by aazaa 2359 days ago
The trouble with this article is that the author doesn't seem to know what Bitcoin is for.

Notice the vague treatment of actual cryptocurrency applications. There are lots of predictions about startup activity, "flippenings" and venture capital, but little about the goods and services customers will actually be buying, or what specifically startups will be building.

It's this kind of thinking that leads people into the dark thicket that is "tokens": digital instruments bought and sold largely for speculative purposes. It's understandable. The ability to print money is a fantasy of many people from a young age.

The last two years have seen a solid refutation of this notion. Almost every token has lost value against Bitcoin. It seems reasonable to conclude that the carnage will continue.

So the money printing press ship has sailed. It's going to come as a shock for many people (some with economics degrees), but bootstrapping censorship-resistant money is a one-time deal. Any attempt to profit from the undertaking harms the credibility of the founders. Only the genuine scammers are left to continue the exercise.

Here's a vision for the future of Bitcoin. Bitcoin will extend its role as a refuge from the growing foreign and domestic militarization of money. It will become an indispensable weapon against civil asset forfeiture, international sanctions, deplatforming, and mass surveillance.

That's your application for Bitcoin in the '20s. And it's a doozy. It places Bitcoin on the side of personal freedom and on a collision course with some of the world's biggest governments, including the US. There will be many attempts to "ban" Bitcoin.

Startups will play a marginal role at best because their ultimate aim of monopolization flies in the face of what Bitcoin was designed to do.


>censorship-resistant money

It's not, the majority of hash power is in China. That means the Chinese government could start censoring bitcoin transactions in a week if they wanted to - by orphaning non-compliant blocks. Regardless of anything else, this centralization alone makes bitcoin a failed experiment.

https://cointelegraph.com/news/study-chinas-btc-miners-contr...

Well, first, "censorship-resistant" doesn't imply "censorship-proof".

Second, I don't think we can conclude what would happen if China tried to censor.

China certainly has 51% attack capability against Bitcoin, but the only implication of that which is clear to me is that they could potentially execute double-spends. Using 51% attack capability to orphan transactions is different.

With a double spend, there's two transactions, both signed with the same key, and no way to determine which is valid (which came first). There's no source of truth for that information.

With an orphaned block, there's only one transaction signed with the key, so you have a single source of truth. You know the transaction exists, and at some point (i.e. after a certain number of blocks), if the transaction isn't included in the chain, you can conclude with reasonable certainty that the transaction is being intentionally orphaned. This allows you to reject the chain that doesn't include the transaction as invalid, and choose the longest chain that does include it. We already don't blindly follow the longest chain: for example, blocks that are improperly formatted are already rejected.

Of course, having different criteria for what is considered a valid block would cause a fork in the currency. There would be the Chinese censored branch and the uncensored branch everyone else is using. But for a lot of reasons, I think people would be unwilling to trade as much traditional currency for the Chinese censored currency as they would for uncensored Bitcoin.

>There would be the Chinese censored branch and the uncensored branch everyone else is using

Every fork is vulnerable to the same attack, which is why such a switch doesn't make sense. There's no way to prevent Chinese miners from mining on the "Western" bitcoin if it's the more profitable option. The censorship can be easily made reactive: first, all Chinese miners have to register and report their hash power. If the total hash power for any specific network is below X (eg. 65%) they don't have to censor. The moment they do, they start orphaning blocks that don't comply with the Chinese law. Note it also increases their profits!

The same forces (lots of cheap electricity) that resulted in the concentration of sha256 hashing in China also work for any other PoW; switching to a GPU-based PoW would at best only prolong the inevitable. Most likely GPU PoW is also China-dominated.

Proof of work has infinite economies of scale and the winner can take all property. The second property makes it profitable for the majority of hash power to cartelize and exclude others. If the cartel was smartly set by the Chinese government - allowing access to all Chinese miners and making it illegal to create smaller cartels - everyone in China would join and after a while it would be enough to mine with only ~20% of the available hash power. That's a 5x increase in revenue per watt hour!

Why? Initially, Chinese miners can mine with >65% of global power, excluding competitors. They do it until everyone else goes bankrupt, giving them 100%. Then, each individual miner can start mining with only 20% of their total power. To prevent fraud, it's enough to make everyone mine with 100% for one hour every week, all at once, to prove their total individual hash power. If some foolish foreign competitor arrives with more than 20% of the Chinese hash power, every Chinese miner turns everything on. This monopoly would be almost impossible to defeat.

However, even if you assume someone defeats it somehow - the only way to defeat it is to have an even bigger centralized entity! All that happened is a new monopoly, not decentralization.

All of this means bitcoin can never become "refuge from the growing foreign and domestic militarization of money. [..] an indispensable weapon against civil asset forfeiture, international sanctions, deplatforming, and mass surveillance" to any noticeable degree. It's currently left alone only because it's irrelevant except as a speculative toy.

Reusing the same attack would just result in a never-ending series of offshoots from the "western" chain. If anything that would guarantee that the uncensored chain stays dominant, as all of the forks would be quickly abandoned for the next

You can't expect people to fork every week to a new network. This is at best a one time deal, and if it doesn't work, that's it.

People wouldn't do it manually--the entire point is to automate it.

But you corrected your assumption in the other comment thread, so I'll continue the conversation there.

> Every fork is vulnerable to the same attack, which is why such a switch doesn't make sense.

No, it wouldn't. I don't think you're understanding the solution I'm proposing. There isn't an amount of computing power that allows you to submit invalid blocks.

I assumed you meant manually. This method isn't possible to automate under PoW, because any such actions require global time, but PoW is what provides time itself, creating a contradiction. What this means in practice is network splits.

>you know the transaction exists, and at some point (i.e. after a certain number of blocks), if the transaction isn't included in the chain, you can conclude with reasonable certainty that the transaction is being intentionally orphaned. This allows you to reject the chain that doesn't include the transaction as invalid

as what would happen is nodes that were online and observed the situation would follow one chain, but everyone else that joins later wouldn't be able to confirm that censorship actually happened, and follow another. If you have a solution that solves it, you solved the fundamental problem - absolute order - some other way and PoW becomes completely superfluous.

Then there's a problem of: what happens when there are contradictory transactions on two different chains at once? How do you decide which one is valid? This gets complex very fast.

If you want to try tackling the censorship issue in an automated way, you have to move away from PoW to a more typical consensus algorithm with online identities. In the simplest case, if all (ever - no new ones) network participants are online all the time, the problem becomes trivial and something close to your solution would work.

EDIT: Everywhere I say that we wait 5 blocks/confirmations, that's just a number I picked. I think you could conservatively use fewer confirmations, but there's a bunch of network analysis you'd have to do to calculate the probability of a transaction not being included in N sequential blocks simply due to network instability. I didn't do that network analysis, so you might need more or fewer confirmations to be reasonably sure that censorship is occurring and not just network instability.

> I assumed you meant manually. This method isn't possible to automate under PoW, because any such actions require global time, but PoW is what provides time itself, creating a contradiction. What this means in practice is network splits.

I don't think you need global time to do this. More on this later in this post.

> as what would happen is nodes that were online and observed the situation would follow one chain, but everyone else that joins later wouldn't be able to confirm that censorship actually happened, and follow another. If you have a solution that solves it, you solved the fundamental problem - absolute order - some other way and PoW becomes completely superfluous.

This situation resolves itself naturally via the mechanism I proposed.

Let's follow the scenario you propose and see how it resolves. The following events happen in this order:

1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.

2. A transaction from that address is broadcasted.

3. Chinese miners mine 5 blocks that don't contain the transaction. Nodes which have been on the network the whole time notice the censored transaction, and go to the next-longest chain, creating a fork.

4. A new node joins the network. From the new node's perspective, there are two chains, but the Chinese one is longer so you go with that. However, you still have the signed transactions from the shorter chain, and your node notices that the Chinese chain doesn't contain some of those transactions. At the time of joining, as far as you know, that transaction simply hasn't been included in the longest chain yet.

5. Chinese miners mine 5 more blocks that don't contain the transaction. The newly-added node now notices the censored transaction, rendering the current chain invalid, and goes to the longest valid chain, which is the one everyone else was on. Consistency achieved.

The implication of this solution is that when you join the network, you now have to wait for 5 confirmations to ensure none of the transactions you have are being censored in the longest chain (i.e. it takes 5 confirmations to know that the longest chain is valid). Which is certainly an important implication!

Note that absolute order doesn't matter here. We don't have to know the order of the transaction, only that it has existed for some number of blocks without being included in the chain.

> Then there's a problem of: what happens when there are contradictory transactions on two different chains at once? How do you decide which one is valid? This gets complex very fast.

The way you've worded it, that's not really all that complex--that's the same as a double spend, and it's resolved the same way any other contradictory transaction is resolved: follow the longest (valid) chain (where part of the definition of "valid" is "containing all transactions I've had for 5 confirmations").

However, I think you might have left out part of what you meant here, so I'll try to explain what I think you're hinting at. There's a sophisticated way for China to hide their attack. It works like this:

1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.

2. A transaction from that address is broadcasted. We'll call this the censored transaction.

3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.

4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.

5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.

6. 4 more blocks are mined on the censored chain.

7. A new node joins the network.

8. At this point, the censored branch doesn't include the red herring transaction, and the red herring branch doesn't include the censored transaction. So our previous resolution strategy doesn't work, because we don't know whether it's the red herring transaction or the censored transaction that's being censored.

First, I want to say, this is a really sophisticated attack and I want to congratulate you for coming up with it.

Second, I think this problem can be solved by sweeping up ALL the transactions in EVERY block you receive, even if they are in blocks which haven't been confirmed, and treat them as if they were broadcast to you on the network. This way, the red herring transaction gets included into the censored branch. This gives us a new resolution:

1. The Chinese government decides to censor transactions from a certain address, refusing to accept blocks which include transactions from that address.

2. A transaction from that address is broadcasted. We'll call this the censored transaction.

3. Non-Chinese miners mine a block that includes the censored transaction. This becomes the root of what we'll call the censored branch.

4. Chinese miners ignore the mined block that includes the censored transaction, and mine a block which doesn't contain the transaction. This block becomes the root of a branch we'll call the red herring branch. In that block, they include a transaction which they never broadcasted to the network. We'll call this the red herring transaction.

5. Due to superior Chinese mining capability, the red herring chain quickly becomes longer. However, after 5 confirmations, the network notices the censored transaction isn't being included in the red herring chain. So they invalidate the red herring chain and go to the longest valid chain, which is the censored chain.

6. A new block is mined on the censored chain. Since we've swept up all the transactions from the red herring chain, this block includes the red herring transaction.

7. A new node joins the network and assumes the red herring chain is the longest valid chain.

8. After 5 blocks, the new node sees the red herring chain does not contain the censored transaction, invalidates the red herring chain, and goes to the longest valid chain, which is the censored chain. Consistency achieved.
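The resolution walked through above, as an added toy simulation that is not code from the original post. It models the proposed rule (a chain is invalid once a transaction the node has seen has gone N_CONF blocks without being included; among valid chains, follow the longest) plus the sweep of transactions out of every received block, and replays the red herring scenario from a newly joined node's point of view, with and without the honest branch picking up the swept transaction. The block and transaction names, the node's use of the longest known chain height as its clock, and the order in which the new node hears about blocks are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

N_CONF = 5  # the thread's placeholder: blocks a seen tx may go unincluded


@dataclass(frozen=True)
class Block:
    name: str
    parent: Optional["Block"]
    txs: frozenset

    def ancestry(self):
        """Blocks from genesis to this block, inclusive."""
        out, b = [], self
        while b is not None:
            out.append(b)
            b = b.parent
        return out[::-1]

    @property
    def height(self):
        return len(self.ancestry())

    def all_txs(self):
        """Every transaction included anywhere in this chain."""
        return frozenset().union(*(b.txs for b in self.ancestry()))


class Node:
    """A node applying the proposed rule: a chain is invalid once a tx this
    node has seen has gone N_CONF blocks without being included in it;
    among the valid chains, follow the longest."""

    def __init__(self, genesis):
        self.seen = {}                       # tx -> our clock when first seen
        self.tips = {genesis.name: genesis}  # every branch tip we know of

    @property
    def clock(self):
        # Assumption: height of the longest chain we know of, valid or not,
        # is the node's only notion of elapsed time under proof of work.
        return max(t.height for t in self.tips.values())

    def observe_tx(self, tx):
        """Record when we first learned of tx (gossip or sweep)."""
        self.seen.setdefault(tx, self.clock)

    def observe_block(self, block):
        # Sweep: treat every tx in a received block as if it were broadcast
        # to us, even if the block is on a branch we will later reject.
        for tx in block.txs:
            self.observe_tx(tx)
        if block.parent is not None:
            self.tips.pop(block.parent.name, None)
        self.tips[block.name] = block

    def is_valid(self, tip):
        included = tip.all_txs()
        return all(tip.height < seen_at + N_CONF or tx in included
                   for tx, seen_at in self.seen.items())

    def best_tip(self):
        """Longest valid chain, or None if every known chain is invalid."""
        valid = [t for t in self.tips.values() if self.is_valid(t)]
        return max(valid, key=lambda t: t.height) if valid else None


def extend(chain, prefix, start, stop):
    """Append empty blocks prefix<start> .. prefix<stop-1> to chain."""
    for i in range(start, stop):
        chain.append(Block(f"{prefix}{i}", chain[-1], frozenset()))


def red_herring_scenario(miners_sweep):
    """Returns (tip chosen on joining, tip chosen after N_CONF more Chinese
    blocks); the second is None when no known chain is valid any more."""
    genesis = Block("G", None, frozenset())
    # 3. Non-Chinese miners include the censored transaction.
    censored = [Block("C1", genesis, frozenset({"tx_censored"}))]
    # 4-5. Chinese miners build a longer branch that omits it and carries a
    #      transaction that was never broadcast (the red herring).
    red = [Block("R1", genesis, frozenset({"tx_red_herring"}))]
    extend(red, "R", 2, N_CONF + 1)
    # 6. The honest branch grows. If miners swept the red herring branch,
    #    the next block carries the red herring tx; otherwise it never does.
    if miners_sweep:
        censored.append(Block("C2", censored[-1], frozenset({"tx_red_herring"})))
    else:
        extend(censored, "C", 2, N_CONF + 1)
    # 7. A new node joins and hears about the longer red herring branch first.
    node = Node(genesis)
    for b in red + censored:
        node.observe_block(b)
    first = node.best_tip().name
    # 8. Chinese miners keep extending their branch for N_CONF more blocks.
    for i in range(N_CONF + 1, 2 * N_CONF + 1):
        extend(red, "R", i, i + 1)
        node.observe_block(red[-1])
    final = node.best_tip()
    return first, (final.name if final else None)


if __name__ == "__main__":
    print(red_herring_scenario(True))   # ('R5', 'C2'): settles on honest chain
    print(red_herring_scenario(False))  # ('R5', None): no valid chain is left
```

Without the sweep the new node ends with no valid chain at all, which is the step-8 dead end in the first walkthrough; with it, the node first follows the longer red herring branch and then reorganises onto the honest one once the censored transaction has been missing for N_CONF blocks.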

>You know the transaction exists, and at some point (i.e. after a certain number of blocks), if the transaction isn't included in the chain, you can conclude with reasonable certainty that the transaction is being intentionally orphaned. This allows you to reject the chain that doesn't include the transaction as invalid, and choose the longest chain that does include it.

So you are going to reorg after many blocks (enough to be sure a transaction is being censored). This sounds extremely undesirable as it kills finality. Today you can very reasonably be sure that after say, 6 blocks, a transaction is irreversible. That's not the case with this new rule.

It delays finality, but it doesn't kill it. Reorgs are already possible, this is why we currently wait for some number of confirmations (6 last time I checked) to say a transaction is complete. Adding the condition of requiring all transactions you've received to be included in a chain means that you need to wait for more confirmations to reach the same level of confidence that the chain is final, but it doesn't mean finality will never happen.

With a perfect network where everyone receives all transactions immediately, and where transactions are prioritized for inclusion by transaction fee first, and order received second, we can conclude after ONE block whether a transaction with a high enough transaction fee is being excluded. But the network isn't perfect. There's some network analysis to be done here to gather probabilities, but for the sake of simplicity, let's say the network is reliable enough that we can reasonably conclude whether a transaction is being excluded in 5 blocks (I think the number is actually lower, but let's go with 5 to be safe).

So basically, what we're saying here is that if we reject the fifth block that doesn't contain a transaction after we see it, then we're forcing a reorg.

The attack you're describing happens when someone waits for China to start ignoring a transaction, then attempts to use the resulting reorg to execute a double spend.

Last time I checked, the recommendation was to wait for 6 confirmations to prevent double spends, because it would be unreasonable for an attacker to attempt to catch up to the main block chain when the main blockchain has a 6-block head start. But if China forces a reorg after 5 blocks, then the attacker attempting to execute the double spend only needs to catch up 1 block.

Trivially, all this means is that we have to wait for 5+6 = 11 confirmations to achieve the same level of confidence that we got from 6 confirmations when China couldn't force a reorg.

But wait: China actually can't force a reorg that quickly with 100% probability. In order to force this reorg, China has to mine 5 blocks in a row. China only has 66% of hashing power, so the probability of China mining a given block is P=0.66. The chances of China mining N blocks in a row is P=0.66^N. So the probability of China even being able to force this reorg is P=0.66^5=0.13.

That's not nothing, but that's a lot of effort for China to put in just for a 13% chance of delaying a transaction. Given China can't actually censor the transaction, only delay it, why would they spend all those hashing cycles to do this? The incentives don't line up.

Good points, thanks.

Followup question: how does a node coming online know not to trust China's (longer, censoring) chain? It wasn't online to have the transaction in its mempool, so it doesn't know to check for it in the longest chain.

I think it would need to check all candidate blocks with lower heights to see if their chains contain any transactions that aren't in a longer chain.

What happens if I mine off of a very old block and include my own transaction in it, and present it to you... how do you distinguish between what I just did vs the longer chain having censored the transaction this whole time?

> Followup question: how does a node coming online know not to trust China's (longer, censoring) chain? It wasn't online to have the transaction in its mempool, so it doesn't know to check for it in the longest chain.

> I think it would need to check all candidate blocks with lower heights to see if their chains contain any transactions that aren't in a longer chain.

Yes. You wouldn't need to store all these, though, you just sweep them up once you find the transactions included in the longest chain.

> What happens if I mine off of a very old block and include my own transaction in it, and present it to you... how do you distinguish between what I just did vs the longer chain having censored the transaction this whole time?

Broadcast all transactions you have which aren't already in the longest chain to the network, and wait for them to include them.

I'm not 100% sure, but I think transactions get rebroadcast automatically already until they're included.

This is literally the first comment on Hacker News I've seen that seems to actually understand the implications of decentralization. It's apparent to me that many people who are trying to profit on it don't actually understand why decentralization is desirable for some people. It's a foreign concept to many that there are motivations other than financial gain. Many attempts to "innovate" with Bitcoin are constantly trying to do things that are already solved with centralized systems, and end up working around decentralization.

> Startups will play a marginal role at best because their ultimate aim of monopolization flies in the face of what Bitcoin was designed to do.

I'd go further with this and say that decentralization is an active impediment to startups trying to create monopolies in the crypto space.

I think there's still room for development, but it will be hard for it to be motivated by profit. Particularly, a better-executed namecoin could be revolutionary if people started building infrastructure around it (i.e. as usernames, or a DNS replacement).

> It places Bitcoin on the side of personal freedom and on a collision course with some of the world's biggest governments, including the US.

And until and unless you can use it to purchase the goods and services needed for daily life, and the military and police forces needed to secure the supplies lines of those, it will be at best a theoretical form of personal freedom.

Even if Bitcoin doesn't rely on trust, the rest of the functions of human society do.

Not sure I understand how the military is going to stop individuals from exchanging goods within a country, are you suggesting the US/Chinese/Some other military would stop the flow of everyday goods into its own country to prevent Bitcoin transactions?

> Not sure I understand how the military is going to stop individuals from exchanging goods within a country

States stop the exchange of goods within, into, or out of their jurisdiction of types or in manners not sanctioned by the state all the time, it's called “law enforcement”, and either the military or paramilitary police forces or both are often involved in it. It's never airtight, but it doesn't have to be to have a big effect.

If the volume of crypto currency transactions ended up becoming a threat to the functioning of the state (through loss of the power of taxation), then yes.

But anyways, isn't that pretty much the anarcho-capitalist vs statist conflict that cryptocurrencies are ultimately trying to aim us towards?

Yes meaning the military would starve a country to root out crypto users? In that scenario, you're unable to use crypto because no goods exist to buy (meaning dollars are useless as well)?

Sorry if I'm completely misunderstanding your argument, but having trouble reading it in a different way.

> In that scenario, you're unable to use crypto because no goods exist to buy (meaning dollars are useless as well)?

The state will take over the entire supply chain to ensure that it transacts in a currency that it controls, crypto or otherwise.

Without that, the shared physical and legal infrastructure that supply chain depends on would cease to exist, and with it the supply chain.

Individuals, or the small communes that act financially as individuals in the crypto based trading system, would have to trade in the simplest raw materials, and finished products would all have to be made hyper-locally. Otherwise what entity would secure the transit of high value finished goods from supplier to customer?

I understand that it's a vision of the future that many people relish for its "freedom" from the state (but not so much from the local tribe). But universal crypto based transactions are not a drop in replacement for what we have now that keeps everything else the same. They come with their own radically different future-primitive vision for the world.

Taking over the entire supply chain is completely impossible though, black markets will always exist, and not just for simple raw materials.

Another aspect of crypto is the ability to simply leave the oppressor's territory, taking your money with you.

I'm absolutely not saying this is a perfect solution, or that government is powerless in this situation, but it seems hand wavey to say they'll just seize control of every economic transaction. That's a VERY difficult thing to do.

I find it hilarious you think Coinbase CEO Brian Armstrong doesn't "know what Bitcoin is for."

Maybe you don't know what it is for. People that are sane like Mr. Armstrong and Satoshi Nakamoto intended it to be used as a currency. If Satoshi is still alive I'm sure he was quite disappointed when Bitcoin decided to not scale past its blistering 7 transactions per second.

"Bitcoin can already scale much larger than that with existing hardware for a fraction of the cost. It never really hits a scale ceiling." -Satoshi Nakamoto

https://steemit.com/bitcoin/@cryptodailyuk/bitcoin-broke-coi...

He's the chair of a very public company with investors and whatnot.

Inevitably that hamstrings permissible opinions.

Not only that, the purpose of his company is to profit from cryptocurrency in a specific way, whether or not that's the 'right thing' for the space or not.

Their business model basically falls apart, for example, if people stop using fiat currencies and atomic swaps allow trades to happen without a clearing house.

All over this thread you can see waffle about money laundering or whatever else; which Coinbase cannot sidestep because they're forced to interface with banks that will cut them off, governments that don't like it if you don't do what they say, etc.

It doesn't matter what Satoshi said five years ago, it matters what he would say now, given what we've learned about Bitcoin since. His old opinions are less and less informed each year.

Increasing block size utilization has serious tradeoffs for decentralization, privacy and reliability. Each year we learn and understand those tradeoffs better. Pro block-size increase people never seem to directly address them though, just talk around them and imply they don't matter. They do matter, a great deal.

I don't think Satoshi's opinion would be any different now. Decentralization as a primary goal and maximizing it at all costs is a narrative that grew after he left. It was originally a means to an end and things just needed to be decentralized enough to be resilient. Relevant Satoshi quote:

The current system where every user is a network node is not the intended configuration for large scale. That would be like every Usenet user runs their own NNTP server. The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms. The rest will be client nodes that only do transactions and don't generate. https://bitcointalk.org/index.php?topic=532.msg6306#msg6306

The problem with that quote is that if "the rest" of the client nodes also can't validate, then Bitcoin is centralized and completely pointless. Mining is already effectively centralized, the only check and balance against collusion of miners is a robust and engaged community of users running full nodes.

The client nodes have to validate in addition to only doing transactions. Satoshi doesn't say that in his comment. But the faster the block size growth, the faster it gets to "every Usenet user runs their own NNTP server", and the fewer and fewer run full validating nodes.

His comment is self-contradictory.

What you meant to say is the propaganda has tried, and quite successfully, to make his opinions seem less informed each year.

It's funny you say that pro block-size increase people don't understand the decentralization, privacy and reliability trade-off, while the people against a block-size increase have never defined or quantified these trade-offs. And very often they also have the notion that "everyone must run a full node" that implies they don't have a good understanding of Bitcoin at all.

It’s a complex socio-economic-technical system, which probably can’t be perfectly quantified. Same as with the weather or the larger economy. We can understand it to some degree, but lack of perfectly predictive models does not invalidate these concerns, as you imply.

“Everyone must run a full node” is aspirational but not realistic. It’s nevertheless extremely valuable to continue working on ways of reducing the expense of running full nodes. MimbleWimble, Coda and others are doing a good job of exploring that problem space, as are some projects in Bitcoin that may take longer to deploy.

When HN first started discussing Bitcoin almost a decade ago, the main objection of the smartest skeptics here was the obvious one that a distributed database where all the data is replicated across every node and which grows infinitely is likely not viable. They were right then and right now, it’s a hard problem and arguably the main existential risk to Bitcoin.

Throwing caution to the wind so Bitcoin can have fast payments Now at the expense of failing at sound money later is short-sighted and irresponsible.

> It’s nevertheless extremely valuable to continue working on ways of reducing the expense of running full nodes.

And nobody will claim otherwise. But there's always a trade-off, and focusing only on reducing the expense is severely misguided.

> Throwing caution to wind so Bitcoin can have fast payments Now at the expense of failing at sound money later is short-sighted and irresponsible.

The funny thing is, the inaction of the Bitcoin devs has made it fail at one of the core features of money. You cannot consider it to be acceptable, as fees are so expensive they price out a lot of people. Money should be easy to move around, and you should be able to buy large and small things with it.

Yet this is somehow preferable, because doing otherwise would make Bitcoin "fail at sound money", whatever that means.

>And nobody will claim otherwise. But there's always a trade-off, and focusing only on reducing the expense is severely misguided.

That's conventional wisdom and applicable in lots of other places, but not in cryptosystem design. People have to accept that cryptosystems in general and cryptocurrency in particular are a different domain from most other software engineering they're used to.

Any single error or bug can result in the complete compromise and failure of the entire system. The old rules of calculating acceptability of risk and errors based on whether they enable more value creation than they put at risk, no longer apply, because any/every error can result in total loss.

I believe different world views on this issue is one of the root causes of the schism in Bitcoin.

>The funny thing is, the inaction of the Bitcoin devs have made it fail at one of the core features of money. You cannot consider it to be acceptable, as fees are so expensive they price out a lot of people. Money should be easy to move around, and you should be able to buy large and small things with it.

That's a "nice to have" for sure, but not at the risk of a Global Financial Crisis style event happening to Bitcoin itself. The prudence of the Bitcoin devs has made it succeed at avoiding that so far.

>Yet this is somehow preferable, because doing otherwise would make Bitcoin "fail at sound money", whatever that means.

There's no need to be confused about that term, it has a simple, clear and easy to understand meaning. Sound money is money whose supply and value is both transparent and un-manipulatable.

When you choose to store savings in that currency, you know how it works, and you know it can't be changed in the future (to either your detriment or benefit). Sound money is a social contract that can't be broken or reneged.

By way of counter-example, in the GFC, the US Fed pumped up the money supply to prevent the failure of the banking system, risking devaluation of dollar-based savings and hyperinflation to the detriment of everyone else.

For another counter-example, the US Govt's inability to control its deficit and debt may one day result in it having to monetize the debt (print more dollars to pay for it), devaluing the dollar and dollar-based savings, and harming global confidence in the dollar as a reserve asset.

Cryptocurrency as sound money is a hedge against that, and that's the ultimate killer app. But if you lose enough decentralization, you lose this characteristic of it. Then it's worthless, regardless of how good a payment system it makes.

And it will never be better than Paypal and other centralized payment services at merely transferring money quickly and cheaply, so if it has no other value proposition like sound money then it's worthless.

Do you have any recommended links/reading on this? (better understanding on the tradeoffs)

To be fair, Brian is a businessman who saw an opportunity in spending time and money to navigate the regulatory morass required for fiat access in the US.

This entire model does not sit comfortably with a permissionless, even anarchic construction like Bitcoin. Partially because it puts you in constant conflict with regulators whose relationship is your business. Secondly because if Bitcoin becomes a major currency in its own right, your role as an onramp is no longer necessary, or at least far more competitive.

And as every other exchange discovered, the real money is in offering a blistering array of coins and taking a percentage on trade between them.

Thus, it might be disappointing to cypherpunks that Coinbase is only a reluctant proponent of Bitcoin, but it's also quite predictable.

Bitcoin is continuing to scale, but it's doing so with the Lightning Network instead of by increasing block size.

I'm not super familiar with Bitcoin's tech, but that seems sensible to me. The blockchain is already 250 GB at 7 transactions per second. If you multiplied that by 100, you still have orders of magnitude less transactions per second than credit card processors, but the hardware requirements are now high enough that few individuals could afford to run full nodes.

The Lightning Network is a pipe dream of ivory tower developers. People who think LN can scale Bitcoin into a global currency rivaling USD and EUR either don't understand LN or are lying on purpose.

Fact is that each LN "channel" needs a committed amount of Bitcoin that can only be withdrawn by closing the channel. If you want your Bitcoins "secured" in your wallet, you need to close the channel. Otherwise you will - by design - have to constantly monitor the LN for malicious actors trying to withdraw your funds from your channels - which by the way is also only possible with an extremely reliable internet connection. Ultimately it's only possible to "secure" your funds against malicious actors by closing the channel. This leads to nice DoS attack vectors, see below.

Opening and closing a channel requires an on-chain transaction. This means when you only calculate with the US population, you need at least ~700 million on-chain transactions per month, assuming people get paid once a month, which is absolutely underestimating reality. Also assuming businesses don't trade with each other.

Assuming 7 transactions per second for the Bitcoin network (which in reality is much closer to 3 by the way), you get 7×60×60×24×30 = 18,144,000 transactions per month. So LN cannot even serve 5% of the US.

Reading the LN white paper should give you an idea on how bad it is when you compare it to reality and how people are actually using money.

Do you think people should stop working on LN? I think it's a good way to scale right now, regardless of whether or not it can theoretically handle the transactions of hundreds of millions of people.

There are probably going to be some big entities in the Lightning Network ("lightning service providers") that average users use to open channels in exchange for a fee. These LSPs need to closely monitor for malicious transactions, but the average user doesn't have to. The average user would only get ripped off if their LSP broadcast an invalid transaction. In that case, they could prove it to the network and everyone would leave the LSP. Eventually there will be long-standing LSPs with good reputation. People can open long-running payment channels with them. If on-chain transaction fees get really high, they could be set to timeout after a year. That gives both parties plenty of time to notice an invalid transaction. If they're paranoid about DoS or timing attack, they can close the channel a few days before it times out.

That's my understanding only from reading a few articles about how Lightning Network works, so what I'm saying might be ridiculous and I could be completely wrong.

You cannot distinguish between good or bad transactions. Malicious actors can create as many channels and addresses as they want because it's decentralized and "trustless". Anybody can join and leave the network as they want.

But even if there was a way to identify bad actors, what you describe as "big entities" already exists. They are called banks; you just described one with more steps and that's a lot more complicated.

Correct me if I'm misunderstanding things, but Lightning Network means off-chain transactions, right? Which can be reneged on if one party is malicious, meaning they'll only occur between trusted parties? And in practice, that means traditional financial services companies and their KYC-compliant customers, which is the exact 180 degree opposite of the originally envisioned use case.

From where I sit, it seems like BTC was designed to be a currency that would free us from financial regulation, it has failed on both counts, and crypto enthusiasts are trying to turn it into an over-elaborate debit card because the alternative is for it to become a historical curiosity.

It's complicated, and I'm not sold on the Lightning Network as the future, but

> Which can be reneged on if one party is malicious, meaning they'll only occur between trusted parties?

This is not correct. My understanding is essentially each party is tying up Bitcoin as being between them on the blockchain, then trading cryptographically verifiable assertions of each other off-chain about what the latest status of the ongoing "tab" is between them. Either of them can close the tab at any time and reconcile to the blockchain.

They don't really need to trust each other, although this does introduce a dependency on some entity (whether the user's own server or a third party) to publish the latest version of the "tab" if the other guy maliciously tries to publish an older version of the "tab." And of course, that means you need some redundant storage / handling of those cryptographic assertions from the other guy about what the status of the latest "tab" is. But that doesn't require trust--you'd want to do it even if you trust the other party.

Or at least that's my understanding of it. I like the conceptual idea of LN but some of these details seem like dealbreakers to me.
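The "tab" mechanism the previous two comments describe, as an added example that is not part of the original thread: a toy payment channel in which every balance update is a state signed by both sides, each side hands over a revocation secret for the state it is replacing, and a broadcast of a revoked state is punished by the other side sweeping the whole channel. The HMAC "signatures", the channel id, amounts and the `watcher_online` switch are all constructed for this example; a real channel uses ECDSA/Schnorr signatures and on-chain timelocks, which this simulation only models as flags.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for an ECDSA signature (assumption of this toy): an HMAC keyed by
    # the party's secret. Only the keyholder can produce it, which is all we need.
    return hmac.new(key, msg, hashlib.sha256).digest()


def serialize(cid: str, n: int, bal_a: int, bal_b: int) -> bytes:
    return f"{cid}|{n}|{bal_a}|{bal_b}".encode()


def rev_point(secret: bytes) -> bytes:
    # Public commitment to a revocation secret (stands in for a per-commitment point).
    return hashlib.sha256(secret).digest()


@dataclass
class Commitment:
    n: int
    bal_a: int
    bal_b: int
    sig_a: bytes
    sig_b: bytes
    rev_a: bytes  # commitment to A's revocation secret for this state
    rev_b: bytes  # commitment to B's revocation secret for this state


class Party:
    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)
        self.my_secrets = {}      # n -> my revocation secret for state n
        self.peer_revoked = {}    # n -> peer's revealed secret (what a watchtower must store)
        self.commitments = {}     # n -> fully signed state ("the tab")

    def new_secret(self, n: int) -> bytes:
        self.my_secrets[n] = os.urandom(32)
        return rev_point(self.my_secrets[n])


class Channel:
    def __init__(self, cid: str, a: Party, b: Party, fund_a: int, fund_b: int):
        self.cid, self.a, self.b, self.n = cid, a, b, 0
        self.capacity = fund_a + fund_b       # what the on-chain funding tx locks up
        self._commit(fund_a, fund_b)

    def _commit(self, bal_a: int, bal_b: int) -> None:
        msg = serialize(self.cid, self.n, bal_a, bal_b)
        c = Commitment(self.n, bal_a, bal_b, sign(self.a.key, msg), sign(self.b.key, msg),
                       self.a.new_secret(self.n), self.b.new_secret(self.n))
        self.a.commitments[self.n] = c
        self.b.commitments[self.n] = c

    def pay(self, payer: Party, amount: int) -> None:
        cur = self.a.commitments[self.n]
        bal_a, bal_b = cur.bal_a, cur.bal_b
        if payer is self.a:
            bal_a, bal_b = bal_a - amount, bal_b + amount
        else:
            bal_a, bal_b = bal_a + amount, bal_b - amount
        if min(bal_a, bal_b) < 0:
            raise ValueError("insufficient channel balance")
        # Revoke the state being replaced: each side hands the other its secret for it.
        self.b.peer_revoked[self.n] = self.a.my_secrets[self.n]
        self.a.peer_revoked[self.n] = self.b.my_secrets[self.n]
        self.n += 1
        self._commit(bal_a, bal_b)

    def close(self, broadcaster: Party, n: int, watcher_online: bool = True):
        """Broadcaster publishes commitment n; returns the on-chain outcome (bal_a, bal_b).
        Called repeatedly here only to compare alternative outcomes of the same channel."""
        c = broadcaster.commitments[n]
        msg = serialize(self.cid, n, c.bal_a, c.bal_b)
        # Both signatures are valid, so the chain would accept any historical state...
        assert c.sig_a == sign(self.a.key, msg) and c.sig_b == sign(self.b.key, msg)
        victim = self.b if broadcaster is self.a else self.a
        secret = victim.peer_revoked.get(n)
        if secret is not None and watcher_online:
            # ...but for a revoked one the other side (or its watchtower) can prove the
            # revocation within the timelock and sweep the whole channel: the penalty.
            assert rev_point(secret) == (c.rev_a if broadcaster is self.a else c.rev_b)
            return (0, self.capacity) if broadcaster is self.a else (self.capacity, 0)
        return (c.bal_a, c.bal_b)


def demo() -> dict:
    alice, bob = Party("alice"), Party("bob")
    ch = Channel("ch0", alice, bob, 100, 0)   # constructed: Alice funds 100, Bob 0
    ch.pay(alice, 30)                          # state 1: 70/30
    ch.pay(alice, 10)                          # state 2: 60/40
    return {
        "honest": ch.close(alice, 2),
        "cheat_caught": ch.close(alice, 0, watcher_online=True),
        "cheat_unwatched": ch.close(alice, 0, watcher_online=False),
    }
```

The last case is the one the comment above flags as the dealbreaker: if nobody holding Bob's copy of Alice's revocation secrets is online during the timelock, the stale 100/0 state settles and the 40 Bob was owed is gone. Trust in Alice is never needed; availability of the stored secrets is.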

Ever meet someone with a startup idea that is really an insanely complicated way of achieving something people already can do? It's like, you want to tell them "people will never do steps m,n,o,p,q,r,s and t because that's not how people think, and they have other simpler ways to get what they want."

That's the Lightning Network.

That's also bitcoin/cryptocurrencies. Decentralized money is insanely complicated compared to centralized money. There is no efficiency here.

> My understanding is...

That's how two finserv companies would transact off-chain with each other, but when I go to buy a cup of coffee with a bitcoin, I'm not opening up a payment channel with them for one transaction, that would defeat the whole point. The coffee shop will use a payment processor, who isn't going to deal with me off-chain unless I'm the KYC'd customer of them or some other finserv they trust. (please correct me if I'm wrong here)

I think you're correct in that this will be the inevitable result. It just won't really be for trust reasons.

You won't want to open up a payment channel to them, but you don't need to. You just need an already open payment channel to someone who is, or (more importantly) there is some route of payment channels between you and them through any number of intermediaries.

There won't be a way to enforce KYC on the network itself, and you don't need trust for this to work.

But because of the inherent cost / time / complexity reduction benefits of just maintaining big channels between large entities, normal people and businesses will inevitably be incentivized to just work through banks to do this. The banks can just hold all their money and handle keeping the channels between themselves open and funded.

And that's where I think you're correct. It leads to a world where KYC can be required easily because the vast majority of legitimate use cases will be through centralized endpoints.

In the case of purchasing coffee, your payment can make multiple hops (through multiple channels) to the coffee shop. This means you only need a channel open with 1 participant in order to be able to transact, and none of you need to trust each other.
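The multi-hop coffee payment described above, as an added example that is not part of the original thread: a toy channel network where the payer only has a channel with one peer, a route is found through intermediaries, and each hop is a hash-locked conditional payment that only settles when the recipient reveals the preimage. The topology, amounts, flat per-hop fee and `CLTV_DELTA` block spacing are all constructed for this example; the point it shows is that intermediaries earn their fee only if the payment completes, and nobody along the path can keep the funds without the preimage.

```python
import hashlib
from collections import deque

FEE_PER_HOP = 1     # constructed: flat routing fee each intermediary keeps
CLTV_DELTA = 40     # constructed: blocks between a hop's incoming and outgoing HTLC expiry


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


class LightningToy:
    def __init__(self):
        self.bal = {}  # (u, v) -> what u can currently send to v over their channel

    def open_channel(self, u: str, v: str, fund_u: int, fund_v: int = 0) -> None:
        self.bal[(u, v)] = fund_u
        self.bal[(v, u)] = fund_v

    def find_route(self, src: str, dst: str, amount: int):
        # BFS for the shortest path whose every hop has at least `amount` outbound.
        # Fees are checked exactly in pay(); this is only a lower-bound filter.
        parent = {src: None}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            if u == dst:
                break
            for (x, v), cap in self.bal.items():
                if x == u and v not in parent and cap >= amount:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return None
        route, node = [], dst
        while node is not None:
            route.append(node)
            node = parent[node]
        return route[::-1]

    def pay(self, src: str, dst: str, amount: int, preimage: bytes, payment_hash: bytes) -> bool:
        """Send `amount` to dst over hash-locked hops. Returns True if it settled."""
        route = self.find_route(src, dst, amount)
        if route is None:
            return False
        hops = list(zip(route, route[1:]))
        n_mid = len(hops) - 1                      # intermediaries on the path
        locked = []                                # (u, v, amount, expiry) per HTLC
        expiry = 1000 + CLTV_DELTA * n_mid         # constructed block heights
        send = amount + FEE_PER_HOP * n_mid        # sender also funds the hop fees
        for u, v in hops:
            if self.bal[(u, v)] < send:
                self._refund(locked)
                return False
            self.bal[(u, v)] -= send               # locked in the HTLC, not yet v's
            locked.append((u, v, send, expiry))
            expiry -= CLTV_DELTA                   # each hop can claim before the one behind it
            send -= FEE_PER_HOP
        # The recipient can only claim by revealing a preimage matching the invoice hash.
        if sha256(preimage) != payment_hash:
            self._refund(locked)                   # HTLCs expire, everyone is made whole
            return False
        for u, v, amt, _ in reversed(locked):      # preimage propagates back toward the sender
            self.bal[(v, u)] += amt
        return True

    def _refund(self, locked) -> None:
        for u, v, amt, _ in locked:
            self.bal[(u, v)] += amt


def demo() -> dict:
    net = LightningToy()
    # Constructed topology: Alice only has a channel with Bob; the cafe only with Carol.
    net.open_channel("alice", "bob", 100)
    net.open_channel("bob", "carol", 500, 500)
    net.open_channel("carol", "cafe", 200)
    preimage = b"constructed invoice secret"      # the cafe generates this...
    payment_hash = sha256(preimage)               # ...and puts only its hash in the invoice
    paid = net.pay("alice", "cafe", 25, preimage, payment_hash)
    # A second attempt where the recipient cannot produce the preimage: every HTLC unwinds.
    bad = net.pay("alice", "cafe", 25, b"wrong", payment_hash)
    return {
        "paid": paid,
        "bad_preimage": bad,
        "alice_to_bob": net.bal[("alice", "bob")],
        "cafe_balance": net.bal[("cafe", "carol")],
        "bob_total": net.bal[("bob", "alice")] + net.bal[("bob", "carol")],
    }
```

After the first payment Alice's outbound balance to Bob is 73 (25 plus two 1-unit hop fees), the cafe holds 25 on its Carol channel, and Bob's combined balance has grown by exactly his fee. The failed attempt leaves every balance where it was.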

Lightning Network is primarily off-chain transactions, but parties don't have to trust each other. If you open a payment channel with a malicious party, there's no way for them to benefit, and the worst they can do is make you wait a few days for a timelock to expire in order to withdraw your funds. Admittedly, that's a bit of a nuisance, which is why I'm surprised fees for Lightning Network transactions are so low currently (approximately $0.00). I've already used Lightning Network several times without ever doing KYC.

For context, I don't think anyone is suggesting that BTC's blocks would still be full if they were 100 times bigger, so it is premature to talk about competing with credit card processors.

However, 250 GB is approximately 25 GB per year (since Bitcoin started in 2009), which, if you multiply it by 100, is 2.5 TB per year. That means it will take about 6.4 years to fill a 16 TB hard drive, which should cost less than $600:

https://www.techradar.com/uk/news/worlds-largest-hard-disk-d...

It's not hard to imagine someone paying under $100 per year to run a full node, whereas on the day that TechRadar article was published, the average price of a bitcoin transaction was $4.58 as seen here:

https://bitinfocharts.com/comparison/bitcoin-transactionfees...
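The two back-of-envelope calculations in this thread (the ~700 million monthly channel opens and closes against ~18 million on-chain transactions per month upthread, and the 25 GB per year / 16 TB disk arithmetic just above) put into one parametrised model, as an added example that is not from either commenter. It assumes an average transaction of 250 bytes, a 10-minute block interval, full blocks, and a US-sized user base of 330 million; all of these are constructed inputs, and the "channel coverage" figures compare monthly open/close churn with one year-long channel per user, which is the counter-scenario an earlier reply raised.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600
GB = 10**9


def onchain_tps(block_bytes: int, block_interval_s: int, avg_tx_bytes: int = 250) -> float:
    """Upper bound on confirmed transactions per second for a given block size."""
    return block_bytes / avg_tx_bytes / block_interval_s


def chain_growth_bytes_per_year(block_bytes: int, block_interval_s: int) -> float:
    """Worst-case chain growth if every block is full."""
    return block_bytes * SECONDS_PER_YEAR / block_interval_s


def years_to_fill(disk_bytes: float, growth_per_year: float) -> float:
    return disk_bytes / growth_per_year


def channel_churn_coverage(tps: float, users: int, onchain_ops_per_user_year: float) -> float:
    """Fraction of `users` whose channel opens/closes the chain can absorb in a year
    (each open and each close is one on-chain transaction). Values above 1 mean spare capacity."""
    return tps * SECONDS_PER_YEAR / (users * onchain_ops_per_user_year)


def scenario(block_mb: float, interval_s: int = 600, users: int = 330_000_000) -> dict:
    block_bytes = int(block_mb * 10**6)
    tps = onchain_tps(block_bytes, interval_s)
    growth = chain_growth_bytes_per_year(block_bytes, interval_s)
    return {
        "tps": round(tps, 2),
        "gb_per_year_if_full": round(growth / GB, 1),
        "years_per_16tb_disk": round(years_to_fill(16 * 10**12, growth), 1),
        # one open + one close per month (24 ops/yr) vs a single year-long channel (2 ops/yr)
        "coverage_monthly_channels": round(channel_churn_coverage(tps, users, 24), 3),
        "coverage_yearly_channels": round(channel_churn_coverage(tps, users, 2), 3),
    }


if __name__ == "__main__":
    for mb in (1, 10, 100):
        print(mb, "MB blocks:", scenario(mb))
```

With 1 MB blocks the model gives roughly 6.7 tps and about 53 GB of growth per year at full blocks (the thread's 25 GB/year is the historical average, when blocks were mostly not full), and monthly channel churn for a US-sized population is covered at under 3 percent, which matches the "cannot even serve 5%" figure above; year-long channels raise that to about a third, and 100 MB blocks push both coverage figures past 1 at the cost of about 5 TB of chain per year.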

I think they are being sarcastic. What they probably mean is "for political/business reasons Coinbase CEO has to tiptoe around Bitcoin's actual purpose".

I mean Armstrong is calling it "economic freedom" so he's not that far off base, in any case.

Every single crypto that has tried to pass that limitation has remained centralised in one way or another. You can either:

1) have centralisation

2) assume storage space will expand exponentially since the entire point of bitcoin is many many copies of its ledger

3) come up with a new method more secure than PoW but still decentralised

Good luck with (3). (1) and (2) are not good choices. So they moved it off the chain into lightning network.

There is a solution (#3). Best known is to have the consensus layer prune data periodically, but check to see if the UTXO getting pruned are still spendable and charge fees for rebroadcasting them.

https://www.youtube.com/watch?v=agppUdX9YvI&feature=youtu.be...

An actual market-powered mechanism for data-pruning. As the price of new transactions rise, the amount paid by old (rebroadcast) transactions rise more. Network hits equilibrium where data in == data out.

I'm not sure what you mean by "assume storage space will expand exponentially", since there is only a limited number of potential active crypto-currency users, making a small number of daily transactions (ignoring things like High Frequency Trading), recorded in a blockchain that grows linearly over time.

Would you say that the credit card network, or PayPal, has exponentially increasing storage requirements? It's possible for Bitcoin (for example) to be decentralised and useful to the world and only require linearly increasing storage space.

Fortunately it seems that storage technology will continue to scale linearly over the coming years too:

https://images.anandtech.com/doci/15064/seagate-roadmap.png

I should've phrased that better. What I meant was to assume consumer affordable storage space will increase in size exponentially i.e. if we pay $0.01 / GB today, we should be paying fractions of that fraction in a year (because obviously "exponential" is loose term here).

> (ignoring things like High Frequency Trading)

HFT is not a blockchain transaction. They are off blockchain transactions entirely because they trade money between bitcoin / other cryptos and dollars.

> there is only a limited number of potential active crypto-currency users

My entire point is that this limits them from growing. If the blockchain is kept from exploding, it helps to onboard more users.

> Would you say that the credit card network, or PayPal, has exponentially increasing storage requirements?

Indeed not. But their user base is now standardised. So they have a predictable number of transactions every second. However, their storage requirements are still obviously industrial grade server farms. The point of bitcoin is that everyone should have a copy of every transaction (excluding lightning network transactions). You see the connection? Not all of us can have our own server farms. If we all want to store every transaction in the way the parent of my previous comment alluded to (increase block size), each of us will need our own mini server farm i.e. exponential storage growth.

> It's possible for Bitcoin (for example) to be decentralised and useful to the world and only require linearly increasing storage space.

Yes. It'll level off at some point. But we are far, faaar away from that point. So it'll take quite a while before it levels off.

> The point of bitcoin is that everyone should have a copy of every transaction (excluding lightning network transactions).

Is that the point of bitcoin? Satoshi said:

> Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes.

https://satoshi.nakamotoinstitute.org/emails/cryptography/2/

(He also didn't say anything about "lightning network transactions".)

> If we all wants to store every transaction in the way the parent of my previous comment alluded to (increase block size), each of us will need our own mini server farm i.e. exponential storage growth.

The BTC blockchain is currently 250 GB. If blocks had been 10 times bigger, the blockchain would still be less than 3 TB, and blocks would almost never be full, which would reduce transaction fees and help to onboard more users. I don't think that storing 3 TB of data requires a server farm.
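The Simplified Payment Verification that the Satoshi quote above refers to, as an added example that is not part of the original thread: an SPV client keeps only block headers, checks that they chain together under the proof-of-work target, and checks a Merkle branch to see that a transaction is in a block. The toy header layout, the deliberately low `TARGET`, and the transaction ids (including one labelled as a double spend) are all constructed for this example. The security-relevant part is the last two results of `demo()`: inclusion of an invalid transaction that a miner chose to mine passes every check an SPV client can make, because only a node validating full blocks can tell the two apart.

```python
import hashlib
import struct

TARGET = 1 << 244   # toy difficulty: about 4096 hashes per block, so this runs instantly


def dsha(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def merkle_layers(txids):
    layers = [list(txids)]
    while len(layers[-1]) > 1:
        layer = list(layers[-1])
        if len(layer) % 2:
            layer.append(layer[-1])          # Bitcoin's rule: duplicate the odd last node
        layers.append([dsha(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)])
    return layers


def merkle_root(txids) -> bytes:
    return merkle_layers(txids)[-1][0]


def merkle_proof(txids, index: int):
    """Sibling hashes from leaf to root, each tagged with whether it sits on the right."""
    proof = []
    for layer in merkle_layers(txids)[:-1]:
        layer = list(layer)
        if len(layer) % 2:
            layer.append(layer[-1])
        sib = index ^ 1
        proof.append((layer[sib], sib > index))
        index //= 2
    return proof


def verify_proof(txid: bytes, proof, root: bytes) -> bool:
    h = txid
    for sib, right in proof:
        h = dsha(h + sib) if right else dsha(sib + h)
    return h == root


def header(prev: bytes, root: bytes, nonce: int) -> bytes:
    # version | prev block hash | merkle root | time | bits | nonce (toy layout, 80 bytes)
    return struct.pack("<I", 1) + prev + root + struct.pack("<III", 0, 0, nonce)


def parse(hdr: bytes):
    return hdr[4:36], hdr[36:68]              # (prev, merkle root)


def mine(prev: bytes, root: bytes) -> bytes:
    nonce = 0
    while int.from_bytes(dsha(header(prev, root, nonce)), "big") >= TARGET:
        nonce += 1
    return header(prev, root, nonce)


def verify_headers(headers) -> bool:
    """Headers link to each other and each meets the PoW target. This is all the data
    an SPV client downloads (80 bytes per block)."""
    prev = b"\x00" * 32
    for h in headers:
        if parse(h)[0] != prev or int.from_bytes(dsha(h), "big") >= TARGET:
            return False
        prev = dsha(h)
    return True


def spv_check(headers, block_index: int, txid: bytes, proof) -> bool:
    """What SPV can verify: valid header chain and the tx is committed to in a block.
    What it cannot verify: that the tx is valid (inputs exist, not a double spend)."""
    return verify_headers(headers) and verify_proof(txid, proof, parse(headers[block_index])[1])


def demo() -> dict:
    # Constructed chain: three blocks of made-up txids, plus one invalid tx a miner included.
    blocks = [[dsha(f"tx{i}-{j}".encode()) for j in range(5)] for i in range(3)]
    bad = dsha(b"constructed double spend of tx0-0")
    blocks[2].append(bad)
    headers, prev = [], b"\x00" * 32
    for txids in blocks:
        headers.append(mine(prev, merkle_root(txids)))
        prev = dsha(headers[-1])
    return {
        "real_tx_included": spv_check(headers, 0, blocks[0][0], merkle_proof(blocks[0], 0)),
        "double_spend_included": spv_check(headers, 2, bad, merkle_proof(blocks[2], 5)),
        "wrong_block": spv_check(headers, 1, bad, merkle_proof(blocks[1], 0)),
        "broken_chain": verify_headers(headers[::-1]),
    }
```

The client can reject a forged branch or a header chain that does not link up, but `double_spend_included` comes back True: the headers are valid and the branch is valid, so from the SPV client's point of view the miners' word on validity is final. That is the trust assumption the next reply is objecting to.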

> (He also didn't say anything about "lightning network transactions".)

Correct. I'm not going by what Satoshi said, but by what development the bitcoin core team is aiming to create now.

> If blocks had been 10 times bigger, the blockchain would still be less than 3 TB

Correct. The aim of the project is to keep it as small as possible. 3 TB may not seem prohibitive today, but that's because there's hardly been any usage of the network compared to what the real world looks like. If bitcoin truly competed with Visa / Mastercard, both of those numbers will start looking a lot bigger. If the compressed version was 3TB, the bigger blocks version now becomes 30TB - suddenly far out of consumer grade storage for a normal person.

Except SPV as Satoshi described doesn't work, so the trade-off becomes "can users simply trust miners" to which the answer from experience is a resounding "no".

So 10 times (the current) 7 transactions per second = 70tps.

And it needs 3TB?? Cmon, that's not lot of gain for a lot of loss of control by the average.

No, the idea is to not force everyone to have a complete copy of the blockchain. This is already the case as most use light wallets or SPV wallets.

"Decentralization" is a means to an end. Not everyone has to run a full node, as long as there's enough.

It's amusing that LN is touted as a solution, since decentralized routing is an unsolved problem, meaning that LN will be more centralized than what it's supposed to solve.

4) An abridged chain. I wish I could find the link for this or remember what it was called, but there's a lot of research towards making a compressed chain that's still verifiable and would be small enough to have on your phone. I believe their thesis stated they should be able to get it down to 2mb if my memory serves correct.

I think you're thinking of Mimblewimble and ZK-snarks. They use cryptographic techniques where the signatures need to "add up" to what they should in order to be valid -- demonstrating that no new tokens have been added in the course of the new block.

Quite cool approaches. The problem is that you can't attach data to transactions, so only useful for a subset of applications, those unlikely to create much bloat in the first place.

No neither of those are it, I'm familiar with those. I believe this would still be the same old Bitcoin, but there will be clients that use these proofs to run a lightweight full node without relying on external sources or resorting to a lite wallet model.

Sounds interesting -- if you remember the details pls post.

Bitcoin is for wealthy Chinese people to evade currency controls and get their wealth out to politically safer countries. Buy mining hardware and electricity with Renminbi, get Bitcoins, sell in a foreign country for hard currency.

Your comment sounds like a priest delivering a sermon. No sources to back your argument up and also you missed a large fact that Bitcoin just doesn't scale for any of the applications you've outlined.

Skepticism of crypto is immoral, and will be downvoted. Only confidence is allowed. lol

Indexing crypto has outperformed BTC only strategies for a long time.

Completely agree. I thought I posted on the other thread about 2020s predictions but apparently I didn't hit the reply button:

Bitcoin will definitely singularly emerge as the new common 'numéraire' in the near to mid-term (5 to 10 years). I love that you specifically call out the omnipresent crypto scams, because they are what disappointed me from the whole endeavor once they emerged in the ICO craze. Once 1 bitcoin has a price of 500,000 to a few million in USD per individual 'bitcoin' UTXO, it'll be obvious for governments to just start using it, and create dual money systems that are just layers on top of the (maybe single, maybe not) existing, working blockchain, despite its slowness. China is pursuing this now, even in anticipation of large price increases.

IMO Bitcoin is definitely the numeraire of the future, and it is certainly not a sure thing right now but I am extremely certain of this. It then becomes so trivial to do aggregate balance of payments calculations without so much sketchy behavior by fraudulent sovereigns that want to represent their own vision of 'real trade' for various purposes, such as economic warfare.

For non-finance people, numeraire is a representative abstraction of a 'unit of exchange', used to simplify things. You can then idealize situations like having riskless borrowing, which simplifies many formulae. But this is not an accurate portrayal of reality, (look up sovereign defaults, as one example. Greece, Spain, Italy, some Asian countries at different times, Argentina, Venezuela, etc.) So having a numeraire that isn't sovereign would be really impactful in making all economic participants way more honest, outside of the immediate smaller-scale effects of allowing people to get their cryptos robbed by unscrupulous people on the darknet.

From Wiki: "The numéraire is a basic standard by which value is computed. In mathematical economics it is a tradable economic entity in terms of whose price the relative prices of all other tradables are expressed"

Anyways, the Bitcoin protocol could definitely fail, for any number of a few different reasons, but at present barring some kind of major technological paradigm shift that breaks existing cryptography (maybe QC, maybe something different) it is uniquely positioned to become the de-facto standard for all balance of payments activity internationally. Scalability issues are definitely a factor, but hey, the mempool is working its hardest until they rewrite the underlying consensus mechanisms to work at larger scale. But as a settlement system and a darknet unit of exchange, it is extremely clear that this is the first hard asset that won't just vanish at the mercy of sovereigns. Very powerful new technology.