Shitcoin: a Modest Proposal.
This post is of interest only to those who study Bitcoin. If you have never heard of Bitcoin, read my previous post on the subject.
Shitcoin is to be a distributed network for attaching “dirt” to particular bitcoins when certain conditions are met, in a manner which allows Bitcoin users to post bonds in order to establish trustworthiness. Unlike a conventional bond, these bitcoins could be spent at a later time, without voiding said bond. [1]
A Bitcoin user intent on “putting his money where his mouth is” could post a bond in the following way. He would start by creating a fresh Bitcoin address, publishing it, and transferring a certain number of bitcoins to it. He will prove that he is the particular user who did so by carrying out the transfer in a sequence of amounts announced in advance, or by allowing those whose trust he is trying to win – the bond-holders – to collectively specify the least-significant digits of the total amount. At any rate, he will have proven that he, at that time, was possession of a certain number of bitcoins, and proclaimed just which coins they were. The next step is to generate a certain number of shitcoins. A shitcoin consists of two numbers: J, which is randomly-generated and reasonably-long, and K, which is a cryptographic hash of the concatenation of the bitcoin value and of J. A J is given to a bond-holder, who keeps it secret, while K is posted to the Shitcoin distributed hash table network, along with a time stamp (secured through hash chaining, in exactly the same way as ordinary Bitcoin transaction records.)
If, at some future time, a bond-holder is dissatisfied with his relationship with the bond-issuer, he can invoke his shitcoin(s) by publishing his J on the network. When this happens, the bitcoin is to be considered, for all time, “dirtier by one shitcoin.” Anyone with access to the Shitcoin network can verify that a given J is genuine simply by hashing it with the bitcoin value in question to produce the previously-published K. At any later time, anyone can query the network and determine just how “dirty” any given bitcoin is, by counting the number of published valid J-K pairs. Given this fact, users could choose to distrust any bond issuer who posts excessively-dirty bitcoins as a bond.
Just how dirty is “too dirty” would be a matter for individual would-be bond-holders to decide for themselves. A certain amount of dirt may be seen as acceptable, as there will always be bond-holders who are angry at the bond-issuer for a less-than-legitimate reason and choose to maliciously invoke their shitcoins. Naturally, any user who would like to verify the dirtiness of a particular bitcoin will use a Shitcoin network client which verifies that the coin in question was actually held by the bond-issuer at the time K was originally posted.
Additionally, a bond-issuer who wishes to emphasize his honesty may choose to issue multiple shitcoins to each bond-holder, giving him a proportionately-greater power to damage his reputation should he decide to do so.
One possible variant of Shitcoin would allow bond-issuers to attach expiration times to the K values they publish, proclaiming that any J value posted after that time should be ignored by those interested in the history of the particular bitcoin to which K is linked. Users of the Shitcoin network may choose to respect these declarations, or they may not, as it suits them.
The beauty of this scheme is that it requires no modification to the Bitcoin protocol itself, and could exist independently of and in parallel with the existing Bitcoin network. Those who wish to post Shitcoin bonds could do so, and those who care about the dirtiness of a particular bitcoin could query the network, without any cooperation whatsoever from those Bitcoin users who think little of Shitcoin and choose to do neither.
One potential problem with the scheme is that innocent receivers of bonded bitcoins would suffer if the shitcoins attached to said bitcoins are invoked at a later time. The obvious countermeasure is for would-be receivers of a particular bitcoin to check (using automated means, of course) whether an unexpired Shitcoin bond is attached to these coins at the particular time they are about to receive them.
If Shitcoin were to become popular, any dealing with Bitcoin users known to be disreputable – and, by extension, dealing with those who choose to deal with them – would be heavily disincentivized. And this would happen if even only a substantial minority of Bitcoin users chose to use Shitcoin.
Edit: One bit of criticism I got after posting this is that Shitcoin would make bitcoins less fungible. Well yes, that’s the whole point! It appears that there exist two kinds of people: ones who believe that theft and fraud should be thought of as parts of the great circle of life; and those who believe that a world in which money turns a tell-tale black when it is stolen or otherwise ill-gotten would be a better world to live in. I belong to the latter category. The beauty of Shitcoin is that both types of person could peacefully co-exist, and recognize one another for what they are at a glance whenever they chance to meet. If you want to freely receive and spend fully-fungible bitcoins, with no regard to where they’ve been, don’t use Shitcoin. If you care about doing business with clean people who only ever do business with other clean people, then use it. But if you’d rather that neither Shitcoin nor anything like it exist at all, you’ve publicly revealed yourself as a scumbag, and provided a useful warning to your would-be victims – even if Shitcoin is never built – to avoid you like the plague.
Edit: The people who commented that a scheme like Shitcoin is unnecessary because one could instead use PGP-style trust identities are missing an important point. In a decentralized system like Bitcoin, identities are cheap. In fact, the only thing which isn’t arbitrarily cheap are the coins themselves. Which is why a reputation system where negative reaction from users threatens anything other than your coins themselves is mostly worthless. If you could literally bet your coins on your reputation, in a completely decentralized and mechanical way, you would be able to establish trust quickly, without having to present any meatspace credentials or giving your customers any hint of your legal identity whatsoever. In effect, a Shitcoin bond issuer would say: “If I were to defraud you, you could set my coins on fire.” (Or at least, “singe” them.) And as far as I can see, Shitcoin or something quite like it is the only possible way to give defrauded parties in Bitcoin transactions some genuine “teeth” without compromising the decentralized nature of Bitcoin or tying users’ reputations to their meatspace identities in any way.
[1] One could still spend a bitcoin which has one or more unexpired shitcoin bonds linked to it, but users of Shitcoin would be aware of the encumbrance when they consider receiving that particular coin in payment, and said coin would be considered less-valuable than an unencumbered one. Just how much less would naturally depend on the reputation of the bond issuer(s).
I think that should be left up to the feedback of the individual broker sites?
If not, why only do shitcoins? You might as well have shitcoins for negative “dirty” bitcoins and rosecoins for “good clean” ones
Dear Santana,
Identities are cheap, and most people at any given time will have relatively “young” ones. So the threat of having a bad rating attached to your identity is a mostly hollow one: most scammers will simply get new ones in rapid succession, the way spammers switch email addresses and IPs. You can indeed build a positive reputation, cultivating an identity, but this takes a long time. Bonds would allow a new user to establish trust very quickly. One could issue an arbitrary number of shitcoin bonds per bitcoin to establish proportionately-greater trust.
I don’t believe that “Rosecoins” would be useful, because anyone could attach an arbitrary amount of “rosiness” to a given bitcoin by issuing an ocean of rosecoins to shill addresses and then invoking them. Properly-implemented “rosiness” should instead be the absence of shitcoin “dirt.”
Naturally, if Shitcoin were to exist, exchanges would be built where one could trade a number of dirty bitcoins (or ones encumbered by unexpired bonds) for a smaller number of clean (and/or unencumbered) ones. This is all good and well: I never said that Shitcoin would eliminate fraud. But if enough users were to take it seriously, it would make fraud risky and expensive: having your bond called in would seriously hit you in the pocketbook, as your dirtied coins would be less desirable on the market.
Yours,
-Stanislav
This is a really, really bad idea. Remember, you can only check your bitcoins after you receive them, and then it is too late.
Imagine going to the ATM, and withdraw 200$. Too bad, 120 of them have traces of cocaine (or are black, as you mention above), and are therefore not accepted by honest merchants.
In the bitcoin world: You buy a load of bitcoins on an exchange. Unfortunately, the guy selling them to the exchange got them from a guy who got them from a girl, who got them from a guy, who … … … who was a scammer and had all his coins tainted. Tough luck! If such a system would become widespread, noone would dare use bitcoins as money.
The problem you are attempting to address is very, very real, and badly need a solution. But taint is the obvious solution that has been discussed and rejected countless times.
Dear picobit,
> you can only check your bitcoins after you receive them
This part isn’t true. The one who offers you the coins could show them to you before you receive them. But if it were true, your objection would apply.
Taint has not been implemented partly because no one – as far as I know – has suggested a simple way to implement it that doesn’t change the protocol, but I suspect that it was mostly because so many people misguidedly want Bitcoin to behave exactly like paper money or gold. They fail to realize that effectively-implemented taint would ultimately benefit everyone other than scammers and thieves.
Yours,
-Stanislav
If I understood the scheme correctly, it offers no protection against scams where scammer exchanges or spends the coins before the bond-holders manage to mark the coins as dirty. For example mining bonds – the bond issuer is expected to spend the coins immediately to buy hardware. In that case, the innocent third party ends up suddenly with dirty coins.
Dear jurov,
I’m afraid that you did not understand the scheme correctly. Bonds do not expire when a coin changes ownership. That would instantly break the system. And anyone, prior to agreeing to receive a coin, can see whether it is presently bonded. This would be implemented on top of current Bitcoin by maintaining a throw-away address as one’s public address, and making a point of sending coins back if they are deemed unacceptable when receiving payments.
When a Shitcoin bond is issued, the network records the fact that the bonded coins were in the scammer’s possession at that particular time. Where they go next does not matter – for so long as the bonds have not expired, they can be invoked, regardless of who owns the coins at a later time. Thus coins with unexpired bonds linked to them must be seen as less-valuable, depending on the reputation of the bond issuer, until such time as the bonds expire. (In your example, the seller of the mining hardware would be reluctant to accept bonded coins in payment for his wares, unless his faith in the bond issuer is extremely strong.)
Naturally, users of Shitcoin would have to behave somewhat differently than users of pure Bitcoin: since all coins would no longer be equally-valuable, it would be necessary to verify the Shitcoin status of a bitcoin before agreeing to receive it in payment for a good or service.
There is no way that a non-bond-issuing Shitcoin user could end up with dirty coins involuntarily: one would never be forced to accept a dirty or bond-laden coin as payment for anything. If you choose to accept such a coin, it should be seen as a calculated risk on your part.
Yours,
-Stanislav
Still I see big practical problems. When the seller of the hardware (or the exchange, if the hardware is, say, priced in USD) decides to accepts coins with unexpired bonds, they:
1. must assess the risk (expensive)
2. can’t just throw the coins on the market but must somehow accurately communicate the risk to potential buyers (expensive), or combine multiple kinds of bonded coins into some financial instrument and sell that (like those mortgage-backed securities, we all so fondly remember).
So IMHO it isn’t workable and it’s just simpler to raise unmarked coins for such a project.
Dear jurov,
> When the seller of the hardware (or the exchange, if the hardware is, say, priced in USD) decides to accepts coins with unexpired bonds
- “Doctor, it hurts when I do that!”
- “Don’t do that.”
Number one is easy: everybody insists on receiving clean, unbonded coins when doing business with strangers. Everybody, perhaps, except for gamblers – and gambling is voluntary. Problem solved.
Number two is a non-problem: there is no need for the dealer to communicate anything to buyers except for the identity of the offered coins. The buyers can shit-check them and decide to proceed with the transaction if they are clean and unencumbered, or return them and abort if they are not.
The ability to spend coins that have active bonds linked to them should be seen as an optional frill (no analogue to it exists with meatspace bonds, which sit out of your reach for so long as they are valid.) If no one can ever find a buyer for coins with active bonds, Shitcoin remains useful (and perhaps even more so than if a market existed for encumbered coins!)
Yours,
-Stanislav
Either I’m stupid or…
1. Mining bonds issuer makes an agreement with bondholders to mark (a) some (b) all coins
Case (a): He has now to find hardware seller that will accept the shitcoins – problem. Hardware vendors are not gamblers as you rightly say.
Case (b): Mining bonds issuer takes the unmarked coins and uses them at leisure – problem. He’ll just lose the marked part.
I don’t know, your reaction seems to me like “Then such transactions won’t happen at all. Easy.”
That might be interesting if you have the ability or requirement to “release” J within a pre-agreed time period, but it can be marked as “good result” or “bad result” when added to the network. If you get no answer at all when it expires, the bond gets marked as invalid.
Dear Josh,
I addressed the “good result” case in reply to the past comment which suggested “rosecoins.” This is a bad idea, because Bitcoin addresses can be generated in arbitrary quantities for shill accounts. A user could issue arbitrarily-many “positive” bonds on his own coins and invoke them, pumping some good karma out of thin air.
In a decentralized system like Bitcoin, identities are cheap. In fact, the only thing which isn’t arbitrarily cheap are the coins themselves. Which is why a reputation system where negative reaction from users threatens anything other than your coins themselves is mostly worthless. If you could literally bet your coins on your reputation, in a completely decentralized and mechanical way, you will be able to establish trust quickly, without having to present any meatspace credentials or giving your customers any hint of your legal identity whatsoever.
In effect, a Shitcoin bond issuer would say: “If I were to defraud you, you could set my coins on fire.” (Or at least, “singe” them.)
Yours,
-Stanislav
How is the shitcoin network going to be maintained? My understanding is that the Bitcoin network is held together by financially motivated miners, but what’s the motivation to do the same with the shitcoin network?
Dear Sgeo,
Shitcoin would be maintained by financially-motivated Bitcoin users. The motivation is to give every user, no matter how new to the game, a quick and easy means to “put his money where his mouth is” and establish a positive reputation by putting his coins on the line.
In my first piece on Bitcoin, I suggested that, instead of building dumb knock-offs of meatspace institutions like banks, stock exchanges, etc. Bitcoin users should experiment with purely mechanical extensions to the protocol which enhance trust without introducing centralization or traditional legal institutions into the mix. Pure pseudonymous-reputation systems suffer from the problem of identities being cheap and hence easily discarded once disgraced, so you need something quite different.
Unfortunately, it looks like most Bitcoin users want it to behave exactly like a teleporting version of physical gold. And so, I don’t expect to see much interest in actually implementing Shitcoin. I proposed it mainly as a thought experiment.
Yours,
-Stanislav
This is incidentally exaclty how MPOE bonds work currently (.xxxxx888 BTC) and how option trade worked on the old MPOE page (.xxxxx999 BTC).
Dear pletzalcoatl,
> This is incidentally exaclty how MPOE bonds work currently (.xxxxx888 BTC) and how option trade worked on the old MPOE page (.xxxxx999 BTC).
Not being familiar with MPOE, I would ask: is the latter a decentralized system, which, like Bitcoin itself, would continue to work even if all of its original authors were to be rounded up and shot by their local tyrants? Can it be used, like Bitcoin itself, without having to trust anyone other than the Byzantine majority of its users? Or is it simply a web site where users must rely on the continued honesty of a few people and the continued indifference of governments to Bitcoin?
Yours,
-Stanislav
[...] is old news by now, but Stanislav has <a href=”http://www.loper-os.org/?p=988″>suggested</a> a method by which Bitcoin users could track whether Bitcoins were stolen or otherwise [...]
I have a better idea: Let’s force the earliest coins to enter the market. Someone who is more knowledgable can come up with a cut off time, but let’s say never used coins in the first 18 months has to enter the market in a month, or they would be worthless (shitcoined).
Why is it good? Well, we want BTC to be a currency and not an investment tool. The first few million bitcoins were way too easily mined, and if the early adopters goal was usage, why haven’t they been used??? I wouldn’t cancel them right away, but give them a little time (let’s say a month) to be used and if the owner haven’t used it, it might have been lost anyway.
Now if so many extra coins enter the market rather suddenly, that would help with price discovery, probably push down the price so new comers could get into the game. If bitcoin has a future, it should recover anyway, so a temporary dip back to 2 digits value wouldn’t matter.
Bottomline is, the coins needs to be used, at least a large % of them and not to be horded…
Dear Pepe,
The ease of “selling” the hoard to the hoarders’ own shills makes this a rather pointless exercise.
“Bitcoin-P” is merely a thought experiment. If you were to spend some time interacting with serious Bitcoin users, you would learn that the idea is a total non-starter. Right now, what is the added value of a BTC-P coin over an ordinary one of unknown provenance, or of a BTC-P exchange over a standard exchange? Nothing. After the (hypothetical, future) Great Satoshi Flood? Everything. But Bitcoin users (or humans in general) aren’t exactly known for long-term thinking. They will wait for the crash and exit stampede, and then proceed to cry about devious Ponzi operators – purely in retrospect.
“Wisdom is getting on the train one day before everybody else.”
Yours,
-Stanislav