I think it's important to note that this paper was a research paid by the Citi foundation, which belongs to Citi Group, a financial services corporation formed following the merger of banking giant Citicorp and financial conglomerate Travelers Group.
I'm not sure about this particular paper, but in most theoretical fields the authors are listed alphabetically by last name (the assumption being that each of them made a contribution without which the paper wouldn't exist - so ranking them is not important).
And that one too was quite poorly done; from the text, it actually seemed like they thought that "the blockchain" is a file stored on blockchain.info. Disappointing from the inventor of Shamir's Secret Sharing and differential cryptanalysis.
We acquired the complete state of the Bitcoin transaction system [...]
This required downloading 180,001 separate but linked HTML files [...]
following the links backwards to the zeroth block [...]
Each file was parsed in order to extract all the multisender/multireceiver transactions in it, and then the collection of transactions was encoded as a standard database on our local machine.
This is definitely a very strange way of retrieving the blockchain for research purposes. Couldn't they have simply issued RPC calls to the regular bitcoind client after downloading the blockchain via the built-in peer-to-peer mechanism?
No. Blockchain.info indexes the block chain by address. bitcoind indexes the block chain by transaction IDs (if you enable it). You'd still have to index the data you get from RPC calls by address if you want to track the movement of certain coins.
It's a lot easier to just get it from blockchain.info.
Blockchain.info is storing a centralized database for Bitcoin. Just not the centralized database... because there's not any official one. They're a value-added replica (via indexing & UI), not a constitutional authority.
(They have some earned authority, by a record of useful service.)
I can see where you are coming from, but how could you word that to be technically correct, succinct (not a full blown lecture on what bitcoin is), and not leave yourself open to giving people that impression?
Bitcoin isn't the simplest concept around. Unless you are in the business of packaging up bitcoin for non-technical consumers, I think it is reasonable to expect your users to bring some knowledge about bitcoin to the table.
Not sure what you mean by 'poorly researched'. Whatever it's flaws, it produced a hell of an innovative idea (or rather, a conglomeration of ideas into something innovative), and it has grown into something undeniably huge. Something people are building businesses upon. Something that is trading at over $900 USD/unit right now, despite countless rounds of naysayers decrying its intrinsic worthlessness and foretelling it's doom.
Meanwhile these guys are merely riding on the huge waves which that 'poorly researched' paper left in its wake, trying to catch some press-coverage-by-association with their shoddy research. I'm failing to see the irony here, this is apples and oranges stuff. Really seems like you just wanted to sneer at 'Bitcoin supporters'.
I mean that it was poorly researched. There was no definition of security, no mention of the vast body of related work in digital cash or secure multiparty computation, a weak security analysis, no mention of the fact that polynomial time attacks are usually considered to indicate that a system is not secure (one would think that a different security model would require at least some justification), and so forth. That is not the mark of a solid research paper; the fact that Bitcoin has become so famous or that people are making money with it has no bearing on the quality of Satoshi's own research.
It was a simple white paper, offered up anonymously for only what it was. It made no claims which have been demonstrated to be false, which is more than you can say about the paper being discussed here.
The Bitcoin whitepaper does what it says on the tin, you're the one inventing criteria for it that it doesn't meet. The white paper is also remarkably readable, which is something you can't say for most academic works.
"It made no claims which have been demonstrated to be false"
That is because no falsifiable claims were made.
(Edit: Strictly speaking, this is not true. Falsifiable claims were made; this, for example:
An attacker can only try to change one of his own transactions to take back money he recently spent.
This claim has already been falsified: an attacker who can control the block chain can also selectively deny transaction verifications and prevent miners from receiving the mining reward.)
"you're the one inventing criteria for it that it doesn't meet"
No, I am just stating the criteria that determine how well-researched a paper is. If a paper does not cite the relevant previous work, it is poorly researched -- that is the standard that every other paper is held to. If a cryptography paper does not have a well-formed or clearly articulated security definition, it is poorly researched -- that is the standard other cryptography papers are held to. If a security paper breaks from widely accepted notions of security but never bothers to justify that, it is poorly researched. These are not unheard-of criteria, these are standard fare.
"The white paper is also remarkably readable"
What is your point? Readability is orthogonal to how well-researched a paper is.
> If a paper does not cite the relevant previous work,
This is elevating form above substance. Ron & Shamir's work has the proper form, the proper names, and yet the material it contains is rubbish. It cites "relevant previous work", so long as you think that none of the work in industry is relevant.
The gold standard should not be if a work follows a set of practices, advisable as they may be, it should be if a work advances the understanding of mankind. One of these papers did, the other does not.
Reference to previous work is not some perfunctory requirement to satisfy for academic due process. It is critical for the advancement of knowledge. Also, its pretty much entirely the definition of "well-researched". Work that is done completely independent of the established base of knowledge in a field can be valuable but someone has to do the work of integrating it and contrasting it with what was already known or else how can you weed out the cranks without many people spending many hours working through their enormous stacks of drivel?
G. H. Hardy said that his most important contribution to the study of mathematics was the discovery of Ramanujan. One could easily make the mistake of thinking this contribution could have been easily replicated by someone else, but its entirely likely that never would have happened at all because Ramanujan was not aware of much of the contemporary work that he blitzed past.
I believe that I responded to that paper at least once. By my memory, the formalization of Bitcoin's security left room for a polynomial time attack on the system. That is a fine restatement of what we already know about Bitcoin, but:
1. It is irrelevant to this thread, because I was only talking about Satoshi's paper.
2. It is not the sort of security people demand out of other cryptosystems. There is a reason nobody uses this:
Personally, I say thank god it was poorly researched. If the whole thing was inundated with 20 pages of obscure terminology and various arcane inequalities far fewer people would have understood it. Also, Bitcoin takes such a completely different tack from existing digital cash and SMPC schemes that I think including any discussion on those would have been distracting.
Real-world cryptography often doesn't have security definitions, e.g. AES. In parts that is because security definitions tend to be asymptotic (which is a massive simplification), and real cryptography is working at a fixed parameter. Coming up with a good security definition is hard, the 2013 Turing award was given for one. I think it will take a long time before we get a realistic security definition for Bitcoin.
"Real-world cryptography often doesn't have security definitions, e.g. AES"
Block ciphers do have security definitions; what AES lacks is a rigorous proof that it satisfies the definition of security for a block cipher. There are different definitions for different notions of security, but that does not mean there is no security definition. It is also untrue to suggest that security parameters are fixed in practice; this is certainly false for public-key cryptography, but Rijndael was designed to support arbitrary parameters, as are many other practical block ciphers and hash functions.
"Coming up with a good security definition is hard, the 2013 Turing award was given for one."
Not one definition, but several definitions and an entire paradigm for definitions. The work also set the groundwork for proving that cryptosystems and cryptographic constructions meet such definitions.
Really, the importance of having a security definition cannot be understated. Without a security definition, you cannot have any falsifiable claims about security. If I claim a system without a definition is insecure, you can always refute me by claiming that the system was never designed to defend against my attack -- which is technically correct, because without a definition the system cannot be said to be designed to defend against any attacks.
Also, note that I did not say that Satoshi failed to give a good security definition for Bitcoin. What I said is that Satoshi failed to give any security definition. If Satoshi had given an unrealistic or otherwise bad security definition, then we could have a productive conversation about the definition and about whether or not Bitcoin satisfies it.
"I think it will take a long time before we get a realistic security definition for Bitcoin."
The thing is that we do have realisitic security definitions for digital cash -- the definitions just happen to rely on the existence of a central authority that issues the currency, which is a deal-breaker for the Bitcoin community.
The scary thing of these kinds of witch hunts is that law enforcement is listening / reading / conducting hunts of their own. And they will be prone to the same mistakes as these readers.
That brings the frontrunners of Bitcoin in a predicament.
On the one hand they are often libertarians and very happy with the succes of Bitcoin. On the other hand, getting in early gives them some windfall gains, and law enforcement will go after them, since many of the real criminals using Bitcoin will remain elusive to them.
A little tidbit that will hit any of them sooner or later: did they properly file their taxes on the Bitcoins they mined? Trammell just admitted holding 800K$ worth of Bitcoins. Where did they come from? (Mining, I know, but those lawsuits will get hairy, because lack of knowledge.)
I don't think so; witch hunts didn't exactly grow trust between people in the middle ages. Witch hunts grow mob feelings between people against whoever happens to get crushed by their collective paranoia that day.
I think if you have much influence, people should know at least who you are. The same applies to any kind of influence, but with fiat currencies it is much easier to hide it in certain positions.
This could also have a maybe unintended consequence of increasing equality, because some people, knowing who has the most bitcoins, might act to decrease the influence they feel is too large by, for example, choosing alternative product or service to use or buy. We see this effect already with people feeling that corporations like Google have grown too big and some go out of their way to not use their services.
If/When bitcoin grows as large as some think/hope it will, there won't be "a bitcoin community" anymore than there is a "USD community". Sure, you'll have communities of various sorts surrounding different aspects of the currency, like you do with any other currency, but for the most part the users of it won't really have any real sense of "community membership". I pay for things with paypal on occasion, but I don't have any sense of a "paypal community".
I think we should look closer at the cryptography mailing list for evidence of Satoshi's identity. It seems likely that at some point Satoshi posted under his real name about something unrelated to BitCoin, before he decided to switch identities to release BitCoin under a pseudonym. I really doubt that Satoshi would have lurked silently there for many years before suddenly dropping the BitCoin whitepaper on the list without once contributing under his own name, perhaps before he was even thinking about BitCoin.
I think someone should do a quantified textual analysis of posts to to derive some sort of written language fingerprint for each author on the Cryptography Mailing List. Has anyone been able to derive a unique fingerprint of written language that accurately predicts the identity of the author? Has an analysis like this been done and come up empty?
At the moment, it would be really helpful if you could submit archives of the original cypherpunk mailing list, the p2p-hackers mailing list, the cryptology mailing list, and the original member list of the p2presearch mailing list (not the current one).
A copy of the original pdf would also be really helpful. Not the one that md5 hashes to d56d71ecadf2137be09d8b1d35c6c042 please.
As far as I know, everything is open source, and I'm sure that some cryptography experts already analyzed that.
And even if no one did, it is obvious that the person/organization that started the whole thing would have the highest profit by definition without the need of any backdoor.
Just look at how many Bitcoins Satoshi made at the start, when competition and mining difficulty was low.
But yes, I share your concerns, since it could be a pyramid scheme.
The one that starts it profits the most, everyone that enters the game later earns less but hopes that the value increases as long as more and more new players are joining.
And this currency is deflationary by design, which obviously helps driving profit expectations for everyone. (why the hell would you want deflation in a currency? Deflation reduces circulation which defeats the purpose of a currency)
> a unique fingerprint of written language that accurately predicts the identity of the author
These kinds of analysis are usually more "fuzzy" than "unique" and "accurate". And can be easily fooled if you are trying to remain anonymous. Especially in the case that Satoshi isn't a single person.
Agreed, but strong evidence could plausibly be found. Also the style of writing/spelling errors can sometimes reveal nationality if you're familiar enough with different languages. I don't think someone would go through that much work, though.
Well, he said that the research was funded by Citi bank's 'philanthropic' foundation. Is he mentioning that to insinuate that a bank is trying to produce de-anonymizing scare research about Bitcoin, which need not be true so long as it shakes consumer confidence?
I suspect it's just very easy to get funding for Bitcoin related research right now because it's a hot topic, but that would be a much more fun explanation...
I doubt the real identity of Satoshi will ever be revealed. Seriously, if the claims of Satoshi mining the first 20,000 Bitcoins is true (with a value of almost one billion), would he seriously want to be publicly known?
I would imagine the FBI amongst other Government organisations and figures would love nothing more than to pick Satoshi's brain (by force if need be) if his or her identity were to ever be truly revealed. We won't ever know who the real Satoshi is.
I can make baseless and factless accusations as to who I think Satoshi is as well. I think it's Al Gore, he invented the Internet after all.
I think that's coming from the idea that the "ultimate value" of the BTC money supply should be ~$1 trillion (in order for it to replace real-world currencies in a significant fraction of transactions). 20,0000 Bitcoins is ~1/1000th of 21,000,000 potential Bitcoins.
Yeah, it's worth more like $50M if you place your sells across exchanges:
1,600,000.00 bitcoins can be sold for 35,066,701.01 USD on Mt. Gox with a slippage of 1,544,789,298.99 USD (97.78%)
222,043.14 bitcoins (insufficient bid volume) can be sold for 15,395,973.27 USD on Bitstamp with a slippage of 1,493,404,026.73 USD (98.98%)
It would be entertaining if the NSA could use blockchain data as an aid to cracking systems which employ SHA-256. It would be doubly fun if bitcoin was originally some off-the-cuff gamification scheme to help generate lookup tables for the NSA.
Are there any papers about practical (slash nefarious) uses one could make from the work put into the blockchain? I had the same thoughts as you recently, but don't have the background to imagine what's possible.
Each miner includes their own address and a nonce value in the work they are doing. Most of the work that goes into mining is generating failed hashes and is discarded by the client. Assuming a lack of mathematical attacks on sha 256, there isn't really anything nefarious to do with the published blocks.
I think so. Bitcoin is too global to be interesting to a domestic agency. It's more likely to be CIA.
If it's part of a policing effort, then it's obviously part of the UN, which according to Tim LeHaye, rules over the United States with an iron fist and is where the shadow government of totally-not-Jews would do exactly this kind of thing.
You're not supposed to think the CIA does much. They're the actual spy agency; the whole "just a star on the wall at Langley" thing is CIA; you don't hear about their victories, and if you do, it's a failure of some kind. Stuxnet, for instance, was almost certainly CIA.
If Bitcoin is a targeted strike against China somehow (not completely impossible), then the CIA is the likeliest candidate. Otherwise, of the USGov national agencies, the NSA is most likely.
The FBI doesn't really get anything out of it. The only reason I can think of for the FBI to do it is for paying off informants anonymously. (And as I've pointed out before, if anyone's an expert on money laundering, it's the FBI.)
It would be interesting if (inplementors of a majority of the client software installed base of) the community declared and anti-hoarders coup, and refused to verify transactions involving the low ID bitcoins.
So, they put forward a theory, it turned out to be wrong, they said "ok, we agree, we were wrong". I think this is how the science is supposed to work, not? Vast number of theories and ideas are put out and most of them prove to be wrong, some prove to be true. I think it is a very normal and healthy process and I wonder why so many people feel the need to attack the researchers personally just because one of their ideas turned out to be wrong.
Because their theory inculpated a person (Satoshi) with criminal activity and they were wrong. That is why an apology was appropriate. This isn't just a matter of scientific incorrectness - someone's reputation was attacked.
If it were published in an academic journal, the journal would publish these remarks by Dustin Trammell in the next issue. But this "paper" was published online without peer review, so it's up to Ron and Shamir to do the right thing.
Exposing a weakness in the post-journal open access publishing model. Non peer reviewed work getting more attention thannpeer reviewed work. At least on boards like HN, which I guess never respected the academic community as much as bloggers anyway.
Post journal open access publishing _includes_ peer-review; see PLOS ONE, PeerJ etc.
Similar problems as OP's have been noticed with non "post-journal open access publishing model". That's generally called "science by press conference" now - the most famous case was the arsenic life paper, which was published in Science, a "traditional" journal, and then later retracted after their press conference before the publication generated a huge buzz (and two later papers contradicted their findings).
This isn't a problem that's caused by open access or new publishing models.