In Blockchain We Trust
Until recently, the only practical way to perform a transaction online was through a central authority. In exchange for a deposit of fiat currency, they give you a balance—essentially minting their own electronic currency—which you then instruct them to transfer, and the recipient can then withdraw for fiat. This works only so long as you trust these authorities both to keep track of balances and to exchange them for fiat, which has led to an oligopoly of large companies controlling electronic transactions. They are able to exploit their market power to be simultaneously lazy (failing to enter under-served markets) and greedy (charging huge transaction fees).
There is now an alternative. We've been promised that blockchains will enable "trustless" transactions, replacing the currencies minted by Visa and its ilk with decentralized "cryptocurrencies". I will examine what this promise means in practice, and whether blockchain-based currencies can really keep it.
Public-key cryptography completely solved the problem of allowing individuals to announce transactions in a forgery-proof manner, without any need for a central authority. In fact, centralized electronic currencies have often made use of this at the transfer layer. However, a currency needs two additional features which have traditionally required a central authority:
- Creating an authoritative record of transactions that have been performed, so that the same balance cannot be re-used for a second transaction (the double-spend problem).
- Minting new currency (traditionally in exchange for a deposit of fiat).
Satoshi's Bitcoin paper offered the first decentralized solution to both of these problems. It solves the first problem with a decentralized timestamp system, at the cost of a great deal of computing power required for Proof-of-Work, and then turns this cost into the solution to the second problem by rewarding said work with newly minted coins. The 8-page paper is a tour-de-force of applied cryptography and concise, straightforward writing; if you haven't read it, you should do so now.
Bitcoin and the many blockchain protocols it gave rise to are indeed decentralized currencies, and thus do not completely depend on trust in any single central authority. But they are far from trustless. As computer science has periodically rediscovered, new information technology requires different kinds of trust, rather than removing the need to trust altogether. In the case of blockchains, we need to trust not only the software running on our clients, but to trust that other people will assign a stable value to the currency, and that no group will leverage more than 50% of the hash rate of the chain to compromise its guarantees.
How reasonable is it to trust that a given cryptocurrency will be accepted at a relatively stable price in the near future? The history of Bitcoin and other blockchains' prices is not encouraging, although much of the blame for their fluctuations can be laid on speculation and low adoption. Perhaps once a single cryptocurrency is widely adopted, it could be trusted. But this trust does not have the security that centralized currencies do, where balances are secured by an (albeit fractional) fiat currency, generally one which is in turn secured by a historically stable and powerful government. Balance in a cryptocurrency is accepted only because others trust that it will be accepted. It's trust all the way down—what epistemologists call common knowledge.
Common knowledge is inherently brittle. Doubt is contagious; if you learn that others doubt that their balance will be accepted, you begin to doubt that they will accept your balance. Thus trust in a cryptocurrency will need a stabilizing force to smother any embers of doubt. In the traditional case, this force is either the fractional reserve of the authority or the power of a government, both of which set a floor on how useful their currency is, as it can be exchanged for fiat or used to pay taxes respectively. I believe that cryptocurrencies will require the same kind of guarantee in order to be long-term stable. In the absence of a central authority, this guarantee can only exist if a sizeable group of people have no decent alternative to that cryptocurrency for a significant fraction of their transactions. At a minimum, there must be only one such cryptocurrency in wide use among said group.
How worried should we be about attackers leveraging more than 50% of the global hash rate? Such an attacker can generate blocks faster than the rest of the network, so they can undo any and every transaction that occurs while they have more than 50% of the hash rate. In the classic attack, the attacker sells the cryptocurrency for fiat, then undoes the sale and repeats the process. Such attacks have been successfully carried out against multiple second-tier cryptocurrencies, but never against the major players (Bitcoin and Etherium).
Various arguments have been made claiming that a dominant cryptocurrency would never suffer from such an attack. The simplest is that the hash rate required for such an attack would be beyond the means of any single entity or allied group. Considering the means of some entities that may want to attack a cryptocurrency, such as the government of China, this is a truly startling claim. Are we to believe that so many resources would be devoted to running the cryptocurrency, that the concerted efforts of the Chinese government could never match it? If so, surely the currency is too wasteful to be practical.
A more subtle argument is that any group capable of such an attack would be so invested in the cryptocurrency by virtue of their hashing capacity that they would lose more in the resulting instability in the currency than they could possibly steal through such an attack. Note that this argument fundamentally relies on trust in others to act according to their long-term incentives, which is the same reason we trust central authorities running traditional electronic currencies. But besides requiring trust, this argument depends on narrow assumptions about the potential attackers' incentives. Suppose that the US economy becomes dependent on a certain cryptocurrency, while China bans that currency. The Chinese government would certainly lose money building and running enough hashing power to execute such an attack. But it could easily be worth it geopolitically. Or consider the operator of a competing cryptocurrency using a similar hashing algorithm, whose current and future balances may become more valuable as a result of such an attack.
The overarching reason why trust in large groups of strangers is so integral to blockchains is that, while they have no single point of failure, they have no single point of strength either. This contrasts with decentralized systems known for their resiliency, such as mesh networks or peer-to-peer file-sharing protocols, which allow any number of paths between nodes but continue to work even if all but one path is lost. Where such systems are almost strictly more resilient than centralized alternatives, blockchains involve a significant trade-off. This trade-off should be central to the debate over their adoption.
Is it possible to design a decentralized currency that is closer to a mesh network in resilience? It certainly isn't easy. Like Bitcoin, any such system will have to simultaneously address the problem of creating a single authoritative record and the problem of minting new currency. Non blockchain-based "cryptocurrencies" have tried, like Ripple and Stellar, but they are newer and less battle-tested than the blockchain-based currencies. And while they avoid the specific weaknesses discussed here, they introduce serious concerns of their own, which I may examine in a future post.
It seems likely that there would be only one cryptocurrency in wide use period, but it is also possible that differences in use case, culture or legal regime could overcome the advantages of consolidation.