Bitcoin is "Worse is Better" (gwern.net)
41 points by r11t 2301 days ago | 34 comments



The logic in this post appears to be:

1. "Notice how Bitcoin has a minimal-to-nonexistent cryptographic pedigree".

2. "Here are many criticisms of the system ranging from 'it is difficult to scale' to 'it is completely meaningless as a currency', many of them from cryptographers who have studied cryptocurrencies for over a decade".

3. "Notice how Bitcoin is currently popular".

4. "Therefore, Bitcoin is worse-is-better".

It helps at this point to understand that "worse-is-better" --- a casual essay by Richard Gabriel --- describes how Unix took over the world not based on merit but on its viral characteristics. By implication, this article suggests that Bitcoin is also poised to take over the world virally.

The issue here is that Unix was also a functioning operating system. Nobody criticizes Unix as "completely unworkable"; they just think it's inelegant.

Gwern recognizes this, and uses "elegance" as a straw-man argument to bucket Bitcoin critiques into and to make it fit the pattern of "worse-is-better". But the most damning criticisms of Bitcoin --- criticisms he himself cites in this very article --- aren't that it's inelegant.

Instead, the most damning critiques of Bitcoin are instead that it almost totally fails to achieve its security objectives, that it exploits a misperception about anonymity to handwave away the fact that for most users it is not anonymous, that it is reliant on centralized infrastructure ("Bitcoin is peer to peer in the sense of the British Peerage System"), and (most importantly) that it is meaningless as a currency: "I have taken $100 and set it on fire; I will sell you a certificate representing the smoke for $101".

These aren't elegance critiques. This isn't "worse-is-better"; to make a similar argument fly, you have to come up with "worthless-is-better". Unfortunately, the greater fool theory floats that argument too, at least until Esquire writes the postmortem on Bitcoin and all the fools who lost money to it.


Thanks for reading; your summary is pretty decent.

But obviously I differ about the elegance and following. Elegance is not optional; elegance is useful; elegance has important practical consequences.

Go back to rpg's original paper and one of his examples - the difference between ITS and Unix in system calls was not one of mere aesthetic elegance, but a case where Unix programs were incorrect and could, and did, fail! Like freeing memory in memory management, it's easy to omit the check whether the system call failed.

This applies to each of your points:

- the anonymous vs pseudonymous distinction - you can build anonymity on top of the pseudonymity (I spent a couple links and cites establishing this with the mix material!) but you can easily not succeed in getting the anonymity you wanted. Just like you can easily not check system call success on Unix.

- the centralized infrastructure: anyone who wants to be a full miner peer can... they just have to buy the GPU power. Like writing a secure & bug-free Unix C program, it'll cost you. (One in money, the other in time & skill.)

- meaningless as currency: I am actually not sure how elegance plays into that at all, so I have no cute analogy to rpg's Unix/ITS system calls. The wasted computing power is inherent to the system of avoiding double-spending (I also spent some time discussing this), but that's not related to Bitcoin being worthless or not as a currency. Any damn thing can be currency, after all; currencies are as currencies do.


The point Ben is making is not simply that Bitcoin is wasteful, although it is.

The point is that a $101 certificate for the smoke from $100 in burnt five dollar bills isn't worth $101. Or $100. Or $5. Or $0.01.

You can declare by fiat that as a proof of effort, the smoke certificate is worth something. You can try to convince people that certificates representing smoke function as a medium of exchange. But as a medium of exchange, it must reside on a continuum with all the other media of exchange, ranked by the certitude that it will in the long run be convertible to other media. And in that ranking, "smoke from burnt dollar bills" fares poorly.

There are obviously many types of Bitcoin advocates. The ones we see most often on HN are of the nerd clade. Nerdly Bitcoin advocates are fixated on the fact that "any damn thing can be a currency". This fixation presupposes that being a currency is interesting. The problem is, it isn't interesting. Toenails can be a currency. Belly button lint can be a currency. Burnt dollar bill certificates can be a currency. What's interesting is, what are good currencies.

Here the nerdly Bitcoin advocate handwaves around the fact that we actually have notions of what it means to be a "good" or "bad" currency. Dollar bills are highly liquid and have a relatively predictable valuation over time. To a lesser extent, so does gold. Bitcoin does not. It's volatile, it has illusory liquidity (it is liquid only so long as the "exchanges" on which it trades decide to keep trading Bitcoins --- or decide not to succumb to their numerous security flaws), and it is in no place a native medium of exchange, such that some person somewhere will ever need it to e.g. pay their taxes.

To all that, add the critiques you sourced of Bitcoin; that while it has impressive virality, it largely fails at its security goal by making the cost to defend transaction integrity greater than the cost of attacking it; that it largely fails at its anonymity goal by requiring a complete audit log be made available to everyone simply in order to function; that it largely fails at its decentralization goal by requiring resources comparable to that of a Visa or a Mastercard just to scale.

What are you left with? Colorless, odorless tulips.


Your economic points seem to be just reiterating the claim 'currencies must have a backing!', which is something people can disagree on and not relevant to the essay. (If some random country adopted Bitcoin as its currency, would it suddenly cease to be Worse is Better and just be Better is Better? Or vice versa? If not, then the tough economics/philosophy question of whether a currency needs backing to be a 'currency' is not relevant.)

> To all that, add the critiques you sourced of Bitcoin; that while it has impressive virality, it largely fails at its security goal by making the cost to defend transaction integrity greater than the cost of attacking it; that it largely fails at its anonymity goal by requiring a complete audit log be made available to everyone simply in order to function; that it largely fails at its decentralization goal by requiring resources comparable to that of a Visa or a Mastercard just to scale.

It's true that the cost of defense is similar to attack, the audit log is public, and the scaling story is not good. But does it fail? That's the question, and so far it seems to bumble along, with all the major problems being in things surrounding Bitcoin (MtGox, MyBitcoin, that Polish exchange) but not actually Bitcoin. Bitcoin fails on a lot of properties, but it's still there. Unix failed at a lot of things too, but somehow it's still around.

That's kind of the essence of Worse is Better - maybe those security properties or software properties are not as important and valuable as people judging the elegance thought that they were.


> Here the nerdly Bitcoin advocate handwaves around the fact that we actually have notions of what it means to be a "good" or "bad" currency.

Like we had notions of what it means to be a "good" or "bad" encyclopedia before Wikipedia came out. Saying that Bitcoin is bad as a traditional currency does not prove that it is useless.


> The point is that a $101 certificate for the smoke from $100 in burnt five dollar bills isn't worth $101. Or $100. Or $5. Or $0.01. You can declare by fiat that as a proof of effort, the smoke certificate is worth something. You can try to convince people that certificates representing smoke function as a medium of exchange. But as a medium of exchange, it must reside on a continuum with all the other media of exchange, ranked by the certitude that it will in the long run be convertible to other media. And in that ranking, "smoke from burnt dollar bills" fares poorly.

I still do not understand. Bitcoin's value is not based on making smokes.


> - meaningless as currency: I am actually not sure how elegance plays into that at all, so I have no cute analogy to rpg's Unix/ITS system calls. The wasted computing power is inherent to the system of avoiding double-spending (I also spent some time discussing this), but that's not related to Bitcoin being worthless or not as a currency. Any damn thing can be currency, after all; currencies are as currencies do.

It would be great if tptacek actually explained what he means. It seems to be a muddled economic argument. I do not understand "meaningless as currencies goes".


In this comment I would like to propose "Flitcoin". Flitcoin is nearly identical to bitcoin, with exactly one difference. In Flitcoin, instead of brute forcing a nonce through SHA-256(x) to find hashes with a suitable prefix of 0's, Flitcoin brute forces a nonce through HMAC-SHA256("bananas", x) to find hashes with a suitable suffix of 1's.

Please explain to me why my Flitcoin is inferior to your Bitcoin.

As you do so, note that all the world's Bitcoin software is trivially upgradable to Flitcoin; in fact, it requires less than 10 lines of code to do so.
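Added example, not part of the comment above and not code from any Bitcoin client: a toy proof-of-work loop with the two acceptance rules the comment describes, showing that they differ only in the digest function and the bit test. The 12-bit difficulty, the payload, the 8-byte nonce encoding and all function names are assumptions made for illustration; the Bitcoin side follows the comment's simplified description, SHA-256(x) with a zero prefix.

```python
import hashlib
import hmac
from itertools import count

BITS = 12  # constructed toy difficulty: about 2**12 attempts on average


def sha256_digest(data: bytes) -> bytes:
    """Digest as the comment describes Bitcoin: SHA-256(x)."""
    return hashlib.sha256(data).digest()


def flitcoin_digest(data: bytes) -> bytes:
    """Digest as the comment describes Flitcoin: HMAC-SHA256("bananas", x)."""
    return hmac.new(b"bananas", data, hashlib.sha256).digest()


def has_zero_prefix(digest: bytes, bits: int) -> bool:
    """True when the top `bits` bits of the digest are all 0."""
    return (int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)) == 0


def has_one_suffix(digest: bytes, bits: int) -> bool:
    """True when the low `bits` bits of the digest are all 1."""
    mask = (1 << bits) - 1
    return (int.from_bytes(digest, "big") & mask) == mask


def verify(payload: bytes, nonce: int, digest_fn, accept_fn, bits: int = BITS) -> bool:
    """One hash and one bit test: checking a proof is cheap, finding one is not."""
    return accept_fn(digest_fn(payload + nonce.to_bytes(8, "big")), bits)


def mine(payload: bytes, digest_fn, accept_fn, bits: int = BITS) -> int:
    """Brute-force the smallest nonce whose digest passes the acceptance test."""
    for nonce in count():
        if verify(payload, nonce, digest_fn, accept_fn, bits):
            return nonce


# The whole difference between the two schemes is this pair of functions.
BITCOIN_RULE = (sha256_digest, has_zero_prefix)
FLITCOIN_RULE = (flitcoin_digest, has_one_suffix)

if __name__ == "__main__":
    payload = b"constructed sample block"  # constructed input, not real chain data
    for name, rule in (("bitcoin-style", BITCOIN_RULE),
                       ("flitcoin-style", FLITCOIN_RULE)):
        nonce = mine(payload, *rule)
        print(name, "nonce:", nonce, "verifies:", verify(payload, nonce, *rule))
```

Either rule accepts a uniformly distributed 256-bit digest with probability 2^-BITS, so the expected work per proof is the same under both, while a nonce found under one rule will in general not verify under the other.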


In this comment I would like to propose "PTTH". PTTH is nearly identical to HTTP, except you replace all occurrences of "HTTP" in the protocol by "PTTH". Why is this inferior to HTTP? Why are people investing time and money to provide HTTP service and not PTTH service? You are right when you say that the artificially imposed scarcity on Bitcoins does not entail a scarcity on digital currencies in general, but, as it stands, your argument seems weird.

Actually, I believe that Bitcoin's (possibly short-lived) fame has created some sort of value in the sense that there would probably be, for quite some time, people interested in hoarding Bitcoins just as a kind of souvenir ("hey, remember, people used to get excited over this"); not so with Flitcoin. I am not saying that this is something reasonable to base a currency on, just that it is wrong to assume that Bitcoin and Flitcoin are strictly equivalent.


Bitcoin has a long hash chain already in existence and a large amount of computing power currently lengthening it. Bitcoin may or may not be valuable, but the amount of total CPU time invested into it and the current rate of CPU use are criteria one can use to decide if one proof of work network is superior to another.


Bitcoin already has users and Flitcoin doesn't?


So, marketing? Ok! I'll just run a 2-for-1 sale on Flitcoin.

Less snarkily: why are people using Bitcoin? What's the intrinsic value they see in Bitcoin? Based on what evidence can they predict that Bitcoins purchased today will be convertible to gold, dollars, or even toenails at any valuation? You've begged the question.


Here's a nice concrete example. You start a content/news blog/site. Instead of selling adspace you charge for your content by the pageview. Now how much are people willing to spend per pageview? Probably not very much. Let's say < 1 cent. You start looking around for ways to charge people < 1 cent. Turns out it's a ridiculous idea, no credit/online banking proposition is interested in < 1 cent transactions, it just doesn't exist because of transaction costs. Hola Bitcoin. I can send you < 1 cent for every pageview I consume with 0 transaction costs.

The tools to do this are currently in the pipeline or are really not that hard to devise. This is what bitcoin offers that others don't. Forget anonymity or libertarian arguments, 0 transaction costs are extremely disruptive.


This is an application of Bitcoin. It says, "well, people want something that promises what Bitcoin promises; therefore, Bitcoin must be intrinsically valuable". But it's obvious why that isn't true. Flitcoin promises precisely the same things.


I'm not really worried about the intrinsic value of bitcoin, it goes up, it goes down, it doesn't matter. You don't have to store your wealth in bitcoin, USD goes in USD goes out when you want it to at usually 0.5% transaction cost (or less some places). And there's no reason Flitcoin can't succeed in the same places. I'm not sure why that would have anything to do with intrinsic value or why intrinsic value is of paramount importance.


In other words, you're content to ride out the "greater fool" theory, confident that you'll be able to jump out before the market spirals down to zero. And that's fine, but it doesn't address the question that roots this thread.


You can jump out whenever you get bitcoins. You don't have to hold onto bitcoins more than a few minutes after a transaction is confirmed. You can tie goods/service to the market rate and sell your bitcoins whenever you get them. It won't matter what the price is, $30 or $0.30. No fooling going on. And tell me again what the question is that roots this thread?


In other words, you're ignoring all problems about value transfer systems like gold and cash while assigning basic problems like that nobody trades food for gold when starving to BTC alone.

Gold for instance, seems to be a fool's buy, because there are few truly-useful non-technical things to do with it (you can't eat it) but actually works well as a basis for some value transfers. In a crash your bitcoins would depreciate wildly because nobody would part with anything of value for some bits - or a piece of paper - or some shiny metal.

This is just inherent in trading - there has to be a difference in value or the trade wouldn't happen, and if there's a difference in value the values may not relatively correspond at all points.

To some people, at some times, a token may be a useful marker in trade, as cash is now. With World of Warcraft healthy, there can be a good market in magic swords. With a healthy world economy, cash can be useful. When either fails, current holders will suffer. Gold will suffer differently, it won't be counterfeit or lost, but it won't be liquid. Ditto for BTC, they just become irrelevant relative to food.

Gold is anonymous, but can't practically be traded that way in large quantities. Cash is only pseudonymous like BTC as usually used - bills are scanned when dispensed and deposited. It's not globally visible, just to the most likely and well funded enemy - your own government.

It really seems like you should be harshing on representational value systems in general, or something.


>You've begged the question.

No, you just asked a different question.

>What's the intrinsic value they see in Bitcoin?

Well, free transfers, for one, and not being subject to having your money frozen by online payment companies (e.g. Paypal).


"Free transfers" isn't an intrinsic value of Bitcoin. It's a benefit you get by supposing that Bitcoin has some intrinsic value.

What's the intrinsic value? Why is Bitcoin unlikely to be worth $0 in 10 years? Because it is spectacularly unlikely that gold will be worth $0 in 10 years, and similarly unlikely that a dollar will be. Virtually any trader in the world would take the other side of that bet.


Let me preface this by saying that I'm very ignorant about this subject.

>What's the intrinsic value? Why is Bitcoin unlikely to be worth $0 in 10 years?

Why does a currency require a value as anything other than a currency to be expected to have value?

Bitcoin offers a useful service. There is no reason to believe this service will stop being useful in 10 years. Therefore, it's reasonable to expect a demand for Bitcoin in 10 years, making it worth more than $0.

>Because it is spectacularly unlikely that gold will be worth $0 in 10 years

Isn't most of gold's value based on its demand as a currency? If people stopped buying gold just to trade and store value, wouldn't current gold owners lose immensely?


As long as we're talking about Bitcoin, mind clarifying your criticisms?

> it almost totally fails to achieve its security objectives, that it exploits a misperception about anonymity to handwave away the fact that for most users it is not anonymous

Are these the same -- both referring to the mere pseudonymity of addresses?

> it is reliant on centralized infrastructure

How so? My understanding is that anyone can generate a new block, it's just (linearly) more likely to be you the more CPU you have.

> and (most importantly) that it is meaningless as a currency

This seems like the weakest criticism. There are many conventions that work simply because they are conventions. In other words, they are self-supporting. Bitcoin has bootstrapped to the point where such a convention exists, and people are productively using it as a currency. This may not be the level of rigor you're used to in your work, but it seems plausible that a convention like Bitcoin could last for a significant period of time before collapsing.


The dollar isn't a currency simply by convention. Neither is gold. It only seems that way in the frictionless vacuum of message board arguments.


Agreed, and I didn't say they were.


Worse is better does not apply to bitcoin as a cryptographic system, only as a monetary system. As a cryptographic system it makes a clear choice for more features over simplicity.

Make no mistake, bitcoin is a very complicated system. Not for a piece of software, but for a cryptographic system. One that aims to replace the fundaments of our economic system. With such ambition, "it seems to work," is not good enough.

As someone who has spent some time hacking the bitcoin code, I have little confidence. Although I have not found any outright errors, the quality of the code shocked me. The code does nothing to provide structure and/or insight to the already complicated protocol. Basic protocol is mixed with parsing of messages and parallelism of the code. I for one, fully expect major and near fatal errors to be found in bitcoin.


> As someone who has spent some time hacking the bitcoin code, I would say I have little confidence.

There are a lot of differing opinions on this. I quoted Kaminsky at length as someone with major security credentials who is saying the opposite of you.


You are citing as an authority on code quality someone who says Bitcoin should use Bcrypt instead of SHA-256 because Bcrypt is less amenable to hardware optimization.

I hope to make the starburst of applicable points that follow from this by implication instead of explicit argument.


I'm afraid you're going to have to be explicit, because the idea of using Bcrypt for that reason makes perfect sense to me - the logic that makes Bcrypt better than SHA-256 for passwords seems to apply nicely to Bitcoin. Hardware optimization privileges the few who can invest in the hardware over the many who are able to run more commodity hardware, and is exactly contrary to the P2P Bitcoin ethos.

(A similar point applies to time-lock puzzles: http://www.gwern.net/Self-decrypting%20files Why were Rivest/Shamir/Wagner unhappy with brute-force decrypting? Because it's so amenable to hardware optimization. Why were subsequent researchers unhappy with successive squaring and looked for memory-bound hashes? Because squaring is still implementable in hardware.)


Bcrypt isn't specifically harder to compute on GPUs. It just has an adjustable amount of work it has to do which increases the load. Bitcoin effectively has the same thing with the difficulty.


...Not really. The point is not that you can make it harder, as you say both Bcrypt and zero-finding in SHA hashes can be adjusted and made harder. The point is that the constant factor speedups available from specialty hardware are greater for SHA than they are for Bcrypt.


First, I don't think your specific point is true. Second, and more importantly, the benefit of hardware isn't that it changes the constant factors; it's that it parallelizes the search. The whole point of scrypt is to create a state explosion that prevents that parallelization.


Parallelization is a constant factor. If you have 1000 processors, you get a constant-factor one-time speedup of 1000x (or less). No complexity class changes.


Sorry, missed that. Very interesting and indeed, his opinion easily trumps mine. However, I would like to see some evidence rather than the word of an expert (if only to learn). For example he says that "This code has the mark of having been audited by People Like Us", what marks would that be?


I have no idea what he means by that.



