Cryptographic Currency

CS 463/480 Lecture, Dr. Lawlor

What do you want out of money?

Everbody wants a currency anyone will accept for anything.
Everybody wants low transaction costs.
Savers want a stable, predictable store of value.
Society wants money to have a slight positive inflation rate, to incentivize people to make investments (keeping the money active) rather than just stuffing the money into a mattress (where it doesn't do anybody else any good).
Traders want volatile value, so they can make big money trades.

If you're a buyer, you want...	If you're a seller, you want...	If you're a criminal, you want...
Anonymity, so nobody can track your purchases.	Tracking, so you can find your customers and sell to them again.	Anonymity, so nobody can bust you.
Refunds to be easy, so sellers can't give you shoddy goods.	Refunds to be hard, but possible, to keep your buyers happy.	No refunds, so you can make a clean getaway.

Currently, cash works reasonably OK for buyers and criminals, but it's way too easy to counterfeit, handling lots of cash is expensive for sellers, and doesn't give sellers the ability to track buyers. The biggest weakness of cash is physical theft--muggers, sales clerks dipping into the till, bank robbers, seizure by law enforcement, etc.

Credit or debit cards have a high 1-3% transaction cost, nominally paid by the seller, but the seller then gets the buyer's name and address, and nobody has to carry cash, which is good for everybody except criminals. These transactions allow refunds to be initiated by either party ("chargebacks"), which is good for everybody except criminals. Sadly, it's still ridiculously easy to steal credit card numbers, since they're not only printed in large friendly letters on the front of the card, they are vulnerable during processing. There are security standards for protecting these numbers, called Payment Card Industry (PCI) compliance, but this is a nearly hopeless perimeter all the way from the point of sale to the issuing bank. (It's slightly better for chip-and-pin, since the secret never leaves the chip inside the card, although because the card has no display, there's no way for the purchaser to really verify what exactly they're purchasing: a coke downtown, or a Macbook in Romania?)

The original electronic currency is the Automated Clearing House (ACH) network used by US banks for processing direct deposit and direct payment, and the Society for Worldwide Interbank Financial Telecommunication (SWIFT) used for international bank transfers. Banks also transfer lots of money between themselves using nostro and vostro accounts. These bank-built networks rely entirely on perimeter security: since only banks exist inside the network, any bank can see and create transactions. A security failure at the Bangladesh Central Bank in 2016 allowed unknown attackers to both steal and transfer tens of millions of dollars around the world. Many big banks recently formed a consortium, R3, to examine how to use cryptocurrency ideas to make bank-to-bank transfers more secure.

Enter cryptocurrencies! The basic idea is a "sender signs" rule: anybody can post a public key that allows them to receive cash. To send cash, you sign a transaction with your private key, and the receiver can then post the transaction to a public ledger--in theory this ledger could be some trusted centralized organization (eg, PayPal, Google, Apple), but in practice you'd worry the central organization would post fake transactions stealing all your money.

A blockchain uses a peer-to-peer public ledger, so it works without any trusted central authority. Unlike with wikipedia, the ledger is designed to be append-only, via the "mining" process described below. Unlike with credit cards, you never reveal your private key, so there is nothing crossing the network to steal. Typically the public key is not associated with your real identity in any way, so buyers (and criminals) get the anonymity they want. The cryptocurrency transaction has no way to force a refund of a transaction, which means processing fees are low because no humans need to make a judgement call about whether the buyer or seller is correct, but it also means stolen cryptocurrency is truly gone.

Blockchain gets used for a variety of wacky things, including:

Bitcoin-style public ledger (recent readable Bitcoin summary)
Ethereum smart(?) contracts, where miners run bytecode contracts on the blockchain

E.g., the DAO, CryptoKitties

Since everybody replicates everything on the blockchain, it's a shockingly inefficient system. Probably if you can trust somebody, a permissioned ledger (like Ripple's XRP) is a better design, allowing much higher throughput, but you do need to both trust and verify, which means spending money on auditors and internal controls.

Technology of BitCoin

It's actually pretty simple:

A "transaction" is moving some money between one address and another.
An "address" is an ECDSA public key. The corresponding private key, which you keep secret, is used to authorize transactions by digitally signing them. The public key acts as the address's public name. There is no connection between an address and a legal identity; one person could have any number of addresses, and it's not possible to look at a transaction and be able to tell the difference between somebody rearranging their own accounts, and a major transaction between two people. An address never has negative balance--transactions that move out more money than are in the address ("double spend") are not valid. For example, the very old address 1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF has a balance of 79,957BTC (currently about half a billion dollars).
A "wallet" is just a list of addresses and their corresponding private keys. Old style wallets were just files with 100 spare keys for future use in the "key pool", so you can back up the wallet, make some transactions, and still manage to recover. New style "deterministic wallets" are just a pseudorandom generator seed, so you won't lose your private keys even if you're over 100 transactions beyond your last backup.
A "block" is a list of recent valid transactions, collected in a peer-to-peer fashion. The "blockchain" is a hash-linked list of all the blocks so far. If you receive money, you have an incentive to make sure everybody knows about the transaction, by getting it included in the blockchain.
"Mining" is collecting transactions and verifying the next block in the blockchain, which is key to keeping the entire ecosystem running. About every 10 minutes, somebody finds a block + nonce that has a SHA-256 hash with "enough" leading zeros, where "enough" keeps getting adjusted so they get found every 10 minutes. Currently the difficulty is set to need about *72* leading binary zeros, which takes thousands of trillions of tries to find (current hashrate is about 10^19 hashes/second). The big incentive to do this is you're allowed to add a transaction moving all the transaction fees plus a reward of 12.5 bitcoins (about $125,000) into your wallet at the end of the verified block! The mining process is what makes a transaction "final", because faking the transaction would require expending computation effort equivalent to the whole network's mining rate.
Each transaction also includes a small "fee" (typically a fraction of a milli-bitcoin) so the miners have an incentive to process it. Total fees are currently at around 100 bitcoins per block.

There are several good writeups of the technical details, such as "Bitcoins the hard way", which uses the address 1KKKK6N21XKo48zWKuQKXdvSsCf95ibHFa. The original paper by "Satoshi Nakamoto" from 2008 is quite readable.

The surprising things about it are:

There is no central bank, and no central trusted authority. Anyone can 'mine' to verify transactions--they'll even pay you coins to do this. This means counterfeiting is not really possible--you need to say where the money in your wallet came from for the transaction to be valid. In particular, officially sanctioned inflation like the 1933 Gold Executive Order, or today's quantitative easing, is theoretically impossible. (Granted, the government could just ban BitCoin and require people to use GovCoin, possibly at some exchange rate.)

By design, BitCoin's overall behavior is similar to the gold standard. Whether this is a bug or a feature depends on your point of view.

The total value of the BitCoins issued, times the current BitCoin/dollar rate, is about $200 billion dollars. This makes it big enough to be interesting to investment banks like Goldman Sachs. The total value of the US dollar is something like $10T, so BitCoin is a fairly minor currency.

Value of BitCoin

One problem with BitCoin is nobody knows what the value should be--is a pizza 10,000 BTC or 0.001 BTC? At some point both of these have been true. BitCoins, like gold or land, are indeed somewhat scarce ("Buy land! They're not making it any more."), but this is a poor argument for value--any pebble is utterly unique, but valueless.

The US dollar to bitcoin conversion rate has been quite volatile, with single-day drops exceeding 50 percent.

Value stability can be a problem with any currency, where there are two macroeconomic error conditions:

Inflation: value of the currency drops. Slight inflation is usually considered beneficial, since it acts like a tax on currency doing nothing (not invested in productive activity). Extreme inflation, "hyperinflation", first destroys savings and then destroys commerce, and is basically always caused by the supply side, where the government keeps printing money, usually to inflate away government debt.
Deflation: value of the currency rises. Deflation is easy for the government to fight if they can just print more money. If they can't, such as due to the gold standard, there's a serious problem with debt--deflation makes it harder for borrowers to repay with the more valuable currency. If borrowers can't repay, lenders won't lend and the economy seizes up.

Morality

The other huge problem with alternative payment services is they tend to get used for thing you can't do on legitimate services--for example, illegal transactions like money laundering or drug transactions. This means what looks like a technical issue, preserving anonymity in transactions, turns into a very controversial social and very thorny moral issue.

For example, the $1m/month online illegal drug marketplace Silk Road used BitCoin as its payment service, despite denominating prices in US dollars. Dealers and buyers still get busted, but it's during delivery, or because they didn't hide their IP address sufficiently, not via the payment service.

Morality of Drug Laws

In 2010 a doctor of neuropsychopharmacology in the UK led a workshop of experts to quantify the harms from a set of drugs, resulting in this surprising chart:

Nutt et al study of
drug harms, chart by type of harm

The first author of the study, David Nutt, was fired from his position on a UK government research council due to disagreements about this approach.

I personally am not sure what the lack of correlation between harm and legality implies--should we ban the manufacture, possession, and distribution of alcohol too? Legalize everything to the right of some trade-off point? Reboot our approach to drug addiction entirely? How? Unfortunately, there are no easy answers, only complex and historically dependent trade-offs.

One lesson here is you can't ignore the second-order and third-order effects of your choices. The designer of BitCoin chose to make transactions anonymous, which has fairly straightforward implications for a very touchy subject that could result in BitCoin being demonized and banned.