Adi Shamir's paper on bitcoin

[Meni Rosenfeld]

Some changes have been made to the paper based on the community's feedback. The revised version is available at the same URL, http://eprint.iacr.org/2012/584.pdf.

[greyhawk]

Now this is peer review as it should be. 

[niko]

Now this is peer review as it should be. 

p2p

[molecular]

can someone post a diff or have the old version? I'd like to see what got changed.

[Peter Todd]

can someone post a diff or have the old version? I'd like to see what got changed.

https://s3.amazonaws.com/retep/2012BitcoinFinalNonAnonymous.pdf <- EDIT: taken down, I accidentally uploaded the revision circulated to authors. Meni found a link to all revisions published at http://eprint.iacr.org/cgi-bin/versions.pl?entry=2012/584

[molecular]

can someone post a diff or have the old version? I'd like to see what got changed.

https://s3.amazonaws.com/retep/2012BitcoinFinalNonAnonymous.pdf

Thanks, retep, for the link. I made a diff of the textual changes. Changes marked in bold:

-------------------------------------------------------------------------------

In many places:

bitcoin

Bitcoin

Page 3:

Payments are made inAnd in the Acknowledgements: bitcoins (BTC's), which are digital coins issued and transferred by the bitcoin network. Nodes broadcast transactions to this network, which records them in publicly available web pages, called block chains, after validating them with a proof-of-work system.

Payments are made in bitcoins (BTC's), which are digital coins issued and transferred by the Bitcoin network. The data of all these transactions, after being validated with a proof-of-work system, is collected into what is called the block chain.

Page 12:

A common prominent practice of bitcoin users is to create chains of consecutive transactions as can be seen in Fig. 7: An initial amount of 50,000 BTC's is rapidly transferred from one address to another leaving out some small amounts. In this example 350 such transactions are carried out within the first two days during which the initial amount of 50,000 BTC's is reduced to 34,000 BTC's. In the next three weeks an additional 100 transactions follow and the amount is further reduced to merely 15,000 BTC's. A similar chain of length 120, with initial amount of 500,000 BTC's which decreases to 340,000 BTC's at the end of the chain, is shown in Fig. 1. Note that some of the transactions in this chain are carried out by Mt.Gox. Additional such chains can be found in Fig. 2, Fig. 3, Fig. 4 and Fig. 5, with lengths of 3, 15, 23, 26, 80 and 88 transactions.

A common prominent practice of Bitcoin users is to create chains of consecutive transactions. Some of these chains can be explained by the change mechanism in which small payments are accompanied by the creation of a new address, into which the user transfers the dierence. Such chains can be found in Fig. 2, Fig. 4, Fig. 5 and Fig. 7, with lengths of 3, 15, 26, 80, 88 and 350 transactions. However, the behavior seen in Fig. 3 deviates significantly from this pattern, since the same amount of 5,000 bitcoins is repeatedly split off the main sum and put into accounts which have no additional transactions associated with them.

And in the Acknowledgements:

Finally, we would like to thank all the members of the bitcoin community who sent us excellent comments criticisms and suggestions.

Finally, we would like to thank all the members of the Bitcoin community, and in particular Meni Rosenfeld and Stefan Richter, who sent us excellent comments, criticisms and suggestions.

[Meni Rosenfeld]

can someone post a diff or have the old version? I'd like to see what got changed.

https://s3.amazonaws.com/retep/2012BitcoinFinalNonAnonymous.pdf

This isn't the old version, it's something between the old and new. As such, there are many changes not appearing in molecular's diff. I'll try to look for the original version.

Update: Adi has informed me that all revisions are available at http://eprint.iacr.org/cgi-bin/versions.pl?entry=2012/584. In particular the first version is at http://eprint.iacr.org/cgi-bin/getfile.pl?entry=2012/584&version=20121016:132906&file=584.pdf.

Note that the intermediate one retep uploaded isn't there, it was mailed to some of the people who communicated with the authors.

[molecular]

can someone post a diff or have the old version? I'd like to see what got changed.

https://s3.amazonaws.com/retep/2012BitcoinFinalNonAnonymous.pdf

This isn't the old version, it's something between the old and new. As such, there are many changes not appearing in molecular's diff. I'll try to look for the original version.

damnit! I figures as much when I arrived at the Acknowledgements. Finished regardless.

Offering to do it again.

[Peter Todd]

can someone post a diff or have the old version? I'd like to see what got changed.

https://s3.amazonaws.com/retep/2012BitcoinFinalNonAnonymous.pdf

This isn't the old version, it's something between the old and new. As such, there are many changes not appearing in molecular's diff. I'll try to look for the original version.

Thanks, I'd appreciate a copy for my archives as well. There's probably going to be at least one more additional revision, if only because Adi offered to acknowledge me by name as well. I also pointed out in my last email that the definition for inactive addresses, which appears to be on a per-address rather than per-transaction basis, has the problem where the people who seem to be sending dust spam to random addresses can incorrectly cause both older, pre-Mt.Gox addresses to be appear to be active after that date and then subsequently inactive and considered to be savings.

You know, it'd be worth it for someone to try to replicate the whole paper with our own toolchain, such as znort's blockchain parser, and publish our own findings. If I had the free time I'd look into doing so myself.

[molecular]

You know, it'd be worth it for someone to try to replicate the whole paper with our own toolchain, such as znort's blockchain parser, and publish our own findings. If I had the free time I'd look into doing so myself.

If there was an expectation of getting meaningful results I guess the incentive to do this might be higher.

Just "showing Adi how it's done right" is not worth the effort in my mind. I don't think the way he did it invalidates the results.

Still: if you find the time: go for it! Maybe you can find even more interesting results.

If I'd do something like this, I'd use bitcoin-abe and sql-queries.

[Peter Todd]

You know, it'd be worth it for someone to try to replicate the whole paper with our own toolchain, such as znort's blockchain parser, and publish our own findings. If I had the free time I'd look into doing so myself.

If there was an expectation of getting meaningful results I guess the incentive to do this might be higher.

Just "showing Adi how it's done right" is not worth the effort in my mind. I don't think the way he did it invalidates the results.

Still: if you find the time: go for it! Maybe you can find even more interesting results.

If I'd do something like this, I'd use bitcoin-abe and sql-queries.

I'm thinking do this first of all just to check that their(1) statistics were correct in the first place. For all we know some problems exist at the core of these results, and it'd also be useful to get more details on, for example, the claim of that 70,000BTC "laundering" transaction. It's one of the things that bothers me about the paper actually: they should have published what transactions they were talking about in many of the examples. (modulo privacy considerations where they have identified someone)

Once you can reproduce those results, then you can work on more exciting concepts. Maybe those exciting measurements will only happen after time has been spent struggling? Don't forget that another perfectly valid result is that people in the Bitcoin community who really understand the system have spent a lot of time thinking about the problem, and can't find any way to get statistics out of the system.

I agree that incentive is a problem. Myself I already have school, work, and a timestamping project to juggle. More generally replication papers in science are never sexy.


(1) We shouldn't forget it's not really Adi Shamir's paper, but his grad student Dorit Ron's paper, who according to her linked-in page is working on a masters degree. She would have done essentially all the work with Adi only supervising. Quite possibly prior to publishing the paper Adi didn't actually know much about Bitcoin. However now that it's raised a lot of controversy I'm not surprised that Adi seems to be the one handling emails; it is his reputation on the line after all and he's the one with experience handling controversial results. <- wrong, see https://bitcointalk.org/index.php?topic=118797.msg1301988#msg1301988

[molecular]

Why doesn't Dorit Ron pop in here and suck all knowledge from us and use our resources? Is there some formal reason like having to write the thesis on her own?

[marcus_of_augustus]

It seems to me that best incentive for doing this kind of work is to figure out how much information is currently available from the block-chain, so that better privacy enhancing techniques can be developed to thwart further analysis. Rinse and repeat, so to speak.

[Meni Rosenfeld]

In case someone missed it, I posted a link to the old version in the previous post.

(1) We shouldn't forget it's not really Adi Shamir's paper, but his grad student Dorit Ron's paper, who according to her linked-in page is working on a masters degree.

Link? According to http://www.wisdom.weizmann.ac.il/~dron/ she's been writing papers for 28 years (and in case there is another Dorit Ron at WIS, the emails match).

She would have done essentially all the work with Adi only supervising.

Even if that was true, "supervising" doesn't mean not having a clue what the research is about.

Quite possibly prior to publishing the paper Adi didn't actually know much about Bitcoin.

I don't know if he knew much about Bitcoin, but he's interested in cryptocurrencies and has said "of course I've heard about Bitcoin" as early as a year ago.

Why doesn't Dorit Ron pop in here and suck all knowledge from us and use our resources? Is there some formal reason like having to write the thesis on her own?

Probably due to low signal to noise ratio on this forum. I agree that they should have consulted with local and global Bitcoin experts at a much earlier point. (Speaking of which we're talking about me coming to visit for a meeting of faculty interested in Bitcoin and/or the paper).

By the way Adi and probably also Dorit are reading these threads.

[Peter Todd]

In case someone missed it, I posted a link to the old version in the previous post.

(1) We shouldn't forget it's not really Adi Shamir's paper, but his grad student Dorit Ron's paper, who according to her linked-in page is working on a masters degree.

Link? According to http://www.wisdom.weizmann.ac.il/~dron/ she's been writing papers for 28 years (and in case there is another Dorit Ron at WIS, the emails match).

Ah, look like I'm wrong then. The linked-in page was found by someone I know who has a pro-account, so they might have found the wrong person. I edited my post to make this clear.

Why doesn't Dorit Ron pop in here and suck all knowledge from us and use our resources? Is there some formal reason like having to write the thesis on her own?

Probably due to low signal to noise ratio on this forum. I agree that they should have consulted with local and global Bitcoin experts at a much earlier point. (Speaking of which we're talking about me coming to visit for a meeting of faculty interested in Bitcoin and/or the paper).

That's great news!

Finding info on the forums is definitely difficult, and in addition Dorit seems to be a mathematician rather than a programmer, which would explain why she used what to us is a convoluted way of generating the results. Note how she acknowledged help from someone else in parsing the block chain itself.

[Binford 6100]

As pointed out by Davout, the paper assumes shared wallets like mt gox are ONE owner of a lot of addresses. This logic is flawed.

Also - it seems a bit strange to count the 2Million+ sub 0.01 balance wallets as the poor end of some sort of wealth pyramid.
Many of these are surely people who just tried it out, e.g by getting some from a freebie site. They may or may not even have kept that wallet, let alone become engaged as an active Bitcoin user.

Some of those might be miners, collecting a lot of little bits of change.

or service operators collecting fees from transactions

[molecular]

In case someone missed it, I posted a link to the old version in the previous post.

thanks. I tried to make another diff, but I'm having a hard time (line breaks have to be removed, my pdf reader's copy to clipboard function screws up on many chars, hyphenation marks need to be removed, etc). It'd be awesome to have the sources (tex or whatever they are).

Right now it's too much effort for me unless someone has a great idea on how to get clean(er) text from the pdfs.

Why doesn't Dorit Ron pop in here and suck all knowledge from us and use our resources? Is there some formal reason like having to write the thesis on her own?

Probably due to low signal to noise ratio on this forum. I agree that they should have consulted with local and global Bitcoin experts at a much earlier point. (Speaking of which we're talking about me coming to visit for a meeting of faculty interested in Bitcoin and/or the paper).

Cool!

By the way Adi and probably also Dorit are reading these threads.

Hello! *waves*

[cypherdoc]

In case someone missed it, I posted a link to the old version in the previous post.

thanks. I tried to make another diff, but I'm having a hard time (line breaks have to be removed, my pdf reader's copy to clipboard function screws up on many chars, hyphenation marks need to be removed, etc). It'd be awesome to have the sources (tex or whatever they are).

Right now it's too much effort for me unless someone has a great idea on how to get clean(er) text from the pdfs.

Why doesn't Dorit Ron pop in here and suck all knowledge from us and use our resources? Is there some formal reason like having to write the thesis on her own?

Probably due to low signal to noise ratio on this forum. I agree that they should have consulted with local and global Bitcoin experts at a much earlier point. (Speaking of which we're talking about me coming to visit for a meeting of faculty interested in Bitcoin and/or the paper).

Cool!

By the way Adi and probably also Dorit are reading these threads.

Hello! *waves*

thx for trying.  it would indeed be helpful at some pt to see the changes they have acknowledged.

[molecular]

thx for trying.  it would indeed be helpful at some pt to see the changes they have acknowledged.

yeah, would like to see them, too. I got stuck at trying to figure out wether it'd be more work/cost to do it manually, hack up a script, search for existing tools or put up a bounty in the newbie subforum

[Binford 6100]

thx for trying.  it would indeed be helpful at some pt to see the changes they have acknowledged.

do you think they will update the paper once more? molecular already posted first diff few days ago.

yeah, would like to see them, too. I got stuck at trying to figure out wether it'd be more work/cost to do it manually, hack up a script, search for existing tools or put up a bounty in the newbie subforum

not sure how computer readable the sources are and how frequently they change but I'm sure ms word can compare two files (I'm thinking about copy-paste the versions into separate files and use standard office tool, not as elegant as diff but works as well) but will not fight in newbie section for the bounty. have thought colleagues at previous job how to use this. I even saw a manual how to do it. One must love public administration.

By the way Adi and probably also Dorit are reading these threads.

In this case I apologize for the noise and the disturbing noise that can be found here.
Why don't they include a bitcoin address in the update? For R&D purposes ; ) read donations