A proposed inefficiency in the Bitcoin markets
Salviati: Simplicio, do you think the Bitcoin markets are efficient?
Simplicio: If you’d asked me two years ago, I would have said yes. I know hindsight is 20⁄20, but even at the time, I think the fact that relatively few people were trading it would have risen to prominence in my analysis.
Salviati: And what about today?
Simplicio: Today, it seems like there’s no shortage of trading volume. The hedge funds of the world have heard of Bitcoin, and had their quants do their fancy analyses on it, and they actively trade it.
Salviati: Well, I’m certainly not a quant, but I think I’ve spotted a systematic market inefficiency. Would you like to hear it?
Simplicio: Nah, I’m good.
Salviati: Did you hear what I said? I think I’ve spotted an exploitable pattern of price movements in a $10 Billion market. If I’m right, it could make us a lot of money.
Simplicio: Sure, but you won’t convince me that whatever pattern you’re thinking of is a “reliable” one.
Salviati: Come on, you don’t even know what my argument is.
Simplicio: But I know how your argument is going to be structured. First you’re going to identify some property of Bitcoin prices in past data. Then you’ll explain some causal model you have which supposedly accounts for why prices have had that property in the past. Then you’ll say that your model will continue to account for that same property in future Bitcoin prices.
Salviati: Yeah, so? What’s wrong with that?
Simplicio: The problem is that you are not a trained quant, and therefore, your brain is not capable of bringing a worthwhile property of Bitcoin prices to your attention.
Salviati: Dude, I just want to let you know because this happens often and no one else is ever going to say anything: you’re being a dick.
Simplicio: Look, quants are good at their job. To a first approximation, quants are like perfect Bayesian reasoners who maintain a probability distribution over the “reliability” of every single property of Bitcoin prices that you and I are capable of formulating. So this argument you’re going to make to me, a quant has already made to another quant, and the other quant has incorporated it into his hedge fund’s trading algorithms.
Salviati: Fine, but so what if quants have already figured out my argument for themselves? We can make money on it too.
Simplicio: No, we can’t. I told you I’m pretty confident that the market is efficient, i.e. anti-inductive, meaning the quants of the world haven’t left behind any reliable patterns that an armchair investor like you can detect and profit from.
Salviati: Would you just shut up and let me say my argument?
Simplicio: Whatever, knock yourself out.
Salviati: Ok, here goes. Everyone knows Bitcoin prices are volatile, right?
Simplicio: Yeah, highly volatile. But at any given moment, you don’t know if the volatility is going to move the price up or down next. From your state of knowledge, it looks like a random walk. If today’s Bitcoin price is $1000, then tomorrow’s price is as likely to be $900 as it is to be $1100.
Salviati: I agree that the Random Walk Hypothesis provides a good model of prices in efficient markets, and that the size of a each step in a random walk provides a good model of price volatility in efficient markets.
Simplicio: See, I told you you wouldn’t convince me.
Salviati: Ah, but my empirical observation of Bitcoin prices is inconsistent with the Random Walk hypothesis. So the only thing I’m led to conclude is that the Bitcoin market is not efficient.
Simplicio: What do you mean “inconsistent”?
Salviati: I mean Bitcoin’s past prices don’t look much like a random walk. They look more like a random walk on a log scale. If today’s price is $1000, then tomorrow’s price is equally likely to be $900 or $1111. So if I buy $1000 of Bitcoin today, I expect to have 0.5($900) + 0.5($1111) = $1005.50 tomorrow.
Simplicio: How do you know that? Did you write a script to loop through Bitcoin’s daily closing price on Mt. Gox and simulate the behavior of a Bayesian reasoner with a variable-step-size random-walk prior and a second Bayesian reasoner with a variable-step-size log-random-walk prior, and thus calculate a much higher Bayesian Score for the log-random-walk model?
Salviati: Yeah, I did.
Simplicio: That’s very virtuous of you.
[This is a fictional dialogue. The truth is, I was too lazy to do that. Can someone please do that? I would much appreciate it. --Liron.]
Salviati: So, have I convinced you that the market is anti-inductive now?
Simplicio: Well, you’ve empirically demonstrated that the log Random Walk Hypothesis was a good model for predicting Bitcoin prices in the past. But that’s just a historical pattern. My original point was that you’re not qualified to evaluate which historical patterns are *reliable* patterns. The Bitcoin markets are full of pattern-annihilating forces, and you’re not qualified to evaluate which past-data-fitting models are eligible for future-data-fitting.
Salviati: Ok, I’m not saying you have to believe that the future accuracy of log-Random-Walk will probably be higher than the future accuracy of linear Random Walk. I’m just saying you should perform a Bayesian update in the direction of that conclusion.
Simplicio: Ok, but the only reason the update has nonzero strength is because I assigned an a-priori chance of 10% to the set of possible worlds wherein Bitcoin markets were inefficient, and that set of possible worlds gives a higher probability that a model like your log-Random-Walk model would fit the price data well. So I update my beliefs to promote the hypothesis that Bitcoin is inefficient, and in particular that it is inefficient in a log-Random-Walk way.
Salviati: Thanks. And hey, guess what: I think I’ve traced the source of the log-Random-Walk regularity.
Simplicio: I’m surprised you waited this long to mention that.
Salviati: I figured that if I mentioned it earlier, you’d snap back about how efficient markets sever the causal connection between would-be price-regularity-causing dynamics, and actual prices.
Simplicio: Fair enough.
Salviati: Anyway, the reason Bitcoin prices follow a log-Random-Walk is because they reflect the long-term Expected Value of Bitcoin’s actual utility.
Simplicio: Bitcoin has no real utility.
Salviati: It does. It’s liquid in novel, qualitatively different ways. It’s kind of anonymous. It’s a more stable unit of account than the official currencies of some countries.
Simplicio: Come on, how much utility is all that really worth in expectation?
Salviati: I don’t know. The Bitcoin economy could be anywhere from hundreds of millions of dollars, to trillions of dollars. Our belief about the long-term future value of a single BTC is spread out across a range whose 90% confidence interval is something like [$10, $100,000] for 1BTC.
Simplicio: Are you saying it’s spread out over the interval [$10, $100,000] in a uniform distribution?
Salviati: Nope, it’s closer to a bell curve centered at $1000 on a log scale. It gives equal probability of ~10% both to the $10-100 range and to the $10,000-100,000 range.
Simplicio: How do you know that everyone’s beliefs are shaped like that?
Salviati: Because everyone has a causal model in their head with a node for “order of magnitude of Bitcoin’s value”, and that node varies in the characteristically linear fashion of a Bayes net.
Simplicio: I don’t feel confident in that explanation.
Salviati: Then take whatever explanation you give yourself to explain the effectiveness of Fermi estimates. Those output a bell curve on a log scale too, and seems like estimating Bitcoin’s future value should have a lot of methodology in common with doing back-of-the-envelope calculations about the blast radius of a nuclear bomb.
Simplicio: Alright.
Salviati: So the causality of Bitcoin prices roughly looks like this:
[Beliefs about order of magnitude of Bitcoin’s future value] --> [Beliefs about Bitcoin’s future price] --> [Trading decisions]
Simplicio: Okay, I see how the first node can fluctuate a lot in reaction to daily news events, and that would have a disproportionately high effect on the last node. But how can an efficient market avoid that kind of log-scale fluctuation? Efficient markets always reflect a consensus estimate of an asset’s price, and it’s rational to arrive at an estimate that fluctuates on a log scale!
Salviati: Actually, I think a truly efficient market shouldn’t just skip around across orders of magnitudes, just because expectations of future prices do. I think truly efficient markets show some degree of “drag”, which should be invisible in typical cases like publicly-traded stocks, but become noticeable in cases of order-of-magnitude value-uncertainty like Bitcoin.
Simplicio: So you think you’re the only one smart enough to notice that it’s worth trading Bitcoin so as to create drag on Bitcoin’s log-scale random walk?
Salviati: Yeah, I think maybe I am.
Salviati is claiming that his empirical observations show a lack of drag on Bitcoin price shifts, which would be actionable evidence of inefficiency. Discuss.
If you were a quant, you would know that random walks on a log scale (geometric Brownian motion) are what people normally use for asset prices. It’s what’s beneath Black-Scholes, for example. An additive random walk can go negative, which prices can’t, but a log random walk is always positive.
(Also note that the fact that the EV is higher tomorrow than today isn’t that meaningful, because of time discounting- if the EV tomorrow is the same as the EV today in nominal terms, you should sell and buy something that’s expected to go up. How does the expected future growth rate compare to other opportunities?)
The book Fortune’s Formula describes a simple investing scheme invented by Claude Shannon, referred to as “Shannon’s Demon”, that’s specifically designed to make money in markets described by log random walks. I found a blog post describing the scheme here. (Some previous discussion.) I’d expect this kind of volatility harvesting scheme to work better for Bitcoins than for other assets because Bitcoins are more volatile.
However, I’m not convinced that the market for Bitcoins is efficient… for example, there are going to be 84 million Litecoins to Bitcoins’ 21 million, but typical investors don’t know that, so 4 Litecoins for $100 feels like more of a steal than 1 Bitcoin for $100 (even Silicon Valley software engineers commonly forget to account for this basic division operation). There was talk on /r/bitcoin about how once the price got to the $1000 range, people seemed reluctant to invest since it seemed so expensive and how things should be reframed as “mBTC”. And I’d expect that quant firms are reluctant to trade bitcoins due to factors like institutional regulation and it not being serious-seeming enough for themselves or their investors.
I think it’s worth mentioning the phrase “Kelly criterion,” because it is so much more popular than “Shannon’s Demon” (eg, it has a wikipedia entry).
I’m doing this (Shannon’s Demon). So far it’s profitable, although I think I’ve taken on more risk premium than investing 50% BTC 50% USD and not balancing.
There no reason at all to believe that the total value of Litecoins should have an easy relationship to Bitcoins. Bitcoin has much more infrastructure for real world usage behind it.
I agree, I’m just arguing that typical investors are not valuing either currency rationally and “failure to account for the denominator” is an argument in favor of this position.
Thanks for the link to Stable Investing. The Permanent Portfolio looks awesome.
That blog post describing the scheme starts out
If the sequence of coin flips has an equal number of heads and tails, you wouldn’t need any complicated scheme to win—you could just bet $0 on everything except the last flip, and you would know with 100% certainty what the result of the last flip would have to be to produce equal numbers, so you’d bet everything on it. This would even work if the win and loss payoffs are equal numerically instead of equal in percent.
I don’t see why anyone would postulate that the sequence of coin flips contains an equal number of heads and tails unless they are confusing “as you flip a lot of coins, it gets closer to 50% heads and 50% tails” (true) with “as you flip a lot of coins, the number of heads gets closer to the number of tails” (not true).
This doesn’t give me high confidence for the rest of that link. (My first suspicion is that the whole thing actually amounts to a proof that this type of random walk is nonexistent.)
It only does in expectation; the underlying process is a martingale. They’re using an illustrative example to show you that investing everything in that random walk leads to a modal expectation of having the same at the end as you do at the beginning.
But that’s an expected value of 0 in log terms; the expected value in linear terms of course follows 1.25^n, where n is the number of flips. Shannon’s Demon reduces the variance in return at the price of reducing the mean return. If you’re only half in the market, your expected value grows at 1.125^n.
But if you have a log utility function, the decreased variance is helpful because then your expected utility grows each period rather than staying flat. (With 100% exposure, your EV of one period is .5*log(2)+.5*log(.5), which is obviously 0, but with 50% exposure your EV of one period is .5*log(1.5)+.5*log(.75), which is positive.) If you have a log utility function, 50% exposure happens to maximize your growth in expected return.
(I do agree with you that the link saying that the offer is a “wash” without bringing in the log utility function, or the tradeoff between variance and expected return, is bad, but those are somewhat subtle issues that they might not want to introduce along with the game.)
That illustrative example highly depends on the number of heads being exactly equal. If the number of heads and the number of tails differed even slightly, the result would not be the same amount that you started with, and the fact that the ratio of heads to tails was close to 50% would not affect that. If you had 100 heads and 101 tails, you’d end up with half as much as you started with, and if you had 10000 heads and 10001 tails, you’d still end up with half as much as you started with.
And if the number of heads and the number of tails was exactly equal, I could guarantee doubling my money simply by waiting until the last flip to bet anything.
Everything else you’re saying is correct, but the example is bad. And I still suspect that this just proves it’s impossible for a real life stock to actually have equal chances of doubling and halving.
Well, real life models generally operate on much smaller timescales, with much smaller step sizes. A model where you increase or decrease by .01 on a log scale (roughly 1% increase and 1% decrease) each step seems much more reasonable, but again the same strategy (of 50% exposure, rebalanced continuously) is optimal for a log utility function.
I have no doubt that a real-life stock can change in a manner similar to a log scale, but if it changed in a manner exactly like a log scale, the company could never fail (sending the value to 0) and it could grow larger than the size of the entire economy.
Given that “it can only grow to a certain size before you exceed the real-life limit” transforms the St. Petersburg paradox from infinite expected value to a small expected value, I would expect to see anyone proposing this model show that such real-life limits don’t destroy this model in the same way.
The optimization that I’ve been linking to- take the derivative with respect to exposure, set it equal to 0- is a 1-step optimization problem. That is, the strategy I’m describing as optimal (Shannon’s Demon) is optimal even if there’s only one coin flip, and because of the nature of the setup and the log utility function what’s optimal for one coin flip is optimal for an arbitrary number of coin flips.
Ok, I admit I was ignorant of this. I just observed that the graph in the Wikipedia article for “Random Walk Hypothesis” was linear-scale. Thanks.
What made you believe that the Wikipedia version of one article gives you an accurate understanding of the complex formulas and computer models that today’s quants use?
Why I wrote the article:
It’s plausible that quants’ methodology breaks down in sufficiently unusual markets. In particular, markets with huge volatility.
I want to propose the object-level idea that efficient markets should show a drag on price movement with respect to expected-value movement.
I would doubt that there aren’t other markets with huge volatility. Certain options are probably high votilite right after related news items get posted.
On the other hand it might very well be possible that there are effects that you can find. There are quants that trade bitcoin but it’s not a big market from a quants perspective
It might very well be that the particular trading algorithm that mtgox uses creates market effects that usual markets don’t which are predictable when you throw the right math at it.
Personally akrasia was the only reason why I didn”t invest into bitcoin 9 months ago. I think that while it was possible that bitcoin might lose all it’s value, the chances that it would get a multiptude of it”s value where high enough to counteract it.
The point can be formulated even stronger: An additive random walk will go negative.
If you wait long enough, almost surely. But while that’s a visible reason to dislike additive random walk models, I don’t think it’s the most compelling- the underlying step change in price dynamics does appear to be a percentage shift, not an additive shift. (If the negativity were the only issue, then you can just set up the random walk to be reflect at 0 so it always stays nonnegative.)
Do we really ? My own view is quite the opposite—a kinda reverse bell curve, with two possible outcomes :
Bitcoin dies, either because the crypto behind it is broken (due to mathematical progress or Moore’s law) or because it gets replaced by other, “second generation” cryptocurrencies, or because states successfully fight it, or any other reason—and then it’ll have a very low value, maybe even less than $1 for a BTC.
Bitcoin survives, and then, because it’s inherently deflationary (fixed monetary mass for an always growing amount of real world wealth) there is no limit to how high the value of single BTC can grow.
But maybe it depends what exactly “long-term” is ?
My main issue with Bitcoin is a consequence of point 2: How can Bitcoin, in the long term, possibly avoid a deflationary spiral? At a certain point, it can’t inflate any more.
My other issue is that the maximum number of tradable units of Bitcoin is 21 million BTC / 10^-8 (smallest fraction trade-able), and 10^15 is not enough currency to run a serious global-scale economy on. But that can be fixed with additional cryptocurrencies more easily than the first problem.
Deflationary spiral is a purported feature; bitcoin is designed to do that. It makes sense under certain economic models. I don’t personally think it was a good choice on Satoshi’s behalf, but then that’s why I co-created Freicoin:
http://freico.in/
There are about 15 trillion U.S. dollars in existence, the closest thing we have to a world currency. Most accounts are denominated in cents. That’s only 1.5e14 units, which is very comparable. (Personally I think you will hit scalability problems long before the transaction volume is high enough to make the minimum precision a concern.)
However you definitely don’t need additional crypto currencies. Use existing mechanisms to fork the transaction format and extend the precision, if necessary.
Simplicio: There are zillions of exotic markets out there. I think you fixate on Bitcoins because they are fun and shiny. Why not instead try to outguess local real estate markets? You are much more likely to be successful.
Is there a way to outguess real estate markets that doesn’t involve buying relatively illiquid properties for thousands of dollars?
BTW, I would be interested in seeing a list of exotic markets if you’ve got one handy.
That would be interesting, if only for amusement. I heard of first “wine funds” appearing, if that scratches your itch for exotic markets.
No, although you could pool resources with a friend. If you have less than, say, $100,000 to invest you really, really shouldn’t be speculating on Bitcoins.
eBay is your best starting point for finding exotic markets.
Unlike real estate which requires much higher amounts of capital (read: your after-tax savings) to invest in, Bitcoins and other cryptocurrencies allow for people with just double-digit or less discretionary income to speculate.
In this manner, speculators/gamblers/investors are able to gain some experience with actual money and trading. The fees on the cryptocurrency exchanges are rather low, and since cryptocurrencies can go down to multiple decimal places, transaction fees of 0.45% (for example) are still feasible even on sub-$1 trades.
Of course, one could say that play money is just as useful for this type of scenario, but I think there’s a cognitive fallacy that tries to explain how people behave when real vs. imaginary money is in play, even though the net effect is essentially the same (let’s ignore the salient point that just $100 invested in Bitcoin in Jan 2013 would have netted $5000 in Dec 2013 as that needlessly distorts the point).
EDIT: One is unlikely to outguess the bitcoin market vs. any other exotic or local real estate market. However, cryptocurrencies allow for one to cheaply test whether they can outguess or not. Real estate is not cheap to test your prediction skills.
It’s hard to say how general financial guessing skills are, and something like “I bought Bitcoin in 2011 and held for two years and now my $1k is $1M, time to start buying real estate because I’m clearly a good investor” seems like a poor idea.
Why?
The percent of your assets you should put in Bitcoins is small enough that if you have less than $100,000 you should have basically nothing in Bitcoins, plus having that small amount of cash almost certainly means you are not a sophisticated investor, and since Bitcoins are very risky (could easily go to zero value) if you don’t have much of an asset cushion you shouldn’t speculate on them.
There are also fun and shiny exotic alternatives.
Salviati: I am proposing a way to outguess any markets that look like random walks on a log scale with a big step size.
This bitcoin conversation has run for almost a week now, and given the site I’d expect the level of reasoning to be quite high, yet when I hit “^Ftax” or “^Fgovern” or “^Fpolitic” almost nothing shows up, which causes me a measure of confusion, because these (much more than “magnitudes”) are key nodes in my causal reasoning about the future value of bitcoins.
From my perspective, the plausible socio-political implications of bitcoin are large enough, and different enough from what I see commonly discussed, that it causes me to question the quality of my own thinking and seek education.
In 1789 Benajmin Franklin wrote a letter wherein he said:
It could be that I’m wrong in my reasoning, but it appears to me that bitcoin allows tax evasion and black markets to function on such a breathtaking scale that if bitcoin persists and expands into common use then I anticipate, like tomatoes in winter, the withering of formal governmental power in its current form (based as it is on tax collection and the ability to regulate the market via indirect oversight) and perhaps even the withering of the public good of reasonably just protection services provided by democratically elected law makers.
Sharply put, it seems moderately plausible to me that either extant governments smash the bitcoin infrastructure, or bitcoin financially strangles modern nation states.
In more detail: If bitcoin turns out to be ineradicable so long as people have access to the untamed Internet (and this seems like an open but fundamentally empirically determinable question) it suggests to me that human communities may collectively face a choice between cutting their wires and jamming their airwaves or else lose the ability to form reasonable transparent organizations with elected officials who manage the local violence monopoly by paying law enforcers better wages than are available to criminals.
Or perhaps I’m underestimating the extent of the revamping that would be necessary? Still, it is hard to see how the IRS, SEC, ATF, or Fed could maintain their status quo operations if bitcoins become the de facto world currency. Traffic in drugs and slaves are relatively limited now, but I’m not sure it would stay so in a bitcoin dominated economy. Ransom payments become significantly more feasible with bitcoin, and the kidnapping market seems likely to grow if bitcoins persist.
Not that payment for protection services would completely disappear forever… Presumably we would switch to tax collectors (either hired by the existing but revamped governments or perhaps the henchmen of whatever violence monopolies replace them) who force people to transfer digital cash in amounts assessed based on visible or statistically inferrable indicators of wealth, or be jailed. Tax evasion in such a world seems likely to take the form of pretending to be poor, which seems to have weird implications for the personal status of the super rich? Facebook-based estimates of taxes owed would be amusing, but less ironic forms of surveillance could work as well. If the super rich were the ones hiring the tax collectors, that could reduce the number of sociologically confusing discrepancies, but it starts sounding somewhat feudal...
The Treasury Department must have people thinking about this? Or maybe the private individuals composing the Treasury Department have non-trivial personal stakes in bitcoin and no civic virtue? Or maybe the problem is international in scope and there’s an element of realpolitik where some nation states expect to weather the “bitcoin winter” better than others? Or maybe… I don’t know… There are a lot of things that could be going on...
In this family of scenarios, it seems like there would be large changes to many parts of the economy, many of which I expect would take a lot of people, including me, by surprise. Maybe drone-based mass surveillance and law enforcement could patch the gaps by enforcing laws so thoroughly at the physical layer than the digital layer can remain anarchic for a while longer? It seems like the kind of “everything is changing, faster and faster” thing that I might expect to be sprung on people in the lead up to various (somewhat disturbing) versions of an Kurzweil-style “smooth singularity”… Kurzweil did predict runaway deflation after all, and 2014 is the sort of year you’d read about something like this happening in a Stross novel.
So, anyway...
I see people trading in bitcoins. I don’t see the government moving to destroy the bit coin markets, or talking about the bitcoin market as though bitcoins were a social scourge that fundamentally disrupts the business model of status quo governments. But I also I don’t see people preparing for a profound restructuring of the political economy and everything effected by the current political economy. Thus, I am confused. I don’t see other people even talking about these sorts of implications, as though they are important open questions. Thus, I am doubly confused.
My best guess as to my confusion’s cause is twofold. I probably lack an adequate understanding of the big picture pragmatics of political economy, also I suspect that the really smart money in the bitcoin market is staying mostly silent so as to harvest money more efficiently. For myself, the political/moral dimension of the bitcoin market has frightened me away from it thus far… whether there is a “bitcoin winter” or a successful smashing of the bitcoin infrastructure, both outcomes seem to suggest that personal and/or political action might be prudent.
The value of information seems high. If anyone could respond here or via PM to help correct my confusion, I would very much appreciate the education!
I’d take bets against Bitcoin resulting in any significant restructuring of government. Remember, Warren Buffett pays lower tax rates than his secretary. Criminals around the world are already quite successful at money laundering. And yet society has not collapsed. This won’t collapse it either.
I have studied “secular/materialist eschatologies” as a reference class, and probably my biggest heuristic-level updates is “catastrophism memes spread fast and wide while being wrong in their catastrophic details and they are harbingers of the existence of a gradualist version of the same theory that is important for quantitative historical models with genuine human implications”. Less “zombies”, more “soft apocalypse”.
This is true, but I don’t think it responds to the heart of my concern. I could potentially rewrite this to something I think might be “gradualized” (with links to make it more local and near mode) but which is also potentially false.
I don’t mean to strawman you and claim you “said” the rewritten version. I’m just trying to show that your statement didn’t connect with my reasoning in a way that alleviates concerns, because I don’t think that I’m worried in a way that your statements (true as they may literally be) would mollify.
Nornagest proposes property taxes to replace income taxes, which is not too far my suggestion that “Facebook-based estimates of taxes owed would be amusing, but less ironic forms of surveillance could work as well.” But if that’s the case then it seems to predict that there should be long term arbitrage opportunities between real estate and bitcoins and that kind of insight seems unavailable in the normal ambit of bitcoin discussion… and maybe I need to go looking for such correlations before saying they don’t exist? :-P
Izeinwinter proposed that hedge funds were trading in Bitcoins while using government insider contacts to know when to bail out of the bubble in advance of the sheep. This seems not too far from my suggestion that “maybe the private individuals composing the Treasury Department have non-trivial personal stakes in bitcoin and no civic virtue?”
Ygert suggests I turn my point into a top level discussion post, which isn’t really my personal style. In the meantime he or she basically accepted that bitcoins threatened status quo government operations and vaulted from there into political theology, with mention of tradeoffs between Democracy and Monarchy themselves. If these kinds of tradeoffs were really on the table, I think I’d expect to see more waves in the mainstream?
I think I remain confused :-(
Even if bitcoin does entail the end of nation-states in current form, a soft transition to anarcho-capitalism need not be apocalyptic. In fact I see signs that we are already moving in that direction, and are already much less of a democracy than is commonly believed.
On the other hand, the USGov by itself is perhaps around 30% or more of the US economy, and it will not be switching to bitcoin anytime soon, if ever. If we add in its influence on the military-industry complex and associated large corporations, there is a very large core base of support for the dollar.
Money laundering at casinos in Australia is as simple as swapping cash for chips then chips for cash in sums of less than 10,000 (the figure above which transactions must be reported to authorities). Society may not collapse, but that’s funding a whole lot of problem gambling misery.
Bitcoin has less anonymity than cash. Every movement of coins is recorded in a publicly verified ledger. You can use some trickery like CoinJoins to try to regain some privacy, but even these can be mitigated by state-level actors, and don’t solve the problem that actually spending coins typically revels your real-world identity to the merchant you are interacting with (who must comply with local KYC laws).
You know what allows tax evasion and black markets on a breathtaking scale? Greenbacks. Do you think a criminal—even a technically competent one—would prefer a suitcase of cash or bitcoin transaction? One of these is, outside of extenuous circumstances, truly anonymous and untraceable.
Suitcases of cash are harder to ship long distances.
I don’t think this is true.
Let me list some points in random order.
Cash allows tax evasion and black markets to function. In the years BET (Before Electronic Transactions) cash and similar pieces of paper were very very popular and they did not destroy governments.
Bitcoin is not anonymous. It’s pseudonymous with transactions being always public. An actor with state-level resources (e.g. the NSA) would likely be able to track sufficiently large amounts of BTC.
Governments have official currencies. There are enough coercive pieces in there so that you can’t just run a whole economy on bitcoins and simply ignore the official currency. This means there must be exchanges and they will be very very important. These exchanges are / will be under full effect of government regulations.
Non-virtual businesses cannot and will not just pretend not to exist and so not owe any taxes (e.g. payroll taxes). Tiny businesses can try to stay under the radar, medium and large businesses can not.
Consider a typical contemporary office worker. He gets a salary, say, in USD. His employer reports that salary to the government so that the government withholds a variety of taxes. Let’s say that worker now gets his salary in bitcoins—how does it improve his capability to evade taxes? His salary is still reported to the government.
I think the potential society-level impact of Bitcoin has been seriously overestimated.
There are plenty of revenue sources available even to a government that can’t effectively track financial transactions. To name one, you can’t hide real estate, or other physical commodities, behind crypto.
Maybe they’re not cracking down on Bitcoin for the same reason China isn’t cracking down on free online proxies. (Read the whole post.)
You sort of seems to be proposing that the US federal government is similar to the government of China, with each using the barrier of trivial inconvenience to forestall otherwise revolutionary processes (non-fiat currency and the free flow of information respectively). Your admonition to “read the whole post” makes me think you’re offering a latent suggest that “libertarian paternalism” might be de facto implemented by creating a bitcoin market that sells banned things and is allowed to exist so long as dumb people can’t be victimized by it because they aren’t smart enough to strategically access it.
I think this is something I’ll have to ponder for a while. Thanks :-)
I indeed explicitly pointed that out in a comment, but as Nornagest mentions it sounds like they have since changed their minds. (Or maybe they were previously unaware of such a market. Prob’ly Gwern has a better explanation for why they left it alone until last October and then cracked down on it than I can think up.)
That would have been a fair description of Silk Road, before it was shut down. Suppose it depends on your parameters for “dumb”, though.
That could be a top-level Discussion post.
You are underestimating… Very badly.. Both the coercive power of a modern government and the sheer bloody-mindedness of a modern government in the face of overt threats.
If what it takes to stop that senario from happening is a zero’th level block in every motherboard, tablet and smartphone sold then you will not be able to buy hardware without that lockout. Chipfabs and assembly plants cant hide from the nice people with the automatic weapons, after all.
Current tax havens exist—at all—because politicians are not really very interested in shutting them down. It would be trivial to destroy them, and wouldn’t take a single bullet. All it would take would be to stop recognizing money transfers to and from those jurisdictions, and the caymans would be nothing but a serverfarm with a bunch of pointless ones and zeroes on it. Escalating to the point where tax evasion become an actual threat, rather than a reason for more donations to politicians would be darwin award level of stupid. Bitcoin is that stupid, by design. Thus it is going to get stomped on.
Which means “the smart money” are likely viewing the bitcoin market as a classic case of tulip mania. This does not mean they are not investing—it is really easy to make money in an inflating bubble if you know you are going to get early warning before it collapses. Hedgefunds have congress critters on payroll, and can therefore be confident that they are going to know that the hammer is about to drop in advance of every other player in the market, and unwind their position onto suitable patsies. Such as tech-libertarians who are buying into the narrative. In the final reckoning, bitcoin might as well have been deliberately designed to separate you. Yes, you. The person reading this. From your money.
Do you know how they catch tax evaders in Italy? They go to the harbour and look at the yachts. edit: and pretending to be poor to cheat taxes completely defeats the point of being rich. Granted, some people will do that, but they effectively eliminate themselves from the economy, as if those coins disappeared, raising the value of all other coins. They pay nearly 100% tax rate. It would be worthwhile to encourage that kind of behaviour, it’s good for the environment, and it taxes more than any government taxes.
You could spend the tax-evaded income on the black market, since you’re hiding contraband from the police anyway.
However they do it, it’s not terribly effective, tax evasion being about 18% of the Italian GDP.
Still quite enough to run the government. One doesn’t even have to try that hard.
Actually we’ve been running deficit for as long as I can find data for, except for about a decade in the 1990s.
But then, who hasn’t? The US?
(edit: Speaking of which, US has the tax law that is effectively anti-progressive on the high range—every big company exploits loopholes)
Good point.
The budget has to be in defecit, or else the whole system falls apart. That’s the modern system of fiat money—it’s based on continued issuance through deficit spending. Just not too much deficit or you end up in hyperinflation.
They mostly don’t. ba-dum tsssh
This is a long and well presented comment: I will chime in with army1987 that you could certainly write this up as a top level discussion post.
My response to it is that I think you are overestimating the value of our current form of government. This could be taken the wrong way, so let me be clear: It is a very good thing that w have a government. Without it, our lives would be nasty, brutish and short. Despite this, government-as-we-know-it (nationalism) is a very recent invention, and while it does some great things (and some not-so-great things), it (in its current form) is far from essential for society.
Democracy is better than monarchy, yes, but that does not mean it is the ideal government. (Recall that famous Churchill quote.) Trying to preserve it when future technology renders it obsolete is a bad idea, in my opinion.
So what should replace it? That is a deep and important issue, and one I can philosophise in depth over. This comment is already long, so I will spare a lengthy discussion here, but it suffices to say that while I am not sure, and this is a topic that needs much deep research and serious thought, I do see several possible directions and solutions that could bare fruit. If you are interested in continuing this conversation I would be happy to expound upon them.
In short, my two related arguments are that: 1) While Bitcoin may or may not bring down nationalism, that in itself does not mean anarchy and and a Hobbesian state of nature; and 2) Democracy is nice, in that it’s better than most other forms of government, but it’s by no means essential.
So a word of warning if you are thinking of playing the long-game here. The source of your observation is that bitcoin is (or has been) apparently undervalued.
But an other explanation is that its a bubble. While spot trading in bitcoin is quite liquid, the derivatives markets in bitcoin are fairly untested, relatively new, and fairly low volume. Right now, if I believe bitcoin is expected to climb, I can easily pile in, but shorting bitcoin takes more effort.
As the new bitcoin derivatives markets grow, its will give counterparties with negative opinions of bitcoin more voice, which may let the air out of the bubble a bit.
Edit: Also, we expect prices to take a multiplicative random walk, the meat here is whether or not the increase in expected value beats inflation/beats other asset markets you can easily invest in.
This is definitely a good word of warning, and I think it’s 60% likely that when the first serious Bitcoin-shorting vehicle is introduced, there will be at least a 30% price drop in the first week (if 60% seems high, remember Bitcoin drops 30% lots of weeks).
I think Dogecoin is an even starker example of what’s possible when you don’t have a derivatives market.
Tangent: Wtf is up with the various types of derivatives markets? Why can’t we just have asset markets and prediction markets?
The first line and Simplicio’s response seem to be incongruous. Was the question meant to be, “Do you think the Bitcoin markets are inefficient?”
Not surprising—the risk free rate (http://en.wikipedia.org/wiki/Risk-free_rate) is exponential, and any efficient asset has to do at least as well in expectation. So expected exponential growth in asset value is exactly the behaviour you’d expect.
Or put more prosaically: if I invest money at x% interest in a bank, I have exponential growth. Therefore any investment that would tempt me away from a bank account, must offer at least exponential growth.
Hm, pretty sure your logic doesn’t make sense here.
By your logic, Euros/Dollar, Yen/Dollar, and other currency prices would also be random walks on a log scale. But I don’t believe they are.
I think the reason Bitcoin is a log-scale random walk is that people’s beliefs about BTC’s Expected Value is Fermi-estimate-like.
And I think the only reason stocks and other standard exponentially-increasing investment vehicles are exponentially increasing, is because they entitle you to a constant fraction of the exponentially-increasingly-valuable economy.
Exponential increase is a consequence of the fact you don’t have enough capital to exhaust investment opportunities or affect the market (much). Suppose I can buy G for £100, which will give me £110 at the end of the year. Then I can buy 2G, or 3G, or xG, giving me £x110 at the end of the year. So my profit is always proportional to my capital (as long as my capital isn’t too large), so exponential growth of investment is the natural state of being.
Add uncertainty, and you get the random walk on a log scale (that’s a little bit more subtle, and needs some other assumptions, but the fundamental argument is similar).
Your explanation is consistent with mine but is more reductionist. Thanks.
Investments in Euros, Dollars and Yens are random walks on a log scale (because of the interest rates on offer in these currencies). Now, Bitcoin doesn’t have any banks paying interest, as far as I know. But the market will still drive it towards random walks on a log scale, simply by people entering and leaving the market depending on how its expected value and risk compares with other commodities and investments. Random walks on log scales are the “natural” state of any investment.
Now people also hold bitcoins for non-investment purposes (as medium of exchange, as a political statement, etc...) But people also hold other goods for non-investment purposes (as a consumption good, for instance). So I don’t see why bitcoin would differ from the usual financial rules.
Is this what you mean by “random walks on log scales are the ‘natural’ state of any investment”: Most assets have fundamental reasons why they grow exponentially, and the assets which don’t must therefore fall exponentially. Anything else going on?
Ok, we’re at the very limits of my understanding, so don’t assume that this is exactly correct, but...
Take the risk-free rate, either how it’s standardly defined, or by just the size of the whole economy. The risk free rate is exponential, but that’s an artefact of it being a “rate”. You can have sub-exponential or super-exponential rates of growth of the whole economy, by varying the risk-free rate from year to year (or from moment to moment).
Then, in a well traded market, for reasons akin to what I mentioned above, every asset will be a random walk on the log scale, with the risk-free rate as the origin (ie if we continually adjust the values by the risk-free rate, we will get such a random walk).
Ok, that seems consistent with what I said.
Several people already pointed out that what is most frequently used as a model for prices is precisely the log random walk. This should have been obvious since no asset can have a negative price, and it is known that the long-term probability of the one-dimensional random walk reaching any specified point (such as zero) is 1 (same for 2D, not so in 3+ D) - this part of how casinos make money.
It is very easy to spot why the random walk model doesn’t make sense for prices, just take the sentence that says “If today’s Bitcoin price is $1000, then tomorrow’s price is as likely to be $900 as it is to be $1100.” Now if the normal random walk model were true, then you could also have said that the price is as likely to deviate by +X as it is by -X for any X. Now take X=1000: is it as likely to cost $0 as it is to cost $2000?
can’t dispute the conclusion but I object to the argument.
Because, the argument doesn’t apply to this model: “Probabilities are calculated from a random walk, except for large unlikely changes, or changes when the price is near zero.”
Approximate models always have a range of applicability. Showing that the model gives absurd results outside the range of applicability for which it’s intended doesn’t mean much.
The fact that there are a stock has a random walk behavior in the log-scale does not imply that its expected future price is larger than its current price. Imagine that when a bitcoin is worth 1000$ today it has equal chance tomorrow of going up 100$ or going down 100$. Then if it goes to 900$, it has an equal chance of going up or down 90$ the next day, and similarly, if the price becomes 1100$, it has an equal chance of going up or down 110$. Then the log-price would have variations on the log scale, but at each step the expected value stays the same.
Please place more trust in the competence of mainstream institutions next time.
No, it would have an equal chance of going up $100 or down $90.
I am presenting a model which shows that log-scale fluctuations do not imply an opportunity for making profit. If you believe this model does not properly describe the bitcoin price movement, I suggest you provide empirical evidence to back this up (your model contradicts EMH, so the prior is in my favor). By the way, I believe my model is equivalent to the standard Black-Scholes model. In the log scale I think it is equivalent to a random walk with downwards drift.
Salviati’s claim at the end reminds me of Einstein asserting that mass has more inertia than you think, but you’ll only notice that when its velocity is really high.
Can you elaborate on why you think this is true?
O hai.
Imagine if everyone agreed that the best way to calculate Bitcoin’s expected future value was to look at a single source of news: the Bitcoin guru. Every day, if the Bitcoin guru goes on TV with his thumbs up, then everyone agrees that that is worth a Bayesian update of 1.25x to the expected future price, while thumbs down is worth a Bayesian update of 0.8x. And no one has a better model of how the Bitcoin guru’s thumb works than the fair-coin-flip model.
In other words, pretend you know that everyone’s expected future value of Bitcoin follows a log random walk. Now you can use inductive reasoning to conclude: If the expected future value of BTC is $1000/coin today, then it will be either $1250 or $800 tomorrow.
I used to think an “efficient market” was necessarily a market which current price captures people’s consensus expectation of future prices. But in my example, it seems possible to have a guaranteed-positive-return trading strategy: investing say 10% of your portfolio in BTC, and constantly trading as required to rebalance your 10% asset allocation.
There are a few names you can use for that...
“Drag Trading”: trading that causes market prices to be dragged toward their past value and away from their current expected future value.
“Shannon’s Demon”: a kind of Drag Trading—trading to maintain a constant % of BTC in your portfolio, i.e. near-continuous portfolio rebalancing.
“Kelly Criterion Trading”: An instance of the Shannon’s Demon strategy, where you choose your asset percentages in proportion to their long-term future relative value, which you derive by asking yourself what relative percentages of the world’s wealth are stored in your different asset classes.
My big point has two parts:
I think I’ve shown that an “efficient market” might not have prices that directly reflect a consensus of future prices, but instead might show some “price drag”.
Bitcoin’s wildly swinging prices is evidence that it is lacking this “price drag”, unless the model of expected future price drag is even more volatile than the exponentially-volatile one in my thought experiment.
Therefore drag-trading Bitcoin seems promising.
You assume trading. Who will be your counterparty?
Wat? A liquid market is a standard assumption.
Are you talking about your assumptions or are you taking about reality?
Bitcoin is plenty liquid right now unless you’re throwing around amounts > $1 mil or so.
Look at the grandparent:
Given that the expected value for the change between today and tomorrow ((+250-200)/2=+25) is publicly known, I wonder who will sell him bitcoins for $1000 today.
In other words, the situation as described is unstable and will not exist (or, if it will appear, it will be arbitraged away very very quickly).
What Vaniver said. Also, emperically, you can look at the current price/order book on an exchange and see that people are in fact willing to sell you these things. If my holdings represented a life altering sum of money it would be time to take less risk and I would be one of those people.
Sigh. Again, look at the context. There is a claim
Which happens to be wrong.
Ah, you’re disagreeing with the model and phrasing it as “if that model were true, no one would sell you btc, but people are willing to sell, therefore that model is false.” Do I understand?
If so, I do not agree that “if that model were true, no one would sell you btc” is a valid inference.
Essentially, the model says “there is free money lying on the ground, just picking it up is a ‘guaranteed-positive-return trading strategy’.”
I am pointing out that free money lying on the ground is an illusion.
If someone has a log utility function, a half chance of $800 and $1250 is as valuable as a certainty of $1000. Basically, people who have more risk than they want are selling to people that have less risk than they want.
(The stated example- of 2.5% growth in absolute terms per day- is very exaggerated compared to actual asset prices, I think. If this were about an asset that had an expectation of 2.5% growth in absolute terms per year, but the high variance, then it would be reasonable to imagine the market being much happier with the $1000 today than the gamble, because of how risky and low-growth it is compared to other options.)
I’m having a little trouble understanding the model.
Is the Bitcoin Guru correct in his predictions? If so, is he taking into account that people might be using your drag trading strategy? If not, then it sounds like the strategy no longer offers guaranteed returns.
Yes, the Bitcoin Guru makes accurate predictions.
No, he doesn’t take into account people’s drag trading behavior, because his conclusion is dominated by evidence about the underlying value of Bitcoin as usable money in the long-term.
Hmm, I might just be misunderstanding.
To make slightly more concrete what it means to say that the Guru’s predictions are accurate, could we say that all his predictions are for what the price will be on Jan 1st, 2019? So when we say he’s accurate, we mean that on that day the actual price will be some starting price, times the product of a bunch of 1.25s and .8s according to whatever his predictions were on all the days in between.
Does this match what you had in mind?
I mean this in the least hostile way possible—this was an awful post. It was just a complicated way of saying “historically speaking, bitcoin has gone up”. Of course it has! We already know that! And for obvious reasons, prices increase according to log scales. But it’s also a well known rule of markets that “past trends does not predict future performance”.
Of course, I am personally supportive and bullish on bitcoin (as people in IRC can attest). All I’m saying is that your argument is an unnecessarily complex way of arguing that bitcoin is likely to increase in the future because it has increased in price in the past.
I don’t know what gave you the idea that I’m talking about Bitcoin prices rising.
I’m suggesting there’s a systematic inefficiency, that the price changes with a predictably large magnitude but an unpredictable direction.
Financial markets typically exhibit leptokurtosis, meaning that rare large declines influence the expected value more than a lognormal distribution predicts. A few years of data are often inadequate to measure that.
I have posted this to /r/bitcoin, so as to allow the market to learn of this proposed inefficiency, and thus remove it, should it in fact exist.
Hey, that wasn’t nice. I assume Liron was partially trying to find advise and/or co-investors for making money off this himself.
In which case he shouldn’t have posted this on a publicly readable website.
Yup
Which thread in /r/Bitcoin?
Here
Not sure what the lesson is, or the question. An improvised model for explaining the seemingly exponential growth is the belief that there is inherent risk of being forgotten as a currency but that this risk falls exponentially with time or price itself. In this model we have efficient markets as in all knowledge is encoded, random walk and exponential growth.
I am sleepy so have mercy with my reasoning.
There no reason why that risk should fall.
Bitcoins has such risks as a mathematician inventing a way to break public key crypto that would completely destroy it. Again if people build useable quantum computers, bitcoin is gone.
For being an digital currency bitcoin has massive amounts of transfer costs. It’s possible that someone creates a better online currency.
This is not completely true—since only hashes of the public key are posted until funds are spent from an address, you need both (a quantum computer or a public key crypto break) and a major break in SHA256. If only one thing breaks, there may be enough time for bitcoin devs to make a fix. It’d be relatively easy to switch to a different address hashing algo, and the whole internet is going to hurt badly if public key crypto can’t be fixed when quantum computers become common, so there’s a lot of motivation to find a replacement.
(It’s hard to imagine a break in SHA256 that’s complete enough to affect mining—weakenings are just the equivilent of running extra hardware.)
(It’s also not completely false, as I still expect events like that to still cause a large temporary depression in bitcoin price.)
Grover’s algorithm cuts hash strength in half. As I understand it, the whole point of 256 bit crypto is to survive the advent of quantum computers, when it degrades to 128 bits. Yes, a quantum computer shouldn’t break SHA256, but quantum computers would almost immediately account for the vast majority of the hashing power, centralizing control of the currency.* Once everyone has quantum computers, it would work again (with a replacement public key system), but given such a disruption, I don’t see much point to salvaging the old currency, rather than starting over.
* I think a gigahertz quantum computer would have the hashing power of the current bitcoin network.
Some relevant numbers: Based on the current target, I estimate that miners compute 5*10^18 hashes per block, 8*10^15 hashes per second. To match that, quantum computers working in mining need to compute 9*10^7 hashes per second.
My math agrees with you. Looks like I was underestimating the effect of quantum computers.
Difficulty is currently growing at 30-40% per month. That won’t last forever, obviously, but we can expect it to keep going up for a while, at least. (https://blockchain.info/charts/hash-rate) Still, it looks like you’d need an unrealistic amount of ASICs to match the output of just 1000 quantum computers.
Given that, there’ll probably be a large financial incentive to mine bitcoins with the first quantum computers. The incentive goes away if you destroy the network in the process, though. It seems difficult to predict what will happen. Single pools have controlled > 50% of the mining briefly in the past.
A lot of unhappy btc holders may see a point, though. :)
In particular, the ability to roll back the blockchain breaks the patches you’ve mentioned for the fact that QC also breaks elliptic curve crypto.
That’s true, but there’s some precedent for picking a block that everyone agrees upon (that exists before quantum computers) and changing the rules at that block to prevent someone from rewriting the blockchain. A lot depends on how much warning we have.
It looks like making a cryptocoin that can survive quantum computers might be a high value activity.
Pubkeys are protected by a dual construction of SHA-256 and RIPEMD-160, resulting in 80 bits of keyspace in a post-quantum world (assuming that existing quantum constructions can be extended into this dual-hash-of-ecdsa-key construction, which is not at all clear).
/nitpick
I always forget about the RIPEMD-160 step. The bitcoin wiki claims that it’s strictly more profitable to mine than to search for collisions, but it seems to me that that’s a function of block reward vs. value of address you’re trying to hack, so I don’t know if I believe that. https://en.bitcoin.it/wiki/Technical_background_of_Bitcoin_addresses
It’s unclear to me how you would actually implement this in a quantum computer; do you have to essentially build a set of quantum gates that implement RIPEMD-160(SHA256(pubkey))? Does this imply you need enough qubits to hold all stages of the calculation in memory at the same time? I haven’t been able to figure out from wikipedia how I’d arrange qubits to do a single hashing operation. Given that it’s a lot of sequential steps, perhaps it actually takes a lot of qubits chained together?
Actually RIPEMD-160(SHA-256(pubkey(privkey))).
That’s a massive understatement. Grover’s algorithm can be used to reverse either RIPEMD-160 or SHA-256 with sqrt speedup. In principle it should also handle RIPEMD-160(SHA-256(x)), just with a lot more qubits. Shor’s algorithm can be used to reverse the pubkey-from-privkey step. I’ll hand-wave and pretend there’s a way to combine the two into a single quantum computation [citation needed].
It’s … a lot of qubits. And you still need 2^80 full iterations of this algorithm, without errors, before you are 50% likely to have found a key. Which must be performed within ~10 minutes unless there is key reuse. So really it’s of zero practical relevance in the pre-singularity foreseeable future.
Technically you are correct. But in no conceivable & realistic future will it ever be more profitable to search for collisions then mine bitcoins, so for practical purposes the wiki is not wrong.
Thanks for the explanation, it seems like I’m not wildly misreading wikipedia. :)
It seems like the more qubits are required for this attack, the more likely we are to have a long warning time to prepare ourselves. The other attack of just cracking the pubkey when a transaction comes through and trying to beat the transaction, seems vastly more likely to be an actual problem.
Do you have any idea how I’d go about estimating the number of qubits required to implement just the SHA256(SHA256(...)) steps required by mining?
So what? Then the attacker waits till someone spents his funds and double spends them and gives the double spending transaction a high processing fee.
Public key crypto is nice but not essential as long as you have central authorities that you trust. We already have to trust certificate authorties. There no reason why they can’t facilitate key exchange more directly.
There motivation to find a replacement but that doesn’t mean that there’s a replacement to be found.
This can be fixed by a protocol addition, which can be implemented as long as there’s warning. (First publish a hash of your transaction. Once that’s been included in a block, publish the transaction. Namecoin already does something like this to prevent that exact attack.)
No, that won’t work. Blocks are rejected if any transaction contained within is invalid (this is required for SPV modes of operation, and so isn’t a requirement that can be dropped). Therefore a miner that works on a block containing transactions he didn’t personally verify can be trivially DoS’d by the competition. They would have a very large incentive not to include your transaction.
I think you misunderstood me—the transaction could still be rejected when you try to get it included in a subsequent block if it’s not valid. The hash of the transaction is just to prove that the transaction is the first spend from the given address; the transaction doesn’t/can’t get checked when the hash is included in the blockchain. Miners wouldn’t be able to do it for free—the protocol addition would be that you pay (from a quantum-safe address) to include a hash of a transaction into the blockchain. You publish the actual transaction some number of blocks later.
It really only makes sense as an emergency “get your coins into an address that’s quantum computer proof” sort of addition. Hopefully the problem is solved and everyone moves their funds before it becomes an emergency.
How does the miner know that there is no other conflicting transaction whose hash appeared earlier?
They don’t.
Suppose you publish hash HT1 of a transaction T1 spending address A, and then several blocks later when you publish T1 itself, someone hacks your pubkey and publishes transaction T2 also spending address A. Miners would hypothetically prefer T1 to T2, because there’s proof that T1 was made earlier.
In the case where someone had even earlier published hash HT0 of transaction T0 also spending address A, but never bothers to publish T0 (perhaps because their steal bot—which was watching for spends from A—crashed), well, they’re out of luck, because A no longer has funds as soon as T1 is included in the blockchain.
The pre-published hashes would be used only to break ties among transactions not yet included in any blocks.
Also, in this hypothetical scenario, the steal-bot from above means you shouldn’t trust funds that haven’t yet been moved into a quantum-computer-safe address; you wouldn’t know who all might have a old hash published with a bot just waiting to spend your funds as soon as you try to move them.
I see. I understand your proposal now at least. The downside is that it requires infinitely increasing storage for validating nodes, although you could get around that by having a hash commitment have a time limit associated with it.
Infinitely is a bit of an overstatement, especially if there’s a fee to store a hash. I agree it might still be prudent to have a time limit, though. Miners can forget the hash once it’s been referenced by a transaction.
The ability to pay to store a hash in the blockchain could be interesting for other reasons, like proving knowledge at a particular point in the past. There’s some hacky ways to do it now that involve sending tiny amounts of BTC to a number of addresses, or I suppose you could also hash your data as if it were a pubkey and send 1e-8 btc to that hash—but that’s destructive.
If you make it part of the validation process, then every validating node needs to keep the full list of seen hashes. Nodes would never be allowed to forget hashes that they haven’t seen make it onto the block chain, meaning that anyone could DoS bitcoin itself by registering endless streams of hashes. Perhaps this isn’t obvious, but note that fully validating nodes do not need to store the entire block chain history, currently, just the set of unspent transaction outputs, and there are proposals to eliminate the need for validators to store even that. If it’s just a gentleman’s agreement then it would be doable but wouldn’t really have any teeth against a motivated attacker.
You certainly don’t want to store data on the block chain by sending bitcoins to fake addresses, sacrificing coins, or other nonsense. That is inefficient and hurts the entire network, not just you. Please don’t do it.
There are already mechanisms to store hashes on the block chain which require no changes to the bitcoin protocol. You simply store the root hash of a Merkle list or prefix tree to the coinbase string, or an RETURN output of any transaction. An output can have zero value assigned to it, and if prefixed by the RETURN scripting opcode, is kept out of the unspent transaction output set entirely. I proposed one such structure for storing arbitrary data here:
https://github.com/maaku/bips/blob/master/drafts/auth-trie.mediawiki
Just stick the root hash in a coinbase string or the PUSHDATA of a RETURN output, then provide the path to the transaction containing it and the path through the structure as proof.
That’s a good point. To make this work, it’d probably make the most sense to treat the pre-published hash the same as unspent outputs. It can’t be free to make these or you could indeed DoS bitcoin.
I did not know you could have zero value outputs. I’ll look into that. (And don’t worry, I wasn’t planning on destroying any coins!)
There’s nothing wrong with sacrificing coins (there are in fact, legitimate uses of that—see the Identity Protocol for example). The problem is creating outputs which you know to be unspendable, but can’t be proven by the deterministic algorithm the rest of the network uses (prefixing with RETURN).
The idea is that the attacker doesn’t get to start attacking the public key until the first transaction is spent. Assuming the attack takes a nontrivial amount of time (more than an hour or so) the spend will already have a few confirmations before the attacker can write their double spend, so they’ll be uselessly behind.
It’s not guaranteed that the first break won’t be something really fast, but people seem to expect it not to be.
Even if the attacker takes on average a day to crack a key that doesn’t mean that he doesn’t have 0.01% to crack a key in a minute.
If there a good reason to assume that the attack needs to last a minimum of an hour to produce a key?
Yes, you are talking about a search in a 2^80 keyspace, even with quantum speedups. It’ll be a long, long time before anyone has the capability to o 2^80 large quantum computations in the span of 10 minutes, much longer until the cost of doing that computation will be less than the value of the coins.
So long as you are not stupid enough to reuse keys, it’s a non-issue.
I have no problem with searching in a 2^80 keyspace with conventional means in a second. I have a low likelihood of finding the key but the likelihood is around the same if I do 100000 searches that take 1 second or one search that takes 100000 seconds.
If I want to stay under a 10 minute time threshold I can just switch the key I’m attacking every second.
I don’t know enough about quantum computation to know whether switching the attacked key frequently possible in the same way with the quantum algortihms but I would expect it to be.
I’m sorry, I don’t understand. That doesn’t make it any more economical. 2^80 is a big, big number: 1,208,925,819,614,629,174,706,176. Assuming you could try a billion keys a second (that’s quite the quantum computer!) then it’d still take you nearly 40 million years before you have a reasonable chance of guessing a single key.
The point is that the 10 minute time limited in which transactions get confirmed is irrelevant and provides no protection.
Shor’s algorithm runs in polynomial time and can thus effectively used to attack public key crypto if you have a quantum computer at your disposal.
Bitcoin public key crypto also runs on ECDSA and Bruce Scheiner annouced earlier this year that he fears the NSA might have the ability to hack into ECDSA: http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/
But you can’t attack the ECDSA by Shor’s algorithm if you don’t know the public key, as is the case with a pubkey-hash address that has never been used. If you avoid key reuse, the only moment when coins are vulnerable is that ~10 minute interval after you’ve broadcast a transaction spending the coins but it hasn’t yet made it into a block.
Yes, but as I said above that 10 minutes interval is irrelevant when you can just change your target key every minute.
As a attacker it’s quite okay to capture random transactions instead of attacking specific transactions.
No, first of all they are qualitatively different. Not all targets are the same. At best you could attack whatever the largest input in your current mempool is, perhaps a few dozen bitcoins at most. Whereas if you could choose your targets, something like this is better:
http://blockchain.info/address/1933phfhK3ZgFQNLGSDXvqCn32k2buXY8a
Second, it doesn’t change the fact that you’d still have this insanely powerful quantum supercomputer running for millions of years before you have a chance at double-spending a single coin. Not economically viable as I said before.
Various people do consider ECDSA to be effectively broken with quantum computers. It’s hard to estimate what a quantum computer of a certain power is going to cost in 20 years.
That said, I don’t need to capture enough coins to pay for the attack. I can buy options on failing bitcoin price and attack. If it’s known that there’s an attacker who randomly hijacks transactions the bitcoin price takes a blow.
Why are we both downvoted?
I’m probably downvoted because lavalamp argued that I’m wrong on a factual level and my rebuttal of his post wasn’t yet online.
I didn’t downvote you, but your points about cracked crypto or replacement currencies didn’t seem to support the statement that there’s no reason the risk should fall.
It seems to me that there are a variety of risks, of which some should go down with adoption and some should not.
Given that it sounds like nobody has actually run the numbers, is there a reason to suspect that bitcoin prices are best modeled by a uniform random walk on the log scale? If it is modeled instead by a weighted random walk with an appropriate negative drift term the expected value of a BTC tomorrow could be exactly equal to today’s expected value (or more exactly today’s value adjusted for inflation).
How does this “negative drift term” work? What variables are in it?
Well, rather then modelling the price at time t by exp(B t) were B is a Brownian motion, you could model it by exp(B t—c*t) for some constant c.
On a more basic level instead of saying that after a day the price will be multiplied by either 0.9 or 1.111 with equal probability, you could have the price multiplied by either 0.9 or 1.1 with equal probability. In the later case, the expected value tomorrow is exactly the value today. On the other hand, because 0.9*1.1 < 1, this later process will end up at 0 in the long run almost surely. Then again, this model would probably only work as a first order approximation to the behavior anyway. If bitcoin ever does manage to become a competitive major currency, its volatility would almost have to decrease drastically.
Salviati is claiming that his empirical observations show a lack of drag om price shifts, which would be actionable evidence of inefficiency.
This is a great post and I will up vote it if you move it to Main.
Alright, done.