89 comments

[ 5.3 ms ] story [ 152 ms ] thread
Side note:

"Minting" sounds so much nicer than "mining". Minting evokes connotations of gold and kings and craftsmen doing skilled work. Mining on the other hand is dirty. I associate digging, holes in the ground, mining waste, depths and darkness with that.

Maybe crypto [0] currencies would have had it a tiny bit easier to not look like an environmentally bad idea (this is purely about the looks of it, not reality) if they had not picked such a bad word to begin with?

[0] Another bad choice of words, imo

with your definitions in mind, i think mining is a lot more appropriate, haha
It is! I meant that they could have whitewashed the concept by using "minting" instead of "mining".
Or recycling. "We recycle electrons into coins!"
Believe it or not but there are people who think that "Bitcoin is a battery" because it can turn energy into money (and "money is easily converted to energy again", Umm... STEM education, we need to have a word because it looks like you are not doing your job properly...).

Here is an example: https://twitter.com/balajis/status/1351214402167578626

Balaji's take is easily the worst, least coherent take on proof of work to date. An absolute carnival of ignorance motivated by self-interest. The lengths people will do to defend the indefensible because it'll make them rich continues to disappoint.
I agree it’s a bad take, but the idea in the article he shared is, in my opinion, reasonable and doesn’t talk about BTC being a battery.

It talks about crypto mining as a last resort to utilizing excess energy produced by “green” sources (wind turbine), ie energy that cannot be sold to the grid or stored in batteries.

That's not, however, what the system incentivizes. It incentivizes using the cheapest energy period. Miners are not incentivized to care even the tiniest little bit about where the energy comes from - as evidenced by them re-opening coal plants. [1]

It's literally un-doing the progress we've made towards a renewable energy market.

It's a fantasy that (a) there's actually tons of energy floating around out there in the wild that can't be stored in some way or transported in some way and (b) that co-locating miners there is more economical than throwing some coal onto the fire.

[1] https://qz.com/1250980/an-australian-coal-power-plant-will-r...

It just so happens that energy that otherwise would be wasted is the cheapest energy you can find. Utilizing that is unequivocally good.

> It's a fantasy that

It absolutely is not a "fantasy". It's called curtailment and it can be greater than 50% at certain times of day in certain areas. Ontario wind production for example curtails 25% of it's energy on average. Please do your research before speaking with so much authority. https://www.iea.org/commentaries/more-of-a-good-thing-is-sur...

> It just so happens that energy that otherwise would be wasted is the cheapest energy you can find. Utilizing that is unequivocally good.

Not necessarily, no. There's no free energy you can just plug into. If the energy is far-flung and remote, then you need to build infrastructure, to co-locate your miners, to build buildings, to build generators, to maintain and service these generators. If it's distributed enough, the lack of economy of scale offsets the fact that you're not paying anything for the power per se. This is self-evident in the fact these "free" energy sources aren't hooked up to the grid.

There's a real economy of scale associated with a big coal plant.

Hence: It is a fantasy that (b) ...co-locating miners there is more economical than throwing some coal onto the fire.

> It absolutely is not a "fantasy". It's called curtailment and it can be greater than 50% at certain times of day in certain areas.

That article's title alone moots your point. "More of a good thing – is surplus renewable electricity an opportunity for early decarbonisation?"

If you use it for mining, it's not going to be used for decarbonization is it?

  The tendency is to treat this primarily as a technology problem for the power system to solve. Indeed part of the solution will lie in improvements in technology. We will need some form of energy storage to convert the excess at one time of day into necessary power system supply at another. Smart grids, especially smarter distribution systems, will be better able to manage increasing shares of renewables as well – and they too will likely have more energy storage. And finally, the growth of EVs (currently driving global battery demand) represents a huge potential source of storage and demand-side flexibility as well.
That is the solution, not hashing it away lol, which was my point.

Hence: It is a fantasy that (a) there's actually tons of energy floating around out there in the wild that can't be stored in some way or transported in some way. I said can't, not isn't, not shouldn't be.

You've in fact strengthened by point because there's enough there to lead to early decarbonization!

Not exactly an education issue, people can make up anything they want and education alone cannot stop them doing it; only shame and consequences can.
These people will justify bitcoin in such insane ways. I see one guy doesn't agree that it's a battery but still thinks mining is a good thing

> Bitcoin let’s anyone with excess energy manufacture sound money. This is a better option than wasting the energy.

There are times where the grid is producing more energy than is being demanded but it's not like it's that difference that's being used to mine. I also don't get why that energy would need to be turned into money. Simply creating new coins isn't useful work (validating transactions is, but it's a horribly inefficient way to do that)

> it's a horribly inefficient way to do that

It's not "inefficient", relatively speaking, if there's no more efficient way to do it while still achieving the same risk profile.

So visa is a few hundred thousand times more efficient. Are we not able to pay people without Bitcoin? The trustlessness and decentralization isn't a value in and of itself, it's value must be measured in its utility.
The efficiency of Visa isn't comparable because it solves a completely different problem than Bitcoin.

And yes, in most cases we can pay each other just fine without Bitcoin. That doesn't negate its specific usefulness.

It's already well documented that you don't see the trustlessness and decentralization to be a value for you personally. If that's the case then simply don't buy any. Those who do get value from those properties will use it, as is the case now.

Sorry its no longer that simple. It's wasting as much power as all of Switzerland and all of Austria combined. 52MT of CO2 emitted annually. 10kT of e-waste. And growing like grey goo. [1] Dormant coal facilities are now being re-activated to hash noise as fast as they can. [2]

This is literally everyone's problem now and we should all do everything we can, tell everyone we can, to shut this down before it's too late.

Your game of pass-the-spreadsheet-cell is now actively threatening the lives of people on the planet at probably the most critical time in human history re: global warming. I have general distaste for the MLM nature of most coins in this frothy climate - but those $SAFEMOON and $CUMMIES folks are just going to lose money, not ruin Earth. I mostly do everything I can to end Bitcoin by raising awareness. You should too.

I'd be just as vocal if your coin was based on proof-of-killing-elephants or proof-of-having-a-tire-fire-on-your-lawn.

[1] https://digiconomist.net/bitcoin-energy-consumption

[2] https://www.newsbtc.com/news/bitcoin/australian-power-compan...

As is commonly pointed out in these threads, that's likely only around 60% the usage of idle always-on electronics in the US. Isn't that a way more obvious low hanging fruit? Human activity uses energy, that's unavoidable.
> As is commonly pointed out in these threads, that's likely only around 60% the usage of idle always-on electronics in the US.

Luckily Bitcoin mining is utterly centralized. In fact turning off a single mine in Xinjiang cut power consumption by 1/4-1/2.

> Isn't that a way more obvious low hanging fruit?

No. Is idle device power in the US rising? Some data shows one of the biggest sources of idle power is halogen bulbs being left on which are being replaced with LEDs over time - unlike the exponential rise in BTC power consumption. Not to mention, it requires 400,000,000 people to each act. Killing Bitcoin requires a few people to act. Much easier. And of course, both should be done.

> Human activity uses energy, that's unavoidable.

Yes, much more when we choose intentionally 400,000X less efficient technologies because of idealism or because they're "neat." Living in a society requires we make compromises to ensure our shared survival. Our consumption is the sum of our choices. Time to start making some better ones.

This whataboutism and nihilism is pretty much a guarantee of inaction on all fronts. Step up and do the right thing!

I never said anything about which technology was easier to kill. The question is which technology can be made more efficient while retaining its utility. The subtle implication is obviously that Bitcoin isn't useful, but what is the point of writing all this just to essentially restate your presupposition that Bitcoin isn't useful? I already know you believe it's not useful, but it's not up to a single individual to decide that.

> when we choose intentionally 400,000X less efficient technologies because of idealism or because they're "neat."

Like I mentioned already there's no reasonable way to compare its efficiency to technologies like Visa which solve a totally different problem. So this is a useless and misleading metric aside from the obvious strawman that cryptocurrencies are only useful because they are "neat".

> The subtle implication is obviously that Bitcoin isn't useful, but what is the point of writing all this just to essentially restate your presupposition that Bitcoin isn't useful?

Not talking about Bitcoin, just PoW. The implication is clear: it uses a ton of energy and achieves almost nothing with it relative to competitive technologies.

> Like I mentioned already there's no reasonable way to compare its efficiency to technologies like Visa which solve a totally different problem.

Yes there is, it's by dividing into kWh per transaction. You can't pretend this away because you don't like the landslide loss.

[edit] I'm sure you well know those counterarguments are meaningless because they fly in the face of math. Look this is typical of crypto folks, who know well they're melting the ice caps to enrich themselves. It's shameful, and you should feel bad for participating in this. The comparison in the domain is against, for instance proof of stake coins.

I am sure you know well the counterarguments to measuring by kWh per transaction.

- The power consumption of Bitcoin has almost nothing to do with the transaction rate limit. Increasing it would have basically no impact on the power consumption. So it doesn't make sense to look at the energy usage on a per transaction basis.

- It's debatable whether there is actually a need to increase the transaction rate limit yet, whereas it's obviously necessary for Visa to process a high transaction rate right now and so it makes sense that Visa would have optimized for that already. I think even the "small blockers", who prefer the current low rate, can agree that the rate will need to be increased eventually.

Incidentally the last time [well, more like the 215th time ago, because this thing comes up like 10 times a day] this came up, I came up with a figure for US junk mail's CO2 footprint that was comparable to Bitcoin [US junk mail volume is something in the 6 million ton range, and the figures I got for paper were 3-10 pounds of CO2 / pound of paper].

I'm not bringing this up to dispute anything you just said, more that if you're looking to crusade against industries that generate a huge amount of waste to benefit a relative few, I think there's a strong argument for also killing junk mail along with PoW cryptocurrencies.

Bitcoin solves a problem that has corrupted governments for millennia. Control over the supply of money gives central bankers the ability to steal money from the people and funnel it into paying off politicians and doing other country destroying bs. Once you understand how bitcoin will eliminate a major source of corruption in our world you'll finally understand it's value
It does not. It only appears to on its face. Blockchain can only extend its trustless, decentralized and permissionless guarantees to the data on chain. These guarantees break down at the boundary between the blockchain and the real world. All the blockchain said is 1BTC=1BTC and which coins are associated with which keys. It doesn't say how much value each coin represents. Tether does that.

> Control over the supply of money gives central bankers the ability to steal money from the people and funnel it into paying off politicians and doing other country destroying bs.

Central banks don't print money and funnel it off to politicians lol. They control the money supply by deciding how much credit should be extended and at what interest rates and from time to time provide stability through buffering via purchase and sale of treasuries.

> Once you understand how bitcoin will eliminate a major source of corruption in our world you'll finally understand it's value.

It has created a whole slew of new kinds of corruption and crime, and all the existing corruption and crime remain. It's been a net add of corruption and crime.

> It doesn't say how much value each coin represents. Tether does that.

No. The market does that. I'm not sure why you think this is different than how the value of, say, a dollar represents.

> Central banks don't print money and funnel it off to politicians lol.

You misunderstand. Its not that direct. Central banks print money used to fund things like government loans (ie bonds), among other things. Member banks buy the government bonds and sells them at a profit to the central bank. The owners of those member banks in turn pocket that money and use some of it to fund the legalized corruption known as lobbying. This is not the only funnel that looks like this that comes out of the financial industry. There's a reason that Goldman Sachs "alums" trawl DC like cockroches.

So.. very much not lol. Not lol at all.

> They control the money supply by deciding how much credit should be extended and at what interest rate

I think you've missed the last 15 years where they started buying whatever they want in "open market operations". Where were you in 2008... or like the last year and a half?

>It has created a whole slew of new kinds of corruption and crime

You're misinformed. Show me one way that bitcoin has lead to new kinds of corruption. I would be very surprised if you could name a single thing and have some credible information about it.

> No. The market does that. I'm not sure why you think this is different than how the value of, say, a dollar represents.

Well most markets aren’t made up of 95% fictional trades, according to an ETF that attempted to list two years ago.

> You misunderstand. Its not that direct. Central banks print money used to fund things like government loans (ie bonds), among other things.

You misunderstand. Central banks don’t print money, they set reserve rates, interest rates and they occasionally purchase and sell bonds. Nothing more.

> You're misinformed. Show me one way that bitcoin has lead to new kinds of corruption. I would be very surprised if you could name a single thing and have some credible information about it.

Ransomware and tether (unless you count the liberty reserve and even that was nowhere close).

A point that I always try bring up is that adding more mining capacity shifts the distribution of coins but it doesn't change the rate of mining at all.

Ideally you'd have the compute power be tiny amounts divided up over a large number of people. But that would require everyone participating to be principled and using Bitcoin because of its decentralized nature instead of as a way to make money. Human nature would never let that happen.

Indeed, because proof of waste will centralize around the place where the wasted resources are the cheapest.
Bitcoin isn't a country. It's ridiculous to compare bitcoin's energy usage to countries because it's international. Video gaming uses more energy than bitcoin mining, so stop parroting this BS false narrative that bitcoin is so wasteful.
> Bitcoin isn't a country. It's ridiculous to compare bitcoin's energy usage to countries because it's international. Video gaming uses more energy than bitcoin mining, so stop parroting this BS false narrative that bitcoin is so wasteful.

Your point about video games is pretty asinine because a meaningful portion of the 8 billion people on earth playing video games. We have virtually nobody using Bitcoin because its so incredibly hamstrung. [2]

Based on this data [3] playing video games for 4.4 hours a day for an entire year consumes 823kWh. A single bitcoin transaction requires 1127.77kWh. [1]. So you can either play 6 hours of video games on your 3090 in ultra 1440p144Hz - or move 250 bytes of data.

Bitcoin's 3TPS currently yields as much CO2 as burning 1 ton of coal per second and generates 10kT of non-recyclable e-waste, which also includes a bunch of gold that has to be mined to make the systems in the first place. [1]

All for 3TPS lol.

[1] https://digiconomist.net/bitcoin-energy-consumption

[2] https://www.greentechmedia.com/articles/read/global-gaming-c...

[3] https://www.greentechmedia.com/articles/read/global-gaming-c...

> Your point about video games is pretty asinine

Well, I would have good points I could write. However, if you're just going to insult me, I'm not going to waste my time.

Hm did I offend? If so my bad! Cheers and enjoy your evening. I do however suspect you have no good points to share and hence your exit from this debate. Your point may have been asinine (I do not plan to walk that back) but that says nothing of you, it wasn't a value judgement on the speaker.
thanks for switching discourse like this. I think the defining problem of politics (and by extension change) nowadays is that people don't call out antisocial behavior anymore. Nearly every society in the past did this one way or another in the non-autocratic parts (farmers villages, soviet,...). Nowadays we have a system run by psycho- and sociopaths (aka the McKinseyan PMC) and we can't get at them because wokeness-brigade tells us: poor things, don't hurt them...
> There are times where the grid is producing more energy than is being demanded

That never happens. The production and demand in the electric grid must always be matched. When they are not, the voltage and frequency increase (excess production) or decrease (excess demand), and control mechanisms on all generators in the grid regulate the production so that it matches the demand again; if that's not possible (because the production and demand are too mismatched), safety mechanisms disconnect parts of the grid (and power off the generators) to avoid costly damage.

Minting implies exercising seigniorage authority, whereas mining physical commodities is naturally distributed (no central authority). The latter term is much more appropriate to describe issuance-via-PoW.
Before you mint a coin, you have to mine the metal ore :)
Miners technically do have seigniorage authority since they can collectively decide to change the underlying cryptocurrency.

Miner's de facto control of the network is a huge problem. It's why Bitcoin will never solve its energy use issue, and why Ethereum set up a "delayed difficulty bomb" to force miners to accept changes to the network.

> Miners technically do have seigniorage authority since they can collectively decide to change the underlying cryptocurrency.

The failure of the Bitcoin2x proposal and adoption of Segwit in 2017 demonstrated that miners do not have as much control as they might like to think. If node operators don't accept their blocks, they lose money.

I agree that miners don't have control if the social consensus goes against them

I think the exchanges have the most power, given the current state of the network where very, very few businesses will directly exchange goods and services for coins and most use of Bitcoin is done by converting to fiat through an exchange.

Looking back to 2017, there was the Bitcoin Cash fork. As I recall, Coinbase handled this in a fairly neutral way: if you held 1.0 BTC on the exchange, after the fork you held 1.0 BTC and 1.0 BCH, and trading was supported for both, so the market found a price for each. The only bias here is letting Bitcoin Core keep the "BTC" ticker symbol.

Suppose the top 3 exchanges had done the same thing, but treated Bitcoin Cash as the "real" one that trades under the BTC symbol (and is referred to on the exchange as just "Bitcoin"), and Bitcoin Core as the "fork" with a new symbol like BCC. Maybe even call it something lame like "Bitcoin Classic". Would that have affected which one won? Maybe a bit... but enough to make a difference, I'm not sure.

What if they really wanted Bitcoin Cash to win, and went a step further? What if they gave Bitcoin Cash the BTC ticker and didn't implement trading pairs for "Bitcoin Classic"? They'd still let you withdraw your forked "Bitcoin Classic" to your self-custody wallet, and you could send it from there to some other small-time exchange to try to dump it... but you couldn't trade it on Coinbase, Kraken, or Binance. What would have happened then?

There's no way of knowing, but if you asked me to guess, I'd say that what we call Bitcoin Cash today would've won. Bear in mind, for those who have strong opinions about BCH vs BTC... I have no opinion about which one is better or which one should be the "real bitcoin". I'm just speculating that, if they had wanted to, two or three big exchanges could have swayed that decision the other way.

> Miner's de facto control of the network is a huge problem. It's why Bitcoin will never solve its energy use issue, and why Ethereum set up a "delayed difficulty bomb" to force miners to accept changes to the network.

Not sure we should go as far as stating their control to be "de facto" as there has been no major cases of miners splitting a mainstream chain and "winning". Most examples are miners going one way, then slowly dying until they move back to the main chain.

I think given that one of the key aims of crypto was moving away from an inflationary model where new money can easily be created using a term other than minting was a conscious and considered move. Mining sounds harder and it is!
Minting has been throughout its long history associated with fraud. There's a reason people used to have to weigh the minted coins they received from transactions to make sure the minter was delivering the amount of gold or silver or other backing metal in the coin's alloy. Just another perspective on minting...
I'm not so sure "cryptocurrencies" is a bad word: it's basically cryptography everywhere. But transforming "crypto" to mean "cryptocurrency" is bad I agree.

Ethereum seems to be very serious about moving to proof-of-stake. It is a big project and they don't seem very concerned about the papers saying that "proof of stake cannot possibly work". I don't know if PoS can work or not but it's going to be costly for attackers to try to find out (as they'll get they staked deposit slashed if they try to attack the blockchain).

These days the phrase cryptocurrency is a misnomer, very few blockchain projects are designed to be just a currency.

Ethereum is the native currency of the Ethereum blockchain but Ethereum is not only a currency but a smart contact platform. Tokens on these platforms are rarely currencies too, as an example they can represent voting power, a stake in a software project or virtual goods.

Even blockchain is becoming a misnomer as most base player platforms are using more intersting techniques.

Maybe the transition to Proof of Stake is the time to change terminology. Proof of Work is really a lot like mining, digging around to see if a nugget is there, while Proof of Stake is a community of self-interested institutions sharing the same signature.
Ooh, the original Chaum paper!

Chaum "coins" behave a lot more like bearer instruments or "free banking" notes; they're IOUs issued by a bank that can be traded.

The advantage over a database is that there's some ability to do offline transactions, although the double-spend prevention is done through the originating bank.

The advantage over bitcoin is that is uses a tiny fraction of the energy. It's also naturally a "stablecoin", rather than highly volatile.

The disadvantage compared to Bitcoin is that it’s hardly meaningfully different from using Paypal or something.
How do you figure?
In short, the suggested method by Chaum requires a trusted 3rd party (bank). The topmost invention of Bitcoin is that it requires no trusted 3rd party.
> it requires no trusted 3rd party

Or, at least not the same 3rd parties. Instead, it requires trusting a much larger host of other 3rd parties, many of which are anonymous, and likely none of which will provide recourse if you lose your bitcoin due to their failure or malicious intent.[1]

Bitcoin represents a shifting of trust; not an elimination of trust. That's not to say there is no value. It's just that there are significant risks involving trust that are overlooked by most holders.

[1] https://www.schneier.com/blog/archives/2019/02/blockchain_an...

I wouldn't say those risks are overlooked by most holders, rather that risk profile is exactly the reason why anyone would want to use cryptocurrency to begin with.

Perhaps some hype artists would claim otherwise, but they shouldn't be defining how you view the technology itself.

Yes, I think it's important to distinguish between the technology & its current use case. The technology is promising (though in bitcoin, stagnant). The primary use case right now seems to be financial speculation. That would have to change in order for any crypto currency to really gain any sort of mainstream traction as an alternative to traditional cash or credit (banks).
I don't believe this is accurate.

As trust is spread across the network to an increasing number of people running nodes, the trust assigned to any individual participant approaches zero.

This can be observed in the resilience of the network, as it self-heals against any attacker or alternative fork from the consensus.

Bitcoin has democratically ossified into a store-of-value with absolute scarcity, deterministic monetary policy, and a priority on decentralization. It's extremely unlikely that those attributes will be compromised.

> As trust is spread across the network to an increasing number of people running nodes, the trust assigned to any individual participant approaches zero.

If only we knew this was true.

An increase in the number of people running nodes does not guarantee that the maximum trust assigned to any individual participant approaches zero. What is the size of the largest Bitcoin whale? What is the size of the largest Bitcoin cartel? How do you know that the share of the largest Bitcoin whale or cartel isn’t increasing? What prevents China from deciding to eliminate the Bitcoin threat to its control by taking over the Chinese miners and launching a 51% attack?

Even if you are willing to believe that trust is well distributed across many independent entities, you still need to have greater trust in your own security and IT skills. When your wallet is hacked or you lose your credentials, there’s no number to call to recover your Bitcoin.

Bitcoin still requires significant trust, which is often overlooked.

> What prevents China from deciding to eliminate the Bitcoin threat to its control by taking over the Chinese miners and launching a 51% attack?

China isn’t stupid.

If they 51% attacked Bitcoin (completely contrary to their self interest), everyone would switch to a different hash algorithm and now China has burned tens of billions of capital, hurt their reputation, and achieved nothing.

You trust China to not attack Bitcoin because you consider it against their self interest.

China just launched its own digital currency.[1]

“In order to protect our currency sovereignty and legal currency status, we have to plan ahead,” said Mu Changchun, who is shepherding the project at the People’s Bank of China.

China isn’t the only major power that needs to monitor transactions and maintain control of its money supply. There are plenty of capable parties that could launch a 51% attack and they’re unlikely to take responsibility for it afterwards, so reputation is hardly a factor. The fact that another hash algorithm could be used later doesn’t matter. A government doesn’t stop defending its interests just because threats change.

Certainly, there may never be a 51% attack, but it will not be surprising if it happens.

[1] https://www.wsj.com/articles/china-creates-its-own-digital-c...

Trust approaches, but never reaches, zero. In practice though, so few people run full nodes relative to the whole that trust is still not nearly as decentralized as it might appear. A few rough estimates from simple searches indicates that only 10% of about 1 million miners actually run a full node.

Further, while this article is about 2 years old, it indicates that many miners use outdated software that may have vulnerabilities. [0] Even assuming those expressed in the article have resolved, it may very well be the case that similar proportions of miners today aren't running the most recent software & are vulnerable to newer attacks.

Finally, while bitcoin may have ossified, I don't think that is has done so as a store of value (at least not year). A solid store of value should not fluctuate in value by 5%, 10%, 15% on a fairly regular basis.

If I wanted a good store of value, I would still be looking at the traditional option of gold or, at least over the long-term, real estate. Though I suppose if the world economic system every goes belly up, neither bitcoin, gold, or real estate will be of much use. In that case, the best store of value would be long-term shelf-stable food.

[0] https://thenextweb.com/news/bitcoin-100000-nodes-vulnerable-...

> A solid store of value should not fluctuate in value by 5%, 10%, 15% on a fairly regular basis.

What do you think it should look like when an asset monetizes from nothing to one of the world’s largest assets in under 15 years? A nice smooth geometric curve?

You don’t have to trust a “host of third parties” - you merely have to predict that a majority of third parties will not economically sabotage themselves.
...and to achieve that, Bitcoin has a backwards approach to security where the honest parties must work harder than the attackers, which ultimately means that nobody can confidently say that the system is secure unless a majority of energy produced on Earth is being devoted to honest parties mining Bitcoin.

It is also wrong to suggest that the bank in Chaum's system is a "trusted third party," as if the bank can unilaterally break any security property of the system. In fact the bank in an ecash system is very much constrained. The bank cannot violate a user's privacy (in the sense of linking a user's transactions) unless the user attempts to spend the same coin twice. The bank's ability to claim that a user was trying to conduct some kind of double-spending attack is also constrained (the no-frame-ups property) so that a user must actually attempt to double spend a coin for the bank to produce evidence of such a crime. It is also possible to create a distributed trust model where several parties must jointly issue the coins (threshold blind signatures).

Unlike Bitcoin, the security model of ecash is well-defined and follows the basic philosophy of cryptographic security: the computational difficult of attacking the system grows exponentially with the computational work performed by honest parties. Put another way, the energy expended in an ecash system will grow linearly with the number of transactions being performed in the system, and the incentive is to reduce the energy consumption by finding more efficient ways to process transactions. If the cost of a well-defined, rigorous security model, a system that incentivizes minimizing energy consumption, and features that Bitcoin can never actually support (e.g. direct peer-to-peer payments that do not require an Internet connection or any communication with any third parties), is to have a central bank or consortium of banks that issues the coins, you can count me in.

> unless a majority of energy produced on Earth is being devoted to honest parties mining Bitcoin.

Nope, try again

How do you know when enough computational effort / energy has been devoted to mining i.e. how do you know that there is no attacker out there who is working harder than all the honest users combined?
You can calculate how much capital an attacker would need to purchase the necessary mining equipment. When that amount of capital is more than large nations would be willing to commit, then you know it's pretty safe. Currently, the amount of capital is in the tens of billions, which is already rather out of reach for most governments to allocate for this kind of thing. Yes a government like the US could theoretically do it, but it would be incredibly difficult to make that fly politically.
That is a lot of assumptions about an attacker's means and willingness to invest in the attack. German cryptographers made that same mistake during World War II: they knew how to attack the Enigma cipher in principle, but assumed, incorrectly, that none of the allied powers would be willing to make the necessary investment. Tens of billions dollars is within reach for many governments, corporations, and even some individual people. It is not hard to imagine what might motivate an attack, whether politically (perhaps to disrupt the Western financial system once more institutional investors have take on large Bitcoin positions) or financially (imagine building a large short position in Bitcoin futures, then executing a 51% attack).

Moreover, why assume that the attacker will necessarily have to work as hard as the total work being done by honest miners, when the attacker might first try to take down the largest miners as a first step to reduce the capital investment? Blackouts in China significantly reduced the hashrate of several large mining pools recently. An attacker willing to invest tens of billions of dollars in an attack would have little difficulty sabotaging mining operations, especially given how concentrated and centralized those operations have become.

Really though, in what other context would we accept an argument that comes down to assumptions about what an attacker is willing to do? Cryptographic security demands that the attack effort grows exponentially (or super-polynomial in the case of public key cryptography) so that we can make the attack effort larger than the number of atoms on our planet (or galaxy or universe), which renders all speculation on the attacker's motives or willingness to invest an attack moot. With Bitcoin you can never make such a claim until most of the world's available energy is consumed by honest miners (the only point at which the attack is actually impossible, at least if we assume that the honest parties cannot be corrupted).

It would be easy for existing users to see how much energy the cheaters are spending based on the blocks that are getting published. A block gets published every 10 minutes on average so it wouldn't take a long time to become obvious.
So you only know how hard the honest parties must work to prevent an attack after a successful attack is detected?
If you assume all the current mining capacity is in use, and everyone mining right now is actually dishonest and collaborating with each other as a single party (worst case), then at most you just need to match the current capacity to prevent an attack. All you need is to make sure that more than 50% of miners aren't collaborating to benefit the same party at the same time.

If you are assuming that the attackers are also hiding "dark" mining capacity, then it's harder to say what capacity you would need to stop an attack, but they would be choosing not to run that hardware at a significant opportunity cost for no reason other than to create a false sense of security.

You seem to be implying that this is a strange model but I don't think so. It's no different from how you won't know how big of a military you need until after you get attacked. Your opponents could be hiding their military capacity. Etc. It's not clear that it is possible to avoid this problem in any trustless system.

Assuming that all mining capacity is visible is the sort of assumption that cryptographers typically avoid because you can easily be blindsided. Why shouldn't an attacker hide their equipment? Cryptographers also typically avoid speculating on the attacker's motivation, so talking about the opportunity cost is a pretty weak argument. Maybe the attacker just wants to cause mayhem in the system regardless of the cost, and they are idling their equipment until they are ready to attack.

It is also worth remembering that someone trying to attack Bitcoin is not limited to amassing enough of their own mining equipment; they can also try to reduce the work being done by honest miners by sabotaging honest mining operations, which at some point will likely be cheaper than trying to buy more mining rigs. So the honest miners need to do more than just match their own estimate of the capacity of would-be attackers. Honest miners must exceed attackers by enough of a margin to absorb attempts by an attacker to reduce the honest mining capacity, and that margin is also difficult to estimate.

I do not know what counts as "strange" but I certainly say that Bitcoin's security model is inefficient and backward by the standard used in cryptography. Honest parties have no advantage over the attacker and thus are left devoting ever growing amounts of energy to mining, continuously raising the bar for the attacker (and also raising transaction costs to pay for all that energy, not to mention creating an environmental disaster in the process). No competent military commander would pursue a strategy that depends purely on numerical superiority; armies set up bases in locations that are tactically advantageous (e.g. on a hilltop) and focus their planning (offensive or defensive) on strategically valuable targets (bridges, supply lines, etc.).

I don't think this comparison with "the standard used in cryptography" is really accurate or useful.

Cryptography tries to avoid speculating on the attacker's motivation, but establishing trust from nothing is a different problem than sending private messages on a public channel. It's not clear the former can be done any other way than by creating incentive structures to make the cost of cheating greater than some known amount.

> Honest parties have no advantage over the attacker

Honest parties have the advantage that it's easier for them to agree (and they are rewarded for agreeing). An honest party who wants to play honestly is implicitly supported by every other honest party whether they are explicitly allied or not. Whereas a dishonest party doesn't just need to be dishonest to benefit, they need to get >50% of all miners to agree to benefit them specifically, or otherwise amass all that capacity just for themselves while outcompeting every other honest party put together (not just their specific enemy, but every honest party).

> and thus are left devoting ever growing amounts of energy to mining, continuously raising the bar for the attacker

Why would the energy usage be "ever growing"? Bitcoin might become more popular and therefore might have bigger security demands expected of it in the future, but that should eventually reach a cap. From that point only cheapening electricity generation would increase the expected usage.

> No competent military commander would pursue a strategy that depends purely on numerical superiority;

That is certainly what they'd do if there was literally no other way to achieve an advantage (which is the case in this kind of landscape). Everything else is just a way to make their forces work more efficiently.

Modern cryptography is about a lot more than sending private messages over public channels. The entire field of secure multiparty computation is about mutually distrustful parties participating in a distributed computation of some kind. Bootstrapping trust from "nothing" is part of that, and the theoretical work in that field establishes the limits and feasibility of accomplishing that goal. There are settings where "trust from nothing" (more precisely, when only one party is honest) is possible to achieve with cryptographic security -- for example, if aborting the protocol (stopping the computation) is an acceptable outcome (this is unavoidable if there are only two parties).

"Honest parties have the advantage that it's easier for them to agree (and they are rewarded for agreeing)."

I should clarify that when I used the term "advantage" I was referring to something analogous to mechanical advantage. A basic tenet of cryptographic security definitions is that the honest parties should have an advantage over the attackers in the sense that a small increase the work done by the honest parties results in a large increase in the work that must be done to attack the system. Note also that cryptographic security definitions assume the opposite of what you said: that the honest parties are not coordinated and are operated independently, but that the attackers do coordinate with each other (in fact we just refer to "the adversary" which has full control over all the attacking parties, with full access to their internal state, inputs, outputs, randomness, and whatever else).

You mention incentive structures, but incentive structures are not very reliable. You need to make a lot of assumptions about motivation before an incentive structure makes sense, and those assumptions can easily fail because of something external to the system. What if a group of miners who collectively control 51% of the mining capacity of Bitcoin realized that they could open short positions in Bitcoin futures and make a fortune if they triggered a panic by e.g. executing very obvious double-spending attacks? Historically incentive structures have failed to prevent wars, crime, and other unwanted behaviors.

"Bitcoin might become more popular and therefore might have bigger security demands"

One does not follow from the other. Security requirements have nothing to do with popularity and everything to do with the ability of some attacker to succeed in attacking a system. Even if nothing about Bitcoin changes, a change elsewhere in the world may create an opportunity to profit from attacking Bitcoin (and there is no reason to think anyone other than the attacker would be aware of that opportunity). The attacker may not be rational at all; maybe the attacker just wants to create chaos, even at great expense. Like I said, incentive structures are unreliable and make for a poor approach to security on the Internet.

> A basic tenet of cryptographic security definitions is that the honest parties should have an advantage over the attackers in the sense that a small increase the work done by the honest parties results in a large increase in the work that must be done to attack the system.

I think a more accurate claim would be that cryptography aims to achieve the best security guarantees that can be assured mathematically. In the case of establishing consensus the best guarantees you can achieve are just different from what you can achieve in those other situations. That doesn't mean that Bitcoin is somehow going against some kind of cryptographic standard like you are implying here. It is using cryptographic technologies to achieve the most secure possible solution (as far as we have discovered) to the problem which it aims to solve. It just happens to be a different problem than those other problems and therefore the nature of the solution is different.

> Note also that cryptographic security definitions assume ... that the attackers do coordinate with each other

That's just one possible scenario which you might consider. Again I think it is misleading to imply this is some kind of "cryptographic litmus test" or something.

> You mention incentive structures, but incentive structures are not very reliable.

Right, but there's just no stronger guarantees which you can make when it comes to this problem.

> One does not follow from the other. Security requirements have nothing to do with popularity and everything to do with the ability of some attacker to succeed in attacking a system.

I think you are interpreting what I said backwards. Popularity defines what level of security is required. The level of security defines what attacks can be resisted. The more popular the coin, the bigger need it will have to resist attacks. And this is accommodated in the design: the higher the market price of the coin, the bigger the reward will be for miners (thus funding more mining, increasing the cost of an attack).

What do you mean? It's not like PayPal because the sender is actually anonymous (assuming that exact amounts are hidden by always withdrawing fixed size coins).
Bitcoin isn't quite anonymous, as a variety of criminals have found out. Cash is anonymous: there is no unique identifier associated either with the transaction or the parties to the transaction.

Bitcoin on the other hand is, at best, pseudonymous. This is particularly problematic because it gives information about true identities when the owner of coins wants to spend it in any way on anything where bitcoin is not an accepted form of payment. Then, the "off ramp" becomes much more closely associated with the owner of the coins.

Heck, even in a world where on-ramps & off-ramps to bitcoin weren't necessary because everyone used bitcoin this would still be problematic: An address suspected of holding coins obtained through illegal enterprise pays a car dealership in bitcoins for a new car, and the authorities simply go to the dealership with a warrant and say "tells us everything you possibly can about that transaction and the people involved in the purchase & delivery of that vehicle".

And figuring out those addresses can come from finding another criminal address. By its whole design Bitcoin lets everyone see which wallets have transacted with each other.
Precisely. I'm not saying it's a bad thing, but it really doesn't mesh with the common bitcoin dogma of a virtual currency free of the ability of governments to interfere with it.

There's nothing stopping governments from shutting it down either. The US by itself could practically take it down alone (or any other crypto) by banning US banks from working with it, or from working with any non-US bank that that deals with bitcoin. No need for a 51% attack, no need to track electricity usage to locate potential miners, just a simple piece of legislation. Or even simpler, an executive order issuing the same ban, stating that bitcoin enables significant financial activity by terrorists & criminals.

I wasn't talking about bitcoin, I agree on all those points. I was talking about Chaum's digital cash
Actually the bank does more than just issue coins and detect double spending. The bank is the ultimate authority on whether any coin is valid (just like with paper money), in the sense that the bank can refuse to accept a deposit. This is crucial to the security definition of ecash -- crucial because the security definition of any cryptosystem that is trying to achieve "electronic money" must in some way define "money."

Also, double-spending detection can be defined in several ways. My view is that the best definition includes the no-frame-up property and the "full tracing" property. A system that supports full tracing allows a cheating user to be blacklisted completely, since the double spending detection procedure produces a value that can be used to check if any coin was spent by the cheating user (basically, users have secret keys they use to spend; double-spending will reveal the secret key used for double spending). This is a nice property because it allows the bank to issue blacklists of cheating users, which are enforced by the bank's refusal to accept any coins that were spent by that user (even those not double spent), and thus no other party is willing to accept payments from blacklisted users since the coins are effectively worthless (as the bank will not accept them for deposit). In other words there is a meaningful way to punish a cheating user.

Finally, there is no reason these systems must naturally be "stablecoins." The bank need not peg the coin's value to anything, it can float freely like any other currency and the bank can choose any monetary policy, including one that results in significant volatility. The bank could even emulate Bitcoin by setting a fixed limit on coins in circulation (the different between the number of withdrawals and number of deposits) and periodically releasing more coins (maybe giving them in fixed amounts to randomly chosen users to simulate mining). If the coins did have stable values or were pegged to a currency with stable value, that would only be because the bank itself thought it was a good idea (perhaps in response to customer demand), not because there is something inherent in ecash that promotes stability.

> This is a nice property because it allows the bank to issue blacklists of cheating users

That property consequently allows a bank to black list any user, not just cheating users. There are many situations where that can be not so nice. In bitcoin, cheating isn't even feasible. It's better to prevent cheating entirely than to black list cheaters after the fact.

Did you actually read what I wrote? The full tracing property means that when double spending is detected, the bank can identify all coins that the cheating user spent. Honest users remain anonymous, which is the basic security property of ecash (and a property that Bitcoin does not achieve).

Also, this may seem pedantic, but cheating is entirely feasible in Bitcoin. In Bitcoin the honest users must perform more computation than the attackers, but that means that an attack must be feasible (as the effort of honest users must be feasible for anyone to use the system).

The arrogant ignorance about bitcoin on hacker news is just utterly staggering. So much holier than thou hatred of one of the most significant inventions of the 21st century.
(comment deleted)
Ah yes, the Chaum paper. The "Hey here is a cool thing you could do and solve a billion problems. Oh by the way we've patented the shit out of it and our royalty rates are pretty extreme. Ha ha ha!"

I think the last of the patents expire in 2023 which allow for an end to end zero knowledge based local transaction ledger system. That will be useful.