The Bitcoin ecosystem today finds itself at a crossroads where the line between science and dogma is increasingly blurry. Fanatics are resorting to twisted interpretations of Bitcoin’s “holy scriptures” in an attempt to advance their political agendas.
“Satoshi’s original vision” and other religious slants are shamelessly promoted to confuse users about the workings of the system. Mischaracterizations of its technical blueprints are used to promote the notion that Proof-Of-Work timestamping, Bitcoin’s solution to the double-spending problem, was intended as the governance mechanism of the protocol.
While the idea that a 51% hashing majority should decide on changes to the rules of a consensus-based system is dubious on its face, the claim is worth exploring if only to figure out where the confusion lies. As always, it is helpful to dig into the archives and examine how the technical idea of using distributed timestamp servers to secure the history of a replicated ledger emerged and how we arrived at Satoshi’s implementation.
Distributed resiliency & Byzantine generals
A natural corollary is if that there exists a security protocol that can eliminate or greatly reduce the costs of a TTP (trusted third-party), then it pays greatly to implement it rather than one which assumes a costly TTP. Even if the latter security protocol is simpler and much more computationally efficient. — Trusted Third Parties Are Security Holes, Szabo, 2001
In 1998, in the wake of the failure of DigiCash, two cryptographers independently began exploring a new approach to digital cash, one that imagined an entirely new monetary system rather than attempting to fix existing ones.
In both cases, their motivation was to eliminate reliance on trusted third parties so as to free money from unilateral control by state actors and eliminate central points of failure.
Anyone can create money by broadcasting the solution to a previously unsolved computational problem. The only conditions are that it must be easy to determine how much computing effort it took to solve the problem and the solution must otherwise have no value, either practical or intellectual. — B-money, Wei Dai, 1998
Wei Dai’s b-money announced a departure from early digital cash implementations by introducing the idea of a publicly shared global ledger. The accounts of ownership are maintained in a distributed way by all participants in the system rather than a centralized server previously known as the mint. Privacy is preserved through the use of pseudonymous identities.
The paper also proposes a Proof-Of-Work-like scheme to attempt to solve the issue of money creation. Interestingly, in an email to the cypherpunks mailing list, cryptographer Adam Back followed up on the proposal and suggested his earlier hashcash invention as “a candidate function for Wei’s decentralised minting idea.” Although it paved the way for a new generation of distributed cryptocurrencies, b-money was never implemented and seemed plagued by the cynicism surrounding these submissions at the time.
Coincidentally, Nick Szabo was privately coming up with a similar system which he would eventually coin “Bit gold”. He would later outline the idea in a blog post and refine some of the concepts explored by Wei Dai. Notably, he highlighted the importance of timestamping the proof-of-work function:
Thus, it might be possible to be a very low cost producer (by several orders of magnitude) and swamp the market with bit gold. However, since bit gold is timestamped, the time created as well as the mathematical difficulty of the work can be automatically proven. From this, it can usually be inferred what the cost of producing during that time period was. — Bit gold, Szabo, 2005
Additionally, Szabo re-emphasizes the importance of distributing both the ledger of accounts and the timestamping service across different “servers” to avoid the security holes of trusted third-parties.
The main limits to the security of the scheme are how well trust can be distributed — Bit gold, Szabo, 2005
In both proposals, the balance of power between the stakeholders of the protocol is a recurring theme. Wei Dai specifically mentions that to the extent only a subset of participants should be responsible for maintaining the ledger, users should be able to verify their own account balance and check the sum of them against the total amount of money created.
This prevents the servers, even in total collusion, from permanently and costlessly expanding the money supply — B-money, Wei Dai, 1998
In parallel to his work on Bit gold, Nick Szabo had been investigating the progress in distributed system technologies for years and would eventually formalize his observations in his paper Secure Property Titles with Owner Authority. There he underlines the social context of trust-based systems designed to uphold property rights. Using “replicated database technology” as a foundation, he introduces a framework where the boundaries of trust between “property club” members are carefully laid out so that everyone can “securely agree on who owns what.”
Crucial to this framework is the Byzantine-tolerant quorum system, a probabilistic approach to replicated database security involving threshold “votes” across protocol participants. This method has the purpose of solving the double-spending problem and minimizing censorship, but Szabo specifically warns on two occasions against confusing it with a governance mechanism:
The voting is necessary not due to a democratic political ideology but because it is the optimal result in analysis of distributed databases with malicious attackers. Users of the titles (relying parties) who wish to maintain correct titles can securely verify for themselves which splinter group has correctly followed the rules and switch to the correct group.
Note that the key security feature of the club is not the voting, but a set of objective, often automated, rules and an unforgeable audit trail that allows both club members and relying parties to check whether each vote followed the rules. — Secure Property Titles with Owner Authority, Szabo, 2005
Much like b-money, Bit gold would remain confined to the annals of cryptography and the scheme would see no software implementation. We can safely assume though that someone somewhere was paying attention to these developments and would eventually be motivated enough to put it all together and achieve one of the cypherpunks’ ultimate goals.
Solving the Nakamoto puzzle
A decade following Dai’s original proposal, Satoshi Nakamoto released the Bitcoin whitepaper to the world. Whether or not Nakamoto arrived at this design on his own is up for debate, but he remarkably succeeded in putting together every technological insight acquired before him in a way only the greatest inventors can.
The paper introduces a novel solution to the Byzantine Generals Problem by combining the concepts of signature thresholds inspired by quorum systems and the proof-of-work challenge required to introduce scarcity. The result has been referred to in Back et al.’s sidechains whitepaper as a dynamic membership multi-party signature (or DMMS).
In order to solve the double-spend problem, miners form an unidentifiable and unbounded set of signatories who use their vote to timestamp transactions into blocks and, in doing so, are rewarded with the opportunity to mint new coins and rake in transaction fees. Rather than relying on the knowledge of a private key associated with a signature, they exercise this vote by providing a proof-of-work derived from a hashing function.
Each vote is weighted in proportion to the amount of computational resources individual miners provide. The cumulative resources expended by miners on every block of transactions provide probabilistic guarantees about the consistency of the global ledger’s shared history.
Because the miners do not form an identifiable set, they cannot have discretion over the rules determining transaction validity. Therefore, Bitcoin’s rules must be determined at the start of its history, and new valid transaction forms cannot be added except with the agreement of every network participant. — Enabling Blockchain Innovations with Pegged Sidechains, Back et al., 2014
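The two mechanics described above, a vote cast by presenting a hash-based proof-of-work and chain selection by cumulative work rather than by block count, can be shown in a toy model. The code below is an added example written for this article; it is not Bitcoin’s code and not taken from any of the papers cited. The block layout, the `MIN_BITS` floor, the `build_chain` helper and the use of leading zero bits as the difficulty measure are all simplifications assumed here; real difficulty is fixed by consensus rather than declared per block, and work is credited only for the difficulty a block actually proves.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PREV = bytes(32)   # constructed: parent hash of the first block
MIN_BITS = 8               # constructed: lowest difficulty a validating node accepts


@dataclass(frozen=True)
class Block:
    prev_hash: bytes   # hash of the parent block; chains blocks into a timestamped history
    payload: bytes     # stand-in for the block's transactions
    bits: int          # difficulty: required number of leading zero bits in the hash
    nonce: int         # the value a miner varies until the hash meets the target


def block_hash(block: Block) -> bytes:
    """Double SHA-256 over the serialized header, as a stand-in for a block id."""
    header = block.prev_hash + block.payload + struct.pack("<II", block.bits, block.nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    return 256 - int.from_bytes(digest, "big").bit_length()


def meets_target(block: Block) -> bool:
    """The proof-of-work check: anyone can verify it with a single hash."""
    return leading_zero_bits(block_hash(block)) >= block.bits


def mine(prev_hash: bytes, payload: bytes, bits: int) -> Block:
    """Brute-force a nonce; expected attempts grow as 2**bits."""
    nonce = 0
    while True:
        candidate = Block(prev_hash, payload, bits, nonce)
        if meets_target(candidate):
            return candidate
        nonce += 1


def work(block: Block) -> int:
    """Work credited to a block: the expected number of hashes needed to find it."""
    return 1 << block.bits


def valid_chain(chain: List[Block]) -> bool:
    """A node re-validates every block; no miner identity is involved."""
    prev = GENESIS_PREV
    for block in chain:
        if block.bits < MIN_BITS or block.prev_hash != prev or not meets_target(block):
            return False
        prev = block_hash(block)
    return True


def total_work(chain: List[Block]) -> int:
    return sum(work(b) for b in chain)


def select_chain(candidates: List[List[Block]]) -> Optional[List[Block]]:
    """Follow the valid chain with the most cumulative work, not the longest one."""
    valid = [c for c in candidates if valid_chain(c)]
    return max(valid, key=total_work) if valid else None


def build_chain(tag: bytes, length: int, bits: int) -> List[Block]:
    """Mine `length` blocks in sequence on top of genesis (constructed payloads)."""
    chain, prev = [], GENESIS_PREV
    for i in range(length):
        block = mine(prev, tag + bytes([i]), bits)
        chain.append(block)
        prev = block_hash(block)
    return chain


if __name__ == "__main__":
    longer = build_chain(b"long", 3, 10)    # three blocks, 2**10 work each
    heavier = build_chain(b"heavy", 2, 12)  # two blocks, 2**12 work each
    chosen = select_chain([longer, heavier])
    print("longer chain work:", total_work(longer))
    print("heavier chain work:", total_work(heavier))
    print("selected:", "heavier" if chosen is heavier else "longer")
```

Running it shows the three-block chain losing to the two-block chain, because 2 × 2^12 exceeds 3 × 2^10: the vote is weighted by hashes spent, not by the number of blocks. Tampering with any block’s payload breaks both its own proof and the `prev_hash` link of its child, so every validating node rejects the altered chain without needing to know who mined it.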
This “consensus mechanism” is presented as a technical solution to the shortcomings of identity-based alternatives such as quorum systems. Nakamoto proposes a peer-to-peer system designed to “enforce” rules. It’s worth noting that the latter are never specified in the paper aside from the explicit objective of solving the double-spend problem. Neither are the terms of a potential protocol upgrade addressed.
As Nick Szabo observed early on, the implementation of Byzantine-resilient timestamping falls out of the scope of the constitutional arrangements agreed upon by all of the protocol users. Above all else, the integrity of the ledger is ultimately preserved by the ability for all of its participants to independently validate “whether each vote followed the rules.”
Bitcoin is the first manifestation of a distributed cryptocurrency network with real value behind it. Accordingly, we have to live with the ever-increasing complexity of the system and the fluctuating dynamics that come with it. It should be expected that as the number of users of the system increases, interests start to diverge or compete and coordination becomes progressively more difficult.
In an effort to drive development of the protocol forward, we have historically designed different methods to cope with this issue. BIP 9 was one of those, and one might argue that it is now revealing itself as an accidental misstep. While it provided a handy method to securely accelerate the introduction of upgrades for all users to benefit from, it also had the unintended consequence of aggravating confusion over the responsibilities of miners.
With the help of a few power-hungry activists, this notion has played out to its unfortunate, if not expected, conclusion: a handful of mining pool operators are now assuming the role of guardians of protocol development. They are claiming a veto that will be wielded and misused as long as software upgrades are conditional on BIP 9 activation.
As such, soft fork rules are actually always enforced by the nodes, not the miners. Miners of course can opt out by simply not including transactions that use the new soft fork feature, but they cannot produce blocks that are invalid to the soft fork. The P2SH soft fork is a good example of this, where non-upgraded miners would see P2SH as spendable without a signature and consider them valid. If such a transaction were to be included in a block, the block would be invalid and the miner would lose the block reward and fees. — Moving towards user activated soft fork activation, Shaolinfry, 2017
Considering this impasse, it is only right that Bitcoin users start exploring a new path forward. A proposal popularized under the acronym UASF (User Activated Soft Fork) promises to re-establish the balance of power between ecosystem participants. Inspired by basic principles of economic incentives and voluntary user upgrades, UASF underscores the important notion that any rule change, soft or hard, is ultimately enforced by network peers and the economy behind them. This concept is actually nothing new and is how the P2SH soft fork (BIP 16) was implemented. The more recent BIP 8 is an attempt to generalize this upgrade method.
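The P2SH case quoted above, and the general claim that a soft fork is enforced by validating nodes rather than by miners, can be made concrete with a small model. This is an added example for this article, not Bitcoin’s validation code: it reduces P2SH to a single hash check, treats the soft fork flag as something each node sets for itself, and ignores signatures, fees and everything else about real transactions. The `Output`, `Spend`, `evaluate_block` and `miner_paid` names are assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Output:
    kind: str             # "p2sh" (pay-to-script-hash style) or "plain"
    script_hash: bytes = b""


@dataclass(frozen=True)
class Spend:
    output: Output
    redeem_script: bytes = b""   # what the spender reveals to unlock the output


def spend_valid(spend: Spend, soft_fork_active: bool) -> bool:
    """Validity under the rules a given node enforces.

    Legacy nodes see p2sh-style outputs as spendable by anyone.
    Nodes enforcing the soft fork additionally require the revealed
    script to hash to the committed script hash (a simplification of P2SH).
    """
    if spend.output.kind != "p2sh":
        return True                     # plain outputs carry no condition in this model
    if not soft_fork_active:
        return True                     # old rule: anyone-can-spend
    return hashlib.sha256(spend.redeem_script).digest() == spend.output.script_hash


def block_valid(spends: List[Spend], soft_fork_active: bool) -> bool:
    return all(spend_valid(s, soft_fork_active) for s in spends)


def evaluate_block(spends: List[Spend]) -> Dict[str, bool]:
    """How a legacy node and an enforcing node each judge the same block."""
    return {
        "legacy": block_valid(spends, soft_fork_active=False),
        "enforcing": block_valid(spends, soft_fork_active=True),
    }


def miner_paid(spends: List[Spend], enforcing_nodes_dominate: bool) -> bool:
    """Whether the block's reward survives on the chain the economy follows.

    If the nodes that matter to the miner enforce the soft fork, a block
    containing a spend invalid under the new rules is orphaned with its reward.
    """
    verdict = evaluate_block(spends)
    return verdict["enforcing"] if enforcing_nodes_dominate else verdict["legacy"]


def soft_fork_only_tightens(spends: List[Spend]) -> bool:
    """A soft fork never makes a previously invalid spend valid."""
    return all(spend_valid(s, False) for s in spends if spend_valid(s, True))


# constructed sample data
SCRIPT = b"constructed redeem script"
LOCKED = Output("p2sh", hashlib.sha256(SCRIPT).digest())
PROPER = Spend(LOCKED, SCRIPT)            # reveals the right script
THEFT = Spend(LOCKED, b"")                # a non-upgraded miner would accept this
PLAIN = Spend(Output("plain"))

if __name__ == "__main__":
    print("well-formed block:", evaluate_block([PROPER, PLAIN]))
    print("block with bare p2sh spend:", evaluate_block([THEFT, PLAIN]))
    print("paid when users enforce:", miner_paid([THEFT, PLAIN], True))
```

The second printed line is the situation Shaolinfry describes: the legacy node reports the block as valid and the enforcing node rejects it, so a miner who has not upgraded can still lose the block’s reward if the nodes the economy runs have activated the rule. `soft_fork_only_tightens` captures why this works as a soft fork at all: every spend acceptable to an upgraded node is also acceptable to a legacy one, so upgraded users never split away from the old rules, they only stop accepting blocks that break the new ones.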
It remains to be seen whether the system’s incentives are enough for conspiring actors to avoid standing in the way of protocol improvements. While one would hope that communication alone could solve this problem, previous attempts have been mired in controversy and too many bridges might have been burned already. If miners won’t align themselves behind the users’ interests, then the latter have a responsibility to stand up to them by enforcing rules so that obstructive miners are no longer rewarded for their work. UASF gives them that chance.