Radar has a backchannel, and sometimes we have interesting conversations on it. Mike Loukides and I recently had a long chat about bitcoin. Both of us were thinking out loud and learning as we went along, and on re-reading the thread I’m astonished by our advanced level of ignorance. I would like to publish it because it hints at just how hard it is to understand the bitcoin network. The founding papers that describe the system leave a lot of implementation to the imagination, and the level of mis(dis?)information around the web is staggering. It’s no small thing to get the basics right. But beyond the basics, the bitcoin network has that property of an inside-out onion, where the harder you look, the more (and bigger slices of) complexity you find.

Anyway, we’re not going to publish it. I don’t mind looking stupid, but I don’t want to look that stupid — also, the comments would be torture.

However, some of the things we were wondering about are worth wondering about publicly. Especially this: what happens when the mining subsidies end? Will transaction fees pick up the slack? I think ultimately the answer is yes, but maybe not in the way a lot of people expect.

If you read around the web, the typical answer to that question sounds something like, “Yeah, of course they will. Costs will go down as some miners exit, but people will start voluntarily paying transaction fees. Also, unicorns.” Of course, the transaction fee bit is striking because a lot of people think one of the key benefits of “digital cash” is that, compared to credit card processors, they don’t charge fees.

Well, they don’t now. Now they subsidize the operation of the network by printing new money, er, mining — which I suppose is crypto libertarianism’s answer to quantitive easing. With 25 new bitcoins being minted every 10 minutes or so (at a current value of $11,600), the dearth of transaction fees is just noise. But over time, the pace of mining will drop (halving after every 210,000 blocks).

Before I get to the question posed in the title of this piece, we probably need a brief explainer so the rest of what I say has a chance of making sense. If you already know how bitcoin works, you can skip this part. Or, better yet, read it anyway and tell me what I get wrong. I’m well aware that I’m treading into speculative territory and probably don’t have this all sorted. In fact, that’s true for this entire post.

Bitcoin’s central feature is a distributed ledger called the block chain that contains a record of every verified transaction ever, going back to the “genesis block” of the first 50 bitcoins. It’s called a block chain because transactions are verified in blocks, and the blocks are chained together, each new one pointing to the one before it. Each block contains the worldwide transactions from approximately a 10-minute period.

Every bitcoin in existence can be traced back to one of these blocks. Either it originated in the genesis block, or it was issued as a reward to the miner who verified a more recent block.

One of the counterintuitive things about bitcoin is that there really aren’t bitcoins. Not in the sense that there is an indivisible coin with some unique identifier associated with it. Instead, users of the bitcoin network get value as an input (either from a transaction or from source coins issued in mining) and then they can either hold that value, or spend it as an output via a transaction. The transactions associate value with their key value, which substitutes for their identity.

Bitcoin is known as an anonymous or pseudo-anonymous system, but really it is completely transparent. Every transaction ever completed is available in the block chain for anyone to see. Smart users will take pains to change their encryption key with every transaction and be careful not to associate their public key with their real identity, but bitcoin probably has that common and awkward property of being less anonymous the more you use it. More data in the block chain means more opportunity to de-anonymize you.

The thing that makes bitcoin work is the way it handles verification in a completely decentralized manner — one that has no need to rely on trust or a central trust authority. In fact, there is one block chain, but not just one instance of it. Every node on the network (or a lot of them, I’ll leave that complexity out for now) has its own copy of the block chain.

As users of the network transact, those transactions are published to the network where they are gathered up by miners. (As I write this, the network is averaging approximately 500 transactions per block, or 3050 per hour). Miners do two things. First, they check each transaction against the currently confirmed block chain (or at least the fork of it that they are currently working from). These checks verify that the spender of bitcoin actually owned enough bitcoin to fulfill the transaction. For a value of bitcoin that was recently transacted, they’ll find this proof in a fairly recent block, in a dusty old coin they may have to dig deeper into the chain to find the proof. Sometimes miners expect to get paid for this with a transaction fee, but either way, this is the easy part.

The harder part, and the heart of the system’s decentralization, is the “proof-of-work.” Or, as I like to call it, the “proof-of-make-work.” This is the part of the system that I was confused about for a long time. I thought that all of those CPU cycles (well, now they are mostly ASIC cycles for efficiency reasons) that we hear about sucking down gigawatts were being spent on the transaction verification process, but they aren’t. That part is relatively simple in computing terms. The hard part is computing a puzzle with an improbable answer that the miner has to solve before he or she can send the finished block out to the network to be added to everyone else’s chain (and get their reward). The miner has to compute a SHA256 hash that combines the block header with an incremented nonce until they find a value of the nonce for which some condition is met on the hash. That condition is for the hash to be less than the current difficulty number.

It’s a winner-take-all system for each block. You construct a block from verified transactions and start hashing away. Because of the probabilistic nature of the puzzle, sometimes you’ll find the solution immediately (bingo! $11,600!), sometimes (most of the time) you’ll still be looking when someone else has found it. Over a couple of weeks, if the average time per block has been less than 10 minutes, the network will agree algorithmically to increase the difficulty. It almost always has to because new miners are starting up ever faster mining gear, and the aggregate rate of hashing keeps going up. This being a probabilistic game, as aggregate hash rate goes up, the time to solve a puzzle of static difficulty will go down. So, make the puzzle harder.

The expected value of the payout to any single miner is the ratio of the hash rate they control to the aggregate hash rate of all miners. But, because each block is winner take all — and there are many, many mining machines online now — even the fastest individual miners will see a very lumpy payout distribution. To remove the variance, most miners have joined into pools that attempt to distribute the winnings among their participants by some more-or-less fair measure of hash contribution. Usually this is done by having miners report a share that is a hash of a header plus nonce that meets a significantly less difficult test.

Back to that idea of proof-of-make-work. What is the point of the puzzle? Well, for this to work, there needs to be only one block chain. If a fork happens (not if, really, it’s when; the system operates kind of like distributed version control, so every node has its own fork), each node has agreed to always work on the current longest chain. If they receive two different block chains at roughly the same time, they’ll work on the one that got to them first until they receive another one that is longer. So, if I get fork A just before fork B, I’ll start working on A. If someone else, who for network latency reasons or whatever, got fork B first and finishes it first, then B is now the longer chain and I’ll drop the A fork and switch over to B going forward.

This means there is a lot of processor time (and electricity) invested in the current chain. If a bad actor wants to successfully fork the chain to insert a double payment, they have to do as much work as the whole real network did, and do it before the real network can finish the next block (or get really damned lucky). In practice, and to rely less on lightning-strike luck, this means being able to harness a hash rate of 51% or more of the existing network to have a reasonable chance of forking only one block back.

This is the virtual equivalent of the vault door at the bank. Bank doors aren’t drill proof; they just need to be thick enough for current drilling technology to take until 8 a.m. to drill. Proof-of-work, and its difficulty factor, are the thickness of bitcoin’s virtual vault door.

So, the network has this weird property of make-work. All of this electricity is being consumed to run thousands of mining rigs, only one of which will actually successfully create each block.

You could build a much more efficient payment system that had only one mining machine, send it transactions, let it verify them, give it a fee, move on. That network would use hella lot less electricity, but the problem with doing that is that now you have to either trust that machine or figure out a way for it to not let another machine pretend to be it. Trust in a single entity is counter to the libertarian economic principles on which bitcoin is founded, and in any case would open up the network to fraud and security problems. So, the actual bitcoin network is distributed (no trust of a single entity required), and all that make-work in the proof-of-work raises the computational difficulty for any one machine or attacker to a level too high to be met.

It looks like make-work, but those other machines are actually contributing in a real way by spending that electricity on hashes that, even though they will probably never be used, warp the probabilistic space and inflate the difficulty that an attacker will have to surmount to fork the block chain and take it over. Bitcoin is a lottery that makes its players Dance Dance Revolution as fast as they can for their tickets. The winning ticket doesn’t just entitle the miner to the winnings; it says to the world, “I danced my ass off as a sign of my commitment that this block is legit. You’ll have to dance more and faster than me (on average) if you want a chance at the next winning ticket to prove me wrong and pwn the block chain.”

Weird right? Abstract make-work, real electricity, pretend vault door. The purist in me wishes there were a more elegant solution.

Bitcoin is interesting in that the inherent transaction cost is very different from a fiat currency like the dollar. Dollars are printed by a mint and then transacted frictionlessly among a population. The backer of such a currency absorbs the cost of issuing the currency and keeping it secure as a fixed cost. In the bitcoin world, the transactions themselves cost money to keep secure, and after the subsidies end, will have to be paid for as variable cost. Costs look like they will be nominal, but they will be real because the electricity consumed to do proof-of-make-work is real.

Here’s something else that’s interesting. The bitcoin network is probably value destroying. A rational actor makes the decision to add a mining rig by looking at the fixed (machine purchase) and variable (electricity) costs and compares them to the expected value of the reward for mining. The expected value is based on the proposed new machines’ hash rate in relation to the current network aggregate hash rate, the current mining subsidy reward size per block, and the current exchange value to dollars or some other benchmark currency the miner cares about.

People being people, they’ll make the decision to invest in a mining rig based on current conditions, and many of them ignore the rate of change of future conditions — like the decline of their proportion of total hash rate based on the advance of hardware speeds and capacity accretion. The thing about fixed costs is, that at least for those miners who buy their own gear, they tend to turn immediately into sunk costs. So, even as the aggregate hash rate increases with new mining rigs coming online, miners leave their old rigs online until the variable cost of their electricity use exceeds their expected reward from mining. Many will never earn back the cost of their rigs, but they keep mining anyway because if the rig is a sunk cost, it’s rational to do so. This is also true in situations where the rewards of mining suddenly go down because the exchange rate tumbles in a moment of volatility manifest. Did half the miners take their rigs offline when the price went from $1,000 USD to $460? It doesn’t look like it.

What’s happening is that the aggregate mining capacity is riding a line where rig capacity is essentially constrained (loosely) by aggregate electricity cost compared to the fixed bitcoin production, and fixed costs are ignored post facto. Put another way, the bitcoin mining market operates near an efficient frontier that accounts for the cost of electricity but often ignores fixed cost. I think.

Also, the incentives to mine are disassociated from any notion of how much puzzle difficulty is required relative to potential threats to the network. The difficulty isn’t set to ensure that the puzzle is hard enough to prevent a successful block chain fork; it’s set to keep block processing time to 10 minutes. I may be missing something, but I don’t think that 10 minutes correlates in any meaningful way to the security of the network against fraud.

In other words, no one (or no algorithm) is saying, “an attacker can pull together a botnet with this much potential hash rate, so to protect the network we need this many machines, and at the current cost of electricity and equipment state of the art, we need mining incentives of X to attract that many machines.”

I guess I’m suggesting the bitcoin network could use some of Uber’s dynamic pricing to set difficulty relative to potential threats, rather than this fixed stairstep of currency growth and reward.

The current system is probably providing incentives (much?) higher than needed to keep the system secure. And even within that incentive framework, because of the fixed-cost-to-sunk-cost transition, there are probably more mining rigs online than even those high incentives would rationally suggest. I suspect we are using way more resources than required to safeguard the system. In the process, we are wasting electricity and mining rigs, and guaranteeing that miners are sub-profitably surfing the efficient frontier curve on average. Which raises the inverse question: after the subsidies go away, what will ensure that the network equilibrates with fees sufficient to not swing the other way and under-protect it? Especially since the network is being built on an almost religious expectation of very low or even zero fees.

Ok, that was probably more than a basic explainer, but let’s come back to that question of what happens after the subsidies go away. Will miners-cum-verifiers have an economic incentive to keep verifying? And will they be paid enough to continue to adequately safeguard the network? Let’s start by looking at the numbers for what it costs to verify transactions right now, just to get a sense of where we’re starting out.

Today, each block verification rewards a miner with 25 bitcoin. At current exchange rates, that equates to $11,500. As I mentioned before, there are approximately 500 transactions per block now for an average transaction cost of $23 per transaction. The average transaction size is 7.25 bitcoins, which equates to a dollar value of $3,345 (that seems high right? People aren’t buying their coffee with bitcoin yet.). This implies an effective fee rate of 0.7% (currently paid through subsidized currency dilution rather via transaction fees). Not bad compared to a credit card processor or PayPal, but not free, either.

Interestingly, the costs are really per block, and there seems to be only a loose correlation between cost and the number of transactions in the bock. Given the relative complexity of the proof-of-work puzzle, real costs are only very loosely connected to the per transaction cost of verification. So, as the system’s use goes up and the transaction rate goes up, cost per transaction will go down.

Assuming the transaction rate will go up as the amount of bitcoin in circulation goes up, another interesting tension in this system is that the transaction rate will most likely be at its highest level yet when the incentives for mining completely go away (it will keep climbing after that if the currency is successful, but it should be at its highest rate to date). At that point, there will be 1.55x more bitcoin in circulation than there are now, so we should expect the transaction rate then to be at least 775/block. Actually, I think it will be much higher than that. The average transaction size is still very high, which I think implies that people are using bitcoin more as an investment (speculation) vehicle than as a payment vehicle. I would expect that widespread use as payment will explode those transaction numbers.

But just for the sake of argument, let’s look at a transaction rate of 1000/block (or 6000/hour) at the end of subsidies. If verifying activities continued then at the rate that mining happens now and remain priced at the variable cost of electricity, we might expect a per transaction cost of about $11.50 per transaction or 0.34%.

In fact, what will probably really happen is that many miners will start dropping out as the subsidies go away (as their expected value of return drops below their electricity-based operating cost), and aggregate costs will go down, too. If, for example, half the miners leave, that cost becomes $5.75/transaction or 0.15%.

That is much cheaper than transacting via credit card, but even with transaction fee rates that low, there are a bunch of questions this leaves open.

The way the system works right now, transaction fees are voluntary and non-prescribed. Essentially, it’s just the difference between the input amount and output amount of a transaction. That difference goes to the verifier. But what is the price discovery mechanism? Will miner/verifiers eventually only block up transactions that meet their minimum fee rates? If so, how does that fee rate converge across all of the thousands of verifiers, and how do they signal it to the transactors? What happens to transactions that don’t meet their fee rate? Are they just left hanging until the transactor smartens up and adds more fee? Or, will fee rates stratify with fast processors, giving probabilistically faster transaction service in exchange for higher fees? A minimum 10-minute delay to your too-cheaply greased transaction strikes me as a blunt instrument for price signaling.

It’s the feedback loop dynamics here that I’m interested in — both the pricing feedback to the transactor and the feedback loop for potential verification operators. I assume the verification rig operators will behave similarly to the miners and be willing to operate near their variable cost of electricity and equipment financing, but I’m confused about how they’ll 1) signal that price to transactors and 2) converge amongst themselves on what that price should be.

I’m not going to go into a long tangent here, but if miner/verifiers don’t converge on expected fee prices, and the block processing time continues to average 10 minutes, under-fee’d transactors could wait a very long time for their transactions to process — perhaps many block generations until a lower-cost, slower verifier (willing to take a lower fee) finally wins the Dance Dance Revolution lottery and includes them in the verified block chain.

How to arrive at a “fair” transaction price in the absence of explicit signaling mechanisms is one thing, but a more interesting missing feedback loop seems to be between price and minimum secure viability of the network. Essentially, the security of the network will be a by-product of the transactors’ willingness to pay fees and the cost of electricity to the verifiers. It’s hard to see how the robustness, in the face of potential attackers, comes into this equation at all today. Nothing in the network measures it so that it can enter into the feedback loops in play.

Let me make this more concrete. Let’s say that when mining ends, the pressure of low transaction fees causes many previous miners to exit, and the network doing what it was designed to do, starts ratcheting the puzzle difficulty back down. Eventually, if the price sensitivity of fee payers is high, the puzzle difficulty may get simple enough that the network’s security in the face of a well-heeled attacker is compromised.

Which makes me wonder: who will have the most stake in the network’s safety and security if that seems imminent? The many holders and transactors of bitcoin may in fact be willing to pay higher fees to bump the difficulty back up. Or, perhaps the much smaller number of businesses built on top of bitcoin that are operating exchanges and other services, and that represent a tight concentration of interests, may feel they need to do something to protect the commons on which their businesses depend? At some point, do they — seeing how the network is struggling to converge on fees that are economically viable for verifiers and sufficient to satisfy the overall network’s security needs — start rolling out their own subsidized verifier nodes to add much needed hash rate?

What if they use their income stream from exchange activities to subsidize a large number of machines that, because of the flight of the original miners, begin to represent a material proportion of total aggregate hash rate? Initially, they may agree to just go with whatever the average fee rate is in order to add capacity that eventually will increase the puzzle difficulty, and hence safety of the network. But it won’t end there.

Even at the same fee rate, the mere presence of their machines on the network will make other verifiers less profitable. By adding capacity to the hash pool, they reduce everyone else’s expected value because, of course, they’ll win lotteries — and fees — in proportion to their hash rate contribution.

If they attempt to address this by only accepting fees slightly higher than the pool is already accepting, they will effectively price themselves out of getting any transactions. They may be verifying blocks, but some transactors might be willing to just wait until the next (cheaper) block than pay their fee. So, they probably won’t be able to influence an increase in fee rates designed to compensate for their participation.

It’s their concentration of interest combined with their ability to subsidize verification that’s intriguing here. Given that there is no provision to route transactions to any particular miner/verifier (there can’t be, that would be a bug in this network, not a feature), and that the feedback loop from miner/verifiers back to transactors is loosely coupled to say the least (I either include your transactions in the block, or I don’t), these price signals might be slow acting, and convergence will take time. But ultimately, a participant willing to subsidize verification will erode pricing by their very presence.

It’s easy to imagine this unleashing an unfortunate feedback loop that slowly shuts down the for-profit verifiers and forces subsidized verifiers to take on more and more of the work. A player with a different source of income in the system who can afford to be sub-economic as a verifier will drive out those with a single economic stream (mining and fees). Ultimately, the only ones left will be the ones who can leverage internal subsidies to operate inside the market’s efficient frontier for verification. The network then will look a lot like a centralized bank, where trust matters again not by design, but by concentrated ownership. And all of this could happen because of an unexpected dynamic in the verification incentive system.

There may be an obvious alternative to this outcome. The same companies who might be able to subsidize the network by adding sub-profitable hashing capacity to it might also agree to a scheme to more directly subsidize the for-profit miner/verifiers. They might just set up a round-robin transaction chain where every 10 minutes they pass one very high fee transaction from one to the next designed to directly subsidize the block verification process. This subsidy could be algorithmically tied to a target difficulty level on the network and would serve as a replacement to the current mining subsidy.

Well, theoretically that could work, but I’m skeptical. I keep thinking about how our existing financial exchanges work (for stocks, bonds, etc.) and how, over time, being on the network as a trader became important as much for the information harvesting as for direct transaction fees associated with the trades. I wonder, over time, if large bitcoin exchange operators won’t only be wanting to participate to support hash difficulty level, but also to be sure they are well positioned in the network for signal quality (though at this moment I’m not sure what signals they would be looking for or what they would do with them).

Remember those good old days on the web when we used log in via local mom and pop ISPs so we could talk about a web that was ideally small pieces loosely joined? Now we access the net via Verizon and Comcast to get to Facebook and Google? It turned out that on the web, the economic bias toward centralization overwhelmed the technical and cultural biases toward distribution and democratization. I think the bitcoin community is going to have to think hard about how transaction fees work to avoid the same fate in their network. If enough players can afford to subsidize verification in the post-mining era, bitcoin may end up looking more like a centralized bank than most of its proponents currently think.