Joseph Bonneau is an assistant professor at New York University and co-author of “Bitcoin and Cryptocurrency Technologies,” a popular textbook.
This exclusive opinion piece is part of CoinDesk’s “Bitcoin at 10: The Satoshi White Paper” series.
The Bitcoin white paper has been, rightfully, recognized as one of the most original and influential computer science papers in history.
We all know how it has launched a $1 billion industry and thousands of follow-up research papers.
But it’s worth turning a critical eye on the paper (and on the original Bitcoin design, for things not mentioned explicitly in the paper) and asking: how much did the paper get right? How much did it get wrong? And how much of the paper do we still not know the answer to?
What Bitcoin got right
In a sense, this is the hardest category to assess.
One mark of a truly successful idea is that people forget how they looked at the world before that idea came around. Many of the most fundamental contributions of Bitcoin seem somewhat obvious in hindsight, but were not at all obvious at the time.
It’s easy to forget that cryptocurrency was a research backwater for most of the 2000s. After the failure of many attempts in the 1990s to build a working system (largely using the ideas outlined by David Chaum in the 1980s), few papers were published in the area. Many simply believed there was no viable market for a non-state currency.
Prior to Bitcoin, decentralized systems were an active research area in the 2000s (often couched as peer-to-peer networks) and anonymity research was coming into its own (with the development of Tor).
But these were not seen as necessary features for a payment system.
Providing incentives for miners. One of Bitcoin’s core contributions is providing incentives for miners via inflation and fees, making the system hard to attack. This model has generally been successful and it’s fair to say few saw it coming. Many P2P systems in the pre-Bitcoin era that offered open participation (anybody can run a node) were plagued by Sybil attacks and incentive problems.
Simplified payment verification. The division in Bitcoin between full nodes and light (or SPV) nodes has proven quite powerful, and the block structure embedded into Bitcoin has made this not just possible but a natural way of viewing the system. Bitcoin’s UTXO design has also made this quite straightforward.
Support for scripting. While limited, Bitcoin’s scripting support (not discussed at all in the white paper) has enabled several useful features like multi-sig accounts and payment networks. It was wise to envision a system supporting more than simple payments.
Recognizing long-term incentives. There’s no evidence in the white paper that Satoshi expected to see industrial-scale mining or mining pools. But the paper does include a very prescient line about the risks of centralization: “[an attacker] ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.” Despite a large number of theoretical attacks by miners being written about since, none have been seriously attempted in practice. Satoshi recognized a powerful principle: miners have long-term incentives not to attack, since they are invested in the health of the ecosystem.
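The simplified payment verification point above, as an added example (not code from this article or from Bitcoin’s code base): a light client recomputes a block’s Merkle root from one transaction ID and a short branch of sibling hashes, using Bitcoin’s double SHA-256 and its rule of duplicating the last hash on an odd level. The function names and the five sample transaction IDs are constructed for illustration, and hashes are kept in internal byte order.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txids: list[bytes]) -> bytes:
    """Root as a full node computes it; an odd level duplicates its last hash."""
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_branch(txids: list[bytes], index: int) -> list[bytes]:
    """Sibling hashes from leaf to root: what a full node hands a light client."""
    branch, level = [], list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        branch.append(level[index ^ 1])      # the neighbour in this pair
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return branch

def spv_verify(txid: bytes, index: int, branch: list[bytes], root: bytes) -> bool:
    """Light-client check: recompute the root from one txid and its branch."""
    h = txid
    for sibling in branch:
        # The low bit of the index says whether we are the right or left child.
        h = dsha256(sibling + h) if index & 1 else dsha256(h + sibling)
        index >>= 1
    return h == root

# Constructed sample: five stand-in transaction IDs (not real Bitcoin data).
TXIDS = [dsha256(b"constructed-tx-%d" % i) for i in range(5)]
ROOT = merkle_root(TXIDS)   # in Bitcoin this value sits in the block header

if __name__ == "__main__":
    branch = merkle_branch(TXIDS, 4)
    print("hashes the light client needs:", len(branch))
    print("valid proof:", spv_verify(TXIDS[4], 4, branch, ROOT))
    print("forged txid:", spv_verify(dsha256(b"forged"), 4, branch, ROOT))
```

A passing check only shows that the transaction is committed to by that header; the light client still has to validate the header’s proof of work and its place in the longest chain.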
What Bitcoin got wrong
We’ll ignore some quaint-in-retrospect features in early versions of the Bitcoin code, such as pay-to-IP-address and a built-in e-commerce system, that never saw the light of day.
But there are a few features of Bitcoin that appear “wrong” in that no system built today would repeat them.
ECDSA. While this signature algorithm was a far better choice than, say, RSA, it is inferior to EC-Schnorr on all counts. Most likely Satoshi simply didn’t know about this option (a legacy of software patents around Schnorr). Today, it would be obvious to use Schnorr instead, if not a more advanced signature scheme such as BLS.
Transaction malleability. This unintentional issue has led to headaches for features such as payment networks as well as famously enabling the attack on Mt. Gox. Today a prudent design would use something along the lines of segregated witness to ensure transaction IDs are unique and predictable.
Features since added. Quite obviously, it was a mistake not to include popular features such as pay-to-script-hash (P2SH) and check-locktime-verify, which have been added since by soft forks.
Limited divisibility of coins. Bitcoin has a limit of 21 million Bitcoins, but more importantly, it has a limit of about 2^52 satoshis as the atomic unit. This was never going to be enough if Bitcoin were to really become Earth’s only payment system, leaving fewer than a million units per human being. This isn’t nearly enough to capture both day-to-day transactions (even rounded to the equivalent of tenths of a dollar) and also large holdings. It would be quite cheap to expand this with a few extra…