Ben Laurie, who is a core contributor to OpenSSL and a security researcher for Google, has put forth some criticism against Bitcoin, the crypto-currency that has recently gained some amount of popularity. Part of it may be sour grapes, because Bitcoin seems to be taking off much more than previous systems, some of which Laurie was involved in. But he does make a good argument against the proof-of-work technique that Bitcoin employs.
Suppose I take 20 £5 notes, burn them and offer you a certificate for the smoke for £101. Would you buy the certificate?
This is the value proposition of Bitcoin. I don’t get it. How does that make sense? Why would you burn £100 worth of non-renewable resources and then use it to represent £100 of buying power. Really? That’s just nuts, isn’t it?
Laurie co-wrote a paper in 2004 called "Proof-of-Work Proves Not To Work". At the time, proof-of-work was an idea being floated to combat email spammers: mail would only be delivered if the sender performed a number of expensive calculations first. The paper points out that in addition to negatively impacting legitimate bulk-mailers, the whole approach falls flat when the people sending spam are the same people that control huge amounts of computing power through the botnets that they use to send spam.
In Bitcoin, it is not the case that anyone who wants to transfer coins has to engage in the expensive proof-of-work calculations. Only the so-called miners need to do that, a minority group that gets to sign off on the transaction records. It is not possible for miners to fake transactions; all they could potentially do is refuse to include transactions in the official record (the block chain), or cause a lot of confusion by forking the block chain (thereby facilitating double-spending). Proof-of-work is supposed to make sure that there are always enough independent miners that do not collaborate with each other for nefarious purposes. What Laurie is saying is that this will not work too well, because a nasty attacker could undermine this equation by throwing a large botnet at the problem, and that in order to make that unfeasible, you would need a large number of honourable entities to spend a really huge amount of computing power on mining, which does in fact burn electricity to no end. Considering that in the end you need to trust that a majority of participants are honest anyway, you could build on that trust to come up with a cheaper solution to the distributed consensus mechanism.
According to this reasoning, Bitcoin either does not work at all, or it does so at much too high a cost. Maybe someone can come up with an alternative way to agree on the block chain that is either less expensive or performs calculations with some meaningful side-effects (such as decoding genomes or something). That seems to be difficult without giving up the completely anonymous (or rather pseudonymous) and decentralised nature of the system.
Even more troubling than this, however, is the reaction these or other objections receive on the Bitcoin forums, where large parts (or at least the most vocal parts) display an almost religious frenzy, antisocial tendencies and an inability to engage in reasonable arguments. In the minds of the general public, technologies like email encryption and BitTorrent are often associated with criminal behaviour, which must have hurt their adoption. Looking at the forums, Bitcoin might be headed for an even worse image.





