What Satoshi Did Not Know (2015) [pdf] (ifca.ai)
165 points by MrXOR 24 days ago | 184 comments

With the benefit of hindsight, the biggest thing Satoshi didn't know (or didn't foresee) was that the idea of "one CPU, one vote" was flawed, a victim of its own success, because of mining ASICs.

A consequence of that is that bitcoin and related cryptocurrencies really aren't as decentralized as claimed.

It's fascinating how things just seem to have a way of becoming centralized once enough money is involved, even when engineers thought hard about how to avoid that (see also: the internet).

Decentralization works great for small communities and use cases. The moment you start scaling you run into a myriad of problems:

- fraud/abuse (spam)

- outsized influence of providers who make it easy to get on board without having to self host (gmail)

- inability to easily change your protocols to handle new features (IMAP4 is from the 90s)

- inflexibility to easily fix bugs and distribute patches across the entire fleet

- unequal footing in both feature capacity and security posture from node to node

Email, Matrix/Riot, etc all suffer from these problems. As does bitcoin. That's not to say that they're not overcomeable, but many of the challenges (especially fraud/abuse) require close collaboration between different decentralized node owners - which to some, defeats the purpose. I ask, what is the internet if not a way to communicate, so I guess I don't think it defeats the purpose.

I'm actually interested to see what matrix is doing, because they seem to realize that a platform of decentralized nodes that handles a lot of the challenges (updates, auth, etc) means that people will be able to build their own new use-cases on top of the network, or diverge.

Anyways, despite these problems, despite the uphill battle in user experience, despite the pain of self-hosting, despite all of the challenges: I still do it.

The internet is a miracle and one way to keep it a miracle is to take the reins of your presence on it.

This is the blockchain trilemma: Decentralization, Scalability or Security, choose only two.

That isn’t the trilemma - it’s decentralization, scalability and global state.

That's true for distributed computing in general so it has nothing specifically to do with the blockchain protocol itself.

Global state? Please explain more.

Perhaps they meant global consensus?

How is global consensus not global state?

What are we consensing on, if not a mutually agreeable set of facts (state) that we can use as a basis for future decisions?

If the answer is “nothing” then you by definition have a toy, not a tool.

I suspect they're referring to how some blockchains (e.g. Ethereum) are using sharding and Lightning to scale.

It has been solved a long time ago. Just remove the PoW; it's not needed. XRPL did it first, others followed.

Ripple is not permissionless. I think Algorand[1] is the first.

[1] https://people.csail.mit.edu/nickolai/papers/gilad-algorand-...

That Algorand paper suggests a way of scaling consensus to large numbers of nodes, i.e. by running a consensus algorithm on a random sample of nodes. It doesn't address scalability with respect to transaction volume, which is what people usually mean in the context of the blockchain trilemma.

>It doesn't address scalability with respect to transaction volume.

For scalability with small transaction volume, Coda[1] is the best.

[1] https://codaprotocol.com

That's laughable nonsense tbh. People should "mine" to compress the blockchain lol. The blockchain (the history) isn't even needed. Have a look at XRPL srsly, it's the perfect example: it has terabytes of past transactions and they are stored by some nodes, but it's not needed to make progress. And ofc it could be compressed, but that totally destroys its purpose. If you want the transactions you want to be able to query them, which you can't do efficiently if it's compressed.

History is very much needed to verify that the current state was arrived at by following the rules.

No, that's a commonly made up thing coming from bitcoin, where "balances" don't exist and the state of the ledger is defined by the chain of past transactions. It is a design decision, not a fundamental rule. It does not apply to the XRPL, where each closed ledger has to follow all rules and contains all information to make forward progress. For example, if a balance would be made up it would be guaranteed to violate a rule now (in the current ledger); there is no need to know the past transactions, because if you add balances that would change the sum of all balances, which obviously violates the rules. So from that point on each following ledger would be obviously, and known in real time to be, invalid. In reality ofc that can't happen because the software would simply not include a transaction that causes the invalid state. If for any reason there would actually be something considered "wrong" in the past it would not have any effect. The system is the code itself; all participants agreed on running the same code and agreed that what the code deems valid is valid and unchangeable forever. A bug can be fixed but what it caused in the past can't be. So the whole validation thing is useless; it was validated already by the rules (the code) that were running back then. Validating it again with a bug-fixed version of the code is useless. Just like if you would find an error in the bitcoin blockchain that validated fine with the version from that time. So what? It doesn't matter, it can't be changed, and if someone sends you bitcoins he only has because of a bug, how does that matter if it doesn't change anything in the present? You don't have to trust that no mistakes were made in the past; you only need to trust that the past can't be changed to rely on the system in the present.

Here's an example of how you can validate the current state without knowing the past.

Imagine there are 100 coins made from something that does not exist besides in these coins. Someone wants to pay something to you using 2 of these coins. Do you need to know where he got them from and where the person before got them from and so on? If you know there are only 100 in total (state is public), and no way to change that (rules/code is known), and you know that if you take the 2 no one can force you to give it back (transactions are irreversible), then no, you don't need to know the past transactions at all. Maybe they were stolen in the past a thousand times, also lost and found by someone else many times. Does it matter? Not at all.

The need to verify history applies to all cryptocurrencies, including account-based ones like Ethereum and XRP. You can assume the current state as valid and verify from there on, but then you're not a fully verifying node, and you risk being fooled by some peers presenting you with a made-up current state.

You just repeated yourself and you are still wrong. Maybe read my message or inform yourself somewhere else. There is no way for anyone to fool you with a made-up state. The system's state is public, remember? It's up to you from whom you get it, but usually from one node, and the hash from many others to verify that all have the same state. And unlike with bitcoin, a longer chain can't show up later.

You didn't even say permissionless in your post. Ripple is a company; you mean the XRPL. The XRPL is permissionless in every aspect. You can insert transactions without anyone's permission. You can run a node without anyone's permission. You can fork and create your own version without anyone's permission. You can change code and create an amendment without anyone's permission. It needs 80% favorable votes for two weeks to become active, but it doesn't need anyone's permission. There is no entity that can vote against it and prevent it.

I think you point out a lot of issues with decentralized services that lead to centralization.

Matrix is exciting, but still has the hosting problem. Even with the easy ability to get a host from them for $10/month you're still going to have a handful of players providing most of the hosting.

I think Urbit's design is actually really interesting and makes some progress on a few of these problems.

> Fraud/abuse (spam)

Their ID model, which has inexpensive and limited IDs that require some cost ($10-20), changes the economics of spam. IDs carry a reputation.

> Outsized influence of providers

Urbit still has some of this in the sense that where you host your 'planet' (basically your private server) will probably end up being dominated by centralized groups that do this work for you. Where it's different though is the design of urbit means your server is only accessible by you and the communication is still p2p/encrypted. It's a little like Matrix in that way, but the design makes install and updates way easier.

The other cool bit is that the p2p complexity is abstracted away at the application layer, so things are decentralized by default without the users having to be aware of any of that complexity. You'll eventually be able to share photos from one user to the other and no centralized server is required.

> Bug fixing across fleet

Urbit's hierarchical structure is a good solution to this too. There are 256 'galaxies' which are voting governance nodes in the network. Each of these spawns 256 'stars' (basically infrastructure nodes) and each star can spawn 65,536 'planets' (individual IDs or private servers for users). Updates come down the pipe from stars and get seamlessly applied to all users on the fleet.

User planets can escape to a different star if their star becomes a problem. Stars are incentivized to remain up and neutral in order to stay relevant. Similarly stars can escape to different galaxies if there's an issue with theirs. In an extreme case a 'stellar congress' could push back against the galaxy governance body if they had to and start reporting to their own.

> unequal footing in both feature capacity and security posture from node to node

The OTA approach and functional VM design solve this for Urbit.


A more detailed introduction: http://hyperstition.al/post/urbit-an-introduction/

Anyway - I've been playing with it for the last few months during lockdown and it's the most interesting thing I've seen in a while.

I wrote that second link :) delighted to see it in the wild

Cool! - I thought it was a pretty good summary of a lot of the details.

Thanks for writing it.

"one-CPU-one-vote" comes from Satoshi contrasting the alternative of "one-IP-address-one-vote".

It's not about equality but fairness. Anyone can invest and purchase CPUs whereas the allocation of IPs is political. Satoshi never stated or expected one CPU should map to one individual person.

Satoshi said "At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware." https://satoshi.nakamotoinstitute.org/emails/cryptography/2/

"The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms. The rest will be client nodes that only do transactions and don't generate." https://satoshi.nakamotoinstitute.org/posts/bitcointalk/287/

Thanks for this, I wasn't aware of these quotes that definitely provide important context for my comment.

I think my broader point stands, though: despite engineering efforts towards decentralization, market forces push Bitcoin towards centralization (due to mining pools and due to consolidation amongst manufacturers of mining hardware).

The most important counterbalance to this is not in the Bitcoin protocol but is instead an economic one: large mining operations have an interest in keeping up (at least the perception of) decentralization, because that's why people like Bitcoin.

At that point however, you're back to a system where the safeguards are not of a technical nature at all. Maybe Satoshi foresaw that to some degree, but apparently he wasn't able to engineer around it.

You will notice how all those giant servers are all located in first world countries where the infrastructure and political stability is good.

Is this sarcasm or you're calling China "where the infrastructure and political stability is good"?

I mean, no-one's denying the technical accomplishment of bitcoin, but if the envisaged final scenario was power in the hands of the rich, what the heck was the point?

The purpose of Bitcoin is a digital currency where no central authority can debase the currency. Bitcoin stands in contrast to bank currency like the dollar, where central banks inflate the money supply to prop up the insolvency of their government and its banking cartel.

The fact that mining is a capital intensive operation has little to do with Bitcoin’s decentralization. Nodes cannot change the supply. When I wake up tomorrow I’m reasonably certain there will still be ~21,000,000 bitcoins, while the central bank will have further inflated the money supply https://upload.wikimedia.org/wikipedia/commons/thumb/c/c4/Co...

There’s nothing wrong with what you’re saying, but I find it hard to see why that matters. I mean, 1) bitcoin still isn’t a currency and there’s no signs of it becoming one 2) the banks and governments seem fine. It’s definitely gaining in value, but so is Apple stock and gold.

But more generally, I don’t see the point. We’ve established that the people who end up with lots of bitcoin are people with lots of fiat money (and some early investors), so all you’re doing here is perpetuating the current economic distribution, and frankly fiat currency and the corresponding banking system is very effective at that already.

Someone else having a lot of capital doesn’t prevent me in any way from acquiring or creating wealth. That somebody has more money than me doesn’t concern me.

You’re right, gold and stocks can also preserve capital against the constant depreciation of fiat currencies. I prefer bitcoin to gold because I can more easily hold my own bitcoin and transfer it globally. I don’t own stocks because I don’t care to tie my savings to the performance of various businesses.

Has there been an attempt to create an "one-IP-address-one-vote" cryptocurrency?

Huge advantage, no electricity waste.

Should allow for much larger transaction volume as well. IP-address vote flows naturally since well we are still using IPv4 to communicate.

The only downside would be that there would be some big winners in Apple, MIT, US Postal Service, that is, anyone else with a /8 block.

Countries like Chad with 4096 addresses for population of 10M would benefit much less but they would still be in the game.

The opportunity cost of electricity, what you call waste, is the most apolitical and ungameable resource available. Every other example to "vote" I've seen quickly devolves into another political game.

Pretty sure Satoshi knew ASICs would eventually come. We miners were talking about them in 2010 on the forums and IRC when he was still around engaging with the community

Of course he foresaw that.

You can exchange money for CPUs, so the system was built so that those with more money have more influence over the blockchain.

The idea of votes being proportional to the dollars you control is very popular in some circles.

In contrast, one-person-one-vote systems tend to create regulation for financial institutions, which is something crypto currencies often like to avoid.

That consequence doesn't follow. Capital intensive mining does not make the blockchain any more decentralized, as long as miners don't collude enough to form a single majority. Game theory suggests that financially motivated attackers would do best to avoid that, however.

Even if ASICs were not mentioned by name, Satoshi wrote about how mining was expected in the future to be the work of large bank-like organizations, but apparently did not worry that this would harm the project.

What he may not have foreseen was the emergence of mining pools, separate from miners themselves, that in certain ways can behave like cartels. That could have been avoided with a mining pool protocol where miners are the ones to form blocks, but the software included no possibility to pool mining power at all.

Mining pools aren't inside the protocol. They collude outside the protocol.

Collude to do what though?

> protocol where miners are the ones to form blocks

Miners would identify themselves.

The only cryptocurrency that has achieved the "one CPU one vote" goal is Monero. RandomX is an impressive feat; I encourage you to look at the technical specifications and the security audits it has been through from notable firms.

> aren't as decentralized as claimed

This is a vague notion that doesn't make any sense. The purpose of the design of Bitcoin was not to give equal representation to every CPU. It is to prevent undue interference in transactions by third parties. And by that measure Bitcoin is definitely decentralized enough.

To do anything nefarious you need at least 51% of hash power and to not care that you are damaging the integrity of the blockchain, and even then you can't steal from or rewrite the blockchain - you can only prevent future transactions from going through.

A 51% attack can rewrite previous transactions in the Blockchain.

That just isn't true. Please don't spread misinformation about what you don't understand.


The Binance article is confusing. It says transactions can be reordered, but not reversed. The reality is that someone in control of 51% can change the history (because that is what is required to reorder transactions).

You are just going to state something that is blatantly false without any evidence or references? The nature of 51% attacks is pretty well known among the cryptocurrency community, and it's not hard to understand the technical aspects of it. You can't rewrite history because you don't have the private keys to the wallets you want to steal coins from. It's impossible. You can only affect transactions around the time of the attack.



"An attacker that controls more than 50% of the network's computing power can, for the time that he is in control, exclude and modify the ordering of transactions. This allows him to:

* Reverse transactions that he sends while he's in control

* Prevent some or all transactions from gaining any confirmations

* Prevent some or all other generators from getting any generations

The attacker can't:

* Reverse other people's transactions

* Prevent transactions from being sent at all (they'll show as 0/unconfirmed)

* Change the number of coins generated per block

* Create coins out of thin air

* Send coins that never belonged to him"

That’s not what “rewrite history” is generally accepted to mean. Substituting historical transactions with alternatives, and thereby reverting all dependent transactions is rewriting history. By doing so you can invalidate any transaction, so long as you control at least one input in the ever expanding web of prior transactions.

But that once again is only current transactions. It gets exponentially harder to interfere with transactions with each block in the past. And if you just decided to do so with arbitrary hash difficulty to make it faster, it will be very obvious and easy to reject.

Not if you control more than half of the hashpower. Then it’s just a matter of time.

Please don't spread misinformation about what you don't understand. Look up what a re-org attack is. Frankly, binance and other exchange websites are bad ways to learn about the bitcoin protocol.

Ummm.... There is literally already a name for this attack. It is called a reorg attack.

Doing a reorg of the blockchain can cause all sorts of problems, and reverse all sorts of things, depending on what those transactions were, and how they are re-ordered.
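The disagreement above ("it gets exponentially harder with each block in the past" versus "not if you control more than half of the hashpower, then it's just a matter of time") is exactly the calculation in section 11 of the Bitcoin whitepaper. The following is an added example, not code from the thread or from any Bitcoin implementation: it implements the whitepaper's attacker-success formula and the "how many confirmations do I need" search that exchanges and merchants use to set their confirmation policy. The function names and the 0.1% target are this example's own choices.

```python
from math import exp


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the total hashrate
    ever overtakes the honest chain once it is z blocks ahead of him.

    This is the race model from the Bitcoin whitepaper (section 11):
    the attacker's progress while the honest chain mined z blocks is
    Poisson with mean lambda = z * q / p, and from a deficit of d blocks
    the chance of ever catching up is (q/p) ** d.
    """
    p = 1.0 - q
    if q >= p:
        # More than half of the hashpower: the private chain grows faster on
        # average and catches up with probability 1, however deep the history.
        return 1.0
    lam = z * (q / p)
    poisson = exp(-lam)  # Poisson probability of k = 0 attacker blocks
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # advance to P(k) from P(k - 1)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(0.0, total)  # guard against tiny negative rounding residue


def confirmations_needed(q: float, target: float = 0.001, limit: int = 10_000):
    """Smallest confirmation depth z at which the attacker's success
    probability drops below `target`, or None if it never does (q >= 0.5)."""
    for z in range(limit):
        if attacker_success_probability(q, z) < target:
            return z
    return None


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.5):
        print(f"q={q}: P(z=6)={attacker_success_probability(q, 6):.7f}, "
              f"confirmations for <0.1%: {confirmations_needed(q)}")
```

With q below 0.5 the probability falls off exponentially in z, which is the sense in which old blocks become "harder" to rewrite; at q of 0.5 or more the function returns 1.0 for every depth, which is why a majority attacker can reorganise arbitrarily deep history given enough time and why the defensive lever is the confirmation count, chosen against the largest hashrate share one is willing to assume hostile.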

Other posts have pointed out that he did foresee that. However, if we want to prevent specialized hardware from taking over, we do have a very easy solution in the form of memory-hard hash functions like scrypt or argon2. These didn't exist back in the day, but it's a very trivial change to the bitcoin model (and there are coins that use these), so it's not like this represents some fundamental architecture failure in bitcoin.

Memory-hard PoW doesn't prevent specialized hardware from taking over. Witness the ASICs for scrypt, Equihash, CryptoNight, ethash, and Cuckatoo. Also, a good PoW should be trivially verifiable, and thus hashcash makes a poor memory-hard PoW [1].

[1] http://cryptorials.io/beyond-hashcash-proof-work-theres-mini...
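The "trivially verifiable" objection above is easy to see in code. The example below is added here and is not from the thread or from any coin's code base: it builds a hashcash-style proof of work on top of two different hash functions, plain SHA-256 and the memory-hard scrypt from Python's standard library, and reports what a verifying node must pay per check. The header bytes, difficulty levels and scrypt parameters are constructed for the demo and are much smaller than anything a real system would use.

```python
import hashlib
import struct

# Constructed sample block header; in a real system this would carry the
# previous block hash, merkle root, timestamp and so on.
HEADER = b"example-header:prev=00ab:merkle=cd12:time=1700000000"

# Small scrypt parameters so the demo runs in well under a second; every
# evaluation touches a 128 * r * N byte table (1 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 1024, 8, 1


def sha256_pow(header: bytes, nonce: int) -> bytes:
    """Bitcoin-style candidate: a single compute-bound hash of header||nonce."""
    return hashlib.sha256(header + struct.pack("<Q", nonce)).digest()


def scrypt_pow(header: bytes, nonce: int) -> bytes:
    """Memory-hard candidate: scrypt must fill its table on every evaluation,
    for the miner and for the verifier alike."""
    return hashlib.scrypt(header + struct.pack("<Q", nonce), salt=header,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def leading_zero_bits(digest: bytes) -> int:
    """Hashcash difficulty measure: number of leading zero bits in the digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mine(pow_fn, header: bytes, difficulty_bits: int, max_nonce: int = 1 << 16) -> int:
    """Brute-force a nonce whose digest has at least difficulty_bits leading zeros.
    Expected cost is about 2**difficulty_bits evaluations of pow_fn."""
    for nonce in range(max_nonce):
        if leading_zero_bits(pow_fn(header, nonce)) >= difficulty_bits:
            return nonce
    raise RuntimeError("no solution within max_nonce")


def verify(pow_fn, header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """A verifier re-runs pow_fn exactly once. The asymmetry (2**d evaluations
    to mine vs. 1 to verify) is the same for both functions, but the absolute
    cost of that single verification is whatever one evaluation costs."""
    return leading_zero_bits(pow_fn(header, nonce)) >= difficulty_bits


def verifier_memory_bytes(pow_fn) -> int:
    """Approximate working memory one verification needs: scrypt's table size
    versus SHA-256's 32-byte state plus one 64-byte message block."""
    if pow_fn is scrypt_pow:
        return 128 * SCRYPT_R * SCRYPT_N
    return 32 + 64


if __name__ == "__main__":
    for fn, bits in ((sha256_pow, 12), (scrypt_pow, 6)):
        nonce = mine(fn, HEADER, bits)
        print(f"{fn.__name__}: nonce={nonce}, verified={verify(fn, HEADER, nonce, bits)}, "
              f"verifier memory per check={verifier_memory_bytes(fn)} bytes")
```

The point the thread makes falls out of `verifier_memory_bytes`: with SHA-256 a full node checks a header in a few hundred nanoseconds and bytes of memory, whereas with scrypt the verifier has to do the same memory-filling work as one mining attempt, so raising the memory parameter to make ASICs less attractive raises the cost of every node that merely validates blocks, not only of the miners.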

> It's fascinating how things just seem to have a way of becoming centralized once enough money is involved, even when engineers thought hard about how to avoid that (see also: the internet).

This phenomenon even has three distinct names: grift, cronyism, and nepotism.

Bitcoin is economics.

Proof-of-Work relies on miners investing and competing. Miners that continually invest generally win - and those that do not, die. The stronger the system, the harder for Bitcoin enemies to subvert/takeover the system.

In 2008, miners used CPUs, several years later miners moved to GPUs, several years later miners moved to ASICs, and recently miners moved to data centers.

> In 2008, miners used CPUs,

Umm. It's not that old, testnet maybe but not the public blockchain.

He did foresee that, if you read his writings.

It's a way more fundamental flaw. Production of anything is always more efficient if controlled by a single entity. "Producing" hashes is no exception. If "producing" X hashes per second costs Y, then "producing" Xk hashes per second won't cost Yk. It costs less because of optimizations.

Yes, but a single entity owning all the hashrate would also significantly decrease the value of Bitcoin, which acts as a balance.

Reality shows otherwise. We don't need one entity to control all the hashrate. One controlling more than 50% is already fatal. Depending on what definition you use we already have that. China as a jurisdiction can be considered one entity. The price may or may not calculate that risk in, but no matter how much it would fall it does not turn back time. Remember, hashes per second are cheaper to produce when you produce more. That doesn't change if the price drops. The small hash producers are first to become unprofitable and have the smallest reserves, and as soon as they go bankrupt the others are more likely to become profitable regardless of price, simply because there is now less competition. If one of the large players would go bankrupt the market would be flooded with cheap ASICs, most likely to be bought up by the remaining large players.

If the owner (China) values something else higher, not so much.

Did Satoshi Predict Pooled Mining, Big Farms and ASICs?


Bitcoin technology was never decentralized, merely distributed, despite ideals about how the software could be used.

What is decentralized is the currency at the user level. It has taken the power of control away from a central authority.

I find it bizarre that this comment is upvoted since it's so deeply ignorant of the evidence/history. I'll cite my sources down below but I want to emphasize that I really thought the HackerNews community would be more informed about bitcoin and cryptocurrencies. Maybe this was a false assumption on my part but...it's disappointing nonetheless.

"At that stage, most users should start running client-only software and only the specialist server farms keep running full network nodes, kind of like how the usenet network has consolidated." [1, emphasis added]

"The current system where every user is a network node is not the intended configuration for large scale. That would be like every Usenet user runs their own NNTP server. The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms." [2, emphasis added]

To clarify, these are excerpts of satoshi's comment that were in a thread. They've been kept through the Nakamoto Institute website (i.e. my source is a secondary source). I chose this and not the bitcointalk threads because it's Satoshi's writings only.

A few points to note, 'full network nodes' are nodes that do both mining and validating of wallets; not just validating like the Lightning Network or SPV clients. First quote talks about 'like how usenet network has consolidated' which hints at knowing about centralized farming. Second quote is more direct to rebuff the above opinion, fairly directly.

> the biggest thing Satoshi didn't know (or didn't foresee) was that the idea of "one CPU, one vote" was flawed, a victim of its own success, because of mining ASICS.

He knew. In the beginning, it wasn't truly one CPU, one vote. If you had a higher-end single cpu, you definitely got more than one vote since most people don't have the average CPU (it's high-end for a reason). Satoshi clearly had this in mind. Early adopters were awarded more bitcoins with their average CPUs then, than high-end ASICs today. This was all thought out in the economic sense and security sense, attempting to balance both.

>A consequence of that is that bitcoin and related cryptocurrencies really aren't as decentralized as claimed.

I feel this opinion is based on the crypto-twitter opinions. Or based on many 'bitcoin maximalists'. Basically, a narrow-minded group that isn't really seeking to inform the public, they just want to 'moon' and meme.

But looking at this critique from a different perspective, it's extremely decentralized in its mining function. How many people have mined bitcoins? Throughout time? Has it always been one central authority (Satoshi, Gavin, etc)? Or have people from all stripes been able to? Yes. Many regular working people could buy an ASIC and mine today. That's fairly decentralized, no FED needed to inject a new QE.

Will you make a profit? That's not the question. Decentralization mining exists but at what cost?

I could also unpack the idea that buying coins in 2009 would be considered a decentralization of the currency, since there would be more people (not less/centralized) holding the currency, therefore more dispersed.

But let's return back to Satoshi to conclude. Satoshi thought about CPUs, FPGAs, GPUs, and ASICs. Look at his writings. Look at the OG code. Look at the whitepaper. He created an architecture that creates cryptographic trust through a proof of work function. He knew about Moore's Law and incorporated it. The specifics were quoted above but this conclusion is to bring everything together that bitcoin was thoroughly designed in such a way that thought through ten, twenty years in the future, based on the best science available then. My final thought is that Satoshi 'didn't think about______' is an opinion based on ignorance or it's something outside of the scope of Satoshi's intent with bitcoin. He has many posts that explain enough to settle most debates. Please read more, do less criticizing and when you're informed, let's have a mature discussion.

[1] - https://satoshi.nakamotoinstitute.org/posts/bitcointalk/105/...

[2] - https://satoshi.nakamotoinstitute.org/posts/bitcointalk/287/...

P.S. I'm not a Satoshi worshipper. I've done extensive research and came to my own conclusions. You can debate my auxiliary points but without reading Satoshi's writings, you're missing the context of the actual debate.

So you see Ethereum as a better solution!

Colin Lemahieu set out to solve a lot of the problems that Bitcoin suffers from by creating Nano (nano.org). He did this by having each account have its own blockchain, rather than using one blockchain for all transactions. The result is Nano transactions take under 1 second (fully confirmed) and there is no fee for transactions. It's also scalable, with 1465 confirmations per second (aka transactions) reached on the test net the other day. There is no mining involved, so Nano is environmentally friendly, and voting is done using a system called ORV (open representative voting), which is similar to delegated proof of stake but doesn't require actually staking and risking coins. Instead it is more like a liquid democracy system, where you delegate your voting weight to a representative you select and can change at any time. Because there are no mining fees, there is no incentive for centralization, and for this reason it is expected that the Nano voting weight will become more distributed and decentralized over time as adoption increases. From a tech perspective, Nano really is amazing.

Nano is an interesting cryptocurrency, but its very benefits are attack vectors. Currently Nano has no way of dealing with a precomputed PoW attack, which means a single attacker has the ability to effectively 'DDOS' the network. This is briefly discussed in their white paper, and AFAIK I'm the only one to have proposed a complete comprehensive solution to their problem, but the implementation appears to be so complex and would require a network split that the Nano team has moved on to less comprehensive mitigations. Currently any actor, including myself with my trivial resources, could easily DDOS the entire network, which is a major concern I hold about the cryptocurrency, and I cannot advocate its usage at least until this has been appropriately addressed.

Nano implemented Dynamic Proof-of-Work in V19 to mitigate spam attacks causing congestion on the network [1]. When the network gets congested due to a spam attack (or other reasons) the PoW required to send a transaction is dynamically raised. This should prioritize real transactions that will do the new, higher PoW, while the spam transactions that have a lower precomputed PoW have to wait to get processed until the network's PoW requirement dynamically lowers. Doesn't this mitigate the precomputed PoW attack vector? This tweet [2] also shows this dynamic PoW feature in action.

[1] https://medium.com/nanocurrency/dynamic-proof-of-work-priori...

[2] https://twitter.com/GenMeasures/status/1149855971457454081

The current mitigation enables attackers to raise the difficulty at whim and effectively disables any cached PoWs by large entities. This hurts Nano's primary feature, speed, for the end user. Also, while it certainly makes it harder for an individual attacker to attack the network, it is still very doable given enough time and resources. My proposal (which was shortly after the blog post you've cited came out) included a concept of leniency while making any possible attack exponentially more difficult both to plan and execute over a period of time, while maintaining a constant ability for entities to precompute PoWs. However, the biggest issue would be the introduction of synchronicity in an asynchronous network through probability, and it is not exactly trivial to implement. I've since moved on as I don't have the time or motivation to further pursue this (I am not exactly very hyped on the idea of cryptocurrency anymore).

Also worth noting that NANO distributed most of the supply via a CAPTCHA faucet. No token sale or mining. I think NANO is unique among cryptocurrencies with regards to its initial distribution.

This sounds incredibly interesting.

How does it work privacy-wise? Can I see other peoples wallets and who they've sent money to, received money from, etc, like Bitcoin or is it closer to Monero in that regard?

Currently, Nano is like Bitcoin in terms of privacy. So Nano is not private. However, the Nano devs are interested in adding privacy, if possible. This quote is supposedly from Colin LeMahieu in 2017:

"I love the concept of privacy in the network and it's a hard thing to do right. Any solution used would need to be compatible with our balance-weighted-voting method which means at least we'd have to know how much weight a representative has even if we're hiding actual account balances. To be fully anonymous it would have to be hide accounts, amounts, endpoints, and also timing information; with advanced network analysis the timing is the hardest thing to hide. Hopefully some day we can figure out an efficient privacy solution though the immediate problem we can solve is making a transactional cryptocurrency so we're focusing on that." [1]


>He did this by having each account have its own blockchain, rather than using one blockchain for all transactions. The result is Nano transactions take under 1 second (fully confirmed) and there is no fee for transactions. It's also scalable with 1465 confirmations per second (aka transactions) reached on the test net the other day.

What are the trade-offs being made by using this rather than a blockchain? I'd imagine the consistency guarantees would be lower?

>There is no mining involved, so Nano is environmentally friendly and voting is done using a system called ORV (open representative voting) which is similar to delegated proof of stake, but doesn't require actually staking and risking coins.

If there's no staking/risk involved, what's the disincentive for bad actors to fork the chain? The whole point of staking (and putting coins at risk) is to disincentivize that from happening.

Nano refers to their system as a block lattice rather than a blockchain. For just transferring value between users, a block lattice seems to be superior to a single blockchain like Bitcoin in terms of scalability, free transactions, and transaction speed. I'm not sure what a consistency guarantee is, but I've never heard of a Nano double spend if that's what you mean.

Since there isn't a single chain in Nano, I don't think Nano can be forked (in the BTC blockchain sense) by bad actors. Instead, a bad actor would need to have 51% of the online supply of Nano delegated to representatives they control. At that point, the bad actor could start blocking transactions. Of course, there are risks with any decentralized system. For BTC, this risk is about controlling hash rate (which can be done by controlling mining pools, not just mining hardware).

To get proper answers from the devs to these questions, your best bet would be to post them on the official Nano forum at https://forum.nano.org/

> I'm not sure what a consistency guarantee is

Without the consistency part, its trivial to make an asset that is billions of times faster/scalable/etc than nano.

I meant I don't know what specifically they meant by "consistency guarantee". Does that mean a double spend? Or a 51% attack? The Nano main net has been running since 2015 without any double spend incidents or a 51% attack.

Usually the proposers of a system define some security/consistency guarantees that they think their system meets, followed by some arguments why that is true. Users can then decide if these properties meet their needs.

"51% attack" is an attack. The corresponding security property would be something along the lines of "A malicious party that controls < 50% of the network hash power can make a transaction that is confirmed by the network n times and then make another conflicting transaction on an alternative chain, and have that chain eventually become the canonical chain, with probability negligible in n" (I probably messed up details but that is the gist).

A consistency guarantee isn't a specific attack, but the general properties of the system, what it can do and what it cannot do. The fact that nobody has done a double spend is pretty meaningless. We don't know if that's because nobody has tried/cared or if that's because it's really hard.

To put it another way: say there were two engineers who designed two bridges. Someone asks the engineers, is your bridge safe? Engineer 1 says: we made a careful design and extensive testing, as long as no more than 100 tons is on the bridge, it won't collapse. Engineer 2 says: the bridge has been there for 5 years. In that time not a single person has died from the bridge collapsing on them. Which bridge would you trust more?
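The property sketched above ("probability negligible in n" for an attacker with less than half the hash power) is exactly what section 11 of the Bitcoin whitepaper quantifies. The following is an added example, not code from the original thread or from any of the projects it discusses: it reimplements Nakamoto's estimate in Python (attacker progress modelled as Poisson with mean z*q/p, catch-up from a deficit as a gambler's-ruin term) and derives how many confirmations a merchant must wait for to push the attacker's success probability under a chosen bound. The `max_probability` default of 0.1% is the threshold the whitepaper's table uses.

```python
"""Probability that an attacker with hash-power share q overtakes the honest chain
after a victim has waited for z confirmations (Bitcoin whitepaper, section 11)."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Nakamoto's estimate.

    While the honest chain mines z blocks the attacker mines a Poisson number of
    blocks with mean z*q/p. From a deficit of (z-k) blocks the attacker still
    catches up with probability (q/p)**(z-k) (gambler's ruin), so the overall
    success probability is 1 minus the mass of cases where they never catch up.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= 0.5:
        return 1.0  # a majority attacker eventually overtakes with certainty
    p = 1.0 - q
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)  # clamp tiny negative rounding residue at large z


def confirmations_needed(q: float, max_probability: float = 0.001) -> int:
    """Smallest z at which the attacker's success probability drops below max_probability."""
    if q >= 0.5:
        raise ValueError("no finite number of confirmations is safe against a majority attacker")
    z = 0
    while attacker_success_probability(q, z) >= max_probability:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.1, 0.3):
        print(f"q={q}: confirmations for P < 0.1% = {confirmations_needed(q)}")
        for z in (0, 1, 2, 4, 6):
            print(f"  z={z}: P = {attacker_success_probability(q, z):.7f}")
```

The decay is exponential in z, which is what "negligible in n" means in practice; note that the bound is only meaningful below 50%, and that a pool operator's share counts as theirs, not the individual miners'.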

What would a consistency guarantee look like for a cryptocurrency? A whitepaper? If so, Nano's whitepaper can be found here (though I've heard it needs to be updated) https://content.nano.org/whitepaper/Nano_Whitepaper_en.pdf

If not a whitepaper, then what do you consider Bitcoin's (or any cryptocurrency's) consistency guarantee to be?

I think you're fixating a bit too much on the medium rather than the content. It could be a whitepaper, it could be a forum post, it could be a message written in the sand at the beach.

That said, the whitepaper does contain arguments in that direction. It would be nice to see more in depth formal arguments though, as well as some independent analysis.

I hate that there still hasn't been a thorough security / plausibility review on Nano; at least I haven't seen one. No one seems to take it very seriously. Maybe it's too good to be true.

A security audit of Nano was completed by Red4Sec in July of 2019. You can find an overview of the audit here[1] and the full Red4Sec report here[2]. "Red4Sec has been able to determine that the overall security level of the asset is optimal."

[1]https://medium.com/nanocurrency/nano-protocol-security-audit... [2]https://content.nano.org/Nano_Final_Security_Audit_v3.pdf

This seems to be a vulnerability analysis of the Nano source code. I meant the monetary security and game theoretic plausibility of the protocol itself.

E.g. how do we know which blocklattice is the correct one? (in Bitcoin it's the longest chain, which contains most energy and thus can't be created from thin air). Are there enough incentives to keep the network running and decentralized? Etc.
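For the Bitcoin side of that question, the rule a node actually applies is "most cumulative work", which coincides with "longest chain" only while difficulty is constant. The block below is an added example, not code from the original thread or from Bitcoin Core: it decodes the header's compact target (nBits) the way Bitcoin Core does, derives per-block work as 2**256 // (target + 1), and selects among candidate tips by summed work. `GENESIS_BITS` is the real genesis-block value; `FOUR_X_BITS` is a constructed target one quarter as large, i.e. four times the difficulty.

```python
"""Fork choice by cumulative work, with compact-target decoding as in Bitcoin Core."""
from typing import Sequence


def compact_to_target(nbits: int) -> int:
    """Decode the 4-byte compact encoding: 1-byte exponent, 3-byte mantissa."""
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if nbits & 0x00800000:
        raise ValueError("negative target is invalid")
    if exponent <= 3:
        target = mantissa >> (8 * (3 - exponent))
    else:
        target = mantissa << (8 * (exponent - 3))
    if target == 0 or target >= 1 << 256:
        raise ValueError("target out of range")
    return target


def block_work(nbits: int) -> int:
    # Expected number of hash attempts to find a header at or below the target;
    # this is the quantity Bitcoin Core accumulates into nChainWork.
    return (1 << 256) // (compact_to_target(nbits) + 1)


def chain_work(nbits_per_block: Sequence[int]) -> int:
    """Cumulative work of a chain given the nBits of each of its blocks."""
    return sum(block_work(nb) for nb in nbits_per_block)


def select_chain(candidates: Sequence[Sequence[int]]) -> int:
    """Index of the candidate with the most cumulative work.

    Ties keep the first candidate, mirroring the first-seen rule for equal-work tips.
    """
    best, best_work = 0, -1
    for i, chain in enumerate(candidates):
        work = chain_work(chain)
        if work > best_work:
            best, best_work = i, work
    return best


GENESIS_BITS = 0x1D00FFFF  # real nBits of the Bitcoin genesis block
FOUR_X_BITS = 0x1C3FFFC0   # constructed: genesis target / 4, so four times the difficulty

if __name__ == "__main__":
    longer_easy = [GENESIS_BITS] * 3
    shorter_hard = [FOUR_X_BITS] * 2
    print("longest chain has", len(max((longer_easy, shorter_hard), key=len)), "blocks")
    print("most-work chain index:", select_chain([longer_easy, shorter_hard]))
```

The three-block chain is longer, but the two-block chain at four times the difficulty carries more work and is the one a node adopts; that is why "longest" is shorthand for "most energy spent" rather than a block count.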

Each Nano account is its own blockchain. These accounts interacting form the block lattice. So it's not as though there are competing block lattices in Nano. In Bitcoin there can be a sidechain that can overtake the main chain (if the sidechain becomes longer than the main chain) and then cause a reorg of some blocks. But I don't think anything like this is possible in Nano. You'd have to ask the devs though to know for sure on the official Nano forum at forum.nano.org

In terms of the incentives to keep the network running without mining fees or proof of stake rewards, the Nano community and devs think that merchants and other services using Nano will save significant amounts of money by not having to pay credit card processing fees. This will incentivize those merchants and service providers to run their own node (which only costs around $60 per month) in order to keep the network healthy and decentralized. The lack of mining fees and proof of stake actually disincentivizes the kind of centralization we are seeing with Bitcoin mining.

Security wise Nano is DOA. Currently any attacker can effectively DDOS the network with trivial resources. I've personally proposed a complete solution to this problem over a year ago but its implementation is complex and would require a network split, and my proposal has effectively been ignored in favor of other mitigations that fall far short of protecting the network. I'm not a security researcher and hell, I'm not even in the CS field anymore, so if I could figure out and implement a network-wide attack on my own the barrier to entry is low (to be clear I have not executed any such attack). If you want to read further, the issue is a precomputed PoW attack. Nano's very benefit - speed - is its biggest pitfall.

I'd be interested to know more about your proposal to solve the precomputed work attack vector. Also, I think if you can easily create an attack that would DDOS the network, you should absolutely try it on the Nano test net. That's what the test net is there for. To my knowledge, the precomputed spam attack has been mitigated by the Dynamic PoW feature that was added in v19. See my other reply with more details on that. I would like to know more about your proposal. You can email me at purplewumpus@protonmail.com

I simply do not have the time nor motivation to conduct an attack on the Nano testnet. I've responded to your other reply with the technical shortcomings of the mitigation, my proposal is still open somewhere in github's issues but I've since moved on from cryptocurrency as a whole.
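The exchange above (and the earlier comment on why raising the difficulty disables cached work) turns on one structural fact: Nano's work is bound only to the account's previous block hash, so whoever authors a chain of blocks knows every root in advance and can grind all the work offline. The block below is an added example, not code from the original thread or from the Nano project. The work function mirrors Nano's construction (BLAKE2b with an 8-byte digest over nonce || root, compared as a little-endian integer against a threshold); the thresholds are toy values chosen so the example runs in milliseconds, and `toy_block_hash` is a placeholder for the real block hash, needed only so each block's hash becomes the next root. It shows both halves of the argument: a whole chain precomputed at the base threshold, and how many of those cached nonces survive once the network threshold is raised.

```python
"""Precomputed work on a per-account chain, and what a raised threshold does to the cache."""
import hashlib
from typing import Dict, List

# Assumption: toy thresholds. Nano's real base threshold is far higher, so each block's
# work takes seconds on a CPU; the ratio between the two values is what matters here.
BASE_THRESHOLD = 0xFF00_0000_0000_0000    # about 1 in 256 nonces passes
RAISED_THRESHOLD = 0xFFF0_0000_0000_0000  # about 1 in 4096 nonces passes


def work_value(root: bytes, nonce: int) -> int:
    """BLAKE2b-8 over nonce || root, read as a little-endian integer."""
    digest = hashlib.blake2b(nonce.to_bytes(8, "little") + root, digest_size=8).digest()
    return int.from_bytes(digest, "little")


def work_valid(root: bytes, nonce: int, threshold: int) -> bool:
    return work_value(root, nonce) >= threshold


def generate_work(root: bytes, threshold: int) -> int:
    """Brute-force the smallest nonce whose work value clears the threshold."""
    nonce = 0
    while not work_valid(root, nonce, threshold):
        nonce += 1
    return nonce


def toy_block_hash(root: bytes, payload: bytes) -> bytes:
    # Assumption: stand-in for the real block hash; only its role as the next root matters.
    return hashlib.blake2b(root + payload, digest_size=32).digest()


def precompute_chain(account_key: bytes, payloads: List[bytes], threshold: int) -> List[Dict]:
    """Generate work for every block of an account chain before any of it is broadcast.

    The first root is the account key and every later root is the previous block's
    hash; the attacker chooses all of them, so nothing has to be computed at send time.
    """
    root = account_key
    chain: List[Dict] = []
    for payload in payloads:
        chain.append({"root": root, "payload": payload, "nonce": generate_work(root, threshold)})
        root = toy_block_hash(root, payload)
    return chain


def count_valid(chain: List[Dict], threshold: int) -> int:
    """How many cached nonces still clear `threshold` without regeneration."""
    return sum(work_valid(b["root"], b["nonce"], threshold) for b in chain)


def reuse_cost(chain: List[Dict], threshold: int) -> int:
    """Blocks whose cached work must be redone before they are accepted at `threshold`."""
    return len(chain) - count_valid(chain, threshold)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed account key
    chain = precompute_chain(key, [b"send %d" % i for i in range(20)], BASE_THRESHOLD)
    print("cached blocks valid at base threshold:", count_valid(chain, BASE_THRESHOLD))
    print("blocks to redo once the threshold is raised:", reuse_cost(chain, RAISED_THRESHOLD))
```

With the toy ratio of 16 between the thresholds, roughly one cached nonce in sixteen happens to clear the raised bar, so nearly the whole cache has to be reground; that is the effect the mitigation relies on, and also why legitimate pre-caching by wallets and services breaks at the same moment.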

Interesting. What's the incentive to devote computation to make the system work if there aren't mining fees?

Merchants using Nano for transactions will not have to pay credit card processing fees. This will save them a significant amount of money. They will thus have an incentive to run a representative (a full node) that voting weight can be delegated to from other users in order to keep the network decentralized.

I think Satoshi didn't know that Bitcoin would not be a medium of exchange. It will remain digital gold. Bitcoin cannot fulfill its original promise to be electronic cash. This is the hardest hurdle for bitcoiners to understand. They think that sky high value of Bitcoin would transform it into a medium of exchange. But I think it's a false promise from Satoshi.


The biggest hurdle for cryptocurrency adoption is a medium of exchange. Most investors waste their time playing around with buzzwords like DeFi.

> Bitcoin cannot fulfill its original promise to be electronic cash.

Not as long as the Bitcoin core developers are actively sabotaging BTC's development so Blockstream can sell you the solution. Bitcoin was hijacked and it may never recover.

Lol, what? Only a small portion of Bitcoin Core contributors work at Blockstream. You should think critically rather than merely accepting as facts everything Bitcoin Cash proponents tell you.

As someone who was mining bitcoins in the very early days, like one every few hours, bitcoin has many flaws. The biggest issue is when you lose your password, you can't get your money back; over time there will be an increasing number of bitcoins that don't go anywhere, just like Satoshi doesn't spend theirs. When looking at it from a different perspective of watching network traffic at 5 eyes level, I also think of the makers of Tor: these "tools" may have the popular misconception for being secure, but now I just look at them as a 5+x eyes intelligence tool.

Here is a challenge to test this theory: computer hacking is illegal, right, but Satoshi's identity remains a mystery, they can't prove their identity in a court of law, so hack "his" bitcoin account and move his bitcoins to another bitcoin account. "He" will have to come forward to garner the help of the authorities to get his bitcoins back, ergo we will get to find out who Satoshi really is!

Put it like this, as an exercise, it will be interesting to see in court how "he" proves his identity. Do you see the problem?

Whats that Thomas Pynchon quote?

I don't understand what the problem you are referring to is.

That's a feature, not a bug. The government cannot hand over ownership of your btc. That's the whole point of decentralized.

The forgetting your password thing may be an issue for the person who forgets their password, but it is not an issue for the network. Those btc are out of circulation, sure, but there's lots more out there that people can exchange. Just don't forget your password and you'll be fine.

An escrow vs a currency.

(File under "hunch, but just guessing.")

I’m not convinced either if it can become currency but in my opinion if it will only ever become digital gold, an arguably superior version of physical gold, it’ll already be a great achievement.

Layer 2 will solve this.

Layer 2 does not solve the medium of exchange problem. The cause is volatility which is rooted in Bitcoin's limited supply design. You can dig in Layer 2 adoption. It's not growing. Bitcoin only has 2 use cases: hold and speculate. Transaction is not a use case.

Layer 2 is not necessary until Layer 1 has some kind of stability. Layer 2 can also malfunction during volatility. Ethereum has demonstrated this.

Your comment is wrong all around. Volatility doesn't prevent layer 2 from working, and it is growing. [0]

[0] https://defipulse.com/lightning-network

Well, there are decentralized stablecoins on Ethereum, like DAI.

Need I remind you that the world has been running almost exclusively on gold, which also has a limited supply "design"? That is if you look back a few thousand years. Deeply flexible currencies are mostly a recent invention, and their fate is not yet determined.

Volatility is a result of lack of actual usage of the currency. And yes, bitcoin has virtually no actual usage, save for speculation/investing. Any normal currency has hundreds of millions of contracts attached to it (starting from short term offers on groceries in your local shop). Each of those contracts is a volatility dampener. Saying that Bitcoin is not used because it's volatile is like saying that x=y because x=y.

"Need I remind you that the world has been running almost exclusively on gold,"

Actually that is not true. Gold by weight as a currency has been used at times, but many other forms of currency were used historically even by people who had gold available to them. There is a lot of historical precedent for credit money (i.e. people using debts owed to them as currency) and for coins minted with non-gold metals like iron and bronze. The earliest known currencies were "virtual," taking the form of clay tokens that were used for accounting in the ancient near east -- a civilization that was well aware of gold but considered it to be more useful for producing ceremonial objects. Shortly after inventing paper the Chinese started using paper money.

Gold is actually a terrible currency that makes trade much less efficient. Historically gold was most useful as a currency when empires were able to procure a growing supply of the metal, and when the gold stopped coming in people would switch to some other currency (typically some form of credit money).

Yeah I agree with the first paragraph. I wrote "deeply flexible", that is ultimately not redeemable by gold. Credit is okay with me.

Why do you think the second paragraph is true?

Gold has been disconnected from currencies only since 1971, and this detachment clearly has had significant impact: https://wtfhappenedin1971.com/

Even if you are only talking about the United States, 1971 was not the first time the country left the gold standard:



Historically the pattern has generally been for a metal standard to be introduced only to be abandoned when the state is unable to procure more of the metal. The Romans abandoned their silver standard and started debasing their coins shortly after the empire reached its greatest extent, almost certainly because they could not find enough silver to keep the system going (though nobody bothered to write this detail down). In ancient China various dynasties are known to have started issuing iron and bronze coins when they could not find enough gold/silver/copper to meet their monetary needs (and when the weight of coins became impractical they issued paper money).

There is no question that using weights of gold as a currency makes trade less efficient. Most merchants and most consumers do not have the equipment or expertise needed to evaluate whether or not a given weight is pure gold, and having to pay someone to evaluate a sample amounts to a tax on every transaction. The inability for a central bank to adjust the supply of money in response to changing economic conditions actually led to greater price instability when the gold standard was in place (deflation during a banking crisis). It is economically inefficient to pay people to guard vaults filled with gold bars that are never going to do anything but collect dust. Leaving the gold standard was the right thing to do every time it happened, and going back to it was in every case the wrong thing to do (motivated more by alchemy and tradition than by any serious economic considerations).

And for thousands of years the world languished in poverty. The modern age as we know it with industrialisation and trade started with the Renaissance and boomed with the move away from the gold standard because it meant countries had a way to actually manage their monetary policy against things that mattered.

The move away from gold is still an ongoing experiment. I wouldn't say it's superior or proven at this point.

Philosophically or sociologically or ecologically, fiat money may be bad, but economically it's a clear winner.

The most popular fiat currency, the US dollar, was tied to gold until 1971. It's still not clear that breaking that link was a good move.

Also this: https://wtfhappenedin1971.com/

It's prone to boom and bust which has been devastating. Hayek describes a type of money that adjusts its supply to maintain a stable price. Until now this wasn't technically possible. Ampleforth.org is an interesting experiment to introduce a new base reserve with dynamic supply and eventually a stable price. https://m.youtube.com/watch?v=9-uo-KfnkhI

Economies boom and bust. This has nothing to do with fiat currency, and is a heck of a lot better than the alternative where shopkeepers and employees are made poorer due to economic prosperity because they don't adjust their prices fast enough.

or its non-VC fork - https://based.money/!

Bitcoin is useful as a trust-less medium of exchange but in the real world, legitimate trade involves some level of trust and enforceability of implicit or explicit contracts. Nobody needs a blockchain for legitimate transactions because there is the accounting ledger which is transparent to the law and whose falsification constitutes an illegal act. For example your bank can not deduct money from your account without cause. You do not need a blockchain for the value stored in your account to be secure because falsification of ledger balances is a crime. You don't need to encrypt the account (equivalent to hiding money in an obscure place) because stealing is a crime and if bank robbery or failure happens you have the FDIC to insure your balance to a certain degree (ask users of Bitfinex circa 2015 or 2016 about this...) Thus Bitcoin is largely a solution in search of a problem unless you are dealing in a black market or trying to hide money from legitimate authorities for some other reason.

The dollar is a highly decentralised currency in actual practice. Yes, the federal reserve or treasury can increase or decrease supply of dollars but in practice in recent years the value of a dollar is set by its usability in the real world not the actions of a central authority at the margins. In fact I would venture to say that if the central authorities started to undermine the value of the dollar for global commerce the central authorities would lose their power over the dollar before the dollar lost its value. Many more countries than the USA use dollars. In fact the vast majority of physical dollars, if not dollar balances exist outside of US jurisdiction.

The only way that the dollar can and will be dethroned is if some other currency becomes widely used in commerce. That certainly won't be Bitcoin but it could be another digital currency like maybe Ripple. Bitcoin is not very usable in actual commerce. The processing time of transactions is tremendous, and the deflationary and volatile nature of the currency makes it an unsuitable store of value or unit of account. There is no reason to expect in the future bitcoin will stabilise. Its price is set by exchange speculation and a decreasing rate of new coin supply. Unless commerce overtakes exchange speculation as the price setting mechanism for bitcoin it won't be very usable for legitimate commerce.

I agree that Bitcoin remains volatile. It will never stabilize. But there's a misunderstanding that Bitcoin will replace fiat. It doesn't have to compete directly. Bitcoin is an alternative money. It's volatile but has predictable issuance. Fiat is stable but has unpredictable inflation (debasement). They co-exist. From a philosophical perspective, Bitcoin and fiat are the two extremes of Yin and Yang. They're both necessary for a functional money system.


The relatively predictable deflation rate of Bitcoin is completely swamped by Bitcoin's extremely high exchange rate volatility versus other assets. Inflation for the dollar and other major currencies is not really a problem anymore because when money supply increases or money becomes less scarce that excess is now absorbed by speculative increases in asset prices rather than CPI inflation. Thus housing and stocks, and Bitcoin go up in value but by definition these prices don't matter for inflation. Bitcoin's run up in recent years is almost entirely due to easy money (low interest rates) not due to increased usage in commerce or intrinsic factors like Bitcoin's endogenous deflationary tendency. There is no reason, why in the face of a general financial crisis, where asset prices are generally falling, prices of houses and stocks, etc, are falling, that bitcoin would not also crash. Its current price is not supported by internal deflation or increased usage. Its current price is part of a broader asset price bubble that can and will pop someday, probably soon. There is no reason why sub $100 Bitcoin is not possible a year or two from now.

Bitcoin is not really like digital gold because gold has unique properties that can not be duplicated. Anybody can create a new cryptocurrency at any time. There is no scarcity of cryptocurrency as a whole.

>Inflation for the dollar and other major currencies is not really a problem anymore because when money supply increases or money becomes less scarce that excess is now absorbed by speculative increases in asset prices rather than CPI inflation.

It's "not a problem" in the sense that you won't be struggling to buy food with your worthless dollars, but it's still problematic because it exacerbates inequality (rich people tend to have more assets that would appreciate in value).

Well this recent time you have massive inflation in speculative assets being offset by deflationary forces from massive layoffs so not much inflation overall. A huge transfer of wealth is occurring.

Anybody can create a new Facebook or Amazon at any time. Yet somehow it doesn't happen, why?

Network effect. Same with Bitcoin.

Over a long enough timeline Facebook and Amazon will also reach very low valuations.

Many here would find ampleforth.org's redbook fascinating.

You're assuming fiat currency is reliable, which is proven wrong in many jurisdictions.

It's reliable enough for the average person's purposes in my jurisdiction. If we're talking about market forces that is really all that matters.


There's that word again. Bitcoin is fiat. You can't turn it back into electricity.

> The only way that the dollar can and will be dethroned is if some other currency becomes widely used in commerce.

Ultimately, it boils down to: 'do the people want a deflationary or inflationary currency?' Stability is subjective but purchasing power isn't. What's a fair function of money for society? Not a clue.

In other words, in your view, the dollar literally cannot go tits up?

It can go out of use but it won't be due to competition with Bitcoin. A digital currency that did what the dollar does but better could give the dollar a run for its money. No such currency currently exists and I have a hard time envisioning one right now. Maybe something based on kWh as the unit of account.

The world would literally collapse if that happened.. so, no.

No, it would figuratively collapse.

I figuratively apologize :)

The world literally collapsing would be much bigger than an economic problem. Yes markets would fail along with it, but the world wouldn't end. The US isn't the first with a major economy or currency and it's arrogant to think it will be the last.

The Roman Empire was unstoppable until they over extended themselves with endless war and tried to solve it by debasing their currency. It may not happen anytime soon, but America won't lead the world indefinitely forever, it's only 244 years old for shit sake.

> The Roman Empire was unstoppable until they over extended themselves with endless war and tried to solve it by debasing their currency. It may not happen anytime soon, but America won't lead the world indefinitely forever, it's only 244 years old for shit sake.

Sure, but Britain didn't lead the world forever, either, and it's not exactly like the £ collapsed leaving everyone who held it in ruin.

America won't lead the world forever doesn't mean much unless its collapse will be so sudden and unexpected as to leave no opportunity to unwind dollar positions without catastrophic loss.

It might be worth hedging against that, but digital collectibles are a poor hedge for that circumstance. Physical resources for community self-sufficiency and physical defense against the ravening hordes are the hedge you need if you take that threat seriously.

It is a common trope to compare America to Rome. Economically America has almost nothing in common with Rome. Rome was a non-industrial economy mainly based on plunder or at least transferring products from the provinces to the central government and upper class in terms of taxation (in kind, e.g. Egyptian grain, and monetarily denominated). When the Empire stopped expanding new wealth, for the most part stopped being created. Perhaps there is a little bit of a comparison with 19th century America and expanding to the west in manifest destiny but in modern America economic growth is driven by technological change. Not conquest.

This is the rise and fall of civilizations, while expansion is possible in the sense of, the majority of people can "win" at their culture (or have a clear path to), a civilization is successful. In Rome, and America this usually means economic improvement. In Egyptian times, this meant falling in line with the religion. Carroll Quigley has a very nice framework for what is a civilization. Let's just say he was a very influential historian, mentor of one rather recent US president.

Let me pose it to you this way. In what situation could the dollar collapse without the world being in ruins?

>but America won't lead the world indefinitely forever

I'm not talking about America. I'm talking about the dollar. In our highly tied global economy, those are very much two different things. Do you think any wealthy person in the world does NOT hold dollars or have direct exposure to it?

This is a great read and obviously Gavin has thought a lot about some of the deep problems in Bitcoin, especially from the crypto side.

I was a bit disappointed to see that he punted* on one of the more well-known “shallow” problems: the energy consumption of Bitcoin mining, and the wasted computing power therein. The problem is much easier to understand than to solve, and I appreciate there is only so much room in the text. However I did hope he might at least acknowledge that this is among the more important technical hurdles for Bitcoin to overcome.

[*] there is a rather cheeky dismissal of Proof of Stake which obliquely addresses this issue

It's not really a problem. There's lots of energy around, and consuming energy isn't bad per se.

Most Bitcoin miners run on renewables nowadays, because renewables are the cheapest sources of energy when miners can locate to them.

Also, the main assumption of Bitcoin's security model is that it's rather impossible to centralize energy production on this planet (or in the universe). Proof-of-stake assumes decentralization of ownership, which is a flimsier assumption, and will fail asymptotically.

"run on renewables nowadays".

I don't think that is true. At least not here in Montana. We've had several large farms pop up in old industrial parks due to the very low cost of electricity here. It's from coal.

We hackers are naturally inclined to look for technical solutions to social problems but more and more I think this very rarely works. It's too easy for people in power to twist any particular technical solution to their own ends so the really important thing is controlling who holds power in the first place.

These articles on HN always remind me how much more work crypto has to do in terms of education to the general technical public. Crypto Twitter is a recursive bubble.

Great to see Gavin Andresen's writings getting exposure here.

Andresen, along with Roger Ver, laid much of the ground work for Bitcoin's massive run up in adoption, brand recognition and price.

Their subsequent ousting by a group that basically acted like trolls, to sabotage Bitcoin's plan to hard fork to remove the 1 MB block size limit, and thereby prevent it from becoming a ubiquitous electronic cash, has irked me to no end.

I'm not sure why you're being downvoted but you're exactly right.

Love or hate Roger Ver, you'd be hard pressed to find any historical accounting of Bitcoin's rise to fame where he's not mentioned in a favorable light.

Gavin Andresen was the best steward that Bitcoin core ever had. He managed to keep the more toxic contributors at bay for a long time although they eventually forced him out through highly unethical means ( https://www.livebitcoinnews.com/core-developer-calls-andrese... )

> Their subsequent ousting by a group that basically acted like trolls

Gavin thought so too ( https://cointelegraph.com/news/former-bitcoin-cores-gavin-an... )

> to sabotage Bitcoin's plan to hard fork to remove the 1 MB block size limit, and thereby prevent it from becoming a ubiquitous electronic cash

Here's part of the story as told by one of the more honest core devs: https://blog.plan99.net/the-resolution-of-the-bitcoin-experi...

edit: spacing

This is pretty dated. Segwit has been implemented. The lightning network is growing. No mention of sidechains like Liquid. No mention of Taproot.

Satoshi is great proof that you don't need to know everything to understand something enough to make something, read some David Deutsch.

> Segwit has been implemented

Segwit adoption plateaued around 60% and has been steadily decreasing ever since. It's a piss poor substitute for real scaling by increasing the block size like Satoshi had intended. Even if it had been a good idea, the core devs butchered the implementation.

> The lightning network is growing.

Not even close. The lightning network is the ultimate vaporware. It was promised as the solution to Bitcoin's scaling problems NINE YEARS AGO ( https://twitter.com/starkness/status/676599570898419712 ) and is to this day considered unsafe and "experimental". It failed to deliver on just about every promise it made. Even the core devs have abandoned it for Liquid.

> No mention of sidechains like Liquid

Finally, we get to see the reason that a handful of Bitcoin core devs have been holding Bitcoin hostage for ten years. Liquid is a centralized Bitcoin sidechain that allows exchanges to pay extra in order to clear their transactions faster than would otherwise be possible on Bitcoin's now neutered base layer. Liquid was recently criticized for being fundamentally insecure after this embarrassment ( https://www.coindesk.com/blockstreams-liquid-network-sent-8m... )

> No mention of Taproot.

Wake me when it's merged. The sad truth is, ever since some of the core devs formed Blockstream and hijacked BTC, they have added almost no new features on the protocol level. The only one they were willing to work on is Segwit and only because it solidified their power over BTC. They have no incentive to make BTC better. If BTC worked well, nobody would want to buy Liquid.

Let me know when any of those things are used in a significant amount by real life, in person merchants....

Because right now, the only merchant point of sale system that has any non-negligible amount of adoption, is BitPay, and the only thing they might be using is Segwit, which gives pretty minimal fee savings.

They aren't even close to using anything like lightning, or liquid, or any of that other nonsense that is not implemented by any significant payment processor, or user wallet with any significant amount of adoption.

Was Satoshi a Cryptographer?

EDIT: (probably) No [1]

[1] https://cointelegraph.com/news/satoshi-nakamoto-had-outside-...

Almost certainly not. A few things immediately stood out to me when I looked at the original Bitcoin whitepaper:

1. No clear security definition, making it hard to know what counts as a successful attack against the system he proposed. Moreover, Bitcoin requires the honest parties to do more work than the attacker, which would appear backwards to most cryptographers and further complicates efforts to precisely define the security goal.

2. No mention of the mountain of previous research on cryptographic payments. He makes claims that "all" previous systems require an intermediary for each transaction, which is not true (see: offline+transferable ecash does not, but this is not mentioned anywhere). This is not just a stylistic issue; the whitepaper has a bibliography, it simply failed to mention anything that a cryptographer would have considered related work. When Satoshi announced his idea to the cryptography mailing list a great deal of confusion ensued because the cryptographers on the list were familiar with the previous research and assumed this was in some way related.

3. Specifying algorithms and data structures with C++ code without giving higher level descriptions. This makes it hard to analyze the system because of the various ambiguities of C++ and the unnecessary and often confusing syntax. I would also add the various, entirely arbitrary constants chosen for the system, which seem to have just been chosen at random (given the lack of formal analysis it is unlikely that these are fundamental to security). This is not how cryptographers typically communicate their designs.

I would say Satoshi was an enthusiast/hobbyist who had a passing knowledge of a few cryptographic constructions he read about in books or forums. At best his formal education on the topic was likely an undergrad level course, probably taught by someone whose expertise was applied security rather than cryptography; it is more likely that he had no formal education in cryptography at all.

Some other interesting bits, to me:

- Bitcoin (and the remarkably-written whitepaper) does enough things right that it's hard to imagine a single programmer delivering that whole package (writing, math, cryptography, programming). Calling it enthusiast or hobbyist level work really downplays it.

- Great attention to detail, like base58 and the checksum (even Ethereum years later went with hex and no checksum like most people would). Or proving he didn't premine by including the newspaper headline in the genesis block.

- Really good picks of crypto primitives off the beaten path. e.g. at the time, sha-1 was more popular and has since fallen apart, the same with the more popular elliptic curves.

- Even just the script system is interesting to include in a v1 like Bitcoin. You'd expect most of us HNers to just hardcode a pay-to-pub/privkey system, not detour with a script system.

- Obsession with compression. Made his own lil compressed floating point spec. How many people would include their own FP compression to save a few bits in a v1? Especially when it just saves like one byte per block. Usually the sort of programmer who goes down these paths isn't the one shipping software.

- World-class opsec. I mean, c'mon. We're still left to folk-theory and superstitions about who Satoshi could be. Never let his guard down. No one has caught him not using Tor. Even bought his domains with cash in the mail. People doing some of the most illegal things in the world couldn't be bothered to go to half of his measures. It's mind-bending. Text analysis hasn't even found good matches on his writing or programming style. All for a project that was overwhelmingly likely to get zero traction. It's like the project was partially compelled by a time traveler from the future.

- Though there are fuck ups too in Bitcoin, like the sequence number in transaction input. Has no point, an idea that didn't pan out.

It's hard to have a real theory here. Mine is that Satoshi was a pet project that someone with some political capital at NSA or something was able to get funded for a couple years.

Either way, the mysterious origin story is exactly what a project like Bitcoin needs and deserves, I think. It's hard to imagine any other origin being quite as compelling.
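The base58 plus checksum detail praised above, as an added example (this is not code from the thread or from Bitcoin Core): Base58Check encoding and decoding in Python, with the 4-byte double-SHA-256 checksum that lets a wallet reject a mistyped or altered address instead of paying to it. Function names and the all-zero sample payload are my own constructions.

```python
import hashlib

# Bitcoin's base58 alphabet: no 0, O, I or l, which are easy to confuse by eye.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def double_sha256(data: bytes) -> bytes:
    """SHA-256 applied twice, as Bitcoin does for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    """Plain base58: big-endian integer in base 58; each leading 0x00 byte becomes '1'."""
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in s:
        if ch not in B58_INDEX:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + B58_INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(version: int, payload: bytes) -> str:
    """Base58Check: version byte + payload + first 4 bytes of double_sha256 over both."""
    data = bytes([version]) + payload
    return b58encode(data + double_sha256(data)[:4])


def b58check_decode(s: str) -> tuple:
    """Decode and verify; raises ValueError on a corrupted or truncated string."""
    raw = b58decode(s)
    if len(raw) < 5:
        raise ValueError("too short to carry a version byte and a checksum")
    data, checksum = raw[:-4], raw[-4:]
    if double_sha256(data)[:4] != checksum:
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return data[0], data[1:]


def is_valid_address(s: str) -> bool:
    """True only if the string decodes with a correct checksum."""
    try:
        b58check_decode(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: version 0x00 (P2PKH) with a 20-byte pubkey hash of all zeros.
    addr = b58check_encode(0x00, bytes(20))
    print(addr, is_valid_address(addr))
    # One flipped character: the 32-bit checksum catches it (a miss has odds of about 1 in 4 billion).
    print(is_valid_address(addr[:-1] + "3"))
```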

> at the time, sha-1 was more popular

but also had known limitations; the 'writing was on the wall' at the time that it would be obsolete 'soon' by most people reasonably up to date on the current state of the art - I wouldn't take this as too much of a 'sign' on its own.

> World-class opsec. I mean, c'mon. We're still left to folk-theory and superstitions about who Satoshi could be. Never let his guard down.

Unless he was found after all and made an offer he couldn’t refuse.

"Even bought his domains with cash in the mail."

Where is the source for that information? Mail can be traced easily, I'm pretty sure.

Exactly, people are kind of disappointed that Satoshi was not god-like in ability to know all disciplines from math to finance to programming to game theory.

I like the theory that Satoshi was Paul Le Roux: https://en.wikipedia.org/wiki/Paul_Le_Roux#Satoshi_Nakamoto_...

I think it's either Hal Finney or Dave Kleiman. Both have background in crypto and security, and both have been deceased since early 2010s - just before the meteoric rise of bitcoin. The second part is key, because given the prominence and status of bitcoin they would have been unable to stay anonymous or silent.

> they would have been unable to stay anonymous or silent.

Not necessarily. Satoshi obviously planned his pseudonymity from the start. The decision to leave the project may very well have been taken long before it was carried out.

Satoshi could be alive and well. Maybe he carried on his work under his real name, as one developer among many, or maybe not. He obviously thought fairness and trust were important enough for him to prove the non-possibility of backdating the chain (later known as premining). Planned obsolescence for the creator plays well into this scenario.

In hindsight, having no real creator has served Bitcoin well. People would have listened too much to the creator for a decentralized decision process by consensus to form.

>Not necessarily. Satoshi obviously planned his pseudonymity from the start. The decision to leave the project may very well have been taken long before it was carried out.

I don't think so. I can't disprove your claim, but people aren't very good at that kind of planning and execution. Too many things can go wrong for them to either maintain anonymity or prevent others from maintaining this anonymity.

It comes off as a bad Hollywood movie. I think the person behind Satoshi has died.

>In hindsight, having no real creator has served Bitcoin well.

We'll see. It's too early to tell. One thing's for sure, I see a lot fewer places that take bitcoin as currency than I did a few years ago. Also, the community is much more divided, and there are massive structural issues with bitcoin, from technical issues around the protocol itself, to lack of unified vision leading to forks and arguments, to massive amounts of illegal behaviour.

>People would have listened too much to the creator for a decentralized decision process by consensus to form.

Is the leadership decentralized though? At the end of the day, someone needs to hold the keys for the code that runs the bitcoin protocol. Ultimately that individual or group has the power to do anything they want with bitcoin.

Have you considered the possibility that Satoshi was some random cryptography enthusiast of little note who died in a traffic accident? He probably told nobody about his project, and the lengths he went to to remain anonymous make me think he used full disk encryption -- so his family, not knowing his passphrase, probably unknowingly destroyed all evidence of his work on Bitcoin after he passed away.

What makes you think Satoshi had any background in cryptography? Everything about the Bitcoin whitepaper and even the design of Bitcoin itself says otherwise.

>Have you considered the possibility that Satoshi was some random cryptography enthusiast of little note who died in a traffic accident?

Yes. That could also be the case. The individual behind 'Satoshi' has probably died.

>I think it's either Hal Finney or Dave Kleiman.

You must be a new bitcoin user. Before Craig Wright came into the scene, has anyone heard of Kleiman? Legit question. What evidence is there of Dave? Dave wasn't even around then, zero evidence exists outside of CSW's claims.

>Before Craig Wright came into the scene, has anyone heard of Kleiman?

The salient part of my argument is that the individual behind the 'Satoshi' persona has most likely died in early 2010s. I have no idea if either Kleiman or Finney (or both or others) were Satoshi, but both fit the profile of Satoshi, and both have died in that time-frame. If not them, then it would be some individual or individuals like them. If you are sure it couldn't have been Kleiman, I won't argue and I will defer to you.

I have followed Craig Wright's claims and he does strike me as a bullshitter (for one thing, he promised 'irrefutable' proof and never delivered). So I'm OK with writing his claims off as a total fabrication. I could also see him trying to take credit for the work of the deceased person behind Satoshi IF he was somehow connected to early bitcoin development and knew who Satoshi was.

American computer security specialists did. He was getting interviewed by US TV stations so he had some reputation in the security industry.

And btw who heard of Jeff Bezos before Amazon? Nobody.

You can not judge somebody just by looking at their past. People change and evolve.

I apologize for not being clear enough. "has anyone heard of Kleiman? Legit question." By this I mean what substantive proof exists that Kleiman was interested in the underlying technologies that bitcoin incorporates?

> He was getting interviewed by US TV stations so he had some reputation in the security industry.

The field is pretty vast. This is like saying because I've made websites, I can somehow fix your laptop. (I probably could but I couldn't come up with a solution fast and well thought out.) Satoshi was clearly meticulous about this, if you've read enough of their posts, it's clear as day.

> And btw who heard of Jeff Bezos before Amazon? Nobody.

A lot of top talent is in hedge funds. So, I'm sure many people were looking. It is fair to say I chose a weak logical argument but the point is still valid (hopefully the added clarity to my intent pushes us deeper into our actual points).

> You can not judge somebody just by looking at their past. People change and evolve.

Sure, this applies if we're trying to gauge someone's character but this doesn't apply in the expertise required to be Satoshi. Terry Tao (expert mathematician) isn't going to just randomly come up with the next bulletproof SHA function. It's out of his scope. Bitcoin is out of the scope of Kleiman's skillset. I have seen zero evidence to the contrary, other than a false narrative (perpetuated by 'news') that him and CSW created Bitcoin. Even the court has thrown out numerous dated evidence [1,2].

Being a computer forensics specialist doesn't easily port to creating a blend of PGP, Hashcash, eCash, bitgold, etc. Satoshi was an expert at this stuff. What evidence shows that Kleiman did anything? Even in the Kleiman/CSW court cases, there isn't evidence that's been produced by either party. That's the court of law. Please don't avoid this point, no evidence exists to tie Kleiman even to the ideas of digital cash. I haven't seen any and I looked into it heavily, maintaining an open mind. I got no dog in the fight, just a sizable curiosity to this mysterious character.

[1] - https://decrypt.co/21995/us-judge-throws-out-craig-wrights-l...

[2] - http://blockchaingrade.org/experts-dissect-craig-wrights-sat...

Like Gavin Andresen said Satoshi wasn't a cryptographer.

First reference in Bitcoin Whitepaper is "W. Dai, b-money". But Satoshi never heard of it, Adam Back suggested to Satoshi to read it and he decided to reference it in Bitcoin Whitepaper.

"I suggested Satoshi should look into B-Money, which he didn’t seem to know about at that time, and this is how I think B-Money was added to the paper."[1]

Satoshi said to Wei Dai "I was very interested to read your b-money page. I’m getting ready to release a paper that expands on your ideas into a complete working system. Adam Back (hashcash.org) noticed the similarities and pointed me to your site."[2]

Satoshi seemed to be a very good C++ programmer who had interests in electronic cash and cryptography, but not a cryptographer.

Look and hear what Gavin said in his presentation:

When I said 'no proof exists', I didn't mean 'no proof of authority'. I mean no document exists. Assuming Satoshi 'covered ones tracks' is a straw-man because then you open up the possibility to anyone being Satoshi, not an exclusive person.

Please understand that many people talked with Satoshi through email as well. Those emails are mostly private. When someone points to an authority, the entire argument is a straw-man, even with someone very relevant to the discussion.

> Satoshi seemed to be a very good C++ programmer who had interests in electronic cash and cryptography, but not a cryptographer.

What physical circumstantial evidence exists that shows Kleiman was good at anything you've described or was even interested in these during 2008 or earlier (heck, I can't find anything prior to 2013)? What about any interest in any digital cash/gold attempts?

The argument you're giving is fairly persistent in the crypto community. I'm not entirely sure why, except intellectual laziness. The irony here is 'proof of authority' argument...is an absolute contradiction to what bitcoin's primary function is (trustless 3rd party system). Why are people lifting up a 3rd party and not the code/evidence? An opinion (no matter how relevant) isn't what we're looking for, we are looking for evidence. Did scientific reasoning leave everyone?

(edited for grammar)

Have you read The Mastermind?

I won't spoil things, but what a man Paul Le Roux is.... Surprised there aren't 10 documentaries & films on Netflix about him.

Finally finished it this summer. So fascinating and so disturbing at the same time. Re: him being Satoshi, it's the type of thing of which he was certainly capable, but after a certain point in the development of his operations, I don't think he had the time.

From what I've seen, it just seems too implausible to me even beyond the practical considerations. Satoshi was carefully guarded, but I suspect something not that far off from his real personality shone through in all of his posts and emails. Maybe even something very close to it. I have no idea what his moral character is, but my gut feeling is that he's just not the sort of person who would work as a bogus pharmaceutical seller, spammer, drug trafficker, arms trafficker, and murderer. Of course I can't possibly claim to know this with any certainty, but I just have the feeling it's very unlikely he's anything close to a Pablo Escobar-type.

My guess is he's a single individual whose real identity has never been publicly suggested as a serious Satoshi suspect.

... Huh

I do a lot of Wikipedia reading about strange folk in this world.

I had not yet come across this dude.

Wiki page is quite the interesting read. Thanks for making me aware of him.

Satoshi used Hungarian notation?!

It’s Adam Back. Watch this video and you’ll likely be convinced.

I think Satoshi is Craig Wright like it or not. I did some research on Craig's historical writings and I compared it to Satoshi and I found many similarities between them. I will publish my research when I get more time.

I did my research as a historian would, so I started from the basics, and the first clue was that Satoshi used perfect British English, so most likely he is not American like some people imply. And why would an American link to a British daily national newspaper cover like Satoshi did in the Genesis Block?[1][2]

[2] https://www.okex.com/academy/wp-content/uploads/2020/05/thet...

I met Craig last year in person and spent some time reading his book. No way he is Satoshi; he refused to give straight answers to rather simple questions and spent the whole time making rather obvious allegations. From all the dodgy people I met in crypto over the last years, if I ever met someone where just everything screams “conman” then it was Craig. I might be wrong, who knows. But I’d be willing to make a huge bet against him.

@fyleo Time will tell, Satoshi's identity can not remain secret forever.

Sure it can. His use of remailers makes me think he used full disk encryption. His sudden disappearance makes me think he unexpectedly died (e.g. in a traffic accident), and his family probably did not know his passphrase. All evidence of this person's work on Bitcoin was probably unintentionally destroyed in that scenario, and the people who destroyed it have no idea what their loved one was up to before his death (and will never mention it, for lack of knowledge).

The guy can't even answer basic questions about cryptography.

Looking at the 0.1 code he comes across as a C++ hobbyist, not a professional.

Could you please clarify?

Comes across as an academic, not a professional.

PDF literally says no, probably not

I won’t call Bitcoin a success as long as its value is measured in dollars.

So is the euro not a success either? Or any other currency in the world for that matter?

That's completely unrelated. The Euro wasn't designed as an alternative to make USD obsolete. The Euro did do exactly what it was designed for, to unify much of Europe under one currency and economic system.

The value of a euro isn’t how many dollars you can buy with it. It is what goods and services you can buy with it, directly. That’s the point.

The greater success is blockchain. It will swallow dollars.

Blockchain would swallow databases not dollars. Currency is just one use for a blockchain, git is a great use for it and much older than bitcoin.

missed point 0: Economics.
