Scrypt-coins
Krawisz then proceeds to argue against the merits of specific alternative cryptocurrencies. He first attacks so-called “Scrypt-coins”, of which Litecoin is currently the most popular. Scrypt is a hash algorithm, much like SHA256, but with the main difference that Scrypt is designed to require a large amount of both processing power and memory to compute. Essentially, the way it does this is by pre-computing millions of intermediate values and then randomly selecting inputs from these values to generate the final result. A computer evaluating the Scrypt hash of a message (or, in this case, a block) must either keep all of these intermediate values in memory throughout the computation or re-compute the values every time they are needed, which is prohibitively slow. The benefit of using Scrypt instead of SHA256 for mining is that it becomes more difficult to create specialized miners that compute millions of hashes in parallel; with Scrypt, if you want to make an ASIC that computes hashes fifty thousand times faster than a CPU, then you will also need to include terabytes of RAM. This does not remove the potential for ASIC miners, but it does make them less efficient, allowing average users on CPUs and GPUs to continue mining without getting ruthlessly outcompeted by special-purpose hardware.
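The store-or-recompute tradeoff described above can be measured on a toy version of Scrypt's core loop. This is an added example, not code from the article or from any Scrypt implementation: SHA-256 stands in for Scrypt's real mixing function, and the function names, the sample message and the parameter n are assumptions chosen for illustration.

```python
import hashlib

def mix(x, stats):
    """One call to the mixing function (SHA-256 stands in for scrypt's BlockMix)."""
    stats["hashes"] += 1
    return hashlib.sha256(x).digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def pick(x, n):
    """Data-dependent index: which stored value is read next depends on x itself."""
    return int.from_bytes(x[:8], "little") % n

def romix_store_all(seed, n):
    """Keep all n intermediate values in memory: exactly 2n hash calls."""
    stats = {"hashes": 0, "values_stored": n}
    table, x = [], seed
    for _ in range(n):                 # fill phase: V[i] = H^i(seed)
        table.append(x)
        x = mix(x, stats)
    for _ in range(n):                 # mix phase: read V[j] in unpredictable order
        x = mix(xor(x, table[pick(x, n)]), stats)
    return x, stats

def romix_recompute(seed, n):
    """Store nothing: rebuild V[j] from the seed every time it is needed."""
    stats = {"hashes": 0, "values_stored": 0}
    x = seed
    for _ in range(n):
        x = mix(x, stats)
    for _ in range(n):
        vj = seed
        for _ in range(pick(x, n)):    # j extra hash calls to reach V[j]
            vj = mix(vj, stats)
        x = mix(xor(x, vj), stats)
    return x, stats

def compare(message=b"constructed sample block header", n=1024):
    seed = hashlib.sha256(message).digest()    # 32-byte starting state
    fast, fast_stats = romix_store_all(seed, n)
    slow, slow_stats = romix_recompute(seed, n)
    assert fast == slow                         # same hash, very different cost
    return fast_stats, slow_stats

if __name__ == "__main__":
    for stats in compare():
        print(stats)
```

The memory-free variant pays roughly n/4 times as many hash calls as the table-based one, which is the cost a parallel miner must absorb for every core that is not given its own memory.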
Krawisz, of course, disapproves of this idea. He compares the effort to create coins that average users can mine to the Candlemaker’s Petition, a satirical petition by the French economist Frédéric Bastiat featuring a candlemaker asking the government to, among other things, ban windows to protect his business from the competition of the sun. As a criticism of protectionist economic policies, the Candlemaker’s petition makes an excellent argument. The reason why the candlemaker’s request is harmful is that if his business relies on government intervention in the form of banning windows to continue operating, then the business is not providing any actual value to society in the first place; if his candles did provide value, people would be willing to spend money on them. Artificially maintaining a business that does not provide value makes no sense; if the candlemaker’s welfare is of concern, it is a far better solution to let the unproductive business die and supplement the merchant’s income through charity or a welfare program than to continue wasting resources.
As a criticism of Scrypt, however, the argument is not nearly so robust. In the case of the candlemaker, the product to society was light; the more light people get when they need it the better. In the case of cryptocurrency mining, however, the product to society is not hash calculations; by themselves, hash calculations are useless. Rather, it is producing more hash calculations than any potential attacker. Because the “memory-hardness” of Scrypt mining harms legitimate miners and attackers alike, its effect with regard to security is ultimately neutral; thus, this is not a case of artificially hamstringing one part of the economy to give another part a “fair chance”. Because mining is a competitive activity, both in terms of individual miners’ day-to-day operations and in terms of its ultimate purpose, many economic theories that work perfectly well for commodities fall flat on their face when applied to Bitcoin mining. The reality is that the economics of Bitcoin mining remains a heavily under-studied area, and much more research needs to be done before we understand what is truly going on.
Fast Block Confirmation Times
The topic of block confirmations is best explained by Krawisz himself:
The issue here is the risk of a double-spend attack. If you receive notice of a payment from someone, there is the possibility that he has made a second, conflicting payment using the same bitcoins. In this case, there is the chance that the other payment will be accepted into the block chain rather than yours, and yours will be considered invalid. This is a theoretical means of scamming Bitcoin merchants.
However, Krawisz then proceeds to make the following claim:
Furthermore, a double-spend attack is only possible if the two conflicting transactions occur within a few seconds of one another, so the best defense against double spending is simply to watch the network for a few seconds after receiving a payment. If no conflicting payments appear then there is nothing to fear from double spending.
Unfortunately, this is not necessarily true. A double-spend without mining power certainly does meet these restrictions. However, if an attacker with a substantial amount of mining power creates a double spending transaction, and then builds a blockchain with that transaction longer than the main blockchain, then Bitcoin nodes will still discard the old one and switch to the new one. So far, developers have rejected any attempt to change that fact because the risk is too high that it will break down network consensus and lead to a blockchain fork if different miners see incoming blocks in a different order and thus disagree on what the “correct” blockchain is.
Ultimately, against attackers with substantial mining power, waiting for the network to “confirm” the transaction is the only solution. This takes ten minutes with Bitcoin, but 2.5 minutes with Litecoin and one minute with Primecoin. Even here, however, attackers with 1-49% of the network’s mining power can still sometimes get lucky and produce several blocks in a row; to prevent this, six confirmations is the accepted standard, ensuring that attacks have a 1 in 64 chance of success with 33% of the network’s hashpower, 1 in 729 with 25% hashpower and 1 in 15625 with 17% hashpower. Note that it is the number of confirmations, not the number of minutes, that counts; thus, while Bitcoin takes an hour to achieve this level of security, Primecoin does it in six minutes.
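The figures above are consistent with the gambler's-ruin estimate (q / (1 - q))^z for an attacker holding a share q of the hashpower who must make up z blocks, taking q as 1/3, 1/4 and 1/6. The following added example (not code from the article; the function names and the simulation parameters are assumptions) computes that estimate exactly, checks it by simulation, and lets a merchant turn a tolerated risk into a confirmation count and a waiting time.

```python
from fractions import Fraction
import random

# Average block intervals in seconds, as quoted in the article.
BLOCK_INTERVAL = {"Bitcoin": 600, "Litecoin": 150, "Primecoin": 60}

def catch_up_probability(q, z):
    """Chance that an attacker holding share q of the hashpower ever
    erases a z-block deficit: (q / (1 - q)) ** z."""
    q = Fraction(q)
    if q >= Fraction(1, 2):
        return Fraction(1)             # a majority attacker always catches up
    return (q / (1 - q)) ** z

def confirmations_needed(q, max_risk):
    """Smallest z whose catch-up probability is at most max_risk."""
    if Fraction(q) >= Fraction(1, 2) or max_risk <= 0:
        raise ValueError("no finite number of confirmations meets this target")
    z = 0
    while catch_up_probability(q, z) > max_risk:
        z += 1
    return z

def wait_seconds(coin, z):
    """Expected wall-clock wait for z confirmations on the given chain."""
    return BLOCK_INTERVAL[coin] * z

def simulate(q, z, trials=20000, give_up=30, seed=1):
    """Monte Carlo check of the formula: each new block is the attacker's with
    probability q; the attacker quits once z + give_up blocks behind."""
    rng = random.Random(seed)
    qf, wins = float(q), 0
    for _ in range(trials):
        deficit = z
        while 0 < deficit < z + give_up:
            deficit += -1 if rng.random() < qf else 1
        wins += deficit == 0
    return wins / trials

if __name__ == "__main__":
    for q in (Fraction(1, 3), Fraction(1, 4), Fraction(1, 6)):
        p = catch_up_probability(q, 6)
        print(f"q={float(q):.2f}: 1 in {1 / p} (simulated {simulate(q, 6):.5f})")
    for coin in BLOCK_INTERVAL:
        print(coin, wait_seconds(coin, 6) // 60, "minutes for 6 confirmations")
```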
Primecoin
Next, Krawisz turns his attention to Primecoin, a cryptocurrency whose main innovation is the fact that its mining algorithm is intended to be actually useful. Rather than using SHA256 computations, Primecoin requires miners to look for long “Cunningham chains” of prime numbers – chains of values n-1, 2n-1, 4n-1, etc. up to some length such that all of the values in the chain are prime (for the sake of accuracy, n+1, 2n+1, 4n+1 can also be a valid Cunningham chain, and Primecoin also accepts “bi-twin chains” of the form n-1, n+1, 2n-1, 2n+1 … where all terms are prime). It is not immediately obvious how these chains are useful – Primecoin advocates have pointed to a few theoretical applications, but these all require only chains of length 3 which are trivial to produce. However, the stronger argument is that in modern Bitcoin mining the majority of the production cost of mining hardware is actually researching methods of mining more efficiently (ASICs, optimized circuits, etc) and not building or running the devices themselves, and in a Primecoin world this research would go towards finding more efficient ways of doing arithmetic and number theory computation instead – things which have applications far beyond just mining cryptocurrencies.
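A checker for the three chain forms named above, as an added example that is not Primecoin's own validation code: the function names, the "first"/"second"/"bitwin" labels, the sample origins and the convention of counting consecutive primes from the start of the sequence are assumptions made for illustration.

```python
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n below 2**64."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False               # a is a witness that n is composite
    return True

def chain_terms(origin, kind):
    """Yield n-1, 2n-1, 4n-1, ... ("first"), n+1, 2n+1, 4n+1, ... ("second"),
    or n-1, n+1, 2n-1, 2n+1, ... ("bitwin") for origin n."""
    if kind not in ("first", "second", "bitwin"):
        raise ValueError(f"unknown chain kind: {kind}")
    scaled = origin
    while True:
        if kind != "second":
            yield scaled - 1
        if kind != "first":
            yield scaled + 1
        scaled *= 2

def chain_length(origin, kind):
    """Number of consecutive primes at the start of the chain."""
    length = 0
    for term in chain_terms(origin, kind):
        if not is_prime(term):
            return length
        length += 1

def longest_chain(origin):
    """Best (length, kind) pair that a verifier could credit to this origin."""
    return max((chain_length(origin, k), k) for k in ("first", "second", "bitwin"))

if __name__ == "__main__":
    for n in (3, 6, 90):               # constructed sample origins
        print(n, longest_chain(n))
```

Checking a claimed chain costs a handful of primality tests, while finding an origin with a long chain requires a search, which is the asymmetry a proof-of-work scheme needs.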
Krawisz’s attack on Primecoin is simple: “Primecoin is a wuzzle. It tries to do two unrelated things at once, which, generally speaking, is the opposite of a good design.” In most cases, this is a valid argument; it is a core part of the Unix philosophy that applications should “do one thing and do it well”. A device that attempts to be a baseball bat and a water bottle at the same time will likely fail at both, being too heavy to carry around as a bottle and too unpredictable due to internal water flows to serve as a reliable bat. However, here the situation is different, because Primecoin’s two purposes are fundamentally different in character: one is a private good, whereas the other is a public good. Primecoin’s value as a currency is enjoyed by those who choose to use it and only those who choose to use it; hence, this is the private component of the good that Primecoin offers. However, the scientific research that Primecoin generates is public in nature; the results will be usable by anyone, regardless of whether they used or mined Primecoin or not.
It is a well-understood fact in economics that public goods are underproduced in a pure market. For example, suppose that there is a community of ten thousand people, and it is publicly known that if people contribute $1 million, then some disease will be cured. Furthermore, everyone knows that, without a cure, they will all suffer from this disease at some point, and so everyone is, theoretically, willing to pay $5,000 for a working cure. If everyone contributed $100 toward curing the disease, then the $1 million goal would be reached and the disease would be cured, leading to a $4,900 benefit for everyone. However, from each individual’s point of view, contributing $100 only leads to 0.01% progress toward curing the disease – a personal benefit of only $0.50, not nearly enough to justify the expense.
The way such problems are generally solved is by bundling the public good with a private good. For example, suppose that one quarter of these people were all customers of the same health insurance agency (it can be a private company, a cooperative or an arm of the government; the distinction is not particularly relevant in this simplified example). The agency could spend $1 million curing the disease, but then save the $5,000 that it would have spent paying for the treatment of each of its 2,500 customers, leading to a net gain of $11.5 million. The public goods problem is solved because a private good, in this case insurance, was bundled with the public good of curing the disease – in Krawisz’s terms, a wuzzle. Primecoin accomplishes the exact same thing. It bundles a private good, namely its own block reward, with the public good of advancing research into scientific computation. Arguably, this is much closer to economic genius than “bad design”.
The argument that Krawisz ends off with is this: if these features are so good, why do they need to be in their own currencies? Why can’t the developers of these features ask the Bitcoin developers to put these features into Bitcoin instead? One argument that I already made is that modifying Bitcoin at this point is simply too risky to be worth it; however, an even better rebuttal can be made by simply flipping the argument on its head. Why did Satoshi have to create his own currency? Why couldn’t he have simply been a good little consumer and filled out a suggestion form asking his local bank to implement a semi-anonymous and global value transfer mechanism instead? If inflation is the problem, why couldn’t he have engaged in legitimate democratic process and petitioned his government to add a hard currency supply limit to his local fiat currency instead? Why couldn’t he have just nicely asked Paypal to offer a payment option that is irreversible?
The answer is obvious. Sometimes, people in control of powerful and established institutions are either irrational or simply factually wrong, and there needs to be an outlet for people to try out new ideas with or without their support. If the idea fails, then it goes into the dustbin of history where it belongs. If, on the other hand, the idea succeeds, then it is a very good thing that the idea’s inventor was able to simply ignore the initial skepticism and go ahead with the project. Governments and banks are stubborn about a lot of things, but Bitcoin developers also have their points of stubbornness. Perhaps they are right, but perhaps they are wrong – but in either case, a real-world market is the best way we have to find out for sure.