1.  Introduction

Currency control has been a powerful tool for governments at least since the Roman Empire. Hence, it is surprising that Bitcoin is still thriving after 5 years, whereas earlier candidate virtual currencies were promptly shut down. Is Bitcoin really more resilient than its predecessors ? Does it really have all the properties that its proponents advertise ? Or is it a giant decentralized Ponzi scheme and an environmental disaster, as opponents argue ?

Regardless of its future, Bitcoin is worth studying as possibly the first software system which successfully binds a wide variety of intellectually-challenging disciplines:

  • Cryptography - the arcane art of securing data and communications
  • Distributed systems theory, including the Byzantine generals' problem and the CAP theorem
  • Economics and game theory - how to engineer sustainable economic systems
  • Politics - the making of consensus.

This article assumes familiarity with Bitcoin concepts such as the blockchain, mining and the 51% monopoly problem. Basic knowledge of economic theory is also expected.

2.  Conventions

"Bitcoin", capitalized, denotes the whole system. "bitcoins", in lowercase, denotes units of account of the currency.

Following the customs of the Bitcoin community, we refer to Bitcoin accounts as "wallets", to emphasize that unlike bank accounts, they do not have to be controlled by a trusted third party.

Following definitions adopted by several banking institutions, we call Bitcoin a virtual currency even though nowadays traditional currencies are just as virtual (i.e. "dematerialized") as Bitcoin.

3.  Common misconceptions about Bitcoin

Note: For a more balanced overview of Bitcoin misconceptions, see also [BITCOINIT_MYTHS].

3.1.  Myth #1: Bitcoin was made possible by advanced cryptography

Actually, Bitcoin uses only two very old cryptographic concepts:

  • Asymmetric cryptography: A public key identifies a compartment ("Bitcoin address") of a wallet, and the corresponding private key authorizes transfers from this compartment.

  • One-way hash functions for bandwidth reduction, for protection of public keys, and as part of the mining scheme.

The cryptographic primitives are ECDSA (2005), SHA256 (2001) and RIPEMD-160 (1996).

Other digital cash systems involve more sophisticated concepts such as blind signatures and zero-knowledge proofs. Many of these systems emphasize untraceability, whereas Bitcoin focuses on eliminating trusted third parties.

3.2.  Myth #2: Bitcoin transactions are anonymous and untraceable

Bitcoin does provide anonymity in so far as anyone can create and use a wallet without providing identification.

However, anonymity is not the same as untraceability. Actually, the way Bitcoin works implies that all transactions are public. Real estate is possibly the only other asset class where that level of transparency is enforced.

The Bitcoin community uses a variety of techniques to work around this constraint:

  • Users are strongly discouraged from publicly posting Bitcoin addresses, although this is a popular way to ask for donations.

  • Some wallet applications refrain from reusing Bitcoin addresses or merging funds, even when this would be the natural way of doing things. But this is merely obfuscation. "Blockchain forensics" appears to be a rapidly growing industry.

  • Using an online wallet provides some protection from public scrutiny, at the cost of having to trust a third party. But flows can still be traced with cooperation from the service provider.

  • There are trusted third parties whose sole business is to "mix" bitcoins from large numbers of users. These cryptocurrency tumblers are the digital equivalent of money laundering schemes, justified by the need to provide some privacy in a public ledger. There are also plans to implement such mixing in a decentralized way.

  • There are semi-legitimate businesses which are technically equivalent to money laundering services. For example, in early 2013, gambling accounted for half of all Bitcoin transactions and 5% of volume.

  • Bitcoins can also be transferred off-chain by simply handing over the private key of their address. For obvious reasons this requires that the recipient trust the sender to forget the key, except maybe if keys are generated and stored inside tamper resistant hardware.

This shows that with Bitcoin, there is a very thin line between protecting one's privacy and actively engaging in money laundering. At the very least, to avoid suspicion, users should refrain from using service providers who operate under foreign jurisdictions with weak financial regulations. Unfortunately the blockchain does not record at what moment money changes hands. So if a law-abiding customer pays a merchant and the merchant immediately forwards the funds to a laundering service, the customer might be in trouble.

3.3.  Myth #3: Bitcoin transactions are instantaneous

It is true that anyone can generate a Bitcoin transaction in just a few seconds, using a variety of wallet applications and online services.

But Bitcoin transactions are not validated instantaneously. Technically, they are never really finalized (except as a side-effect of checkpointing, in some implementations). The system merely ensures that the probability of having transactions invalidated decreases rapidly according to the following timeline:

Offline, within seconds .  A sender signs a Bitcoin transaction, and the recipient verifies the cryptographic signature. This provides about the same security as an anonymous check.

Online, within seconds .  The transaction is broadcast to the Bitcoin network. The recipient obtains an acknowledgement from one or more well connected Bitcoin nodes. At this point the recipient knows, with good probability, that the funds being transferred actually exist, that unsophisticated double-spending attacks will be rejected, and that the transaction is likely to be added to the blockchain within minutes. Note that the concept of "well connected nodes" implies that "some nodes are more equal than others". More about this later.

Online, within 10 minutes .  The recipient obtains a first confirmation, i.e. a proof-of-work endorsement of the transaction. Note that this delay of several minutes makes Bitcoin unsuitable for many popular applications such as point-of-sale payments, vending machines, toll booths and ATMs. Workarounds involve off-chain transactions and trusted third parties.

Online, after 1 hour .  The recipient has obtained six confirmations, which is considered sufficient for most uses. In theory this threshold should be adjusted as a consequence of mining centralization - see Section 3.14, “ Myth #14: Bitcoin security stems from a community of mutually distrustful miners ”.

Online, after 17 hours .  The recipient has obtained 100 confirmations. This is the maturation delay that Bitcoin uses internally to validate newly mined bitcoins.

3.4.  Myth #4: Bitcoin is money

Economists define money as having at least three functions:

  • Medium of exchange .  As of August 2014 Bitcoin does not work well offline. It does not have legal tender status anywhere. No government accepts it as payment for taxes. An increasing number of merchants accept it, but often only via third party intermediaries.

  • Unit of account .  Because of its volatility, Bitcoin is not currently a convenient unit of account. Merchants who accept it typically set their prices in traditional currency and compute amounts in bitcoins on-the-fly. Mainstream adoption would stabilize rates, but only to some extent, for lack of a central authority to provide liquidity, fend off speculators, and prosecute "pump and dump" and "short and distort" schemes. At the very least, in the short term, its market value will continue to reflect fluctuations in the electricity and semiconductor markets.

  • Store of value .  Because it lacks intrinsic value and its future is still uncertain, Bitcoin is obviously not a safe long-term investment.

In addition, money is implicitly expected to be fungible, i.e. two sets of coins, banknotes or bank deposits representing the same numerical amount should be interchangeable. But the extreme traceability of Bitcoin implies that a freshly mined coin might be worth more than one coming from a gambling website or a laundering service. There are proposals to allow bitcoins to be "redlisted", i.e. marked as suspicious.

Note that traditional currencies are not perfectly fungible either. For example, in late March 2013, one euro deposited in Cyprus was certainly worth less than one euro stored anywhere else.

3.5.  Myth #5: Bitcoin is a currency / Bitcoin is a commodity

Whether Bitcoin is a currency or a commodity is only a matter of fiscal policy, with significant implications wherever a value added tax is applicable. If Bitcoin is declared a currency, then a merchant who accepts it is receiving a payment. If Bitcoin is only a commodity, then the merchant is engaging in bartering.

3.6.  Myth #6: How can Bitcoin not be a currency when it has an official ISO code like USD and EUR?

It is true that, in an interesting development, ISO has allocated a three-letter code to Bitcoin. Note that the code is XBT, not BTC.

However, ISO 4217 is not restricted to currencies. It also defines codes for gold (XAU) and other commodities.

3.7.  Myth #7: As a currency and a payment processing system, Bitcoin is efficient

The cost of running the Bitcoin network can be estimated based on the following data from mid August 2014:

  • Total hash rate: 200 PH/s
  • Mining reward rate: 25 bitcoins per 10 min
  • All mining performed on state-of-the-art hardware costing 0.7 USD per GH/s and consuming 0.77 J/GH
  • Hardware must be renewed every 6 months
  • Cost of electricity: 0.15 USD/kWh.

Under these assumptions, the operating cost of Bitcoin is least 250 million USD per year, i.e. about 4% of the monetary base.

According to some estimates the daily transaction volume is about 59 million USD ([BLOCKCHAININFO_STATS]). This puts the overhead at 1.2%. However, this figure could be heavily underestimated because the blockchain does not distinguish between book-keeping operations and actual commercial transactions.

Regardless of how this compares with the operating overhead of traditional currencies and payment systems, a centralized version of Bitcoin would obviously be more efficient.

Users do not have to bear these costs because they are dwarfed by inflation (4% vs 13% - see Section 3.12, “ Myth #12: Bitcoin is deflationary ”). But this cannot last forever, and critics see similarities with Ponzi schemes.

Based on the same best-case hypotheses, it takes at least 190 USD to mine a new bitcoin (hardware: 35 USD, electricity: 154 USD). The actual cost, taking into account the installed based of older hardware, infrastructure and cooling, is probably very close to the exchange rate of 500 USD. Note that this is not surprising: Whereas central banks have a monopoly on issuing their currencies, anyone can mine bitcoins. In a market with no barriers to entry, prices cannot significantly and sustainably exceed production costs. A similar situation exists in the precious metals market, where the market price of gold (about 1300 USD/oz) is close to the average cost of extracting it from the ground (about 1200 USD/oz), despite the overhead of obtaining mining permits.

Is it economically rational for a currency to be worth no more than the cost of producing its tokens ? This is beyond the scope of this article.

3.8.  Myth #8: Bitcoin is open and egalitarian

It is true that Bitcoin allows anyone with Internet access to make international transactions, which is a major societal innovation. Billions of people do not have a bank account, but many of them do have smartphones.

However, the mining process favours those with cheap electricity, cheap semiconductors, cheap real estate and a cold climate. Botnets used to be a concern because they got all of this for free; fortunately ASICs have made them irrelevant. At the time of writing, mining activity appears to be concentrating in China, possibly due to the proximity of semiconductor factories and subsidized electricity costs.

3.9.  Myth #9: The recent rise in exchange rates must reflect massive demand for bitcoins

First we need to understand how the market value of bitcoins is determined.

The Bitcoin money supply is sometimes analyzed in terms of industrial production, as the phrase "mining" suggests. But this analogy does not hold. Indeed, the production of new bitcoins has been centrally scheduled since the beginning. Regardless of how much capital is invested in mining, and whatever the miners do, the difficulty adjustment mechanism will prevent them from producing more than 25 bitcoins per 10 min (as of August 2014).

Actually, the Bitcoin money supply is more like an auction. Everything happens as if a central bank were putting 25 bitcoins up for sale every 10 min. Each miner estimates how much the others are willing to spend and decides whether to match their bids or not. Since Bitcoin does not want to have a central bank, the money goes to the energy and semiconductor industry instead, but this does not affect price discovery.

Unfortunately, it is well known that auctioning scarce resources often results in overbidding. For example, auctions for the allocation of radio spectrum to telecom operators are sometimes organized in such a way that the highest bidder pays the second highest bid, rather than his own. This is done out of fear that otherwise candidates would overbid and go bankrupt. In the case of Bitcoin the only thing that can prevent overbidding is alternative supply from the secondary market, i.e. old bitcoins being offered for sale on exchanges. As of August 2014 the daily production of new bitcoins is about 2 million USD and the daily exchange trade volume is about 3 million USD. Is is unclear whether this ratio between primary market and secondary market can lead to fair price discovery.

All things considered, there are several candidate explanations for the rising market value of bitcoins:

  • Actual demand from users and investors.

  • A perception that due to upcoming regulation, freshly mined bitcoins are more valuable than ones which can be traced back to disreputable addresses. This would explain a disconnect between the primary market (mining) and the secondary market (exchanges), and over-investment in mining hardware. Also, from this perspective, "cloud mining" could be considered as a form of money laundering.

  • Rapid technical innovation: Whenever market prices fall below average production costs, the only way to mine profitably is to invest in newer, more efficient hardware. In the long term this increases production costs for everyone via the difficulty adjustment mechanism.

  • Spontaneous over-investment by miners. Note that this is not economically rational unless miners are secretly expecting a payoff beyond the sale of mined bitcoins. In a traditional market this would be akin to eliminating competition by selling at a loss. More about this hypothesis later.

3.10.  Myth #10: Bitcoin has no processing fees

Actually, the Bitcoin protocol does have provision for fees: Each transaction may include a "tip" which will be claimed by the miner who succeeds in adding it to the blockchain. The network expects a mandatory tip (a.k.a. fee) for unusual transactions which could be interpreted as flooding attacks. There are no fees for regular transactions, but offering a tip incentivizes miners to process the transaction more rapidly. According to some estimates, voluntary fees amount to about 0.3% of the transaction volume ([BLOCKCHAININFO_STATS]).

It is expected that as the Bitcoin monetary base approaches the ceiling of 21 million bitcoins, transaction fees will be the main incentive for miners to keep the network running. Until then, the cost of running the network is paid by inflation. According to some estimates, miners currently receive about 4% of the transaction volume in freshly-minted bitcoins ([BLOCKCHAININFO_STATS]).

3.11.  Myth #11: Bitcoins are inherently scarce, like gold

Proponents argue that Bitcoin is similar to physical gold because by design, mining can generate no more than 21 million coins. However:

  • Since some users entrust the management of their wallets to third-party services who handle accounts off-chain, Bitcoin is subject to fractional reserve banking, just like paper gold. This practice may increase the money supply well beyond the monetary base.

  • Not everything that is scarce is valuable. Gold's value does not result solely from its scarcity, but also from its uniqueness among metals. Bitcoins may be scarce, but there are already about 50 alternative virtual currencies with similar properties. Assuming virtual currencies become popular and their value significantly exceeds the cost of issuing them, exchange rates between Bitcoin and its competitors will be decided by popularity and technical merit. For example, a virtual currency that guarantees both anonymity and untraceability would certainly become more popular than Bitcoin for some applications. Conversely, a virtual currency with legal tender status somewhere, or one with built-in legal compliance mechanisms, would have a better chance of becoming mainstream.

  • The scarcity of bitcoins is not written in stone, nor in math. It is merely a consensual convention. If the Bitcoin community collectively decides that the monetary base should be increased for the greater good, then this can be implemented easily. This could happen if Bitcoin becomes popular and new users feel that the early adopters (now a minority) are enjoying an unfair advantage. In practice this would be decided by a supermajority of miners switching to a new version of the protocol. Miners would probably agree, as this would make their business model more sustainable. Indeed, in the current system, the scheduled reduction of mining rewards threatens them directly.

3.12.  Myth #12: Bitcoin is deflationary

Ignoring fractional reserve banking and competition from other virtual currencies, it is true that eventually the Bitcoin monetary base will increase slower than the economy, and then decrease as users inevitably lose private keys. However:

  • This does not guarantee that the purchasing power of one bitcoin will increase. Ultimately the value of Bitcoin as a medium of payment, as a unit of account and as a store of value will be determined by its actual usefulness.

  • As of August 2014, the Bitcoin monetary base is still growing at about 13% per year.

3.13.  Myth #13: The Bitcoin network is resilient

In practice Bitcoin is only as resilient as the Internet. Like all distributed/replicated databases, it is vulnerable to network partitioning: If a government decides to isolate its population from the Internet, then the blockchain forks and double-spending attacks become trivial.

Bitcoin proponents argue that the blockchain could be kept coherent by various means, including by attaching memory cards to carrier pigeons if need be. However, we have seen that real-time communications are crucial to detecting double-spending attempts and confirming transactions within reasonable time.

Alternatively, the Bitcoin protocol will automatically restore consensus after a partitioning event: When full network connectivity is restored, only the longest fork of the blockchain will survive. Transactions performed in isolation will be discarded. Resubmissions will make it to the blockchain, unless a double-spending attack has occurred in the meantime.

In the context of databases, the network partitioning problem is sometimes solved with out-of-band kill mechanisms: Whenever one node suspects that another node is faulty or unreachable, it actively kills it, e.g. by switching its power supply off. If the mechanism is fast enough, the probability of mutual destruction is low. This approach is appropriate when data consistency is more important than service availability. Bitcoin implicitly has a similar mechanism: The isolated portion of the network will suddenly have less hashing power and will therefore experience longer confirmation delays and lower transaction throughput.

Therefore, users who live under oppressive regimes, who are the ones who most need a trustworthy alternative currency, are the ones who would most suffer from a network-level attack against Bitcoin.

3.14.  Myth #14: Bitcoin security stems from a community of mutually distrustful miners

Figure 1.  Blockchain security vs mining centralization

Blockchain security vs mining centralization

This is the core tenet of Bitcoin as a decentralized currency without trusted third parties. Originally the Bitcoin network consisted of personal computers competing against each other during their idle time. But miners quickly realized that they could increase their return on investment by forming pools. This is a major departure from the zero-trust model because members of a pool have to trust each other and their leader.

As of mid August 2014, the largest pool controls 29% of the hash rate, two pools control 51%, and the seven largest pools control 75% ([BLOCKCHAININFO_POOLS]). Note that these figures are based on voluntary disclosures. There is no easy way to detect secret collusions between pools.

Recall that most players in the Bitcoin industry consider a transaction finalized after six confirmations (i.e. 1 hour). This number used to guarantee less than 0.1% fraud under the historical assumption that no node would ever control more than 10% of the hash rate. But now that one organization is known to control almost 30% of the hash rate, the risk associated with six confirmations has risen from 0.1% to 18%. To bring the risk back to 0.1%, users should wait 25 confirmations, i.e. 4 hours (source: [BITCOIN], page 8).

3.15.  Myth #15: Double-spending attacks will never happen because they would result in a net loss for the perpetrator

It is true that massive double-spending attacks require significant hashing power. Such attacks would undermine the credibility of Bitcoin and therefore reduce the value of the perpetrator's stolen bitcoins and hardware investments. However:

  • Various organizations may decide that they would profit from the destruction of Bitcoin. It is a matter of cost versus benefit.

  • Mining hardware would not lose value if it can be retargeted toward another virtual currency scheme which uses the same hash function. For example, miners could easily attack a minority fork, and conversely a majority fork could wipe out its parent. Par exemple, les mineurs pourraient facilement attaquer un fork minoritaire, et réciproquement un fork majoritaire pourrait ruiner le système dont il est issu.

3.16.  Myth #16: Bitcoin security does not depend on trusted third parties

Ignoring the problem of monopoly mining pools, it is true that the Bitcoin system does not involve trusted third parties. Bitcoin is possibly the first virtual currency with that property.

However, this assumes that the protocol and the rules of mining are fixed forever. But Bitcoin is still evolving, and changing the rules sometimes requires consensus at a higher level than the blockchain. In practice decisions are taken informally by a community of entities with conflicting interests:

  • Miners .  They appear to have a long-term stake in Bitcoin because of their infrastructure investments, but note that the hardware typically becomes obsolete after 6 months. Still, miners would object to any protocol modification that renders their ASICs useless.

  • Exchanges .  As customer-oriented businesses with marketing investments, they probably have a slightly longer-term stake in Bitcoin. Exchanges have to deal with traditional banks and with financial regulators. For example, exchanges based in the U.S. are undoubtedly money service businesses. If a choice had to be made between privacy and legal compliance, mainstream exchanges would certainly favour compliance. Most exchanges already require personal identification from their users. Some of them voluntarily refuse to process bitcoins coming from disreputable services such as unlawful gambling.

  • Core developers .  There is a reference Bitcoin protocol implementation and a group of core developers whom users trust to fix all problems. On two occasion (August 2010 and March 2014), software bugs caused the blockchain to fork, and the developers ultimately decided which branch was canonical. Note that this meant retroactively invalidating transactions recorded on the other branch.

  • Merchants (including workers paid in bitcoins) .  Ultimately they are the ones who will define the usefulness, and therefore the market value, of bitcoins. But most merchants do not have a long-term commitment to Bitcoin. They are willing to receive payments in traditional currencies via trusted third parties who handle the technical details of Bitcoin transactions, as long as the fees are lower than what credit card companies charge.

3.17.  Myth #17: Miners, acting out of self interest, will collectively prevent a 51% monopoly from emerging.

Classical economic theory postulates that anyone with mining resources will choose rationally between these two options:

  • Join the largest pool in existence, and take responsibility for pushing the system a little further toward the 51% monopoly doomsday scenario.

  • Join a smaller pool, and immediately accept a lower return on investment.

The optimal choice depends on the perceived cost of the 51% scenario. History suggests that markets do not fear it, otherwise exchange rates would have crashed in January 2014 when a well-known mining pool approached the threshold, and again in June 2014 when it probably exceeded it despite earlier assurances.

See also: diffusion of responsibility and tragedy of the commons.

3.18.  Myth #18: Bitcoin is already too big to fail

Based on the figures in Section 3.7, “ Myth #7: As a currency and a payment processing system, Bitcoin is efficient ”, anyone can double the current hash rate (and therefore control half the resulting total rate) at a cost of 140 million USD in hardware investments and 554,000 USD per day of operation. The cost of such an attack is even lower if the perpetrator is able to simultaneously kick a few large pools out of the network, e.g. with a denial of service attack, or by sabotaging their power supply, or simply with a legal injunction. Besides, large players could probably negotiate better prices on the hardware, obtain free electricity from idle nuclear plants, and find a use for the waste heat.

The perpetrator would then be able to claim 100% of the mined coins, i.e. 25 coins per 10 min as of mid August 2014. Assuming exchange rates remain stable despite the attack, break-even would be achieved in four months.

These amounts would be pocket change for a coalition of banks or governments intent on destroying the credibility of Bitcoin. High-stake bets are not unheard of in the financial sector.

3.19.  Myth #19: "Blockchain technology" will outlive Bitcoin

Whenever Bitcoin experiences a downturn, proponents tend to emphasize so-called "blockchain technology" instead. It is true that worldwide, decentralized, trustworthy and inexpensive notarization services would be useful, especially in politically unstable regions.

Unfortunately, blockchains cannot be simultaneously trustworthy and inexpensive. The only reason people spend 250 million USD per year on Bitcoin mining (as of August 2014) is because they get their money back in the form of freshly-minted bitcoins. A blockchain dedicated to notarizing, say, real-estate transactions for free, would not be able to reward its miners in the same way.

Besides, a notarization service is worthless without an enforcement mechanism. The Bitcoin blockchain is its own enforcement mechanism, because bitcoins do not exist outside of it. But how would a blockchain resolve disputes about real-estate transactions ? And who would ultimately decide which blockchain is legitimate for each type of transaction ?

3.20.  Myth #20: Anyone can permanently archive arbitrary data in the Bitcoin blockchain

It is true that the blockchain transaction format allows users to record free-form data. Since each node is expected to keep a copy of the whole ledger, as long as the Bitcoin blockchain is maintained, free-riding services can take advantage of this feature to permanently record all sorts of non-financial transactions.


  • The total bandwidth shared among all users is at most 1 MiB per 10 min. This boils down to only 8 bytes per human being per year. Even with an increased block size, it is ridiculous to expect the Bitcoin network to backup everyone's data for free.

  • Nodes could decide to reduce their storage costs by checkpointing balances and discarding obsolete transactions.

  • Pranksters have reportedly already inserted copyrighted content and links to illegal pornographic material into the Bitcoin blockchain. Thus, this feature could become a liability for node operators, and could provide a convenient justification for outlawing Bitcoin.

4.  Other decentralized systems

4.1.  How email became centralized

Bitcoin aims to replace traditional currencies in a way that is reminiscent of how email replaced postal mail.

SMTP, the protocol which defines modern email, is decentralized and peer-to-peer: Anyone can set up MX records in the DNS so as to have email delivered directly to their workstation. That is how things worked in the late 1980s.

But administering an always-on Internet-facing server is a lot of work, so eventually the IT departments of universities and large companies found themselves managing email accounts on behalf of thousands of users. Then in the late 1990s the Internet went mainstream and ISPs started handling email for millions of customers. Eventually pure Internet players captured the email business: In 2014 Gmail has 500 million users, Outlook.com (formerly Hotmail) has more than 400 million, and Yahoo Mail has a few hundred million too.

This shows that most users are willing to sacrifice privacy and control in exchange for access to a free, easy to use service.

4.2.  How public-key cryptography became centralized

When it was (re)discovered in 1977, public-key cryptography was heralded as a revolution that would allow individuals to communicate securely without depending on secret keys issued by trusted third parties.

Almost 40 years later, the decentralized web of trust model pioneered by PGP has failed to capture the imagination of the general public, and every mainstream operating system trusts a few hundred certification authorities, some of which have been hacked, coerced or bribed into issuing fake certificates for prominent Internet domains such as google.com, yahoo.com and microsoft.com.

This shows, again, that most users are not interested in taking charge of security matters.

5.  The Bitcoin endgame

5.1.  Phase 1: Centralized mining

We have seen that from a business perspective, it does not make sense for miners to refrain from crossing the 51% threshold. All it would take for centralization to happen right now is a behind-the-scenes handshake between the leaders of a few large pools. Representatives of the Bitcoin mining industry "accounting for 30% of the world's hashing rate" are reportedly already holding private meetings.

The libertarian advocates of Bitcoin should rejoice that pure unregulated capitalism is giving birth to a natural monopoly in just a few years, exactly as economic theory predicted.

What happens after a pool publicly claims monopoly status ?

  • Bitcoin will not die overnight. The newly established mining monopoly will not immediately abuse its power. It will run the Bitcoin ecosystem as a benevolent dictator, receiving 100% of newly mined bitcoins. Most users will not even notice.

  • The mining monopoly will actually be able to provide better service, e.g. real-time transaction confirmations and guaranteed rejection of double-spending attacks.

On the other hand:

  • Bitcoin will not be decentralized and trust-less anymore. This will be a major turn-off for the users (now a minority) who adopted it for ideological reasons.

  • The mining monopoly will become a single point of failure. Even if its rational interest is to keep Bitcoin alive, it may be coerced into acting otherwise, or convinced to sell out for a good price.

  • At this point the proof-of-work scheme will be useless. However, to fend off challengers, the mining monopoly will have to keep investing in hashing power, at great financial and environmental cost. Therefore the mining monopoly will suggest protocol modifications that will effectively designate it as the central authority.

In the long term, as mining becomes less profitable, the monopoly will try to profit from its position in other ways:

  • Users will find that their transactions clear faster if they voluntarily pay a larger tip.

  • The mining monopoly could also offer privileged access, peering agreements and other value-added services to large players in the Bitcoin ecosystem.

  • Or the mining monopoly will simply change the rules, e.g. it could raise the ceiling of the monetary base beyond 21 million.

5.2.  Phase 2: Centralized governance

Ultimately users will realize that Bitcoin is not what it used to be. This may happen quickly if the mining monopoly finds itself having to make decisions on polarizing issues such as:

  • Privacy versus regulatory compliance
  • How to blacklist stolen bitcoins
  • Whether Bitcoin needs a mechanism to reissue stolen or lost bitcoins (after they have been blacklisted)
  • Whether to ban gambling and laundering services
  • How far back in time any form of taint analysis should apply
  • How to respond to legal injunctions, e.g. seizures of bitcoin assets.

At this point the user community will expect someone to step in and take control. The Bitcoin foundation will immediately come to mind, but a coalition of exchanges might be better equipped to fight the mining monopoly. Several technical solutions will be considered:

  • Periodic checkpointing of the blockchain. Unfortunately decentralized checkpointing is a form of distributed consensus, i.e. the very problem that the blockchain was supposed to solve. Therefore this approach would probably require some kind of centralization.

  • Forbid miners from exceeding a fixed portion of the total hash rate (say, 10%). This would require putting a central authority in charge of micromanaging them, to prevent behind-the-scenes collusions.

  • Make the consensus system more democratic, as in "one person, one vote" instead of "one gigahash/s, one vote". This would require registration, i.e. the end of anonymity.

  • Switch to a hashing function that is less amenable to hardware optimization, i.e. restore the original "one computer, one vote" concept. This would still favour miners with cheap electricity, and bring back botnets.

  • Abandon proof-of-work and switch to proof-of-stake, i.e. "one bitcoin, one vote". This might incentivize users to pool their stakes (i.e. their assets) into banks.

  • Periodically designate new miners at random, as in sortition. But the chosen ones might be tempted to sell their privilege to the highest bidder.

See also: Prohibited changes, Hardfork Wishlist.

Most of these approaches would inevitably divide the Bitcoin community. And the very necessity of such fundamental changes would severely undermine the credibility of Bitcoin and virtual currencies in general. Therefore, the most likely outcome is that nothing will change. Control over Bitcoin will be shared between the mining monopoly and the central governance body, each having the power to destroy the system if the other abuses its position. Note that three core developers already have the ability to broadcast emergency messages to all users.

The governance body will define policies, reasonable fees and terms of use. The mining monopoly will run the infrastructure. Governments will easily coerce both into abiding by financial regulations.

Hopefully all parties will eventually agree on abandoning the wasteful and now useless proof-of-work scheme.

At this point the Bitcoin network will look very much like the VISA/MasterCard ecosystem, except more open and more flexible. Note that with proper security measures (chip and pin) and anti-trust regulation, an international credit card payment system can already operate with an overhead as low as 0.3%. This sets a benchmark for Bitcoin and all other virtual currencies.

5.3.  Aftermath

Will centralization kill Bitcoin ? Probably not. The Internet does need a form of programmable money. For many applications, users are willing to give up on the ability to dispute charges, in exchange for flexibility and savings.

Will centralization weaken Bitcoin and allow another virtual currency to replace it ? Not necessarily. As regulation draws Bitcoin out of the underground economy, alternative currencies will fill the void in that market. But for mainstream use, although Bitcoin is far from perfect, it has proven that it is good enough and it enjoys first-mover advantage in an industry with a powerful network effect. Micropayments and offline transactions will be handled via trusted third parties, whose power will remain limited as long as the core of Bitcoin remains autonomous (at least in theory).

6.  How to avoid centralization

6.1.  Mining quotas

Can centralization be avoided ? Not without sacrificing at least one of the defining properties of Bitcoin.

In this section we argue that enforcing mining quotas is possibly the least damaging course of action.

For example, quotas could be allocated to nations based on GDP or on some measure of political influence (details are left as an exercise for the reader).

Mining quotas are not as incompatible with the spirit of Bitcoin as they appear. After all, Bitcoin already has a built-in production quota: no more than 25 bitcoins per 10 min (as of August 2014). The purpose of quotas would not be to control who is allowed to run the ASICs, but to decentralize control over which transactions are allowed to make it to the blockchain. It does not even matter if all nations decide to outsource the hashing work to China or to Iceland, as long as they prepare the blocks themselves and independently from each other.

Why allocate quotas to nations rather than, say, to individuals or corporations ? The rationale is that nations are natural competitors, and mutual distrust is exactly what is needed to prevent centralization. A variety of political trends and societal values would be reflected in the ways nations organize their share of the mining work and make use of their bitcoins. If all nations were to unite under a world government with unified financial regulations, saving Bitcoin would be the least of its advocates' worries.

The DNS is also decentralized into national top-level domains (plus a few transnational ones) each with its own policy. This promotes freedom of choice for users.

6.1.1.  Benefits of mining quotas

  • Quotas would solve the 51% monopoly problem, which is arguably the main threat to Bitcoin and the gateway to complete centralization.

  • Quotas are a well-understood solution for markets which suffer from the tragedy of the commons.

  • Quotas could slow down the arms race between miners and therefore reduce the environmental impact of mining.

  • By design, mining is a portion of the Bitcoin ecosystem that is bound to become irrelevant anyway. 62% of the target monetary base has already been mined.

6.1.2.  Benefits of national mining quotas

  • National quotas would protect Bitcoin from overbearing regulation, because governments would have to reach consensus before drastic policies can be enforced at the blockchain level.

  • Overseeing mining fits well with the historical tradition that governments strive to control the issuance of money, but not so much its day to day use.

  • Getting governments involved would help legitimize Bitcoin as a mainstream currency.

6.1.3.  Drawbacks of mining quotas

  • Small-scale anonymous independent mining would become impossible. But it is already unprofitable anyway. In other words, mining quotas would safeguard fair and open access to the transaction system, at the cost of turning mining into a closed supervised oligopoly.

  • Ideally, mining quotas should be enforced in a decentralized, trust-less manner. This requires consensual modifications to all Bitcoin software. In practice exchanges would be the easiest to convince, and everyone else would probably follow.

  • Maybe the devil lies in the details and there is no practical way to enforce mining quotas in a decentralized manner.

  • Miners would have to disclose their controlling interests and generally be much more transparent than they are today. But we believe that regulation and transparency are coming anyway.

  • We have hypothesized (Section 3.9, “ Myth #9: The recent rise in exchange rates must reflect massive demand for bitcoins ”) that over-investment in mining might be one of the reasons for the current bubble (2013-2014) rather than merely its consequence, due to the unusual design of the Bitcoin money supply. As quotas would reduce the incentive to over-invest, exchange rates are likely to fall. It is unclear whether Bitcoin is already mature enough to reach a stable market value disconnected from mining costs.

  • Mining quotas do not address the centralization of governance, which could be triggered not only by the emergence of a mining monopoly, but also by a variety of other crisis scenarios.

6.2.  A generalization: maximally-distrustful oligopolies

The idea of national quotas fits well with the whole "mining" and "bitcoins-as-gold" analogy. But we are aware that the Bitcoin community might reject it for ideological reasons. In this section we propose a more general line of reasoning.

Let us start from the beginning. Bitcoin aims to provide a payment system without trusted third parties. This can be achieved by maintaining a public, decentralized ledger of all transactions. From the Byzantine generals' problem, it is known that distributed consensus on the content of this ledger can be achieved if and only if the proportion of dishonest participants is bounded.

Unfortunately, since Bitcoin also aims to provide anonymity, there are no participants to speak of in the first place. Therefore, Bitcoin must resort to an external, decentralized and reasonably fair metric in order to allocate decision rights. That is what proof-of-work is for. Hence the notion that "Bitcoin users vote with their computing power".

We have already mentioned alternatives such as proof-of-stake and pseudo-random selection of who gets to build the next block. But all these systems are biased toward centralization because votes can be bought. Whenever miners join a pool, they are effectively selling their right to debate which transactions make it to the ledger.

Centralization is not inherently bad (actually, it can yield economies of scale). Concentration of power only becomes dangerous when thresholds are crossed, e.g. resulting in the tyranny of the majority. A permanent oligopoly of three equally sized mining pools would make Bitcoin safe and efficient. Unfortunately it is well known that oligopolies tend to turn into cartels through secrets agreements.

Since a posteriori antitrust regulation would be impractical in an open, decentralized system with anonymity, we propose instead to deliberately engineer the oligopoly so as to minimize the risk of collusions. Hence the concept of maximally-distrustful oligopolies. In hindsight, adopting national mining quotas boils down to recognizing that centuries of wars and economic competition have shaped the world into an oligopoly of naturally distrustful entities: nations.

7.  Acknowledgements

Thanks to Stéphane Gourichon for reviewing an earlier version of this document.

8.  Post-scriptum (2016)

This article was originally written in mid-2014. Here is the situation two years later.

8.1.  Mining centralization

Mining is still centralized, but pools now refrain from approaching the 50% threshold. Hashrate distribution is quite stable, with a leading pool claiming about 30% and the second and third pools totalling another 30%. Needless to say, this situation is too perfect to be the result of a natural market equilibrium.

8.2.  Governance

The consensual governance of Bitcoin has been shattered by debates about minor technical issues:

  • The (re-)implementation of Replace By Fee (RBF), a painful reminder that Bitcoin transactions cannot be instantaneous and safe at the same time.

  • The block size limit controversy, which includes an interesting dilemma for the credibility of Bitcoin: On the one hand, if the status quo is maintained, then Bitcoin will not scale and will not be able to compete with mainstream payment systems. On the other hand, if the block size limit is increased, then users will realize that the rules can be changed at any time (including possibly those about the fixed supply and the permission-less nature of Bitcoin).

Several entities exploit this crisis of governance to try and take control of Bitcoin.

8.3.  "Private blockchains"

Various financial institutions are embracing "blockchain technology" and announcing plans about private blockchains. But without decentralized mining, a blockchain boils down to a notarization service operated by a trusted third party.

At best, private blockchains will allow competing banks to keep each other in check, as envisioned in Section 6.2, “ A generalization: maximally-distrustful oligopolies ”. There are rumors that powerful financial actors are able to pressure marketplace operators into reverting transactions after they turn out to be detrimental. An immutable decentralized ledger would prevent this, but would also make it impossible to correct genuine human errors.

9.  Post-scriptum (2017)

9.1.  Mining centralization

Mining centralization is now established, but inexplicably ignored by users. The persons in charge of the largest mining pools have been identified. There is little doubt that they have already been approached by governments and other powerful institutions.

9.2.  Governance

The Bitcoin network is congested and transaction fees routinely exceed 5 USD. This problem was anticipated years ago, but there was never a consensus on how to solve it.

Bitcoin Cash, a hard fork that increases the block size, managed to attract a fraction of the hashrate. The combined value of Bitcoin and Bitcoin Cash turned out to exceed the value of the original Bitcoin, in defiance of basic economic principles such as the network effect and the law of diminishing returns.

Segwit2x, another hard fork masquerading as a protocol upgrade, was cancelled at the last minute. On the one hand, this was the right thing to do: such a major change would have revealed that Bitcoin is not as immutable as its users believe. If a handful of people can double the block size, they can also increase the money supply. On the other hand, this implies that Bitcoin will never be a universal peer-to-peer digital cash system. Rather, it will become an expensive settlement layer or clearing house. The majority of Bitcoin transactions will have to be executed via trusted third parties.

9.3.  Valuation

The value of one bitcoin, measured in USD, has grown tenfold in one year. Let us review possible economic justifications.

  • Production costs have grown tenfold ? Most likely, miners are struggling to deploy new hardware fast enough to preserve their share of an expanding pie. Bitcoin hashrate has grown only 5x over the same period.

  • The dollar has depreciated tenfold ? Not corroborated by exchange rates with other major currencies.

  • The utility of Bitcoin has grown tenfold ? Maybe for Chinese and Venezuelian citizens, now that their governments have taken steps to outlaw Bitcoin. Maybe for victims of recent ransomware attacks. Darknet markets probably haven't grown tenfold; authorities now know how to shut them down. There is a new thing that can only be paid with bitcoins: Initial Coin Offerings, i.e. unauthorized IPOs in disguise; maybe this stimulates demand for bitcoins, like oil does for the USD.

  • Speculation and fear of missing out as fund managers find ways to get in before the bubble bursts ? But if unsophisticated investors are left holding the bag eventually, authorities will have to step in.

  • Price manipulation ? It took governments about two centuries to figure out how to regulate financial markets, and they still cannot catch all the Enrons and Madoffs. Bitcoin, being largely unsupervised, is a fantastic new playground for scammers.

9.4.  Energy consumption of mining

The energy consumption of mining is probably about one nuclear power plant. In response to the recent price increase, miners will certainly invest in new hardware as fast as logistics permits. Therefore energy consumption can be expected to grow significantly in the near future.

Bitcoin proponents will argue that this energy is not wasted because it helps provide a valuable service to users. But the efficiency of a process can only be measured with respect to other known methods for performing the same task. Banks and governments will reply that they can offer an "equivalent" (centralized) service while consuming much less energy. Hence, by definition, Bitcoin is wasteful.

The world is currently in a painful transition toward electric vehicles and renewable energy sources. Someday an energy crisis will force governments to tell miners that they cannot keep wasting electricity while the population is experiencing rising power bills or daily outages.

"Proof-of-burn", a scheme in which tokens are given out in exchange for burning bank notes, is not very different from mining. Actually, it looks more appealing: it does not transfer undue wealth to industries with poor environmental regulations, it does not waste natural resources, and it reduces inflation in the source currency. This shows the absurdity of proof-of-work as a source of scarcity.


[BITCOIN] Bitcoin: A Peer-to-Peer Electronic Cash System . Satoshi Nakamoto. https://bitcoin.org/bitcoin.pdf.

[BLOCKCHAININFO_STATS] Bitcoin Statistics . http://blockchain.info/stats.

[BLOCKCHAININFO_CHARTS] Bitcoin Charts . http://blockchain.info/charts.

[BLOCKCHAININFO_POOLS] Bitcoin Hashrate Distribution . http://blockchain.info/pools.

[BITCOINIT_MYTHS] Myths - Bitcoin . https://en.bitcoin.it/wiki/Myths.