[This is a subpost of Bitcoin, Cryptocurrencies and Blockchains]

Blockchains are distributed ledgers, a database we each keep an up-to-date copy of. In private blockchains, such as that underlying the Venezuelan ‘petro’ or that proposed by UBS for bank transactions, a centralized authority decides who can record new ‘transactions’; not much novel here from the perspective of economic theory, although there are important technical advances that make private blockchains more efficient than existing distributed ledger technologies. Most casual interest is in public blockchains, which are decentralized and in which participants are anonymous. These blockchains are the main technological advance underlying cryptocurrencies such as Bitcoin or Ethereum. So what is a blockchain?

A blockchain is exactly that: a chain of blocks! Each block contains a record of some transactions, or events in general. When a new block is created, recording new transactions, it is attached to the end of the chain of existing blocks. For a blockchain to work there are then two main challenges: how to ensure that everyone follows the existing ledger of transactions (the existing chain)?, and how to decide who gets to record new transactions (blocks)?

In 2008 someone calling themselves Satoshi Nakamoto introduced the blockchain that underlies Bitcoin. His main innovation is to use proof-of-work to decide who gets to record new transactions. Proof-of-work operates as follows: ‘miners’ try to solve purely numerical problems, an activity referred to as mining. A miner who solves their problem obtains a proof-of-work which gives them the right to disseminate a new block to be added the end of the blockchain. The instantaneous probability that a miner solves their proof-of-work problem is increasing in the computational power they use. Determining who gets to record transactions in this way means that the identity of the miner who proposes the next block is determined at random. This ensures that miners take turns to validate blocks, and therefore no single miner has control over the whole verification process. When a new block is disseminated through the network, it becomes part of the consensus if miners chain their next block to it. Proof-of-work thus solves the first challenge of public blockchains: how to decide who gets to record new transactions.

For this process to generate a stable, usable blockchain successful miners must always want to attach their new block to the longest existing blockchain. In principle, miners could choose to attach their block to an alternative blockchain; perhaps the most recent block contains a transaction in which I spent all my money on pizza, a decision I now regret and would like to eliminate by instead returning to the shorter blockchain that does not include this transaction. This is the second challenge of public blockchains, ensuring that everyone sticks to the existing chain of transactions. We distinguish between two reasons for not sticking to the existing chain, (i) malicious, like double spending and tampering, to which we will return later, and (ii) benign, based on widespread disagreements, to which we turn now. Proof-of-work appears to almost perfectly solve the first, but only partially the second.

Why does proof-of-work solve this second challenge of public blockchains, of making sure new blocks are attached to the existing chain? Theorists working in Computer Science have shown that if most miners are ‘good’ and want to follow the existing blockchain, then with proof-of-work a minority of ‘bad’ miners will not be able to ruin things; coordination on adding new blocks to the end of the longest existing blockchain is a stable consensus equilibrium; see Bonneau et al (2015) for a survey. This Computer Science literature has agents being exogenously either ‘good’ or ‘bad’, and these agents following ad-hoc rules. Theorists in Economics instead view miners as rational profit-maximizers and analyze their incentives to follow an equilibrium of coordinating on the longest existing blockchain (Biais, Bisiere, Bouvard & Casamatta, 2018). They find that coordination on the longest existing blockchain is a markov perfect equilibrium, but this equilibrium is not unique with other equilibria representing forks of the blockchain. In a simple model environment such forks only occur due to some random outside event, a sunspot shock. Extending the model environment to allow for the realistic elements of information delays, and mining software updates creates the possibility of forking equilibrium, without the need for sunspot shocks.

There are two important economic forces at play in the blockchain that determine whether miners attach their new blocks to the longest existing chain. First, miners’ actions are strategic complements: under the assumption that the value of a blockchain depends on it’s being stable and credible, and that miners are rewarded in the cryptocurrency based on that blockchain, it follows that miners should focus on a single blockchain. Miners do this by playing the ‘longest chain rule’ strategy, as suggested by Nakamoto (2008), and the resulting coordination on a single blockchain is a Pareto-optimal equilibrium. However, if for any reason (e.g., a sunspot shock) a miner thinks that other miners will coordinate on a different chain, then the optimal strategy is also to follow that other chain, resulting in a fork and all miners now coordinate on that other chain. Hence multiple equilibria are possible, and while a stable blockchain is one of these equilibria, forks of this are another. Examples of such forks arising from widespread disagreement among miners about the future of Bitcoin include Bitcoin Gold and Bitcoin Cash.

The second important economic force is vested interest: miners cannot immediately spend the cryptocurrencies they receive as a reward for successful mining. This means some miners will necessarily hold cryptocurrency whose value is tied to the blockchain on which they were mining remaining active. This blunts the incentive of previously successful miners to create new forks. It also means that if a fork does occur then some miners will have incentives to continue mining on the preexisting, now minority, chain. This creates the possibility that after a fork there will be multiple existing blockchains, and that these will persist. Unlike temporary forks that rely only on coordination motives and would arise with atomistic miners, equilibria with persistent forks rely on some miners being large enough that they take into account the impact of their actions on the value of the blockchain. In practice, there exist pools of miners, such as AntPool and BTC.com, who each represent more than 10% of computing power, and who likely exhibit such strategic behaviour.

Proof-of-work vs proof-of-status: Energy use and the negative externalities of mining.

The standard approach of public (decentralized) blockchains to allocating who gets to update the blockchain, adding new blocks of transactions, is by ‘proof-of-work’. All miners attempt to solve problems that are computationally difficult and when a miner finds a solution they get to add a block; the problems are such that their solution is easily verifiable by other miners. For miners solving these problems the more computing power they have the more problems they will solve, but the difficulty of the problems is determined so that the greater the combined total computing power of all miners the more difficult the problems. Since the same number of blocks are being created in a given time, and since computing power is expensive, both in terms of the cost of electricity and the associated carbon emissions, it is society’s interest to use the minimum amount of electricity necessary. For an individual miner, using more computing power increases their chance of successful mining. Any one miner using more computing power means that the total computing power increases, and so everyone else’s chance of successful mining decreases: a negative externality on everyone else. This negative externality leads to overuse of computing power, and wasted resources. If all the miners could agree to sign a binding agreement to all use less computing power they would want to do so.

What alternatives are there to proof-of-work? One is centralized blockchains, but these are really a different concern. The main suggested alternative for decentralized blockchains is proof-of-status. Proof-of-status works by allocating the right to add a new block to the chain randomly to current holders of cryptocurrencies based on their current holdings of the currency. Blocks would be added at regular time intervals and, e.g., someone who held 5% of all existing currency would have a 5% chance of being chosen to be the one who adds the new block. The main problem conceptual objection is nothing-at-stake, that if a fork occours then there is no reason not to keep contributing block to both the blockchains, rather than settling on one ‘true’ blockchain. The worry is that this leads to a proliferation of different blockchains which for cryptocurrencies would dilute their value, and for other blockchain applications would render them useless.

Theories exist in both Economics and Computer Science exploring the conditions under which a proof-of-stake mechanism for allocating the right to edit would work; e.g., Saleh (2017) shows that under the assumption that eventually everyone would agree on a single blockchain then proof-of-status will quickly lead to everyone agreeing on that blockchain, but this largely glosses over the nothing-at-stake problem by ignoring the possibility that the alternative blockchains exist forever. The Ethereum currency has long discussed switching to proof-of-status, and Peercoin has implemented a cryptocurrency based on proof-of-status. However existing implementations have remained marginal. Implementing a practically useful proof-of-status implementation, or other decentralized alternative to proof-of-work, such as proof-of-contribution or proof-of-network-centrality, would solve many of the inefficiencies resulting from excess electricity use and the major environmental objection to cryptocurrencies, and decentralized blockchains more generally.

Blocksize and Transaction Costs

As of early 2018, the number of transactions that Bitcoin is able to process is limited to just 3-4 per second, compared to the 30,000 credit-card transactions per second by Visa. Since the demand for Bitcoin transactions is greater than this (self-imposed) limit transaction fees have emerged to determine which transactions get processed. In 2017 the total transaction fees paid on Bitcoin transactions was US$277.1 million.

The limited number of Bitcoin transactions is self-imposed due to the maximum size of each block, which is currently set to around 2mb. There is no reason this could not be changed, so that each block took up more storage space and so could record more transactions. It would simply require a technical adjustment to the code implementing the Bitcoin protocol, and this change is periodically proposed needing a simple majority of miners to adopt it. (Such changes are sometimes made, in fact prior to 2010 the blocksize was 36mb.) The main argument against is that any increase in the blocksize would makes the blockchain much larger and more expensive to store, as well as increasing bandwidth requirements. This is especially true as the number of transactions is linear in the blocksize, so an increase from 2mb to 20mb per block would increase from 3-4 to 60-80 transactions per second. To those who wish to view Bitcoin as money this is problematic, but is not a problem for those who view Bitcoin as a digital alternative to gold.

The limited supply of transactions, combined with an increased demand for transactions, has led directly to the existence and growth of transaction fees which miners charge to include a given transaction in a block. These transaction fees match the demand for Bitcoin transactions with the fixed supply, and increase during periods when there is high demand for transactions (Easley, O’Hara & Basu, 2017). While these transaction fees do match the demand to the supply by reducing the quantity demanded it is worth repeating that they do not help to increase the quantity supplied as this is strictly limited by the blocksize which is coded into the protocols implementing Bitcoin. The transactions fees do however increase the returns to mining, resulting in more computing power being used to process the same number of transactions; the difficulty of the numerical problems solved by miners increases to ensure that the rate at which blocks are added does not change in response to the increased mining.

This use of transactions fees to decide which transactions to process was foreseen and a deliberate part of the Bitcoin protocols. The idea is that in its early days Bitcoin would reward successful miners by giving them bitcoins, but that the size of this reward would decrease over time to ensure that the number of bitcoins in existence would eventually level out, and the rewards to successful miners would instead come in the form of the transaction fees they could charge.

These issues around transaction fees in principle exist in essentially all public (decentralized) blockchain implementations as they involve fixed limits on the size of each block and the rate at which new blocks are added to the blockchain. In principle transaction fees could be avoided by adjusting the blocksize or arrival rate of new blocks in response to the demand for transactions (which are placed in a queue in the ‘mempool’) in the much the same way the protocols currently automatically adjust the difficulty of the numerical problems in response mining effort. Economic theory suggests that rewarding miners with coin, rather than transaction fees, is more efficient as it spreads the same cost over a wider base —all transactions in the memory pool, rather than just those that are processed— and so is less distorting (Chiu & Koeppl, 2017). Although transaction fees do have the efficiency advantage of reducing processing delays for those transactions that are highest priority—that is, those for which people are willing to pay to reduce the delay (Huberman, Leshno & Moalleni, 2017). Which effect would dominate depends how large the queue of transactions to be processed is.

The Threat of Double-Spending: Avoiding Tampering

Since the coins in any cryptocurrency are not physical objects it is possible to send the same coin to two different people. However the transaction record will only end up showing one of these transactions, the other will be illegitimate. Double-spending involves doing exactly this, using one coin to make two purchases, only one of which will end up being legitimate and so only one of the two sellers will ever get paid. A useful cryptocurrency will have to prevent such attacks. In 2013, GHash.io used double-spending to steal about $100,000 USD worth of bitcoin from gambling site Betcoin Dice. They paid for a bet by making a bitcoin transaction, if the bet won they simply did nothing, but if the bet lost then they made a double-spending attack. This was possible both because Betcoin Dice didn’t wait to settle the transaction, and because GHash.io accounted for 35% of all mining at that time and so would often win the right to add new blocks.

Roughly speaking, to execute a double-spending attack in a blockchain-based cryptocurrency you would spend a coin, which would be recorded in a block, and then respend the same coin and replace the previous block recording the first spend with a new block recording the second spend. The difficulty in pulling off a double-spending attack is that you have to get the right to edit that block. For a blockchain in which the right to edit is allocated by proof-of-work this means that pulling off a double-spending attack is more difficult if there are lots of miners (if your own computing power is small relative to total computing power of all miners), and the number of blocks since the first spend (you have to replace all of them to become the longest chain). The payoff to a successful double-spending attack is bigger the larger the size of the payment (the payoff to spending the same $10 twice is $10, the payoff to spending the same $100 twice is $100). Chiu & Koeppl (2017) provide a more detailed description. Defense against double-spending comes in two main forms, waiting until some time has passed since the transaction was added to the blockchain so that a double-spending attack would have to edit more blocks, and the blockchain having more miners so pulling off a double-spending attack is more costly. Technical changes to make double-spending easier to detect and so more difficult to pull-off have also been proposed.

Let’s define a good cryptocurrency as one in which transactions can be processed quickly and at the minimum expense (less waiting and less mining), but which prevents double-spending (more waiting and more mining). This leads to a few guidelines for a good cryptocurrency, and for what transactions a cryptocurrency is best suited. A good cryptocurrency rewards mining effort with new coin, rather than transaction fees. This way the cost of paying to encourage mining is shared by all transactions, rather than just successful ones, which discourages double-spending. Cryptocurrencies are best for processing small transactions, as processing large ones means there are greater incentives to double-spend and so settling large transactions takes longer. Based on this Chiu & Koeppl (2017) estimate that a cryptocurrency that issued new coins at an annual money growth rate of 2% could be competitive with existing payment systems for processing retail purchases in terms of transactions costs and processing times.

Next post in this series on Cryptocurrencies: Cryptocurrencies: Untamperable? Crime? Anonymous? Price Manipulation?

This theory focuses on the ‘economic’ and transactional aspects of the blockchain, rather than the code and computing aspects. The following book covers much of both: Bitcoin and Cryptocurrency Technologies, by Narayanan, Bonneau, Felten, Miller, and Goldfeder.

Caveat: most of this theory ignores the fluctuating value of the cryptocurrencies in which miners are paid/compensated. For the Computer Science theory this is ‘irrelevant’ in the sense that all actors anyway follow ad-hoc rules. For the Economics theory this would obviously affect incentives (the value of the cryptocurrencies do change, but not in a way that reflects the large swings in value that have been seen to occour in reality).

I have deliberately avoided a more technical description of the implementation of the blockchain, which would include that when a miner is successful in solving a problem their proof-of-work is attached to their block and this is then distributed throughout the network. Network participants verify the proof-of-work and transactions validity, and accept it by chaining it to the end of the blockchain. I have referred to this as a miner simply adding their block to the end of the blockchain. I focus on the mathematical side of the technical operation of blockchains, rather than the specific code and protocols used to implement them in practice.

References:

Bonneau, Miller, Clark, Narayanan, Kroll & Felten. SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies, 2015.

Biais, Bouvard, Bisière, and Casamatta. The Blockchain Folk Theorem, 2018.

Chiu & Koeppl – The Economics of Cryptocurrencies – Bitcoin and Beyond, 2017

Easley, O’Hara & Basu – From Mining to Markets: The Evolution of Bitcoin Transaction Fees, 2018.

Huberman, Leshno & Moalleni – Monopoly without a Monopolist: An Economic Analysis of the Bitcoin Payment System, 2017.

Nakamoto – Bitcoin: A Peer-to-Peer Electronic Cash System, 2008.

Saleh – Blockchain Without Waste: Proof-of-Stake, 2017.