ALL currencies involve some measure of consensual hallucination, but Bitcoin, a virtual monetary system, involves more than most. It is a peer-to-peer currency with no central bank, based on digital tokens with no intrinsic value. Rather than relying on confidence in a central authority, it depends instead on a distributed system of trust, based on a transaction ledger which is cryptographically verified and jointly maintained by the currency’s users. Transactions can occur directly between the system’s participants at almost zero cost, without the need for a trusted third party or any other intermediary, and are irreversible once committed to a permanent and fully public record. Bitcoin’s mathematically elegant design ensures that the money supply can increase only at a fixed rate that slows over time and then stops altogether. Anonymity, while not assured, is possible with the right precautions and tools. No wonder Bitcoin is so appealing to geeks, libertarians, drug dealers, speculators and gold bugs.

Bitcoin began in 2008, at the height of the financial crisis, with a paper published under the pseudonym Satoshi Nakamoto. The technical design outlined in the paper was implemented in open-source software the following year. It came to widespread prominence in 2012 and has been in the headlines ever since.

Investors are backing Bitcoin-related startups, the German finance ministry has recognised it as a “unit of account” and senior officials told an American Senate committee on November 18th that virtual currencies had legitimate uses. But there have also been many cases of Bitcoin theft. Exchanges that convert Bitcoin to other currencies have collapsed or closed. Silk Road, an online forum where illicit goods and services are traded for Bitcoin, was shut down by America’s Federal Bureau of Investigation in October but has since reopened. The Bitcoin price has fluctuated wildly, hitting $230 in April 2013, falling below $70 in July, and then exceeding $600 in November, prompting talk of a bubble.

The system is now straining at the seams. Its computational underpinnings have collectively reached 100 times the performance of the world’s top 500 supercomputers combined: more than 50,000 petaflops. Bitcoin’s success has revealed three weaknesses in particular. It is not as secure and anonymous as it seems; the “mining” system that both increases the Bitcoin supply and ensures the integrity of the currency has led to an unsustainable computational arms-race; and the distributed-ledger system is becoming unwieldy. Will Bitcoin’s self-correcting mechanisms, and the enlightened self-interest of its users, be able to address these weaknesses and keep Bitcoin on the rails?

Bitcoin uses a technique called public-key cryptography, which relies on creating an interlocking pair of encryption keys: a public key that can be freely distributed, and a private one that must be kept secret at all costs. The public key is treated as an address to which value may be sent, akin to an account number. Each transaction involves the paying party signing over a portion or all of the value in one of these addresses by using his private key to perform an operation, called “signing”, on the contents of the transfer, which includes the recipient’s address. Anyone can use the sender’s public key to verify that the sender’s private key signed the transaction. All transactions are appended to a public ledger, called the block chain.

Public keys are ostensibly anonymous, because they are created randomly by software under the control of each user, without central co-ordination. But it turns out that the flow of money from specific addresses can be tracked quite easily. In a paper presented in October, academics from the University of California, San Diego, and George Mason University engaged in a series of ordinary transactions to collect commonly used addresses for Bitcoin wallet services, gambling sites, currency exchanges and other parties.

Follow the money

The researchers exploited a current weakness in most Bitcoin personal and server software, which generates single-use addresses to store change from transactions. This allowed them to follow the movement of Bitcoins across hundreds of transactions from large sums accumulated at single addresses, including ones suspected of being controlled by Silk Road and stolen funds from exchanges. One of the authors, Sarah Meiklejohn, says that the same technique could easily be used to provide the basis of warrants to serve against exchanges or other parties. Law-enforcement agencies would regard this as a good thing, but to advocates of a completely secure and anonymous online currency, it represents a worrying flaw. Ms Meiklejohn says most current implementations of the Bitcoin protocol fall short of the level of anonymity that is theoretically possible, and that her group’s efforts represent just the tip of the iceberg of what could be deduced from analysis of the public block chain.
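The kind of tracing described above, as an added illustration on a constructed ledger (not the researchers' code; the article does not spell out their exact rules). It assumes a simplified heuristic in which the only never-before-seen output address in a payment is the sender's change; every address and amount is made up.

```python
# Constructed ledger in chain order; every address and amount is made up.
LEDGER = [
    {"inputs": ["cust1"], "outputs": [("shop", 1)]},
    {"inputs": ["cust2"], "outputs": [("exchange", 2)]},
    {"inputs": ["hoard"], "outputs": [("shop", 5), ("chg1", 95)]},
    {"inputs": ["chg1"], "outputs": [("exchange", 10), ("chg2", 85)]},
    # Here the payee also uses a brand-new address, so two outputs are fresh.
    {"inputs": ["chg2"], "outputs": [("fresh_payee", 3), ("chg3", 82)]},
]

def guess_change(tx, seen):
    """Assumed heuristic: the sole never-before-seen output is the change."""
    fresh = [addr for addr, _ in tx["outputs"] if addr not in seen]
    if len(tx["outputs"]) >= 2 and len(fresh) == 1:
        return fresh[0]
    return None  # zero or several candidates: ambiguous, so no link is made

def link_change(ledger):
    """Map each spending address to the change address guessed to succeed it."""
    seen, successor = set(), {}
    for tx in ledger:
        seen.update(tx["inputs"])
        change = guess_change(tx, seen)
        if change is not None:
            for addr in tx["inputs"]:
                successor[addr] = change
        seen.update(addr for addr, _ in tx["outputs"])
    return successor

def follow(ledger, start):
    """Addresses the same funds appear to pass through, starting at `start`."""
    successor, trail = link_change(ledger), [start]
    while trail[-1] in successor:
        trail.append(successor[trail[-1]])
    return trail

if __name__ == "__main__":
    print(follow(LEDGER, "hoard"))
```

The trail stops at the last payment, where the payee's address is as new as the change address and the heuristic can no longer tell them apart.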

The Bitcoin system offers a reward to volunteer users, known as “miners”, who bundle up new transactions into blocks and add them on to the end of the chain. The reward is currently 25 Bitcoins (about $15,000 at this writing). Miners pull active transactions waiting to be recorded from the peer-to-peer network and perform the complex calculations to create the new block, building on the cryptographic foundation of the previous block. Comparison of the results produced by different miners provides independent verification. About every 10 minutes, one lucky miner who has generated the next block is granted the 25-Bitcoin reward, and the new block is appended to the chain. The process then starts again.

Mine craft

The Bitcoin system is designed to cope with the fact that improvements in computer hardware make it cheaper and faster to perform the mathematical operations, known as hashes, involved in mining. Every 2,016 blocks, or roughly every two weeks, the system compares how long those blocks took to create with how long they would have taken at precisely 10-minute intervals, and resets a difficulty factor in the calculation accordingly. As equipment gets faster, in short, mining gets harder. But faster equipment is constantly coming online, reducing the potential rewards for other miners unless they, too, buy more kit. Miners have formed groups that pool processing power and parcel out the ensuing rewards. Once done with ordinary computers, mining shifted to graphics-processing units, which can perform some calculations more efficiently. Miners then moved on to flexible chips that can be configured for particular tasks, called field-programmable gate arrays. In the past year, bespoke chips called ASICs (application-specific integrated circuits) have appeared on the scene.

Your correspondent visited a miner who operates a rack of mining hardware in his modest apartment. He had purchased his ASIC-based hardware a few months earlier, and it had arrived weeks late, causing him to miss out on a bonanza, because after arrival, the kit generated Bitcoins so quickly that it paid for itself within three days. But the edge that ASICs provide is quickly eroding. Between July, when the gear arrived, and mid-November, the computational capacity of the Bitcoin network increased 25-fold, from 200 trillion to 5 quadrillion hashes per second. This was due in part to the arrival in September of a newer generation of more efficient ASICs. Hashing capacity has increased so rapidly in 2013 that the practice of hijacking thousands of PCs and using them for mining is no longer worth the effort. The average time between blocks has fallen to between five and eight minutes.
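The difficulty adjustment described under "Mine craft", and why block times stay below ten minutes while hashing capacity keeps growing, as an added example (not code from the Bitcoin project). The model is a simplification: the growth figures are constructed, hash rate is held constant within each 2,016-block period, and blocks arrive exactly at the expected rate.

```python
TARGET_SPACING = 10 * 60                     # seconds between blocks the protocol aims for
INTERVAL = 2016                              # blocks between difficulty adjustments
TARGET_TIMESPAN = TARGET_SPACING * INTERVAL  # two weeks, in seconds
MAX_TARGET = 0xFFFF << 208                   # easiest permitted target (difficulty 1)

def retarget(old_target, actual_timespan):
    """Next target, given the seconds the last 2,016 blocks actually took."""
    # A single adjustment is limited to a factor of four in either direction.
    clamped = max(TARGET_TIMESPAN // 4, min(actual_timespan, TARGET_TIMESPAN * 4))
    # A lower target means fewer acceptable hashes, i.e. harder mining.
    return min(old_target * clamped // TARGET_TIMESPAN, MAX_TARGET)

def difficulty(target):
    """How many times harder than the easiest target it is to find a block."""
    return MAX_TARGET / target

def simulate(growth, periods):
    """Average minutes between blocks in each adjustment period.

    Assumed model: a hash rate of 1.0 finds a difficulty-1 block every
    600 seconds, and the hash rate is multiplied by `growth` at each
    adjustment.
    """
    target, hashrate, spacings = MAX_TARGET, 1.0, []
    for _ in range(periods):
        seconds = TARGET_SPACING * difficulty(target) / hashrate
        spacings.append(round(seconds / 60, 2))
        target = retarget(target, int(seconds * INTERVAL))
        hashrate *= growth
    return spacings

if __name__ == "__main__":
    # 30% more hashing power per period: difficulty always lags one step behind.
    print(simulate(1.3, 6))
    # A tenfold jump per period exceeds the fourfold cap, so spacing keeps shrinking.
    print(simulate(10, 4))
```

Because each adjustment only corrects for the period that has just ended, steady growth of about 30% per period leaves blocks arriving roughly every 7.7 minutes in this model, inside the five-to-eight-minute range quoted above.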

The general consensus, says Mike Hearn, one of the volunteers who maintain the Bitcoin software, is that with this new generation of ASICs, mining will have approached a point where only those with access to free or cheap electricity will continue operations, and even they will produce a relatively marginal return on investment, rather than the huge multiples (when exchanged into traditional currency) possible even earlier this year. Mining has become increasingly commercial and professional, he says. Server farms with endless racks of ASIC cards have already sprung up. But as part of Bitcoin’s design, the reward for mining a block halves every 210,000 blocks, or roughly every four years. Sometime in 2017, at the current rate, it will drop to 12.5 Bitcoins. If the returns from mining decline, who will verify the integrity of the block chain?
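The halving schedule above, carried through to the point where the reward stops altogether, as an added example (not code from the Bitcoin project). The 50-Bitcoin starting reward and the unit of 100m "satoshis" per Bitcoin are protocol facts not stated in the article; the figure of 400 transactions per block is a constructed assumption.

```python
COIN = 100_000_000            # smallest units ("satoshis") in one Bitcoin
INITIAL_SUBSIDY = 50 * COIN   # reward for the earliest blocks
HALVING_INTERVAL = 210_000    # blocks between halvings, as stated in the article

def block_subsidy(height):
    """New coins (in satoshis) created by the block at this height."""
    # Integer right-shift halves the reward and rounds down to a whole satoshi.
    return INITIAL_SUBSIDY >> (height // HALVING_INTERVAL)

def first_unrewarded_height():
    """Height of the first block that creates no new coins at all."""
    height = 0
    while block_subsidy(height) > 0:
        height += HALVING_INTERVAL
    return height

def total_supply():
    """Sum of every reward ever paid, in satoshis."""
    return sum(block_subsidy(h) * HALVING_INTERVAL
               for h in range(0, first_unrewarded_height(), HALVING_INTERVAL))

def fee_to_replace_halving(height, txs_per_block):
    """Fee per transaction (satoshis) that would make up the reward lost
    at the halving that takes effect at `height`."""
    lost = block_subsidy(height - 1) - block_subsidy(height)
    return lost // txs_per_block

if __name__ == "__main__":
    print(block_subsidy(420_000) / COIN)      # reward after the next halving
    print(first_unrewarded_height())          # where new issuance ends
    print(total_supply() / COIN)              # just under 21m Bitcoins
    # Constructed assumption: 400 transactions in each block.
    print(fee_to_replace_halving(420_000, 400) / COIN)
```

With 400 transactions per block, making up the 12.5 Bitcoins lost at the next halving would take a fee of about 0.03 Bitcoins per transaction, far above the five cents or so paid voluntarily today.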

To head off this problem, a market-based mechanism is in the works which will raise the current voluntary fees paid by users (around five cents per transaction) in return for verification. “Nodes in the peer-to-peer network will try to estimate the minimum fee needed to get the transaction confirmed,” says Mr Hearn.

Bitcoin’s growing popularity is having other ripple effects. Every participant in the system must keep a copy of the block chain, which now exceeds 11 gigabytes in size and continues to grow steadily. This alone deters casual use. Bitcoin’s designer proposed a method of pruning the chain to include only unspent amounts, but it has not been implemented.

As the rate of transactions increases, squeezing all financial activity into the preset size limit for each block has started to become problematic. The protocol may need to be tweaked to allow more transactions per block, among other changes. A further problem relates to the volunteer machines, or nodes, that allow Bitcoin to function. These nodes relay transactions and transmit updates to the block chain. But, says Matthew Green, a security researcher at Johns Hopkins University, the ecosystem provides no compensation for maintaining these nodes—only for mining. The rising cost of operating nodes could jeopardise Bitcoin’s ability to scale.

The original paper that sparked the creation of Bitcoin has since been supplemented by layers of agreed-upon protocol, updated regularly by the system’s participants. The protocol, like the currency, is a fiction they accept as real, because rejection by a large proportion of users—be they banks, exchanges, speculators or miners—could cause the whole system to collapse. Mr Hearn notes that he and other programmers who work on Bitcoin’s software have no special authority in the system. Instead, proposals are floated, implemented in software, and must then be taken up by 80% of nodes before becoming permanent—at which point blocks from other nodes are rejected. “The rules of the system are not set in stone,” he says. The adoption of improvements is up to the community. Bitcoin is thus both flexible and fragile.

So far, it has kept going. But can it withstand the pressure as it becomes more popular? “It’s got this kind of watch-like feel to it,” says Mr Hearn. It keeps on ticking, but “a mechanical watch is fragile and can be smashed.” Perhaps Bitcoin, like the internet, will smoothly evolve from a quirky experiment to a trusted utility. But it could also go the way of Napster, the trailblazing music-sharing system that pioneered a new category, but was superseded by superior implementations that overcame its technical and commercial flaws.