One luminary clock against the sky
Proclaimed the time was neither wrong nor right.
Robert Frost, Acquainted with the Night (1928)
Time is still the great mystery to us. It is no more than a concept; we don’t know if it even exists…
Clifford D. Simak, Shakespeare’s Planet (1976)
Time is money, or so the saying goes. It follows that money is also time: a representation of the collective economic energy stored by humanity. However, the link between time and money is more intricate than it might seem at first. If money requires no time to create, it doesn’t work as money very well, or not for long. More profoundly, as we shall see, keeping track of things in the informational realm always implies keeping track of time.
As soon as money goes digital, we have to agree on a definition of time, and herein lies the whole problem. You might think telling the time is as easy as glancing at whatever clock is nearby, and you would be right when it comes to everyday tasks. But when it comes to synchronizing the state of a global, adversarial, distributed network, telling the time becomes an almost intractable problem. How do you tell the time if clocks can’t be trusted? How do you create the concept of a singular time if your system spans the galaxy? How do you measure time in a timeless realm? And what is time anyway?
To answer these questions, we will have to take a closer look at the concept of time itself and how Bitcoin makes up its own time: block time — more commonly known as block height. We will explore why the problem of timekeeping is intimately related to keeping records, why there is no absolute time in a decentralized system, and how Bitcoin uses causality and unpredictability to build its own sense of now.
Timekeeping devices have transformed civilizations more than once. As Lewis Mumford pointed out in 1934: “The clock, not the steam-engine, is the key-machine of the modern industrial age.” Today, it is again a timekeeping device that is transforming our civilization: a clock, not computers, is the true key-machine of the modern informational age. And this clock is Bitcoin.
Keeping Track of Things
Let the child learn to count things, thus getting the notion of number. These things are, for the purpose of counting, considered alike, and they may be single objects or groups.
David Eugene Smith, The Teaching of Elementary Mathematics (1900)
Very broadly speaking, there are two ways to keep track of things: physical tokens and ledgers. You can either use real-world artifacts directly, e.g., give someone a sea shell, a coin, or some other tangible thing, or you can replicate the state of the world by writing down what happened on a piece of paper.
Imagine you are a shepherd and want to make sure that your whole flock returned home. You can put a collar on each sheep, and as soon as a sheep returns home, you simply remove the collar and hang it up in your shed. If you have one hanger for every collar, you will know that every sheep returned safely as soon as all hangers are filled. Of course, you can also count them and keep a list. However, you will have to make sure to create a new list every time you start counting, and you will also have to make sure not to count a single sheep twice (or not at all).
Money is essentially a tool to keep track of who owes what to whom. Broadly speaking, everything we have used as money up to now falls into two categories: physical artifacts and informational lists. Or, to use more common parlance: tokens and ledgers.
It is important to realize the inherent difference of these categories, so let me point it out explicitly: The first method — a physical token — directly represents the state of things. The second one — a ledger — indirectly reflects the state of things. Each comes with advantages and disadvantages. For example, tokens are physical and distributed; ledgers are informational and centralized. Tokens are inherently trustless; ledgers are not.
In the digital realm — no matter how intensely marketing gurus try to convince you of the opposite — we can only use ledgers. It is an informational realm, not a physical one. Even if you call a certain kind of information a “token,” it is still a malleable piece of information, written down on a hard drive or some other medium that can hold information, effectively rendering it an informational record.
The ledger-like nature of all digital information is the root cause of the double-spend problem. Information never represents the state of the world directly. Further, the movement of information implies copying. Information exists in one place, and to “move” it, you have to copy it to another place and erase it at its origin. This problem doesn’t exist in the physical realm. In the physical realm, we can actually move things from A to B. The informational realm doesn’t have this property. If you want to “move” information from list A to list B, you have to copy it from A to B. There is no other way.
Another way to think about it is in terms of uniqueness. Physical tokens are unique composites of atoms whose assembly is not easily replicable. Pure information does not have this property. If you can read the information, you can also copy it perfectly. Practically speaking, it follows that physical tokens are unique, and digital tokens are not. I would even argue that “digital token” is a misnomer. A token might represent secret information, but it will never represent unique, singular, uncopyable information.
This difference in properties shows that there really is no way to “hand over” information. It is impossible to pass on a digital token like you would pass on a physical one since you can never be sure if the original owner destroyed the information on his end. Digital tokens, like all information, can only be spread, like an idea.
… if you have an apple and I have an apple, and we swap apples — we each end up with only one apple. But if you and I have an idea and we swap ideas — we each end up with two ideas.
Charles F. Brannan (1949)
Physical tokens — what we call physical bearer assets, or “cash” — are free from this dilemma. In the real world, if you hand me a coin, your coin is gone. There is no magical duplication of the coin, and the only way to give it to me is to physically hand it over. The laws of physics do not allow you to double-spend it.
While double-spending does exist in the non-digital realm — George Parker, a con artist who famously “double-spent” the Brooklyn Bridge and other landmarks comes to mind — it requires elaborate deception and gullible buyers. Not so in the digital realm.
In the digital realm, because we are always dealing with information, double-spending is an inherent problem. As everyone who ever copied a file or used copy-and-paste knows, information is something that you can copy perfectly, and it is not bound to the medium that hosts it. If you have a digital photograph, for example, you can copy it a million times, store some copies on a USB stick, and send it to thousands of different people. Perfect copies are possible because information allows for flawless error correction, which eliminates degradation. And to top things off, there is virtually no cost to duplication and no way to tell what the original was.
Again: when it comes to information, copying is all there is. There simply is no way to move digital information from A to B. Information is always copied from A to B, and if the copying process was successful, the original copy of A is deleted. This is why the double-spending problem is so tricky. Absent of a central authority, there is no way to move anything from A to B in a trustless manner. You always have to trust that the original will be deleted. A natural side-effect is that, when it comes to digital information, it is impossible to tell how many copies are in existence and where these copies might be.
Because of this, using digital “tokens” as money can not and will never work. Since tokens derive their reliability from being hard to reproduce as a result of their unique physical construction, this advantage disappears in the digital realm. In the digital realm, tokens cannot be trusted. As a result of the nature of information’s intrinsic properties, the only viable format for digital money is not a token but a ledger — which brings us to the problem of time.
Tokens Are Timeless, Ledgers Are Not
For the things seen are temporary, but the things unseen are everlasting.
Paul of Tarsus, Corinthians 4:18b
When it comes to physical tokens, the time of a transaction does not matter. You either have the coins in your pocket, or you don’t; you can either spend them, or you can’t. The simple act of possession is the only prerequisite for spending. The laws of nature take care of the rest. In that sense, physical tokens are trustless and timeless.
When it comes to ledgers, physical possession falls to the wayside. Whoever is in control of the ledger needs to make sure that things are in order. What is otherwise given by physical laws, namely that you can’t spend money that you don’t have and you can’t spend money that you have already spent previously, has to be enforced by man-made rules. It is these rules that govern the orderly operation and maintenance of a ledger, not physical laws.
Moving from physical laws to man-made rules is the crux of the matter. Man-made rules can be bent and broken, physical laws not so much. For example, you can’t simply “make up” a physical gold coin. You have to dig it out of the ground. You can, however, absolutely make up a gold coin on paper. To do this, you simply add an entry to the ledger and give yourself a couple of coins. Or, in the case of central banks, simply add a couple trillion with a few computer keystrokes. (Fancy financial people call this “Rehypothecation,” “Fractional Reserve Banking,” or “Quantitative Easing” — but don’t be fooled, it’s all the same: making up money.)
To keep ledgers and those who manipulate them honest, regular, independent audits are required. The ability to account for every single entry in a ledger is not a luxury. Auditors need to be able to go over the books — backward in time — to keep ledgers honest and functioning. Without reliable timestamps, verifying the internal consistency of a ledger is impossible. A mechanism to establish an unambiguous order is essential.
Without an absolute sense of time, there is no way to have a defined order of transaction. And without a defined order of transactions, the rules of a ledger can not be followed. How else can you make sure how much money you actually have? How else can you make sure that things are in order?
The distinction between tokens and ledgers highlights the necessity for keeping track of time. In the physical realm, coins are timeless artifacts that can be exchanged without oversight. In the digital realm, coinstamping requires timestamping.
Time: a great engraver, or eraser.
Yahia Lababidi (b. 1973)
The common way to solve the double-spending problem — the problem of making sure that a digital transfer only happens once — is to have a central list of transactions. Once you have a central list of transactions, you have a single ledger that can act as the sole source of truth. Solving the double-spending problem is as easy as going through the list and making sure that everything adds up correctly. This is how PayPal, Venmo, Alipay, and all the banks of this world — including central banks — solve the double-spending problem: via central authority.
The problem of course is the payee can’t verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double-spending. […] The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.
Satoshi Nakamoto (2009)
It is worth pointing out that Satoshi didn’t manage to make information non-copyable. Every part of bitcoin — its source code, the ledger, your private key — can be copied. All of it can be duplicated and tampered with. However, Satoshi managed to build a system that makes rule-breaking copies completely and utterly useless. The Bitcoin network performs an intricate dance to decide which copies are useful and which aren’t, and it is this dance that brings scarcity into the digital realm. And like with every dance, a temporal measuring stick is required to dictate the rhythm.
Even a centralized ledger can only solve the double-spending problem if it has a consistent way to keep track of time. You always need to know who gave how much to whom and, most importantly: when. In the realm of information, there is no coin-stamping without time-stamping.
It must be stressed that the impossibility of associating events with points in time in distributed systems was the unsolved problem that precluded a decentralized ledger from ever being possible until Satoshi Nakamoto invented a solution.
Gregory Trubetskoy (2018)
Time brings all things to pass.
Aeschylus (525 BC – 456 BC)
Time and order have a very intimate relationship. As Leslie Lamport pointed out in his 1978 paper Time, Clocks, and the Ordering of Events in a Distributed System: “The concept of time is fundamental to our way of thinking. It is derived from the more basic concept of the order in which events occur.” Absent a central point of coordination, seemingly intuitive notions of “before,” “after,” and “simultaneously” break down. In the words of Lamport: “the concept of ‘happening before’ defines an invariant partial ordering of the events in a distributed multiprocess system.”
Phrased differently: Who should be in charge of time if putting someone in charge is not allowed? How can you have a reliable clock if there is no central frame of reference?
You might think that solving this problem is easy because everyone could just use their own clock. This only works if everyone’s clock is accurate, and, more importantly, everyone plays nice. In an adversarial system, relying on individual clocks would be a disaster. And, because of relativity, it does not work consistently across space.
As a thought experiment, imagine how you could cheat the system if everyone was in charge of keeping the time for themselves. You could pretend that the transaction you’re sending now is actually from yesterday — it just got delayed for some reason — thus, you would still have all the money that you’ve spent today. Because of the asynchronous communication that is inherent in every decentralized system, this scenario is more than a theoretical thought experiment. Messages do indeed get delayed, timestamps are inaccurate, and thanks to relativistic effects and the natural speed limit of our universe, it is anything but easy to tell apart the order of things absent of a central authority or observer.
Who’s there? Knock knock.
An Asynchronous Joke
To better illustrate the impossibility of the problem, let’s look at a concrete example. Imagine that you and your business partner both have access to your company bank account. You do business all over the world, so your bank account is in Switzerland, you are in New York, and your business partner is in Sydney. For you, it is January 3^rd^, and you are enjoying a beautiful Sunday evening at your hotel. For her, it’s Monday morning already, so she decides to buy breakfast using the debit card of your shared bank account. The cost is $27. The available balance is $615. The local time is 8:21 am.
At the same time, you are about to pay for your stay with another debit card linked to the same bank account. The cost is $599. The available balance is $615. The local time is 5:21 pm.
So it comes to be that — at exactly the same moment — you both swipe the card. What happens? (Dear physicists, please excuse my use of “the same moment” — we will ignore relativistic effects and the fact that there is no absolute time in our universe for now. We will also ignore that the concept of synchronous events doesn’t really exist. Bitcoin is complicated enough as it is!)
The central ledger at your bank will probably receive one transaction before the other one, so one of you will be lucky, the other not so much. If the transactions happen to arrive in the same tick — let’s say in the same millisecond — the bank would have to decide who gets to spend the money.
Now, what would happen if there was no bank? Who decides who was the first one to swipe? What if it wasn’t only you two, but hundreds or even thousands of people coordinating? What if you didn’t trust those people? What if some of those people are trying to cheat, e.g., by setting their clocks back so that it looks like they spent the money a couple of minutes earlier?
A time-related tool [is] needed to establish a canonical ordering and to enforce a unique history in the absence of any central coordinator.
Giacomo Zucco, Discovering Bitcoin (2019)
This problem is precisely why all previous attempts of digital cash required a centralized registry. You always had to trust someone to correctly identify the order of things. A centralized party was required to keep the time.
Bitcoin solves this problem by re-inventing time itself. It says no to seconds and yes to blocks.
Keeping the Time, One Block at a Time
Time’s glory is to calm contending kings,
To unmask falsehood and bring truth to light,
To stamp the seal of time in aged things,
To wake the morn and sentinel the night,
To wrong the wronger till he render right;
William Shakespeare, The Rape of Lucrece (1594)
All clocks rely on periodic processes, something that we might call a “tick.” The familiar tick-tock of a grandfather’s clock is, in essence, the same as the molecular-atomic buzzing of our modern Quartz and Caesium clocks. Something swings — or oscillates — and we simply count these swings until it adds up to a minute or a second.
For large pendulum clocks, these swings are long and easy to see. For smaller and more specialized clocks, special equipment is required. The frequency of a clock — how often it ticks — depends on its use-case.
Most clocks have a fixed frequency. After all, we want to know the time precisely. There are, however, clocks that have a variable frequency. A metronome, for example, has a variable frequency that you can set before you make it tick. While a metronome keeps its pace constant once it is set, Bitcoin’s time varies for each tick because its internal mechanism is probabilistic. The purpose, however, is all the same: keep the music alive, so the dance can continue.
|Grandfather’s clock||~0.5 Hz|
|Metronome||~0.67 Hz to ~4.67 Hz|
|Quartz watch||32768 Hz|
|Caesium-133 atomic clock||9,192,631,770 Hz|
|Bitcoin||1 block (0.00000192901 Hz* to ∞ Hz**)|
* first block (6 days)
** timestamps between blocks can show a negative delta
The fact that Bitcoin is a clock is hiding in plain sight. Indeed, Satoshi points out that the Bitcoin network as a whole acts as a clock, or, in his words: a distributed timestamp server.
In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions.
Satoshi Nakamoto (2009)
That timestamping was the root problem to be solved is also apparent by examining the reference at the end of the Bitcoin whitepaper. Out of the eight references in total, three are about timestamping:
- How to time-stamp a digital document by S. Haber, W.S. Stornetta (1991)
- Improving the efficiency and reliability of digital time-stamping by D. Bayer, S. Haber, W.S. Stornetta (1992)
- Design of a secure timestamping service with minimal trust requirements by H. Massias, X.S. Avila, and J.-J. Quisquater (May 1999)
As Haber and Stornetta outlined in 1991, digital time-stamping is about computationally practical procedures that make it infeasible for a user — or an adversary, for that matter — to either back-date or forward-date a digital document. Contrary to physical documents, digital documents are easy to tamper with, and the change doesn’t necessarily leave any tell-tale signs on the physical medium itself. In the digital realm, forgeries and manipulations can be perfect.
The malleable nature of information makes time-stamping digital documents an elaborate and sophisticated process. Naive solutions do not work. Take a text document, for example. You can’t simply add the date at the end of the document since everyone — including yourself — could simply change the date in the future. You could also make up any date in the first place.
Time is a Causal Chain
In an extreme view, the world can be seen as only connections, nothing else.
Tim Berners-Lee, Weaving the Web (1999)
Making up dates is a general problem, even in the non-digital realm. What is known in the kidnapping world as “Authentication by Newspaper” is a general solution to the problem of arbitrary timestamps.
This works because a newspaper is hard to fake and easy to verify. It is hard to fake because today’s front page refers to yesterday’s events, events that could not have been predicted by the kidnapper if the picture would be weeks old. By proxy of these events, the picture is proof that the hostage was still alive on the day the newspaper came out.
This method highlights one of the key concepts when it comes to time: causality. The arrow of time describes the causal relationship of events. No causality, no time. Causality is also the reason why cryptographic hash functions are so crucial when it comes to timestamping documents in cyberspace: they introduce a causal relationship. Since it is practically impossible to create a valid cryptographic hash without having the document in the first place, a causal relationship between the document and the hash is introduced: the data in question existed first, the hash was generated later. In other words: without the computational irreversibility of one-way functions, there would be no causality in cyberspace.
With this causal building block in place, one can come up with schemes that create a chain of events, causally linking A to B to C and so on. In that sense, secure digital timestamping moves us from a timeless place in the ether into the realm of digital history.
Causality fixes events in time. If an event was determined by certain earlier events, and determines certain subsequent events, then the event is sandwiched securely into its place in history.
Bayer, Haber, Stornetta (1992)
It goes without saying that causality is of the utmost importance when it comes to economic calculations. And since a ledger is nothing but the embodiment of economic calculations of multiple cooperating participants, causality is essential for every ledger.
We need a system for participants to agree on a single history […]. The solution we propose begins with a timestamp server.
Satoshi Nakamoto (2009)
It is fascinating that all of the puzzle pieces that make Bitcoin work did already exist. As early as 1991, Haber and Stornetta introduced two schemes that make it “difficult or impossible to produce false time-stamps.” The first relies on a trusted third party; the second, more elaborate “distributed trust” scheme, does not. The authors even identified the inherent problems of trusting a causal chain of events and what would be required to rewrite history. In their words, “the only possible spoof is to prepare a fake chain of time-stamps, long enough to exhaust the most suspicious challenger that one anticipates.” A similar attack vector exists in Bitcoin today, in the form of a 51% attack (more on that in a later chapter).
One year later, Bayer, Haber, and Stornetta built upon their previous work and proposed to use trees instead of simple linked lists to tie events together. What we know as Merkle Trees today are simply efficient data structures to create a hash from multiple hashes deterministically. For timestamping, this means that you can efficiently bundle multiple events into one “tick.” In the same paper, the authors propose that the distributed trust model introduced in 1991 could be improved by carrying out a recurring “world championship tournament” to determine a single “winner” who widely publishes the resulting hash somewhere public, like a newspaper. Sounds familiar?
As we shall see, it turns out that newspapers are also an excellent way to think about the second ingredient of time: unpredictability.
Causality and Unpredictability
Time is not a reality [hupostasis], but a concept [noêma] or a measure [metron]…
Antiphon the Sophist, On Truth (3rd century AD)
While causality is essential, it is not sufficient. We also need unpredictability for time to flow. In the physical realm, we observe natural processes to describe the flow of time. We observe a general increase in entropy and call that the arrow of time. Even though the laws of nature seem to be oblivious in regards to the direction of this arrow in most cases, certain things can’t be undone, practically speaking. You can’t unscramble an egg, as they say.
Similarly, entropy-increasing functions are required to establish an arrow of time in the digital realm. Just like it is practically impossible to unscramble an egg, it is practically impossible to unscramble a SHA256 hash or cryptographic signature.
Without this increase in entropy, we could go forward and backward in time willy-nilly. The sequence of Fibonacci Numbers, for example, is causal but not entropic. Every number in the sequence is caused by the two numbers that came before it. In that sense, it is a causal chain. However, it is not useful to tell the time because it is entirely predictable. In the same way that a kidnapper can’t simply stand in front of a calendar that shows the current date, we can’t use predictable processes as proof of time. We always have to rely on something that can’t be predicted in advance, like the front page of today’s newspaper.
Bitcoin relies upon two sources of unpredictability: transactions and proof-of-work. Just like nobody can predict what tomorrow’s newspaper will look like, nobody can predict what the next Bitcoin block will look like. You can’t predict what transactions are going to be included because you can’t predict what transactions are going to be broadcast in the future. And, more importantly, you can’t predict who will find the solution to the current proof-of-work puzzle and what this solution will be.
In contrast to the kidnapper’s newspaper, however, proof-of-work is physically linked to what happened directly. It is not just a record of an event — it is the event itself. It is the probabilistic directness of proof-of-work that removes trust from the equation. The only way to find a valid proof-of-work is by making a lot of guesses, and making a single guess takes a little bit of time. The probabilistic sum of these guesses is what builds up the timechain that is Bitcoin.
By utilizing the causality of hash-chains and the unpredictability of proof-of-work, the Bitcoin network provides a mechanism for establishing an indisputable history of events witnessed. Without causality, what came before and what came after is impossible to tease apart. Without unpredictability, causality is meaningless.
What is intuitively understood by every kidnapper was explicitly pointed out by Bayer, Haber, and Stornetta in 1992: “To establish that a document was created after a given moment in time, it is necessary to report events that could not have been predicted before they happened.”
It is the combination of causality and unpredictability that allows the creation of an artificial “now” in the otherwise timeless digital realm. As Bayer, Haber, and Stornetta point out in their 1991 paper: “the sequence of clients requesting time-stamps and the hashes they submit cannot be known in advance. So if we include bits from the previous sequence of client requests in the signed certificate, then we know that the time-stamp occurred after these requests. […] But the requirement of including bits from previous documents in the certificate also can be used to solve the problem of constraining the time in the other direction, because the time-stamping company cannot issue later certificates unless it has the current request in hand.”
All the puzzle pieces were already there. What Satoshi managed to do is put them together in a way that removes the “time-stamping company” from the equation.
Proof of Time
Causa latet: vis est notissima.
The cause is hidden, but the result is known.
Ovid, Metamorphoses, IV. 287 (8 AD)
Let us recapitulate: to use money in the digital realm, we have to rely on ledgers. To make ledgers reliable, unambiguous order is required. To establish order, timestamps are necessary. Thus, if we want to have trustless money in the digital realm, we must remove any entity that creates and manages timestamps and any single entity that is in charge of time itself.
It took a genius like Satoshi Nakamoto to realize the solution: “To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back’s Hashcash.”
We need to use a proof-of-work system because we need something that is native to the digital realm. Once you understand that the digital realm is informational in nature, the obvious conclusion is that computation is all we have. If your world is made of data, manipulation of data is all there is.
Proof-of-work works in a peer-to-peer setting because it is trustless, and it is trustless because it is disconnected from all external inputs — such as the readings of clocks (or newspapers, for that matter). It relies on one thing and one thing only: computation requires work, and in our universe, work requires energy and time.
I know it works for me.
As we cross the bridge — the burning bridge —
With flames behind us,
We front the line.
It’s you and me, baby, against the world.
Kate Bush, Burning Bridge (1985)
Without proof-of-work, one would always run into the Oracle problem because the physical realm and the informational realm are eternally disconnected. The markings on your list of sheep aren’t your sheep, the map is not the territory, and whatever was written in yesterday’s newspaper isn’t necessarily what happened in the real world. In the same manner, just because you use a real-world clock to write down a timestamp doesn’t mean that this is actually what the time was.
Put bluntly, there simply is no way to trust that data represents reality, except if the reality in question is inherent in the data itself. The brilliant thing about Bitcoin’s difficulty-adjusted proof-of-work is that it creates its own reality, along with its own space and time.
Proof-of-work provides a direct connection between the digital realm and the physical realm. More profoundly, it is the only connection that can be established in a trustless manner. Everything else will always rely on external inputs.
The difficulty to mine a new Bitcoin block is adjusted to make sure that the thin thread between Bitcoin’s time and our time remains intact. Like clockwork, the mining difficulty readjusts every 2016 ticks. The goal of this readjustment is to keep the average time between ticks at ten minutes. It is these ten minutes that maintain a stable connection between the physical and the informational realm. Consequently, a sense of human time is required to readjust the ticks of the Bitcoin clock. A purely block-based readjustment wouldn’t work since it would be completely disconnected from our human world, and the whole purpose of the readjustment is to stop us ingenious humans from finding blocks too fast (or too slow).
As Einstein has shown us, time is not a static thing. There is no such thing as a universal time we could rely upon. Time is relative, and simultaneity is nonexistent. This fact alone makes all timestamps — especially across large distances — inherently unreliable, even without adversarial actors. (This is why timestamps of GPS satellites have to be adjusted constantly, by the way.)
For Bitcoin, the fact that our human timestamps are imprecise doesn’t matter too much. It also doesn’t matter that we have no absolute reference frame in the first place. They only have to be precise enough to calculate a somewhat reliable average across 2016 blocks. To guarantee that, a block’s “meatspace” timestamp is only accepted if it fulfills two criteria:
- The timestamp has to be greater than the median timestamp of the previous 11 blocks.
- The timestamp has to be less than the network-adjusted time plus two hours. (The “network-adjusted time” is simply the median of the timestamps returned by all nodes connected to you.)
In other words, the difficulty-adjustment is about keeping a constant time, not a constant level of security, difficulty, or energy expenditure. This is ingenious because good money has to be costly in time, not energy. Linking money to energy alone is not sufficient to produce absolute scarcity since every improvement in energy generation would allow us to create more money. Time is the only thing we will never be able to make more of. It is The Ultimate Resource, as Julian Simon points out. This makes Bitcoin the ultimate form of money because its issuance is directly linked to the ultimate resource of our universe: time.
The difficulty adjustment is essential because, without it, the internal clock of Bitcoin would tend to go faster and faster as more miners join the network or the efficiency of mining devices improves. We would quickly run into the coordination problem that Bitcoin sets out to solve. As soon as the block time falls below a certain threshold, say, 50 milliseconds, it would be impossible to agree on a shared state, even in theory. It takes light around 66 milliseconds to travel from one side of the earth to the other. Thus, even if our computers and routers were perfect, we would be back at square one: given two events, it would be futile to tell which event happened before and which event happened after. Without a periodic adjustment of Bitcoin’s ticks, we would run into the hopeless problem of solving the coordination problem faster than the speed of light. Time is also at the root of the problem of cryptographic instability, which was outlined in Chapter 1. Cryptography works because of an asymmetry in time: it takes a short time to build a cryptographic wall and a long time to break it down — unless you have a key.
Thus, in some sense, proof-of-work — and the difficulty adjustment that goes along with it — artificially slows down time, at least from the perspective of the Bitcoin network. In other words: Bitcoin enforces an internal rhythm whose low frequency allows ample buffer for the latency of communications between peers. Every 2016 blocks, Bitcoin’s internal clock readjusts, so that — on average — only one valid block will be found every 10 minutes.
From an outside perspective, Bitcoin funnels the chaotic mess of globally broadcast asynchronous messages into a parallel universe, restricted by its own rules and its own sense of space and time. Transactions in the mempool are timeless from the point-of-view of the Bitcoin network. Only when a transaction is included in a valid block does it get assigned a time: the number of the block it is included in.
It is hard to overstate how elegant a solution this is. Once you are able to create your own definition of time, deciphering what came before and what came after is trivial. In turn, agreeing on what happened, in what order, and, consequently, who owes what to whom, becomes trivial as well.
The difficulty adjustment makes sure that the ticks of Bitcoin’s internal metronome are somewhat constant. It is the conductor of the Bitcoin orchestra. It is what keeps the music alive.
But why can we rely on work in the first place? The answer is threefold. We can rely on it because computation requires work, work requires time, and the work in question — guessing random numbers — can not be done efficiently.
Time forks perpetually toward innumerable futures.
Jorge Luis Borges, The Garden of Forking Paths (1941)
Finding a valid nonce for a Bitcoin block is a guessing game. It is very much like rolling a die, or flipping a coin, or spinning a roulette wheel. You are, in essence, trying to find a beyond-astronomically large random number. There is no progress toward finding a solution. You either hit the jackpot, or you don’t.
Every time you flip a coin, the chance of it coming up heads or tails is 50% — even if you flipped it twenty times before, and it came up heads every time. Similarly, every time you wait for a bitcoin block to come in, the chance that it will be found this second is ~0.16%. It doesn’t matter when the last block was found. The approximate waiting time for the next block is always the same: ~10 minutes.
It follows that every individual tick of this clock is unpredictable. Relative to our human clocks, this clock appears to be spontaneous and imprecise. This is irrelevant, as Gregory Trubetskoy points out: “It doesn’t matter that this clock is imprecise. What matters is that it is the same clock for everyone and that the state of the chain can be tied unambiguously to the ticks of this clock.” Bitcoin’s clock might be probabilistic, but it isn’t illusory.
Time is an illusion,
lunchtime doubly so.
Douglas Adams (1979)
The present moment, however, can absolutely be an illusion in Bitcoin. Since there is no central authority in the network, strange situations can arise. While unlikely, it is possible that a valid block is found at the same time (again: apologies to all physicists), which will make the clock tick forward in two different places at once. However, since the two different blocks will very likely differ in their content, they will contain two different histories, both equally valid.
This is known as a chain split and is a natural process of Nakamoto consensus. Like a flock of birds that briefly splits in two only to merge again, nodes on the Bitcoin network will eventually converge to a shared history after some time, thanks to the probabilistic nature of guessing.
Nakamoto consensus simply states that the correct history is to be found in the heaviest chain, i.e., the chain with the most amount of proof-of-work embedded in it. Thus, if we have two histories A and B, some miners will try to build upon history A, others will try to build upon history B. As soon as one of them finds the next valid block, the other group is programmed to accept that they were on the wrong side of history and switch over to the heaviest chain — the chain that represents what actually happened, by definition. In Bitcoin, history is truly written by the victors.
The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received. […] When there are multiple double-spent versions of the same transaction, one and only one will become valid. The receiver of a payment must wait an hour or so before believing that it’s valid. The network will resolve any possible double-spend races by then.
Satoshi Nakamoto (2009)
In this simple statement lies the secret of the distributed coordination problem. This is how Satoshi solved the problem of the “simultaneous payment” our fictitious business partners encountered previously. He solved it once and for all, relativistic effects be damned!
Because of this probabilistic nature of Bitcoin’s clock, the present moment — what we call the chain tip — is always uncertain. The past — blocks buried below the chain tip — is ever more certain.
The more thorough the understanding needed, the further back in time one must go.
Gordon Clark, A Christian View of Men and Things, p. 58. (1951)
Consequently, the Bitcoin clock might rewind from time to time, for some peers, for a tick or two. If your chain tip — the present moment — happens to lose to a competing chain tip, your clock will first rewind and then jump forward, overriding the last few ticks that you thought were history already. If your clock is probabilistic, your understanding of the past has to be too.
Tick tock tick tock tick — what is the time?
Tick tock tick tock… it ends in c619.
Are you sure this is fine? Are we probably late?
Absolutes do not matter: before nine there comes eight.
The clock isn’t exact; it sometimes goes in reverse.
Exact time implies center; that’s the root of this curse!
Yet this clock keeps on ticking, tock-tick and tick-tock,
there’s no profit in tricking; just tick-tock and next block.
A Funny Little Rhyme on Bitcoin and Time (2020)
Time is still one of the great mysteries in physics, one that calls into question the very definition of what physics is.
Jorge Cham and Daniel Whiteson: We Have No Idea: A Guide to the Unknown Universe, pp. 117 – 118 (2017)
Keeping track of things in the informational realm implies keeping track of a sequence of events, which in turn requires keeping track of time. Keeping track of time requires agreeing on a “now” — a moment in time that eternally links the settled past with the uncertain future. In Bitcoin, this “now” is the tip of the heaviest proof-of-work chain.
Two building blocks are essential for the structure of time: causal links and unpredictable events. Causal links are required to define a past, and unpredictable events are required to build a future. If the sequence of events would be predictable, it would be possible to skip ahead. If the individual steps of the sequence aren’t linked, it would be trivial to change the past. Because of its internal sense of time, it is insanely difficult to cheat Bitcoin. One would have to rewrite the past or predict the future. Bitcoin’s timechain prevents both.
Viewing Bitcoin through the lens of time should make clear that the “block chain” — the data structure that causally links multiple events together — is not the main innovation. It is not even a new idea, as is evident by studying the timestamp literature of the past.
A blockchain is a chain of blocks.
What is a new idea — what Satoshi figured out — is how to independently agree upon a history of events without central coordination. He found a way to implement a decentralised timestamping scheme that (a) doesn’t require a time-stamping company or server, (b) doesn’t require a newspaper or any other physical medium as proof, and (c) can keep the ticks more-or-less constant, even when operating in an environment of ever-faster CPU clock times.
Timekeeping requires causality, unpredictability, and coordination. In Bitcoin, causality is provided by one-way functions: the cryptographic hash functions and digital signatures that are at the core of the protocol. Unpredictability is provided by both the proof-of-work puzzle as well as the interaction with other peers: you can’t know in advance what others are doing, and you can’t know in advance what the solution to the proof-of-work puzzle will be. Coordination is made possible by the difficulty adjustment, the magic sauce that links Bitcoin’s time to ours. Without this bridge between the physical and the informational realm, it would be impossible to agree on a time by relying on nothing but data.
Bitcoin is time in more ways than one. Its units are stored time because they are money, and its network is time because it is a decentralized clock. The relentless beating of this clock is what gives rise to all the magical properties of Bitcoin. Without it, Bitcoin’s intricate dance would fall apart. But with it, everyone on earth has access to something truly marvelous: Magic Internet Money.
Bitcoin Is Time is a chapter of my upcoming book 21 Ways.
- Spanish translation by Natalí Attiná & Leonardo Demartino
- German translation by Rene
- German translation by Karl Klawatsch
- Russian translation by Tony
- English (video version) translation by Till Musshoff
- Greek translation by Nina
- Portuguese translation by Eduarda Lobato
- French translation by Théo Mogenet
- Italian translation by Filippo
- Malay translation by Jesper
Want to help? Add a translation!