bits and bob

Eugen Leitl eugen at leitl.org
Tue Jun 14 06:19:47 PDT 2011


http://www.economist.com/blogs/babbage/2011/06/virtual-currency

Virtual currency

Bits and bob

Jun 13th 2011, 20:30 by J.P. | LONDON AND G.T. | MELBOURNE

MILTON FRIEDMAN famously called for the abolition of the Federal Reserve,
which he thought ought to be replaced by an automated system which would
increase the money supply at a steady, predetermined rate. This, he argued,
would put a lid on inflation, setting spending and investment decisions on a
surer footing. Now, Friedman's dream has finally been realised, albeit not by
a real-world central bank.

BitCoin, the world's "first decentralised digital currency", was devised in
2009 by a programmer using the name Satoshi Nakamoto (thought not to be his,
or her, real name). Unlike other virtual monies, such as Second Life's Linden
dollars, it does not have a central clearing house run by a single company or
organisation. Nor is it pegged to any real-world currency, though it resembles
one in that it can be used to purchase real-world goods and services, not just
virtual ones. Rather than rely on a central monetary authority to monitor,
verify and approve transactions, and to manage the money supply, BitCoin is
underwritten by a peer-to-peer network akin to file-sharing services like
BitTorrent.

The easiest way to store BitCoins is to sign up to an online wallet service
through which all transactions are carried out. This, of course, means
trusting the provider of that service not to cheat, or go out of business,
taking clients' savings with it. Warier users can install a personal digital
wallet on their own computers. The wallet file holds the private keys that
control the coins, so it must then be kept safe from viruses or physical
damage. If a laptop went up in smoke, so would the virtual coins whose keys
were stored on its hard drive. (Keeping back-up copies of the wallet file
would do the trick.)

All transactions are secured using public-key cryptography, a technique which
underpins many online dealings. It works by generating two mathematically
related keys. One of these, the private key, is retained by a single
individual. The other key is made public, and knowing it does not reveal the
private key. BitCoin uses the pair for digital signatures rather than for
encryption: payments are not encoded. A payment is instead addressed to the
intended recipient's public key (or to a hash of it), and only whoever holds
the associated private key can later spend it, by signing a new transaction.
The payer, meanwhile, approves any transfer out of his own account by signing
it with his own private key. Every computer on the network can check such a
signature against the matching public key without ever learning the private
one.

This provides a degree of security against theft. But it does not by itself
prevent an owner of BitCoins from spending the same BitCoins twice, the
virtual analogue of counterfeiting. In a centralised system, double spending
is prevented by clearing all transactions through a single database. A
transaction in which the same user tries to spend the same money a second
time (without having first got it back through another transaction) can then
be rejected as invalid.

The whole premise of BitCoin is to do away with a centralised system. But
tracking transactions in a sprawling, dispersed network is tricky. Indeed,
many software developers long thought it was impossible. It is the problem
that plagued earlier attempts to establish virtual currencies; the only way
to prevent double spending was to create a central authority. And if that is
needed, people might as well stick with the government devil they know.

To get around this problem, BitCoins do not resemble banknotes with unique
serial numbers. There are no virtual banknote files with an immutable digital
identity flitting around the system. Instead, there is a list of all
transactions approved to date. These transactions come in two varieties. In
some, currency is created; in others, nominal amounts of currency are
transferred between parties.

In the very first transaction the creator's computer minted 50 units of the
currency. The next transaction would have involved subtracting some amount
from the creator's account and crediting it to a recipient's. These actions,
and any subsequent ones, were automatically broadcast to the entire network.
At first, when the network was small and transactions few and far between,
verifying them was straightforward. The first person to confirm the new
transactions would offer his updated log as the one against which any future
transactions ought to be judged. Once everyone else agreed that this
candidate register was indeed accurate, it would be adopted and the new
transactions included in it confirmed. If anyone tried to game the system by
erasing an old transaction (so he could re-use the same money again) or
adding an unwarranted new one (transferring the same money as before, say),
he would be promptly found out, because the other participants could compare
his proposal with the log they already held; his proposed log would be
discarded, and the transactions rejected as invalid.
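The replay check the previous paragraphs describe, written out as an added example (it is not the article's or BitCoin's code). It goes slightly beyond the article's account-balance picture and uses BitCoin's actual bookkeeping model: a transfer consumes specific outputs of earlier transactions and creates new ones, so a double spend is simply an attempt to consume an output that no longer exists. Assumptions: ownership is checked by comparing a bare name rather than verifying a signature, a coin-creation transaction may mint at most 50 coins, and the sample transactions are constructed for this example. Note what the last case shows: a log from which an earlier payment has been erased replays perfectly well on its own, which is exactly why the network must agree on one shared log rather than trust whatever each participant proposes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example for this page, not BitCoin's own code. Assumptions: ownership is
# a bare name standing in for a signature check; creation transactions may mint
# at most BLOCK_REWARD coins; the sample transactions below are constructed.
BLOCK_REWARD = 50


@dataclass(frozen=True)
class TxIn:
    txid: str        # the earlier transaction being spent
    index: int       # which of its outputs


@dataclass(frozen=True)
class TxOut:
    owner: str
    amount: int


@dataclass(frozen=True)
class Tx:
    txid: str
    signer: str                  # who authorises the spend (stand-in for a signature)
    inputs: Tuple[TxIn, ...]     # empty for a coin-creation transaction
    outputs: Tuple[TxOut, ...]


UTXO = Dict[Tuple[str, int], TxOut]   # (txid, index) -> unspent output


def replay(log: List[Tx]) -> Tuple[bool, str, UTXO]:
    """Rebuild the set of unspent outputs by replaying the log from the start.
    Rejects a transfer that spends an unknown or already-consumed output (a
    double spend), one whose signer does not own the output, one that pays out
    more than it takes in, and a creation that mints more than BLOCK_REWARD."""
    unspent: UTXO = {}
    for tx in log:
        if not tx.inputs:                                    # currency creation
            if sum(o.amount for o in tx.outputs) > BLOCK_REWARD:
                return False, f"{tx.txid}: mints more than {BLOCK_REWARD} coins", unspent
        else:                                                # transfer between parties
            taken = 0
            for i in tx.inputs:
                out = unspent.pop((i.txid, i.index), None)   # pop: a second use fails
                if out is None:
                    return False, f"{tx.txid}: input {i.txid}:{i.index} unknown or already spent", unspent
                if out.owner != tx.signer:
                    return False, f"{tx.txid}: {tx.signer} does not own {i.txid}:{i.index}", unspent
                taken += out.amount
            if sum(o.amount for o in tx.outputs) > taken:
                return False, f"{tx.txid}: pays out more than it takes in", unspent
        for n, o in enumerate(tx.outputs):
            unspent[(tx.txid, n)] = o
    return True, "ok", unspent


def balances(unspent: UTXO) -> Dict[str, int]:
    totals: Dict[str, int] = {}
    for out in unspent.values():
        totals[out.owner] = totals.get(out.owner, 0) + out.amount
    return totals


# Constructed sample log (not real BitCoin transactions).
GENESIS = Tx("c0", "network", (), (TxOut("alice", 50),))
PAY_BOB = Tx("t1", "alice", (TxIn("c0", 0),), (TxOut("bob", 30), TxOut("alice", 20)))
PAY_CAROL = Tx("t2", "alice", (TxIn("c0", 0),), (TxOut("carol", 50),))   # re-spends c0:0
OVERMINT = Tx("c1", "network", (), (TxOut("mallory", 51),))


def honest_log():
    return replay([GENESIS, PAY_BOB])


def double_spend_log():
    return replay([GENESIS, PAY_BOB, PAY_CAROL])


def erased_log():
    # t1 erased and replaced: valid in isolation, caught only by peers holding t1
    return replay([GENESIS, PAY_CAROL])


def overmint_log():
    return replay([GENESIS, PAY_BOB, OVERMINT])
```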

However, as the network expands from dozens of users to thousands, and
transaction volume grows, so does the number of logs vying for the official
crown. Getting everybody to scrutinise the first proposal aired across the
network for inconsistencies soon becomes impractical; the whole system grinds
to a halt. Some way is therefore needed to ensure that the official register
can be updated and agreed on in real time (or nearly), while preventing
individuals from tampering with it. Mr (or Ms) Nakamoto's ingenious solution
involves two related cryptographic techniques: hashing and forced work (more
commonly called proof of work).

A hashing algorithm converts a message of any length into a fixed-size number
called a hash value, or a digest. If this number is big enough, it serves as
a practically unique fingerprint of the original: although different messages
with the same digest must exist, nobody has a feasible way of finding such a
pair. Moreover, it is infeasible to reconstruct the original on the basis of
the digest alone. Nor is it possible to predict what the digest would be for
even a slightly tweaked version of the original message; fiddling with a
single letter will produce a completely different digest. In that regard,
digests appear to be generated at random. As a result, hashing is what
computer scientists call a one-way, or irreversible, process.

Consider a hashing algorithm which converts anything fed into it to a whole
number between one and 1,000. For random sets of data, the algorithm would
spit out a value below 11, say, once in every 100 tries, on average. Now
suppose some data are given in advance. How does one find a number that needs
to be appended to these given data to produce a hash value below 11? Because
hashing is irreversible, and digests are essentially random, the only way to
do this is through trial and error: by splicing different numbers onto the
old data and hashing the whole lot until the desired result pops out. On
average, this will require 100 tries. However, once the answer is found,
everyone else can verify whether the problem has indeed been solved by
running the hashing algorithm just once, with the proposed solution. This
type of puzzle can only be cracked by brute force, which is why it is dubbed
forced work here; the usual name is proof of work.

With BitCoin, all new transactions are automatically broadcast across the
entire network and gathered into batches, called blocks. Besides any new
as-yet-unconfirmed transactions, each block contains the digest of the last
block to have got the nod from the network. That last block will normally be
the tip of the longest chain of blocks currently on the network (strictly,
the chain that took the most work to build). This chain is, in effect, the
official log: because every block commits to the digest of its predecessor,
altering any earlier block changes every digest after it, so the chain is
confirmation that all the previous blocks tot up.

For a new block to be deemed valid, some computer on the network must
assemble a transaction log for it that dovetails with the previous blocks. To
prevent acceptance of bogus logs, giving a block its seal of approval has to
be prohibitively costly to any individual user, but relatively cheap for the
network as a whole. This is done by making it a forced-work task, which
involves hashing the new block's header (which covers the digest of the
previous block and the new transactions) together with a counter, called a
nonce, to generate a digest consisting of 256 bits (ie, any number between 0
and 2^256 - 1). The task is complete when the algorithm spits out a hash
value below a preset target (like 11 in the example above); the miner varies
the nonce until it does. The target is set so that the puzzle is solved by
someone on the network, and a new block approved, every 10 minutes on
average. To keep this rate constant as the network's ranks swell and its
combined computing power grows, the target is recalculated every 2,016
blocks (roughly a fortnight) from how long those blocks actually took, and
lowered in order to make generating a value below it harder. (Conversely, if
the network were to shrink, it would get easier again.)
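The puzzle from the toy example above, and its 256-bit form in this paragraph, as an added example written for this page (not BitCoin's own code): it mines blocks by brute-forcing a nonce until the double SHA-256 of the block falls below the target, verifies each block with a single hash, checks that every block points at its predecessor's digest, and recomputes the target from the observed block interval in the way just described. Assumptions: the block "header" is a JSON encoding of the previous digest, the transaction list and the nonce, rather than BitCoin's 80-byte header with a Merkle root; the target is a toy value that takes a few thousand attempts; the transactions are constructed strings; and the retargeting is clamped to a factor of four per adjustment, as BitCoin's is. The `tamper` function shows why rewriting history means re-mining everything after the altered block.

```python
import hashlib
import json
from typing import List, Tuple

# Added example for this page, not BitCoin's own code. Assumptions: a JSON
# "header" instead of the real 80-byte header with a Merkle root; a toy target
# (about one success per 16,384 attempts); constructed transaction strings.
EASY_TARGET = 2**256 // 2**14
EXPECTED_INTERVAL_S = 600          # BitCoin aims at one block per 10 minutes
MAX_TARGET = 2**256 - 1
GENESIS_PREV = "0" * 64


def sha256d(data: bytes) -> int:
    """Double SHA-256, returned as an integer so it can be compared to the target."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def header_bytes(prev_hash: str, txs: List[str], nonce: int) -> bytes:
    return json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce}, sort_keys=True).encode()


def block_hash(block: dict) -> int:
    return sha256d(header_bytes(block["prev"], block["txs"], block["nonce"]))


def mine(prev_hash: str, txs: List[str], target: int) -> Tuple[dict, int]:
    """Brute-force the nonce until the hash is below target.
    Returns the block and the number of attempts it took."""
    nonce = 0
    while True:
        if sha256d(header_bytes(prev_hash, txs, nonce)) < target:
            return {"prev": prev_hash, "txs": txs, "nonce": nonce}, nonce + 1
        nonce += 1


def valid_block(block: dict, target: int) -> bool:
    """Verification costs one hash, however long mining took."""
    return block_hash(block) < target


def valid_chain(chain: List[dict], target: int) -> bool:
    """Every block must meet the target and name the previous block's digest."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev or not valid_block(block, target):
            return False
        prev = f"{block_hash(block):064x}"
    return True


def retarget(target: int, actual_s: int, expected_s: int = EXPECTED_INTERVAL_S) -> int:
    """Scale the target by how far the observed interval missed the goal.
    Faster blocks mean more hashing power, so the target is lowered (harder).
    As in BitCoin, the change is clamped to a factor of four either way."""
    actual_s = min(max(actual_s, expected_s // 4), expected_s * 4)
    return min(target * actual_s // expected_s, MAX_TARGET)


def build_chain(n: int, target: int = EASY_TARGET) -> List[dict]:
    """Mine n blocks, each with a coin-creation transaction and one transfer."""
    chain: List[dict] = []
    prev = GENESIS_PREV
    for i in range(n):
        block, _ = mine(prev, [f"coinbase:50->miner{i}", f"transfer{i}"], target)
        chain.append(block)
        prev = f"{block_hash(block):064x}"
    return chain


def tamper(chain: List[dict]) -> List[dict]:
    """Alter a transaction in the first block without re-mining what follows:
    the first block's digest changes, so the second block's back-pointer no
    longer matches and the whole chain fails validation."""
    forged = [dict(b, txs=list(b["txs"])) for b in chain]
    forged[0]["txs"][1] = "transfer0 (altered)"
    return forged
```

With `EASY_TARGET` a block takes a few thousand attempts on average; halving the target doubles the expected work, which is what `retarget` does when the previous interval came in at half the expected time.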

Creating a doctored block and having it validated and attached to the
official log would thus require outpacing the network's combined computing
power. This can only happen if a fraudster controls more than half of the
network's total number-crunching capacity, which is possible, but extremely
expensive for any one person. Even then, the attacker could only rewrite
recent history and spend his own coins twice: he could not spend other
people's coins or mint extra ones, because every node checks the signatures
and the minting rule for itself, however long the chain.

The system can thus rely on users to police it. As a reward for giving up
some computing power to that end, the first user to crack the forced-work
task gets 50 coins for the effort, plus any transaction fees attached to the
transactions in the block. This is done by always making the first new
transaction in each block the conjuring up of 50 coins out of nothing. When
other participants agree to append the new block to the official chain, they
also validate the creation of the new money (they would, of course, reject it
if someone tried to game the system by minting more than 50 coins).

This is also how BitCoin niftily gets around the problem of increasing the
money supply without a central mint. Since blocks are created at a constant
average rate, and there is a set number of coins minted per block, the total
money supply, too, increases at a steady clip. For now, this is 300 coins
every hour on average. Every 210,000 blocks, roughly four years, the minting
rate is set to fall by half. It will drop to 25 coins per block (expected in
late 2012 or 2013), to 12.5 coins some four years after that, and so on,
until the total supply approaches a hard ceiling of 21m. Most of that will
have been minted by the 2030s, with the last fraction trickling out over the
following century.

The idea is to mimic the extraction of minerals (the transaction-validating
software is called the BitCoin miner). As the most readily accessible
resources are exhausted, the supply dwindles. Unlike real resources, however,
there is no as-yet-undiscovered, hidden lode a fortunate prospector can
strike to disrupt the money supply. Should a powerful new computer be
introduced to the network, the difficulty of the forced-work challenge would
soar, keeping the rate at which blocks are approved, and new money created,
unchanged.

In theory, then, the system ought to keep a lid on inflation, making it
attractive to critics of interventionist monetary policy of the sort
practised since 2008 by America's Federal Reserve under the label
quantitative easing. (The mineral analogy, in particular, appeals to
proponents of a return to a gold standard.) It offers other apparent
benefits, too. The currency can be used by anyone (unlike credit cards, for
instance), anywhere. Transaction costs are also likely to be lower than those
for traditional payment systems, though these are not in fact zero. Some are
reflected in the hardware and energy used to police the system. Some surely
creep in whenever those who have no wish to mine BitCoins themselves purchase
them for dollars, euros and several other currencies at specialised sites
like Mt. Gox.

Legally, BitCoin exchanges are subject to the same regulations as ones
trading commodities. For example, an exchange must report any transaction
above $15,000, a policy meant to stem money laundering. For the purposes of
taxation, meanwhile, reimbursing somebody for a product or service in
BitCoins is treated as barter. The tax code makes provisions for such
practices, though, admittedly, they can be tough to enforce.

This has not stopped some American politicians from expressing grave concern
about the virtual currency. Charles Schumer, a prominent Democratic senator,
has inveighed against it, claiming it is just what drug dealers have been
waiting for. All the clever cryptography means BitCoin dealings are difficult
to trace. But not impossible: every transaction is recorded in the shared
public log, so what the cryptography hides is who controls each account, not
the flow of coins between accounts. According to BitCoin's defenders, its
users may be more difficult for a government agency to pinpoint than someone
paying with a credit card. But they are easier to catch than those using
cash. Moreover, any drug trade involves sending physical products to
recipients. Authorities already track many packages sent by groups under
investigation. When it comes to physical delivery, the method of payment is
irrelevant. Another worry, for the authorities at least, is that, in theory,
a BitCoin account cannot be frozen. But, like cash, BitCoins can be nabbed by
seizing the computer, and with it the private keys, on which they are stored.

Ordinary folk, meanwhile, have different concerns. They fear being bilked by
a cabal of clever boffins, who can insidiously fiddle with the system's
software to take advantage of less geeky types. This queasiness, though
understandable, may be misplaced. As an open-source project, the computer
code which undergirds BitCoin can be viewed, and modified, by anyone. As with
all such ventures, however, if a change is introduced that most participants
do not accept, they will simply refuse to download that version of the
software. Since the self-professed geeks who make up the web's open-source
communities often delight in (and excel at) scrutinising seemingly
impenetrable lines of computer language, it is highly unlikely that someone
could get away with surreptitiously inserting a command to create excess
BitCoins and siphon them off to his account, for instance. For the same
reason, the open-source nature of the project is also a bulwark against
tampering with the software itself. It is no protection, however, for the
wallet files on users' own machines: malware that steals the private keys
held there steals the coins, which is why the earlier advice about virus-free
computers and back-ups matters. As cybercrime goes, the system as a whole may
be harder to attack than traditional financial institutions, which are often
on the receiving end of such attacks, but its users carry more of the risk
themselves.

And then there are the currency's economics. These have engendered a
surprisingly lively debate. One particular bone of contention is whether it
makes sense to decrease the rate of money creation with time. Some people
think this will entail disastrous deflation if the demand for BitCoins grows
at a faster rate than new coins are minted. As recent wild swings in their
dollar price amply demonstrated, they are not the most predictable of
vehicles. The volatility is largely down to the fact that the currency
remains illiquid: only 6.5m currency units (divisible to eight decimal
places) are currently in circulation among some 10,000 users (including
several hundred merchants who accept payment in BitCoins). This seems
unlikely to change in the foreseeable future, as even BitCoin's most ardent
supporters admit. That is not because people are queasy about intangibles.
After all, much of modern pecuniary activity already involves bits rather
than bob and consumers have embraced credit cards, electronic transfers and
the like.

The difference is that established fiat currencies (ones where the bills and
coins, or their digital versions, get their value by dint of regulation or
law) are underwritten by the state which is, in principle at least,
answerable to its citizens. BitCoin, on the other hand, is a community
currency. It requires self-policing on the part of its users. To some, this
is a feature, not a bug. But, in the grand scheme of things, the necessary
open-source engagement remains a niche pursuit. Most people would rather
devolve this sort of responsibility to the authorities. Until this mindset
changes, BitCoin will be no rival to real-world dosh.

More information about the cypherpunks-legacy mailing list