Shitcoin: a Modest Proposal.

This post is of interest only to those who study Bitcoin. If you have never heard of Bitcoin, read my previous post on the subject.

Shitcoin is to be a distributed network for attaching "dirt" to particular bitcoins when certain conditions are met, in a manner which allows Bitcoin users to post bonds in order to establish trustworthiness.  Unlike a conventional bond, these bitcoins could be spent at a later time, without voiding said bond. [1]

A Bitcoin user intent on "putting his money where his mouth is" could post a bond in the following way.  He would start by creating a fresh Bitcoin address, publishing it, and transferring a certain number of bitcoins to it. He will prove that he is the particular user who did so by carrying out the transfer in a sequence of amounts announced in advance, or by allowing those whose trust he is trying to win - the bond-holders - to collectively specify the least-significant digits of the total amount. At any rate, he will have proven that he, at that time, was possession of a certain number of bitcoins, and proclaimed just which coins they were. The next step is to generate a certain number of shitcoins.  A shitcoin consists of two numbers: J, which is randomly-generated and reasonably-long, and K, which is a cryptographic hash of the concatenation of the bitcoin value and of J. A J is given to a bond-holder, who keeps it secret, while K is posted to the Shitcoin distributed hash table network, along with a time stamp (secured through hash chaining, in exactly the same way as ordinary Bitcoin transaction records.)

If, at some future time, a bond-holder is dissatisfied with his relationship with the bond-issuer, he can invoke his shitcoin(s) by publishing his J on the network. When this happens, the bitcoin is to be considered, for all time, "dirtier by one shitcoin." Anyone with access to the Shitcoin network can verify that a given J is genuine simply by hashing it with the bitcoin value in question to produce the previously-published K.  At any later time, anyone can query the network and determine just how "dirty" any given bitcoin is, by counting the number of published valid J-K pairs.  Given this fact, users could choose to distrust any bond issuer who posts excessively-dirty bitcoins as a bond.

Just how dirty is "too dirty" would be a matter for individual would-be bond-holders to decide for themselves. A certain amount of dirt may be seen as acceptable, as there will always be bond-holders who are angry at the bond-issuer for a less-than-legitimate reason and choose to maliciously invoke their shitcoins. Naturally, any user who would like to verify the dirtiness of a particular bitcoin will use a Shitcoin network client which verifies that the coin in question was actually held by the bond-issuer at the time K was originally posted.

Additionally, a bond-issuer who wishes to emphasize his honesty may choose to issue multiple shitcoins to each bond-holder, giving him a proportionately-greater power to damage his reputation should he decide to do so.

One possible variant of Shitcoin would allow bond-issuers to attach expiration times to the K values they publish, proclaiming that any J value posted after that time should be ignored by those interested in the history of the particular bitcoin to which K is linked. Users of the Shitcoin network may choose to respect these declarations, or they may not, as it suits them.

The beauty of this scheme is that it requires no modification to the Bitcoin protocol itself, and could exist independently of and in parallel with the existing Bitcoin network.  Those who wish to post Shitcoin bonds could do so, and those who care about the dirtiness of a particular bitcoin could query the network, without any cooperation whatsoever from those Bitcoin users who think little of Shitcoin and choose to do neither.

One potential problem with the scheme is that innocent receivers of bonded bitcoins would suffer if the shitcoins attached to said bitcoins are invoked at a later time. The obvious countermeasure is for would-be receivers of a particular bitcoin to check (using automated means, of course) whether an unexpired Shitcoin bond is attached to these coins at the particular time they are about to receive them.

If Shitcoin were to become popular, any dealing with Bitcoin users known to be disreputable - and, by extension, dealing with those who choose to deal with them - would be heavily disincentivized.  And this would happen if even only a substantial minority of Bitcoin users chose to use Shitcoin.

Edit: One bit of criticism I got after posting this is that Shitcoin would make bitcoins less fungible. Well yes, that's the whole point! It appears that there exist two kinds of people: ones who believe that theft and fraud should be thought of as parts of the great circle of life; and those who believe that a world in which money turns a tell-tale black when it is stolen or otherwise ill-gotten would be a better world to live in. I belong to the latter category. The beauty of Shitcoin is that both types of person could peacefully co-exist, and recognize one another for what they are at a glance whenever they chance to meet. If you want to freely receive and spend fully-fungible bitcoins, with no regard to where they've been, don't use Shitcoin. If you care about doing business with clean people who only ever do business with other clean people, then use it. But if you'd rather that neither Shitcoin nor anything like it exist at all, you've publicly revealed yourself as a scumbag, and provided a useful warning to your would-be victims - even if Shitcoin is never built - to avoid you like the plague.

Edit: The people who commented that a scheme like Shitcoin is unnecessary because one could instead use PGP-style trust identities are missing an important point. In a decentralized system like Bitcoin, identities are cheap. In fact, the only thing which isn’t arbitrarily cheap are the coins themselves. Which is why a reputation system where negative reaction from users threatens anything other than your coins themselves is mostly worthless. If you could literally bet your coins on your reputation, in a completely decentralized and mechanical way, you would be able to establish trust quickly, without having to present any meatspace credentials or giving your customers any hint of your legal identity whatsoever. In effect, a Shitcoin bond issuer would say: “If I were to defraud you, you could set my coins on fire.” (Or at least, “singe” them.)  And as far as I can see, Shitcoin or something quite like it is the only possible way to give defrauded parties in Bitcoin transactions some genuine "teeth" without compromising the decentralized nature of Bitcoin or tying users' reputations to their meatspace identities in any way.

[1] One could still spend a bitcoin which has one or more unexpired shitcoin bonds linked to it, but users of Shitcoin would be aware of the encumbrance when they consider receiving that particular coin in payment, and said coin would be considered less-valuable than an unencumbered one. Just how much less would naturally depend on the reputation of the bond issuer(s).

This entry was written by Stanislav , posted on Thursday October 11 2012 , filed under Bitcoin, Distractions, Idea, Mathematics, ModestProposal, NonLoper, Philosophy . Bookmark the permalink . Post a comment below or leave a trackback: Trackback URL.

24 Responses to “Shitcoin: a Modest Proposal.”

  • Santana says:

    I think that should be left up to the feedback of the individual broker sites?

    If not, why only do shitcoins? You might as well have shitcoins for negative "dirty" bitcoins and rosecoins for "good clean" ones

    • Stanislav says:

      Dear Santana,

      Identities are cheap, and most people at any given time will have relatively "young" ones. So the threat of having a bad rating attached to your identity is a mostly hollow one: most scammers will simply get new ones in rapid succession, the way spammers switch email addresses and IPs. You can indeed build a positive reputation, cultivating an identity, but this takes a long time. Bonds would allow a new user to establish trust very quickly. One could issue an arbitrary number of shitcoin bonds per bitcoin to establish proportionately-greater trust.

      I don't believe that "Rosecoins" would be useful, because anyone could attach an arbitrary amount of "rosiness" to a given bitcoin by issuing an ocean of rosecoins to shill addresses and then invoking them. Properly-implemented "rosiness" should instead be the absence of shitcoin "dirt."

      Naturally, if Shitcoin were to exist, exchanges would be built where one could trade a number of dirty bitcoins (or ones encumbered by unexpired bonds) for a smaller number of clean (and/or unencumbered) ones. This is all good and well: I never said that Shitcoin would eliminate fraud. But if enough users were to take it seriously, it would make fraud risky and expensive: having your bond called in would seriously hit you in the pocketbook, as your dirtied coins would be less desirable on the market.


  • picobit says:

    This is a really, really bad idea. Remember, you can only check your bitcoins after you receive them, and then it is too late.

    Imagine going to the ATM, and withdraw 200$. Too bad, 120 of them have traces of cocaine (or are black, as you mention above), and are therefore not accepted by honest merchants.

    In the bitcoin world: You buy a load of bitcoins on an exchange. Unfortunately, the guy selling them to the exchange got them from a guy who got them from a girl, who got them from a guy, who ... ... ... who was a scammer and had all his coins tainted. Tough luck! If such a system would become widespread, noone would dare use bitcoins as money.

    The problem you are attempting to address is very, very real, and badly need a solution. But taint is the obvious solution that has been discussed and rejected countless times.

    • Stanislav says:

      Dear picobit,

      > you can only check your bitcoins after you receive them

      This part isn't true. The one who offers you the coins could show them to you before you receive them. But if it were true, your objection would apply.

      Taint has not been implemented partly because no one - as far as I know - has suggested a simple way to implement it that doesn't change the protocol, but I suspect that it was mostly because so many people misguidedly want Bitcoin to behave exactly like paper money or gold. They fail to realize that effectively-implemented taint would ultimately benefit everyone other than scammers and thieves.


      • jurov says:

        If I understood the scheme correctly, it offers no protection against scams where scammer exchanges or spends the coins before the bond-holders manage to mark the coins as dirty. For example mining bonds - the bond issuer is expected to spend the coins immediately to buy hardware. In that case, the innocent third party ends up suddenly with dirty coins.

        • Stanislav says:

          Dear jurov,

          I'm afraid that you did not understand the scheme correctly. Bonds do not expire when a coin changes ownership. That would instantly break the system. And anyone, prior to agreeing to receive a coin, can see whether it is presently bonded. This would be implemented on top of current Bitcoin by maintaining a throw-away address as one's public address, and making a point of sending coins back if they are deemed unacceptable when receiving payments.

          When a Shitcoin bond is issued, the network records the fact that the bonded coins were in the scammer's possession at that particular time. Where they go next does not matter - for so long as the bonds have not expired, they can be invoked, regardless of who owns the coins at a later time. Thus coins with unexpired bonds linked to them must be seen as less-valuable, depending on the reputation of the bond issuer, until such time as the bonds expire. (In your example, the seller of the mining hardware would be reluctant to accept bonded coins in payment for his wares, unless his faith in the bond issuer is extremely strong.)

          Naturally, users of Shitcoin would have to behave somewhat differently than users of pure Bitcoin: since all coins would no longer be equally-valuable, it would be necessary to verify the Shitcoin status of a bitcoin before agreeing to receive it in payment for a good or service.

          There is no way that a non-bond-issuing Shitcoin user could end up with dirty coins involuntarily: one would never be forced to accept a dirty or bond-laden coin as payment for anything. If you choose to accept such a coin, it should be seen as a calculated risk on your part.


          • jurov says:

            Still I see big practical problems. When the seller of the hardware (or the exchange, if the hardware is, say, priced in USD) decides to accepts coins with unexpired bonds, they:
            1. must assess the risk (expensive)
            2. can't just throw the coins on the market but must somehow accurately communicate the risk to potential buyers (expensive), or combine multiple kinds of bonded coins into some financial instrument and sell that (like those mortgage-backed securities, we all so fondly remember).

            So IMHO it isn't workable and it's just simpler to raise unmarked coins for such a project.

            • Stanislav says:

              Dear jurov,

              > When the seller of the hardware (or the exchange, if the hardware is, say, priced in USD) decides to accepts coins with unexpired bonds

              - "Doctor, it hurts when I do that!"
              - "Don't do that."

              Number one is easy: everybody insists on receiving clean, unbonded coins when doing business with strangers. Everybody, perhaps, except for gamblers - and gambling is voluntary. Problem solved.

              Number two is a non-problem: there is no need for the dealer to communicate anything to buyers except for the identity of the offered coins. The buyers can shit-check them and decide to proceed with the transaction if they are clean and unencumbered, or return them and abort if they are not.

              The ability to spend coins that have active bonds linked to them should be seen as an optional frill (no analogue to it exists with meatspace bonds, which sit out of your reach for so long as they are valid.) If no one can ever find a buyer for coins with active bonds, Shitcoin remains useful (and perhaps even more so than if a market existed for encumbered coins!)


              • jurov says:

                Either I'm stupid or...
                1. Mining bonds issuer makes an agreement with bondholders to mark (a) some (b) all coins
                Case (a): He has now to find hardware seller that will accept the shitcoins - problem. Hardware vendors are not gamblers as you rightly say.
                Case (b): Mining bonds issuer takes the unmarked coins and uses them at leisure - problem. He'll just lose the marked part.

                I don't know, your reaction seems to me like "Then such transactions won't happen at all. Easy."

  • Josh says:

    That might be interesting if you have the ability or requirement to "release" J within a pre-agreed time period, but it can be marked as "good result" or "bad result" when added to the network. If you get no answer at all when it expires, the bond gets marked as invalid.

    • Stanislav says:

      Dear Josh,

      I addressed the "good result" case in reply to the past comment which suggested "rosecoins." This is a bad idea, because Bitcoin addresses can be generated in arbitrary quantities for shill accounts. A user could issue arbitrarily-many "positive" bonds on his own coins and invoke them, pumping some good karma out of thin air.

      In a decentralized system like Bitcoin, identities are cheap. In fact, the only thing which isn't arbitrarily cheap are the coins themselves. Which is why a reputation system where negative reaction from users threatens anything other than your coins themselves is mostly worthless. If you could literally bet your coins on your reputation, in a completely decentralized and mechanical way, you will be able to establish trust quickly, without having to present any meatspace credentials or giving your customers any hint of your legal identity whatsoever.

      In effect, a Shitcoin bond issuer would say: "If I were to defraud you, you could set my coins on fire." (Or at least, "singe" them.)


  • Sgeo says:

    How is the shitcoin network going to be maintained? My understanding is that the Bitcoin network is held together by financially motivated miners, but what's the motivation to do the same with the shitcoin network?

    • Stanislav says:

      Dear Sgeo,

      Shitcoin would be maintained by financially-motivated Bitcoin users. The motivation is to give every user, no matter how new to the game, a quick and easy means to "put his money where his mouth is" and establish a positive reputation by putting his coins on the line.

      In my first piece on Bitcoin, I suggested that, instead of building dumb knock-offs of meatspace institutions like banks, stock exchanges, etc. Bitcoin users should experiment with purely mechanical extensions to the protocol which enhance trust without introducing centralization or traditional legal institutions into the mix. Pure pseudonymous-reputation systems suffer from the problem of identities being cheap and hence easily discarded once disgraced, so you need something quite different.

      Unfortunately, it looks like most Bitcoin users want it to behave exactly like a teleporting version of physical gold. And so, I don't expect to see much interest in actually implementing Shitcoin. I proposed it mainly as a thought experiment.


  • pletzalcoatl says:

    or by allowing those whose trust he is trying to win -- the bond-holders -- to collectively specify the least-significant digits of the total amount.

    This is incidentally exaclty how MPOE bonds work currently (.xxxxx888 BTC) and how option trade worked on the old MPOE page (.xxxxx999 BTC).

    • Stanislav says:

      Dear pletzalcoatl,

      > This is incidentally exaclty how MPOE bonds work currently (.xxxxx888 BTC) and how option trade worked on the old MPOE page (.xxxxx999 BTC).

      Not being familiar with MPOE, I would ask: is the latter a decentralized system, which, like Bitcoin itself, would continue to work even if all of its original authors were to be rounded up and shot by their local tyrants? Can it be used, like Bitcoin itself, without having to trust anyone other than the Byzantine majority of its users? Or is it simply a web site where users must rely on the continued honesty of a few people and the continued indifference of governments to Bitcoin?


  • [...] is old news by now, but Stanislav has <a href=”″>suggested</a&gt; a method by which Bitcoin users could track whether Bitcoins were stolen or otherwise [...]

  • Pepe says:

    I have a better idea: Let's force the earliest coins to enter the market. Someone who is more knowledgable can come up with a cut off time, but let's say never used coins in the first 18 months has to enter the market in a month, or they would be worthless (shitcoined).

    Why is it good? Well, we want BTC to be a currency and not an investment tool. The first few million bitcoins were way too easily mined, and if the early adopters goal was usage, why haven't they been used??? I wouldn't cancel them right away, but give them a little time (let's say a month) to be used and if the owner haven't used it, it might have been lost anyway.

    Now if so many extra coins enter the market rather suddenly, that would help with price discovery, probably push down the price so new comers could get into the game. If bitcoin has a future, it should recover anyway, so a temporary dip back to 2 digits value wouldn't matter.

    Bottomline is, the coins needs to be used, at least a large % of them and not to be horded...

    • Stanislav says:

      Dear Pepe,

      The ease of "selling" the hoard to the hoarders' own shills makes this a rather pointless exercise.

      "Bitcoin-P" is merely a thought experiment. If you were to spend some time interacting with serious Bitcoin users, you would learn that the idea is a total non-starter. Right now, what is the added value of a BTC-P coin over an ordinary one of unknown provenance, or of a BTC-P exchange over a standard exchange? Nothing. After the (hypothetical, future) Great Satoshi Flood? Everything. But Bitcoin users (or humans in general) aren't exactly known for long-term thinking. They will wait for the crash and exit stampede, and then proceed to cry about devious Ponzi operators - purely in retrospect.

      "Wisdom is getting on the train one day before everybody else."


      • richard k says:

        (shrug) People want to polish the turd that is Bitcoin because they don't want to acknowledge that it's a pile of crap. Hell, even you succumb to that temptation.

        Bitcoin was always a ponzi scheme, something that can be proven without thinking about the specifics of the protocol, let alone analyzing them in detail! A ponzi scheme is an investment vehicle backed by absolutely nothing other than the participants' willingness to buy it.

        Bitcoin markets itself as a currency but any economist will tell you it isn't a currency but an investment vehicle. Why? Because the purpose of a currency is TO BE USED. In order to provide a structural incentive to be used, a currency must be either negative-interest or deflationary with respect to the economy it's a currency of. Bitcoin is *inflationary* in structure therefore it isn't a currency but a store of value, an investment vehicle.

        That's why all these people who've been defrauded by the false marketing of Bitcoin as a currency are whining about hoarders. They're whining about people who aren't acting like Bitcoin is a currency. They're whining because they're having the truth shoved in their faces and their faces painfully rubbed into it. And instead of accepting reality as it is, instead of accepting the truth they've been defrauded by a ponzi scheme, they want to "fix" it.

        But there is no fixing it, and YOU do nothing to fix it either because you *don't address the problem*. Or even recognize it at all frankly. Bitcoin's being an investment vehicle vs currency is hardcoded into the software.

        How much time and thought and effort have you wasted thinking about how to "fix" Bitcoin, Stan? And meanwhile, you're still not addressing Pepe's central point: that Bitcoin was marketed as a currency and its users expect and want it to be a currency. But it isn't. None of your proposals would convert it to a currency either. Rather, you dismiss people who condemn hoarders ... because you just don't get the point. Of what a currency even is.

        Stupid people are the bane of my existence, Stan. But you're smart, and that makes it so much more unforgivable for you to be this stupid around Bitcoin.

        I could wax eloquent about temporal equity. Currencies are means of exchange but is this purely in space or in time as well? It can work either way but one way needs a lot more of the currency and is unstable. Or how the use-value of currencies (people's willingness to accept it) makes them a commodity in a sense and all commodities must depreciate over time. But it would all be wasted because you don't grasp something so simple, obvious and trivial as /Bitcoin isn't even a currency/.

  • Joe says:

    I like this proposal, I was discussing it with a few developers of an alt-coin and I was discussing how to make an incentive for running a full trusted tracking node (a node to track the "blood stain on the coin") versus just a client node.
    There's a lot of good ideas to sift through and maybe some time you would like to discuss the idea. I imagine it could be implemented to work on any coin as a way to do cross chain validation. I would be glad to listen to what you have to say.
    I'm interested in creating a proof of concept of this idea and then expanding it further as I envision it being able to work. (i.e. after a number of "good transactions" a seller could feel comfortable accepting a 0 confirm transaction)


    • Stanislav says:

      Dear Joe,

      The concept is simple in the extreme. Everything you need is described in this post. Or you could implement Shitcoin in some entirely different way.

      The one aspect that should not be neglected is decentralization. My plan (which, unfortunately, I lack the free time to put into action) was to store the Shitcoin data in the Bitcoin blockchain proper, as ordinary-looking microscopic transactions. If you do this, you will not need to modify the core of the classical "bitcoind" (or your favourite altcoin equivalent) at all. Both reading and writing Shitcoin data would be accomplished through ordinary transaction commands. And non-participating users would still end up relaying the necessary bits, whether they like it or not.


  • wingus says:

    Hi Stanislav,

    Shitcoins are intriguing, but I'm confused about an aspect of the system you're proposing. You write:

    When this happens, the bitcoin is to be considered, for all time, “dirtier by one shitcoin.”

    But as I understand it, bitcoins aren't distinguishable (that is, they don't have a serial number or the like); they're just a balance associated with a wallet. Once the amount of bitcoin associated with J has moved through a wallet or two (either by happenstance, or due to tumbling/mixing/whatever we're calling it these days), how do you know where it's gone? Is doing so a question of so-called tainting, where the taint will be diluted as the coins move from wallet to wallet, or is there something to shitcoining I'm not seeing?

    • Stanislav says:

      Dear wingus,

      If Shitcoin were implemented, it would clearly have to function on the "spoon of shit in a barrel of honey" principle. Those who opt in (see article) would have to deliberately avoid unintended mixing.


  • [...] Such a method is not currently part of any cryptocurrency, but a framework for such a method has been created. The idea is to add a function, either to the Bitcoin protocol or as an external supplement, that [...]

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre lang="" line="" escaped="" highlight="">

MANDATORY: Please prove that you are human:

62 xor 70 = ?

What is the serial baud rate of the FG device ?

Answer the riddle correctly before clicking "Submit", or comment will NOT appear! Not in moderation queue, NOWHERE!