I want to focus on another dimension to this mining cost story. So far we have focused on the role that miners play in hashing blocks. But miners actually do two things: in addition to hashing blocks, they also perform transaction verification. The author’s of the BoE paper seem to conflate the two processes:

Low transaction fees for digital currency payments are largely driven by a subsidy that is paid to transaction verifiers (miners) in the form of new currency. The size of this subsidy depends not only on the current price of the digital currency, but also on miners’ beliefs about the future price of the digital currency. Together with the greater competition between miners than exists within centralised payment systems, this extra revenue allows miners to accept transaction fees that are considerably below the expected marginal cost of successfully verifying a block of transactions.

It’s that last sentence I take issue with. The “marginal cost of successfully verifying a block of transactions” is the cost of running the scripts on each TX in the block and verifying the digital signatures. The computational costs here are tiny compared to the cost of hashing the block, which plays no role in TX verification whatsoever. Hashing is there to raise the cost of a Sybil attack, nothing more.

What’s confusing about cryptocurrency is that there are these two different costs, hashing and verification, and two different sources of paying for them: seigniorage (the coinbase award) and TX fees. How the pair of costs and revenues match up is a protocol design consideration.

Costs Revenue Proof-of-Work (SHA256 hash problem) Coinbase (25 bitcoins) Transaction verification Transaction fees

In the case of Bitcoin, a miner has no control over the size of the coinbase award, but he does control which TX’s go into the block he’s currently hashing. So basic economic theory dictates that a miner will include a transaction if and only if the expected value of the TX’s fee is greater than his marginal cost of verifying that transaction. The costs due to proof-of-work do not come into the decision at all.

It makes sense to think of proof-of-work and TX verification as two separate subsystems with their own respective sources of financing: proof-of-work financed by coinbase and transaction verification financed by transaction fees. A digital currency protocol could follow this pattern and some do (Ethereum, for example). Bitcoin, however, is different. Its protocol dictates that the coinbase award halves every two years and never exceeds a cumulative total of 21m coins, which means that at some point both hashing costs and verification costs must be paid out of TX fees alone.

I’ve pointed out before that this aspect of Bitcoin’s protocol design is self-defeating in the long run. The market for media of exchange will gravitate towards those systems with the lowest transaction costs, and in the case of proof-of-work digital currencies, that means those protocols that forever subsidise hashing costs with the coin’s seigniorage (no supply cap). And even if that were not the case and Bitcoin remained the dominant digital currency, the protocol will need to change to incorporate a mandatory minimum fee that is sufficiently large to incentivise enough hashing to secure the network. I say “mandatory” because there is a collective action problem here in that an individual miner has no incentive to exclude a transaction whose fee exceeds his marginal verification costs, even if the aggregate effect of this rational behaviour is that the total TX fees are insufficient to support a hashing difficulty that secures the network.

Which brings me to the author’s bleak conclusion:

The eventual supply of digital currencies is typically fixed, however, so that in the long run it will not be possible to sustain a subsidy to miners. Digital currencies with an ultimately fixed supply will then be forced to compete with other payment systems on the basis of costs. With their higher marginal costs, digital currencies will struggle to compete with centralised systems unless the number of miners falls, allowing the remaining miners to realise economies of scale. A significant risk to digital currencies’ sustained use as payment systems is therefore that they will not be able to compete on cost without degenerating — in the limiting case — to a monopoly miner, thereby defeating their original design goals and exposing them to risk of system-wide fraud.

This is only partly right, and partly right for the wrong reasons. First of all, it’s not digital currencies that face this problem, but a subset of them that, like Bitcoin, eventually require TX fees to shoulder the entire burden of incentivising proof-of-work. But that is an accidental rather than essential feature of digital currencies. So, the conclusion is only partly right because it does not apply to protocols that finance hashing costs with a perpetual coinbase award.

And right for the wrong reasons… this sentence “With their higher marginal costs, digital currencies will struggle to compete with centralised systems unless the number of miners falls, allowing the remaining miners to realise economies of scale” is wrong because the authors have conflated hashing and verification costs.

I’m not sure I get the “economies of scale” thing in transaction processing systems, but perhaps the author’s are thinking of the extreme redundancy that distributed systems require. Transaction verification in a distributed system is redundantly performed by every node, so if there are 5,000 nodes verifying nodes on the system, every TX is verified 5,000 times. Compared to a centralised system that only needs to verify a TX once, it would seem that there is a simple economy of scale linear in the number of nodes in system.

But a centralised system must do much more than verify TX, it must do lots of things that nodes on a distributed system do not have to worry about. The centralised system must protect the server(s) against error and attack, as a centralised system is by definition a system with a single point of failure. You don’t have to be a network security expert to appreciate that this is hostile and difficult technical territory. I can’t offer estimates on what these additional costs are, but what I do know is that they are a large multiple of transaction verification costs, and exponentially more complicated processes. TX verification–parsing the blockchain and doing a bunch of ECDSA signature verifications–is easy and cheap by comparison.

So it is by no means obvious that the total costs of TX verification are lower in a centralised system than in a decentralised or distributed one, and it may in fact be the other way round. But either way, we can say two things with confidence:

The costs of distributed TX verification are a small fraction of the fees charged by legacy payment systems. Unlike hashing, this is not a costly computation even when multiplied by a large number of verifying nodes.

The costs of distributed TX verification will decline over time with improvements in computational efficiency, bandwidth, etc.

But the one thing that distributed systems must do that centralised systems do not have to worry about is a mechanism for achieving consensus on the authoritative state of the ledger. For Bitcoin and many other digital currencies, this mechanism is hash-based proof-of-work, and it is crucial to appreciate the fact that verification and proof-of-work hashing are separate processes with independent cost functions.

And it may turn out that the proof-of-work blockchain isn’t the best mechanism for achieving consensus anyway. There are other decentralised consensus algorithms used in projects like Ripple, Stellar, and Hyperledger that do not rely on energy intensive hashing problems to achieve consensus.