Yves here. An important post, in that it describes fundamental limits of cryptocurrencies, namely, the high cost of transaction verification, which is destined to reduce their liquidity.
By Raphael Auer, Principal Economist, Bank for International Settlements. Originally published at VoxEU
Bitcoin and related cryptocurrencies are exchanged via simple technical protocols for communication between participants, as well as a publicly shared ledger of transactions known as a blockchain. This column discusses research on how cryptocurrencies verify that payments are final, that is, that they are irreversible once written into the blockchain. It points to the high costs of achieving such finality via ‘proof-of-work’ and to a crucial externality in the transaction market, and argues that with the current technology, the liquidity of cryptocurrencies is set to shrink dramatically in the years to come.
Much of the allure surrounding Bitcoin and related cryptocurrencies stems from the facts that no government is needed to issue them, and they can be held and traded without a bank account. Instead, they are exchanged via simple technical protocols for communication between participants, as well as a publicly shared ledger of transactions (a blockchain) that is updated by a decentralised network of ‘miners’ via costly computations (i.e. ‘proof-of-work’) (see Figure 1).
What is the economic potential of this new means of exchange? In this column, I analyse the underlying economics of how Bitcoin achieves payment finality – i.e. how it seeks to make a payment unalterable once included in the blockchain, so that it can be considered as irrevocable. I then discuss the future of this type of cryptocurrency in general.1
The key innovation of Nakamoto (2008) is to balance the cost and reward for updating the blockchain by creating incentives to ensure that updates are correct. The updating process deters forgeries by imposing a cost on updating the blockchain. At the same time, accurate updating of the blockchain confers a reward on the so-called miners who do the updating. Miners, or their computers, effectively compete to solve a mathematical problem. Presenting a solution proves that they have done a certain amount of computational work. Such ‘proof-of-work’ allows a miner to add a block of newly processed transactions to the blockchain, collecting fees from the subject transactions as well as ‘block rewards’ – newly minted bitcoins that increase the outstanding supply.
Figure 1 Cryptographically chained, valid blocks of transactions form Bitcoin’s blockchain
Notes: The publicly available ledger is updated in bunches of transactions, and each update is termed a ‘block’. Blocks, in turn, are chained to each other sequentially, thus forming a ‘blockchain’. The blockchain is updated much like adding individual pages with new transactions to a ledger, with page numbers determining the order of the individual pages. Each block is a small file that includes a number of payment transactions, stating the amount, the payer and the payee, and also the transaction fee. The original Bitcoin protocol restricts each block to a maximum file size of 1 MB, which in practice implies that around 2,000 transactions can be included in each block. Only transactions including the valid digital signature associated with the transferred funds are accepted into a block. A new block is added to the blockchain only about once every ten minutes. Adding a block to the existing block chain requires a valid proof-of-work (also called a ‘nonce’), which involves a hash function that takes a random text input and produces from this an output according to set rules. The key property of the SHA256 hash function used in the Bitcoin protocol is that the output is unpredictable – to get a desired result, the only solution is thus to try many starting values randomly, which creates a computing cost. Cryptographic chaining of blocks is achieved by including summary information from the previous block in the proof-of-work of the current block.
Source: Auer (2019).
The costs and rewards of Nakamoto’s updating process are the focus of my discussion (see also Auer 2019). Two questions are raised. First, how efficient is the fundamental architecture of deterring forgeries via costly proof-of-work? And second, can the market for transactions actually generate rewards that are valuable enough to ensure that payment finality is really achieved?
Analysing these two elements uncovers fundamental economic limitations that cloud the future of cryptocurrencies based on proof-of-work. In sum, with the current technology, it is not even clear whether such cryptocurrencies can keep functioning as they do at the time of writing. This statement is unrelated to well-known restrictions on the scale of such payment systems or the volatility of cryptocurrencies.2 Rather, it concerns the fundamentals of Nakamoto’s updating process, which has two limitations that interact in a fateful manner.
The first limitation is that proof-of-work axiomatically requires high transaction costs to ensure payment finality. Counterfeiters can attack bitcoin via a ‘double-spending’ strategy: spending in one block and later undoing this by releasing a forged blockchain in which the transactions are erased. I analyse the concept of ‘economic payment finality’ in a blockchain. That is, a payment can be considered final only once it is unprofitable for any potential adversary to undo it with a double-spending attack.3 If the incentives of potential attackers are analysed, it is clear that the cost of economic payment finality is extreme (see also Budish 2018 on this issue). For example, for finality within six blocks (roughly one hour), back of the envelope calculations suggest that mining income must amount to 8.3% of the transaction volume – a multiple of transaction fees in today’s mainstream payment services.
The underlying intuition is simple: double-spending is very profitable. In fact, attackers stand to gain a much higher bitcoin income than does an honest miner. While honest miners simply collect block rewards and transaction fees, counterfeiters collect not only any block rewards and transaction fees in the forged chain, but also the amount that was double-spent (i.e. the value of the voided transactions). This ‘attacker advantage’ ultimately translates into a very high required ratio for miners’ income as compared with the transaction volume (the amount that can be double-spent).
The second fundamental economic limitation is that the system cannot generate transaction fees in line with the goal of guaranteeing payment security. Either the system works below capacity and users’ incentives to set transaction fees are very low, or the system becomes congested.4Underlying this is a key externality: the proof-of-work, and hence the level of security, is determined at the level of the block one’s transaction is included in, with protection also being provided by the proofs-of-work for subsequent blocks. In contrast, the fee is set by each user privately, hence creating a classical free-rider problem, amounting to a veritable ‘tragedy of the common chain’. While each user would benefit from high transaction fee income for the miner, the incentives to contribute with one’s own fee are low.
My key takeaway concerns the interaction of these two limitations: proof-of-work can only achieve payment security if mining income is high, but the transaction market does not generate an adequate level of income.5 As a result, liquidity is set to deteriorate substantially in years to come.
The backdrop is that the bulk of miners’ current income consists of block rewards (Figure 2, left-hand side). But block rewards are being phased out (e.g in Bitcoin and many of the clones that have ‘forked’ from it, the next time block rewards will halve is in 2020). Whenever block rewards decrease, the security of payments decreases and transaction fees become more important to guarantee the finality of payments. However, the economic design of the transaction market fails to generate high enough fees. A simple model suggests that ultimately, it could take nearly a year, or 50,000 blocks, before a payment could be considered ‘final’ (Figure 2, right-hand side).
Given these considerations, I conclude with a discussion of how technological progress is set to affect the efficiency of Bitcoin and related cryptocurrencies. So-called second-layer solutions such as the Lightning Network that mount further layers of exchange on the blockchain can improve the economics of payment security. However, while they are seeing some adoption (Figure 3, left-hand side), they are no magic bullets, as they face their own scaling issues.
Figure 2 Block rewards have made up the bulk of mining income
Notes: All bitcoins in existence have been issued via ‘block rewards’. Every new block added to the block chain increases the total supply, with the newly created bitcoins being credited to the miner who adds the block. Block rewards were set to 50 bitcoins per block initially and are halving every 210,000 blocks (see left-hand panel), a formula ensuring that the total supply of bitcoins will be 21,000,000. Miners’ income is made up of block rewards and transaction fees (also see left-hand panel). The lines displayed in the right-hand panel show the implied waiting time (number of block confirmations before merchants can safely assume that a payment is irreversible) required to make an economic attack unprofitable: the attacker rents mining equipment on a short-term basis and executes a change-of-history attack. Calculations of the implied waiting times are based on equation (7) in Auer (2019) and assume transaction fees of 0.18 bitcoin per block, which corresponds to average transaction fees during the period 30 Apr 2018–31 Oct 2018. Dashed pattern indicates predicted values.
Source: Auer (2019).
Figure 3 Looking ahead: Can new technologies counter the deterioration of Bitcoin liquidity?
Notes: The left-hand panel shows the volume of bitcoins that have been committed to the Lightning Network (mainnet) as well as the number of active nodes. The right-hand panel shows the impact on the required waiting times (number of block confirmations before merchants can safely assume that a payment is irreversible) in the case that social coordination is used to undo a double-spending attack. Calculations are based on equation (7) in Auer (2019), assuming that block rewards are zero. The horizontal axis denotes the probability that the network of bitcoin users will coordinate and undo any double-spending attack. The vertical axis shows the resultant required waiting times for various levels of transaction fees.
Source: Auer (2019).
In order to prevent liquidity from ebbing away, Bitcoin and other cryptocurrencies would need to depart from using proof-of-work – a system that is not sustainable without block rewards – and embrace other methods for achieving consensus on blockchain updates. Among many proposed developments, the most prominent is ‘proof-of-stake’ – a system in which coordination on blockchain updates is enforced by ensuring that transaction verifiers pledge their coin holdings as guarantees that their payment confirmations are accurate. Yet, because such a system lacks the solid grounding offered by proof-of-work (which proves actual offline activity), its success may rest on additional overarching coordination mechanisms (i.e. some degree of implicit or explicit coordination by an institution).
Judging based on the current technology, the overall conclusion is that in the digital age too, good money is likely to remain a social rather than a purely technological construct (e.g. Carstens 2018, Borio 2018). That cryptocurrencies might in future profit from social coordination or institutions is also highlighted by the very same algebra that shows the doomsday economics of pure proof-of-work. The point is that their payment efficiency could be greatly improved by introducing an institutional underpinning to undo double-spending attacks should they occur (see Figure 3, right-hand side). In this light, one key question for future research is whether and how technology-supported distributed exchange could complement the existing monetary and financial infrastructure.
Editors’ note: This column is taken from the VoxEU eBook “The Economics of Fintech and Digital Currencies”, available to download here. The views expressed here are those of the author and should not be attributed to the Bank for International Settlements.
See original post for references