I’m still trying to understand the details of how cryptocurrencies like Bitcoin work. But the general principles involved seem clear enough, so let me start by explaining (what I think) these are. I’ll let the experts out there fill in the gaps (and correct any errors I may have made). So what follows is basically an introductory lecture I would deliver to a class on the subject.
This is about the payment system: the way we pay and get paid for things. Any payment system has to solve the following two problems:
 How to transfer credits across accounts in an honest, secure, and reliable manner;
 How to manage the total supply of credits over time.
The earliest (and arguably still most important) payment system relies on informal communal record-keeping. In small communities (villages, networks consisting of close friends, or work colleagues, clubs, etc.) a lot of what gets produced and consumed relies on what one might call “social credit” designed to exploit multilateral gains to trade (even when bilateral gains to trade are absent). In small groups, it is relatively easy for many members of the community to keep track of individual contributions to, and individual withdrawals from, the collective good. I may sometimes ask a favor of a team member even if we both know I have no direct way to return the favor personally. At the same time, I may be asked to deliver a favor to a team member even if we both know he/she has no direct way to return the favor personally. We just do these things because it is in our collective self-interest. In such reciprocal “gift-giving” economies, the currency that facilitates exchange consists of individual reputations (credit histories). If credit histories are easily observed by members of the community, then it’s difficult to misrepresent or distort your credits, or steal credits from others. If you try to do so, and if you are caught, you may be ostracized from the community, or worse.
I mention this idea of “communal monitoring” because some form of it seems to play a critical role in the practical application of the Bitcoin protocol.
As a practical matter, the “social credit” system described above seems to work well for small groups, but not so well for larger communities. It’s tough to keep track of the individual credit histories of thousands or millions of people, let alone ensure that such records remain a true representation of history. In large communities, many individuals become “anonymous” to one another. Anonymity here means that anything they do in a transient bilateral meeting will not be observed and recorded by the community. That’s too bad because efficiency may have dictated that a gift be made in such a meeting. The gift might have been made if the gift-giver received (a social) credit for his/her sacrifice. But if no social credit is forthcoming (because nobody can see it), then the trade does not take place, even though it should have (in an ideal world).
One solution to this problem is monetary exchange. That is, imagine that there exists a durable, divisible, portable, recognizable physical object that is hard to steal/counterfeit (the way that reputations need to be hard to steal or counterfeit). Then contributors (workers) could build up credit by accumulating this object, and recipients (consumers) could draw down their credit by spending this object. As it circulates in this manner, this object becomes money. According to this interpretation, money is nothing more than a substitute for the missing (excessively costly) communal record-keeping technology (see Ostroy 1973, Townsend 1987, and Kocherlakota 1998).
In a monetary economy, there is no explicit communal monitoring going on. If money is difficult to steal/counterfeit, then the only way I could have acquired it is by working for it (or by having someone else who worked for it bequeath it to me as a gift). When I show up at my local Starbucks and ask for a triple grande latte, they won’t hand over my drink until I show evidence of my contributions to society. The evidence is in the form of the money that I earned from work. As I hand over my money, I debit my wallet and credit the Starbucks wallet. This transfer of credits involves no intermediary–it is a “self-serve” accounting mechanism.
Of course, many exchanges do take place via intermediaries like banks and clearinghouses. A check drawn on my bank account is an instruction to debit my account and credit another account. The accounts sit on the books of a third party–the intermediary. The money in this case need not even take a physical form — it can exist simply as a book-entry object. Today, these book-entry objects take the form of electronic digits, and these digits are debited and credited across accounts managed by banks with instructions from debit card technology.
O.K., well suppose that you do not trust the government (or central bank) and their paper money. Suppose you want the convenience of electronic money (so no commodity money). And moreover, suppose you do not want to rely on a third party like a bank. Maybe you don’t trust them, or you do not like their fees, or the records of your purchases they keep, or the fact that your identity is associated with your account. What is the alternative?
What we want is some way to replicate the cash experience using electronic digits instead of physical currency. Recall that in bilateral cash transactions, the accounting is done on a self-service basis without the help of the community or some other third party. When it comes to digital money transferred over the internet across a large network of users, self-serve accounting is not likely to be practical. The self-serve part will have to be replaced by some communal monitoring service (obviously not a delegated third party, since this is what we are trying to avoid). I’ll try to explain why in a moment, but first let me consider an idealized world where the relevant information is costlessly accessible to all members of the community.
Digital cash with communal record-keeping and communal monetary policy
Digital cash consists of information encoded electronically as bits. For concreteness, let’s call digital cash “e-coins” and assume that an e-coin takes the form of a unique N-digit serial number.
[A1] Assume that the serial numbers of every e-coin created are recorded in a public data bank for all to see.
There is an initial money supply (50 bitcoins in the case of the Bitcoin protocol) and a publicly known protocol that governs money creation. In a nutshell, money growth can only occur by “communal consent.” In the present context, you can think of monetary policy as a rule for money creation (and distribution), where the rule can only be changed by communal consent.
Members of the community possess “computer wallets” where e-coins are stored in an encrypted file and managed by a computer app (you can download these programs for free). Computer wallets have a public address, like a P.O. box (the identity of the wallet is not known, and a person may own several wallets). So people can send money to your wallet, but only you can extract money from your wallet (only you possess a private digital key for this purpose).
[A2] The e-coin content of every wallet is part of the public database.
So here’s how things might work. Suppose a buyer wants to send an e-coin to a seller. Essentially, the buyer sends a message to the community: I wish to send e-coin SN01234 to [seller’s wallet address]. A digital signature ensures that this message could only have originated from the buyer’s wallet.
[A3] All messages are publicly observable.
(The italicized sentences above emphasize the assumed information structure. For Bitcoin, there is even more information than this: the entire transaction history of every wallet is part of the public database.)
Now, if every member can costlessly scan and verify every element of the public database, the transaction process should be straightforward. First, the seller can see that the buyer does indeed own e-coin SN01234. Second, by comparing SN01234 to the public database of serial numbers outstanding, the seller can see that SN01234 is unique and was not counterfeited by the buyer. Third, the seller can see that the buyer is not trying to “double spend” SN01234 (e.g., by simultaneously offering it to another merchant’s wallet).
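The seller's checks described above, sketched as an added example (not part of the original post and not Bitcoin's actual code): a toy public database in Python covering [A1]-[A3] that rejects a forged message, a counterfeit serial number, a coin the sender does not own, and a double spend. The textbook-RSA signature built from fixed primes, the address format, and every name and serial number other than SN01234 are assumptions constructed for illustration, and the signature scheme is not secure.

```python
import hashlib

def addr(n, e):  # wallet address = short hash of the public key (constructed)
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def digest(serial, to, n):  # hash of "send <serial> to <to>", reduced mod n
    return int(hashlib.sha256(f"{serial}->{to}".encode()).hexdigest(), 16) % n

class Wallet:
    """Toy textbook-RSA key pair from fixed Mersenne primes. NOT secure."""
    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self._d = pow(e, -1, (p - 1) * (q - 1))  # private key, never published
        self.address = addr(self.n, e)
    def send(self, serial, to):
        sig = pow(digest(serial, to, self.n), self._d, self.n)
        return {"serial": serial, "from": self.address, "to": to,
                "pubkey": (self.n, self.e), "sig": sig}

class PublicLedger:
    def __init__(self):
        self.owner = {}     # [A1] + [A2]: serial number -> owning wallet address
        self.messages = []  # [A3]: every accepted transfer message is public
    def check(self, tx):  # what the seller verifies before accepting an e-coin
        (n, e), serial = tx["pubkey"], tx["serial"]
        signed = pow(tx["sig"], e, n) == digest(serial, tx["to"], n)
        if addr(n, e) != tx["from"] or not signed:
            return "bad signature"
        if serial not in self.owner:
            return "counterfeit"      # serial number was never issued
        if self.owner[serial] != tx["from"]:
            return "not owner"
        if any(m["serial"] == serial for m in self.messages):
            return "double spend"     # coin already offered to another wallet
        return "ok"
    def broadcast(self, tx):
        verdict = self.check(tx)
        if verdict == "ok":
            self.messages.append(tx)
        return verdict

if __name__ == "__main__":
    buyer, scammer = Wallet(2**61 - 1, 2**89 - 1), Wallet(2**107 - 1, 2**127 - 1)
    ledger = PublicLedger()
    ledger.owner["SN01234"] = buyer.address  # constructed: buyer holds this coin
    txs = [buyer.send("SN01234", "seller"), buyer.send("SN01234", "merchant2"),
           buyer.send("SN99999", "seller"), scammer.send("SN01234", "scammer"),
           dict(buyer.send("SN01234", "seller"), to="scammer")]
    print([ledger.broadcast(tx) for tx in txs])
```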
The practical problem with this protocol is not that information assumptions [A1]-[A3] are violated. The information is available. There’s just so much of it that not everyone can be expected to absorb it all instantaneously. It is time lag that opens the door for scammers. The task of legitimizing, recording, and updating the database has to be delegated in some manner. In the Bitcoin protocol, the task is not delegated to any single third party, rather it is delegated to members of the community who wish to “volunteer” their monitoring services.
Now, the precise details of how this public monitoring and record-keeping is done presently escape me. The basic idea is that the monitoring activity must be made costly, because otherwise there is an incentive for scammers to announce that their scam deals (e.g., attempts to double spend) are legitimate. In Bitcoin, the monitors (miners) are required to solve a complicated mathematical problem (consumes energy and CPU time), the answer to which is easily verifiable. I think that (somehow) the verification of this answer also verifies the legitimacy of the transaction (someone help me out here).
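A simplified model of the puzzle described above, added here as an illustration (not the original post's or Bitcoin's own code): finding a valid nonce takes tens of thousands of hash attempts, checking it takes one, and because the hash covers the block's transactions, altering a recorded transaction invalidates the answer. The 16-bit difficulty, the header layout, and the sample transactions are constructed assumptions; Bitcoin's real block format and target differ.

```python
import hashlib

DIFFICULTY_BITS = 16  # constructed toy difficulty: about 65,000 tries on average

def tx_digest(transactions):
    """Commit to the ordered list of transfer messages with a single hash."""
    h = hashlib.sha256()
    for tx in transactions:
        h.update(hashlib.sha256(tx.encode()).digest())
    return h.hexdigest()

def block_hash(prev_hash, transactions, nonce):
    header = f"{prev_hash}|{tx_digest(transactions)}|{nonce}".encode()
    # Double SHA-256 is the hash Bitcoin applies to block headers.
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def meets_target(digest, bits=DIFFICULTY_BITS):
    """True when the 256-bit hash starts with at least `bits` zero bits."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def mine(prev_hash, transactions, bits=DIFFICULTY_BITS):
    """Costly side: try nonces one by one until the hash meets the target."""
    nonce = 0
    while not meets_target(block_hash(prev_hash, transactions, nonce), bits):
        nonce += 1
    return nonce

def verify(prev_hash, transactions, nonce, bits=DIFFICULTY_BITS):
    """Cheap side: a single hash computation checks the claimed work."""
    return meets_target(block_hash(prev_hash, transactions, nonce), bits)

if __name__ == "__main__":
    prev = "00" * 32  # constructed placeholder for the previous block's hash
    txs = ["walletA -> walletB: SN01234", "walletC -> walletD: SN05678"]
    nonce = mine(prev, txs)
    print("nonce:", nonce, "valid:", verify(prev, txs, nonce))
    # Redirecting a recorded payment changes the hash, so the old nonce fails.
    forged = ["walletA -> walletE: SN01234", txs[1]]
    print("altered block still valid:", verify(prev, forged, nonce))
```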
But if it is costly for miners to verify transactions, what motivates them to do it? There is a reward, of course. In Bitcoin, the reward comes in two forms: newly minted bitcoin and/or service fees. So in the Bitcoin protocol, the verification costs are partly financed via seigniorage. I do not understand the exact mechanics of this process, in particular, the cryptographic techniques involved, and how the parameters are varied over time (for example, to ensure that the supply of bitcoins never exceeds 21 million). Maybe some smart person can explain it to me in plain language. (Here is a good attempt).
Before I leave this part of the discussion, I want to make a remark about the “mining” activity in Bitcoin. A lot of people, including Paul Krugman, appear confused about it. I initially shared in this confusion. Mining actual gold for the purpose of increasing the money supply is indeed socially wasteful. That’s because an existing supply of gold can be stretched into an arbitrarily large supply of real money balances via an appropriate deflation. But the mining activity in Bitcoin is not a social waste–it is the cost associated with operating a payment system of this particular form when people have an incentive to cheat. The analog here is the cost associated with opening and maintaining your checking account at a bank.
Is Bitcoin a good money?
One could argue that the USD is at least partially backed by its ability to discharge real tax obligations. But bitcoins truly are purely fiat in nature (they have no intrinsic use in either consumption or production). Does this mean that the value of bitcoins must eventually crash to zero (their fundamental value)? No.
Bitcoins are information — record-keeping devices. You can’t eat my credit history either, but some companies would value (and pay for) this information nevertheless. So as long as Bitcoin conveys accurate information, its value can persist indefinitely. (There is, of course, the threat of entry, though Bitcoin appears to have a substantial early-mover advantage.)
One problem with Bitcoin as a currency is that its purchasing power sometimes fluctuates violently and at high frequency. As I have argued before, a desirable property of a monetary instrument is that it possess a relatively stable short-run rate of return. (A stable long-run rate of return is nice, but not essential, since other assets than money can be utilized as long-term stores of wealth.) Let’s take a look at the USD price of bitcoin:
Holy cow. (Wish I had bought in at 5 cents!)
What accounts for this price volatility? (By comparison, the real rate of return on USD over the same period of time was a relatively stable -1% p.a.) Well, it might have something to do with the thinness of the USD/BTC market (can anyone point me to some evidence?). Or it might have something to do with the fact that bitcoin is not a unit of account (even if it is a medium of exchange, prices are usually denominated in USD). Both of these problems might diminish over time as the popularity of the instrument grows.
But my own take on this is that the price volatility reflects the perception that the supply of bitcoins is (relatively) fixed. This, combined with large fluctuations in the demand for bitcoin, naturally results in huge rate of return volatility. We saw the same thing under gold standard monetary regimes (where gold was a unit of account). In principle, an “elastic” supply of currency (even the credible threat of an elastic supply) can be used to offset sudden changes in demand to keep the rate of return (inflation rate) on money relatively stable.
My colleague, Francois Velde of the Chicago Fed, has a nice primer on Bitcoin. (It delves into the mechanics of the cryptography involved, but I still find many parts of his discussion a little vague.) But in terms of what sort of trust is involved in Bitcoin and similar endeavors, I like what he has to say here:
[B]itcoin protocol is based on open-source software. Bitcoin is what bitcoin users use. The general principles of bitcoin and its early versions are attributed to an otherwise unknown Satoshi Nakamoto; improvements, bug fixes, and repairs have since been carried out by the community of bitcoin users, dominated by a small set of programmers.
Although some of the enthusiasm for bitcoin is driven by a distrust of state-issued currency, it is hard to imagine a world where the main currency is based on an extremely complex code understood by only a few and controlled by even fewer, without accountability, arbitration, or recourse.
Yes, it’s hard to imagine. But maybe it’s because we lack imagination? Only time will tell.