Unintended consequences: Could proof of stake just become no proof of work?

Bitcoin operates through a process known as proof of work (PoW). In order to determine which network participant gets to create the next block (and claim a reward), the process requires the contribution of computer processing power. The more processing (work) you perform, the more likely you are to be rewarded with Bitcoins.

Running this hardware is very expensive, the Bitcoin network is already said to consume as much electricity as the entire country of Ireland.

Satoshi Nakamoto’s vision when he created Bitcoin was that everybody would mine Bitcoin on their computers, all around the world, and that this would decentralise the network.

Unfortunately, CPUs are incredibly inefficient miners. A decent laptop might manage around 14MH/s. A specially designed (ASIC based) AntMiner S9 can achieve 14TH/s – that’s 1,000,000x faster.

Nakamoto could not have foreseen the rise of ASICs when he wrote the Bitcoin white paper. Consequently, instead of being distributed around the world, Bitcoin has faced huge centralising pressure. The number of people required to control Bitcoin can fit around one table. Centralisation provides self perpetuating benefits of easier access to the best hardware and cheapest electricity, though once ASIC chips bump up against Moore’s Law there’s good reason to believe we will see a shift back towards decentralisation.

The holy grail of cryptocurrency would be the security of proof of work, but without the cost and centralisation. I first read about proof of stake (PoS) a number of years ago and, seduced by the idea, immediately invested in PeerCoin, the first cryptocurrency to implement it.

So what is proof of stake?

PoW uses expensive and ‘wasteful’ electricity to try and calculate a hash of sufficient difficulty for the network to accept – enabling that participant to create a new block.

PoS works the other way around. There are a number of proposals, but the basic principle is that each participant can ‘stake’ their coins to create a kernel (type of hash). The bigger the stake, the bigger the chance their kernel will ‘match’. Match what? Well, the blockchain itself generates a random and unpredictable seed based on the data in the proceeding blocks (also by hashing), and the closest matching kernel gets permission to create the next block, and is rewarded for doing so.

As there is no requirement to lock up computer processing power, everybody can run the software on their own machine without the expense and hardware requirements of PoW.

Sounds great, doesn’t it? Well, as with the unintended consequences of PoW, let’s try and foresee how the PoS landscape might evolve.

Under PoW we have seen the rise of pooled mining. Pooled mining has been wildly popular because it makes mining income more predictable.

Think of PoW like a lottery. The more processing power you contribute, the more tickets you get. In Bitcoin there is just one winner every 10 minutes.

If the current bitcoin difficulty didn’t increase, even with the most efficient miner – the 14TH/s Antminer S9, you’d have to enter this lottery for over 2 years on average to win just once.

If you join a pool that has 25% of the hashing power (lottery tickets), then you can expect that pool to win once every 40 minutes on average, and you can then regularly collect your share of the winnings. This is favourable as opposed to running your hardware for years in the uncertain (unlikely) hope of winning the jackpot. Pooled mining in PoW offers no other benefit than making your income more predictable.

Would the same be true of PoS?

There has been testing in PoS experiments that has gotten the block creation time down to 3 seconds per block. This means instead of having 52,560 lottery winners per year in Bitcoin, you could have 7.6 million winners each year. This would certainly reduce, though not eliminate, the appeal of mining pools.

However, in cryptoeconomics we must assume that each participant will always act in their own self interest. Could there be other benefits from PoS pooled mining that are not present in PoW?

In digital security, randomness is very valuable. In PoW the randomness that selects the next block is generated by an external source – all that hardware calculating trillions of random hashes. In PoS this necessary randomness does not come from an external source, it can only come directly from the blockchain itself.

This means a seed generated from previous blocks is used to determine which participant will create the next block.

There are two different data sources you can hash for this randomness. If you included all the contents of the block to generate a hash, this would be a disaster, since there are infinite combinations of block contents. If it was an individual’s turn to create the next block and they had sufficient hardware they would just crunch as many combinations of block contents as possible and hopefully find one that generates a seed matching a kernel they control, allowing them to create the next block and repeat the process again.

This ‘stake grinding’ wouldn’t represent a shift away from proof of work, it would just mean work has taken place but without any proof or transparency.

An alternative option is to only hash header information which cannot be manipulated, such as the block creator’s signature. A potential issue here this is that if you pooled together, you could gain a competitive advantage.

Imagine you’re in a pool with 30% of the staked coins. This should mean that your pool creates 30% of the new blocks. However, let’s speculate an instance where the seed to determine the next block has two pool members as the two closest matches. Imagine the closest match signing a block would create a hash that would allow the next block to be created by a non-pool member, whereas the 2nd closest match would allow the next block to be created by another pool member. If you had sufficient hardware the pool could work to rapidly calculate the best combination of block creators to maximise revenue for the pool.

You can try to mitigate this risk by punishing participants for not creating a block when it’s their turn, but getting the economic balance right to not overly punish people with less reliable Internet connections for example (another centralising pressure) strikes me as an unenviable task.

Ultimately, if the pool has the size and hardware resources to crunch the numbers far enough ahead – it’s still going to game the system when it calculates a combination that will likely generate 10 consecutive blocks, compensating those members who lost out in the process for the greater benefit of the pool.

Such a system could actively incentivise centralisation. The bigger the pool, the greater the advantage. It could create a race to the bottom, since while everyone may recognise this centralisation as undesirable, they also must make an economic sacrifice to avoid participating in it.

Perhaps this centralisation pressure and obscuring of work would be an unintended consequence of PoS. All I know is, the more I study PoS and its goal to provide the security of PoW without the cost, the more a phrase from growing up in Yorkshire comes to mind… “you don’t get owt for nowt”. In other words: there’s no such thing as a free lunch.

What on earth is a Merkle tree? A non-technical answer the question you’ve always wondered

Merkle trees are one of the areas of Bitcoin I found hardest to understand.

The biggest problem was every time I read about them I just saw diagrams that didn’t make any sense with lots of multiplication and layers. Ignore the terminology, don’t worry about leaves, branches, roots or trees – these are words concerned with the technical process of creating one and will just confuse you.

Perhaps more helpful than understanding exactly how a Merkle tree is created, is understanding why they are useful. For the techies, I apologise for the over simplifications.

If you haven’t already, check out my article where I explain hashing. Hashing is such a simple concept, and it has very cleverly been integrated into Bitcoin in a number of ways.

Basically, a hash is a way to convert any information at all into a completely random but consistent value.

There are many different hashing methods, Bitcoin uses SHA-256 which enables you to convert any data into a 256 bit (32 byte) value.

If I hash the text ‘seebitcoin.com’ I get the 256 bit hash: e37695b5a5f8671d24e4160ec69755f73061bbc01d319403ce5ba5034bd57dc0.

If you do the same you will get the same result. A tiny change and the entire hash will be different, for example ‘seebitcoin.nom’ always gives the hash: cebe400cd1a7319a6c1e881d85322120f03c95c4dc00d996b1ae3472398753fa.

This allows us to do some really useful things. You can take the entire contents of a Shakespeare book and convert it into a 256 bit hash. If you have a hash for all your Shakespeare books, and your friend gives you a hash for their favourite Shakespeare book, you can know whether you have exactly the same copy.

If anything had changed, even as small as say an uppercase letter becoming lower case, the hash would completely change and you could know for certain the books were not identical.

We could take the complete works of Shakespeare, and for each piece of work we could create a hash. This means to have enough information to be able to verify 884,647 words, we’d only need 196 hashes total (38 plays, 154 sonnets and 4 poems).

This verification information could be stored on a single page of paper, while the complete works of Shakespeare could fill a bookcase.

While people probably aren’t too worried about the words in their copy of Hamlet being tampered with, in the Bitcoin world people want to know with certainty that none of the previous transactions they have stored have been altered, as this would introduce the possibility of fraud.

Like the complete works of Shakespeare, the Bitcoin blockchain is huge. There are over 420,000 blocks which can contain as many as 1MB worth of transactions. Currently the blockchain is over 75GB in size.

Just like all the words in a Shakespeare book can be converted into a 256 bit hash, all the transactions that took place in a block can be converted into a single 256 bit hash. This hash, in Bitcoin terminology, is called the Merkle root (the final value when calculating a Merkle tree).

This means for 420,000 blocks, you could have enough information to verify with certainty every transaction with just 13MB of data. Considering that’s over 75GB worth of transactions this is extremely useful.

In a Bitcoin block, the header data (all the important information about the block) and the transaction data (all the actual transactions, the bulk of the data) are separate.

This means that the software only needs to use the data in the block headers to do most things, which is far more efficient. Another benefit is that your smart phone only needs to download the block header data (around 32MB for 420,000 blocks) to run a Bitcoin client, and can just request additional data as needed without having to download and store an entire copy of the 75GB blockchain.

Merkle trees are what makes these things possible, and are basically just a method to convert all of a block’s transactions into a single hash to be used to verify no information has been manipulated.

Any requests for other explanation articles? Let me know in the comments.

Correction: I erroneously suggested a hash was 256 bytes instead of bits, values have now been corrected.

Let’s talk hard forks: the most exciting area of cryptocurrency?

In my last article I outlined the difference between and soft and hard fork. Now, I will switch my focus to the different types of hard fork.

Not all hard forks are born equal

A hard fork is when a blockchain splits into two separate and incompatible versions. The reasons for this happening and the consequential fallout are varied.

At the uncontentious end of the spectrum, you have essential hard forks. In its early days, a simple overflow bug in the then not properly audited Bitcoin code allowed somebody to create 184 billion Bitcoin out of nothing in a single block. The protocol allows a maximum of 21 million Bitcoin to ever be produced, and so this bug violated the protocol and rendered that version of the software useless. Bitcoin basically crashed. An update was essential to fix the problem, and a new version was released within hours.

Fixing critical bugs is as uncontroversial as it gets – since crypto economics assumes every participant should rationally act in their own self interest there were no participants who would benefit from Bitcoin remaining broken and the forked blockchain quickly became the dominant one.

Also uncontentious is an upgrade hard fork. Bitcoin hasn’t had one of these yet, but Ethereum has. These involve improvements to the protocol. In the case of Ethereum it was established from the beginning that the protocol would hard fork 3 times, gradually introducing new features. Those using Ethereum accept as part of its use they will need to upgrade their software in order to stay on the main blockchain, and since they are integral and promised improvements they are eagerly anticipated.

The next type of hard fork gets a little more ambiguous. There is consensus in the Bitcoin community that the 1MB block size needs increasing through the use of a hard fork. Where the level of contentiousness exists is when and by how much this increase to the transaction capacity needs to be. There have already been a few failed attempts to hard fork to a bigger block size. Most recently Bitcoin Classic failed to gain enough support to introduce a 2MB block size hard fork, requiring but not obtaining support of 75% of miners be running the new software in order for it to be activated.

Since even Bitcoin Core has an increase to 2MB blocks on its scaling roadmap for the future, it is very unlikely that if such a fork had been activated, the other 25% would have remained on the old blockchain stubbornly insisting that they didn’t want to upgrade ‘yet’, as they would simply be left behind as the wider community accepted consensus had been reached.

If a fork to permit a 100GB block size increase had been successfully activated things would be different. There are many people who are strongly opposed to the increased centralisation, reduced protection from DoS/spam attacks and lack of fee incentive that larger blocks could bring. It is likely that no matter what a portion of the community would reject the fork and continue to participate on the original blockchain.

Here, we have reached the crux of what a contentious hard fork is: ideological.

Sometimes, consensus is simply impossible to achieve. If you passionately and ideologically believe something is right, you’d rather continue using and supporting the vision you believe in, even if you’re in a minority of <1%.

The ‘worst’ type of contentious fork would involve a community truly split down the middle, 50/50, as neither chain could be said to have won, and you’d find yourself with a format war, two competing and widely used solutions waiting for a winner to emerge. Many view this as undesirable.

There is no reason two sides of a hard fork cannot coexist peacefully, and both can be traded on exchanges with people free to use whichever fork they believe in. There are some complications though.

In the event of a hard fork, anybody who owns coins at the time the hard fork occurs will own those coins on both blockchains.

A hard fork will probably seen as a negative initially and so cause the value of the coins to be lower, though this will probably be priced in once it is apparent the hard fork will occur. Then, after the split, the value of each set of coins would reflect the mining and community support for each side of the fork.

If you log into an exchange which has decided to support both sides of the fork, you will find you have two balances. If you’re with an exchange that has decided to support only one side of the fork, you’re possibly going to miss out and lose some coins that could hold, even if small, a future value. I wouldn’t be surprised if those exchanges left themselves open to legal action over the missing coins.

It is a simplistic and highly speculative example, but let’s say a hypothetical $100 coin splits into two blockchains with a 75%/25% hashing power split, you may see the overall value drop 80% leaving the coins valued at $60 and $20 on each side of the fork respectively.

While it will be immediately obvious how the miners have split their support between the chains, it is a lot more difficult to estimate community support. If you had a majority of miners in favour of fork A, and a majority of the community in favour of fork B, you’d likely see a quick swing in price with fork B overtaking A in value. There will likely be arbitrage opportunities for anybody who is able to identify the likely disparity between miner support and community support which is impossible to see until left to the market to decide at the exchanges.

Cryptoeconomics anticipates that people will act in their own self interest. If someone genuinely believes in one side of the fork ideologically, it is likely they will ‘dump’ their coins on the losing side of the chain in order to lower its value and in theory increase the value and the likelihood of success on the chain they believe in.

This is a gamble, they could dump all the coins they don’t believe in, and then find out the community valued that side of the fork more highly leaving them ultimately with a lot of highly devalued coins. It is also possible such a devaluation would be temporary, and if people persist to support the ‘losing’ side its value could recover.

In the case of Ethereum, which is about to undergo the first ever contentious hard fork, there are people who strongly believe in both sides of the fork and would be prepared to gamble dumping the coins they oppose to negatively influence the price.

Hard forks also create an unintended problem, replay attacks. If you have two almost identical protocols, the format of the transactions you submit to the network are identical. If you see a transaction on one side of the fork sending money from X to Y, anybody can view it and submit that same transaction to the other blockchain so that it occurs there too, even if the people initiating the transaction don’t want that to happen.

There are ways to try and prevent this, but it adds a layer of complexity and is a barrier to peaceful coexistence. If you have a lower value coin you want to send to somebody, you could ‘lose’ your higher value coins in the event of a replay attack, so this factor likely favours the most popular (highest value) side of the fork, as people want to minimise the risk of losing their more valuable coins.

Ultimately, the safest reaction and likely most common response to a contentious hard fork is to wait and see how it all plays out.

If you had $100 coin, that split to $60 and $20, it may be that if you wait a week the coins are worth $79 and $1 – overall you’ve not lost anything. The sooner you move your coins, the bigger the risk you face, but also the bigger the potential reward.

Many people will expect that on the smaller side of a fork there will be a huge dump of coins from people who only want to hold a balance on the ‘winning’ side of the chain. This could have a knock on effect on the viability of mining, with only those of the strongest ideological resolve mining at a loss in the hope of future returns.

Let’s look at Ethereum’s imminent hard fork as an example, which will be fascinating to observe. The community is split following an attack where an individual was able to steal a large number of tokens from a smart contract called the DAO that huge swathes of the community had invested in. This was no fault of the protocol or Ethereum itself, but rather a badly coded contract. Ethereum has marketed itself as immutable and “contract is law”, so there is an ideological argument that a hard fork to return the stolen funds from a badly coded contract undermines the entire project, which is why a number of the community are so strongly opposed.

Once the hard fork takes place, there are many people who oppose the hard fork and want to remain on the original chain who do so acknowledging there is a possibility the vast majority of the community will dump their coins causing its value to plummet. This seems in violation of the principle that people would always act in their self interest as they could see the value of their own coins diminish and mining become unprofitable.

Rather than a bad thing, many of these people see the dump as a great time to buy these coins at a heavily discounted price, with the opinion that if something like the DAO hack has happened before, it will likely can happen again. They envisage a future where the community accepts sacrificing its immutability was a mistake and hard forking to solve problems is not viable, and that people will abandon the compromised chain and come back to realise the value of the original immutable, “contract is law” blockchain and the value of their holdings will increase finally allowing them to profit. It’s a long term hedge.

A contentious hard fork outcome is so hard to predict, they’re quite a lot like an election. There are certain indicators, but until it happens there’s always the possibility of a surprise. In reality nobody knows what will happen, but they are not the end of the world, and they are rather exciting.

Understanding Bitcoin: what’s the difference between hard and soft forks?

It occurred to me at the Bristol Bitcoin meetup the other week that forks are one of the concepts of cryptocurrency that can be a source of confusion, so I thought I’d have a go at explaining the basics. It is a particularly interesting time for forks as the Ethereum network looks set to go through the uncharted process of a contentious hard fork, but more on that another time.

What is a fork?

Bitcoin and other cryptocurrencies are distributed networks.

What’s incredible about them is that they operate on thousands of different machines with nobody in charge, but are still able to reach a consensus.

Bitcoin is basically a giant list of transactions – every transaction that has ever taken place on the network in fact. Every 10 minutes, all the transactions from the previous 10 minutes are collected together into a block, and then this block is added to the end of the chain of all the other blocks which contain all the previous transactions – the blockchain.

There are two roles involved in distributing the network, miners and nodes. Nodes basically just connect to the network and share blocks and transactions with other nodes. Miners have the additional responsibility of creating blocks, and are rewarded with new Bitcoins for doing so. (For an explanation on how the network decides which miner will create the next block, see my article on proof of work.)

In order for all the machines to work together, they have to operate according to a strict series of rules. This particular group of rules together are known as the protocol.

An example rule of the Bitcoin protocol is that a block can contain a maximum of 1MB worth of transactions.

Remember, every participant on the network has a copy of exactly the same rules/protocol. If a miner tried to create a block that contained more than 1MB of transactions and then sent that to other nodes, they would simply say nope, that’s not valid – and then they would discard it instead of passing it on so it can propagate around the network. It would be completely pointless to create such a block, a waste of processing power.

Sometimes people believe improvements can be made by changing some of the rules. Some people in the Bitcoin community would like the block size increased from 1MB to 2MB so that the number of transactions can double. This would require a change to the rules of the Bitcoin protocol and could only be achieved through what’s called a hard fork – everyone would have to upgrade their software to the new protocol rules.

There are other changes that can be made that involve the enforcement of new rules, but the changes do not require a change to the protocol that everybody agrees upon. For example, if all the miners said they were going to mine blocks with a maximum size of 0.5MB – everybody on the network would accept these blocks as valid since they fall within the protocol’s 1MB allowance.

If over 51% of miners all agree to a maximum block size of 0.5MB they can force this change upon the entire network without anybody else having to change their software. This is called a soft fork. Every node and miner will accept the blocks as valid and build on top of them.

You might think if 49% of miners were still creating 1MB blocks, surely the blockchain would have some 0.5MB blocks and some 1MB blocks, since they are all technically valid within the protocol and recognised by all participants as legitimate.

It could work like that, but in the case of a soft fork it doesn’t. 51% is the magic number at which point the majority of miners can force all other miners to limit themselves to 0.5MB blocks. Since miners get to choose which blocks they build upon, the 51% of miners could simply ignore any blocks they no longer considered valid within the new rules they have implemented, and so only 0.5MB blocks would ever be included in their blockchain.

Some people argue a soft fork is a confusing term because the network itself doesn’t really fork (split in two), and all software would still follow the same blockchain. It is however a fork in the sense that miners who hadn’t upgraded their software would find themselves building incompatible (forked) blocks, it’s just that those blocks would be ignored and consequently orphaned by other miners and would quickly become irrelevant.

Technically, a soft fork is exactly the same as a 51% attack, and some argue it should be described as such. I think the big distinction is that soft forks generally have a social consensus and are accepted as improvements to the network, while a 51% attack is widely considered to be harmful. An example 51% attack would be to include no transactions (0MB) in any blocks, as is permitted, and cause the network to grind to a halt. In fact, many would argue the example I gave of of lowering the block size to 0.5MB and consequently halving transaction volume is better described as a 51% attack than a soft fork, but it was easier to explain than actual soft forks widely considered improvements such as P2SH and Segregated Witness.

In summary, a soft fork involves a change to the rules that only minors must agree upon and implement, a hard fork involves a change to the protocol that every participant must agree upon and implement.

There are currently over 5,600 Bitcoin nodes, while only 14 different mining pools have found blocks in the last month. This means soft forks are a lot easier to implement, 400x easier in terms of a rather simplistic count of the number of installations that need their software upgraded.

It’s not quite that simple though, consensus is a lot more fuzzy and complicated. In my next article I will talk more about hard forks, which open up a whole new jumble of exciting possibilities and unintended consequences. Stay tuned.

photo credit: Fork via photopin (license)

An objective look at past Bitcoin rallies and what we might expect now

I’ve been following Bitcoin since 2011. The current price rally feels very familiar. ‘Feel’ is not good enough for me, I want to be objective – look at historical trends, develop a hypothesis, and then allow the passage of time to determine its accuracy.

I am not a trader. I view it as gambling and I plan to keep my Bitcoin long term without regard for the price… a classic HODLer. I don’t get excited about fractals and prices, I get excited about BIPs.

Despite this I was curious to objectively look at previous rallies to see if there were any consistent trends, and then to speculate on what these trends would mean if they held true again, which I am not suggesting they will.

I decided to look at the peak of each rally, and then look for measurable points of reference on either side. I found I got useful information looking at the 1 and 2 month points before the peak, as well as a value 4 months after the high to see where the price had settled.

I’ll use the most conservative figures from each rally, and use the lowest recent price from the last month before the current rally began to make a projection – $437 on 19 May.

Here are the previous 3 big rallies:

8 Apr 2011 = $0.75
8 May 2011 = $3.87 (+420%)
8 Jun 2011 = $29.60 (1 mo: +660%) (2 mo: +3850%)
---
8 Oct 2011 = $4.01 (+435% from start, -86% from high)

9 Feb 2013 = $23.65
9 Mar 2013 = $46.85 (+100%)
9 Apr 2013 = $230 (1 mo: +390%) (2 mo: +870%)
---
9 Aug 2013 = $93.36 (+295% from start, -59% from high)

4 Oct 2013 = $121
4 Nov 2013 = $225 (+86%)
4 Dec 2013 = $1147 (1 mo: +410%) (2 mo: +848%)
---
4 Apr 2014 = $449 (+271% from start, -61% from high)

Using the most conservative figure at each stage gives the following projection:

19 May 16 = $437
19 Jun 16 = $812 (+86%)
19 Jul 16 = $3979 (1 mo: +390%) (2 mo: +811%)
---
19 Nov 16 = $1621 (+271% from start, -59% from high)

A lot has changed in the last few years. There is far more interest from China and a lot more liquidity in the markets, but humans are still humans. In the past we’ve gotten carried away by the rising price, created a bubble which then has then burst before the price settles again at a higher than starting level following a correction.

Those numbers look and feel really high now, but so did the previous rallies. I’ll be interested to see whether this pattern plays out again.

Understanding Bitcoin: the childhood game that rules the network

Its a childhood classic, “guess what number I’m thinking of”. Its funny to think, but Bitcoin is basically a computerised version of that game.

In the childhood game, you may play with a friend and state that the number is between 1 and 10: in this case each round of the game won’t last long. How could you make the game longer? Easy, by increasing the difficulty to make them guess a number between 1 and 500.

Let’s say ideally you want a game to last for 10 minutes, and you have 5 players. If each player can make 60 guesses per minute, in 10 minutes each person will make 600 guesses, that’s 3000 between the group. Double this number and you know that for the game to last around 10 minutes, your target difficulty is a number between 1 and 6000.

This simple game has advantages, as long as nobody can know what number you might be thinking of, it is impossible to cheat. The only advantage that can be gained is through guessing more quickly than the other players. The more guesses you can make, the more likely you are to win.

In Bitcoin this game is played is to decide who processes the last 10 minutes worth of transactions. The winner creates a block of transactions, adds it to the blockchain, and is rewarded with (currently) 25 Bitcoins.

By playing a game that is impossible to cheat, it prevents attacks against the network, as anybody who wants to maliciously attack the network would need to be able to make over 50% of the guesses.

In Bitcoin terminology, the number being guessed is called a nonce, and guessing is called hashing. A hash rate is basically a guess rate.

Hashing sounds complicated, but it really isn’t, its just a way to turn any information into an unpredictable sequence of letters and numbers.

As an example, I’ll invent a simple hash method that converts any number into a completely different but unpredictable number.

For my method, you prefix the chosen number with 98765 and then divide the number by 4321. You then multiply the 1st-5th by the 6th-10th digits after the decimal point to get a hash.

This is completely made up, so don’t worry if you don’t follow, but it would produce the following demonstration hashes:
45 = 6660386432
(Method: 9876545/4321 = .7081694052 = 70816 * 94052)
100 = 2955753
(Method: 98765100/4321 = .0006942837 = 00069 * 42837)

This would be a disastrous, collision-ridden hash for Bitcoin, which uses a far superior method called SHA-256 – but it demonstrates the principle that you can turn anything into an unpredictable hash that everyone can independently verify for themselves.

With my hash, as with Bitcoin, I can set a difficulty level. Let’s say I require the first 5 digits of the hash to be ‘11111’ (Bitcoin uses zeroes).

With my method the number 74340 would produce a hash of the target difficulty:
74340 = 111110100
(Method: 9876574340/4321 = .9595001158 = 95950 * 01158)

This cannot be cheated, you can’t predict a number which will produce a hash beginning ‘11111’. You (your machine) simply has to keep guessing until finding one that successfully matches. This is where ‘proof of work’ comes from – finding a matching number proves you have done work and once you’ve guessed correctly you can tell everybody your number and they can check it for themselves.

Back to our kids ‘guess the number’ game there is one common problem: cheating. If your friend guesses correctly but you don’t want to relinquish control you can say ‘wrong’. If you pick a number and tell your friend what to guess – they can secure victory on their first guess. This would have disastrous implications for Bitcoin where the reward is the currency itself.

Hashing solves the problem of who is in charge of deciding the number because there is no number, just a difficulty level – everybody just keeps guessing until they find a hash that satisfies it and they get to broadcast their proof and claim their reward.

The Bitcoin network constantly adjusts its own difficulty level so that on average one correct guess is made (hash is found) every 10 minutes.

The processing power that goes into generating these hashes is mind boggling. A group of researchers tried to estimate the number of grains of sand in the world – every grain of every desert and beach. Their estimate was 7.5 x 1018 grains of sand – seven quintillion, five hundred quadrillion.

Currently the Bitcoin network takes just 6 seconds to make as many guesses as their are grains of sand on earth and only one of those guesses is correct every 10 minutes. That’s one hell of a game.

Craig Wright is a liar and anyone who still believes he is Satoshi is a gullible fool

Forgive the blunt tone of this post, but I wanted to be to the point. Craig Wright has now declared he will not be providing the promised proof that he is Satoshi.

I thought he may try and drag it out a little longer… but the outcome was always going to be the same – failure to provide evidence.
His ruse didn’t play out how he planned. He thought he could gain credibility from a simple confidence trick on Gavin and others and that the community would all hail Caesar and accept a public signature from block 9 as proof. He was naive and/or desperate to think that is how it would play out.

Let us be objective. Craig Wright’s reputation and credibility is mud and could not sink lower. Consequently he has absolutely nothing to gain by failing to provide the proof he claims to possess. The only objective explanation is that he is a fraud.

His only shred of hope now is that a small core of gullible fools will continue to believe in and defend him, don’t. He has made this mess himself, and if he is telling the truth only he has the power to fix it – do not drag your reputation down with his. Even if he somehow did turn out to be Satoshi he is responsible for how this has played out.

The proof that he is a fraud will likely come in the outcome of his investigation by the Australian Tax Office.

On a human side, Craig Wright must be in a pretty desperate place to even try and pull this off, I actually feel bad for him. I hope now that he will face reality and come clean with the full truth, for his own sake and for the family of Dave Kleiman.

The feather in Wright’s cap: demonstrating a signature from block #1 to Gavin Andresen is going to backfire spectacularly and will ultimately prove his downfall

Imagine you’re trying to convince the world you created Bitcoin.

What greater coup than convincing Gavin Andresen of your legitimacy, Satoshi’s chosen successor and the man who arguably knew him better than any other.

So, how would you do it? Well, if you have a private key that the real Satoshi Nakamoto would possess it’s easy. You ask for a message to sign, sign that message, and then send the signature back to be verified. The whole process can be completed from the opposite ends of the world in minutes with 100% certainty.

What would you do if you didn’t have that private key? Well, you might ask someone to fly to London to meet with you and ask them to sign a nondisclosure agreement. That way, if the meeting doesn’t go as you hoped, they’re not allowed to comment on it.

You could then alter the software on a laptop to make it say that an invalid signature is actually valid. You could then stick a factory seal on the box, bring it out, and claim your assistant just bought it brand new from the shop so it could not possibly have been interfered with. You could then demonstrate an invalid key, and then take away the USB pen and laptop so that person had no evidence to check for themselves.

Somehow, that plan worked. The BBC ran with the headline “Craig Wright reveals himself as Satoshi Nakamoto”.

Then, everyone else was confused – where was the evidence?

Craig Wright has a big problem now. He could have tried to claim to be Satoshi Nakamoto but concoct some elaborate excuse for why he was unable to access any private keys that Satoshi would have owned. This would have made an already difficult con even more insurmountable, but would at least give him plausible deniability – nobody could prove his story was false.

The problem is, Craig Wright claims to have demonstrated using a private key from block #1 to Gavin Andresen. That means he can no longer concoct such an excuse as a get out of jail free card. He now must either put up or shut up.

If Craig Wright genuinely signed a message from block #1 for Andresen, then he still has that private key and can prove it in minutes. That he keeps dragging this out is very telling.

Convincing Gavin Andresen he possessed the private key to block #1 once seemed his greatest asset, it has now become his greatest liability.

photo credit: Feather in my cap via photopin (license)

Everything makes sense if David Kleiman was Satoshi Nakamoto. Here’s why

There is so much about Craig Wright’s claim to be Satoshi Nakamoto that does not add up.

It all started back in December when he was ‘outed’. The problem is all the evidence back then pointed to an elaborate fraud, orchestrated by Wright himself.

Why would Craig Wright want people to believe he is Satoshi Nakamoto? Well, he’s under investigation from the Australian Tax authorities who gave his company a $54m tax refund for spending on R&D, spending it looks possible was never was actually spent, since the manufacturer denied ever selling the supercomputer this research was supposed to be carried out on. If he could persuade them he was Satoshi Nakamoto it would certainly help him convince them of his legitimacy, and make it easier to attract additional investment. The motive here is obvious.

David Kleiman was an expert in Computer security. He was paralyzed from the chest down after a motorcycle accident in 1995 and became a reclusive computer forensics obsessive. In late 2010 he was hospitalised where he would remain until discharging himself a few months before his death from MRSA complications in April 2013. He died broke and in squalor.

In December 2015, following the ‘leaked’ documents, Gizomodo ran with the headline “This Australian Says He and His Dead Friend Invented Bitcoin”, and Wired said:

Another leaked email from Wright to computer forensics analyst David Kleiman, a close friend and confidant, just before bitcoin’s January 2009 launch discusses a paper they’d been working on together.

From the leaked documents, it seems the tone was that Kleiman and Wright worked on Bitcoin together.

Fast forward to the BBC interview and Wright says that while there were others involved, he [Wright] “was the main part of it”.

If the leak was the result of a genuine hack on Wright, then the documents that were leaked should be considered more accurate than anything Wright is saying now, since everything he is saying now he will be shaped to serve his own self interest.

If the leak was made by Wright, as seems likely, perhaps the change of tone reflects a change in strategy. Maybe ‘sharing’ credit for somebody else’s work feels more acceptable, but you get to a certain point where you’ve sunk so deep into the deceit and you might as well go all the way.

It gets even more interesting, according to the Gizmodo article Wright made contact with some of Kleiman’s business partners in February 2014 to inform them they’d been working on a project together and that Kleiman had mined an enormous amount of Bitcoins, and he requested they check his old computers for wallet files.

Kleiman’s business partner, Patrick Paige, called to ask for more information and was told by Wright that Kleiman was the creator of Bitcoin, before he later backpedaled and said Bitcoin was invented by a group of people which included Kleiman.

At around this same time, on Feb 12th 2014, Kleiman’s then 92 year old father commented on a Techcrunch article about Bitcoin with the message “Please send information pertaining to David Kleiman’s participation in the development of Bitcoin”. Perhaps this was related to something Kleiman had told his father while still alive, or details of Wright’s phone call being passed on by Paige.

There is good reason to believe Kleiman and Wright knew each other well. Wright posted an emotional tribute to Kleiman on YouTube (since removed) upon learning of his death. It is entirely possible that Wright was a trusted friend and confidante of Kleiman’s, and this might have given him access to information that ‘only Satoshi could have known’ that would have been useful when Craig Wright convinced Gavin Andresen of his legitimacy.

What does not make any sense, if Wright is Satoshi, is for him to create a trust to prevent himself being able to access his own Bitcoins until 2020 – and leave this in the trust of a man in Florida.

Such a trust is detailed in the December 2015 leak and includes bizarre stipulations including that if Wright dies, all the Bitcoins would transfer to his wife, minus a deduction to show the “lies and fraud perpetrated by Adam Westwood of the Australian Tax Office against Dr Wright”. It would be interesting to know when the Australian Tax Office began their investigation. The trust is dated 9th June 2011, and values 1.1 million Bitcoins at $100,000 at a time when their actual value was closer to $30 million. The document is just odd and full of inconsistencies.

What seems more likely is that Kleiman possessed the Bitcoins, and Wright is trying to create a retrospective paper trail to enable him to make a legal claim for ownership of them in the event they ever become accessible. Perhaps Kleiman had made provisions that would enable his family to recover his Bitcoins at some future point in the event of his death, and that he had disclosed details of this to Wright.

Everything makes a lot more sense if David Kleiman was Satoshi Nakamoto and confided in Craig Wright. It explains why Wright would possess enough information to convince some people of his authenticity, but has been unable to provide any verifiable proof that he has access to any of Satoshi’s private keys. Craig Wright has gone to an extraordinary level of effort to convince people he is Satoshi Nakamoto. Given that 1.1 million Bitcoins are currently worth around $500m – it’s not hard to imagine why.

If Craig Wright is Satoshi Nakamoto he could easily verify it cryptographically. The fact he has gone to such lengths without providing this proof suggests he simply doesn’t have it. What’s most likely to happen next? Well, if he’s been involved in Bitcoin since the early days he probably has some early coins – so he’ll probably move them as ‘proof’. Not early enough to be linked to Satoshi, but early enough for him to claim they are and make the circus drag on a little longer.

I believe the fact that he has gone to such lengths to link himself to 1.1 million Bitcoins held by Kleiman suggests he genuinely believes David Kleiman possessed that number of Bitcoins, and that he has a chance of being able to claim them for himself. This adds support to the idea that Kleiman, and possibly the also deceased Hal Finney, really were Satoshi Nakamoto.

It is also notable that Kleiman was hospitalised in late 2010. Gavin Andresen became lead developer of Bitcoin in December 2010 and Satoshi then disappeared.

Whatever is happening is fascinating, it’s a plot worthy of Hollywood. Sadly, this is the real world, and I can’t help but feel sadness for the family of David Kleiman who are possibly about to encounter tremendous invasions of their privacy as a consequence of Craig Wright’s actions.

Keiman was a security expert who practised what he preached. All his data was no doubt encrypted and any evidence of his being Satoshi likely died with him. It is possible this mystery will never be solved.

It is also possible that David Kleiman had nothing to do with Bitcoin at all.

I just know that if he was Satoshi, he seemed a modest man who died a pauper while likely sitting on a trove of millions and avoiding the abundance of recognition he deserved. Craig Wright on the other hand is an egotist who fakes having PhDs and drags out a bizarre media circus to reveal himself as Satoshi without providing simple evidence.

Here’s how Craig Wright probably tricked Gavin Andresen

What an exciting and dramatic day for Bitcoin.

I woke this morning to my girlfriend asking if I had seen the news that “Satoshi Nakamoto had been uncovered as that Craig Wright guy”.

My initial reaction was scepticism, in my mind he was a scammer, definitely not Satoshi. There it was however, on the trusty BBC home page, with the promise of proof. The proof, however, was elusive.

A quick trip to Craig Wright’s blog and I came away more confused. Had he proven he was Satoshi? Then I encountered Gavin Andresen’s blog where he verified that Craig Wright had signed a message of Andreson’s choosing with a private key known to be Satoshi’s – this looked like case closed.

The problem is, as the day progressed, all the other evidence crumbled under scrutiny. The one shred that retained any credibility was Andreson’s account. How could this proof have been faked?

Let’s find out what happened. In his blog Andresen says:

I witnessed the keys signed and then verified on a clean computer that could not have been tampered with

Only a person with a private key can ‘sign’ a message. Once a message is signed, people can use software to check that the signature is genuine and was created by someone in possession of the private key.

With open source software, anybody can download the source code themselves. This makes it incredibly easy to make small modifications to the otherwise identical software.

It would be quite trivial to find the bit of code that verifies whether a signature is valid and then change the word invalid to valid. Depending on the software it could literally be as easy as deleting the proceeding letters IN.

The modified software would then say that every signature tested was valid, regardless of whether it was or not.

This is the reason the “clean computer” is relevant. If I invite you to view my computer where I show you a validation, I could easily have modified the software. If we go to a shop and buy a brand new computer and then download fresh software, that would eliminate this risk.

This is Andresen’s account of what happened in a post on Reddit:

Craig signed a message that I chose (“Gavin’s favorite number is eleven. CSW” if I recall correctly) using the private key from block number 1.

That signature was copied on to a clean usb stick I brought with me to London, and then validated on a brand-new laptop with a freshly downloaded copy of electrum.

I was not allowed to keep the message or laptop (fear it would leak before Official Announcement).

I don’t have an explanation for the funky OpenSSL procedure in his blog post.

As far as we can tell, Andresen bought a new USB stick. This stick was put into Wright’s computer and a file was copied over containing the signature.

This USB stick was then put inside a brand new laptop.

A remote possibility is that Wright’s computer secretly copied files to the USB stick, files which were then transferred to the new laptop and ran behind the scenes to modify the freshly downloaded Electrum software. This seems unlikely though.

All the scenarios involve Wright somehow running a modified version of Electrum, but another remote possibility is that he somehow discovered a bug in the code that allows you to trick the software into displaying a valid message for an invalid signature. Again, this is unlikely.

Let’s look for more clues, this time from a Wired article:

Andresen says an administrative assistant working with Wright left to buy a computer from a nearby store, and returned with what Andresen describes as a Windows laptop in a “factory-sealed” box. They installed the Bitcoin software Electrum on that machine. For their test, Andresen chose the message “Gavin’s favorite number is eleven.” Wright added his initials, “CSW,” and signed the message on his own computer. Then he put the signed message on a USB stick belonging to Andresen and they transferred it to the new laptop, where Andresen checked the signature.

At first, the Electrum software’s verification of the signature mysteriously failed. But then Andresen noticed that they’d accidentally left off Wright’s initials from the message they were testing, and checked again: The signature was valid.

“It’s certainly possible I was bamboozled,” Andresen says. “I could spin stories of how they hacked the hotel Wi-fi so that the insecure connection gave us a bad version of the software. But that just seems incredibly unlikely. It seems the simpler explanation is that this person is Satoshi.”

There’s a bit of a smoking gun here. A factory seal doesn’t prove something hasn’t been tampered with any more than writing ‘this is genuine’ on a CD makes it genuine. Instead of buying a laptop himself, he allowed one of Wright’s representatives to source the laptop. This means the laptop can no longer be considered ‘clean’. It could have been preloaded with modified software, either to trick the computer into downloading a modified version of Electrum, or by modifying a legitimately downloaded version of Electrum during or after installation.

As Andresen mentions himself, it is also possible the Wifi connection was compromised to point to a different download location, in which case even an clean computer could be compromised.

Either way, a major weakness of Andresen’s is that it sounds like he already was convinced of Wright’s story before he arrived and was the victim of a confidence trick. This means he may have let his guard down in permitting one of Wright’s associates to source the ‘clean’ machine, or in his verification of the legitimacy of the software installed. It is possible to verify a software has not been modified by checking the MD5 checksum, it would be interesting to know if Andresen performed this test. It is also very suspect that Wright insisted on keeping the laptop and USB stick without a compelling reason after the demonstration as that would have allowed Andresen to verify the test.

There are other possibilities too. Andresen may have not witnessed any of this and may be in on the scam, or acting under duress. Another unlikely possibility is that Craig Wright is Satoshi Nakamoto.

As Gavin Andresen says himself, the simpler explanation is often the most likely, and in this case it seems most likely he was bamboozled by a world class con artist.