What is multisig security?

Since the Bitfinex hack we’ve been hearing the term “multisig security” thrown around as if it were supposed to be some sort of talisman that wards off the evil eye of bitcoin theft. So it’s time we took a look at how it works, so that maybe when we find out how the hack happened, we’ll understand (maybe).

by Kimson Doan for Unsplash - multisig
by Kimson Doan for Unsplash

A multisig transaction, as its name implies, requires several valid signatures for it to be accepted. Traditional, simple transactions involve me sending bitcoin to another address and signing with my private key. But what if my computer was hacked and my private key was copied? Then the hacker could create a transaction with my bitcoins and sign with my private key. How can I protect my funds against that happening?

I could establish a rule that more than one signature is necessary for a transaction. Instead of just one private key, my public address could have two private keys, one held by me and one held by a trusted third party. For the transaction to go through, it has to be signed by both private keys. That way, if someone does get hold of my private key and tries to send him- or herself my bitcoins with that signature, it won’t go through unless the second signature (with the second private key) is also applied. It’s a bit like the rule in some banks that two signatures are required for withdrawals. It puts a “check” in place, and makes it much, much harder for a thief to get at my account.

That sounds simple enough, but how do I know the third party won’t disappear or go offline? And what if I don’t want to give a third party that much access to what I do with my bitcoins? Isn’t one of the cryptocurrency’s main advantages independence and anonymity? Multisig transactions can be set up to be 2-of-3. Instead an address having two private keys, it has three. Two are held by me (one easy to access, the other in cold storage, for example), and one by the third party. Normally myself and the third party would sign. But if the third party refuses or can’t for whatever reason, and I really want to enable the transaction anyway, I can dig up my other key and commit the second signature with that.

Another potential application is that of e-commerce trust. What if I bought something with bitcoin, sent the transaction, signed it with my private key and then never received the merchandise? I can ask for my money back, but it’s unlikely I’ll get it. To make both myself and the vendor more comfortable, I could send the payment to an escrow account with multisig security, for which myself, the vendor and a trusted third party hold the private keys. The vendor sees I have done this, and releases the goods. When I receive the goods, I create the payment transaction, instruct the third party to add his or her signature, and everyone is happy. If I refuse to pay, the vendor could try to convince the third party that I am behaving badly. If the third party believes that the vendor should be paid, he or she and the vendor sign the payment transaction. Presumably I’m not happy, but at least the vendor isn’t out of pocket.

Although the term “multisig transaction” is often used, it’s actually the address that is multisig. Any movement of funds from that address needs to be co-signed. The address can be a one-time public key created for a specific transaction (in which case “multisig transaction” and “multisig address” are interchangeable). Or it can be a multisig wallet, from which all transactions require more than one signature. Most multisig wallets are HD (hierarchical deterministic), which means that a sequence of addresses can be generated from a “seed”. These addresses can be re-generated at any time from that seed, but it is impossible to determine the seed from one of the addresses. Each address generated in this way can in turn generate a series of corresponding private keys. This increases security even further, by allowing each transaction from a wallet to use a different address.

The most common configuration for co-signing is 2-of-3, in which three private keys are issued for an address, and any two of them are enough to authorize the transaction. But the combination could be anything: 5-of-7, 2-of-2, 6-of-10… And the multisig feature does not always have to involve a trusted third party. It could be your partner if you have a shared account. It could be you, your Treasurer and your COO for a company address. Or you could hold both keys, but on separate computers (or one online, one offline), to reduce the possibility of a hacker getting hold of both of them.

Multisig functionality was not part of the original bitcoin platform. It was added in BIP 11 (the first standard Bitcoin Improvement Proposal) in late 2011, but did not start to be widely used until 2014, as commercial services started to make it easier to configure. At the beginning of 2014, only 0.02% of all bitcoins were multisig protected. Today the figure is up to almost 12%. (Note the big slump end-July/beginning-August – yup, that’s the Bitfinex hack, the graph shows a significant amount of bitcoins being transferred out of multisig accounts).

from p2sh.info - multisig
from p2sh.info

The first multisig wallet was commercialized by BitGo in August 2013, and had the added feature of two-factor authentication. The BitGo server would send a one-time code to the user’s phone. If the user used the correct private key and accurately typed the code into the interface, then BitGo would use its private key to countersign the transaction. In 2014 it added the HD functionality. Since then, Armory, CryptoCorpBitPay, Circle, Coinbase, Xapo, Electrum, Ciphrex and other bitcoin services have implemented multisig protection, and several large exchanges (Kraken, Bitstamp, Bitfinex, Tera Exchange) have incorporated the functionality through collaborations.

There is no universal configuration format – each business case has different requirements, and each collaboration shares different priorities. Armory, for instance, introduced fully decentralized multisig functionality in July 2014, in which the user generates as many private keys as he or she wishes (up to 7), and can distribute and protect them separately. There is no “trusted third party” unless the user specifically designates one. As a digital custodian, Circle controls all the keys, in physical isolation, for the multisig security it uses to protect the bitcoins it holds for others. Xapo Vaults require 3-of-5 signatures from different cold storage vaults around the world.

In the bitcoin lifespan, multisig transactions are old news. They have been possible for 2/3 of bitcoin’s history (BIP11 was accepted in December 2011). But even now, they are not very widely used. Why? I suspect that it’s largely because of added complications. We’re lazy, and until we have a scare, we don’t see the point of implementing extra security measures. The recent Bitfinex hack could be enough to jolt us out of complacency, and send us searching for a safer option for our wallets. And wallet service providers will most likely continue to iterate and improve on their interfaces and their security. So multisig will increasingly become a relatively easy option, and who knows, perhaps even ending up as the default.

But the fact remains that multisig, as we have seen over the past week, is not as safe as we were led to believe. Once we know more about how the hacker managed to compromise two private keys, we’ll be able to draw conclusions about multisig’s reliability and needed updates.

Some potential weaknesses of multisig technology that come to mind:

  • In many cases, the third party signing is automated, and flags are only raised in certain circumstances (large amounts, sudden high volume of transfers, etc.). It would be theoretically possible for a thief to siphon off bitcoins without raising any flags.
  • Insider collusion. A hacker happens to work for a multisig wallet provider. He or she gets hold of the user’s private key, and then double-signs with the wallet’s key, diverting funds to his or her own account. Or, a hacker could be working in collusion with an insider. Or, a government could force the multisig third party to act a certain way…
  • The keys could be copied at time of creation. In some cases, the user’s two keys are sent to him or her by email. How hard would it be for a hacker to access that email?
  • Multisig configurations in which 2-of-3 keys are held by the user do not protect the user from coercion (sign this transaction with both of your keys or I’ll…).
  • As with any wallet software, you are trusting it has no “back door” for a hacker to use. The hacker would have to be either in collaboration with the software provider, or have created a convincing replica that he or she gets you to download instead.

We can’t go through life fearing every eventuality. No system is completely infallible, and all of the above situations are extremely unlikely. But they are possible. And the Bitfinex hack has shown us that multisig isn’t always enough.

Uncertainty is never good for any ecosystem, especially when the economic risk is so high. But knowledge is power, and identifying weaknesses does lead to additional strength. Multisig is a cool feature. It’s obviously not perfect, but as with most code, it can be tweaked and worked on to become even stronger.

The incentive to steal is as old as time itself. The incentive to protect ourselves from that theft has given birth to today’s technology, society, political systems and way of life. The bitcoin community continues to pour considerable time and effort into innovating, improving and staying one step ahead of the bad guys. And they will continue to do so because they have more to gain than the bad guys. After all, safe bitcoin deposits that are also easy to transact with, that will extend the use of the cryptocurrency and encourage a reform of the way we handle value – that’s a pretty good incentive.

(This post was originally published on LinkedIn.)



What is Ethereum’s difficulty bomb?

With an alarming name for a relatively straightforward workaround (although in blockchain land, even straightforward things aren’t really), the “difficulty bomb” is an ingenious way to get all Ethereum miners to switch to another consensus system.

by Blake Richard Verdoorn for Unsplash - Ethereum
by Blake Richard Verdoorn for Unsplash

A bit of background: Ethereum currently uses the Proof of Work consensus algorithm, but has always planned to switch to a Proof of Stake system at some point in the future. Casper, as its Proof of Stake system will be called, is in development, and will be rolled out sometime in early 2017, according to the current plan.

One problem has been, as with every decentralized permissionless system, how to get everyone to switch over to the new system, to avoid split chains, replay attacks, etc. As we saw with the recent hard fork, there is always a strong possibility that some will stick with the old system, and there’s not much that the Foundation can do to coerce them into following everyone else.

Unless it’s in their interest to do so. Here’s the ingenious part: the difficulty of mining Ethereum blocks (= the time it takes to find the nonce that will, when combined with the block data, give a hash within a certain parameter) has been gradually increasing since August 2015, and will continue to do so with exponential increments.

What does that mean? That Ethereum blocks will gradually take longer and longer to mine. The time between bitcoin blocks is in theory about 10 minutes (although recently it’s more like 20 minutes). The time between Ethereum blocks is about 17 seconds. This is one of several aspects that makes Ethereum more attractive to some.

But that is likely to change when Ethereum blocks take longer to process than bitcoin blocks. And it will certainly change, for the miners especially, when Ethereum blocks are so “difficult” to process that it no longer is profitable to mine them, since the electricity consumed in the calculations costs more than the potential ether reward.

The “difficulty bomb” is a clever way to force miners to stop using one system and move to another. Rather than pressure through centralized control (“do this or else…”), it does so through decentralized incentives. No-one is told what to do. But the current Proof of Work algorithm has a built-in self-destruct function that, since it is part of the code, no-one can do anything about. You either move to the new system, or you go out of business. Your choice. No coercion.

Since the increase occurs very gradually, “bomb” is perhaps not the best word for the concept, since no explosions or sudden changes disrupt operations. But it does successfully imply the destructive intent of the code, and subliminally encourages everyone to jump over as soon as Casper becomes available. Ethereum developers call it the “difficulty adjustment algorithm” or the “difficulty adjustment scheme”, which are not nearly as dramatic.

It’s worth noting that the difficulty bomb was conceived as a way to get everyone to move over to Casper when the time came. But it could be used to get everyone to move over to a different hard fork. Ethereum has committed to moving to a version of Proof of Stake. But who knows? Change happens. There’s also no guarantee that Casper will be ready in time. What everyone jumps over to, is not yet “written in stone”, as they say. But they will be jumping over to something different.

It’s also worth noting that the difficulty increase could be modified in the upcoming hard fork that will introduce Metropolis, the next planned iteration of the Ethereum platform (expected in the fall of 2016). This type of modification has already happened once. With the Homestead release in mid-March, the difficulty adjustment algorithm was relaxed a bit. Could this indicate a delay in the release of Casper? With the adjusted system, blocks will become un-mineable by 2021, but the slowness will, according to the founder of Ethereum, become “very annoying by the second half of 2017”. This may change.

Ethereum Classic, the alternative result of the latest fork, also has this ticking difficulty bomb, obviously. But what it doesn’t have is the obligation to migrate to a Proof of Stake consensus system, it doesn’t have the commitment to move to Casper. Its miners do have to move to a different algorithm, though. Or, Ethereum Classic could hard fork to remove the difficulty bomb. It will probably let Ethereum launch Casper and see how it goes, before deciding or not to adopt it. Only by then it will have had to do something about its difficulty levels. Assuming, of course, that it’s still around.

The genius here was in knowing that a possibly contentious hard fork was coming, and devising a way to pre-empt resistance. That doesn’t mean that the process won’t be without drama, though. It’s possible that disagreement emerges as to whether Casper is the right consensus algorithm to be using. Some may believe that another alternative is preferable, and independently fork to that. As we’ve seen with Ethereum Classic, it is possible for more than one Ethereum chain to exist (for now, anyway). The difficulty bomb does not solve the problem of trying to get intelligent and strong-willed people to agree on an optimum process, to facilitate the communication as to why the Casper version is the best, and to demonstrate that the entire community is buying into the Ethereum mainstream creed. Clever as it may be, what the difficulty bomb fails to do is to achieve consensus about consensus.

What is the difference between an algorithm and a protocol, and why does it matter?

This is a deep dive into supremely nerdy territory, but being a stickler for detail, I think it’s worth clarifying: algorithms and protocols are not the same thing. And in the bitcoin-blockchain world, the difference is important.

Which is surprising, since they seem to be used interchangeably. I certainly have used them as if they were the same thing, as have people much more knowledgeable than myself. And my inner Thesaurus desperately wants it to be so, to avoid over-using one word or the other. But a niggling doubt at the back of my mind pushed me to look into it a bit, and here is what I found:

That our confusion in this respect is holding us back.

So in this article, I hope to clarify the differences, and to show how a deeper understanding of this can lead to new breakthroughs. In part, it’s my fondness for the pedantic, but mainly it’s because I firmly believe that if we can understand something more profoundly, it’s more likely that we can come up with useful variations, innovations and use cases.

Here goes:

A protocol is a set of rules that governs how a system operates. The rules establish the basic functioning of the different parts, how they interact with each other, and what conditions are necessary for a healthy implementation. The different parts of a protocol are not sensitive to order or chronology – it doesn’t matter which part is enacted first. And a protocol doesn’t tell the system how to produce a result. It doesn’t have an objective other than a smooth execution. It doesn’t produce an output.

It’s like the engine of a car, how a car works.

An algorithm, on the other hand, is a set of instructions that produces an output or a result. It can be a simple script, or a complicated program. The order of the instructions is important, and the algorithm specifies what that order is. It tells the system what to do in order to achieve the desired result. It may not know what the result is beforehand, but it knows that it wants one.

It’s what you need to do to drive the car, the actions that the driver performs.

The protocol is a set of rules that determines how the system functions.

The algorithm tells the system what to do.

The protocol is. The algorithm does.

In the kitchen, the protocol would be a set of conditions and instructions such as:

  • The knife cuts
  • The flame heats
  • Olive oil is delicious
  • Frying pans are good for sautéing onions
  • Wash your hands before handling food
  • Burnt food tastes bad

An algorithm in the same kitchen could be:

  • First, chop the onion
  • Then, heat up the olive oil in the pan
  • Put the onion in the pan, add some salt, and stir until the onion is translucent
by Matthew Wiebe for Unsplash - algorithm
by Matthew Wiebe for Unsplash – the bridge is a protocol, the bike is a protocol, the rider is an algorithm

How is any of this applicable to the blockchain? Because the blockchain needs both protocols and algorithms, and each have a distinct role.

In blockchains, the protocol:

  • tells the nodes how to interact with each other (without telling them to do so)
  • determines how data gets routed from one node to the next (without telling the data to move)
  • defines what the blocks have to look like
  • stipulates who decides which transactions are valid
  • establishes how consensus is determined (without dictating the procedure)
  • identifies who maintains the ledger
  • delegates who determines how the rules of the system change
  • decides if identities are needed
  • determines who can create new coins (but not how)
  • triggers procedures in case of error

The algorithm, on the other hand:

  • verifies signatures
  • confirms balances
  • decides if a block is valid
  • determines how miners validate a block
  • establishes the procedure for telling a block to move
  • establishes the procedure for creating new coins
  • tells the system how to determine consensus

So far so good, right? Now here’s the truly befuddling part: are “Proof of Work” and “Proof of Stake” protocols or algorithms? In crypto journalism they tend to get used interchangeably, with frequency coming down on the side of algorithms, but with protocols getting a relatively high score (check out “proof of work algorithm” vs “proof of work protocol” in Google). So I’ve been furrowing my brow and staring into my empty cup of coffee and I’ve concluded:

They’re algorithms. Not protocols.

Both Proof of Work and Proof of Stake tell the miners how to go about validating a block. They establish conditions, like protocols do, but the instructions are fundamental, and there is definitely a desired outcome: to process transactions, to determine which blocks enter the chain, and to provide a consensus as to which chain is the correct one. Both use the underlying protocol to achieve those goals.

Continuing along this brain-wrinkling train of thought, are Bitcoin and Ethereum algorithms or protocols?

They’re protocols. Not algorithms.

They establish the ground rules, set up the “engines” and determine who does what and how. We, the users, then play around with algorithms to get coins sent, to execute smart contracts and to create new business models. The algorithms are what make the protocols useful.

So, if we understand that the rules are one thing and the instructions are another, we can get creative. What is our desired outcome? And what algorithms, using the rules of the protocol, can we come up with to get us those desired outcomes?

That is why the difference is important. We need to understand the distinction between the state and the action. Between the rules and the procedure. Between what we can and can’t do. We can’t change the rules (if you want to, go ahead and set up a new blockchain). But we can create a series of actions, instructions and processes that can get us to where we need to be.


How can Bitcoin be hacked?

Don’t get excited, this isn’t a how-to article. I have no idea how to hack Bitcoin (and even if I did, I probably wouldn’t tell you). With the Bitfinex drama and the Cryptsy theft (by its own CEO??) still appearing in headlines, and with so many of my friends asking “But I thought Bitcoin couldn’t be hacked???”, I wanted to dig into the how, the why and the who. I’m not going to go into all the crypto hacks and thefts over the past few years, that would produce an article the length of a book. But I am going to look at some of the more interesting and relevant ones, going back to the middle of 2014.

First, we need to differentiate between a hack and a theft. Many assume that they are one and the same, but they are not. Technically, a hack is “unauthorized access to a computer”. Many hackers go in and out of others’ computers and servers just for fun (scary, but it happens). Some hacks are positive – there is a service that will try to hack your bitcoin wallet to recover funds for you. The DAO fiasco saw the hacker(s) being hacked to try to recover funds (it didn’t work). And hackers have been helping to root out the owners of alleged scam cloudmining company HashOcean. So, not all hacks involve theft. And not all theft is a hack, obviously. Theft does still happen out there in the physical world, with no computer getting involved.

by Dmitriy Me2dev for Unsplash - hacks
by Dmitriy Me2dev for Unsplash

But, it’s not news that cybercrime is an intensifying threat to individuals, businesses and even economies, as the tougher the security, the more fun the challenge. And as more and more of our lives and our wealth is online, the stakes get higher. All major law enforcement groups have their own cybercrime division, drawing on the skills of detectives, lawyers and, yes, hackers. But in most cases, figures on cybercrime are difficult to come by, as most victims have no interest in publicity, and many attacks are covered up.

In the cryptocurrency world, however, things are very different. The media seems to relish a “see-I-told-you-it-wasn’t-safe” rubbing of hands and pronouncements of crypto doom. Plus, given the community’s active presence in forums and chats, news of hacks, outages and breaches spreads fast. Trying to cover up a crypto hack forever just wouldn’t work. A stroll through reddit or bitcointalk will give you an idea of the volume of chatter, level of detail and degree of scepticism about practically any and every aspect of the sector. Suspicions are aired, spread and debated, and the senior team of the putative hack victim is usually on hand to answer questions. From what I gather, and lamentably with some notable exceptions, they generally do so as truthfully as they can, with good intentions, because they know that hiding stuff from the community (some of whom are hackers themselves) is futile.

So, it’s not that cryptocurrency businesses suffer more hacks than all other sectors. They don’t. It just seems like they do, because those hacks get a lot of public attention.

The most recent one to occupy the headlines is the absolutely huge Bitfinex hack, in which 119,756 bitcoins (worth about $70 million at the time) were siphoned off from the exchange in early August. We don’t yet know how it was done, which is perplexing given that in 2015 Bitfinex announced a collaboration with multisig wallet producer BitGo to enable additional multisig security on Bitfinex wallets. In theory, with the BitGo solution, it was supposed to be impossible to hack clients’ wallets and steal their bitcoin. Yet that is exactly what happened. Both BitGo and Bitfinex assure us that BitGo was not at fault in the hack, that the coding worked as it should. Fingers seem to be pointing at the configuration Bitfinex employed, keeping bitcoins in individual accounts rather than in a cold storage pool (kept offline), to comply with a recent CFTC (Commodity Futures Trading Commission) investigation which resulted in a $75,000 fine and the requirement to change the process of settling margin trades.

In an unprecedented move, Bitfinex decided that in order to stay open for business (and as the 3rd largest exchange in terms of volume and the largest in US$/bitcoin trades, it was important that it do so, for market stability) it needed to spread the losses amongst the clients’ accounts. Rather than have some clients’ accounts lose everything, it applied a 36% haircut to all accounts, instituting the first “bail in” in digital currency history. This is more or less the haircut the account holders would get if Bitfinex went into receivership, and at least this way there is a chance that they can get their money back. The company has replaced the reduced amount with a cryptocurrency token which itself can be traded, or redeemed at a later date for bitcoins, or dollars, or shares in Bitfinex’s parent company, it hasn’t been decided yet. In the end they may not be able to do this, however, as the words “unprecedented” and “finance” generally don’t go well together, and the legality of token trading (which has already started, no time to waste) is in question, as is the concept of “socialized losses”. And, who knows, they may yet be able to recover some of the stolen bitcoins, given the $3.6 million bounty on offer.

In June, the Ethereum project theDAO was hacked to the tune of 3.6 million ether, at the time worth $60 million. The response of the Ethereum developers was to hard fork the blockchain, winding time back to before the theft, and closing the platform on which it happened. Hard forks are contentious, though, because of the risk involved – for it to work as planned, all network participants need to upgrade to the new version, to avoid some validating blocks on the old “invalid” code, which could lead to potential false transactions and double spending. In this case, the proposal was particularly contentious because it demonstrated that public blockchains are not necessarily immutable, resistant to censorship, etc. The Ethereum code was working fine. The change would be to avoid losing money. A good enough reason? If Ethereum can change the code to suit them, what’s to stop them from doing it again in the future, due to self-interest or coercion?

The hard fork turned out not to have the consensus that the developers assumed, and a few holdouts insisted on sticking with the “old” Ethereum chain. The “old” ether became a new cryptocurrency called ETC, while the new one retained the old symbol of ETH. The developers didn’t object at first because they really thought that ETC would fizzle out and quietly disappear. But it is now the 6th largest cryptocurrency in terms of market capitalization. And the thief still has his (or her) 3.6m ethers, the old version, although they are worth a lot less than the original $60 million. It’s disconcerting how one hack can change the fundamental nature of a promising blockchain in unforeseen ways.

gatecoin - hacks

In May, Hong Kong-based crypto exchange Gatecoin reported the theft of 250 bitcoins and 185,000 ether, worth about $2 million at the time. While most clients’ crypto assets are stored in multisig cold wallets, the hacker managed to overwrite the protocol that handles this so that ether went directly to the hot wallet (keys kept online) instead of the cold, and ignored the self-imposed limit of 5% of assets in online storage. In the end, the hacker made off with 15% of the exchange’s crypto assets. Immediately after, Gatecoin announced that it would seek $4-5 million in funding to cover the losses, and offered a bounty and a lifetime of free trading for return of the assets. In the end, the exchange managed to raise $500,000 to strengthen the security infrastructure, and replaced its CTO, referring to him as a possible suspect. At time of writing, its web site was undergoing an overhaul, and is supposed to relaunch today (August 17).

In April, exchange Shapeshift reported a hack executed in stages of 469 bitcoins plus some ether and litecoin, worth at the time about $230,000. In this case they were victim of an inside job – an employee stole the bulk of the funds, sold server access to a professional hacker, and installed malware on colleagues’ computers to enable the hacker to access the refreshed passwords. Erik Voorhees, the founder of Shapeshift, gives a riveting account of the drama here. No customer money was lost, and the site had relaunched by the end of the month.

Also in March of this year, Canadian exchange Cointrader suddenly closed down, with the explanation that an audit had revealed an unexplained deficit of bitcoin. The media took this to mean a hack, but it might not have been. In an email to clients, the exchange explained: “A recent internal audit revealed a deficiency of Bitcoin in our wallets.” Previously, trading had been halted on shares of the parent company Newnote Financial Corp. (listed on the Canadian Securities Exchange, similar to the US’s OTC market), because of failure to file financial statements. The company was undergoing an audit to rectify this, most likely the same audit that uncovered the missing bitcoins. In an official statement, Newnote announced that the audit was still ongoing and that Cointrader would be shut down due to “rising maintenance costs and lower trading volume attributed to an increase in competitors within the Canadian market space”. No mention was made of the hack. So, did the hack even take place? Or had the audit uncovered something else?

Here’s an interesting one, still making headlines today: In December 2015, exchange Cryptsy and the media started receiving a stream of customer complaints about stalled bitcoin withdrawals, some pending for weeks. In early January, in the face of no response whatsoever from the company, a frustrated client initiated a class action lawsuit in an attempt to recover their funds. The next day, the founder published a post on the Cryptsy blog announcing suspension of trade and withdrawals, and confessing to the loss of 13,000 bitcoin and 300,000 litecoin, at the time worth about $5.7 million. The founder explained that a back door had been installed on the exchange by someone claiming to be a developer. The most startling revelation was that the coins had been missing for a year and a half.

Why hadn’t he told anyone? According to his post, because he wasn’t sure what happened (even well over a year later), and “didn’t want to cause a panic”. He assumed that he could replenish the accounts with profits over time. But then an article was published in the sector blog Coinfire (now part of 99 bitcoins), claiming that Cryptsy was under investigation from several Federal agencies (including the SEC, the Department of Homeland Security and the IRS) for a long litany of infractions ranging from operating without licenses to knowingly servicing accounts linked to terrorist financing, which triggered massive withdrawal requests that Cryptsy simply could not honour.

A couple of weeks later, the CEO’s ex-wife claimed in a court filing that she believed that he would flee the country with the funds, and was using the money to support his lover and her children in China. A few weeks after that, we’re now in February of this year, the ex-wife was added as a defendant in the class action lawsuit, since it turns out that in early 2015 she and her (then) husband had paid for a waterside mansion in Palm Beach with cash. In April the court appointed a receiver to dissolve the business and determine how much was recoverable. Last week the receiver revealed that he had discovered that the (now ex-) CEO had been siphoning off crypto funds the whole time.

After an apparent lull in crypto hacks (what were the hackers up to?), in May 2015, a well-known Hong Kong-based exchange suffered a breach and a theft. The exchange was Bitfinex (yes, them again), and this time the target was their online hot wallets, which store a very small amount of crypto assets. Apparently about 1500 bitcoins were stolen, worth approximately $340,000 at the time. Customer wallets were affected, but Bitfinex was able to replenish the losses out of their reserves.

Also in March 2015, Panama-based Coinapult briefly suspended operations following the theft of 150 bitcoins (then worth $42,900) from its online wallet. Customer funds were unaffected, but immediately after, the exchange announced its intention to move to multisig authentication as soon as possible.

The previous month, Chinese exchange Bter, at the time the world’s largest exchange of altcoins (bitcoin alternatives), admitted to a hack of 7170 bitcoin (then worth $1.75 million) taken from its cold wallet. Because of the unlikelihood of a cold wallet getting hacked (the keys are kept offline, so how would the hacker get at them?), some pointed fingers at Bter, accusing them of covering up an inside job. However, there are cold wallets and then there are cold wallets. Depending on the configuration, some cold wallets can be compromised when they connect with the internet, however briefly, which they sometimes need to do to either move bitcoins or update balances.

The size of this theft almost caused Bter to sell the exchange, claiming that it simply did not have the funds to reimburse the 20,000 affected customers. A 1000 BTC loan from mining group JUA saved the day, however, and Bter was able to use that plus the promise to continue to repay out of profits to make the accounts whole. JUA also took over the protection of Bter’s cold wallets.

February 2015 was a busy month for hackers: Excoin was also hacked. The exchange turned out to have a prophetic name, since the hacker managed to divert all of the bitcoin on the exchange, which left it no choice but to shut down.

photo by Loic Djim for Unsplash - hacks
photo by Loic Djim for Unsplash

In January of last year, Bitstamp – a Luxembourg-based exchange, currently the fifth largest BTC/USD exchanges – had 18,866 bitcoins (then worth just over $5 million) stolen in a hack that involved targeted phishing emails and messages which installed malware on the computers of Bitstamp employees. The hackers not only spent time profiling the employees and creating specific language and offers for each in the emails, but they cleverly staged the access and the theft over the New Year period, counting on a slower reaction time. As soon as the movements were discovered (the same evening as the account was drained), it shut down operations, and started work on rebuilding the trading software from scratch.

After another lull in crypto hacks making headlines, in August 2014, Bter was hit again. Almost 52 million NXT (another cryptocurrency, associated with the blockchain of the same name), at the time worth $1.65 million, disappeared from its account. It turns out that the hacker got access by gathering information on one of the Bter developers, hacking an account that he used on a different website, and taking advantage of the fact that he used the same password to get into Bter. The exchange had set up 2-factor authentication on many of its systems, but not on NXT, which to make matters worse was kept in a “hot” online wallet, directly accessible from the site. Given the scale of the attack (at the time the theft was of 5% of the market cap), NXT considered “rolling back” the blockchain to reverse the hack, much like what Ethereum has just done. As we have seen, however, this is a very controversial move for any blockchain based on immutability and censorship resistance, and the majority of the participants opposed the idea. This hack had a “happier” ending, however, since the exchange managed to negotiate the return of the bulk of the coins. Perhaps they used the threat of a hard fork? Keeping some and returning the rest is better than losing all?

And another happy ending: in December 2014, wallet giant blockchain.info was hacked for 255 bitcoins. And then the hacker gave the coins back. Awwww.

Let’s end this walk through history with a really juicy story, with several chapters but no happy ending: in July 2014, altcoin exchange MintPal was relieved of approximately 8 million of bitcoin alternative VeriCoin, which at the time was 30% of its market cap of $6.3 million. It is interesting to note that the exchange’s bitcoin holdings were also targeted, but they were held offline in cold storage and thus ended up untouched. The Vericoin were supposed to be in cold storage, but due to an error most of them weren’t. The community couldn’t allow that much VeriCoin in the hands of one attacker, since it would have given him or her enough weight to instigate a 51% attack, which made the decision to fork simpler – it was that or see the currency completely crash. The problem with hard forks, though, is that everyone in the network needs to update pretty much at the same time. That didn’t happen here, which meant that older versions processing new blocks effectively “reassigned” the attacker the stolen 8 million. A second hard fork a day later managed to fix the problem, diverting the coins to a new, MintPal-controlled wallet.

Trading volumes dropped sharply after the attack, which led to its acquisition by the end of the month by Moopay (more commonly known as Moolah, not to be confused with the payments services provider of the same name). Three months later, on October 14th, after several delays to MintPal’s relaunch, Moopay announced its plans to declare bankruptcy and shut down operations. MintPal had apparently already been transferred to new management, and the new team was focussing on “the resolution of issues surrounding missing balances”. Missing balances?

The following day, the CEO of Moopay insisted that the company had never bought MintPal, all that it had was a management agreement (documents subsequently released show that, indeed, Moopay did not own a stake in MintPal, but the CEO of Moopay did, he held 48% of the company that owned 100% of MintPal). To add to the confusion, less than 24 hours later, the CEO and founder announced that no, on second thoughts, Moopay was not going into bankruptcy after all. He then resigned. At the same time reports started to emerge tying the founder to other identities. The next day, this was separately confirmed by both a former lover and by an ex-associate who in the past had pressed charges against him for fraud. The following day (a busy week) it turned out that the name that they knew him by wasn’t his real name, either. The day after that (we’re now at the 18th of October), the ex-CEO fired all the staff, and the following day he confessed to the name change. And in case things weren’t confusing enough, he re-confirmed the bankruptcy.

At the same time, it emerged that 3,700 bitcoins were missing from MintPal’s wallets. It turns out that they were being held in the Moopay CEO’s personal wallet, and were moved as soon as this was discovered. Simultaneously, the CEO posted an abject apology on Moopay’s blog, which has since been taken down but part of the text is reproduced here. Then the lawsuits started flying, injunctions were handed down and the CEO went missing. In December, he and a former colleague (alleged to be his then girlfriend) were arrested in the UK but released on bail. And in August of this year, a couple of weeks ago, he was sentenced to 11 years in jail, not for theft or fraud, but for rape. I bet you didn’t see that one coming.

As you know, it’s not just cryptocurrencies that get hacked. Banks around the world are subject to a frightening number of hack attempts, some really sophisticated, and some successful. However, the bank hacks tend to be shrouded in secrecy, and many are never even revealed to the public – we wouldn’t want a panic, now, would we? Another big difference is that bank accounts are, in most systems, insured up to a certain amount. There is little if any risk of “losing it all”. With the uninsured crypto exchanges, however, that is not the case, and while the amounts are much smaller than with fiat bank hacks, the community is much more vocal.

How can we protect ourselves from bitcoin hacks? A relatively easy answer is to spread our bitcoin holdings across several wallets and exchanges, and throw the bulk in cold storage. It’s an easy answer, but it’s a hassle, which is why most casual bitcoin users don’t do it. Sticking with reputable exchanges is also a good idea, but a really big hack could decimate even the most solvent of business (crossing fingers for you, Bitfinex). When an exchange gets hacked, the loss of the cryptocurrency is not the only cost. There’s also the expense of the investigation, migrating servers, rebuilding the platform, lawyers…

It’s so easy to apply common sense in retrospect, but unfortunately much less so as we go about our daily lives. And as we’ve seen, crypto hacks can affect any exchange, even reputable, well-protected ones. Theft is lamentably a part of life which we will never be able to completely avoid. And the fact that it exists in no way makes the stolen asset more vulnerable and worthless. Cash is stolen every day, and yet that doesn’t make us suggest that cash is useless, does it? Gold, diamonds, cars… Anything that can be moved, can be taken. And nothing is easier to move, in terms of logistics, than bits and bytes of information. The fact that it doesn’t happen more often is a testament to the ingenuity of security experts, who are continually trying to stay on top of a moving pile of sand. With each hack, the community learns. And with that knowledge, gets stronger. While this doesn’t help the thousands who lose savings, it does strengthen the sector as a whole. And shows that if people are trying to steal what you have, it must be worth stealing.

The hype of the halving is hardly helping

(Terrible title, I know, but how often do I get the opportunity to start with a string of “h” words?)

First of all, what is the halving? It’s when the amount of bitcoins that the block validators (the “miners”) get as a reward for processing transaction blocks is reduced by half. The bitcoin protocol has the reward falling by 50% every 210,000 blocks, to control the supply of bitcoins and permit a gradual tapering off of new coins as the limit of 21 million is approached (we have a way to go yet, that’s not expected until 2140). The last halving was in November 2012, when the reward fell from 50 bitcoins to 25. The next one is expected tomorrow.

It’s one of the reasons cited for the sharp increase in bitcoin’s price over the past few of weeks. And now that it’s so close, it’s one of the reasons for its sharp fall today. Which totally makes sense (not really).

The potential vulnerabilities the halving leaves us with:

  • A concentration of mining power. Many miners will have to drop out of the businesses as their operations become unprofitable. We’ve already seen the beginning of this, as KnCMiner announced their bankruptcy a few weeks ago, citing the upcoming event as one of the reasons. What would this mean for the sector? Increasing concentration in the hands of the powerful. This goes against the very idea behind bitcoin: a network run by everyone. That undermines the credibility of its story and its goal. But a more insidious worry is the vulnerability to manipulation. In a decentralized network, we can trust the honesty of the crowd. In a centralized one, not so much.
  • Slower transaction times. The removal of part of the hashing power (computers running the network) would make block confirmations even slower. As you know, blocks are confirmed by finding the right random value that gives a hash (= a condensed string of characters that results from passing the block through a certain algorithm) within a certain range. The range is set to be narrow or broad enough to ensure that blocks can be validated in about 10 minutes. If they get validated faster, the difficulty increases. Slower, it decreases. With fewer machines churning the random numbers and algorithms, it’s very likely that the block validation time will slow. Fewer machines searching for the right random variable will lead to a longer time to find the correct one, just as fewer people searching for a needle in a haystack leads to it taking longer to find the pesky needle. Slower transactions will lead to the system re-setting the difficulty, but that only happens every 2016 blocks. Until then, big frustration for people trying to pay with bitcoin.
  • An offloading of bitcoins. To help cover profitability shortfalls until faster and cheaper equipment appears, miners may well have to start selling some of their considerable bitcoin holdings on the market. That could push prices down. Or, given the fickleness and jitteriness of markets, the possibility that that could happen could be enough to trigger a fall.
by Danielle MacInnes for Unsplash - halving hype
A half is not as good as a whole – by Danielle MacInnes for Unsplash

Basic economics says that when the supply of something decreases, the price increases. So, many bitcoin experts are convinced that the bitcoin price will increase right after the halving. And so far, they’ve been proved right, the bitcoin price has gone up over 50% in the past three months.

But here’s the thing: the supply is not decreasing. In fact, it’s increasing. At a slower rate, true, but it’s steadily increasing. And here’s something else that I don’t understand: this slowdown in the rate of increase is totally expected. It has been expected since the beginning of bitcoin. So in a rational market, the price would have already discounted this halving, and would have no reason to increase in the run-up to it. The expected effect would already be in the value. It should be, in a rational market, price neutral.

So, either there’s something else going on (hello, China? You feeling ok?). Or, bitcoin’s market is not rational. Neither makes me feel particularly good as an investor.

And yet I am still a bitcoin fan. I want the volume to be strong and the price to increase. But this focus on the price, and the inherent volatility of the market, is not what bitcoin needs. It’s great for speculators. But for bitcoin to occupy the place in the world economy that it deserves, as a decentralized alternative to global transfers, we should be focussing on its inherent value, on its utility and on its future.

The halving will have a market impact. But it’s very unlikely that it will be long-lasting. Miners may drop out. Others will step in to take their place, with newer and faster and shinier machines. The price could go haywire. But it will calm down. There could be structural problems. But they will be fixed. And we will probably see some impacts that no-one expected. We’re new at this. But we’ll figure it out. I believe that focussing on this event is short-termist, and missing the big picture. The price increase is exciting, and I couldn’t be more pleased, but relating the price movements to halving event is latching on to easy explanations and buying into the media hype. And that the fundamentals of bitcoin deserve better.

Proof of Work, Proof of Stake and The Bitcoin Halving

You probably know that bitcoin’s security system is called Proof of Work (if not, see here). It’s based on the idea that the amount of work required to attack the system is a deterrent. The costs you would incur from changing transactions that were processed several blocks ago, to either double-spend or to modify details of the embedded data, would be greater than the potential gain. The same applies to what you could gain from denial of service or consensus attacks. By requiring a lot of computer power, Proof of Work assures the integrity and security of the system.

But Proof of Work is not the only game in town. It may not even be the best one.

by Aditya Siva for Unsplash
by Aditya Siva for Unsplash

What are the potential flaws in this system? For one, it consumes a LOT of electricity. A report came out recently suggesting that bitcoin mining (the generation of new bitcoins through successful block validation) will end up consuming as much electricity as Denmark by 2020. While this could well be exaggerated, it does help to envisage the scale of the energy needs. Some innovative ideas suggest that bitcoin mining rigs (the powerful computers used to generate new bitcoins and validate blocks) could simultaneously be used to heat buildings. There’s an ecological thought.

Two, imagine that electricity prices come down and computing power becomes more energy-efficient. And, imagine that there are billion dollar transactions on the network. It’s therefore not hard to imagine that there would be a strong economic incentive to try and change a previous transaction. The costs to engineering an attack on the system would not be so high. The cost of Proof of Work could cease to be a deterrent.

Three, given the current concentration of mining power in China, it’s not hard to see how a consortium could “break” the system by pooling their resources together. All an attacker looking to influence or change the course of the blockchain needs is 51% of the system’s computing power (different types of attacks could be pulled off with less). The top 3 mining pools in China hold 61%. And while there is no indication that they would ever do this (in fact, they have taken steps to dilute their power to avoid such doubt), it is technically possible. The incentives could be personal, or as a response to state pressure, or as a result of bribery, extortion or blackmail.

proof of stake
graph via blockchain.info

So what are the alternatives? One alternative used by some blockchains is Proof of Stake. While Proof of Work depends on computing power, Proof of Stake depends on the amount of the currency owned. In most Proof of Stake systems, a block validator “pledges” or “deposits” a certain amount of coins. That amount influences the likelihood of that validator processing the next “winning” block. While the reality is somewhat more complex than that, the premise is simple enough: to have a say in the development of the chain, you need to have a stake in the currency.

Proof of Stake has similar vulnerabilities to Proof of Work. But the likelihoods are lower, and the consequences very different. It is theoretically possible for an attacker to accumulate 51% of a cryptocurrency’s supply, especially in the younger, lower value currencies. In the case of Bitcoin, however, that would cost almost $5 billion at today’s price. And that’s assuming that the price holds still, which it obviously wouldn’t if someone started buying that many bitcoins. The real cost would be much, much higher. The bounty would have to be pretty spectacular to warrant that type of investment. Comparing this security with Proof of Work, it’s unlikely that accumulating 51% of Bitcoin’s computing power would cost anything like that. In this aspect, Proof of Stake would ensure greater security than Proof of Work.

Another shared vulnerability is that of centralization. As I mentioned before, Proof of Work tends to centralize through access to the “work” resources, specifically electricity (cheaper in some parts of the world than others) and computing hardware (more accessible in some parts of the world than others). Proof of Stake would centralize by making it easier for those with a higher stake to generate new coins through block validation. The higher your stake, or deposit, the easier the problem that needs to be solved. So the new coins tend to go to those who already have a high stake. But, those who hold a large amount of the currency are more likely to act in the currency’s interest, than those whose stake is high-powered computing equipment. Again, in this aspect, through the power of incentives (or disincentives), Proof of Stake would ensure greater security than Proof of Work.

And, it’s cheaper. Proof of Work implies a lot of computing power churning calculations and consuming electricity. Proof of Stake also uses resources, but fewer.

And, it’s more “democratic”. To mine bitcoins with Proof of Work, you need to invest in the equipment that can do the work. And you need to know how to operate and maintain it (or hire someone who does). It requires a significant initial outlay. With Proof of Stake, you need to buy the currency. That’s accessible to everyone. True, you need to have the funds and the tech knowledge to open a wallet, but it’s definitely easier.

Although it may sound like it, I’m not saying that Proof of Stake is better than Proof of Work. Conceptually, it has advantages. But practically, it hasn’t been tested at large scale. Technically, it is vulnerable to certain attacks (convoluted and rare, but a vulnerability is a vulnerability). And theoretically, on its own it isn’t ideal for consensus. Consensus is about everyone rapidly reaching a conclusion as to what is the “correct” chain. What’s to stop stakeholders from “betting” on multiple chains and thus reaching a stalemate? In its purest form, Proof of Stake is unlikely to work. The currencies that use it (Peercoin, BitShares, NXT, and Novacoin are a few) have each come up with ways to solve that problem, many of them using a combination of Proof of Work and Proof of Stake. Ethereum, the crypto-currency with the second-largest market capitalization, is planning to switch from Proof of Work to a Proof of Stake hybrid next year.

What does all this have to do with the halving?

First of all, what is the halving (sometimes called “the halvening”)? It’s when the amount of bitcoins that the block validators (the “miners”) get as a reward for processing transaction blocks is reduced by half. The bitcoin protocol has the reward falling by 50% every 210,000 blocks, to control the supply of bitcoins and permit a gradual tapering off of new coins as the limit of 21 million is approached (we have a way to go yet, that’s not expected until 2140). The last halving was in November 2012, when the reward fell from 50 bitcoins to 25. The next one is expected in mid-July of this year.

And here’s the thing: in theory, the halving increases Proof of Work’s vulnerability. But not Proof of Stake’s. Or at least, by not nearly as much.

Why would Proof of Work be more vulnerable after the halving? Because if everything else remains the same, it will lead to increased centralization. With increased centralization, miners would find it easier to collude to distort the system and to control block creation. Why would that lead to increased centralization? Because with the act of validating the blocks suddenly so much less profitable, it is possible or even probable that many participants would drop out. If the marginal ones drop out, that concentrates power in the larger miners and in the mining pools.

However, that theory does not take into account price movements. A doubling of the price would offset the reduction in the number of bitcoins received as a reward. And the price of bitcoin has gone up considerably since the beginning of the year – up 60% at time of writing. Is that enough to keep validation profitable for the marginal miners?

That’s hard to say, and harder to maintain. Bitcoin’s price is relatively volatile. It went up sharply and quickly (90% of the increase has been over the past month!). It could fall sharply and quickly. It’s an unreliable metric to base predictions of mining profitability on.

With Proof of Stake as a consensus method, this would not be as much of a problem. Proof of Stake requires less computation power, and as such, lower hardware costs and lower electricity costs. With lower costs, a lower reward is not as punitive. Centralization is always a risk with Proof of Stake, as we saw above. But in this case it would not be because of a contraction in production.

Obviously, bitcoin is not going to switch to Proof of Stake or any of its derivatives any time soon. Proof of Work is so deeply ingrained in its protocol and its culture that a switch would be turbulent, to say the least (and the Core developers do not seem eager to embrace radical change of any sort). But the comparison of the two systems and the increasingly obvious flaws in the decentralization assumptions of the bitcoin design highlight that we are all of us still learning as we go along. Bitcoin and other alternative currencies are still an experiment. In the case of bitcoin, one that’s shown impressive reach, resistance, activity, support and real-world potential. But nevertheless, an experiment. And in the grander scheme of things, when it comes to attempts to profoundly change the way society works, seven years is not a very long time. It’ll be interesting to see what happens next.

(This post was originally published on LinkedIn. Sometimes I publish there first, sometimes here. Experimenting.)

What is Proof of Stake?

Bitcoin relies on a system called Proof of Work to ensure consensus and security on a blockchain. So do other cryptocurrencies such as Peercoin, NXT, Nubits, Qora and Bitshares,  But some strongly believe that Proof of Work is wasteful and unreliable, and instead implement an alternative system called Proof of Stake.

by Len de la Cruz for Unsplash
by Len de la Cruz for Unsplash

How does Proof of Stake work? By offering the chance to validate a block of transactions, and to receive the corresponding reward, to holders of the currency in question.

In Proof of Work, those most likely to validate a block are those with the most computing power. Taking control of the blockchain is, then, a question of churning computations, and would be prohibitively expensive. Work = cost. That is how Proof of Work secures the blockchain, by making it too expensive to retroactively change, and too difficult to control going forward. Consensus is understood to be the chain with the most work behind it, ie. with the greatest number of validated blocks (technically it is possible to have a sequence of blocks with a relatively low level of work behind them, but it is rare).

In Proof of Stake, holders of the underlying currency “deposit”, “pledge” or “bond” an amount, in exchange for the right to validate blocks. Generally, the likelihood that they will successfully validate a block is in proportion to the amount deposited. Security is achieved by the high cost required to control the majority of the network (a validator would have to hold over half of the market capitalization!). Consensus is achieved by the assumption that stakeholders have a strong interest in the health of the network. If trust disappears because of suspected bad behaviour, the value of the currency will crash and the manipulator’s holdings will be worthless. With Proof of Stake, trust becomes a self-fulfilling prophecy.

Also, Proof of Stake in theory is more democratic. With Proof of Work, influence tends to concentrate in the hands of those with the most powerful computers. Not everyone has the wealth to purchase or the skill to maintain that level of equipment. With Proof of Stake, the validation can be done on any computer. The investment required is in the actual currency itself.

Yet Proof of Stake in its simplest form is not conducive to reaching a consensus, since there is no cost associated with mining on a chain. In Proof of Work, if you mine on the wrong chain, you lose the amount that you invested in doing that work (= the cost). In Proof of Stake, it doesn’t matter which chain you try to mine on. You’re depositing an amount of currency, not incurring a cost. If it turns out that you’re trying to mine on the wrong one, you lose very little. In fact, you could theoretically mine on several chains at the same time, since there is no additional cost for doing so. This makes consensus harder to achieve.

And it will obviously lead to increasing concentration, not ideal for a decentralized concept. Why increasing concentration? Because if those that have the highest stakes are more likely to receive the newly issued coins, then their stakes will become even greater, which will make them even likelier to receive the newly issued coins, etc.

So, the currencies that use it have solved these weaknesses by tweaking and adding features, often ending up with a hybrid system that includes some Proof of Work characteristics.

For instance:

One of the earliest examples of Proof of Stake was PPCoin, subsequently called PeerCoin, in which miners process blocks by submitting a stake. They do this by sending to themselves a chunk of their own coins. Only PeerCoins that have been held for at least 30 days can be used for this, and the longer they have been held without being used (up until 90 days), the higher the chance that block production process has of being successful. Once used, the stake has to sit idle for 520 days. This system ensures that the minting of new coins does not concentrate in the hands of a few participants. The consensus chain is the one with the highest “consumed coin age” behind it. Peercoin also allows for Proof of Work mining as an alternative, but this is being phased out as Proof of Stake becomes more important to the network.

NXT was the first 100% Proof of Stake currency. Block validators are selected at random based on the amount of the currency they hold, and everyone knows who the next miner is going to be. This makes double-spending very difficult, as it the whole network will be able to see if a transaction occurred or not. NXT does not offer fresh coins as a reward for validation – all 1bn coins were created at launch. Block validators focus on maintaining a healthy network, which will increase the value of their stake.

Bitshares uses a derivative called Delegated Proof of Stake, in which wallet holders elect 101 delegates who carry out the voting on which transactions get validated. These delegates take turns producing a block every 10 seconds, in a random manner. This is a less decentralized system than simple Proof of Stake, but more manageable.

Ethereum, the second largest cryptocurrency by market capitalization, currently uses Proof of Work, but plans to move over to a Proof of Stake variation some time in 2017. The twist that Ethereum plans to put on the concept is that validators have a “stake” in the outcome. They stand to lose out if they mine on the wrong chain. To earn the right to try to mine, participants submit a deposit, and are then invited to “bet” on which block will be validated next. Yes, you heard right, you “guess” (presumably in an experienced and insightful way) which block will be the next one to be included in the chain. If you guess right (= if you bet well), you get a reward. If not, you lose your bet. This will make consensus naturally easy to achieve – everyone sees where everyone else is concentrating, and converges on that chain.

As you’ve probably noticed, securing a network and identifying consensus in a decentralized public network that is not controlled by any one entity, is not at all simple. Both systems – Proof of Work and Proof of Stake – are totally ingenious, even though they both have their flaws. Will one turn out to be much better than the others? It’s way too soon to tell. Proof of Work has served Bitcoin well over the past seven years, but the cost and the centralization are becoming serious issues as the profitability of mining falls. Will it withstand the test of time? Proof of Stake has yet to find the magic formula that combines efficiency, security and decentralization. But that doesn’t mean that it won’t happen. We are still in the experimentation phase, launching ideas into the wild and seeing what adaptations and unexpected consequences the users come up with. And the cryptocurrency sector may well end up converging on something totally different. What is most likely, though, is that we will end up with an ecosystem that supports and nurtures combinations of what we have now. And it will be very interesting to see if we can reach a consensus on consensus.

What is Proof of Work?

Bitcoin uses Proof of Work to ensure blockchain security and consensus. Fine, but what does that mean?

“Proof of Work”, as its name implies, requires that the decentralized participants that validate blocks show that they have invested significant computing power in doing so. As we saw in “How does Bitcoin work?”, bitcoin validators (known as “miners”) compete to process a block of transactions and add it to the blockchain. They do this by churning enough random guesses on their computer to come up with an answer within the parameters established by the bitcoin program.

Hang on, that’s confusing. So, they wildly guess and hope that their resulting answer ends up in a certain range? Sort of. The main character in this game is called a “nonce”, which for trivia lovers, is an abbreviation of “number used once”. In the case of bitcoin, the nonce is an integer between 0 and 4.294.967.296.

The other main character is a “hash”, which is an algorithm (= a really long and complicated formula) that converts any sequence of characters (it could be the word “dog”, or it could be an entire novel) into a string of 64 letters or numbers.

Hashes are a big part of what makes bitcoin secure. If you change so much as a comma in the text that is hashed (= has the algorithm applied to it), or if you so much as add a space, you get an entirely new hash. It could be a little different, or it could be very different, the outcome is random. Only it’s not really random, because every time you pass a particular text through a hash, you get the same string. If you change something, it’s different. For a given text, it’s always the same. Change one thing, and it’s not.

So, if you hash a real estate purchase agreement or a last will and testament or a stock purchase deal, and put that on the blockchain, no-one can change the details without everyone knowing. If a hash on the blockchain suddenly changes, things get messy. That’s what makes historical bitcoin transactions and records tamper-proof.

by Paulo Vizeu for Unsplash - proof of work
by Paulo Vizeu for Unsplash

Now, let’s leave hashes for a second. You have a block of transactions to process. You want to be the first one to process it, because then you get the “mining reward”. The “mining reward” is an amount of new, fresh bitcoins awarded to the first one to process a block. Fresh bitcoins are a good thing to have. So, how do you get them?

You know the hash of the previous block of transactions. That’s public information, it’s on the blockchain. That will form the beginning of your block of text. Next, you take the current block of transactions, the one you want to process, and add it onto the hash of the previous block. Your block of text is growing.

Now, you pick a nonce, the random number that we mentioned above, and add that to your block of text. You perform a hash of that block (= apply the algorithm to it), which now consists of the hash of the previous block + the transactions + a random number. The resulting hash needs to be a string that has a certain number of zeros in front of it.

That doesn’t sound too complicated, right? Well, bear in mind that to find the number, your computer has to perform approximately 10^21 computations. That’s a LOT. It takes on average 10 minutes to find a nonce that gives you the desired string. That is why it takes about 10 minutes to completely process a bitcoin transaction, to get it registered on the blockchain. There isn’t only one nonce that will do it, there are probably several, but you have no way of knowing what they are.

(And if you know your numbers and thought that the possible range for the nonce given above is not very large, you’re right. In most cases all possible nonces in that range won’t get you the hash you want. So then you go and change a second nonce that is buried in the block, incrementing it by 1 or whatever you want, and you start all over again. Complicated, huh? So the total number of possible nonces from the combination of the two is 4.294.967.296^2, which gives you a really huge number.)

Sometimes computing power improves and the pesky nonces are found increasingly quickly. If that happens, the difficulty is increased. This means that the number of zeros needed in front of the resulting hash for the block to be accepted is increased.

Given the immense amount of work that your poor computers have to do, you can see why this system is called “Proof of Work”.

How does that ensure security and integrity?

Imagine that you wanted to go back and change something in a transaction or a document registered on the blockchain a few blocks ago. As I explained above, if you change so much as a comma, the entire hash changes. And since that hash forms part of the next hash, that would change too. And so on. You would effectively have to re-mine every subsequent block. If one is difficult and expensive, how difficult and expensive would it be to successfully get several re-mined? Prohibitively so. Proof of Work helps maintain bitcoin transactions’ integrity.

It can also prevent double-spending attacks. Let’s say that you send bitcoins to one person. The person that you sent the coins to in the first transactions sees that you did that, and releases or sends the goods you wanted to purchase. A second later, you send the same bitcoins to another address that you own. Given bitcoin’s latency (it can take a few seconds for transactions to spread around the nodes, and your second one may arrive at some nodes before your first one), it’s possible that your second transaction gets processed and validated first. Your first transaction is invalid. Are you going to send back the goods? Probably not. This is why, if you are a merchant accepting bitcoin, it is recommendable to wait for a few blocks to pile on top of the one that sends you the bitcoins, to make sure that yours is the one that got processed, not the “nice try!” fraudulent attempt by the sender.

Now let’s assume again that you’re an unethical bitcoin user (shame on you!). To make it likely that your block with the dodgy transaction is the one processed and added onto the chain, you would need to control over 51% of the validating nodes. If it weren’t for the amount of work that each validating node has to perform, you could create as many as you wanted. As many as you needed, in fact, to get 51% of the network. With Proof of Work, you simply can’t afford to. All of those nodes would have to, you know, do the work. There’s no way that the colossal cost would be compensated by the economic benefit.

What does that have to do with consensus?

For any system to work, you have to assume that at least half of the participants have good intentions. You don’t know who they are, though. With bitcoin, it doesn’t matter. Since there’s no way of knowing who the successful validator will be (because the successful choice of the necessary nonce is random), there’s a greater than 50% chance that it is an honest participant.

But that’s not really consensus, true. That’s where the concept of the chain comes in. In bitcoin you can assume that the longest chain, the one with the most blocks, is the “correct” one, and has the network “consensus” behind it. Why? Because the most amount of work has gone into that chain. We’ve seen how each block requires a lot of computing power. So the one with the most blocks has the highest amount of accumulated work invested in it.

And bear in mind that since the blockchain is distributed amongst all participants, they all know what’s on there. If the validators are adding on to a chain, and if it is impossible to know who the validator is going to be, then we can safely trust that the longest chain has the network’s consensus.

If it turned out that we could not trust at least half of the bitcoin validators, and that there was a strong chance that bitcoin transactions could be filtered, manipulated or duplicated, we would pack up and go home and start work on a new system in which we could rely on that assumption. If that happened, all bitcoin validators would lose not only the value of the bitcoins that they hold, but also the investment they made in the super-fast computers that do the validating (and they’re not cheap). So, the network has an economic incentive to stay honest. The network needs the trust in the system to remain intact.

Another way in which Proof of Work helps consensus is the time it takes for each block to be validated. In 10 minutes, you can be reasonably sure that the latest blockchain has been propagated to all nodes. Everyone has had time to receive the updated version. That version has consensus.

by Aaron Li for Unsplash - proof of work
by Aaron Li for Unsplash

Problem solved, right? Not so fast.

Let’s look at the drawbacks.

First, it’s inefficient. Imagine hundreds of computers all around the world churning power looking for a solution to a pointless puzzle. It sounds crazy, right? But the puzzle is only pointless in that it that it doesn’t solve anything. It just acts as a barrier. It does its best to make mining difficult, so that it would be expensive to fake.

Second, it’s expensive. Electricity costs. The super-fast computers cost. To compensate for the high cost of processing these blocks and churning computer power to find the elusive nonce, the first participant who finds the elusive nonce automatically gets a reward of new bitcoins. This is why the block processors are called “miners”. It’s almost as if they dig fresh “gold” out of the ground.

Third, the high cost is leading to centralization of bitcoin block processing. Remember how I said “hundreds of computers all around the world”? Well, they’re not really. Most of them are in China, where electricity is cheap. A kilowatt/hour in China costs $0.11, vs $0.18 in the US and $0.21 in the UK. In Spain, where I live, the variable rate for heavy users reaches almost $0.17/KwH. There are not a lot of miners in Spain (we had headlines just last week of bitcoin miners getting arrested for, among other things, stealing electricity from the neighbours to run their fast computers). Over 70% of bitcoin computing power (evocatively called “hashing power”) is in China.

So where does that leave us?

That leaves us with a secure and decentralized protocol that solves the problem of verifiable consensus, and incentives. It works. It’s not perfect, but so far it seems to be the best option available, at least for bitcoin. It’s not the only option, though, and we will soon look at alternatives, both conceptual and real. The number of blockchains out there is increasing, and each uses a different way of achieving security and consensus. Some are based on Proof of Work, some aren’t, and each has advantages and disadvantages. And if that weren’t confusing enough, there are more and more ideas emerging to improve on or even radically change the current Proof of Work system. Innovators don’t tend to sit still for long.

I want my stuff now: Bitcoin and immediate transactions

By now you know that a bitcoin transaction can take at least 10 minutes to verify and process. And to be really sure that it is permanently and indelibly on the blockchain, you’re supposed to wait for another 6 blocks (at least!) to pile on top. So, technically, a bitcoin payment could take over 1 hour to go through. This obviously is not ideal if you want to buy something with the digital currency. Imagine if you were told that you had to wait at least an hour for your pizza. Or that you had to come back to the store later to pick up your new jacket. You’d be right in thinking that this could be a significant barrier to bitcoin adoption.

So, how do we get around that?

by Sean McAuliffe for Unsplash
by Sean McAuliffe for Unsplash

One method used “back in the day” and which has fallen out of favour is “green addresses”. These are bitcoin addresses that are set up by a “trustworthy” institution (probably an exchange or a wallet) that is willing to advance the funds to the seller, while waiting for confirmed reception from the buyer. If I wanted to send you bitcoins, and I wanted you to feel secure that you had received them immediately, I would open an account with a well-known intermediary, I would send them the bitcoins, and I would ask them to pay you using a green address. They would do so immediately, without waiting for confirmation that my transaction to them was valid. They would trust me because of our working relationship, and probably because I have a balance of bitcoins held with them. The receiver (the seller) would have heard of the intermediary, and would trust their reputation enough to accept that the green address payment is valid. In effect, the intermediary “vouches” for my payment, and the seller trusts the intermediary enough to accept that.

One of the reasons that this system is not used so much any more is that two of the main green address intermediaries back in 2011, when this form of transaction verification was at its peak of popularity – Mt. Gox and Instawallet – ended up imploding. Obviously, trusting intermediaries is no longer an obvious thing to do.

Another drawback is that green addresses are not as private, since the name of the intermediary has to be disclosed. The intermediary’s records would then identify the buyer. Without a green address, the receiver (the seller) has no idea through which intermediary the funds arrived.

Furthermore, using a green address creates an additional bitcoin transaction, which, given the current intense debate about bitcoin scaling, is probably not the most efficient solution.

And, there is the irony of depending on a centralized trustworthy entity to make a purchase with a currency designed to work in a decentralized environment where no trust is needed. 😉

bitgo instant

Some wallet companies are coming up with ingenious work-arounds. Earlier this year BitGo launched BitGo Instant to make immediate transactions possible. After initial risk checks, BitGo Instant guarantees the funds for the receiver. How does it do this? By co-signing. The keys to a BitGo Instant wallet are held by three participants: the user, BitGo Instant and a key recovery service (a third party that generates, stores and protects public and private key pairs). Two signatures are required on every transaction, and in most cases, those two signatures will be the user’s, and BitGo Instant’s. Obviously before co-signing, BitGo Instant will check that the coins have not been previously spent. If that condition is met, BitGo Instant’s co-signature implies a guarantee that the funds will be paid. The only way that those funds could be double spent is if the user enters into a conspiracy with the key recovery service to send those very same coins somewhere else. To prevent this, the service is required to inform BitGo before it co-signs anything. Also, the key recovery service adds a layer of assurance that the bitcoins will still be accessible in the event that BitGo Instant stops operating, as it could provide the necessary second signature, allowing the user to access the funds. BitGo Instant’s risk in this is low, as it can easily verify that the bitcoins are there. And it is an original way to monetize BitGo’s reputation.

As with green addresses, the privacy of this type of instant transaction is lower than the standard, slow option, as the receiver knows that BitGo is involved. With that information, it is possible to figure out who the buyer (sender of bitcoins) is. So these transactions will most likely be of interest to average users who want instant purchase confirmation, and traders who don’t want funds tied up, not even for an hour. Privacy is probably not their main concern.

We will probably (hopefully) see the emergence of other clever ideas that improve the efficiency of bitcoin over the coming months. Instant transactions will not only increase the liquidity in the system by increasing the circulation. It will also dramatically increase the use cases, by offering instant bitcoin trading settlement, instant purchase confirmation, and less risk that the bitcoin exchange rate will move during the waiting time.

“Zero confirmation transactions”, or transactions that have not yet been embedded on the blockchain, are accepted in some cases, but the risk is high, so the practice is actively discouraged. For bitcoin to one day be widely used as a payment method, the “zero confirmation transaction” risk needs to be resolved. Some exchanges and wallets have been looking at probability approaches, but the system needs to find a simpler and more secure way to transact quickly. Even transactions that are one or two blocks deep in the chain are not free from risk of a block re-write, and waiting over an hour (after which the probability of the block being modified falls to practically zero) is often not practical. And until using the digital currency becomes practical, the talk of bitcoin one day replacing cash will remain just that: talk.

How does a bitcoin paper wallet work?

A bitcoin paper wallet is simply a public and private key printed together. It is an offline wallet, and is usually regarded as a type of cold storage, although it has some important differences that make its presence in that category debatable (more on this further down).

As the name suggests, paper wallets are usually made out of paper, although technically they could also be made of plastic or any other substance on which information can be durably printed.

bitcoin paper wallet
via bitaddress.org

What is printed on the paper wallet are the private and public keys, usually in QR form, with the latter also serving as the address. You could just copy and paste the keys onto a text document and print that out (erasing the copy on the computer afterwards). Or you could use one of the free web services that generate the printable wallet for you. The key generation is usually done in your browser, so they are never transmitted on the internet. To be safe, you should clear your browser after printing.

Some paper wallet services have a nifty design that you can cut, fold and seal, making them a lightweight and relatively secure form of storing bitcoins offline. You send your bitcoins to the public address displayed on the wallet, and then store it in a secure place.

What makes paper wallets secure is that they are totally offline. They are not within the reach of hackers, and your bitcoins are never trusted to a third party. As long as the paper wallet is secure, the bitcoins are secure.

But, therein lies the relative lack of security. Someone could find your hiding place, take your printout, spend all the bitcoins associated with those keys, and return the paper, so you would never know.

A more secure version would involve folding the paper so that the private key is hidden from sight, taping the fold with a seal that can’t be broken and replaced (just search for “tamper evident seals”, there are many different providers and models), and making sure that the private key cannot be seen even if the folded paper is held up to the light.

bitcoin paper wallet
image from bitcoinpaperwallet.com

Even that is not particularly secure. What if the folder, drawer or box that you keep it in floods? Sure, it’s unlikely, but when you’re securing a lot of bitcoins, it pays to think of worst case scenarios (and hey, what with climate change and all…). So, a tightly-sealed plastic bag would help. Or, if for whatever reason you have a machine that seals things in plastic, that would also be a good option (we may be verging on the surreal here, but some people do have them!).

So, how do you protect a paper wallet from fire? I have no idea. Keep it in the freezer? (That definitely would be “cold storage”, he he.)

Also, paper itself is not the most durable of substances. Apart from the obvious risks of fire or water damage, the ink could fade with time, making the keys unreadable. No readable keys, no bitcoin.

You can check your balance at any time using blockexplorer.com or blockchain.info (just type your public key into the search box).


bitcoin paper wallet
screenshot from blockchain.info

Most online wallets allow you to import your paper wallet data. To spend those bitcoins, you will be asked to type in the private key information, or scan the private key QR code (sometimes called the “spend” QR code). Because the private key will have now “touched” the internet, that does (however slightly) compromise its security, and it is advisable to move any remaining bitcoin to a new paper wallet.

Right there you have the main difference between paper wallets and other cold storage methods. With dedicated cold storage devices, the private key never touches the internet. With paper wallets, you do need to input the private key to sign the transaction. And, while steps can be taken to limit the danger, it is possible that the key can be intercepted. (Unlikely, but possible.)

It is worth remembering that the bitcoins are not actually stored in the wallet, they are on the blockchain, associated with those public and private keys – no-one can spend them without the private key, which is why it is important to keep that part of the paper wallet especially secure, and away from prying eyes.

bitcoin paper wallet
screenshot from bitaddress.org

Some good paper wallet generators:

Bitaddress.org and Walletgenerator.net are open-source random address and key generators that uses your browser’s JavaScript engine, so no keys are sent over the Internet. They’re simple and quick, and have a very cool random generator function in which you move your mouse around the screen to mix up the characters in a long string. That random sequence is then used to generate your public and private keys, which are displayed on the next screen, for printing.

Bitcoinpaperwallet.org will create a printout of a colourful paper wallet, with the appropriate fold lines, and will sell you tamper-evident stickers for sealing it shut.

Mycelium offers an original and even more secure way to generate paper wallets, with a USB dongle that you plug directly into your printer. The device generates a paper wallet that automatically gets printed out, without ever having touched your computer.

mycellium entropy bitcoin paper wallet

No doubt others will also come up with ingenious ways to make paper wallets even more reliable. Meanwhile, the current offerings are ingenious, relatively simple, and provide an additional step in bitcoin security. Of course, care needs to be taken. You can’t go scribbling phone messages on the back of your wallet printout if you have bitcoins associated with it. But, following the security measures and advice given above, paper wallets offer a relatively easy way to keep your bitcoin safe and away from hackers and digital thieves. Paper is not the most durable of materials, though. So for serious bitcoin safety, you’re better off with a dedicated cold storage device.

(For more on how Bitcoin works, see Bitcoin Basics.)