
fishthoughts

Taking Bitcoin Seriously

If you’ve ever browsed the world of online Bitcoin advocacy, you may have come across content like this screed on /r/Bitcoin, where the author describes the evils of inflation and the “insidious tax on society” that we call the banking system. Reading this stuff, it’s easy to assume that Bitcoin is the sole purview of libertarian freaks. And, in general, it is.

But revisiting the original “Bitcoin paper”, published by the pseudonymous Satoshi Nakamoto in 2007, reveals something interesting: before Bitcoin advocacy was taken over by a cult of weirdos (which, to be clear, happened almost immediately), the arguments made in favor of it were much stronger and addressed a more interesting problem domain than what you see today. Writing this post didn’t turn me into a Bitcoin advocate; I don’t expect it will have that effect for any readers, either. But I do hope you’ll come away with a better idea of why someone might have ever thought Bitcoin was a good idea.

What is Bitcoin?

The paper, titled “Bitcoin: A Peer-to-Peer Electronic Cash System” starts with a simple argument:

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.

There are two core arguments being made here:

  • Relying on financial institutions for online transactions is expensive, because they charge transaction fees in order to run the system. This makes it hard to make small, casual transactions
  • Because these institutions allow the reversal of transactions, sellers and buyers need a higher level of trust in each other because of the possibility of a fraudulent transaction or a buyer reversing a payment

The solution, Satoshi says, “is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party”.

  • This solves the first problem by removing the overhead that comes with a financial institution that charges fees in order to conduct transactions
  • This solves the second problem by making transactions impossible to reverse and guaranteeing the identity of the recipient of a transaction

Both of these “solutions” are flawed, as we’ll see later. But something I’d like to emphasize here is that Satoshi makes no mention of the federal reserve, and the commentary on banks is pretty neutral. The emphasis is on letting people exchange money safely and efficiently, not overthrowing the global financial system. It’s an argument that is simultaneously much more sound and much less fantastical than much of what you see online today.

The next section of the paper describes the mechanics of how Bitcoin actually works. It starts with a central problem: it’s easy to use asymmetric-key cryptography (digital signatures) to verify that someone actually sent a transaction to another person, in this case by sending a “coin” from one wallet to another. But it’s much more difficult to have a system where you can guarantee that someone didn’t spend the same coin twice. The solution, Satoshi explains, is a timestamp server: a service that can prove that a block of items was published at a specific time:

A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

To implement a distributed timestamp server, where people can agree on a chain of timestamps without using any central authority, Satoshi introduces the concept of “proof of work”. In order to publish a timestamp, you must find a “nonce” value which, when hashed with the timestamp, produces a set number of zeros in the output. To do this, you have to randomly pick and try “nonce” values until you get the desired hash. Someone with more CPU cores can try more combinations at once, which Satoshi calls “one-CPU-one-vote”. In this system, if someone wanted to “attack” the blockchain and try to introduce an invalid transaction, they would need more CPUs than every other node in the network combined, making attacks extremely expensive.
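To make the timestamp chain and proof of work concrete, here is a small Go model of the mechanism described in the last two paragraphs. It is an added example written for this post, not code from the paper or from Bitcoin itself: the block layout, the SHA-256 serialisation, the “leading zero bits” difficulty rule and the timestamps are all constructed for illustration. Each block commits to the hash of the block before it, a nonce is searched by brute force until the hash meets the difficulty, and a verifier re-checks every link and every proof of work without trusting whoever built the chain. Rewriting an earlier block breaks every link after it, which is why the chain gets harder to alter the longer it grows.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Block is a minimal timestamp-server entry as the paper describes it: the
// hash of the previous block, the items being timestamped, a timestamp and
// the proof-of-work nonce. Constructed model, not Bitcoin's real block format.
type Block struct {
	PrevHash  [32]byte
	Items     string
	Timestamp uint64
	Nonce     uint64
}

// hashBlock serialises the fields in a fixed order and hashes them with
// SHA-256. Changing any field, including the nonce, changes the hash.
func hashBlock(b Block) [32]byte {
	var num [8]byte
	buf := append([]byte{}, b.PrevHash[:]...)
	buf = append(buf, b.Items...)
	binary.BigEndian.PutUint64(num[:], b.Timestamp)
	buf = append(buf, num[:]...)
	binary.BigEndian.PutUint64(num[:], b.Nonce)
	buf = append(buf, num[:]...)
	return sha256.Sum256(buf)
}

// leadingZeroBits counts how many zero bits the hash starts with; this is the
// "set number of zeros" the proof of work demands.
func leadingZeroBits(h [32]byte) int {
	n := 0
	for _, c := range h {
		if c != 0 {
			return n + bits.LeadingZeros8(c)
		}
		n += 8
	}
	return n
}

// mine tries nonces from zero upwards until the block hash meets the
// difficulty. Expected work doubles with every extra bit of difficulty.
func mine(b Block, difficulty int) Block {
	for b.Nonce = 0; ; b.Nonce++ {
		if leadingZeroBits(hashBlock(b)) >= difficulty {
			return b
		}
	}
}

// buildChain mines one block per item, each committing to the hash of the
// block before it. Timestamps are constructed values ten minutes apart.
func buildChain(items []string, difficulty int) []Block {
	chain := make([]Block, 0, len(items))
	var prev [32]byte // the first block points at an all-zero hash
	for i, it := range items {
		b := mine(Block{PrevHash: prev, Items: it, Timestamp: 1000000000 + uint64(i)*600}, difficulty)
		chain = append(chain, b)
		prev = hashBlock(b)
	}
	return chain
}

// verifyChain re-checks every block's proof of work and back-link. Anyone can
// run this without trusting whoever produced the chain.
func verifyChain(chain []Block, difficulty int) error {
	for i, b := range chain {
		if leadingZeroBits(hashBlock(b)) < difficulty {
			return fmt.Errorf("block %d: proof of work does not meet difficulty %d", i, difficulty)
		}
		if i > 0 && b.PrevHash != hashBlock(chain[i-1]) {
			return fmt.Errorf("block %d: previous-hash link broken", i)
		}
	}
	return nil
}

func main() {
	const difficulty = 12 // bits; small enough to mine instantly on one core
	chain := buildChain([]string{"tx batch 1", "tx batch 2", "tx batch 3"}, difficulty)
	for i, b := range chain {
		h := hashBlock(b)
		fmt.Printf("block %d nonce=%d hash=%s...\n", i, b.Nonce, hex.EncodeToString(h[:4]))
	}
	fmt.Println("valid chain:", verifyChain(chain, difficulty))
	chain[0].Items = "tx batch 1 (rewritten)" // alter history after the fact
	fmt.Println("after tampering:", verifyChain(chain, difficulty))
}
```

Raising `difficulty` by one bit doubles the average number of nonces tried per block, which is the whole point of “one-CPU-one-vote”: the chain a verifier accepts is the one that embodies the most work, and reproducing it costs as much as producing it did.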

An obvious criticism of this is that, in order to be truly decentralized, blockchain needs to reckon with its reliance on centralized network infrastructure. The act of broadcasting a timestamp requires the use of centralized ISPs, DNS providers, certificate authorities, and so on. But in the context of the start of the paper, this criticism makes less sense: if Bitcoin is about ensuring correctness by distributing the responsibility for checking transactions across many nodes, it doesn’t have to be absolutely decentralized, just sufficiently decentralized to be resistant to attack by bad actors and to avoid relying on any single authority to manage every transaction.

Given all that, how do you get people to actually do the work to verify blockchain transactions? Satoshi suggests a combination of giving new coins to verifiers, often called miners, and of attaching transaction fees to blocks by making the total output of a transaction greater than its input. As they point out in the paper, this creates a potential problem: a very successful miner could use their winnings to assemble so much computing power as to be able to take over the network. They suggest that the problem would resolve itself as follows:

If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favor him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

Basically, if you can make enough money mining Bitcoin to buy millions of CPU cores and take over the network, why stop the gravy train by destroying the integrity of the blockchain? It’s a good point, but I can think of a couple objections:

  • If someone got to 50% of cores, could they become so dominant at winning block rewards that they eventually drove out all of their competitors and took over the entire network? I don’t see why not.
  • Could someone with 50% of cores introduce small errors and obfuscate them to make them difficult to detect? I’m interested to read more about if people have researched possible attacks here.
  • How would this affect trust in the integrity of the blockchain over time? It’s easy to imagine a 50% owned chain slowly driving away users concerned it could be attacked at any moment.

It’s also worth calling out that “50% + 1” attacks have absolutely occurred against smaller blockchains with fewer users, so we can safely say Satoshi’s assertion would only hold for a large, well-established blockchain with many verifiers. MIT researcher James Lovejoy has a post here with some speculation about exactly how many users a blockchain needs in order to be protected from this kind of attack.
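The “50%” threshold in the objections above is not a cliff but the end of a curve, and the paper actually works that curve out in its later, more technical section (the part this post skips). As an added example, not code from the post, here is that calculation in Go: the probability that an attacker holding a fraction `q` of the network’s hash power, starting `z` blocks behind the honest chain, ever catches up, modelled as the paper does with a Poisson distribution over how many blocks the attacker mines while the honest chain mines `z`. The function names and the `confirmationsNeeded` helper are mine; the formula is the paper’s.

```go
package main

import (
	"fmt"
	"math"
)

// attackerSuccessProbability follows section 11 of the Bitcoin paper: the
// probability that an attacker with fraction q of the hash power, starting
// z blocks behind, ever catches up with the honest chain. p is the honest
// fraction. Once q reaches p the race is at best a fair coin, so the attacker
// catches up with certainty given enough time.
func attackerSuccessProbability(q float64, z int) float64 {
	p := 1 - q
	if q >= p {
		return 1
	}
	lambda := float64(z) * (q / p)
	sum := 1.0
	for k := 0; k <= z; k++ {
		// Poisson probability that the attacker mined exactly k blocks in the
		// time the honest chain mined z.
		poisson := math.Exp(-lambda)
		for i := 1; i <= k; i++ {
			poisson *= lambda / float64(i)
		}
		// From z-k blocks behind, the chance of ever catching up is (q/p)^(z-k).
		sum -= poisson * (1 - math.Pow(q/p, float64(z-k)))
	}
	return sum
}

// confirmationsNeeded returns the smallest number of confirmations z at which
// the attacker's success probability falls below target, or -1 if it never
// does within maxZ (always the case once q >= 0.5).
func confirmationsNeeded(q, target float64, maxZ int) int {
	for z := 0; z <= maxZ; z++ {
		if attackerSuccessProbability(q, z) < target {
			return z
		}
	}
	return -1
}

func main() {
	for _, q := range []float64{0.1, 0.3, 0.45, 0.5} {
		fmt.Printf("q=%.2f:", q)
		for _, z := range []int{0, 1, 2, 5, 10} {
			fmt.Printf(" z=%d P=%.6f", z, attackerSuccessProbability(q, z))
		}
		fmt.Printf("  confirmations for P<0.1%%: %d\n", confirmationsNeeded(q, 0.001, 1000))
	}
}
```

The practical reading is the defender’s one: a merchant who waits for `z` confirmations is choosing how small a minority of hash power they are willing to bet against, and the number of confirmations that buys a given safety margin grows steeply as `q` approaches one half, then stops helping at all.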

The rest of the paper is more technical in nature. It’s good and worth reading, but not really noteworthy for the purposes of this post. There’s one final quote I’d like to call out, from the conclusion:

The network is robust in its unstructured simplicity.

This is an important characteristic of secure crypto-systems. Simple systems are less likely to hide weaknesses than complex ones that rely on more assumptions. It’s a property that, in my eyes, makes Bitcoin more trustworthy than some of the more complicated blockchain systems that have come later.

The Real World Problem

I’d like to return to this point, from when we summarized two key arguments for why Bitcoin is necessary:

Because these institutions allow the reversal of transactions, sellers and buyers need a higher level of trust in each other because of the possibility of a fraudulent transaction or a buyer reversing a payment

There’s no way I can claim to be the first person to think of this, but I would like to introduce a term I’ve started using to describe this: the real world problem. It says:

A crypto-system can only make strong guarantees about behavior within the crypto-system

The “real world” part comes from the fact that crypto-system security guarantees often fall apart when we move from the system into the real world. For an example, and to prove I’m not just picking on Bitcoin, let’s take PGP.

PGP is a popular set of tools for encrypting communications, particularly email. Users have a private key and a public key, where a message encrypted with a user’s private key can only be decrypted with their public key, and vice-versa. Since the private key is kept secret, other users can verify that only you could have sent a message by using your public key to decode it, and you can guarantee only a specific person will read your messages by encrypting them with that person’s public key. But there’s one problem: how do you know whose public key is whose?

This is the real world problem: PGP (really, the asymmetric-key encryption tools it’s based on) can only make strong guarantees about the relationships between keys and messages, not between users and keys. The “real world” aspect of this – which user owns which key? – is just as important, if not more, than the ability of a hypothetical attacker to decode an encrypted message.
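The gap between “this key signed the message” and “this person signed the message” is easy to see in code. The following Go example is added for this post and is not PGP or any real keyserver: it uses Ed25519 from the standard library as a stand-in for PGP signatures, a map as a stand-in for a keyserver that accepts uploads under any name, and constructed seeds so the keys are reproducible. Signature verification answers only the in-system question; the out-of-band fingerprint check is the real-world step the crypto cannot do for you. The same split applies to the Bitcoin wallets discussed in the next paragraph, where the ledger binds coins to keys and nothing binds keys to people.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Directory stands in for a PGP keyserver: anyone can upload a public key
// under any name, and nothing checks that the uploader is that person.
// Constructed model for illustration.
type Directory map[string][]ed25519.PublicKey

// keyFromLabel derives a deterministic key pair from a constructed seed so
// the example is reproducible. Real keys come from random seeds.
func keyFromLabel(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("example-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// fingerprint is a short, human-comparable digest of a public key: the thing
// you would read out over the phone or compare on a business card.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// verifiesUnderName reports whether sig over msg verifies under any key the
// directory lists for name. This is the most the cryptography alone can say:
// "some key filed under Alice signed this", not "Alice signed this".
func verifiesUnderName(dir Directory, name string, msg, sig []byte) bool {
	for _, pub := range dir[name] {
		if ed25519.Verify(pub, msg, sig) {
			return true
		}
	}
	return false
}

// verifiesUnderPinnedKey accepts only the key whose fingerprint was confirmed
// with the real person out of band. That confirmation is the step the
// directory cannot perform for you.
func verifiesUnderPinnedKey(pinnedFP string, pub ed25519.PublicKey, msg, sig []byte) bool {
	return fingerprint(pub) == pinnedFP && ed25519.Verify(pub, msg, sig)
}

func main() {
	alicePub, alicePriv := keyFromLabel("alice")
	otherPub, otherPriv := keyFromLabel("someone-else")
	name := "Alice <alice@example.com>"
	// Both keys have been uploaded under the same name.
	dir := Directory{name: {alicePub, otherPub}}
	msg := []byte("please send the bicycle to the new address") // constructed

	sigAlice := ed25519.Sign(alicePriv, msg)
	sigOther := ed25519.Sign(otherPriv, msg)
	fmt.Println("directory lookup, Alice's key:  ", verifiesUnderName(dir, name, msg, sigAlice))
	fmt.Println("directory lookup, other key:    ", verifiesUnderName(dir, name, msg, sigOther))

	pinned := fingerprint(alicePub) // confirmed with Alice in person
	fmt.Println("pinned fingerprint, Alice's key:", verifiesUnderPinnedKey(pinned, alicePub, msg, sigAlice))
	fmt.Println("pinned fingerprint, other key:  ", verifiesUnderPinnedKey(pinned, otherPub, msg, sigOther))
}
```

Both directory lookups print `true`, which is exactly the problem: the directory answered the question it can answer. Only the pinned check, which depends on something that happened outside the system, tells the two keys apart.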

The problem in Bitcoin is similar: if a user sends a coin to another Bitcoin wallet, the blockchain system can provide an absolute guarantee that the coin will arrive at the right wallet, and that the original owner has only spent that coin once. But it doesn’t say anything about who the person receiving or sending the coin is. If the first user is paying the second user for a bicycle, Bitcoin has nothing to say about if the bicycle actually changes hands, or if the bicycle received is the same as the one advertised.
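Here is the guarantee the paragraph above describes, reduced to its mechanics: a Go model of Bitcoin’s unspent-output rule, written as an added example for this post rather than taken from any real implementation. Every coin is an output of some earlier transaction; spending it means naming that output as an input, and the ledger deletes it on the spot, so a second transaction naming the same output is rejected. The struct layout, the string transaction ids and the wallet labels are constructed; the rule that outputs may not exceed inputs, with the difference going to the miner as a fee, is the paper’s. Nothing in the ledger records what was bought.

```go
package main

import (
	"errors"
	"fmt"
)

// Outpoint names one transaction output: the transaction that created it and
// the output's index within it. Constructed minimal model of Bitcoin's unspent
// output rule, not its real transaction format.
type Outpoint struct {
	TxID  string
	Index int
}

// Output is value assigned to a wallet label. The label identifies a key, not
// a person, and the ledger knows nothing about what the payment is for.
type Output struct {
	Wallet string
	Value  uint64
}

type Tx struct {
	ID      string
	Inputs  []Outpoint
	Outputs []Output
}

// Ledger is the set of outputs that have not yet been spent.
type Ledger map[Outpoint]Output

var (
	ErrUnknownInput = errors.New("input already spent or never existed")
	ErrOverspend    = errors.New("outputs exceed inputs")
)

// Apply validates tx against the unspent set and, if valid, removes its inputs
// and adds its outputs. A later transaction naming the same outpoint fails
// because the outpoint is gone. The input/output difference is the miner's
// fee, which is why outputs may not exceed inputs.
func (l Ledger) Apply(tx Tx) (fee uint64, err error) {
	var in, out uint64
	seen := make(map[Outpoint]bool, len(tx.Inputs))
	for _, op := range tx.Inputs {
		o, ok := l[op]
		if !ok || seen[op] {
			return 0, fmt.Errorf("%s input %s:%d: %w", tx.ID, op.TxID, op.Index, ErrUnknownInput)
		}
		seen[op] = true
		in += o.Value
	}
	for _, o := range tx.Outputs {
		out += o.Value
	}
	if out > in {
		return 0, fmt.Errorf("%s: %w", tx.ID, ErrOverspend)
	}
	for _, op := range tx.Inputs {
		delete(l, op)
	}
	for i, o := range tx.Outputs {
		l[Outpoint{TxID: tx.ID, Index: i}] = o
	}
	return in - out, nil
}

// Balance sums the unspent outputs assigned to a wallet label.
func (l Ledger) Balance(wallet string) uint64 {
	var total uint64
	for _, o := range l {
		if o.Wallet == wallet {
			total += o.Value
		}
	}
	return total
}

func main() {
	ledger := Ledger{}
	// A block reward has no inputs; seed it into the ledger directly.
	ledger[Outpoint{TxID: "coinbase-1", Index: 0}] = Output{Wallet: "alice", Value: 1000}

	// alice pays bob 990 for a bicycle, leaving 10 as the fee.
	pay := Tx{ID: "tx-1", Inputs: []Outpoint{{"coinbase-1", 0}}, Outputs: []Output{{"bob", 990}}}
	fee, err := ledger.Apply(pay)
	fmt.Println("tx-1 fee:", fee, "err:", err)

	// alice tries to spend the same output again, this time to carol.
	again := Tx{ID: "tx-2", Inputs: []Outpoint{{"coinbase-1", 0}}, Outputs: []Output{{"carol", 990}}}
	_, err = ledger.Apply(again)
	fmt.Println("tx-2 err:", err)

	fmt.Println("bob:", ledger.Balance("bob"), "carol:", ledger.Balance("carol"))
	// The ledger is final. Nothing here records whether bob shipped the bicycle.
}
```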

And this is where Satoshi’s idea that Bitcoin can have any effect on fraud at all falls apart: internet fraud has essentially nothing to do with the kind of transaction errors that Bitcoin can prevent. If you buy a bicycle from an online merchant with a credit card and don’t receive the product you were advertised, you can have your bank charge back the transaction; if you pay in Bitcoin, you’re screwed. And blockchain fundamentally cannot solve this issue: newer blockchains like Ethereum promise “smart contracts” that apply the blockchain to operations beyond just transactions, but this still runs straight into the brick wall of the real world problem.

Satoshi Didn’t Predict Venmo

Satoshi’s second core argument about why Bitcoin is necessary might come across as a little strange to an audience in 2021. In a financial system based on centralized authorities like banks, he says:

The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions

In 2007 it may have been true that it was difficult to make small, casual transactions, but that’s a situation that’s clearly changed. See this popular tweet as an example:

Venmo is actually really interesting to compare to Bitcoin, because they were created about the same time; the Bitcoin paper was published in 2007, and Venmo was launched in 2009. Both were a response to the pain points of online transactions at the time. But Venmo, a centralized platform, has clearly won with casual users. If you ask an average person what tool they’d use to make “small casual transactions”, they’re almost certainly going to tell you they’d use either cash, or Venmo, or a similar app.

Meanwhile, Bitcoin has not delivered at all on the promise of easy casual transactions. Bitcoin transaction fees are relatively high, and its throughput is pathetic compared to centralized systems. I’m less inclined to say this is an inherent problem with blockchain, because developers of other coins have a long list of solutions they want to try for this problem, but it’s very clear that Bitcoin itself has at least failed to deliver on this goal.

We clearly have the benefit of hindsight here: I don’t think Satoshi is stupid for not predicting the emergence of casual transaction apps like Venmo. It’s more that multiple responses emerged in response to the 2007 financial transaction status quo, and Bitcoin has clearly lost.

Is Bitcoin Actually Good?

The short answer is: no. Bitcoin did not succeed at its primary goals of reducing fraud or making online transactions cheap and easy. Neither it nor any other cryptocurrency will succeed at the significantly more deranged goal of displacing the dollar or destroying the federal reserve, or any other of the post-hoc purposes invented by some of the stupidest people on the planet.

But despite remaining wholly unconvinced about the virtues of Bitcoin, I really enjoyed reading Satoshi’s paper. It’s technically very smart – the blockchain really is an ingenious cryptographic system – and the arguments made in favor of Bitcoin in the paper are higher quality and less dogmatic than the vast majority of the dreck you see online today.

It also helps clarify some of the debate around other cryptocurrencies that have subsequently emerged. I came away more skeptical about Ethereum, which seems to mostly want to be a better Bitcoin without solving any of the problems that make it functionally unusable for anything besides price speculation, and more curious about Nano, which seems to at least take Bitcoin’s problems seriously.

In a similar vein, I found myself simultaneously less ideologically opposed to cryptocurrency after reading the paper and more aware of its practical downsides. Using crypto to destroy fiat currency only sounds like a good idea if Ron Paul 2012 turned your brain into mush, but easy, cheap and trustworthy transactions are clearly a worthwhile goal. It’s just that Bitcoin never got close to accomplishing either goal, never mind its immense environmental impact that I’ve mostly avoided talking about in this post because I think it’s been covered extremely well by other writers already.

Finally, it really was fun to read an accessible, interesting cryptography paper. The fact that blockchain and proof of work can guarantee the system will produce correct results with up to 50% of nodes in the system being compromised is a genuinely good insight, and I’m curious if it has potential implications for people who need to design zero-trust distributed systems. I don’t think that’s a generally applicable tool, but I am legitimately curious if the hype around cryptocurrencies has driven attention away from more interesting applications of the underlying technology.

So no, Bitcoin is not good, nor is it especially promising. But it is interesting, and I think crypto-skeptics have a lot to learn from reading this paper.