Is Bitcoin’s Proof of Work Useless Work?

Bob McElrath
May 11, 2016

Charlie Brummitt asked me an interesting question the other day: “can bitcoin mining be changed so that the computations could simultaneously be used for science (e.g., protein folding, SETI)?”

A common complaint about Bitcoin is that it uses a lot of energy, especially among people who first encounter it — including myself. But let’s keep things in perspective. At today’s BTC/USD price of $450, and the 25 BTC subsidy per block, and 1500 transactions per block, the amortized cost per transaction is about $3.33, even though the sender only pays about $0.03. This is a bit high compared to Mastercard/Visa transactions (2%-4%) or ATM fees (~$3.00), but not by much. Furthermore, work is afoot to improve Bitcoin’s scalability, including Bitcoin-NG, “weak blocks”, and replacing the blockchain with a Directed Acyclic Graph or “Braid”. I’ll save these interesting topics for a future BitDevs meetup and blog post. But suffice it to say that I don’t think a 100x-1000x improvement in throughput is unreasonable in the long term, and this increase in throughput does not require any corresponding increase in mining energy consumption.

The SolidX mining operation is for demonstration purposes only.

So back to Charlie’s question. Bitcoin mining could in principle use a different function, but in practice it’s very difficult to find an appropriate one. What is required is a computation that is expensive to perform but easy to verify. Bitcoin’s proof of work is basically brute-forcing a hash function, so it’s O(N) in the number of tries N required to find a suitable input, but O(1) to verify that the input results in the desired output. Furthermore, you need a function with a regular distribution of solutions (in time). For example, brute-forcing a hash function, assuming it’s a Random Oracle, is a geometrically distributed process (which is why the block confirmation time is never exactly 10 minutes; it’s only 10 minutes on average). Many problems with increasing difficulty, like Mersenne primes, would be unsuitable.
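The asymmetry and the geometric spread described above can be seen in a toy miner. This is an added example, not code from the original post: the header bytes, the 8-byte nonce encoding and the difficulty are constructed for illustration and are not Bitcoin's real header format; only the double SHA-256 matches Bitcoin.

```python
import hashlib
import statistics

def pow_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 of header||nonce, read as a 256-bit integer."""
    data = header + nonce.to_bytes(8, "little")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")

def verify(header: bytes, nonce: int, target: int) -> bool:
    """O(1): a single hash evaluation, however long the search took."""
    return pow_hash(header, nonce) < target

def mine(header: bytes, target: int) -> int:
    """O(N): try nonces in order until one hashes below the target."""
    nonce = 0
    while not verify(header, nonce, target):
        nonce += 1
    return nonce

def tries_per_block(blocks: int, bits: int) -> list:
    """Mine a chain of toy headers and return the tries each one needed."""
    target = 1 << (256 - bits)          # per-try success probability p = 2**-bits
    header = b"constructed genesis header"
    tries = []
    for _ in range(blocks):
        nonce = mine(header, target)
        tries.append(nonce + 1)
        # The next toy header commits to this block's solution.
        header = hashlib.sha256(header + nonce.to_bytes(8, "little")).digest()
    return tries

if __name__ == "__main__":
    bits = 10
    t = tries_per_block(300, bits)
    # For a geometric process the mean is 1/p and the spread is about as large.
    print(f"expected mean tries 1/p = {2 ** bits}")
    print(f"observed mean = {statistics.mean(t):.0f}, stdev = {statistics.pstdev(t):.0f}")
    print(f"fastest block: {min(t)} tries, slowest block: {max(t)} tries")
```

The spread between the fastest and slowest block is the same effect that makes real block intervals scatter widely around their 10-minute average.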

Most any process involving data processing (SETI) is right out because you’ve got a huge problem in distributing the data to be analyzed and ensuring that everyone has an uncorrupted copy in order to verify the results. Problems with no input are good candidates (e.g. primes, optimal Golomb rulers, etc). In fact there does exist Primecoin.

There are a couple of other problems though. Bitcoin’s consensus is decided by majority of miners. If there exists computing power out there equivalent to that of the network, and that computing power can be reallocated to mine the coin (an “external majority”), then someone who can control that computing power can take over the network and reverse transactions, double spend, and otherwise wreak havoc with the transaction ledger. This “external majority” will always exist if the mining computation can be done with general purpose CPUs or GPUs. In Bitcoin’s early days, compromised websites, viruses, and browsers (JavaScript) were all used to mine Bitcoin. Now you have to buy a special purpose ASIC chip to do it, which I think increases the security somewhat because the chances of someone controlling >50% of the mining are (probably) lower. This is an excellent case for open source hardware, to mitigate the possibility that a single manufacturer could gain a monopoly and therefore produce more than 50% of mining chips. There does exist an open source FPGA miner, but AFAIK there is no open source VHDL for a Bitcoin ASIC. The community would certainly benefit if there were. If I were to start a new crypto-currency from scratch today, I’d do it with an open-source ASIC design and distribute the first batch of chips as widely as possible, hopefully requiring one to run a full node. The actual algorithm doesn’t matter very much, but a wide distribution of mining hardware matters a lot to the security of the chain. Miner centralization is a persistent and continuing concern among the Bitcoin community.

People new to Bitcoin often complain about the energy “wasted” by Bitcoin mining. But it’s a fact that if viruses and trojans can perform a computation to make money (whether that’s cracking passwords or mining Bitcoin), nefarious people will do it. So the energy used by Bitcoin is not so much wasted as it is a hedge against the energy expenditure capabilities of the criminal element (as are Bitcoin’s transaction fees). Numerous alternative crypto-currencies have been proposed that try to eschew mining, but they all have the property that there exists a computation one can perform (often called “grinding”) to nefariously transfer yourself more coins. If Bitcoin mining had a second “useful” purpose, this would simply reduce the security of the mined chain, from an economic perspective, since miners could in principle sell the “useful” output as well as the Bitcoin. Thus the value of Bitcoin relative to the amount of resources consumed goes down. Nefarious people could use selling this “useful” output as a hedge against failure of their attack.

I like to think of Bitcoin’s proof-of-work as a random number generator. It randomly selects the next node to produce a block in a cryptographically indisputable manner, in an adversarial environment. You can imagine other methods of selecting the next node to produce a block, e.g. a commit-reveal-hash algorithm like that used by a number of alternative crypto-currencies including Bitshares Delegated Proof-of-Stake. Unfortunately all algorithms I’m aware of only work with a fixed number of nodes. If you allow nodes to come and go (as Bitcoin does) you open the possibility for someone to “grind” and improve their chances of being the next block producer. In an adversarial distributed system (aka Byzantine Fault Tolerance), you must expect that nodes will come and go. I challenge you to come up with an algorithm that is provably random, cannot be “ground”, and can tolerate a fluctuating number of participants. I suspect one can prove that no such algorithm exists. Either result would be very interesting.
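Why a fixed node set matters can be shown with a toy model. This is an added example, not from the original post and not the algorithm of Bitshares or any real coin: the hash-lottery rule, the node ids and the round seeds are all hypothetical and constructed. It compares a participant whose identity is fixed before the round seed is known with one who may choose its identity afterwards.

```python
import hashlib

def ticket(seed: bytes, node_id: bytes) -> int:
    """Lottery ticket: H(seed || id) as an integer; the lowest ticket wins."""
    return int.from_bytes(hashlib.sha256(seed + node_id).digest(), "big")

def leader(seed: bytes, members: list) -> bytes:
    """Hypothetical selection rule: the member with the lowest ticket leads."""
    return min(members, key=lambda m: ticket(seed, m))

def grind_identity(seed: bytes, members: list, budget: int):
    """Joiner that picks its id AFTER the seed is public: try ids until one wins."""
    best = ticket(seed, leader(seed, members))
    for i in range(budget):
        candidate = b"late-joiner-%d" % i
        if ticket(seed, candidate) < best:
            return candidate
    return None

def win_rates(n_members: int, rounds: int, budget: int):
    """Return (win rate of an id fixed before the seed, win rate of a ground id)."""
    members = [b"node-%d" % i for i in range(n_members)]    # constructed ids
    fixed_wins = ground_wins = 0
    for r in range(rounds):
        seed = hashlib.sha256(b"constructed round %d" % r).digest()
        # Case 1: membership closed before the seed is known.
        if leader(seed, members + [b"committed-joiner"]) == b"committed-joiner":
            fixed_wins += 1
        # Case 2: membership open, identity chosen with the seed in hand.
        ground = grind_identity(seed, members, budget)
        if ground is not None and leader(seed, members + [ground]) == ground:
            ground_wins += 1
    return fixed_wins / rounds, ground_wins / rounds

if __name__ == "__main__":
    fixed, ground = win_rates(n_members=9, rounds=300, budget=500)
    print(f"id committed before the seed: wins {fixed:.1%} (fair share is 10%)")
    print(f"id chosen after the seed:     wins {ground:.1%}")
```

In this model the lottery is fair only while every identity is bound before the seed exists, which is the fixed-membership condition the paragraph above describes.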

So it seems we’re stuck. Either we expend resources to secure our finances, or criminals will expend resources to steal from us. As long as most participants are honest, the honest majority can muster more resources than the criminals and keep them at bay. So don’t be so concerned about Bitcoin’s energy usage. I’m confident that we will improve Bitcoin’s transaction rate by many orders of magnitude, and the economics of mining will not cause the energy expenditure to scale with the number of transactions. A few years from now, the amortized cost (including the block reward subsidy) for transactions will be pennies per transaction, and the world of traditional finance will struggle to compete with it.


SolidX Partners provides consulting and strategy solutions to organizations seeking to learn about blockchain and implementation solutions. The firm also provides blockchain-based software solutions relating to the indelible recording of records, transfer of assets, and identity. For more information, please visit www.sldx.com or email the team at info@sldx.com.

Written by Bob McElrath

Reverse-engineering the universe and remaking money. Ph.D. Theoretical Physics; Bitcoin hacker; SolidX CTO
