    ....


No those weren't the work of a single person. You're quoting versions of the code base that post date the public introduction of bitcoin. Some of the things you call out were written by others, and others were written in response to public review.


Even people working on bitcoin aren't fans of base58. Variable length serialization? Bignums in the serializer? Poor error detection? No error correction? Confused characters in alphabet? Case sensitivity? Lots of reasons to dislike.


>Poor error detection? No error correction?

It's implemented at a higher level. For bitcoin, a 32 bit check field is appended to the data to serve as a checksum. If you want parity, I'd imagine that could be done as well.

>Confused characters in alphabet? Case sensitivity?

Some look alike letters are excluded, hence why base58 rather than base62.


> Confused characters in alphabet?

That's really the only reason I was saying I liked base58. Because it removes those confusing characters compared to base64 or others.


Ah, but it doesn't do a very good job of that. It only removed a few pairings, and made some odd choices at that. Hence why I list it as one of the issues.


Interesting code. Some first impressions. 1. This gigantic file can be split into multiple smaller files. It even takes a while for my browser to render the whole source file. 2. There is inline assembly in the code. Is this for performance or some other purposes?


The code is in smaller files but that link was for demonstration purposes I guess.

Here is the most updated bitcoin repo: https://github.com/bitcoin/bitcoin


My impression, being in the bitcoin community and talking to some core devs, is the opposite. The code was rushed and rather amateurish, and there were bugs professional developers should not make.


> This article correctly shows that virtually none of the ideas underpinning Bitcoin are new. They can all be traced to the academic literature going back decades.

Yes, the debts Satoshi owed to others were obvious right from the start. I made pretty much exactly the same argument as OP over 6 years ago in my then-widely-read essay "Bitcoin is Worse is Better" https://www.gwern.net/Bitcoin%20is%20Worse%20is%20Better - Bitcoin built on many established tools and concepts and its true contribution was putting them together in a way that was conceptually alien and disgusted people immediately on arrival. (Proof of Work still viscerally disgusts many people! _plus ça change, plus c'est la même chose_ (the more things change, the more they stay the same), eh? Anyone can invent something that everyone wants - everyone wants a cheaper or faster computer, for example - but it takes genius to invent something that everyone hates, thinks is useless, wasteful, evil, or all three simultaneously, and eventually wins grudging acknowledgement that it may actually be a good idea.)

It's nice that Arvind & Clark have gone into more detail about the predecessors, though, I suspect that most Bitcoiners these days have little idea about it (although I think they overstate a few of them - Satoshi didn't know about B-money until he was told by Back and so most accounts of Bitcoin's genesis overstate its influence).


Hey gwern, it's you! I remember reading "Bitcoin is Worse is Better" and forwarding to quite a few friends. Great article, really like the pieces you've written over the years. Keep up the good work.


If that counts as "not a new idea, but just a new combination of existing ideas" then it's hard for me to think of anything that does count as a "new idea."


This. True originality doesn't exist if you want to be reductionist. This is a game people use to minimize contributions of others.


Isn't everything built in top of previous work?


Many people don't know this. Bitcoin in particular is often portrayed as coming out of nowhere.


What I'm saying is that nothing comes out of nowhere, and plenty of things are portrayed as coming out of nowhere. Bitcoin isn't anything special. I believe all the hate it receives is simply because of all the extra attention it gets and the unsavory people that surround it, and not because it is any more or less of an achievement than anything else.


No


Examples?


The very first idea ever.


Everything is built on top of previous work which I do not intend to diminish here. But, Satoshi is a total genius. The complexity and ingenuity of Bitcoin are just amazing.


None of the ideas in PageRank were new either. We all stand on the shoulders of giants.


I view Bitcoin as a more impressive achievement.

As far as I understand it, PageRank reduces to "find the principal eigenvector of a stochastic matrix," in which matrix elements represent the probability of transition from each web page to every other web page. To me PageRank is a successful application of a well-known algorithm.

Bitcoin's peer-to-peer protocol, on the other hand, is a new distributed algorithm. Prior to Bitcoin, no distributed algorithm existed capable of maintaining an agreed-upon blockchain of transactions in perpetuity.

EDIT: Removed the word "kind of" in response to mayank's and axus's comments below.


From Eigenmorality (https://www.scottaaronson.com/blog/?p=1820):

“I was also impressed by a similar research project called PageRank, which was proposed later by two guys at Stanford named Sergey Brin and Larry Page. Brin and Page dispensed with Kleinberg’s bipartite hubs-and-authorities structure in favor of a more uniform structure, and made some other changes, but otherwise their idea was very similar. At the time, of course, I didn’t know that CLEVER was going to languish at IBM, while PageRank (renamed Google) was going to expand to roughly the size of the entire world’s economy.

In any case, the question I asked myself about CLEVER/PageRank was not the one that, maybe in retrospect, I should have asked: namely, ‘how can I leverage the fact that I know the importance of this idea before most people do, in order to make millions of dollars?’

Instead I asked myself: ‘what other “vicious circles” in science and philosophy could one unravel using the same linear-algebra trick that CLEVER and PageRank exploit?’ After all, CLEVER and PageRank were both founded on what looked like a hopelessly circular intuition: ‘a web page is important if other important web pages link to it.’ Yet they both managed to use math to defeat the circularity. All you had to do was find an ‘importance equilibrium,’ in which your assignment of ‘importance’ to each web page was stable under a certain linear map. And such an equilibrium could be shown to exist—indeed, to exist uniquely.”
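The "principal eigenvector of a stochastic matrix" reduction mentioned earlier in this thread, and the "importance equilibrium" in the Eigenmorality quote above, are the same fixed-point computation. Here is an added example (not code from the page, from Aaronson, or from Google) that finds that equilibrium by power iteration on a small constructed link graph. It uses the standard damping-factor variant, which I assume here so that the equilibrium is unique even for graphs with sinks; the graph `CONSTRUCTED_LINKS` and the damping value 0.85 are my choices, not anything the page states.

```python
"""Power-iteration PageRank on a tiny constructed link graph.

The rank vector r is the fixed point of the linear map
    r' = (1-d)/N + d * M r
where M is the column-stochastic transition matrix of the graph
and d is the damping factor.  Iterating the map converges to the
principal eigenvector, i.e. the 'importance equilibrium'.
"""

# Constructed example graph: page -> list of pages it links to.
# C has the most in-links, D has none, so we expect C > A > B > D.
CONSTRUCTED_LINKS = {
    "A": ["B", "C"],
    "B": ["C"],
    "C": ["A"],
    "D": ["C"],
}


def all_nodes(links):
    """Every page that appears as a source or a target."""
    nodes = set(links)
    for targets in links.values():
        nodes.update(targets)
    return sorted(nodes)


def apply_map(links, rank, damping=0.85):
    """One application of the PageRank linear map to a rank vector.

    A page with no out-links (a 'dangling' node) spreads its rank
    uniformly, which keeps the matrix stochastic.
    """
    nodes = all_nodes(links)
    n = len(nodes)
    new = {v: (1.0 - damping) / n for v in nodes}
    for src in nodes:
        outs = links.get(src, [])
        if not outs:
            share = damping * rank[src] / n
            for v in nodes:
                new[v] += share
        else:
            share = damping * rank[src] / len(outs)
            for t in outs:
                new[t] += share
    return new


def pagerank(links, damping=0.85, tol=1e-12, max_iter=10_000):
    """Iterate the map from the uniform vector until it stops moving."""
    nodes = all_nodes(links)
    rank = {v: 1.0 / len(nodes) for v in nodes}
    for _ in range(max_iter):
        new = apply_map(links, rank, damping)
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def is_equilibrium(links, rank, damping=0.85, tol=1e-8):
    """True if the vector is (numerically) stable under the map."""
    mapped = apply_map(links, rank, damping)
    return max(abs(mapped[v] - rank[v]) for v in rank) < tol


if __name__ == "__main__":
    r = pagerank(CONSTRUCTED_LINKS)
    for page, score in sorted(r.items(), key=lambda kv: -kv[1]):
        print(f"{page}: {score:.4f}")
    print("stable under map:", is_equilibrium(CONSTRUCTED_LINKS, r))
```

The circular definition ("important if linked from important pages") is resolved exactly as the quote says: the only thing the code looks for is a vector that the map sends back to itself, and for the damped map that vector exists and is unique.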


I always thought it would be neat to use something similar to determine "UserRank" in order to solve Eternal September.


It's actually not a new kind of distributed algorithm:

1. Peer-to-peer algorithms: BitTorrent would like a word with you.

2. Distributed consensus: Paxos would like a word with you.

3. Proof of work: hashcash would like a word with you.

That said, I find the Bitcoin paper to be a delightful synthesis of a bunch of well known ideas.


The total is much more than the sum of the parts in this case. You get whole new dynamics that were unpredictable from the single parts.

Like saying that the first calculator was not a new kind of machine because valves existed and people made calculations before.


Prior to Bitcoin, there was NO distributed algorithm capable of maintaining an agreed-upon blockchain of transactions in perpetuity, in a manner resistant to attack by fraudulent nodes. Such an algorithm didn't exist prior to Bitcoin.


I think mayank wanted you to say "Bitcoin's peer-to-peer protocol, on the other hand, is a new distributed algorithm"


I can get on board with that :)


Me too. I updated my original comment to state exactly that.

I love HN :-)


The genius idea of bitcoin, afaik, is that Satoshi created a brilliant incentive scheme, which was the reason why the nodes decided to join the network. Without this factor it would have been impossible for bitcoin to grow this far.


That is known from the very beginning, Bitcoin is the culmination of years of research and prior work done in the fields of economy and cryptography.

What makes it special is that it was the first digital money that actually works.


You forgot an important word there that's also your username.

There were lots of digital money systems that worked but were centralized.


:-)

All money systems are digital money systems. Source: 20 years in FinTech.


The economic incentives underlying bitcoin mining, the Nakamoto consensus solution to the Byzantine fault tolerance problem, is new.


> This article correctly shows that virtually none of the ideas underpinning Bitcoin are new.

The same can be said for any good or bad idea.


To be 100% fair you should recognize that Wei Dai was very close.


Coauthor here. Here's some context for how this essay came about.

When we released a draft of the Princeton Bitcoin textbook [1], one piece of feedback was that we focused on cryptocurrency technology as it is today, and ignored the juicy and tumultuous history of how the ideas developed over the last few decades. So I invited Jeremy Clark, who's connected to some of this history, to write a preface to the book. If you're interested in the history, you might enjoy that chapter. [2]

Jeremy and I then got together to develop the ideas further, resulting in the present article, where we also provide some commentary on the current blockchain hype and draw lessons for practitioners and academics.

[1] http://bitcoinbook.cs.princeton.edu/

[2] https://d28rh4a8wq0iu5.cloudfront.net/bitcointech/readings/p...


Thank you for writing this, and for posting here.

We need more people like you to write about and help demystify Bitcoin, to counter the hype surrounding blockchain technology.

I hope you get an opportunity to write about this for a lay audience too, because mainstream media, with few exceptions, has done a poor job at covering the technology.


When you were researching the ledger part, I'm curious whether you've come across a DAG-based ledger. I've been reading the byteball [1] paper and still can't tell whether it's baloney or really the DAG is a consensus that does not require PoW... I suspect it's neither, there are trade-offs, but I could not find much of anything good on the subject to read.

[1] https://byteball.org/Byteball.pdf


A great DAGchain paper is "SPECTRE - Serialization of Proof-of-work Events: Confirming Transactions via Recursive Elections". It's peer reviewed and contains rigorous security proofs.

https://eprint.iacr.org/2016/1159.pdf


Interesting read, quite a unique perspective.

One thing I found interesting about the conclusion of OP's article is the role of academia vs practical implementation.

> Many academic communities informally argued that Bitcoin couldn't work, based on theoretical models or experiences with past systems, despite the fact that it was working in practice.

It will be interesting to see the Academically based SPECTRE competing with another DAG based coin such as Byteball. Well measured research and a peer-reviewed foundation against practical implementation, first to market and continuous improvement.


Academia and industry both have filtering problems, how to tell good ideas from bad ideas.

The industry solution tends to be to try things and see what works in practice. This is extremely expensive in time and only a small number of ideas can be tried. Furthermore the success or failure depends on the execution and marketing. If Bitcoin had not had the developer commitment in the early stage it would be dead and forgotten despite the great ideas.

The academic solution is that ideas should come with detailed arguments about why the solution works, what its flaws are and how it compares to other work. This allows ideas to be compared and judged more quickly at a lower expense. However constructing these arguments is hard, requires rare knowledge and is not always possible.

Academics dismissed Bitcoin because it did not have these arguments. They had no way to know if it would work when it was running with real money on the line. Distributed systems ideas are very hard to get right and Bitcoin had all sorts of quirks that Satoshi didn't foresee; however, PoW turns out to be a very robust mechanism.


Thank you, this is what I was looking for. It'll probably take the whole upcoming weekend for me to grok this, but the first thing that caught my eye was that SPECTRE still has PoW, while byteball somehow claims that it isn't necessary... or maybe I'm misreading something. Thanks again.


The most fundamental question in any DAG chain is how they address conflicting transactions in two different paths.


After 12 years as an academic computer scientist, Bitcoin was the most impressive computer science research I saw.

And it came from outside the academy.


It's more than just science. I believe it changes the world more than anything in the last 30 years. I have been thinking of what the world would be without internet / computers / mobile phones, but having a great liquid store of value. If I had to choose only 1 of these technologies for my life, I would pick Bitcoin.


Agree it has the potential to be as disruptive to world society as the web or smartphone.

I mined a few satoshis in early 2014, stopped when hash difficulty got too hard and didn't pay Bitcoin much attention for the next few years.

A couple of months ago I decided to jump back in to the whole crypto coin ecosystem and check out what's going on and, honestly, it's staggering how fast this space is evolving. I'm getting the same feelings I had in 1997/1998 with the web: there's something big going on and it feels exciting.

Playing around with Ether Delta, watching smart contracts execute on etherscan, syncing my wallets up with blockchains, anonymously trading coins & tokens on exchanges, chatting to believers/trolls/curious peeps on forums. The whole vibe reminds me of geocities / audiogalaxy / slashdot in the late nineties.

I think the ideas (technical & political) Satoshi Nakamoto crystallised into Bitcoin represent the beginning of something fundamentally transformative and I can't wait to see where it ends up.


>The whole vibe reminds me of geocities / audiogalaxy / slashdot in the late nineties.

I get the same feeling, it's as if we just discovered what we can do with Macromedia Flash after only having HTML and rudimentary JS + VBScript :)


You do realize you need internet / computers for Bitcoin to exist, right?


The p2p network could be implemented over radio and without computers we'd just have a far lower hashrate and probably a different PoW algorithm. I don't see any reasonable way we would have discovered cryptocurrencies before the internet and computers though.


Both of which have been around for more than 30 years. I agree that both were significantly greater inventions, but I wouldn't put Bitcoin far behind them.


Yes, I know how things work. I just imagined my life if none of the technologies were invented, except an amazing store of value + great currency at the same time.


I am not sure you read the article.


It's amazing to me it took 15 years to go from hashcash to Bitcoin. I think it speaks to the strangeness of Bitcoin, and its niche ideological underpinnings. Bitcoin solved a problem that most people never thought about. Yet if you're looking to solve Bitcoin's problem set, calibrated hashcash to secure a ledger seems completely obvious.

I also thought that Bitcoin's ASIC-vulnerability (and thus mining centralization) would be fatal. It turned out to be not fatal (yet), but that's not something which could be determined on paper. It needed real-world use before people knew if it could work or not.


One of the points of the article is that the field wasn't idle during those 15 years; bit gold, b-money, and Finney's RPOW made incremental improvements on hashcash that led to Bitcoin.

Also, Bitcoin is kind of a "dirty" solution to the consensus problem; if all the academics were looking for an elegant solution it's not surprising that they didn't discover it.


I mentioned to an academic computer scientist that I worked with blockchains. He immediately asked "So these blockchains, how do they do consensus? Isn't it some kind of majority vote?" I said "Well, kind of, in combination with economic incentives to follow the longest chain." He just said "Well, come on! That's the whole problem! That's not a solution!" or something like that. Not impressed at all!


Bitcoin does not meet the requirements identified by the academic community for a usable digital currency. On the other hand, it works (while nothing that came out of academia in this area ever has). Infer from that what you will.

It would be nice if science had a term for its equivalent of "outsider art."


The repeated claim that Bitcoin came up with a totally new and unknown way of solving the problem always irks me.

Everyone keeping a complete history of all actions is, like, consensus 101.

Research is based around not having to do that.


That wasn't the key insight -- it was the idea that you could get a working solution under the assumption that 50%+1 of the hashing power is from honest nodes as long as those nodes agreed to coordinate on the ledger with the most proven work invested in it.
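The comment above (coordination on "the ledger with the most proven work invested in it") and the earlier "proof of work: hashcash" point can be shown together in one toy. Here is an added example, written for this thread and not taken from the page, from the Bitcoin paper or from Bitcoin Core: a hashcash-style block chain in which each block must hash below a target, and a fork-choice rule that picks the branch with the most cumulative work rather than the most blocks. Everything in it is simplified and assumed: difficulty is a number of leading zero bits, the expected work of a block is taken as 2^bits, blocks are plain dicts hashed as JSON, and the two competing branches are constructed inline. Real Bitcoin uses a 256-bit target, a binary header format, double SHA-256 and a work formula derived from the target; the fork-choice idea is the same.

```python
"""Toy proof-of-work chain with a most-cumulative-work fork choice.

Assumptions (this is an illustration, not Bitcoin's format):
  * a block is a dict {prev, data, bits, nonce};
  * its hash is SHA-256 over the canonical JSON of that dict;
  * the proof-of-work check is 'top `bits` bits of the hash are zero';
  * expected work for a block at difficulty `bits` is 2**bits hashes.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # prev-hash of the first block, by convention here


def block_hash(block):
    """Canonical hash of a block dict (sort_keys gives determinism)."""
    encoded = json.dumps(block, sort_keys=True).encode()
    return hashlib.sha256(encoded).hexdigest()


def meets_target(hex_hash, bits):
    """Hashcash-style check: the top `bits` bits of the hash are zero."""
    return (int(hex_hash, 16) >> (256 - bits)) == 0


def mine_block(prev_hash, data, bits):
    """Search nonces from 0 until the block hash meets the target."""
    nonce = 0
    while True:
        block = {"prev": prev_hash, "data": data, "bits": bits, "nonce": nonce}
        if meets_target(block_hash(block), bits):
            return block
        nonce += 1


def build_chain(blocks_spec):
    """Mine a chain from (data, bits) pairs, each linked to the previous."""
    chain = []
    prev = GENESIS_HASH
    for data, bits in blocks_spec:
        block = mine_block(prev, data, bits)
        chain.append(block)
        prev = block_hash(block)
    return chain


def validate_chain(chain):
    """Every block must link to its predecessor and carry valid PoW."""
    prev = GENESIS_HASH
    for block in chain:
        h = block_hash(block)
        if block["prev"] != prev or not meets_target(h, block["bits"]):
            return False
        prev = h
    return True


def chain_work(chain):
    """Cumulative expected work: sum of 2**bits over the chain."""
    return sum(2 ** block["bits"] for block in chain)


def select_chain(candidates):
    """Fork choice: among valid candidates, the one with the most work.

    This is the 'most proven work' rule, not 'most blocks': a shorter
    branch mined at a higher difficulty can win.
    """
    valid = [c for c in candidates if validate_chain(c)]
    return max(valid, key=chain_work) if valid else None


def tamper(chain, index, new_data):
    """Return a copy with one block's payload rewritten (PoW not redone)."""
    copied = [dict(b) for b in chain]
    copied[index]["data"] = new_data
    return copied


if __name__ == "__main__":
    # Constructed branches: three easy blocks versus two harder blocks.
    long_easy = build_chain([("a1", 8), ("a2", 8), ("a3", 8)])
    short_hard = build_chain([("b1", 12), ("b2", 12)])
    print("work long/easy :", chain_work(long_easy))
    print("work short/hard:", chain_work(short_hard))
    winner = select_chain([long_easy, short_hard])
    print("chosen branch  :", [b["data"] for b in winner])
    print("tampered valid :", validate_chain(tamper(long_easy, 0, "x")))
```

Two things the toy makes visible that the sentence alone does not: the fork-choice rule is about accumulated work, so the three-block branch loses to the two-block branch; and editing any historical block invalidates it and every block after it, because both the PoW check and the `prev` link are over the block's full content.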


Hashcash was still missing a major piece: the idea of the blockchain as a solution to Byzantine fault tolerance.


Yes, this is the Satoshi idea. PoW to create consensus in an unpermissioned and open system.


"asic-vulnerability" is actually an asset. If Bitcoin were mined with CPUs or GPUs, any large organization or government could just point their computing power at Bitcoin and disrupt it.


Should I really explain why that doesn't make sense? With GPUs or CPUs individuals can outweigh large organizations. With ASICs, the 'many' are far less because the barrier to entry is so high, so the many can't easily outweigh the few and centralization occurs.


Don't be condescending. There are a couple more factors at play that make this more nuanced. First is that entering the ASIC field requires more time and economic outlay, so it's not something an attacker will do overnight. Also, it removes anonymity from an attacker as it's hard to hide the source of a large ASIC farm. Lastly, because of the investment in time and money, the existing well known players are not incentivized to turn their farms into attack vectors. I do recognize that the gov of China could force all miners there to do that, but I didn't claim that ASICs made BTC invulnerable, only that they are safer than CPU/GPU mining.


> it removes anonymity from an attacker as it's hard to hide the source of a large ASIC farm

This has already been shown to be untrue, an anonymous pool has mined both bitcoin cash and the segwit bitcoin chains.


CPU-, and to a certain extent, GPU-based mining is problematic because in the real world today all mining is concentrated in the hands of botnet operators.

That used to be a mounting problem in the Bitcoin world which began to fade away with the introduction of FPGA-based miners, but it's still a problem with a couple of altcoins. There are pros and cons with both compute-hard and memory-hard PoW but many seem to lean towards compute-hard being the less bad choice.


> all mining is concentrated in the hands of botnet operators

Do you have a source for this? I'm not even sure what CPU based currencies you are talking about. GPU based proof of work seems like even more of a stretch seeing as particular high end cards that are better with integers and bit shifting are usually used.


> any large organization or government

China is already well on their way to doing this, with Jihan Wu and the emergence of larger mining 'cartels'.


I loved reading this.

Bitcoin is truly something worth more than the sum of its parts. I don't feel that the creative combination and implementation of existing ideas diminishes the achievement one bit. (Not that the article made it out this way, just my 2 satoshis)


Anyone serious about cryptocurrencies will know at least two ideas not being Satoshi originals - 1. Ecash, Digicash - authors refer to it in paragraph one as something people are aware of. 2. PoW/Hashcash - Sure people might not be aware of the anti-spam but they are aware of Hashcash and Adam Back.

That being the case, I think the authors' assumption that everyone in the bitcoin space thinks of Satoshi as the one inventing everything and hence the article needs to prove otherwise is... well, false at best.


I completely agree. There is nothing new to somebody a bit involved in bitcoin. There is even a website which is old and widely known (http://nakamotoinstitute.org) where all the referenced literature is listed...


/me waits for the citation for the prior fault tolerant 'consensus' with O(N) scaling; or for the consensus process that doesn't have approved membership but still achieves some useful security properties


This was a great read. I've been in a pretty heated debate with one of my friends (as BTC seems to do) about the origins of the technical underpinnings of Bitcoin. I'm relatively new to the cryptocurrency space, but it seems like there is a huge political push (Cypherpunk ideology) promoted by a vocal slice of the BTC community. Every time I ask for the history and origins, my friend credits everything to the Cypherpunk community.


Gwern Branwen noted all this ages ago, and should have been cited in this paper.

https://www.gwern.net/Bitcoin%20is%20Worse%20is%20Better


Gwern actually replied elsewhere in this thread mentioning that paper. It's a great read.



