Syscoin Platform’s Great Reddit Scaling Bake-off Proposal
We are excited to participate and present Syscoin Platform's ideal characteristics and capabilities towards a well-rounded Reddit Community Points solution! Our scaling solution for Reddit Community Points involves 2-way peg interoperability with Ethereum. This will provide a scalable token layer built specifically for speed and high volumes of simple value transfers at a very low cost, while providing sovereign ownership and on-chain finality. Token transfers scale by taking advantage of a globally sorting mempool that provides for probabilistically secure assumptions of “as good as settled”. The opportunity here for token receivers is to have app-layer interactivity on the speed/security tradeoff (99.9999% assurance within 10 seconds). We call this Z-DAG, and it achieves high throughput across a mesh network topology presently composed of about 2,000 geographically dispersed full nodes. Similar to Bitcoin, however, these nodes are incentivized to run full nodes for the benefit of network security, through a bonded validator scheme. These nodes do not participate in the consensus of transactions or block validation any differently than other nodes and therefore do not degrade the security model of Bitcoin’s validate first then trust, across every node. Each token transfer settles on-chain. The protocol follows Bitcoin Core policies so it has adequate code coverage and protocol hardening to be qualified as production quality software. It shares a significant portion of Bitcoin’s own hashpower through merged-mining. This platform as a whole can serve token microtransactions, larger settlements, and store-of-value in an ideal fashion, providing probabilistic scalability whilst remaining decentralized according to Bitcoin design. It is accessible to ERC-20 via a permissionless and trust-minimized bridge that works in both directions.
The bridge and token platform are currently available on the Syscoin mainnet. This has been gaining recent attention for use by loyalty point programs and stablecoins such as Binance USD.
Syscoin Foundation identified a few paths for Reddit to leverage this infrastructure, each with trade-offs. The first provides the most cost-savings and scaling benefits at some sacrifice of token autonomy. The second offers more preservation of autonomy with a more narrow scope of cost savings than the first option, but savings even so. The third introduces more complexity than the previous two yet provides the most overall benefits. We consider the third as most viable as it enables Reddit to benefit even while retaining existing smart contract functionality. We will focus on the third option, and include the first two for good measure.
Option 1: Distribution, burns and user-to-user transfers of Reddit Points are entirely carried out on the Syscoin network. This full-on approach to utilizing the Syscoin network provides the most scalability and transaction cost benefits of these scenarios. The tradeoff here is that distribution and subscription handling likely migrate away from smart contracts into the application layer.
Option 2: The Reddit Community Points ecosystem can continue to use existing smart contracts as they are used today on the Ethereum mainchain. Users migrate a portion of their tokens to Syscoin, the scaling network, to gain much lower fees, scalability, and a proven base layer, without sacrificing sovereign ownership. They would use Syscoin for user-to-user transfers. This gives tips redeemable in ten seconds or less, a high-throughput relay network, and on-chain settlement at a block target of 60 seconds.
Option 3: Integration between Matic Network and Syscoin Platform - similar to Syscoin’s current integration with Ethereum - will provide Reddit Community Points with EVM scalability (including the Memberships ERC777 operator) on the Matic side, and performant simple value transfers, robust decentralized security, and sovereign store-of-value on the Syscoin side. It’s “the best of both worlds”. The trade-off is more complex interoperability.
Syscoin + Matic Integration
Matic and Blockchain Foundry Inc, the public company formed by the founders of Syscoin, recently entered a partnership for joint research and business development initiatives. This is ideal for all parties as Matic Network and Syscoin Platform provide complementary utility. Syscoin offers characteristics for sovereign ownership and security based on Bitcoin’s time-tested model, and shares a significant portion of Bitcoin’s own hashpower. Syscoin’s focus is on secure and scalable simple value transfers, trust-minimized interoperability, and opt-in regulatory compliance for tokenized assets rather than scalability for smart contract execution. On the other hand, Matic Network can provide scalable EVM for smart contract execution. Reddit Community Points can benefit from both. Syscoin + Matic integration is actively being explored by both teams, as it is helpful to Reddit, Ethereum, and the industry as a whole.
Total cost for these 100k transactions: $0.63 USD. See the live fee comparison for savings estimation between transactions on Ethereum and Syscoin. Below is a snapshot at time of writing:
ETH price: $318.55
ETH gas price: 55.00 Gwei ($0.37)
Syscoin price: $0.11
(Snapshot of live fee comparison chart)
Z-DAG provides a more efficient fee market. A typical Z-DAG transaction costs 0.0000582 SYS. Tokens can be safely redeemed/re-spent within seconds or allowed to settle on-chain beforehand. The costs should remain about this low for microtransactions. Syscoin will achieve further reduction of fees and even greater scalability with off-chain payment channels for assets, with Z-DAG as a resilience fallback. New payment channel technology is one of the topics under research by the Syscoin development team with our academic partners at TU Delft. In line with the calculation in the Lightning Network white paper, payment channels using assets with Syscoin Core will bring theoretical capacity for each person on Earth (7.8 billion) to have five on-chain transactions per year, per person, without requiring anyone to enter a fee market (aka “wait for a block”). This exceeds the minimum LN expectation of two transactions per person, per year; one to exist on-chain and one to settle aggregated value.
Tools to simplify using Syscoin Bridge as a service with dapps and wallets will be released some time after implementation of Syscoin Core 4.2. These will be based upon the same processes which are automated in the current live Sysethereum Dapp that is functioning with the Syscoin mainnet.
The Syscoin Ethereum Bridge is secured by Agent nodes participating in a decentralized and incentivized model that involves roles of Superblock challengers and submitters. This model is open to participation. The benefits here are trust-minimization, permissionless-ness, and potentially less legal/regulatory red-tape than interop mechanisms that involve liquidity providers and/or trading mechanisms. The trade-off is that due to the decentralized nature there are cross-chain settlement times of one hour to cross from Ethereum to Syscoin, and three hours to cross from Syscoin to Ethereum. We are exploring ways to reduce this time while maintaining decentralization via zkp. Even so, an “instant bridge” experience could be provided by means of a third-party liquidity mechanism. That option exists but is not required for bridge functionality today. Typically bridges are used with batch value, not with high frequencies of smaller values, and generally it is advantageous to keep some value on both chains for maximum availability of utility. Even so, the cross-chain settlement time is good to mention here.
Ethereum -> Syscoin: Matic or Ethereum transaction fee for bridge contract interaction; negligible Syscoin transaction fee for minting tokens.
Syscoin -> Ethereum: negligible Syscoin transaction fee for burning tokens; 0.01% transaction fee paid to the Bridge Agent in the form of the ERC-20; Matic or Ethereum transaction fee for contract interaction.
Zero-Confirmation Directed Acyclic Graph (Z-DAG) is an instant settlement protocol that is used as a complementary system to proof-of-work (PoW) in the confirmation of Syscoin service transactions. In essence, a Z-DAG is simply a directed acyclic graph (DAG) where validating nodes verify the sequential ordering of transactions that are received in their memory pools. Z-DAG is used by the validating nodes across the network to ensure that there is absolute consensus on the ordering of transactions and no balances are overflowed (no double-spends).
Unique fee-market that is more efficient for microtransaction redemption and settlement
Uses decentralized means to enable tokens with value transfer scalability that is comparable to or exceeds that of credit card networks
Provides high throughput and secure fulfillment even if blocks are full
Probabilistic and interactive
99.9999% security assurance within 10 seconds
Can serve payment channels as a resilience fallback that is faster and lower-cost than falling back directly to a blockchain
Each Z-DAG transaction also settles onchain through Syscoin Core at 60-second block target using SHA-256 Proof of Work consensus
Z-DAG enables the ideal speed/security tradeoff to be determined per use-case in the application layer. It minimizes the sacrifice required to accept and redeem fast transfers/payments while providing more-than-ample security for microtransactions. This is supported on the premise that a Reddit user receiving points does need security yet generally doesn’t want nor need to wait for the same level of security as a nation-state settling an international trade debt. In any case, each Z-DAG transaction settles onchain at a block target of 60 seconds.
Syscoin 3.0 White Paper (4.0 white paper is pending. For improved scalability and less blockchain bloat, some features of v3 no longer exist in current v4: Specifically Marketplace Offers, Aliases, Escrow, Certificates, Pruning, Encrypted Messaging)
16MB block bandwidth per minute assuming segwit witness carrying transactions, and transactions ~200 bytes on average
SHA256 merge mined with Bitcoin
UTXO asset layer, with base Syscoin layer sharing identical security policies as Bitcoin Core
Z-DAG on asset layer, bridge to Ethereum on asset layer
On-chain scaling with prospect of enabling enterprise grade reliable trustless payment processing with on/offchain hybrid solution
Focus only on Simple Value Transfers. MVP of blockchain consensus footprint is balances and ownership of them. Everything else can reduce data availability in exchange for scale (Ethereum 2.0 model). We leave that to other designs, we focus on transfers.
Future integrations of MAST/Taproot to get more complex value transfers without trading off trustlessness or decentralization.
Zero-knowledge proofs are a new cryptographic frontier. We are dabbling here to generalize the concept of bridging and also to verify the state of a chain efficiently. We also apply it in our Digital Identity projects at Blockchain Foundry (a publicly traded company which develops Syscoin software for clients). We are also looking to integrate privacy-preserving payment channels for off-chain payments through a zkSNARK hub & spoke design which does not suffer from the HTLC attack vectors evident on LN. Much of the issues plaguing Lightning Network can be resolved using a zkSNARK design whilst also providing the ability to do a multi-asset payment channel system. We have currently found a showstopper attack (American Call Option) on LN if we were to use multiple assets. This would not exist in a system such as this.
Web3 and mobile wallets are under active development by Blockchain Foundry Inc as WebAssembly applications and expected for release not long after mainnet deployment of Syscoin Core 4.2. Both of these will be multi-coin wallets that support Syscoin, SPTs, Ethereum, and ERC-20 tokens. The Web3 wallet will provide functionality similar to Metamask. Syscoin Platform and tokens are already integrated with Blockbook. Custom hardware wallet support currently exists via ElectrumSys. First-class HW wallet integration through apps such as Ledger Live will exist after 4.2.
Currently supported wallets:
Syscoin Spark Desktop
Syscoin-Qt
Recently, some news popped up on “blockchain voting” that promises the “security of the blockchain”. What. The. Hell.
Disclaimer: I did not read all 100 paragraphs of their patent (most of it describing implementations and technicalities), so what I write here may or may not be accurate to what they plan on doing. I will revise as I see new information.
Pre-foreword: Vocabulary
Asymmetrical encryption: Asymmetrical encryption is where encryption and decryption require two different “keys”. Typically, there is the public key and private key. The private key is never shared, but the public key is shown to everyone in the world. In asymmetrical encryption, only the private key can decrypt ciphertext encrypted with the public key, and vice versa.
Nonce: a cryptographic element which is just a random bunch of text of variable length.
Hash: a cryptographic hash. Read: SHA.
Foreword: What’s blockchain? (This assumes USPS implements similar to the bitcoin paper.)
Blockchain is a system of a distributed ledger. Each entry contains information on a transaction. The “sender” of the money encrypts the transaction with their private asymmetrical encryption key. This means people with the public key can verify they sent it. Every “block” contains a set amount of entries, which are then hashed (in bitcoin, with a special nonce which is found by “mining”) and passed onto the next block in the chain. Every block is hashed with the previous block’s hash. Another part of blockchain is that whichever chain of blocks is longest is the correct chain, so long as the entries are valid. Shorter chains are discarded (this is how the Ethereum 51% attacks that got 5.6 million worked).
Why this sucks
As I understand it, the blockchain system works like so:
Voter A adds their name to the ledger on the “I voted” chain. Voter A anonymously adds their vote onto the “Who I voted for” chain.
Ok, cool. A did everything right. But if this is all that’s going on here...? The problems.
1. Blockchain assumes mining. The danger of blockchain without mining is quite simply that it will be undermined (get it?). Even with mining, it can be sabotaged. Computers that mine will have to exclusively be owned by the USPS. (Hint: $$$)
2. Blockchain is not anonymous. There’s only one way I can think of to verify the integrity of votes while making it 100% anonymous. Several pseudo-anonymous and anonymous methods I can think of:
Generating keys for citizens and checking public keys against this list
Allowing any secure key pair to be authorized by credentials
Keeping a Boolean list of all keys, and only accepting a key once it has received authorization. (But... how do you verify they didn’t double vote?) Essentially... how do you prevent people from adding votes to the ledger without them saying they voted?
3. If mining is public, it will be sabotaged. It’d be weird for the USPS to pay citizens to mine, and assuming they won’t do that, criminals will quickly gather the hashing power to flat out deny the election.
4. Election rigging is just as likely, even possibly with mining. If you can’t see the list of voter keys’ holders (said keys will be held by the GOVERNMENT) then how do you know the votes are legitimate? You don’t. There is no need to take abode in false security.
Ok, so what works? There are a BILLION other ways to do voting that are more secure and more anonymous than a damn blockchain. Here are some:
Two-stage asymmetrical encryption
Someone is sent a public key, encrypted. They must verify their identity before an automated machine will give them the private key to decrypt it. They then use the public key to encrypt their vote. This assumes voter verification is done by employees who have no access to the private/public keys. Employees should request a cryptographic hash of the received encrypted key to check against their own database.
One-stage asymmetrical
A voter is mailed a public key to use to encrypt their vote. The private key will be checked against an approved list.
Epilogue
As far as I understand, voting by blockchain is a bad idea and I will need to see some very good arguments defending it on the USPS side before I trust it. Distributed, public computing models should not be used in voting.
It takes a lot of money to make Blockchain secure.
Looking for Technical Information about Mining Pools
I'm doing research on how exactly bitcoins are mined, and I'm looking for detailed information about how mining pools work - i.e. what exactly is the pool server telling each participating miner to do. It's so far my understanding that, when Bitcoins are mined, the following steps take place:
Transactions from the mempool are selected for a new block; this may or may not be all the transactions in said mempool. A coinbase transaction - which consists of the miner's wallet's address and other arbitrary data - that will help create new Bitcoin will also be added to the new block.
All of said transactions are hashed together into a Merkle Root. The hashing algorithm is Double SHA-256.
A block header is formed for the new block. Said block header consists of a Version, the Block Hash of the Previous Block in the Blockchain, said Merkle Root from earlier, a timestamp in UTC, the target, and a nonce - which is 32 bits long and can be any value from 0x00000000 to 0xFFFFFFFF (a total of 4,294,967,296 nonce values in total).
The nonce value is set to 0x00000000, and said block header is double hashed to get the Block Hash of the current block; and if said Block Hash starts with a certain number of zeroes (depending on the difficulty), the miner sends the block to the Bitcoin Network, the block is successfully added to the blockchain, and the miner is awarded with newly created bitcoin.
But if said Block Hash does not start with the required number of zeroes, said block will not be accepted by the network, and the miner Double Hashes the block again, but with a different nonce value; but if none of the 4,294,967,296 nonce values yields a Block Hash with the required number of zeroes, it will be impossible to add the block to the network - and in that case, the miner will either need to change the timestamp and try all 4,294,967,296 nonce values again, or the miner will need to start all over again and compose a new block with a different set of transactions (either a different coinbase transaction, a different set of transactions from the mempool, or both).
Now, what I'm trying to figure out is what exactly each miner is doing differently in a mining pool, and if it is different depending on the pool. One thing I've read is that a mining pool gives each participating miner a different set of transactions from the mempool. I've also read that, because the most sophisticated miners can try all 4,294,967,296 nonce values in less than a fraction of a second, and since the timestamp can only be updated every second, the coinbase transaction is used as a "second nonce" (although, it is my understanding that, being part of a transaction, if this "extra nonce" is changed, all the transactions need to be double hashed into a new Merkle Root); and I may have read someplace that miners could also be given the same set of transactions from the mempool, but are each told to use a different set of "extra nonce" values for the coinbase transaction. Is there anything else that pools tell miners to do differently? Is each pool different in the instructions it gives to the participating miners? Did I get anything wrong? I want to make sure I have a full technical understanding of what mining pools are doing to mine bitcoin.
Bitcoin (BTC) is a peer-to-peer cryptocurrency that aims to function as a means of exchange that is independent of any central authority. BTC can be transferred electronically in a secure, verifiable, and immutable way.
Launched in 2009, BTC is the first virtual currency to solve the double-spending issue by timestamping transactions before broadcasting them to all of the nodes in the Bitcoin network. The Bitcoin Protocol offered a solution to the Byzantine Generals’ Problem with a blockchain network structure, a notion first created by Stuart Haber and W. Scott Stornetta in 1991.
Bitcoin’s whitepaper was published pseudonymously in 2008 by an individual, or a group, with the pseudonym “Satoshi Nakamoto”, whose underlying identity has still not been verified.
The Bitcoin protocol uses an SHA-256d-based Proof-of-Work (PoW) algorithm to reach network consensus. Its network has a target block time of 10 minutes and a maximum supply of 21 million tokens, with a decaying token emission rate. To prevent fluctuation of the block time, the network’s block difficulty is re-adjusted through an algorithm based on the past 2016 block times.
With a block size limit capped at 1 megabyte, the Bitcoin Protocol has supported both the Lightning Network, a second-layer infrastructure for payment channels, and Segregated Witness, a soft-fork to increase the number of transactions on a block, as solutions to network scalability.
Bitcoin is a peer-to-peer cryptocurrency that aims to function as a means of exchange and is independent of any central authority. Bitcoins are transferred electronically in a secure, verifiable, and immutable way.
Network validators, who are often referred to as miners, participate in the SHA-256d-based Proof-of-Work consensus mechanism to determine the next global state of the blockchain.
The Bitcoin protocol has a target block time of 10 minutes, and a maximum supply of 21 million tokens. The only way new bitcoins can be produced is when a block producer generates a new valid block.
The protocol has a token emission rate that halves every 210,000 blocks, or approximately every 4 years.
Unlike public blockchain infrastructures supporting the development of decentralized applications (Ethereum), the Bitcoin protocol is primarily used only for payments, and has only very limited support for smart contract-like functionalities (Bitcoin “Script” is mostly used to set conditions that must be met before bitcoins can be spent).
In the Bitcoin network, anyone can join the network and become a bookkeeping service provider i.e., a validator. All validators are allowed in the race to become the block producer for the next block, yet only the first to complete a computationally heavy task will win. This feature is called Proof of Work (PoW). The probability of any single validator to finish the task first is equal to the percentage of the total network computation power, or hash power, the validator has. For instance, a validator with 5% of the total network computation power will have a 5% chance of completing the task first, and therefore becoming the next block producer. Since anyone can join the race, competition is prone to increase. In the early days, Bitcoin mining was mostly done by personal computer CPUs. As of today, Bitcoin validators, or miners, have opted for dedicated and more powerful devices such as machines based on Application-Specific Integrated Circuit (“ASIC”). Proof of Work secures the network as block producers must have spent resources external to the network (i.e., money to pay electricity), and can provide proof to other participants that they did so. With various miners competing for block rewards, it becomes difficult for one single malicious party to gain network majority (defined as more than 51% of the network’s hash power in the Nakamoto consensus mechanism). The ability to rearrange transactions via 51% attacks indicates another feature of the Nakamoto consensus: the finality of transactions is only probabilistic. Once a block is produced, it is then propagated by the block producer to all other validators to check on the validity of all transactions in that block. The block producer will receive rewards in the network’s native currency (i.e., bitcoin) as all validators approve the block and update their ledgers.
The Bitcoin protocol utilizes the Merkle tree data structure in order to organize hashes of numerous individual transactions into each block. This concept is named after Ralph Merkle, who patented it in 1979. With the use of a Merkle tree, though each block might contain thousands of transactions, it will have the ability to combine all of their hashes and condense them into one, allowing efficient and secure verification of this group of transactions. This single hash is called a Merkle root, which is stored in the Block Header of a block. The Block Header also stores other meta information of a block, such as a hash of the previous Block Header, which enables blocks to be associated in a chain-like structure (hence the name “blockchain”).
(Figure: an illustration of block production in the Bitcoin Protocol.)
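Worked example added here (not code from this page, the mining-pool question above, or any Bitcoin project): it builds the Merkle root of this paragraph from txids, hashes the 80-byte header exactly as the mining-pool question earlier on this page describes, and shows why a pool hands each worker its own extranonce range: bumping the extranonce changes the coinbase, hence the Merkle root, hence the whole nonce space. The coinbase bytes, txids, previous hash and the easy target 0x2000ffff are constructed stand-ins, not real Bitcoin serialization.

```python
import hashlib
import struct


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list) -> bytes:
    """Merkle root of a list of txids (internal byte order).
    As in Bitcoin, a level with an odd number of hashes duplicates its last hash."""
    if not txids:
        raise ValueError("a block needs at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def coinbase_tx(extranonce: int, worker_tag: bytes = b"worker-1") -> bytes:
    """Constructed stand-in for a coinbase transaction (not real serialization).
    Only its bytes matter here: its txid is the first leaf of the Merkle tree, so
    any change to the extranonce forces a new Merkle root and a fresh header."""
    return b"coinbase|" + worker_tag + b"|" + struct.pack("<Q", extranonce)


def bits_to_target(bits: int) -> int:
    """Decode the compact 'bits' field of the header into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3))


def block_header(version: int, prev_hash: bytes, root: bytes,
                 timestamp: int, bits: int, nonce: int) -> bytes:
    """The 80-byte header that is actually hashed: little-endian integers,
    hashes in internal byte order."""
    return (struct.pack("<I", version) + prev_hash + root
            + struct.pack("<III", timestamp, bits, nonce))


def header_meets_target(header: bytes, target: int) -> bool:
    """A header is valid when its double-SHA-256, read as a little-endian
    integer, is at or below the target (the precise form of the 'leading zeroes' rule)."""
    return int.from_bytes(dsha256(header), "little") <= target


def mine(prev_hash: bytes, mempool_txids: list, timestamp: int, bits: int,
         extranonce_range, nonce_limit: int):
    """Search the nonce space for each extranonce in turn: when every nonce for one
    coinbase is exhausted, bump the extranonce, rebuild the Merkle root and retry.
    A pool assigns each worker a disjoint extranonce range so no two repeat work."""
    target = bits_to_target(bits)
    for extranonce in extranonce_range:
        coinbase_txid = dsha256(coinbase_tx(extranonce))
        root = merkle_root([coinbase_txid] + mempool_txids)
        for nonce in range(nonce_limit):
            header = block_header(1, prev_hash, root, timestamp, bits, nonce)
            if header_meets_target(header, target):
                # Hash shown in the usual reversed (display) byte order.
                return {"extranonce": extranonce, "nonce": nonce,
                        "merkle_root": root, "hash": dsha256(header)[::-1].hex()}
    return None  # neither the extranonce nor the nonce space held a solution


if __name__ == "__main__":
    # Constructed sample data: a fake previous block hash and three fake txids.
    prev = bytes(32)
    txids = [bytes([i]) * 32 for i in (1, 2, 3)]
    # 0x2000ffff is an easy constructed target (about 1 in 256 headers qualify),
    # and a nonce limit of 100 makes extranonce bumps visible in the result.
    print(mine(prev, txids, 1600000000, 0x2000FFFF, range(1000), 100))
```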
Block time and mining difficulty
Block time is the period required to create the next block in a network. As mentioned above, the node who solves the computationally intensive task will be allowed to produce the next block. Therefore, block time is directly correlated to the amount of time it takes for a node to find a solution to the task. The Bitcoin protocol sets a target block time of 10 minutes, and attempts to achieve this by introducing a variable named mining difficulty. Mining difficulty refers to how difficult it is for the node to solve the computationally intensive task. If the network sets a high difficulty for the task, while miners have low computational power, which is often referred to as “hashrate”, it would statistically take longer for the nodes to get an answer for the task. If the difficulty is low, but miners have rather strong computational power, statistically, some nodes will be able to solve the task quickly. Therefore, the 10 minute target block time is achieved by constantly and automatically adjusting the mining difficulty according to how much computational power there is amongst the nodes. The average block time of the network is evaluated after a certain number of blocks, and if it is greater than the expected block time, the difficulty level will decrease; if it is less than the expected block time, the difficulty level will increase.
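The retarget rule described above, as an added example (not Bitcoin Core's code, though it follows the same arithmetic): the target is rescaled by the ratio of the actual to the expected two-week timespan, clamped to a factor of four per period, and never allowed to become easier than the mainnet proof-of-work limit. The scenario timestamps are constructed.

```python
# Bitcoin mainnet constants; the difficulty-1 target is the "bits" value 0x1d00ffff.
POW_LIMIT = 0xFFFF << 208
RETARGET_INTERVAL = 2016                                  # blocks between adjustments
TARGET_SPACING = 600                                      # 10 minutes, in seconds
EXPECTED_TIMESPAN = RETARGET_INTERVAL * TARGET_SPACING    # two weeks


def bits_to_target(bits: int) -> int:
    """Decode the compact 'bits' header field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def target_to_bits(target: int) -> int:
    """Encode a target back into compact form (3-byte mantissa, 1-byte exponent).
    A mantissa with its top bit set would read as negative, so shift one more
    byte, the same rule Bitcoin Core applies when producing compact targets."""
    size = (target.bit_length() + 7) // 8
    if size <= 3:
        mantissa = target << (8 * (3 - size))
    else:
        mantissa = target >> (8 * (size - 3))
    if mantissa & 0x00800000:
        mantissa >>= 8
        size += 1
    return (size << 24) | mantissa


def retarget(old_bits: int, first_block_time: int, last_block_time: int) -> int:
    """New 'bits' for the next period, given the timestamps bounding the period
    just finished. The timespan is clamped to [1/4, 4x] of two weeks, so one
    period can never move difficulty by more than a factor of four, and the
    target can never be easier than POW_LIMIT.
    Bitcoin Core measures from the first block of the period to its last (2015
    intervals); this example keeps the textbook two-week figure."""
    actual = last_block_time - first_block_time
    actual = max(EXPECTED_TIMESPAN // 4, min(actual, EXPECTED_TIMESPAN * 4))
    new_target = bits_to_target(old_bits) * actual // EXPECTED_TIMESPAN
    return target_to_bits(min(new_target, POW_LIMIT))


def difficulty(bits: int) -> float:
    """Conventional difficulty: how many times harder than the difficulty-1 target."""
    return POW_LIMIT / bits_to_target(bits)


if __name__ == "__main__":
    bits = 0x1D00FFFF
    # Constructed scenario: hashrate doubled, so 2016 blocks took one week, not two.
    # Difficulty doubles, and the same hashrate is back to 10-minute blocks.
    faster = retarget(bits, 0, EXPECTED_TIMESPAN // 2)
    print(hex(faster), difficulty(faster))
    # Hashrate then collapsed and the period took 12 weeks: the drop in difficulty
    # is capped at 4x per period, and here also by the proof-of-work limit.
    slower = retarget(faster, 0, 12 * 7 * 86400)
    print(hex(slower), difficulty(slower))
```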
What are orphan blocks?
In a PoW blockchain network, if the block time is too low, it would increase the likelihood of nodes producing orphan blocks, for which they would receive no reward. Orphan blocks are produced by nodes who solved the task but did not broadcast their results to the whole network the quickest due to network latency. It takes time for a message to travel through a network, and it is entirely possible for 2 nodes to complete the task and start to broadcast their results to the network at roughly the same time, while one’s messages are received by all other nodes earlier as the node has low latency. Imagine there is a network latency of 1 minute and a target block time of 2 minutes. A node could solve the task in around 1 minute but his message would take 1 minute to reach the rest of the nodes that are still working on the solution. While his message travels through the network, all the work done by all other nodes during that 1 minute, even if these nodes also complete the task, would go to waste. In this case, 50% of the computational power contributed to the network is wasted. The percentage of wasted computational power would proportionally decrease if the mining difficulty were higher, as it would statistically take longer for miners to complete the task. In other words, if the mining difficulty, and therefore targeted block time, is low, miners with powerful and often centralized mining facilities would get a higher chance of becoming the block producer, while the participation of weaker miners would be in vain. This introduces possible centralization and weakens the overall security of the network. However, given a limited amount of transactions that can be stored in a block, making the block time too long would decrease the number of transactions the network can process per second, negatively affecting network scalability.
3. Bitcoin’s additional features
Segregated Witness (SegWit)
Segregated Witness, often abbreviated as SegWit, is a protocol upgrade proposal that went live in August 2017. SegWit separates witness signatures from transaction-related data. Witness signatures in legacy Bitcoin blocks often take more than 50% of the block size. By removing witness signatures from the transaction block, this protocol upgrade effectively increases the number of transactions that can be stored in a single block, enabling the network to handle more transactions per second. As a result, SegWit increases the scalability of Nakamoto consensus-based blockchain networks like Bitcoin and Litecoin. SegWit also makes transactions cheaper. Since transaction fees are derived from how much data is being processed by the block producer, the more transactions that can be stored in a 1MB block, the cheaper individual transactions become. The legacy Bitcoin block has a block size limit of 1 megabyte, and any change on the block size would require a network hard-fork. On August 1st 2017, the first hard-fork occurred, leading to the creation of Bitcoin Cash (“BCH”), which introduced an 8 megabyte block size limit. Conversely, Segregated Witness was a soft-fork: it never changed the transaction block size limit of the network. Instead, it added an extended block with an upper limit of 3 megabytes, which contains solely witness signatures, to the 1 megabyte block that contains only transaction data. This new block type can be processed even by nodes that have not completed the SegWit protocol upgrade. Furthermore, the separation of witness signatures from transaction data solves the malleability issue with the original Bitcoin protocol. Without Segregated Witness, these signatures could be altered before the block is validated by miners.
Indeed, alterations can be done in such a way that if the system does a mathematical check, the signature would still be valid. However, since the values in the signature are changed, the two signatures would create vastly different hash values. For instance, if a witness signature states “6,” it has a mathematical value of 6, and would create a hash value of 12345. However, if the witness signature were changed to “06”, it would maintain a mathematical value of 6 while creating a (faulty) hash value of 67890. Since the mathematical values are the same, the altered signature remains a valid signature. This would create a bookkeeping issue, as transactions in Nakamoto consensus-based blockchain networks are documented with these hash values, or transaction IDs. Effectively, one can alter a transaction ID to a new one, and the new ID can still be valid. This can create many issues, as illustrated in the below example:
Alice sends Bob 1 BTC, and Bob sends Merchant Carol this 1 BTC for some goods.
Bob sends Carol this 1 BTC while the transaction from Alice to Bob is not yet validated. Carol sees this incoming transaction of 1 BTC to her, and immediately ships goods to Bob.
At the moment, the transaction from Alice to Bob is still not confirmed by the network, and Bob can change the witness signature, therefore changing this transaction ID from 12345 to 67890.
Now Carol will not receive her 1 BTC, as the network looks for transaction 12345 to ensure that Bob’s wallet balance is valid.
As this particular transaction ID changed from 12345 to 67890, the transaction from Bob to Carol will fail, and Bob will get his goods while still holding his BTC.
With the Segregated Witness upgrade, such instances can not happen again. This is because the witness signatures are moved outside of the transaction block into an extended block, and altering the witness signature won’t affect the transaction ID. Since the transaction malleability issue is fixed, Segregated Witness also enables the proper functioning of second-layer scalability solutions on the Bitcoin protocol, such as the Lightning Network.
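The “6 versus 06” point above, worked through on Bitcoin's actual transaction layout. This is an added example written for this page, not code from the original post or from Bitcoin Core; the signature values, keys and outpoint are constructed placeholders, and the signature is a real DER structure so the padded-integer trick and a strict-encoding check (in the spirit of BIP66) can both be shown.

```python
import hashlib
import struct

# Constructed placeholder values for this demo: not real keys, signatures or outputs.
R_VAL = int.from_bytes(b"r" * 32, "big")       # "r" of a pretend ECDSA signature
S_VAL = int.from_bytes(b"s" * 32, "big")       # "s" of the same signature
PUBKEY = b"\x02" + b"\x42" * 32                 # placeholder compressed public key
PREV_TXID = b"\x11" * 32                        # placeholder outpoint being spent
SCRIPT_PUBKEY = b"\x00\x14" + b"\x99" * 20      # placeholder P2WPKH output script

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, the hash behind txid and wtxid."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def varbytes(b: bytes) -> bytes:
    """CompactSize length prefix (lengths below 0xFD are enough here) plus data."""
    return bytes([len(b)]) + b

def der_int(value: int, pad: bool = False) -> bytes:
    """DER INTEGER. Minimal form adds 0x00 only when the top bit is set;
    pad=True inserts a superfluous 0x00, the "06 instead of 6" trick."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    if pad:
        raw = b"\x00" + raw
    return b"\x02" + bytes([len(raw)]) + raw

def der_sig(r: int, s: int, pad: bool = False) -> bytes:
    """DER SEQUENCE of (r, s) plus the SIGHASH_ALL byte, as found in a scriptSig."""
    body = der_int(r, pad) + der_int(s, pad)
    return b"\x30" + bytes([len(body)]) + body + b"\x01"

def der_is_minimal(sig: bytes) -> bool:
    """Strict-DER check in the spirit of BIP66: reject an INTEGER whose leading
    0x00 byte is not needed. Enforcing this closes the encoding malleability."""
    if len(sig) < 3 or sig[0] != 0x30 or sig[1] != len(sig) - 3:
        return False
    body, pos = sig[2:-1], 0
    for _ in range(2):
        if pos + 2 > len(body) or body[pos] != 0x02:
            return False
        length = body[pos + 1]
        val = body[pos + 2:pos + 2 + length]
        if length == 0 or len(val) != length:
            return False
        if length > 1 and val[0] == 0x00 and not val[1] & 0x80:
            return False  # leading zero was not required: non-minimal
        pos += 2 + length
    return pos == len(body)

def make_tx(sig: bytes, segwit: bool) -> dict:
    """One-input, one-output transaction. Legacy carries the signature in
    scriptSig; SegWit leaves scriptSig empty and puts it in the witness."""
    txin = {"prev_txid": PREV_TXID, "vout": 0, "sequence": 0xFFFFFFFF,
            "script_sig": b"" if segwit else varbytes(sig) + varbytes(PUBKEY),
            "witness": [sig, PUBKEY] if segwit else []}
    return {"version": 2, "inputs": [txin],
            "outputs": [(100_000_000, SCRIPT_PUBKEY)], "locktime": 0}

def serialize(tx: dict, with_witness: bool) -> bytes:
    """Standard serialization; BIP144 marker/flag and witness only on request."""
    has_witness = with_witness and any(i["witness"] for i in tx["inputs"])
    out = struct.pack("<i", tx["version"]) + (b"\x00\x01" if has_witness else b"")
    out += bytes([len(tx["inputs"])])
    for txin in tx["inputs"]:
        out += txin["prev_txid"][::-1] + struct.pack("<I", txin["vout"])
        out += varbytes(txin["script_sig"]) + struct.pack("<I", txin["sequence"])
    out += bytes([len(tx["outputs"])])
    for value, spk in tx["outputs"]:
        out += struct.pack("<q", value) + varbytes(spk)
    if has_witness:
        for txin in tx["inputs"]:
            out += bytes([len(txin["witness"])]) + b"".join(map(varbytes, txin["witness"]))
    return out + struct.pack("<I", tx["locktime"])

def txid(tx: dict) -> bytes:
    """txid never covers witness data: this is why SegWit fixes malleability."""
    return dsha256(serialize(tx, with_witness=False))[::-1]

def wtxid(tx: dict) -> bytes:
    """wtxid does cover the witness, so it still moves when a signature is re-encoded."""
    return dsha256(serialize(tx, with_witness=True))[::-1]

def malleability_demo() -> dict:
    """Re-encode the same signature with a padded integer and compare identifiers."""
    good, padded = der_sig(R_VAL, S_VAL), der_sig(R_VAL, S_VAL, pad=True)
    legacy = (make_tx(good, False), make_tx(padded, False))
    segwit = (make_tx(good, True), make_tx(padded, True))
    return {"legacy_txid_changed": txid(legacy[0]) != txid(legacy[1]),
            "segwit_txid_changed": txid(segwit[0]) != txid(segwit[1]),
            "segwit_wtxid_changed": wtxid(segwit[0]) != wtxid(segwit[1]),
            "padded_sig_rejected": der_is_minimal(good) and not der_is_minimal(padded)}
```

Running `malleability_demo()` shows the legacy txid changing while the SegWit txid stays fixed (only its wtxid moves), and the strict-DER check rejecting the padded encoding outright.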
Lightning Network is a second-layer micropayment solution for scalability. Specifically, Lightning Network aims to enable near-instant and low-cost payments between merchants and customers that wish to use bitcoins. Lightning Network was conceptualized in a whitepaper by Joseph Poon and Thaddeus Dryja in 2015. Since then, it has been implemented by multiple companies. The most prominent of them include Blockstream, Lightning Labs, and ACINQ. A list of curated resources relevant to Lightning Network can be found here. In the Lightning Network, if a customer wishes to transact with a merchant, both of them need to open a payment channel, which operates off the Bitcoin blockchain (i.e., off-chain vs. on-chain). None of the transaction details from this payment channel are recorded on the blockchain, and only when the channel is closed will the end result of both parties’ wallet balances be updated on the blockchain. The blockchain only serves as a settlement layer for Lightning transactions. Since all transactions done via the payment channel are conducted independently of the Nakamoto consensus, both parties involved do not need to wait for network confirmation of their transactions. Instead, the transacting parties pay transaction fees to Bitcoin miners only when they decide to close the channel. One limitation of the Lightning Network is that it requires a person to be online to receive transactions addressed to him. Another limitation in user experience is that one needs to lock up some funds every time he wishes to open a payment channel, and is only able to use those funds within the channel. However, this does not mean he needs to create new channels every time he wishes to transact with a different person on the Lightning Network.
If Alice wants to send money to Carol, but they do not have a payment channel open, they can ask Bob, who has payment channels open to both Alice and Carol, to help make that transaction. Alice will be able to send funds to Bob, and Bob to Carol. Hence, the number of “payment hubs” (i.e., Bob in the previous example) correlates with both the convenience and the usability of the Lightning Network for real-world applications.
Schnorr Signature upgrade proposal
Elliptic Curve Digital Signature Algorithm (“ECDSA”) signatures are used to sign transactions on the Bitcoin blockchain. However, many developers now advocate replacing ECDSA with Schnorr Signatures. Once Schnorr Signatures are implemented, multiple parties can collaborate in producing a signature that is valid for the sum of their public keys. This would primarily benefit network scalability. When several addresses send to a single address, each transfer requires its own signature. With Schnorr Signatures, all these signatures would be combined into one. As a result, the network would be able to store more transactions in a single block. The reduced size of signatures implies a reduced cost in transaction fees. The group of senders can split the transaction fee for that one group signature, instead of each paying for a personal signature individually. Schnorr Signatures also improve network privacy and token fungibility. A third-party observer will not be able to detect whether a user is sending a multi-signature transaction, since the signature will be in the same format as a single-signature transaction.
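The key-aggregation property described above, shown on secp256k1 with a textbook Schnorr scheme. This is an added example written for this page, not the original post's code and not BIP340 (which uses x-only keys and tagged hashes); the private keys 7, 11 and 13 are constructed demo values, and the naive key sum is used deliberately so the linearity is visible, with the comment noting why production schemes such as MuSig weight each key.

```python
import hashlib
import secrets

# secp256k1 domain parameters, the curve Bitcoin uses for both ECDSA and Schnorr
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; teaching code)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def encode(pt):
    """33-byte compressed point, used inside the challenge hash."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def challenge(R, pub, msg):
    """e = H(R || P || m). Hashing the public key in is what ties the
    signature to one specific (possibly aggregate) key."""
    digest = hashlib.sha256(encode(R) + encode(pub) + msg).digest()
    return int.from_bytes(digest, "big") % N

def pubkey(priv):
    return point_mul(priv, G)

def sign(priv, msg):
    """Single-signer textbook Schnorr: R = kG, s = k + e*x, signature (R, s)."""
    k = secrets.randbelow(N - 1) + 1
    R = point_mul(k, G)
    return (R, (k + challenge(R, pubkey(priv), msg) * priv) % N)

def verify(pub, msg, sig):
    """Accept iff s*G == R + e*P; the equation is linear in both s and P."""
    R, s = sig
    if R is None or not 0 < s < N:
        return False
    e = challenge(R, pub, msg)
    return point_mul(s, G) == point_add(R, point_mul(e, pub))

def aggregate_pubkey(pubs):
    """Naive aggregation P = P_1 + ... + P_n. Production schemes (MuSig) weight
    each key by a hash coefficient so no participant can pick a key that
    cancels the others; that is left out here to keep the linearity visible."""
    agg = None
    for p in pubs:
        agg = point_add(agg, p)
    return agg

def aggregate_sign(privs, msg):
    """Interactive multi-signer round: each party shares R_i, everyone uses
    R = sum R_i and the common challenge, each contributes s_i = k_i + e*x_i
    without revealing k_i or x_i, and s = sum s_i verifies under sum P_i."""
    nonces = [secrets.randbelow(N - 1) + 1 for _ in privs]
    R = aggregate_pubkey([point_mul(k, G) for k in nonces])
    agg = aggregate_pubkey([pubkey(x) for x in privs])
    e = challenge(R, agg, msg)
    return agg, (R, sum(k + e * x for k, x in zip(nonces, privs)) % N)

def demo():
    """Three signers with constructed private keys (7, 11, 13) co-sign one message."""
    msg = b"pay 1 BTC to Carol"
    agg, sig = aggregate_sign([7, 11, 13], msg)
    return {"aggregate_verifies": verify(agg, msg, sig),
            "single_key_rejects": not verify(pubkey(7), msg, sig),
            "other_message_rejects": not verify(agg, b"pay 2 BTC to Carol", sig)}
```

The one (R, s) pair returned by `aggregate_sign` is the same size as a single signature, which is the block-space saving the text describes; an observer verifying it cannot tell how many signers were involved.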
4. Economics and supply distribution
The Bitcoin protocol utilizes the Nakamoto consensus, and nodes validate blocks via Proof-of-Work mining. The bitcoin token was not pre-mined, and has a maximum supply of 21 million. The initial reward for a block was 50 BTC per block. Block mining rewards halve every 210,000 blocks. Since the average time for block production on the blockchain is 10 minutes, it implies that the block reward halving events will approximately take place every 4 years. As of May 12th 2020, the block mining rewards are 6.25 BTC per block. Transaction fees also represent a minor revenue stream for miners.
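The halving arithmetic above, carried through in code as an added example (not from the original post). The constants are Bitcoin's published parameters; the integer right-shift mirrors how Bitcoin Core computes the subsidy, and the satoshi-level rounding it causes is why the total lands just under 21 million BTC.

```python
HALVING_INTERVAL = 210_000          # blocks between halvings
INITIAL_SUBSIDY = 50 * 100_000_000  # 50 BTC, in satoshis
BLOCK_TIME_MINUTES = 10             # target block interval

def block_subsidy(height: int) -> int:
    """Subsidy in satoshis at a given height, mirroring Bitcoin Core's
    GetBlockSubsidy: one integer right-shift per halving, zero after 64 halvings."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else INITIAL_SUBSIDY >> halvings

def total_supply_sats() -> int:
    """Sum every era's subsidy until the shift rounds it down to zero.
    Satoshi-level rounding is why the total is slightly below 21,000,000 BTC."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total

def years_per_halving() -> float:
    """210,000 blocks at ten minutes each, expressed in years (about 4)."""
    return HALVING_INTERVAL * BLOCK_TIME_MINUTES / (60 * 24 * 365.25)

def halving_schedule(eras: int) -> list:
    """(start height, subsidy in BTC) for the first `eras` reward eras."""
    return [(i * HALVING_INTERVAL, block_subsidy(i * HALVING_INTERVAL) / 1e8)
            for i in range(eras)]

if __name__ == "__main__":
    for height, btc in halving_schedule(5):
        print(f"from block {height:>9,}: {btc} BTC per block")
    print(total_supply_sats() / 1e8, "BTC in total;",
          round(years_per_halving(), 2), "years per halving")
```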
A Question for those knowledgeable about Quantum Computing
If we hypothetically had quantum computers that were more capable than currently possible, how exactly would they go about trying to crack a private key? As in, what sort of algorithm would be used? Would it be a simple brute force algo, but possible due to the immense IPS of the QC? I believe that in order for it to work effectively, it would need one qubit per bit being attacked. I may be incorrect. If I am correct, what are you comparing qubits against? Do you need 256 qubits because that's the strength of SHA-256? Do you need 256 qubits because that's the number of bits in a bitcoin private key (assuming you're attacking BTC)? Do you need 160 bits because a BTC address is a 160-bit hash? Finally, let's say that you implement multisig to delay quantum attackers. Let's say that you set up a 2 of 3 wallet, so you need two private keys in order to access funds. Does that only double the amount of time required to crack the wallet (find private key 1, then find private key 2)? I assume that's the case, and that it isn't increasing the complexity of cracking the wallet exponentially, i.e., something like near-impossible^near-impossible. Otherwise, a complex multisig might be a way to help increase quantum resistance. I understand a few basics, including some rudimentary math and computer science, but as you can see from all the questions above, I have a great deal to learn.
I was going through old emails today and came across this one I sent out to family on January 4, 2018. It was a reflection on the 2017 crypto bull market and where I saw it heading, as well as some general advice on crypto, investment, and being safe about how you handle yourself in cryptoland. I feel that we are on the cusp of a new bull market right now, so I thought that I would put this out for at least a few people to see *before* the next bull run, not after. While the details have changed, I don't see a thing in this email that I fundamentally wouldn't say again, although I'd also probably insist that people get a Yubikey and use that for all 2FA where it is supported. Happy reading, and sorry for some of the formatting weirdness -- I cleaned it up pretty well from the original email formatting, but I love lists and indents and Reddit has limitations... :-/ Also, don't laugh at my token picks from January 2018! It was a long time ago and (luckily) I took my own advice about moving a bunch into USD shortly after I sent this. I didn't hit the top, and I came back in too early in the summer of 2018, but I got lucky in many respects. ----------------------------------------------------------------------- Jan-4, 2018 Hey all! I woke up this morning to ETH at a solid $1000 and decided to put some thoughts together on what I think crypto has done and what I think it will do. *******, if you could share this to your kids I’d appreciate it -- I don’t have e-mail addresses, and it’s a bit unwieldy for FB Messenger… Hopefully they’ll at least find it thought-provoking. If not, they can use it as further evidence that I’m a nutjob. 😉 Some history before I head into the future. I first mined some BTC in 2011 or 2012 (Can’t remember exactly, but it was around the Christmas holidays when I started because I had time off from work to get it set up and running.)
I kept it up through the start of summer in 2012, but stopped because it made my PC run hot and as it was no longer winter, ********** didn’t appreciate the sound of the fans blowing that hot air into the room any more. I’ve always said that the first BTC I mined was at $1, but looking back at it now, that’s not true – It was around $2. Here’s a link to BTC price history. In the summer of 2013 I got a new PC and moved my programs and files over before scrapping the old one. I hadn’t touched my BTC mining folder for a year then, and I didn’t even think about salvaging those wallet files. They are now gone forever, including the 9-10BTC that were in them. While I can intellectually justify the loss, it was sloppy and underlines a key thing about cryptocurrency that I believe will limit its widespread adoption by the general public until it is addressed and solved: In cryptoland, you are your own bank, and if you lose your password or account number, there is no person or organization that can help you reset it so that you can get access back. Your money is gone forever. On April 12, 2014 I bought my first BTC through Coinbase. BTC had spiked to $1000 and been in the news, at least in Japan. This made me remember my old wallet and freak out for a couple of months trying to find it and reclaim the coins. I then FOMO’d (“Fear Of Missing Out”) and bought $100 worth of BTC. I was actually very lucky in my timing and bought at around $430. Even so, except for a brief 50% swing up almost immediately afterwards that made me check prices 5 times a day, BTC fell below my purchase price by the end of September and I didn’t get back to even until the end of 2015. In May 2015 I bought my first ETH at around $1. I sent some guy on bitcointalk ~$100 worth of BTC and he sent me 100 ETH – all on trust because the amounts were small and this was a small group of people. BTC was down in the $250 range at that point, so I had lost 30-40% of my initial investment.
This was of the $100 invested, so not that much in real terms, but huge in percentages. It also meant that I had to buy another $100 of BTC on Coinbase to send to this guy. A few months after I purchased my ETH, BTC had doubled and ETH had gone down to $0.50, halving the value of my ETH holdings. I was even on the first BTC purchase finally, but was now down 50% on the ETH I had bought. The good news was that this made me start to look at things more seriously. Where I had skimmed white papers and gotten a superficial understanding of the technology before FOMO’ing, I started to act as an investor, not a speculator. Let me define how I see those two different types of activity:
Investors buy because the price is less than the value they see in the investment. Speculators buy because they think that someone will pay more in the future than they are paying now.
Investors trade on information (The white paper was really well-written, had a clear technical advantage over other alternatives, and addresses a need that I can understand and value.) Speculators trade on sentiment. (Buy the rumor! Sell the news!)
Investors usually look at the investment and themselves and can describe why they purchase in those terms (ABC-Coin provides (service) that isn’t addressed yet and matches (requirements) for an investment.) Speculators usually describe why they bought something in terms of how other people think (I think that other people think that the price will rise, so I want to get ahead of that.)
Investors don’t necessarily check the price every day. They can, and very often I do, but it isn’t required because fundamentals don’t often change on a dime. Speculators need to be glued to a price feed, because sentiment very often changes on a dime.
Investors like ideas, people, business plans, and market opportunities. Good ones are like Spock. Speculators like trends. They are tribal.
Investors have a longer time horizon than speculators. In cryptoland, the notion of a “longer” time horizon is still laughably small (months) compared to traditional markets, but it certainly isn’t weeks or days or hours, which is where speculators often live.
So what has been my experience as an investor? After sitting out the rest of 2015 because I needed to understand the market better, I bought into ETH quite heavily, with my initial big purchases being in March-April of 2016. Those purchases were in the $11-$14 range. ETH, of course, dropped immediately to under $10, then came back and bounced around my purchase range for a while until December of 2016, when I purchased a lot more at around $8. I also purchased my first ICO in August of 2016, HEAT. I bought 25ETH worth. Those tokens are now worth about half of their ICO price, so about 12.5ETH or $12500 instead of the $25000 they would be worth if I had just kept ETH. There are some other things with HEAT that mean I’ve done quite a bit better than those numbers would suggest, but the fact is that the single best thing I could have done is to hold ETH and not spend the effort/time/cost of working with HEAT. That holds true for about every top-25 token on the market when compared to ETH. It certainly holds true for the many, many tokens I tried to trade in Q1-Q2 of 2017. In almost every single case I would have done better and slept better had I just held ETH instead of trying to be smarter than Mr. Market. But, I made money on all of them except one because the crypto market went up more in USD terms than any individual coin went down in ETH or BTC terms. This underlines something that I read somewhere and that I take to heart: A rising market makes everyone seem like a genius. A monkey throwing darts at a list of the top 100 cryptocurrencies last year would have doubled his money. Here’s a chart from September that shows 2017 year-to-date returns for the top 10 cryptocurrencies, and all of them went up a *lot* more between then and December. A monkey throwing darts at this list there would have quintupled his money. When evaluating performance, then, you have to beat the monkey, and preferably you should try to beat a Wall Street monkey. 
I couldn’t, so I stopped trying around July 2017. My benchmark was the BLX, a DAA (Digital Asset Array – think fund like a Fidelity fund) created by ICONOMI. I wasn’t even close to beating the BLX returns, so I did several things.
I went from holding about 25 different tokens to holding 10 now. More on that in a bit.
I used those funds to buy ETH and BLX. ETH has done crazy-good since then and BLX has beaten BTC handily, although it hasn’t done as well as ETH.
I used some of those funds to set up an arbitrage operation.
The arbitrage operation is why I kept the 11 tokens that I have now. All but a couple are used in an ETH/token pair for arbitrage, and each one of them except for one special case is part of BLX. Why did I do that? I did that because ICONOMI did a better job of picking long-term holds than I did, and in arbitrage the only speculative thing you must do is pick the pairs to trade. My pairs are (No particular order):
I also hold PLU, PLBT, and ART. These two are multi-year holds for me. I have not purchased BTC once since my initial $200, except for a few cases where BTC was the only way to go to/from an altcoin that didn’t trade against ETH yet. Right now I hold about the same 0.3BTC that I held after my first $100 purchase, so I don’t really count it. Looking forward to this year, I am positioning myself as follows:
ETH will still be my core holding. It is the “deepest in the stack” crypto investment that I have. “Deep in the stack” is a programming term that gets at the idea that most software is built on other software. If you just think about your notebook, you have your OS, and programs run on that. But even inside the OS there is a stack. The bottom of your stack is the kernel, and on top of that are the drivers, protocols, and other layers that allow the programs to talk to the OS, the hard drive, the screen, the mouse, your printer, etc. You can change your mouse or printer easily. Changing things deeper in the stack becomes harder and harder. ETH is deep in the crypto stack, so is very hard to dislodge – Around 60 of the top 100 cryptocurrencies by market cap run on top of Ethereum, so getting rid of Ethereum is something that would take a long time to do.
DNT, QTUM, ZRX, and OMG are all, to varying degrees, “deep in the stack” tokens that, once established, will be very hard to dislodge.
That said, I am peeling away some of my holdings into USD right now, because big changes are afoot and they are going to cause market disruptions. I’m going to come right out and admit that this is speculative, but I’m also going to back it up with some non-speculative facts.
The SEC has been sending out hundreds of subpoenas to cryptocurrency organizations over the past 3-4 months. These subpoenas are simply asking for information and nobody has been charged with any crimes or misdoings, but it is clear that the SEC is getting together information so that they can begin to regulate cryptoland. When that happens, other countries will follow, and that means:
Some tokens will be deemed outright scams and people will be prosecuted.
Some tokens will be deemed securities and will be regulated.
Some tokens will not be deemed scams or securities and will continue as they have.
Looking at this, it is clear to me that the tokens that escape prosecution and regulation should do better, but the short-term impact will be brutal and ugly. It would not surprise me at all to see a 50% drop in overall market cap within Q1-Q2, with Q1 being more likely.
Cryptoland has always been a bit nuts, but it is more nuts now than I have ever seen it. Back in 2011-2014 it was a freaks-n-geeks show where people were all about the technology and I would sit around for a 3-day weekend installing a *nix VM on my Windows machine so that I could compile the most recent source and run a CUDA SHA-256 routine rather than thrash my CPU. If that doesn’t make sense to you, you wouldn’t have even thought about being involved.
Now, people see Bitcoin advertisements in their Facebook feed and think “I gotta get on the BTC train!” before going to Coinbase and buying some with a credit card. They don’t know anything about crypto, and they are getting eaten alive – It is no coincidence that BTC peaked after the Thanksgiving holidays when people sat around the table and Janice got Uncle Mike and Cousin Bob all excited as she talked about going to Cancun for Christmas because of her crypto winnings. Huge amounts of fiat got transferred from newbies to BTC whales during this period, and once the whales were done, BTC had dropped from $20,000 to $12,000. It’s now back at $15,000, but for people who bought at a higher level, this sucks. As a result many have moved from BTC to ETH, with the single biggest money flow in crypto in December being the BTC → ETH flow. As a result, it’s no coincidence that ETH is at all-time highs now. The thing is, though, that even most people that moved from BTC to ETH really have no idea what they are doing. They are acting on buzzwords and emotion. They are speculators and are going to get crushed.
The stock market is quite high right now, but people are starting to worry that it is too high and that we are going to enter into a period of inflation again. This has caused gold to go up a lot the last quarter and is likely also responsible a bit for the rise in cryptos. If this view is correct, then cryptos stay stronger than if that pressure wasn’t there. If wrong, then cryptos will swing down as money exits cryptoland for more traditional markets.
I am spending most of my time and money on the arbitrage effort. The nice thing about arbitrage is that it works as the markets go up, and it works as the markets go down. When markets are too volatile, however, arbitrage can get very messy and dangerous, with each trade generating a loss instead of a profit, so I am working right now to tune the algorithms to take into account rate-of-change and add in some circuit breaker triggers. Once this is done I will expand those operations.
I am getting much more serious about systems security.
I have a Nano Ledger and recommend that anyone with >$1000 of crypto have one. The Trezor is also supposed to be good, but I haven’t used it.
I will set up a dedicated *nix notebook that is used for nothing except my crypto work. All it takes is one keylogger to get on your PC/Mac and your crypto is gone. What is on your Nano Ledger will be OK, but they will sweep out your exchange account or Coinbase account faster than you can type. A standard Linux installation with Chrome and nothing else is about as secure as you can get in the civilian world.
If you don’t use LastPass or a similar password manager yet, you need to do that. Your password to LastPass should be at least 16 characters long and should not have a recognizable English word in it. If you think that “Iluvu4evah” is a secure password, you’re wrong.
Hackers know that “4”=”for” and “u”=”you”. Writing a script to substitute those in is trivial if they want to write the script, but it’s much easier for them to download one of the many, many programs out there that already do this.
If your password contains any string of numbers from anything that can be associated with you at any time in your life, it is insecure. Take those numbers out of the character count because they are an insignificant barrier to cracking your account.
The good news is that you probably won’t be targeted, but if you ever mention online that you are doing anything significant in crypto, that chance increased enormously.
*Never* talk with *anyone* about how much you have in crypto. You’ll notice that I haven’t here. There is no reason to tell even a family member how much you have unless you are sharing a tax form. Sure, you may trust them, but all it takes is for someone to overhear someone else mention at a party that a relative got into crypto a long time ago and made a bunch of money. That person can also then be subjected to the $10 hack and force you to send all your crypto to them.
Your password to LastPass (Or equivalent.) should look something like this -> 6k0jQMoziX&D#4W8
Yes, it’s a headache. Imagine your headache, though, were you to open your account one day and find all of your money gone.
Looking at my notes, I have two other things that I wanted to work into this email that I didn’t get to, so here they are:
Just like with free apps and other software, if you are getting something of value and you didn’t pay anything for it, you need to ask why this is. With apps, the phrase is “If you didn’t pay for the product, you are the product”, and this works for things such as pump groups, tips, and even technical analysis. Here’s how I see it.
Technical analysis (TA) is something that has been argued about for longer than I’ve been alive, but I think that it falls into the same boat. In short, TA argues that there are patterns in trading that can be read and acted upon to signal when one must buy or sell. It has been used forever in the stock and foreign exchange markets, and people use it in crypto as well. Let’s break down these assumptions a bit.
i. First, if crypto were like the stock or forex markets we’d all be happy with 5-7% gains per year rather than easily seeing that in a day. For TA to work the same way in crypto as it does in stocks and foreign exchange, the signals would have to be *much* stronger and faster-reacting than they are in the traditional market, but people use them in exactly the same way.
ii. Another area where crypto is very different than the stock and forex markets centers around market efficiency theory. This theory says that markets are efficient and that the price reflects all the available information at any given time. This is why gold in New York is similar in price to gold in London or Shanghai, and why arbitrage margins are easily <0.1% in those markets compared to cryptoland where I can easily get 10x that. Crypto simply has too much speculation and not enough professional traders in it yet to operate as an efficient market. That fundamentally changes the way that the market behaves and should make any TA patterns from traditional markets irrelevant in crypto.
iii. There are services, both free and paid, that claim to put out signals based on TA for when one should buy and sell. If you think for even a second that they are not front-running (Placing orders ahead of yours to profit.) you and the other people using the service, you’re naïve.
iv. Likewise, if you don’t think that there are people that have put together computerized systems to get ahead of people doing manual TA, you’re naïve. The guys that I have programming my arbitrage bots have offered to build me a TA bot and set up a service to sell signals once our position is taken. I said no, but I am sure that they will do it themselves or sell that to someone else. Basically they look at TA as a tip machine where when a certain pattern is seen, people act on that “tip”. They use software to see that “tip” faster and take a position on it so that when slower participants come in they either have to sell lower or buy higher than the TA bot did. Remember, if you are getting a tip for free, you’re the product. In TA I see a system where people are all acting on free preset “tips” and getting played by the more sophisticated market participants. Again, you have to beat that Wall Street monkey.
If you still don’t agree that TA is bogus, think about it this way: If TA was real, Wall Street would have figured it out decades ago and we would have TA funds that would be beating the market. We don’t.
If you still don’t agree that TA is bogus and think that it’s real and well proven, then you must think that all smart traders use it. Now follow that logic forward and think about what would happen if every smart trader pushing big money followed TA. The signals would only last for a split second and would then be overwhelmed by people acting on them, making them impossible to leverage. This is essentially what the efficient market theory postulates for all information, including TA.
OK, the one last item. Read this weekly newsletter – You can sign up at the bottom. It is free, so they’re selling something, right? 😉 From what I can tell, though, Evan is a straight-up guy who posts links and almost zero editorial comments. Happy 2018.
In the past weeks I have heard a lot of pros and cons about IOTA, many of which I believe were not true (I'll explain better below). I would like to start a serious discussion about IOTA and help people get into it. Before that I'll contribute with what I know; most things that I say will have a source link providing some base content.
The pros and cons that I heard a lot are listed below; I'll discuss the items marked with *. Pros
Many users claim that the network scales infinitely, and that the more transactions there are on the network, the faster it gets. This is not entirely true, which is why we are seeing the network getting congested (pending transactions) at the moment (12/2017). The network is composed of full-nodes (which store all transactions); each full-node is capable of sending transactions directly to the tangle. An arbitrary user can set up a light-node (which does not store all transactions, and is therefore smaller), but as it does not store all transactions and can't decide if there are conflicting transactions (and other stuff), it needs to connect to a full-node (the Bitfinex node, for example) and request that the full-node send a transaction to the tangle. The full-node acts like a bridge for a light-node user; the quantity of transactions that a full-node can push to the tangle at the same time is limited by its bandwidth. What happens at the moment is that there are few full-nodes, but more important than that: the majority of users are basically connected to the same full-node. The full-node being used can't handle all the transactions requested by the light-nodes because of its bandwidth. If you are a light-node user and are experiencing slow transactions, you need to manually select another node to get better performance. Also, you need to verify that the minimum weight magnitude (the difficulty of the Hashcash Proof of Work) is set to at least 14. The network seems to be fine and it scales, but the steps a user has to make/know are not user-friendly at all. It's necessary to understand that the technology involved is relatively new and still in early development. Do not buy IOTA if you haven't read about the technology; there is a high chance of you losing your tokens for various reasons, and it will be your own fault. You can learn more about how IOTA works here.
There are some upcoming solutions that will bring the user experience to a new level: the UCL Wallet (expected to be released this month; I will talk soon about that and how it will help the network) and the Nelson CarrIOTA (this week), besides the official implementations to come in December.
We all know that currently (2017) IOTA depends on the coordinator because the network is still in its infancy, and because of that it is considered centralized by the majority of users. The coordinator is several full-nodes scattered across the world, run by the IOTA foundation. It creates periodic Milestones (zero-value transactions which reference valid transactions) which are validated by the entire network. The coordinator sets the general direction for the tangle's growth. Every node verifies that the coordinator is not breaking consensus rules by creating iotas out of thin air or approving double-spends; nodes only tell other nodes about transactions that are valid, so if the Coordinator starts issuing bad Milestones, nodes will reject them. The coordinator has been optional since summer 2017: you can choose not to implement it in your full-node, and any talented programmer could replace the Coo logic in IRI with Random Walk Monte Carlo logic and go without its milestones right now. A new kind of distributed coordinator is about to come and then, finally, its complete removal. You can read more about the coordinator here and here.
These are blockchain-based cryptocurrencies (Bitcoin) that have miners to guarantee their security. Satoshi Nakamoto states several times in the Bitcoin whitepaper that "The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes". We can see on Blockchain.info that nowadays half of the total hashpower in Bitcoin is controlled by 3 companies (maybe only 1 in the future?). Users must trust that these companies will behave honestly and will not eventually use their >50% hashpower to attack the network. With all that said, it's reasonable to consider the IOTA network more decentralized (even with the coordinator) than any mining-blockchain-based cryptocurrency. You can see a comparison between DAG cryptocurrencies here.
Some partnerships of the IOTA foundation with big companies were well known even before they were officially published. A few examples of confirmed partnerships are listed below; other confirmed partnerships can be seen in the link Partnerships with big companies in the pros section.
So what's up with all the alarm in social media about the IOTA Foundation faking partnerships with big companies like Microsoft and Cisco? On Nov. 28th the IOTA Foundation announced the Data Marketplace with 30+ companies participating. Basically it's a place for any entity to sell data (huge applications, therefore many companies are interested); at the time of writing (11/12/2017) there is no API for common users, and only companies in touch with the IOTA Foundation can test it. A quote from Omkar Naik (a Microsoft employee) depicted in the Data Marketplace blog post gave the idea that Microsoft was in a direct partnership with IOTA. Several news websites started writing headlines like "Microsoft and IOTA launches" (the same news site later claimed that IOTA lied about a partnership with Microsoft), when instead Microsoft was just one of the many participants in the Data Marketplace. Even though it's not a direct partnership, IOTA and Microsoft are in close touch, as seen in the IOTA Microsoft and Bosch meetup on December 12th, the Microsoft IOTA meetup in Paris on the 14th, and Microsoft Azure adds 5 new Blockchain partners (May 2016). If you join the IOTA Slack channel you'll find out that there are many other big companies in close touch with IOTA, like BMW, Tesla and others. This means that right now there are IOTA devs working directly with scientists at these companies to help them integrate IOTA into their developments, even though no direct partnership has been published. I'll talk more about the use cases soon.
We are excited to partner with IOTA foundation and proud to be associated with its new data marketplace initiative... - Omkar Naik
IOTA's use cases
Every cryptocurrency is capable of being a way to exchange goods: you pay for something using the coin token and receive the product. Some of them are more popular or have faster transactions or anonymity, while others offer better scalability or user-friendliness. But none of them (except IOTA) are capable of transacting information with no costs (fee-less transactions), in a secure form (MAM), while being sure that the network will not be harmed when it gets more adopted (scales). These characteristics open the gates for several real world applications; you have probably heard of Big Data and how important data is nowadays.
Data sets grow rapidly - in part because they are increasingly gathered by cheap and numerous information-sensing Internet of things devices such as mobile devices, aerial (remote sensing), software logs, cameras, microphones, radio-frequency identification (RFID) readers and wireless sensor networks.
It’s just the beginning of the data period. Data is going to be so important for human life in the future. So we are now just starting. We are a big data company, but compared to tomorrow, we are nothing. - Jack Ma (Alibaba)
There are enormous quantities of wasted data, often over 99% is lost to the void, that could potentially contain extremely valuable information if allowed to flow freely in data streams that create an open and decentralized data lake accessible to any compensating party. Some of the biggest corporations of the world are purely digital, like Google, Facebook and Amazon. The data/information market will be huge in the future and that's why there are so many companies interested in what IOTA can offer. There are several real world use cases being developed at the moment; many of them, if successful, will revolutionize the world. You can check below a list of some of them.
Not having your wallet set up properly (min weight 14, etc.)
Problems that could be easily avoided with a better understanding of the network/wallet or with a better wallet that could handle these issues. As I explained before, some problems during the "congestion" of the network could be simply resolved if stuff were more user-friendly; this causes many users to store their iotas on exchanges, which is not safe either. The upcoming (Dec 2017) UCL Wallet will solve most of these problems. It will switch between nodes automatically and auto-reattach transactions, for example (besides other things). You can have a full overview of it here and here. Also, the upcoming Nelson CarrIOTA will help with automatic peer discovery so users can set up their nodes more easily.
IOTA Vulnerability issue
On Sept 7th 2017 a team from MIT reported a cryptographic issue in the hash function Curl. You can see the full response of IOTA members below.
Funds were never in danger, as the scenarios depicted in Neha's blog post were not practically possible and the arguments used in the blog post had no fundamentals; you can check all the history yourself in the responses. Later it was discovered that the whole of Neha Narula's team were involved in other concurrent cryptocurrency projects. Currently IOTA uses the relatively hardware-intensive NIST standard SHA-3/Keccak for crucial operations for maximal security. Curl is continuously being audited by more cryptographers and security experts. Recently the IOTA Foundation hired Cybercrypt, the world-leading lightweight cryptography and security company from Denmark, to take the Curl cryptography to its next maturation phase.
It took me a couple of days to gather the information presented; I wanted to make it easier for people who want to get into it. It might have some mistakes, so please correct me if I said something wrong. Here are some useful links for the community.
This is my IOTA donation address, in case someone wants to donate I will be very thankful. I truly believe in this project's potential. I9YGQVMWDYZBLHGKMTLBTAFBIQHGLYGSAGLJEZIV9OKWZSHIYRDSDPQQLTIEQEUSYZWUGGFHGQJLVYKOBWAYPTTGCX
This is a donation address, if you want to do the same you might pay attention to some important details:
Create a seed for only donation purposes.
Generate an address and publish it for everyone.
If you spend any iota you must attach a new address to the tangle and refresh your donation address published before to everyone.
If someone sends iota to your previous donation address after you have spent from it you will probably lose the funds that were sent to that specific address.
You can visualize how addresses work in IOTA here and here.
This happens because IOTA uses Winternitz one-time signatures to become quantum resistant. Every time you spend iota from an address, part of the private key of that specific address is revealed. This makes it easier for attackers to steal that address balance. Attackers can search for reused addresses on the tangle explorer and try to brute force the private key since they already know part of it.
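The reuse risk described above, as an added example that is not IOTA's code (a toy binary Winternitz scheme over SHA-256; IOTA's own parameters differ): signing reveals each hash chain at the message digit's position, and `exposed_fraction` shows how much of the secret chain material becomes recomputable by anyone after one, then two, signatures from the same key. All function names are mine.

```python
"""Toy Winternitz one-time signature (W-OTS) showing why a signing key
must not be reused. Added example, not IOTA's signing code; standard
library only. Real W-OTS variants append checksum digits so that a
single signature cannot be extended to another message; this toy omits
them to keep the exposure arithmetic visible.
"""
import hashlib
import secrets

W = 16          # Winternitz parameter: each message digit is a hex nibble 0..15
N_CHAINS = 64   # one hash chain per nibble of a SHA-256 digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(start: bytes, steps: int) -> bytes:
    """Apply H `steps` times: walking forward along a one-way hash chain."""
    for _ in range(steps):
        start = H(start)
    return start


def message_digits(message: bytes) -> list:
    """Split SHA-256(message) into 64 base-16 digits, one per chain."""
    return [int(c, 16) for c in hashlib.sha256(message).hexdigest()]


def keygen(seed: bytes = None):
    """Private key = 64 chain starts derived from a seed; public key = chain ends."""
    seed = seed or secrets.token_bytes(32)
    sk = [H(seed + i.to_bytes(2, "big")) for i in range(N_CHAINS)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk


def sign(sk: list, message: bytes) -> list:
    """Signature element i is chain i advanced to position m_i (the digit)."""
    return [chain(sk[i], d) for i, d in enumerate(message_digits(message))]


def verify(pk: list, message: bytes, sig: list) -> bool:
    """Walk each element the remaining W-1-m_i steps; it must land on pk_i."""
    digits = message_digits(message)
    return all(chain(sig[i], W - 1 - d) == pk[i] for i, d in enumerate(digits))


def revealed_positions(published: list) -> list:
    """Lowest chain position made public per chain by the published
    (message, signature) pairs; every higher position follows by hashing."""
    lowest = [W - 1] * N_CHAINS            # the public key itself is position W-1
    for message, _sig in published:
        for i, d in enumerate(message_digits(message)):
            lowest[i] = min(lowest[i], d)
    return lowest


def exposed_fraction(published: list) -> float:
    """Share of the secret chain states (positions 0..W-2) that anyone can
    now recompute from the published signatures alone."""
    lowest = revealed_positions(published)
    return sum(W - 1 - p for p in lowest) / (N_CHAINS * (W - 1))


def derivable_without_key(published: list, message: bytes) -> bool:
    """True if a valid signature on `message` could be assembled purely from
    already-published chain values, i.e. the private key is no longer needed."""
    lowest = revealed_positions(published)
    return all(d >= lowest[i] for i, d in enumerate(message_digits(message)))


if __name__ == "__main__":
    sk, pk = keygen()
    first = (b"spend 1 from this address", sign(sk, b"spend 1 from this address"))
    second = (b"spend 2 from this address", sign(sk, b"spend 2 from this address"))
    print("one signature exposes", round(exposed_fraction([first]), 3))
    print("two signatures expose", round(exposed_fraction([first, second]), 3))
```

With one signature roughly half of each chain is already public; every further spend from the same address only lowers the floor, which is the reason the advice above is to move to a fresh address after spending.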
Last updated: May 30, 2018: Updated wallet info with release of Trinity. This 4 part series from the IOTA foundation covers most of the technical FUD centered at IOTA. https://blog.iota.org/official-iota-foundation-response-to-the-digital-currency-initiative-at-the-mit-media-lab-part-1-72434583a2 Also the official IOTA faq on iota.org answers nearly all of these questions if you want to hear the answers directly.
Purpose of Writing
Since posting FUD is so ridiculously low-effort in comparison to setting the record straight, I felt it necessary to put a log of copy-pastas together to balance the scales so it's just as easy to answer the FUD as it was to generate it. So next time you hear someone say "IOTA is centralized", you no longer have to take an hour out of your day and spin your wheels with someone who likely had an agenda to begin with. You just copy-paste away and move on. It's also worth mentioning IOTA devs are too damn busy working on the protocol and doing their job to answer FUD. So I felt a semblance of responsibility. Here they are. These answers are to my understanding so if you see something that doesn't look right let me know! They are divided into the following categories so if you are interested in a specific aspect of IOTA you can scroll to that section.
1) WALLET
2) COMMUNITY
3) INVESTING
4) TECHNICAL
IOTA was hacked and users funds were stolen!
First, IOTA was not hacked. The term "hacked" is thrown around way too brazenly nowadays and often used to describe events that weren't hacks to begin with. It's a symptom of this space growing way too fast, creating situations of the blind leading the blind and causing hysteria.
What happened: Many IOTA users trusted a certain 3rd party website to create their seed for their wallets. This website silently sent copies of all the seeds generated to an email address and waited till it felt it had enough funds, then it took everyone's money simultaneously. That was the "hack". https://blog.iota.org/the-secret-to-security-is-secrecy-d32b5b7f25ef
The lesson: The absolute #1 marketed feature of crypto is that you are your own bank. Of everything that is common knowledge about crypto, this is at the top. But being your own bank means you are responsible for the security of your own funds. There is no safety net or centralized system in place that is going to bail you out. For those that don't know (and you really should if you've invested in anything crypto), your seed is your username-pw-security question-backup email all rolled into one. Would you trust a no-name 3rd party website to produce your username+pw for your bank account? Because that's essentially what users did.
The fix: Make your seed offline with the generators in the sidebar or use dice. This is outlined in the "how to generate wallet and seed" directly following. The trinity and carriota wallets will have seed generators within them upon their release.
How to generate wallet and seed
1) Download the official Trinity wallet here
2) Follow the instructions on the app.
3) Do not run any apps in conjunction with the Trinity app. Make sure all other apps are completely closed out on your device.
Are you sure a computer can’t just guess my seed?
An IOTA seed is 81 characters long. There are more IOTA seed combinations than atoms in the universe. All the computers in the world combined would take millions of billions of years just to find your randomly generated one that's located somewhere between the 0th and the 27^81st combination. The chance for someone to randomly generate the exact same seed as yours is 1 / (27^81). If you can't fathom the number 27^81, this video should help: https://www.youtube.com/watch?v=p8YIdmwcubc
Download Bolero and run! Bolero is an all-in-one full node install package with the latest IOTA IRI and Nelson all under a one-click install! https://github.com/SemkoDev/bolero.fun/releases "If you want to help the network then spam the network. If you really want to help the network then create a full node and let others spam you!"
No questions or concerns get upvoted, only downvoted!
That's just the nature of this business. Everyone in these communities has money at stake and is extremely incentivized to keep only positive news at the top of the front page. There is nothing you're going to do about that on this subreddit or any crypto subreddit. It's just a reddit fact of life we have to deal with. Everyone has a downvote and everyone has an upvote. But what can be done is simply to answer the questions even if they are downvoted to hell. Yeah, most people won't see the answers or discussion, but that one person will. Every little bit counts. I will say that there are most certainly answers to nearly every FUD topic out there. Every single one. A lot of the posts I'm seeing as of late, especially since the price spike, are rehashed from months ago. They are often not answered, not because there isn't an answer/explanation, but because regulars who have the answers simply don't see them (for the reason listed above). I can see how it's easy for this to be interpreted (especially by new users) as there not being an answer or "the FUDsters are on to something", but that's just not the case.
IOTA Devs do not respond appropriately to criticism
When critics provide feedback that is ACTUALLY useful to the devs, then sure, they'll be glad to hear it. So far not once has an outside dev brought up something that the IOTA devs found useful. Every single time it ends up being something that was already taken into consideration with the design, and if the critic did an ounce of research they would know that. Thus you often find the IOTA devs dismissing their opinion as FUD and responding with hostility, because all their critique is really doing is sending the message to their supporters that they are not supposed to like IOTA anymore. Nick Johnson was a perfect example of this. The Ethereum community was co-existing [peacefully] with IOTA's community (as they do with nearly all alt coins) until Nick wrote his infamous article. Then almost overnight Ethereum decided it didn't like IOTA anymore and we've been dealing with that shit since. As of today, add LTC to that list with Charlie's (even admitted) ignorant judgement of IOTA. 12/17/2017: Add John McAfee (bitcoin cash) and Peter Todd (bitcoin) to the list of public figures who have posted ignorantly on IOTA.
A lot of crypto communities certainly like to hate on IOTA...
IOTA is disrupting the disrupters. It invented a completely new distributed ledger infrastructure (the tangle) that replaces the blockchain and solves all of its fundamental problems (namely fees and scaling). To give you an idea of this significance, 99% of the cryptocurrencies that exist are built on a blockchain. These projects have billions of dollars invested into them, meaning everyone in their communities is incentivized to see IOTA fail and spread as much FUD about it as possible. This includes well known organizations, public figures, and brands. Everyone commenting in these subreddits and crypto communities has their own personal money at stake and skin in the game. Misinformation campaigns, paid reddit posters, upvote/downvote bots, and corrupt moderators are all very real in this space.
All IOTAs that will ever exist were sold at the ICO in 2015. There was no % reserved for development. Devs had to buy in with their personal money. Community donated back 5% of all IOTA so the IOTA foundation could be setup.
No inflation schedule? No additional coins? How is this sustainable?
Interestingly enough, IOTA is actually the only crypto that does not run into any problems with a currency cap and deflation. Because there are zero fees, you will always be able to pay for something for exactly what it's worth using IOTA, no matter how small the value. If by chance in the future a single iota grows so large in value that it no longer allows someone to pay for something in fractions of a penny, the foundation would just add decimal points allowing for a tenth or a hundredth or a thousandth of an iota to be transacted with. To give you some perspective, if a single IOTA equals 1 penny, IOTA would have a 27 trillion dollar market cap (100x that of Bitcoin's today).
IOTA is not for P2P, only for M2M
With the release of the trinity wallet, it's now dead simple for anyone to use IOTA funds for P2P. Try it out.
Companies technically don’t have to use the IOTA token
Yes they do. Worth clarifying that 0 iota data transactions are perfectly fine and are welcomed since they still provide pow for 2 other transactions and help secure the network. In the early stages, these types of transactions will probably be what give us the tps/pow needed to remove the coordinator and allow the network to defend against 34% attacks organically. But... if someone does not want to sell or exchange their data for free (0 IOTA transaction), then Dominic is saying that the IOTA token must be used for that or any exchange of value on the network. This is inherently healthy for the ecosystem since it provides a neutral and non-profit middle ground that all parties/companies can trust. If one company made their own token it wouldn't be trusted, since companies are incentivized by profits and nothing is stopping them from manipulating their token to make them more money. Thus, the IOTA foundation will not partner with anyone who refuses to take this option off the table.
All these companies are going to influence IOTA development!!
These companies have no influence on the development of IOTA. They either choose to use it or they don’t.
Internet of things is cheap and will stay cheap
Internet of things is one application of IOTA and considered by many to be the 4th industrial revolution. Go do some googling. IOTA having zero fees enables M2M for the first time in history. Also, if a crypto can do M2M it sure as shit can do M2P and P2P. M2M is hard mode.
Investing in a project in its early stages was something typically reserved for wealthy individuals/organizations before ICO’s became a thing. With early investing comes much less hand holding and more responsibility on the user to know what they are doing. If you have a hard time accepting this responsibility, don’t invest and wait for the technology to get easier for you. How many people actually knew how to use and mine bitcoin in 2009 before it had all its gui infrastructure? IOTA is a tangle, the first of its kind. NOT a copy paste blockchain. As a result wallets and applications for IOTA are the first of their kind and translating the tangle into a nice clean user-friendly blockchain experience for the masses is even more taxing.
Why is the price of my coin falling?!
This may be the most asked question on any crypto subreddit, but it's also the easiest to explain. The price typically falls when bad things happen to a coin or media fabricates bad news about a coin and a portion of investors take it seriously. The price increases when good things happen to a coin, such as a new exchange listing or a partnership announced, etc. The one piece that is often forgotten but trumps all these effects is something called "market forces". Market forces are what happens to your coin when another coin gets a big news hit or a group of other coins get big news hits together. For example, when the IOTA data marketplace was released, IOTA hit a x5 bull run in a single week. But did you notice all the other alt coins in the red? There are a LOT of traders that are looking at the space as a whole and looking to get in on ANY bull action and will sell their other coins to do so. This effect can also be compounded over a long period of time, such as what we witnessed when the bitcoin fork FOMO was going on and alt coins were squeezed continuously to feed it for weeks/months. These examples really just scratch the surface of market forces, but the big takeaway is that your coin or any coin will most certainly fall (or rise) in price as a result of what other coins are doing, with the most well known example being bitcoin's correlation to every coin on the market. If you don't want to play the market-force game or don't have time for it, then you can never go wrong buying and holding. It's also important to note that there are layers of investors. There's a top layer of light-stepping investors that are a mixture of day traders and gamblers trying to jump in and jump out to make quick money, then look for the next buying (or shorting) opportunity at another coin. There's a middle layer of buyers and holders who did their research, believe in the tech and are placing their bets that it will win out in the long run.
And the bottom layer are the founders and devs that are in it till the bitter end and there to see the vision realized. When a coin goes on a bull run, always expect that any day the top layer is going to pack up and leave for the next coin. But the long game is all about that middle layer. That is the layer that will be giving the bear markets their price-drop resistance. That is why the meme "HODL" is so effective: it very elegantly simplifies this whole concept for the common joe and makes them a part of that middle layer regardless of whether they understand what's going on or not.
How is IOTA free and how does it scale
IOTA is an altruistic system. Proof of work is done in IOTA just like bitcoin. Only a user’s device/phone must do pow for 2 other transactions before issuing one of its own. Therefore no miners and no fees. And the network becomes faster the more transactions are posted. Because of this, spamming the network is encouraged since they provide pow for 2 other transactions and speed up the network.
IOTA is centralized
IOTA is more decentralized than any blockchain crypto that relies on 5 pools of miners, all largely based in China. Furthermore, the coordinator is not a server in the dev's basement that secretly processes all the transactions. It's several nodes all around the globe that add milestone transactions to show the direction of the IF's tangle within the DAG so people don't accidentally follow a fork from a malicious actor. Anyone with the know-how can fork the tangle right now with a double-spend. But no one would follow their fork because the coordinator reveals which tangle is the legit IF one. If the coordinator wasn't there (assuming low honest-transaction volume), there would be no way to discern which path to follow, especially after the tangle diverges into forks of forks. Once the throughput of honest transactions is significant enough, the "honest tangle" will replace the coordinated one and people will know which one to follow simply because it's the biggest one in the room. Referencing the coordinator is also optional. Also, if you research and understand how IOTA intends to work without the coordinator, it's easier to accept it for now as training wheels. I suggest reading pg 15 and on of the white paper, which analyzes in great depth how the network will defend against different attack scenarios without a coordinator. For the past several months, the IOTA foundation has been using St Petersburg college's super computer to stress test IOTA and learn when they can turn the coordinator off. There will likely be a blog about the results soon.
This is another great read covering double spends on IOTA without a coordinator: www.tangleblog.com/2017/07/10/is-double-spending-possible-with-iota/ This too: http://www.reddit.com/Iota/comments/7eix4a/any_iota_guru_that_can_explain_what_this_guy_is/dq5ijrm Also this correspondence with Vitalik and Come_from_Beyond https://twitter.com/DavidSonstebo/status/932510087301779456 At the end of the day, outstanding claims require outstanding evidence and folks approaching IOTA with a “I’ll believe it when I see it” attitude is completely understandable. It’s all about your risk tolerance.
Masked authenticated messages exist right now so data can be transferred privately. Very important for businesses.
A centralized coin mixer that the foundation runs is out. Logs are kept so they can collect data and improve it. Folks can copy the coin mixer code and run it themselves. The goal is for the mixer to be decentralized and run by any node.
How do nodes scale? How on earth can all that data be stored?
Full nodes store, update and verify from the last snapshot, which happens roughly every month. It's on the roadmap to make snapshotting automatic and up to each full node's discretion. With automatic snapshots, each full node will act as a partial perma-node and choose when to snapshot its tangle data. If someone wants to keep their tangle data for several months or even years, they could just choose not to snapshot. Or if they are limited on hard drive space, they could snapshot every week. Perma-nodes would store the entire history of the tangle from the genesis. These are optional and would likely only be created by companies who wish to sell historical access to the tangle as a service or companies who heavily use the tangle for their own data and want to have quick, convenient access to their data's history. Swarm nodes are also in development, which will ease the burden on full nodes. https://blog.iota.org/iota-development-roadmap-74741f37ed01
Bitcoin mining is a bit more than just number crunching
The appeal of cryptocurrency, and the many questions observers raise about it, usually come down to two apparent concerns: how does it come into existence, and how does it circulate? The answer is straightforward. Bitcoins have to be mined for the currency to exist in the Bitcoin market. Bitcoin's mysterious creator, Satoshi Nakamoto, devised a way to exchange valuable currency online without the need for any central organization. For Bitcoin, the essential record of the entire transaction history is kept in an alternative way, managed in a decentralized manner. The ledger that makes this possible is called the "blockchain", and it features in most popular Bitcoin news. The blockchain grows every minute, living on the machines connected to the large Bitcoin network. People may question the validity, even the authenticity, of these transactions and their recording into the blockchain. This too is guaranteed, through the process of Bitcoin mining. Mining allows the creation of new bitcoins and the assembly of transactions into the ledger. Mining essentially involves solving complex mathematical computations, and miners use enormous computing power to solve them. The individual or 'pool' that solves the puzzle places the next block and wins a reward as well. And how does mining prevent double-spending? Roughly every 10 minutes, outstanding transactions are mined into a block, so any discrepancy or illegitimacy is rejected outright. For Bitcoin, mining is not meant in the conventional sense of the term: bitcoins are mined using cryptography, with a hash function known as "double SHA-256". But how hard is it to mine bitcoins? That is another question. It depends a lot on the effort and computing power put into mining.
Another aspect worth pointing out is the software protocol. Every 2016 blocks, the difficulty of mining bitcoins is adjusted automatically to keep the process in check, so that the rate of block generation stays constant. A Bitcoin difficulty chart is an ideal way to show mining difficulty over time. The difficulty level adjusts itself up or down in direct proportion to the computational power being added to or removed from the network. As the number of miners increases, the share of the rewards earned by each participant decreases; everyone ends up with smaller pieces of the rewards. Cryptocurrencies with their own economies and communities, such as Dogecoin, Namecoin or Peercoin, are called altcoins. These are alternatives to Bitcoin, and you can easily track your various cryptocurrencies with a reputable portfolio tracker. Much like Bitcoin, these 'cousins' have a substantial following of enthusiasts eager to take a deep plunge into the big ocean and start mining them. The algorithms used for altcoin mining are either SHA-256 or Scrypt, and numerous other innovative algorithms exist too. Ease, price and simplicity can make it possible to mine altcoins on a PC or with special mining software. Altcoins are a bit more 'down to earth' than Bitcoin, yet turning them into big dollars is a little challenging. Cryptocurrency enthusiasts can only hope that a few of them will see similar huge popularity!
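An added example (not from the article) that makes the pieces above concrete: the double SHA-256 header hash, decoding the compact target, a toy nonce search against an easy target on a constructed header, and the every-2016-blocks retarget with its 4x clamp. The Bitcoin genesis block header is used as the self-check; all function names are mine.

```python
"""Bitcoin mining arithmetic: double SHA-256 over the 80-byte header, the
compact target, a toy nonce search and the 2016-block retarget.
Added example, not from the article; standard library only.
"""
import hashlib
import struct

EXPECTED_SPAN = 2016 * 600     # 2016 blocks at one per 10 minutes, in seconds
MAX_TARGET_BITS = 0x1D00FFFF   # the easiest (largest) target the protocol allows


def double_sha256(data: bytes) -> bytes:
    """The "double SHA-256" the article mentions: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Decode the compact 'bits' field (1-byte exponent, 3-byte mantissa)."""
    exponent, mantissa = bits >> 24, bits & 0xFFFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def serialize_header(version, prev_hash_hex, merkle_root_hex, time, bits, nonce) -> bytes:
    """80-byte header. Hashes are given in display (big-endian) hex but are
    stored byte-reversed; integers are little-endian."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + struct.pack("<III", time, bits, nonce))


def header_hash_hex(header: bytes) -> str:
    """Block hash as displayed in explorers (byte-reversed double SHA-256)."""
    return double_sha256(header)[::-1].hex()


def meets_target(header: bytes, bits: int) -> bool:
    """A block is valid when its hash, read as a little-endian integer,
    is at or below the target; a smaller target means a harder puzzle."""
    return int.from_bytes(double_sha256(header), "little") <= bits_to_target(bits)


def mine(version, prev, merkle, time, bits, max_nonce=2**32) -> int:
    """Brute-force the nonce field until the header meets the target."""
    for nonce in range(max_nonce):
        if meets_target(serialize_header(version, prev, merkle, time, bits, nonce), bits):
            return nonce
    raise RuntimeError("nonce space exhausted; a real miner would change the header")


def retarget(old_target: int, actual_span: int) -> int:
    """Target for the next 2016 blocks: scale by actual/expected elapsed time,
    with the change clamped to a factor of 4 in either direction and never
    easier than the protocol maximum."""
    actual_span = max(EXPECTED_SPAN // 4, min(actual_span, EXPECTED_SPAN * 4))
    new_target = old_target * actual_span // EXPECTED_SPAN
    return min(new_target, bits_to_target(MAX_TARGET_BITS))


# Bitcoin genesis block header fields (public values), used as a self-check.
GENESIS = dict(version=1, prev="00" * 32,
               merkle="4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
               time=1231006505, bits=0x1D00FFFF, nonce=2083236893)
GENESIS_HASH = "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f"

if __name__ == "__main__":
    g = serialize_header(GENESIS["version"], GENESIS["prev"], GENESIS["merkle"],
                         GENESIS["time"], GENESIS["bits"], GENESIS["nonce"])
    print("genesis hash ok:", header_hash_hex(g) == GENESIS_HASH)
    # Constructed header with the very easy regtest target (about 1 in 2 hashes pass).
    nonce = mine(1, "11" * 32, "22" * 32, 1700000000, 0x207FFFFF)
    print("toy block mined with nonce", nonce)
```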
Debunked: "We don't know what Satoshi's opinion was on big blocks or exactly how he expected the Bitcoin design to scale past VISA levels and be usable as money for the entire world"
If the final edition of the design paper itself was not enough to convince you of how Bitcoin is designed to scale, here are Satoshi's own less formal explanations.
Satoshi: Long before the network gets anywhere near as large as that, it would be safe for users to use Simplified Payment Verification (section 8) to check for double spending, which only requires having the chain of block headers, or about 12KB per day. Only people trying to create new coins would need to run network nodes. At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node. The bandwidth [required for running a network node] might not be as prohibitive as you think. A typical transaction would be about 400 bytes (ECC is nicely compact). Each transaction has to be broadcast twice, so let's say 1KB per transaction. Visa processed 37 billion transactions in FY2008, or an average of 100 million transactions per day. That many transactions would take 100GB of bandwidth, or the size of 12 DVD or 2 HD quality movies, or about $18 worth of bandwidth at current prices. If the network were to get that big, it would take several years, and by then, sending 2 HD movies over the Internet would probably not seem like a big deal.
The proof-of-work is a Hashcash style SHA-256 collision finding. It's a memoryless process where you do millions of hashes a second, with a small chance of finding one each time. The 3 or 4 fastest nodes' dominance would only be proportional to their share of the total CPU power. There will be transaction fees, so nodes will have an incentive to receive and include all the transactions they can.
The existing Visa credit card network processes about 15 million Internet purchases per day worldwide. Bitcoin can already scale much larger than that with existing hardware for a fraction of the cost. It never really hits a scale ceiling. If you’re interested, I can go over the ways it would cope with extreme size. By Moore’s Law, we can expect hardware speed to be 10 times faster in 5 years and 100 times faster in 10. Even if Bitcoin grows at crazy adoption rates, I think computer speeds will stay ahead of the number of transactions.
The current system where every user is a network node is not the intended configuration for large scale. That would be like every Usenet user runs their own NNTP server. The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms. The rest will be client nodes that only do transactions and don't generate.
While I don't think Bitcoin is practical for smaller micropayments right now, it will eventually be as storage and bandwidth costs continue to fall [on the global market]. If Bitcoin catches on on a big scale, it may already be the case by that time. Another way they can become more practical is if I implement the client-only mode [which uses the "Simplified Payment Verification" described in the design PDF] and the number of network nodes [more rapidly] consolidates into a smaller number of professional server farms. Whatever size micropayments you need will eventually be practical. I think in 5 or 10 years, the bandwidth and storage will seem trivial.
It would be nice to keep the blk*.dat files small as long as we can. The eventual solution will be to not care how big it gets. But for now, while it's still small, it's nice to keep it small so new users can get going faster. When I eventually implement client-only mode, that won't matter much anymore.
It can be phased in, like: if (blocknumber > 115000) maxblocksize = largerlimit It can start being in versions way ahead, so by the time it reaches that block number and goes into effect, the older versions that don't have it are already obsolete. When we're near the cutoff block number, I can put an alert to old versions to make sure they know they have to upgrade.
What's this? I don't make a Technical post for a month and now BitPay is censoring the Hong Kong Free Press? Shit I'm sorry, it's all my fault for not posting a Technical post regularly!! Now posting one so that we have a censorship-free Bitcoin universe! Pay-to-contract and sign-to-contract are actually cryptographic techniques to allow you to embed a commitment in a public key (pay-to-contract) or signature (sign-to-contract). This commitment can be revealed independently of the public key / signature without leaking your private key, and the existence of the commitment does not prevent you from using the public key / signature as a normal pubkey/signature for a normal digital signing algorithm. Both techniques utilize elliptic curve homomorphism. Let's digress into that a little first.
Elliptic Curve Homomorphism
Let's get an oversimplified view of the maths involved first. First, we have two "kinds" of things we can compute on.
One kind is "scalars". These are just very large single numbers. Traditionally represented by small letters.
The other kind is "points". These are just pairs of large numbers. Traditionally represented by large letters.
Now, an "Elliptic Curve" is just a special kind of curve with particular mathematical properties. I won't go into those properties, for the very reasonable reason that I don't actually understand them (I'm not a cryptographer, I only play one on reddit!). If you have an Elliptic Curve, and require that all points you work with are on some Elliptic Curve, then you can do these operations.
Add, subtract, multiply, and divide scalars. Remember, scalars are just very big numbers. So those basic mathematical operations still work on big numbers, they're just big numbers.
"Multiply" a scalar by a point, resulting in a point. This is written as a * B, where a is the scalar and B is a point. This is not just multiplying the scalar to the point coordinates, this is some special Elliptic Curve thing that I don't understand either.
"Add" two points together. This is written as A + B. Again, this is some special Elliptic Curve thing.
The important part is that if you have:
A = a * G
B = b * G
Q = A + B
q = a + b
Q = q * G
That is, if you add together two points that were each derived from multiplying an arbitrary scalar with the same point (G in the above), you get the same result as adding the scalars together first and then multiplying their sum with that same point. Or:
a * G + b * G = (a + b) * G
And because multiplication is just repeated addition, the same concept applies when multiplying:
a * (b * G) = (a * b) * G = (b * a) * G = b * (a * G)
Something to note in particular is that there are few operations on points. One operation that's missing is "dividing" a point by a point to yield a scalar. That is, if you have:
A = a * G
Then, if you know A but don't know the scalar a, you can't do the below:
a = A / G
You can't get a even if you know both the points A and G. In Elliptic Curve Cryptography, scalars are used as private keys, while points are used as public keys. This is particularly useful since if you have a private key (scalar), you can derive a public key (point) from it (by multiplying the scalar with a certain standard point, which we call the "generator point", traditionally G). But there is no reverse operation to get the private key from the public key.
Let's have another mild digression. Sometimes, you want to "commit" to something that you want to keep hidden for now. This is actually important in some games and so on. For example, if you are playing a game of Twenty Questions, one player must first write the object they are thinking of, then fold or hide it in such a way that what they wrote is not visible. Then, after the guessing player has asked twenty questions to narrow down what the object is and has revealed what he or she thinks the object being guessed was, the guessee reveals the object by unfolding and showing the paper. The act of writing down commits you to the specific thing you wrote down. Folding the paper and/or hiding it, err, hides what you wrote down. Later, when you unfold the paper, you reveal your commitment. The above is the analogy to the development of cryptographic commitments.
1. First you select some thing --- it could be anything, a song, a random number, a promise to deliver products and services, the real identity of Satoshi Nakamoto.
2. You commit to it by giving it as input to a one-way function. A one-way function is a function which allows you to get an output from an input, but after you perform that there is no way to reverse it and determine the original input knowing only the final output. Hash functions like SHA are traditionally used as one-way functions. As a one-way function, this hides your original input.
3. You give the commitment (the output of the one-way function given your original input) to whoever wants you to commit.
4. Later, when somebody demands to show what you committed to (for example after playing Twenty Questions), you reveal the commitment by giving the original input to the one-way function (i.e. the thing you selected in the first step, which was the thing you wanted to commit to).
5. Whoever challenged you can verify your commitment by feeding your supposed original input to the same one-way function. If you honestly gave the correct input, then the challenger will get the output that you published above in step 3.
Now, sometimes there are only a few possible things you can select from. For example, instead of Twenty Questions you might be playing a Coin Toss Guess game. What we'd do would be that, for example, I am the guesser and you the guessee. You select either "heads" or "tails" and put it in a commitment which you hand over to me. Then, I say "heads" or "tails" and have you reveal your commitment. If I guessed correctly I win, if not you win. Unfortunately, if we were to just use a one-way function like an SHA hash function, it would be very trivial for me to win. All I would need to do would be to try passing "heads" and "tails" to the one-way function and see which one matches the commitment you gave me. Then I can very easily find out what your committed value was, winning the game consistently. In hacking, this can be made easier by making Rainbow Tables, and is precisely the technique used to derive passwords from password databases containing hashes of the passwords. The way to solve this is to add a salt. This is basically just a large random number that we prepend (or append, order doesn't matter) to the actual value you want to commit to. This means that not only do I have to feed "heads" or "tails", I also have to guess the large random number (the salt). If the possible space of large random numbers is large enough, this prevents me from being able to peek at your committed data. The salt is sometimes called a blinding factor.
Hiding commitments in pubkeys!
Pay-to-contract allows you to publish a public key, whose private key you can derive, while also being a cryptographic commitment. In particular, your private key is also used to derive a salt. The key insight here is to realize that "one-way function" is not restricted to hash functions like SHA. The operation below is an example of a one-way function too:
h(a) = a * G
This results in a point, but once the point (the output) is known, it is not possible to derive the input (the scalar a above). This is of course restricted to having the input be a scalar only, instead of an arbitrary-length message, but you can add a hash function (which can accept an arbitrary-length input) and then use its output (a fixed-length scalar) as the scalar. First, pay-to-contract requires you to have a public and private keypair.
; p is private key
P = p * G
; P is now public key
Then, you have to select a contract. This is just any arbitrary message containing any arbitrary thing (it could be an object for Twenty Questions, or "heads" or "tails" for Coin Toss Guessing). Traditionally, this is symbolized as the small letter s. In order to have a pay-to-contract public key, you need to compute the below from your public key P (called the internal public key; by analogy the private key p is the internal private key):
Q = P + h(P | s) * G
"h()" is any convenient hash function, which takes anything of arbitrary length, and outputs a scalar, which you can multiply by G. The syntax "P | s" simply means that you are prepending the point P to the contract s. The cute thing is that P serves as your salt. Any private key is just an arbitrary random scalar. Multiplying the private key by the generator results in an arbitrary-seeming point. That random point is now your salt, which makes this into a genuine bona fide hiding cryptographic commitment! Now Q is a point, i.e. a public key. You might be interested in knowing its private key, a scalar. Suppose you postulate the existence of a scalar q such that:
Q = q * G
Then you can do the below:
Q = P + h(P | s) * G
Q = p * G + h(P | s) * G
Q = (p + h(P | s)) * G
Then we can conclude that:
q = p + h(P | s)
Of note is that somebody else cannot learn the private key q unless they already know the private key p. Knowing the internal public key P is not enough to learn the private key q. Thus, as long as you are the only one who knows the internal private key p, and you keep it secret, then only you can learn the private key q that can be used to sign with the public key Q (that is also a pay-to-contract commitment). Now Q is supposed to be a commitment, and once somebody else knows Q, they can challenge you to reveal your committed value, the contract s. Revealing the pay-to-contract commitment is done by simply giving the internal public key P (which doubles as the salt) and the committed value contract s. The challenger then simply computes:
P + h(P | s) * G
And verifies that it matches the Q you gave before. Some very important properties are:
If you reveal first, then you still remain in sole control of the private key. This is because revelation only shows the internal public key and the contract, neither of which can be used to learn the internal private key. So you can reveal and sign in any order you want, without precluding the possibility of performing the other operation in the future.
If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s. You can compute q simply from the internal private key p and the contract s. You don't even need to pass those in to your signing algorithm, it could just be given the computed q and the message you want to sign!
Anyone verifying your signature using the public key Q is unaware that it is also used as a cryptographic commitment.
Another property is going to blow your mind:
You don't have to know the internal private key p in order to create a commitment pay-to-contract public key Q that commits to a contract s you select.
Q = P + h(P | s) * G
The above equation for Q does not require that you know the internal private key p. All you need to know is the internal public key P. Since public keys are often revealed publicly, you can use somebody else's public key as the internal public key in a pay-to-contract construction. Of course, you can't sign for Q (you need to know p to compute the private key q) but this is sometimes an interesting use. The original proposal for pay-to-contract was that a merchant would publish their public key, then a customer would "order" by writing the contract s with what they wanted to buy. Then, the customer would generate the public key Q (committing to s) using the merchant's public key as the internal public key P, then use that in a P2PKH or P2WPKH. Then the customer would reveal the contract s to the merchant, placing their order, and the merchant would now be able to claim the money. Another general use for pay-to-contract includes publishing a commitment on the blockchain without using an OP_RETURN output. Instead, you just move some of your funds to yourself, using your own public key as the internal public key, then selecting a contract s that commits or indicates what you want to anchor onchain. This should be the preferred technique rather than OP_RETURN. For example, colored coin implementations over Bitcoin usually used OP_RETURN, but the new RGB colored coin technique uses pay-to-contract instead, reducing onchain bloat.
Pay-to-contract is also used in the nice new Taproot concept. Briefly, taproot anchors a Merkle tree of scripts. The root of this tree is the contract s committed to. Then, you pay to a SegWit v1 public key, where the public key is the Q pay-to-contract commitment. When spending a coin paying to a SegWit v1 output with a Taprooted commitment to a set of scripts s, you can do one of two things:
Sign directly with the key. If you used Taproot, use the commitment private key q.
Reveal the commitment, then select the script you want to execute in the Merkle tree of scripts (prove the Merkle tree path to the script). Then satisfy the conditions of the script.
Taproot utilizes the characteristics of pay-to-contract:
If you reveal first, then you still remain in sole control of the private key.
This is important if you take the Taproot path and reveal the commitment to the set of scripts s. If your transaction gets stalled in the mempool, others can know your commitment details. However, revealing the commitment will not reveal the internal private key p (which is needed to derive the commitment private key q), so nobody can RBF out your transaction by using the sign-directly path.
If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s.
This is important for privacy. If you are able to sign with the commitment public key, then that automatically hides the fact that you could have used an alternate script s instead of the key Q.
Anyone verifying your signature using the public key Q is unaware that it is also used as a cryptographic commitment.
Again, privacy. Fullnodes will not know that you had the ability to use an alternate script path.
Taproot is intended to be deployed with the switch to Schnorr-based signatures in SegWit v1. In particular, Schnorr-based signatures have the following ability that ECDSA cannot do except with much more difficulty:
It is possible to generate a single public key that cannot be signed for, except by the agreement of multiple signers who each contribute part of the public key. I.e. this is MuSig, which allows you to create an n-of-n signing group that has a single public key.
As public keys can, with Schnorr-based signatures, easily represent an n-of-n signing set, the internal public key P can also actually be a MuSig n-of-n signing set. This allows for a number of interesting protocols, which have a "good path" that will be private if that is taken, but still have fallbacks to ensure proper execution of the protocol and prevent attempts at subverting the protocol.
Escrow Under Taproot
Traditionally, escrow is done with a 2-of-3 multisignature script. However, by use of Taproot and pay-to-contract, it's possible to get more privacy than traditional escrow services. Suppose we have a buyer, a seller, and an escrow service. They have keypairs B = b * G, S = s * G, and E = e * G. The buyer and seller then generate a Taproot output (which the buyer will pay to before the seller sends the product). The Taproot itself uses an internal public key that is the 2-of-2 MuSig of B and S, i.e. MuSig(B, S). Then it commits to a pair of possible scripts:
Release to a 2-of-2 MuSig of seller and escrow. This path is the "escrow sides with seller" path.
Release to a 2-of-2 MuSig of buyer and escrow. This path is the "escrow sides with buyer" path.
Now of course, the escrow also needs to learn what the transaction was supposed to be about. So what we do is that the escrow key is actually used as the internal public key of another pay-to-contract, this time with the script s containing the details of the transaction. For example, if the buyer wants to buy some USD, the contract could be "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis". This takes advantage of the fact that the committer need not know the private key behind the public key being used in a pay-to-contract commitment. The actual transaction it is being used for is committed to onchain, because the public key published on the blockchain ultimately commits (via a taproot to a merkle tree to a script containing a MuSig of a public key modified with the committed contract) to the contract between the buyer and seller. Thus, the cases are:
Buyer and seller are satisfied, and cooperatively create a signature that spends the output to the seller.
The escrow service never learns it could have been an escrow. The details of their transaction remain hidden and private, so the buyer is never embarrassed over being so tacky as to waste their hard money buying USD.
The buyer and seller disagree (the buyer denies having received the goods in proper quality).
They contact the escrow, and reveal the existence of the onchain contract, and provide the data needed to validate just what, exactly, the transaction was supposed to be about. This includes revealing the "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis", as well as all the data needed to validate up to that level. The escrow then investigates the situation and then decides in favor of one or the other. It signs whatever transaction it decides (either giving it to the seller or buyer), and possibly also extracts an escrow fee.
Smart Contracts Unchained
Developed by ZmnSCPxj here: https://zmnscpxj.github.io/bitcoin/unchained.html A logical extension of the above escrow case is to realize that the "contract" being given to the escrow service is simply some text that is interpreted by the escrow, and which is then executed by the escrow to determine where the funds should go. Now, the language given in the previous escrow example is English. But nothing prevents the contract from being written in another language, including a machine-interpretable one. Smart Contracts Unchained simply makes the escrow service an interpreter for some Smart Contract scripting language. The cute thing is that there still remains an "everything good" path where the participants in the smart contract all agree on what the result is. In that case, with Taproot, there is no need to publish the smart contract --- only the participants know, and nobody else has to. This is an improvement in not only privacy, but also blockchain size --- the smart contract itself never has to be published onchain, only the commitment to it is (and that is embedded in a public key, which is necessary for basic security on the blockchain anyway!).
Hiding commitments in signatures!
Sign-to-contract is something like the dual or inverse of pay-to-contract. Instead of hiding a commitment in the public key, it is hidden in the signature. Sign-to-contract utilizes the fact that signatures need to have a random scalar r which is then published as the point R = r * G. Similarly to pay-to-contract, we can have an internal random scalar p and internal point P that is used to compute R:
R = P + h(P | s) * G
The corresponding random scalar r is:
r = p + h(P | s)
The signing algorithm then uses the modified scalar r. This is in fact just the same method of commitment as in pay-to-contract. The operations of committing and revealing are the same. The only difference is where the commitment is stored. Importantly, however, you cannot take somebody else's signature and then create an alternate signature that commits to some s you select. This is in contrast with pay-to-contract, where you can take somebody else's public key and then create an alternate public key that commits to some s you select. Sign-to-contract is somewhat newer as a concept than pay-to-contract. It seems there are not as many applications of sign-to-contract yet.
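The two constructions above, pay-to-contract (Q = P + h(P | s) * G, q = p + h(P | s)) and sign-to-contract (the same commitment placed in the nonce point R), as an added pure-Python example that is not part of the original post: a minimal secp256k1 implementation, the commit, derive and reveal steps, and a textbook Schnorr signature whose R carries the commitment. Assumptions: h() is SHA-256 over the compressed encoding of P followed by s, the Schnorr challenge is SHA-256(R | X | m) (not the BIP340 encoding), and the internal nonce scalar p is drawn fresh for every signature.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard public constants).
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Point addition A + B; None stands for the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, P):
    """Scalar multiplication k * P by double-and-add."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def ser(P):
    """Compressed 33-byte encoding of a point, used when hashing it."""
    return bytes([2 + (P[1] & 1)]) + P[0].to_bytes(32, "big")
def h(P, s):
    """h(P | s): SHA-256 of point P prepended to bytes s, reduced to a scalar (assumed h)."""
    return int.from_bytes(hashlib.sha256(ser(P) + s).digest(), "big") % N

def homomorphism_holds(a, b):
    """a * G + b * G == (a + b) * G, the property both constructions rely on."""
    return add(mul(a, G), mul(b, G)) == mul(a + b, G)

# --- pay-to-contract: the commitment lives in the public key Q ---
def p2c_commit(P, s):
    """Q = P + h(P | s) * G; needs only the internal public key P, so anyone can commit."""
    return add(P, mul(h(P, s), G))
def p2c_privkey(p, s):
    """q = p + h(P | s): only the holder of the internal private key p can compute it."""
    return (p + h(mul(p, G), s)) % N
def p2c_verify(Q, P, s):
    """Reveal step: the challenger recomputes Q from P (which doubles as the salt) and s."""
    return p2c_commit(P, s) == Q

# --- sign-to-contract: the commitment lives in the nonce point R ---
def s2c_sign(x, m, s):
    """Textbook Schnorr signature (R, z) on m under key x with R committing to s; also returns P."""
    p = secrets.randbelow(N - 1) + 1      # fresh internal nonce scalar p per signature
    P = mul(p, G)                         # internal point P
    r = (p + h(P, s)) % N                 # r = p + h(P | s)
    R = mul(r, G)                         # same point as P + h(P | s) * G
    z = (r + h(R, ser(mul(x, G)) + m) * x) % N   # challenge e = H(R | X | m)
    return (R, z), P

def schnorr_verify(X, m, sig):
    """Ordinary verification: z * G == R + e * X. Nothing here reveals that R commits."""
    R, z = sig
    return mul(z, G) == add(R, mul(h(R, ser(X) + m), X))

def s2c_verify(sig, P, s):
    """Reveal step for sign-to-contract: R must equal P + h(P | s) * G."""
    return p2c_commit(P, s) == sig[0]
```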
Sign-to-contract can be used, like pay-to-contract, to publish commitments onchain. The difference is below:
Signatures are attached to transaction inputs.
Public keys are attached to transaction outputs.
One possible use is in a competitor to Open Timestamps. Open Timestamps currently uses OP_RETURN to commit to a Merkle Tree root of commitments aggregated by an Open Timestamps server. Instead of using such an OP_RETURN, individual wallets can publish a timestamped commitment by making a self-paying transaction, embedding the commitment inside the signature for that transaction. Such a feature can be added to any individual wallet software. https://blog.eternitywall.com/2018/04/13/sign-to-contract/ This does not require any additional infrastructure (i.e. no aggregating servers like in Open Timestamps).
R Reuse Concerns
ECDSA and Schnorr-based signature schemes are vulnerable to something called "R reuse". Basically, if the same R is used for different messages (transactions) with the same public key, a third party with both signatures can compute the private key. This is concerning especially if the signing algorithm is executed in an environment with insufficient entropy. By complete accident, the environment might yield the same random scalar r in two different runs. Combined with address reuse (which implies public key reuse) this can leak the private key inadvertently. For example, most hardware wallets will not have any kind of entropy at all. The usual solution to this, instead of selecting an arbitrary random r (which might be impossible in limited environments with no available entropy), is to hash the message and use the hash as the r. This ensures that if the same public key is used again for a different message, then the random r is also different, preventing reuse entirely. Of course, if you are using sign-to-contract, then you can't use the above "best practice". It seems to me plausible that computing the internal random scalar p using the hash of the message (transaction) should work, then adding the commitment on top of that. However, I'm not an actual cryptographer, I just play one on Reddit. Maybe apoelstra or pwuille can explain in more detail.
Copyright 2019 Alan Manuel K. Gloria. Released under CC-BY.