ezyang’s blog

the arc of software bends towards understanding

Bitcoin is not decentralized

Bitcoin was designed by Satoshi Nakamoto, and the primary client is developed by a bunch of folks at bitcoin.org. Do you care who these people are? In theory, you shouldn’t: all they do is develop an open source client for an open source protocol. Anyone else can develop their own client (and some people have) and no one, save the agreement of everyone in the Bitcoin network, can change the protocol. This is because the Bitcoin network is designed to be decentralized.

If you believe in the long term viability of Bitcoin, you should care who these people are. While Bitcoin itself is decentralized, the transition from Bitcoin to a new currency cannot be. This transition is guaranteed by the fact that all cryptosystems eventually become obsolete. Who will decide how this new currency is structured? Likely the original creators of Bitcoin, and if you have significant holdings in Bitcoin, you should care who these people are.

The following essay will flesh out this argument more carefully, as follows:

  1. Cryptosystems, including cryptographic hashes, must be used with the understanding that they must eventually be replaced. One might argue that “If Bitcoin’s cryptography is broken, the rest of the financial industry is in trouble too”—we explain why this is irrelevant for Bitcoin. We also see why it’s reasonable to expect Bitcoin, if it becomes a serious currency, to stick around a long enough timespan for this obsolescence to occur.
  2. There are several rough transition plans circulating the Bitcoin community. We describe the most common decentralized and the most common centralized variant, and explain why the decentralized variant cannot work in a non-disruptive manner, appealing both to economics and existing markets which have similar properties.
  3. We more carefully examine the implications of these decentralized and centralized transitions, and assess the risk of the transition, in comparison to the other risks facing Bitcoin as a fledgling currency. We suggest that, while the transition of Bitcoin is not a central concern, the idea of naive decentralization is a myth that needs to be dispelled.

I’ve divided the essay into sections so that readers who are interested in specific parts of the argument can jump straight to them. Feel free to skip around.

The cryptosystem time bomb

“All cryptosystems eventually become obsolete.” Compared to currency, cryptographic hashes are a relatively recent invention, dating only as far back as the 1970s. MD5 was invented in 1991, and it only took about a decade and a half to thoroughly break it. For computer programmers, the shifting landscape of cryptography is a given, and systems are designed with this in mind. Consider, for example, SSL certificates, which are used to secure many transactions on the Internet, including financial transactions. These need to be renewed every few years, and as new certificates are issued, their level of protection can be increased, to use newer ciphers or longer key sizes. Most current uses of cryptography follow this pattern: the ciphers and keys can be replaced with relative ease.

Bitcoin, however, is special. The way it achieves decentralization is by embedding all of its relevant technical details in the protocol. Among these is the hashing algorithm, SHA-256. It is literally impossible to “change” the hashing algorithm in Bitcoin; any change would constitute a change in the protocol, and thus result in a completely new currency. Don’t believe anyone who tells you otherwise. The argument “If Bitcoin’s cryptography is broken, the rest of the financial industry is in trouble too” is irrelevant, because other financial institutions have central control of the ciphers they use and can easily change them: Bitcoin cannot. And due to the possibility of weaknesses in SHA-1 spilling into the SHA-2 family (of which SHA-256 is a member), a competition for SHA-3 is already being held.

Will Bitcoin last long enough for fraudulent transactions to become practical? It may not (after all, there are many other possible problems with the currency that may kill it off before it ever gets to this stage). However, if it does become established, you can expect it to be a hardy little bastard. Currencies stick around for a long time.

Decentralized and centralized currency transition

The Bitcoin community has realized the fact that a transition will become necessary, and though the general sense is that of, “We’ll figure it out when we get there,” there have been some vague proposals floated around. At the risk of constructing strawmen, I would like to now present my perception of the two most popularly voiced plans. First, the decentralized plan:

Because cryptosystems don’t break overnight, once the concern about SHA-256 becomes sufficiently high we will create a new version of Bitcoin that uses a stronger cryptographic hash. We will then let the market decide an exchange rate between these two currencies, and let people move from one to the other.

This is decentralized because anyone can propose a new currency: the market will decide which one will win out in the end. It also cannot possibly work in a nondisruptive manner, for the simple reason that anyone seeking to exchange the old Bitcoin for the new one will have to find a willing buyer, and at some point, hyperinflation will ensure that there are no willing buyers. All existing Bitcoins will then be worthless.

At this point, we’ll take a short detour into the mooncake black market, a fascinating “currency” in China that has many similar properties to an obsolescing Bitcoin. The premise behind this market is that, while giving cash bribes is illegal, giving moon cake vouchers is not. Thus, someone looking to bribe someone can simply “gift” them a moon cake voucher, which is then sold on the black market to be converted back into cash.

Those partaking in the moon cake black market must be careful, because once the Autumn Festival arrives, all of these vouchers must be exchanged for moon cakes or become worthless. As the date arrives, you see an increasingly frenzied game of hot potato for the increasingly devalued vouchers. The losers? They end up with lots of moon cakes. There is of course one critical difference, which is that the losers of the Bitcoin game are left with nothing at all.

Is this a transition? Yes. Is it disruptive? Definitely yes. It is certainly not what you want a currency you’re using for everyday transactions to be doing. Of course, this may be an acceptable risk for some industries, and we’ll analyze this more in the last section.

Here is the centralized plan:

Once the concern for the hashing algorithm is high enough, we will create a new Bitcoin protocol. This protocol will not only include a new hashing algorithm, but also be based on the state of the old Bitcoin economy at some date: at that point, all newer transactions are invalid in the new Bitcoin scheme, and that snapshot is used to determine the amount of Bitcoins everyone has.

There is a variant, which deals with the case where active attacks are already being carried out against the hashing algorithm before the switch has happened. It involves marking specific block chains as known good, and zeroing out suspected fraudulent transactions.

Is this plan really centralized? Yes: someone needs to design the new protocol, to convince all the clients to buy into it, and to uniformly switch over to the new economy when the day arrives. The fragmentation of the Bitcoin economy would be extremely disruptive and not in the best interests of any of the main players. Any other changes to the Bitcoin protocol (and at this point, there probably would be many proposals) could have massive implications for the Bitcoin economy.
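To make the point concrete, here is a toy chain (an added example, not code from the post) in which the hash function is a fixed protocol parameter, as SHA-256 is in Bitcoin: a client validates blocks only under its own protocol's hash, so a block produced with any other hash is rejected outright, and the snapshot plan above is simply a new chain whose genesis block commits to the old balances at a chosen height. The JSON block layout, account names and amounts are constructed for illustration.

```python
import hashlib
import json

SENTINEL = "0" * 64  # "previous hash" of a genesis block (constructed convention)
GENESIS = {"alice": 50, "bob": 0}  # constructed sample initial allocation

def block_hash(body, hash_fn):
    """Hash of a block body; hash_fn is fixed by the protocol, like SHA-256 in Bitcoin."""
    return hash_fn(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_block(prev_hash, txs, hash_fn, snapshot=None):
    body = {"prev": prev_hash, "txs": txs}
    if snapshot is not None:  # only a fork's genesis block carries a balance snapshot
        body["snapshot"] = snapshot
    return {"body": body, "hash": block_hash(body, hash_fn)}

def valid_chain(chain, hash_fn):
    """A client accepts a chain only if every block hashes correctly under ITS hash."""
    prev = SENTINEL
    for block in chain:
        if block["body"]["prev"] != prev or block["hash"] != block_hash(block["body"], hash_fn):
            return False
        prev = block["hash"]
    return True

def balances(chain, initial):
    bal = dict(initial)
    for block in chain:
        for sender, receiver, amount in block["body"]["txs"]:
            bal[sender] = bal.get(sender, 0) - amount
            bal[receiver] = bal.get(receiver, 0) + amount
    return bal

def snapshot_fork(old_chain, initial, height, new_hash_fn):
    """The centralized plan: freeze balances at `height`, drop everything after it,
    and start a new chain (new hash) whose genesis commits to that snapshot."""
    snap = balances(old_chain[:height], initial)
    return snap, [make_block(SENTINEL, [], new_hash_fn, snapshot=snap)]

def demo():
    old = [make_block(SENTINEL, [("alice", "bob", 10)], hashlib.sha256)]
    old.append(make_block(old[-1]["hash"], [("bob", "alice", 5)], hashlib.sha256))
    # A block built with a different hash is a protocol change: old clients reject it.
    foreign = old + [make_block(old[-1]["hash"], [], hashlib.sha3_256)]
    old_accepts_foreign = valid_chain(foreign, hashlib.sha256)
    # A transfer after the snapshot height exists on the old chain but not on the new one.
    old.append(make_block(old[-1]["hash"], [("alice", "bob", 40)], hashlib.sha256))
    snap, new = snapshot_fork(old, GENESIS, height=2, new_hash_fn=hashlib.sha3_256)
    return snap, old_accepts_foreign, valid_chain(new, hashlib.sha3_256), valid_chain(new, hashlib.sha256)

if __name__ == "__main__":
    print(demo())
```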

Implications and risk

Here, we assess the question, “Do I really care?” In the short term, no. Bitcoin has many, many weaknesses that it will be tested against. Though I personally hope it will succeed (it is certainly a grand experiment that has never been carried out before), my assessment is that its chances are not good. Worrying excessively about the transition is not a good use of time.

However, this does not mean that it is not an important fact to remember. The future of Bitcoin depends on those who will design its successor. If you are investing substantially in Bitcoin, you should at the very least be thinking about who has the keys to the next kingdom. A more immediate issue is the implications of a Bitcoin client monoculture (one could push out an update that tweaks the protocol for nefarious purposes). Those using Bitcoin should diversify their clients as soon as possible. You should be extremely skeptical of updates which give other people the ability to flip your client from one version of the protocol to another. Preserve the immutability of the protocol as much as possible, for without it, Bitcoin is not decentralized at all.

Thanks to Nelson Elhage, Kevin Riggle, Shae Erisson and Russell O’Connor for reading and commenting on drafts of this essay.

Update. Off-topic comments will be ruthlessly moderated. You have been warned.

Update two. One possible third succession plan that has surfaced over discussion at Hacker News and Reddit is the decentralized bootstrapped currency. Essentially, multiple currencies compete for buy-in and adoption, but unlike the case of two completely separate currencies separated only by an exchange rate, these currencies are somehow pegged to the old Bitcoin currency (perhaps they reject all Bitcoin transactions after some date, or they require some destructive operation in order to convert an old Bitcoin into a new one—the latter may have security vulnerabilities.) I have not analyzed the economic situation in such a case, and I encourage someone else to take it up. My hunch is that it will still be disruptive; perhaps even more so, due to the artificial pegging of the currency.

64 Responses to “Bitcoin is not decentralized”

  1. […] were stolen a few days ago. Meanwhile, the virtual currency’s long-term stability has been seriously questioned … but does it really make any sense to think about any “long term” at all for […]

  2. […] Institute of Technology student Edward Yang recently published an online analysis claiming that bitcoin isn’t actually decentralized. Malware designed to raid bitcoin wallets has reared its opportunistic head. In March, someone […]

  3. Dave says:

    Uh, doesn’t anyone understand the current banking system? Currency is already issued digitally by the Federal Reserve; they announced this during the bailout crisis. Under U.S. laws anyone who undermines the value of the dollar is guilty of a federal crime. In addition to that, any form of transaction that results in income to one or both recipients not reported to the I.R.S. is in itself a crime and in violation of federal law. Any party who knowingly or unknowingly aids or abets transactions that involve illegal activity or unreported income is in violation of federal law, and minimum sentencing is ten years per charge and up to 20 per offense. It does not matter what you think or what you call it; I personally know someone serving 14 years for money laundering for accepting, via PayPal, money in exchange for stolen property. The feds don’t care what you think you’re doing or how popular this service is; it is all illegal if money is involved at any point in the exchange. Bitcoin will go down in flames and be forced to identify every user or face long prison terms. TOR was created by U.S. Naval intelligence; you are playing with fire and don’t even realize it.

  4. i.mars says:

    If it’s impossible to change the hasher then why is the encryption system pluggable?
    Just saying.

  5. Peter says:

    @Dave: NEWS FLASH: The world is wider than US I.R.S. policy. Besides, money makes the world go round. And money nowadays moves faster than politics ;)

  6. X-Factor says:

    You say the protocol can’t change encryption. This is simply not true.

    Take Namecoin, a slightly modified client and chain for decentralized DNS, which recently did change its protocol in order to merge with the current mining pools.

    All that is required is a change to the client and picking a starting block; all blocks after that are no longer valid in the old client. That is all that happens. There is nothing preventing a change of encryption.

  7. Eric Olson says:

    I have read that you could send coins to an impossible-to-have address. You could use the information from that transaction to create coins on the new system, ensuring a specific and static rate of conversion. I imagine a client that supports both networks could be built to allow people to convert their coins on their own.

  8. […] an interesting thought piece which goes in to more detail here, but the long and short of it is: Bitcoin cannot automatically alter its own security, but its […]

  9. […] a partially decentralized currency that allows buying and selling without bank or government oversight, using strong […]

  10. Hard Fork says:

    I know I’m trudging up ancient history here, but this simply isn’t true. Aside from the misidentification of the importance of SHA-256 (which you acknowledged in another article), this situation is *trivially* handled by a hard fork. The basic process would be: a Bitcoin Improvement Proposal (BIP) would be created, and clients would accept a new *block*-level protocol, using a different proof-of-work. Eventually, once the network was sufficiently populated with these new clients (the majority of nodes on the network *will* be Bitcoin stakeholders, so it is in their best interest to use a new client which supports the new proof-of-work), the new protocol would take effect starting at a certain predetermined block number. This of course assumes that the SHA-256 vulnerability isn’t a zero-day, but that’s a pretty safe assumption.

    Namecoin successfully used this method to fix a critical flaw. Of course a network as large as Bitcoin would need far more time to allow sufficient propagation of compliant clients, but it would be *fine*.

  11. Forks are easy says:

    @Hard Fork: Honestly, even if there’s a zero-day exploit that kills Bitcoin’s encryption, they’d just hard fork a couple of blocks before it.

    At this point, this article is very out of date and is essentially proven entirely incorrect. Ethereum has hard forked successfully three times to date, with pre-fork chains being reduced to worthlessness and post-fork chains maintaining value. This can be done arbitrarily many times. It’s still decentralized because pre-fork vs. post-fork value ratios are determined by how much the public agrees with the change. If it’s a stupid fork, it has no value. If it’s a good one, it moves along smoothly. No power is with Ethereum itself, and their forks have been successful because they check public opinion before forking.

    On a business level, with any cryptocurrency there is a function P(b) which is the probability of a transaction holding if it is b blocks behind the head of the chain. The frequency of hard forks decreases the P value for a given b, but the fact is any business can take this into account and simply wait for P to be acceptable (say, 99% for small transactions, and 99.999% for large ones). P is never 100% anyway, so changing the P function doesn’t inherently change the basis of a cryptocurrency. It only means businesses must wait a couple more blocks before they feel safe (and reversals are taken into account in a way that mirrors how gas prices are a bit higher for those who use credit cards).
