Sources

sidechains.pdf

bitcoin.pdf

I think questions like this are ultimately the result of a fundamental lack of understanding about what Bitcoin is doing.

The problem Bitcoin is attempting to solve is getting everyone everywhere to agree on the same stable history of transactions. This is necessary because in order to prevent users from printing money from nothing the system must have a rule that you can’t spend a given coin more than once-- like I have a dollar then pay both alice and bob that dollar, creating a dollar out of nothing.

The intuitive way to prevent that excessive spending is to decide that first transaction that spends a coin is valid and any additional spends are invalid. However, in a truly decentralized system "first" is actually logically meaningless! As an inescapable result of relativity the order which different parties will perceive events depends on their relative positions, no matter how good or fast your communication system is.

So any system that needs to prevent duplication has to have a way to artificially assign "firstness". Centralized systems like ripple, eos, iota, blockstream liquid, etc. just have a single party (or a virtual single party) use its idea of whatever came first and everyone else just has to accept its decision.

A decentralized system like Bitcoin uses a public election. But you can’t just have a vote of 'people' in a decentralized system because that would require a centralized party to authorize people to vote. Instead, Bitcoin uses a vote of computing power because it’s possible to verify computing power without the help of any centralized third party.

If we didn’t have the constraint that this system needed to work online, then you could imagine an alternative where consensus could be determined by people presenting large amounts of some rare element. …​ but you can’t prove you control osmium online, it appears that computing power is the only thing that can work for this purpose online.

When people talk about "51%" all they’re really talking about is people rigging that election, so that they can override what everyone previously thought was the accepted order of transactions with a new order that changes some of their payments from one party to another.

With this understanding maybe you can see that the concern doesn’t even depend on a single person having too much of the hash-power. The attack would work just as well if there were 100 people each with an equal amount and a majority of them colluded to dishonestly override the result.

Also, any mechanism that would let you prevent one party (much less a secret collusion) from having too much authority would almost certainly let you just replace mining entirely. The only known way to do that is to introduce centralization and if you’re willing to do that it’s trivial, if you’re not it appears impossible. People have cooked up 1001 complicated schemes that claim to do it without introducing centralization, but careful analysis finds again and again that these fixes centralize the system but just hide the centralization.

I think people obsess far too much about "51%"-- it has some kind of attractive mystery to it that distracts people. If you’re worried that someone might reorder history using a high hash-power collusion-- just wait longer before you consider your transactions final.

A far bigger risk to Bitcoin is that the public using it won’t understand, won’t care, and won’t protect the decentralization properties that make it valuable over centralized alternatives in the first place. …​ a risk we can see playing out constantly in the billion dollar market caps of totally centralized systems. The ability demonstrated by system with fake decentralization to arbitrarily change the rules out from under users is far more concerning than the risk that an expensive attack could allow some theft in the case of over-eagerly finalized transactions.

AARON VAN WIRDUM SEP 12, 2015
Op-ed - The Decentralist Perspective

The block-size limit debate has dominated Bitcoin blogs, forums, chat rooms and meet-ups for months on end, while many of Bitcoin’s brightest minds are gathering in Montreal to discuss the issue face-to-face at the Scaling Bitcoin Workshop this weekend.

So far, however, the two sides of the debate have made little progress coming to a consensus. At least for some part, this seems to result from a difference of visions – visions that are based on a different set of priorities.

One of these visions – represented by Bitcoin XT developers Gavin Andresen and Mike Hearn – is straightforward and clear. For Bitcoin to succeed, they believe it needs to grow, preferably fast. And for Bitcoin to grow fast, it needs to be cheap, accessible and easy to use. This, in turn, means that the block-size limit needs to increase in order for more transactions to fit on Bitcoin’s blockchain, for fees to remain low, and without having to rely on complicated and far-off alternative solutions. This could mean that some aspects of the Bitcoin ecosystem need to specialize further, but that was always to be expected.

On the other end of the spectrum, a majority of Bitcoin’s most active developers think it’s not that simple. For them, Bitcoin’s decentralized nature is sacrosanct, and they believe that an increase of the block-size limit represents a trade-off with this core feature. Some of these developers – perhaps best described as Bitcoin’s “decentralists” – even warn that too big an increase could destroy the system as a whole.

But for many outside this select group developers it still seems unclear why, exactly, big blocks could pose such a grave threat. To find out, Bitcoin Magazinespoke with four of the most prominent of these decentralists: Bitcoin Core developer Dr. Pieter Wuille, Bitcoin Core developer and long-term block-size conservative Peter Todd, hashcash inventor and Blockstream founder and president Dr. Adam Back, and well-known cryptographer and digital currency veteran Nick Szabo.

MINING CENTRALIZATION

According to decentralists, the problem of big blocks is essentially twofold. On one hand there is the basic assumption that bigger blocks favor bigger miners – presumably mining pools. On the other hand is the fact that bigger blocks complicate mining anonymously.

The main (though not only) reason bigger blocks favor bigger miners has to do with latency. As the block size increases, so does the time it takes for a newfound block to transmit through the Bitcoin network. That is disadvantageous to all miners, except for the miner that found the block. During the time it takes a new block to make its way through the network, the miner who found the block gets a head start mining on top of the new block, while other miners are still busy mining on top of an older block. So as a miner find more blocks, it gets more head starts. And as a miner gets more head starts, it finds more blocks. Meanwhile on the other end of the equation, smaller miners find fewer blocks and, as a result, have more trouble turning a profit, ultimately causing them to drop off the network. Bigger blocks tend to centralize mining.

This problem is worsened, moreover, if a miner wishes to remain anonymous, and wants to use Tor. Since latency on the Tor network is always higher, the problem as described above is simply magnified. If smaller miners are disadvantaged by bigger blocks to the point where it’s hard to remain profitable on a regular connection, miners using Tor don’t even stand a chance.

Neither of these arguments against bigger blocks is controversial in itself. The controversy lies in the question how big is too big. Andresen and Hearn believe an increase to 8 megabytes or even 20 megabytes should be OK, and assume that it’s fine to grow this limit to 8 gigabytes over a 20-year time period.

Speaking to Bitcoin Magazine, Bitcoin Core developer and Blockstream co-founder Dr. Pieter Wuille explained why this assumption is not shared by decentralists.

“It is obvious that block propagation is too slow already,” Wuille said. “A recent software update revealed that several mining pools maintain arrangements where they share block headers – the minimal required part of an actual block – the moment they find a new block. All miners in on the deal then start mining on top of that block header instead of waiting for the full block to propagate over the network – waiting would cut into their profits too much.”

Explaining why this is a problem, Wuille continued:

“This practice is harmful for Bitcoin, as it requires a lot of trust among miners. They no longer verify the validity of blocks individually, and instead just rely on their peers. But validating blocks is supposed to be a miner’s main task on the Bitcoin network…”

Moreover, decentralists warn there might be no turning back once bitcoin mining has become too centralized. At that point, the remaining miners could have created a deadlock on the mining market, essentially preventing newcomers to compete profitably.

Core developer and long-time block-size conservative Peter Todd told Bitcoin Magazine:

“The big concern we have here is, as we reduce these security margins, we’ll see the already worryingly small number of pools decrease even further. Even more concerning though, is that while currently it’s pretty easy to start a new pool if an existing one ‘goes rogue,’ bigger blocks can make it much more difficult to do so, because from the beginning you’ll be much less profitable than the big pools.”

And while it has been suggested that miners can connect to a VPS if they prefer to remain anonymous rather than connect through Tor, this is not quite satisfying for decentralists either. Speaking to Bitcoin Magazine, hashcash inventor and Blockstream CEO Dr. Adam Back explained why.

“It is technically possible to mine using a VPS (Virtual Private Server), but miners who do so are not choosing their own transactions,” Back emphasized. “Instead, they connect to a server that does this for them. It’s another form of centralization, at the extreme. And we already see this happening due to bad connectivity in some countries, where miners use VPS services set up in another country to win some time and increase profits…”

REGULATION

Decentralization – and anonymity – might be sacrosanct for decentralists, but that does not mean they are goals in and of themselves. Instead, decentralists cling to these properties because they believe the health of the Bitcoin network relies on them. It’s only through decentralization and anonymity that the system can remain free from outside influence, such as government regulation.

“Bitcoin achieves policy neutrality by decentralization of mining,” Back explained. “If one miner won’t mine your transaction, another will. It’s an additional benefit if miners are many, geographically dispersed and anonymous, since it’s complex to coordinate a policy imposition on many small geographically dispersed miners. And it’s even more complex to impose policy on someone who is anonymous.”

If, on the other hand, Bitcoin reaches the point where only a handful of professional miners will be able to profitably partake in the process of Bitcoin mining, and if these miners are no longer able to do so anonymously, decentralists worry that Bitcoin’s fundamental properties might be at risk.

“It is pretty clear that forcing the Bitcoin protocol to implement anti-money laundering policy and blacklisting of funds is a long-term goal of governments, which can be done by pressuring mining pools,” Todd explained. “Being able to tell regulators that pressure will simply cause pools to leave regulated jurisdictions is important, but without anonymity, there really aren’t that many jurisdictions to run to.”

Furthermore, once more that half of all hashing power is effectively regulated, authorities could even demand a complete freeze of certain funds, Back explained:

“If more than 50 percent of mining is subject to policy, it can actually censor any transaction by ignoring – orphaning – blocks made by other miners. We don’t know if that would happen or not, but given the fact that it would be within their technical power to do it, it should be expected that regulators demand their regulations achieve an effect.”

Moreover, once this sort of regulation does set in, decentralists believe it will probably be too late to fix. Bitcoin would be caught in a regulatory trap without even noticing it – until the trap closed.

Back continued:

“If Bitcoin is already at high policy risk – sort of effectively centralized but not experiencing the side-effects of that yet – and then the policy problem arises, the properties of Bitcoin are lost or eroded. How can you fix it at that point? Suddenly decentralize it? It’s uncertain that the parties who are at that point under central control over the Bitcoin network have the free choice to work to decentralize it. They would have been regulatory captured.”

FULL-NODE CENTRALIZATION

But even mining centralization and regulation might not be the end of it, decentralists warn. Ultimately, over-sized blocks bear with it another – perhaps even bigger – risk: full-node centralization.

Full-node centralization could be an even bigger risk than mining centralization, decentralists argue, as full nodes effectively verify the consensus rules Bitcoin plays by. These consensus rules enforce that Bitcoin has a 1MB block-size limit, but also that the block reward halves every four years, or that the total supply of bitcoin will not exceed 21 million. And – importantly – being able to verify these rules is what makes Bitcoin a trustless solution. In essence, full nodes allow users to check that Bitcoin does as promised.

But as it becomes expensive to run a full node, decentralists worry that verifying the consensus rules could become reserved to a small elite. This could have several consequences.

An obvious consequence would be that it injects trust in the system. Instead of using trustless full nodes, users would, for instance, use web-wallets – which obviously require a lot of trust in the service. But even solutions such as Simplified Payments Verification (SPV) nodes are no better in this regard, as they do not verify the consensus rules either.

Peter Todd explained:

“SPV nodes and wallets are not a trustless solution. They explicitly trust miners, and do no verification of the protocol rules at all. For instance, from the perspective of an SPV node there is no such thing as inflation schedule or a 21 million bitcoin cap; miners are free to create bitcoins out of thin air if they want to.”

And while the cheating of SPV nodes could be seen as a short-term problem, some decentralists argue that a drop in full nodes might even have more severe consequences in the longer term.

According to Wuille:

“If lots companies run a full node, it means they all need to be convinced to implement a different rule set. In other words: the decentralization of block validation is what gives consensus rules their weight. But if full node count would drop very low, for instance because everyone uses the same web-wallets, exchanges and SPV or mobile wallets, regulation could become a reality. And if authorities can regulate the consensus rules, it means they can change anything that makes Bitcoin Bitcoin. Even the 21 million bitcoin limit.”

It is of vital importance for the health of the Bitcoin network, therefore, that it remains possible to run full node anonymously, Todd urged:

“Like mining, having the option to run full nodes totally ‘underground’ helps change the discussion and gives us a lot of leverage with governments: try to ban us and you’ll have even less control. But if we don’t have that option, it starts looking like regulation efforts have a decent chance of actually working, and gives governments incentives to attempt them.”

Commenting on the block size limit debate itself, Back added:

“I believe that the unstated different assumption – the point at which views diverge – is the importance of economically dependent full nodes. It seems that Gavin thinks a world where economically dependent full nodes retreat to data-centers and commercial operation – and basically all users can only get SPV security – is an OK trade-off and cost of getting to higher transaction volume a year early. But most of Bitcoin’s technical experts strongly disagree and say this risks exposing Bitcoin to erosion of its main differentiating features.”

TRADE-OFFS

So what if decentralists are right? Bitcoin mining, and perhaps even running a full node, is reserved to specialists working from data centers. Anti-Money Laundering and Know Your Customer policy might be imposed, and perhaps the protocol rules are regulated to a certain extent. Sure, it would be a blow for drug dealers, CryptoLocker distributors and extortionists, but Bitcoin would still be a global, instant and cheap payments system. In a way, Bitcoin might actually be better of without these outlaws. Right?

Well, not according to decentralists.

Most decentralists maintain that Bitcoin’s distinguishing features are not its global reach, its instant transactions, or its low costs of use. Instead, they argue, Bitcoin’s single most important distinguishing feature is its decentralized nature. Without it, there would be no reason for Bitcoin to even exist.

Well-known cryptographer and digital currency veteran Nick Szabo explained:

“In computer science there are fundamental trade-offs between security and performance. Bitcoin’s automated integrity necessarily comes at high costs in its performance and resource usage. Compared to existing financial IT, Satoshi made radical trade-offs in favor of security and against performance. The seemingly wasteful process of mining is the most obvious of these trade-offs, but it also makes others. Among them is that it requires high redundancy in its messaging. Mathematically provable integrity would require full broadcast between all nodes. Bitcoin can’t achieve that, but to even get anywhere close to a good approximation of it requires a very high level of redundancy. So a 1MB block takes vastly more resources than a 1MB web page, for example, because it has to be transmitted, processed and stored with such high redundancy for Bitcoin to achieve its automated integrity.”

The crucial importance of this trade-off, was seconded by Wuille:

“If we were to allow centralization of mining, we simply wouldn’t need a blockchain in the first place. We could just let a central bank sign transactions. That would allow us much bigger and faster blocks without any capacity problems. No variable block times. No wasted electricity. No need for an inflation subsidy. It would be better in every sense, except that it would involve some trust. Really, if we don’t consider centralization of mining a problem, we might as well get rid of it altogether.”

Szabo added:

“These necessary trade-offs, sacrificing performance in order to achieve the security necessary for independent and seamlessly global automated integrity, mean that Bitcoin cannot possibly come anywhere near Visa transaction-per-second numbers and maintain the automated integrity that creates its distinctive advantages versus these traditional financial systems.”

BITCOIN VERSUS BITCOIN

This leaves us with one last question. If “Bitcoin cannot possibly come anywhere near Visa transaction-per-second numbers” as decentralists claim, then what is the point of it all? Why even bother building software, investing in startups, and spend time evangelizing Bitcoin, if it inherently doesn’t scale?

The point of it all, for decentralists, lies in a classic distinction: the distinction between Bitcoin the network and bitcoin the currency.

Bitcoin the network, decentralists argue, is fundamentally designed as a settlement system, not as a network for fast and cheap payments. While maybe not the most typical decentralist himself, a recent contribution to the Bitcoin developer mailing list by Core developer Jeff Garzik perhaps explains the decentralist perspective best.

Garzik wrote:

“Bitcoin is a settlement system, by design. The process of consensus ‘settles’ upon a timeline of transactions, and this process – by design – is necessarily far from instant. … As such, the blockchain can never support All The Transactions, even if block size increases beyond 20MB. Further layers are – by design – necessary if we want to achieve the goal of a decentralized payment network capable of supporting full global traffic.”

But, importantly, this vision of Bitcoin as a limited settlement network, does not mean that bitcoin the currency cannot flourish beyond these built-in limits.

As explained by Szabo:

“When it comes to small-b bitcoin, the currency, there is nothing impossible about paying retail with bitcoin the way you’d pay with a fiat currency – bitcoin-denominated credit and debit cards, for example, with all the chargeback and transactions-per-second capabilities of a credit or debit card. And there are clever trust-minimizing ways to do retail payments in the works. Capital-B Bitcoin, the blockchain, is going to evolve into a high-value settlement layer, and we will see other layers being used for small-b bitcoin retail transactions.”

Or as Garzik elaborated:

“Bitcoin payments are like IP packets – one way, irreversible. The world’s citizens en masse will not speak to each other with bitcoin (IP packets), but rather with multiple layers (HTTP/TCP/IP) that enable safe and secure value transfer or added features such as instant transactions.”

Moreover, decentralists contend that even these upper layers could include most of the advantages that the Bitcoin network introduced. Once fully developed, technological innovations such as the Lightning Network and tree-chains should allow users to transact in a decentralized, trustless, and even instant fashion – while ultimately settling on the Bitcoin blockchain. While it is true that on-chain transactions will cost more as room in blocks becomes scarce, decentralists maintain that it is the only way to keep that chain decentralized and trustless – and that that does not need to be a problem.

“Yes, on-chain transaction fees will rise,” Todd acknowledged. “But that changes what you use Bitcoin’s underlying blockchain layer for, and how often – not whether or not you can transact at all. A world where you can send anyone on the planet money directly on the blockchain for five dollars – or for near zero via caching techniques like Lightning – is a very good option, and it will buy us time to develop techniques to make blockchains themselves scalable …”

This is hard to answer, as "blockchain" isn’t a very well defined thing. Often the term refers to some use of cryptography in a distributed system, but what it means beyond that depends on who you ask. To those who use it as a generic term, it is usually little more than a marketing term.

If you assume that at least there is an actual chain of blocks being built, either by a permissionless set of participants based on economic incentive ("miners"), or by a permissioned set of signers with long-term identities, the question you’re asking actually does not make sense. Blockchain consensus algorithms do not compete with or replace databases as such. They are a mechanism for obtaining consensus on a global state, where multiple participants have authority to accept changes. Arguably, each of those participants already needs a database themselves - the blockchain is merely a log of all accepted updates to those databases. Even in Bitcoin, every node actually has a local database with the UTXO set. In Bitcoin Core, that is a LevelDB database, but there is no fundamental reason why another database couldn’t be used.

Of course, in some scenarios all you need is a single authority deciding on all changes to the database. In that case a database is indeed all you need. But that’s a silly comparison: there are plenty of use cases for distributed systems with multiple writers today, in production use, that have no relation with blockchains. Look up Paxos, or Google Spanner for example. The complexity is not in the database part, but in keeping the participants synchronized. That is what a consensus algorithm does. Most production instances I know of this use mutually trusting authorities (and a distributed system is used for performance/latency reasons rather than trust), but algorithms that permit distrusting participants are well known as well, e.g. PBFT.

Now, digging deeper: how does a private blockchain compare with such a system? The answer is trivial: it is effectively a new way of looking at the same thing. Private blockchains (i.e. there is a set of known identities that can approve changes) rely on running a traditional consensus algorithm (e.g. PBFT) between the block signers to make sure only a single chain emerges. Here the "blockchain" is literally the log of changes, as many of its properties (e.g. the ability to temporarily fork) aren’t even used. That log may be useful for auditing purposes, and if you structure it as a hash chain, you could indeed call it a blockchain. But there is no innovation here whatsoever. That doesn’t mean "blockchain technology" is necessecarily useless here, as some of the cryptography for e.g. transaction verification may still be applicable (depending on the use case), but, arguably, the blockchain as a datastructure itself not novel in any way here.

Things get much more interesting when you’re talking about a public blockchain (where anyone can become an authorizer of changes) but its use cases are very limited. I’m going to focus here on proof-of-work, as I don’t believe any solution that completely avoids PoW actually securely offers the same properties. What PoW does is replace the signing of blocks by known identities with betting on particular versions of history and paying for the bet. Everyone who consistently bets with the majority ("miners") gets paid, and those who diverge don’t. There are two fundamental changes here: (a) there must be something of value to pay miners, which typically implies that your blockchain needs to define its own currency, limiting the use cases to effectively just cryptocurrencies (b) you don’t get guaranteed convergence anymore, only probabilistically and under economical assumptions.

To summarize, the answer to your question really depends on what you mean by blockchain, and what kind of thing you’re comparing it to:

Your prior understanding sounds correct.

Many people have a hard time understanding autonomous systems, there are many in their lives things like the english language-- but people just take them for granted and don’t even think of them as systems. They’re stuck in a centralized way of thinking where everything they think of as a 'thing' has an authority that controls it.

Bitcoin doesn’t focus on anything. Various people who have adopted Bitcoin chose of their own free will to promote it, and how they choose to do so is their own business. Authority fixated people may see these activities and believe they’re some operation by the bitcoin authority, but no such authority exists.

The article might just as well say "Meanwhile, English has recently introduced 'chatspeek'-- an informal abbreviated form of the language-- to attract a younger, more mobile, generation to its platform."

The term trustless is often misunderstood. I suspect you mean not needing to trust anyone, but if a program being open source helps for that, aren’t you implicitly relying on the people who are capable of reviewing the source code to have actually done so? Isn’t that also a form of trust? Of course it is. Every production system needs to trust various aspects of the infrastructure: the hardware it’s running on, the compiler that was used, the operating system, and last but not least the human operating it.

The trust we’re talking about in "trustless" is an abstract technical term. A distributed system is called trustless when it does not require any trusted parties to function correctly. In that sense, a "trustless wallet" does not make sense: wallets are an implementation aspect of a cryptocurrency, the design of which may or may not rely on trusted parties. The wallet software being open or closed source doesn’t change this.

Does that mean you should use a closed-source wallet? Hell no. Not because it’s "trustless" or not, but because there is no chance it’ll have been sufficiently reviewed (unless, perhaps, you have access to the source code under NDA and paid for thorough review yourself).

bitcoin.pdf

Bitcoin Core checks each block of transactions it receives to ensure that everything in that block is fully valid—allowing it to trust the block without trusting the miner who created it.

This prevents miners from tricking Bitcoin Core users into accepting blocks that violate the 21 million bitcoin limit or which break other important rules.

Users of other wallets don’t get this level of security, so miners can trick them into accepting fabricated transactions or hijacked block chains.

Why take that risk if you don’t have to? Bitcoin Core provides the best possible security against dishonest miners along with additional security against other easier attacks (see below for details).

… Is everyone awake? Sure. Jumping jacks. Wow, that’s bright. I am more idealistic than Eric. I am going to talk about utility and why people use bitcoin and let’s see how that goes.

Trustlessness is much better than decentralization. I want to talk about trustlessness. People use the word decentralization a lot and I find that to be kind of useless because decentralization is a means to an end. We use bitcoin because we don’t want to trust a third party, and decentralization is a fuzzy word but trustlessness you can assign some meaning to this. There was a piece on linkedin that was a history of ecash and where bitcoin came out of from the community in the 80s and 90s and it clearly birthed bitcoin. He talks a lot about various attempts at building ecash systems and why they all failed, and at the end of the day you had to trust someone. There’s a lot of different forms of that- trusting someone to continue to exist and stay in business, to not seize your coins or whatever. They all failed for those reasons. In Eric’s posting of the original satoshi announcement, you saw that you didn’t have to trust anyone. It was at least a two sentence blurb. Let’s talk about what forms this trustlessness takes in bitcoin. Why do people care about this and how do they use bitcoin?

It’s nice to think about digital gold vs payments argument; I think this is useless for evaluating cryptocurrency, but it’s interesting to loo kat that for what it implies for trusting or why you care about bitcoin. There’s a digital gold aspect of secure settlement where you want to only trust your own node, you want to verify the chain hopefully without inflation, and you get this nice property that you can run your own node and verify the rules and see on your own node the hashrate. You can see it and add it up, and calculate how much hashrate went into confirming these transactions. Maybe you wait a week, or a month, there’s various other issues with mining today. So you wait a while, you can accept transactions and say okay I know for sure without trusting anyone, a central bank, the fed, I don’t trust any of these people, or the government of Venezuela or whatever form that takes.

On the other hand, we have a payments view of trust where people are trying to avoid trusting Paypal, Visa, or someone more direct. So you are looking at bitcoin from the lense of wanting faster payments, you care about not necessarily waiting a week… where the entire modern financial system is built on the idea of coming together nad having trust around Visa or whatever. If Visa says you have paid a dollar then that’s the case. Some people might not want this- maybe you’re censored because you’re a marijuana grower in the US or various other places in the world… maybe you’re in a place where Visa doesn’t work or wherever it is. You want to be able to use bitcoin without necessarily trusting someone like that.

There’s this interesting concept that comes up. There’s this wonderful bitcoin system, hashrate you can see, you can see transactions coming through. But is that enough? Ultimately, people like to use bitcoin for more than just “well I can see a transaction and if it confirms that’s great”- they care about not being censored, about censorship resistance and getting their transactions through hopefully without trusting anyone else. Where do we get this property from?

This is where the decentralization ubzzword comes in. I refer to the concept of consensus-group distribution.. It’s useful to talk about consensus group distribution because it applies not just to proof-of-work and proof-of-stake but other systems. Your system has people putting transactions into blocks. At bitcoin, we have an attempt at consensus group distribution with hashrate and hopefully it’s decentralized and it’s really not today– that’s a huge open question; can we build a system that is in the long-term censorship resistant? It’s unclear. There have been othe rattempts like proof-of-stake and it turns out that stake and wealth has always been incredibly centralized throughout human history. There are also other untested proposals. Bitcoin is still very experimental, as well. Can we build this censorship resistant system that people want?

Also, this comes back to community norms. Why does bitcoin today actually work and have censorship resistance if mining is so centralized? Turns out, that’s community norms. People use bitcoin for censorship resistance, and if miners started aggressively violating that, then bitcoin would have less value, and miners would have less value in their investment. There’s an expectation in the community and this has played a useful role in creaitng censorship resistance. I would argue this is only temporary. If you have the next generation of miners or government, eventually people are going to find pressure points and figure out how to violate censorship resistance and try to censor payments and transactions as government are want to do.

There’s an extension to this community norms concept– in bitcoin we talk about not wanting to trust anyone, but a clear violation of this is when the rules change out from undre you. This was the old 2x fork drama. Who should I have to trust to use bitcoin for the rules to change? I would argue bitcoin applied this new community norm and really grew out of it; this is where the fork happened. You had one part of the community that wanted different norms to change the rules more aggressively, and another part of the community that didn’t want to change rules without broad agreement. This has interestingly resulted in bitcoin being unique that there’s a norm that changes don’t get made easily. Because that is the expectation of bitcoin users, and people expect this to be a thing they rely on for them to continue using bitcoin; it becomes self-perpuating because the community expects it and you thus have this nice property where you don’t have to trust bitcoin for the rules. Other projects are more about the community and who is going to enforce these rules and enforce changes.

Who’s the tech guy in here?

What implications do these concepts of various types of not wanting to trust someone have on scalability and how we look to the future? Blockchains don’t scale. If anyone tells you that they have a blockchain that scales, they are lying to your face. They might be leaving out some tradeoffs they have made. There are a lot of different areas in this overarching concept of not trusting anyone that we can relax and get a more trust-centric system that is more highly scalable. These are all valid approaches, but they are not the approach that bitcoin takes.

We could give up on the decentralization of the consensus group. We could be Ripple or Paypal where there’s a single entity or a small federation that confirms transactions. Of course, you probalby give up some of your cnesorship resistance, and maybe you have programmable money. This is a valid approach. You can also experiment with other ones— proof-of-stake probably lands in this category where you have relatively centralized stake and you end up with a consensus group which is more centralized and maybe they can censor transactions more, or maybe you get other security guarantees. That’s fine, that’s a valid approach.

You could give up on hte concept of self-validation where you give up on everyone running a fully-validating node. Everyone could be a SPV client where they only do partial validation or only see some part of the network, and this encompasses a lot of things, like sidechains and other things and sharding and ohters also fall under this category. If you can only see part of the network, then things could go faster. Other things could be going on that are invalid or incorrect and this might come back to bite you later. You don’t have this digital gold use case anymore because something happening elsewhere– that attempt at not trusting others, well it goes out the window because something happened and now people are posting on reddit that hey don’t accept payments for the next week while we reorg the whole chain or whatever. Again, valid approach, but that’s not bitcoin.

You could also choose to build a centralized payment channel network, something the opposite of lightning network– something focused on centralization instead. You could build a bank. If someone only cares about bitcoin because they only care about not wanting to trust the Fed, then maybe they’re fine trusting coinbase.com and they should be able to use the cryptocurrency that is great for that purpose. It’s interesting, because other systems in the cryptocurrency space make decisions about this. Ethereum has been talking about building in sharding techniques at the base layer, giving up on self-validation as a tradeoff. They are building this for all their users; you’re required to use that trust model.

In bitcoin, we try to avoid making decisions for people. As a community, we have been encouraging people more to build systems on top of bitcoin that gives up some of the trustlessness. If a user wants to build a bank, then they can. If people want to build a sidechain on top, they can. But this doesn’t infect everyone else using the system. It’s not built in, it’s not baked in, it’s not required to force it on everyone else just because the developers or whatever have decided to try that.

What about the future of bitcoin? What does that mean for going forward? Each use-case has different trust models baked in. Encourage different trust tradeoffs for different use-cases. Many interoperable systems for different uses. If people want to use an ETF, then fine. Let them hedge. Reduce usability gaps for those with “stricter” trust models. Continue setting community precedent.

We have to describe how the trust model works to bitcoin users. We want them to pick the thing most optimal to them. This is a massive open challenge in the community of bitcoiners. We should find a way to build these different systems and allow users to use what they want.

We should also try to focus a little bit on the usability gaps between different trust models— centralized websites are going to be infinitely more user-friendly. We should try to reduce those differences when we can. Coinbase.com is always going to be more user friendly, and it’s always more user-friendly to have a trusted system than a completely trustless system. People who want to use bitcoin without trusting others should not be discouraged from doing so simply because the usability might be terrible. You can’t change the rules out from under me. You shouldn’t do that.

TLDR; Bitcoin v22.0 moves to Guix so that we can "trust the compiler" even less

<tinfoil_hat_fud>

With any software that handles finance or private keys, the question of trust is important. Most have a general concept of this stuff, and that is usually fine for most anyone’s needs. But there is always the rare case where trust policies are too laxed and users get burned, like the Electrum v3.3.3 phishing attack. Here I’ll try to go through the minimal level of trust all the way down to the theoretical limit of what can be done. At the heart of the matter is the concept of extended trust. In most trust-tests, we start with something that has more trust and see if we can connect it to something with less trust. I’ll walk through a few examples from the top down. In general we will go through the following levels:

I can’t seem to find the link to your bank account records, mind posting them for us?

Luke is pretty much the last person you’d expect to give a crap about underground uses. But privacy is not only a consideration for them, or even primarily for them: dope dealers—or whatever you want your bogeyman to be—can buy their way to privacy even in a system which is very non-private.

Financial privacy is an essential element to fungibility in Bitcoin: if you can meaningfully distinguish one coin from another, then their fungibility is weak. If our fungibility is too weak in practice, then we cannot be decentralized: if someone important announces a list of stolen coins they won’t accept coins derived from, you must carefully check coins you accept against that list and return the ones that fail. Everyone gets stuck checking blacklists issued by various authorities because in that world we’d all not like to get stuck with bad coins. This adds friction and transactional costs and makes Bitcoin less valuable as a money.

Financial privacy is an essential criteria for the efficient operation of a free market: if you run a business, you cannot effectively set prices if your suppliers and customers can see all your transactions against your will. You cannot compete effectively if your competition is tracking your sales. Individually your informational leverage is lost in your private dealings if you don’t have privacy over your accounts: if you pay your landlord in Bitcoin without enough privacy in place, your landlord will see when you’ve received a pay raise and can hit you up for more rent.

Financial privacy is essential for personal safety: if thieves can see your spending, income, and holdings, they can use that information to target and exploit you. Without privacy malicious parties have more ability to steal your identity, snatch your large purchases off your doorstep, or impersonate businesses you transact with towards you…​ they can tell exactly how much to try to scam you for.

Financial privacy is essential for human dignity: no one wants the snotty barista at the coffee shop or their nosy neighbors commenting on their income or spending habits. No one wants their baby-crazy in-laws asking why they’re buying contraception (or sex toys). Your employer has no business knowing what church you donate to. Only in a perfectly enlightened discrimination free world where no one has undue authority over anyone else could we retain our dignity and make our lawful transactions freely without self-censorship if we don’t have privacy.

Most importantly, financial privacy isn’t incompatible with things like law enforcement or transparency. You can always keep records, be ordered (or volunteer) to provide them to whomever, have judges hold against your interest when you can’t produce records (as is the case today). None of this requires globally visible public records.

Globally visible public records in finance are completely unheard-of. They are undesirable and arguably intolerable. The Bitcoin whitepaper made a promise of how we could get around the visibility of the ledger with pseudonymous addresses, but the ecosystem has broken that promise in a bunch of places and we ought to fix it. Bitcoin could have coded your name or IP address into every transaction. It didn’t. The whitepaper even has a section on privacy. It’s incorrect to say that Bitcoin isn’t focused on privacy. Sufficient privacy is an essential prerequisite for a viable digital currency.

So, again, I ask—let’s see your bank records; I’m sure there is an export to CSV. Mtgox transaction dumps? Stock trading accounts. Let’s see you—even just you—post all this before you presume to say that you think that’s what the public wants forced on everyone.

The short answer is no. The long answer is split into three parts, each headed by a bold word.

Today, you can do a lot relative to stock Bitcoin in the direction of privacy. Two strategies I should mention are CoinJoin and CoinSwap.

Total anonymity, in the sense that when you spend money there is no trace of where it came from or where it’s going, is theoretically possible by using the cryptographic technique of zero-knowledge proofs. As an extreme example, you could imagine that rather than publishing blocks mapping old outputs to new ones (which is what transactions are in Bitcoin), miners published zero-knowledge proofs that they had a valid set of transactions which, in aggregate, mapped the old set of all outputs to the new set of all outputs. You could further obscure this by having the recipient choose the destination address(es) and pass different ones to every miner. That way, only the miner who gets the block (who is probably different for every block) and the recipient knows where money is going.

In what I’ve described, the values of all coins would still be visible, and perhaps tracking could be done by linking similarly-valued coins. We can fix this with homomorphically-encrypted values, say.

The point of this musing is that there are no strong theoretical reasons that what you want is impossible. But I’m going to burst the bubble I just created and talk about practical problems: firstly, to do this kind of general computation is zero-knowledge even remotely feasibly, you need to use a system which has a trusted setup (in cryptographic terms, the scheme is secure only in the CRS (common reference string) model). This means that some party, the scheme’s creator probably, has access to secret data which will allow them to produce false proofs, effectively allowing them to undetectably print money for all time. A recent example of such a thing is the paper SNARKs for C by Eli Ben-Sasson et. al., which provides a lot of historical context.

Secondly, even with this fatal flaw, these schemes are not all that computationally feasible. Zerocoin, now superceded by Zerocash, took this approach and needed to create serious restrictions: all coins have the same value, there is no scripting (even for multisignature transactions, I believe), and even so some serious work went into special optimizations to do whatever was left (such as hashing) in zero knowledge. For ZeroCash research is going into doing the initial setup in a multi-party computation so that no individual has the secret material needed to print coins; there would be several, and as long as even one securely destroyed their data, the currency would be safe from forgery.

However, ZeroCash’s trusted setup is orders of magnitude more complex than any other MPC that has ever been done. And the most efficient MPC schemes known depend on a trusted-setup as well, so we haven’t gained anything.

Having said that, we can get something weaker than total anonymity, and it looks like we can do it in a feasible way. As has been mentioned, CryptoNote-based currencies use ring signatures (contrast group signatures, which involve a trusted party) rather than plain old ECDSA signatures in the proof-of-ownership part of their transaction signature scheme. Arguably the most well-known cryptocurrency that was originally based on CryptoNote is Monero. Whilst Monero has subsequently deviated substantially from its CryptoNote origins, it still implements many of the key concepts below, and additionally improves a lot of the problem areas originally highlighted in this answer.

To understand how CryptoNote works we must first recap how Bitcoin transactions work. Essentially, in Bitcoin each transaction output has a public key associated to it (identified, though not revealed, by the Bitcoin address on the output), and to spend that output you need to produce a small script including a digital signature using this key. When everyone sees that transaction, they see that the old output(s) are spent (so they can forget about it, except as far as keeping historical blockchain data for new users) and that new unspent output(s) have been created. Ring signatures, on the other hand, are associated to an arbitrary set of public keys, and knowledge of only one is required to make a signature. CryptoNote uses this by having each transaction input be a set of potential unspent outputs of the same value, signed by a ring signature using all those outputs’ associated keys. It is impossible to determine which one is the “real” one that the signer is actually spending.

You might ask, if it’s impossible to determine which outputs are being spent, how can double-spending by prevented? CryptoNote solves this using a special ring signature algorithm (which is a modified version of existing signatures, so this is original cryptography and their security proof should be scrutinized — fortunately it is not too complicated) in which the real signing key has a key image associated to it, which must be published alongside the signature. This key image cannot be reversed to get the original key and deanonymize the sender, but if a double-spend is attempted, users will see that the same key image is used twice and reject the second attempt.

This provides good anonymity, but even with the improvements listed presently, this is not a zero-knowledge scheme. This means that linkability is confounded but an adversary with good analysis tools will certainly be able to glean a non-zero (literally, infinity times as much as zero) amount of information.

This is a very promising direction, and these signatures are feasible to verify by ordinary computers (though they are more difficult, so scaling will be worse than Bitcoin’s), but there are some serious limitations. Fortunately, all are fixable. The following list is the result of conversations between myself, Greg Maxwell, Peter Todd, Mark Friedenbach, Adam Back and several others (who I’m sure will contact me to be listed :)), and to the best of my knowledge hasn’t been published anywhere. So aspiring anonymous altcoins developers, here is a wishlist:

However, this can be further be improved by having users store only the outputs whose keys they own (plus some extras for anonymity) and only a subset of spent key images, which I will describe. The set of outputs would be stored in an insertion-ordered Merkle tree (so a user storing almost none of the tree can easily verifiably append new outputs, but can’t detect duplicates, which is fine). The set of images would be stored in a image-ordered Merkle tree (so a user storing almost none of the tree can easily add a new key image and verify that it didn’t exist before, given a proof of insertion, which is basically a path from the new node to the root of the tree, along with the siblings of each node along the way). To spend an output, the user provides a ring signature including the output, with appropriate key image and proof-of-new-insertion.

Note that to produce a proof of insertion for the new key image, the user needs to store all its neighbors in the key image tree. Since key images are random-looking, how can this be done without storing the whole thing? The answer is prefix-filtering. When a user creates a new key, he creates one whose first 10 bits (say) are a specific ten-bit sequence that all his key images will have. He stores every key image that starts these ten bits so that he can produce proof-of-insertion of such images. The result is a reduction in anonymity (by a factor of \(2^{10}\)) since everyone will know that nearby key images are more likely to be owned by the same person than are far-away ones, but a corresponding reduction in storage requirements (by a factor of \(2^{10}\)) and an increase in key generation time (since on average \(2^{10}\) keys will need to be generated before one with the right prefix comes along). This is a tradeoff that every user will have to make.

Peter Todd has suggested choosing a new prefix every few months or years, and retiring those in which every known key image has been used. This gets more privacy for the storage hit than simply decreasing the prefix length, since two key images in different prefix sets don’t reveal their common owner.

We can improve this to effectively CoinJoin all transactions in each block (with the caveats that (a) miners can deanonymize the CoinJoin, reducing anonymity to the smaller set provided by the ring signatures, and (b) it is possible to miners to detectably cheat, so there is a small window after mining in which block content might be invalidated by revealing its cheating, which increases complexity) (the complexity hit is because it is important that the block content, not the block itself, be invalidated, since otherwise miners could deliberately cheat then reveal the cheating later, giving them a large window in which everyone else is mining a bad chain). The exact scheme is described at the very top of this IRC log.

(The same security can be provided with fancy cryptography, specifically one-way aggregatable signatures (“just the math” by Greg Maxwell), which depends on pairing-based cryptography, which is slow and requires new security assumptions that make some people uncomfortable. The exact way these would be used is described from 21:24:58 onward in these IRC logs. It is very cool that we can get the same security with no new crypto.)

This can be fixed by requiring a minimum size of anonymity set, as Monero has done on a protocol level since March, 2016. But then we have a new problem — there are only so many outputs of any given size, and since all outputs in an anonymity set must be the same size (so the network knows how much you are spending), this might not be possible. This can be fixed by allowing outputs of any size in the anonymity set, and taking the minimum size to be the spend amount. But then given a ring signature across several outputs’ keys, people will know that the output with smallest size will be the “real” one. This is because each output can only be spent once, so if you mix it with smaller outputs, you are basically shrinking it to the size of those outputs since the network will only recognize the smaller value.

All these problems are addressed in the next point.

In fact, Greg Maxwell and I found a way such that every single output can be read as any uniform distribution of outputs (so 1BTC might be spendable as a single 1BTC output, or two 0.5 BTC outputs, or three 0.33 BTC outputs, etc.) There is a single “real” distribution, but only the creator of the output knows this, and it is not revealed except in the case of leaked keys. Therefore, literally every single output size can plausibly be claimed to be created by every output, and therefore all outputs can participate in each anonymity set. This scheme is described in this writeup.

With this is place, it is feasible to set a minimum anonymity set size, preventing people from using keys with no anonymity set and compromising their own and others’ anonymity. They can still do this compromise by revealing their secret key, but it’s not clear to me that this is even possible to prevent.

Monero has addressed this issue in a similarly powerful manner, by implementing a scheme based on Greg Maxwell’s Confidential Transactions. This novel scheme and implementation is called Ring Confidential Transactions. Because the value of outputs is no longer known under this RingCT scheme, you are no longer forced to only mix with a small subset of outputs (ie. those of the same denomination, which in CryptoNote and pre-RingCT Monero are all ^10 denominated outputs). This massively increases the potential anonymity set, and ensures that even large outputs are not “stuck” with only a handful of matching, mixable outputs.

And by the way, Dash (formerly Darkcoin) does not provide anonymity. They attached a (broken) implementation of CoinJoin to the ordinary Bitcoin client, and at least initially released it as a closed-source software. I haven’t looked into Anoncoin, but the best advice I have for folks looking into altcoins is to assume they are uninteresting (and probably dangerously broken) until someone has demonstrated a concrete technical innovation.

More accurately, the pseudonyms most commonly used are addresses, which are derived from public keys (not the longer public keys themselves).

In order for Bitcoin’s idea to work, you must have coins that can only be spent by the owner of a given private key. This means that whatever you send to must be tied, in some way, to a public key.

Using arbitrary pseudonyms (e.g. user names) would mean that you’d have to then somehow link the pseudonym to a public key in order to enable public/private key crypto. This would remove the ability to securely create addresses/pseudonyms offline (e.g. before someone could send money to the user name "tdumidu", you’d have to announce in the blockchain that "tdumidu" is owned by public key "a1c…​", and include a fee so others have a reason to announce it), reduce anonymity (by encouraging you to reuse pseudonyms), and needlessly bloat the size of the blockchain. It would also create a false sense of security that you’re sending to who you think you are (if I take the name "Linus Torvalds" before he does, then it’s mine and people might send money thinking they’re paying the creator of Linux, not me).

Using a pseudonym that either is, or can be calculated from, the public key removes these problems: the mere act of sending the money also describes, in cryptographically secure detail, who can spend it. As the existence of vanity addresses shows, it also allows a small amount of customization.

bitcoin.pdf

A always reuses addresses. Blockchain.info uses this to display their name and IP address along with their transactions, everyone else they’ve ever transacted with knows who they are, anyone can identify who they are with a simple google search, etc. Because A reuses so often even if A sometimes doesn’t reuse, the coins they receive inevitably get mixed up with the non-reused one. A is entirely public.

Now B is super careful and paranoid…​ and we’re not even in a world where blacklisting or whitelisting prevents B from comfortably using his paranoid practices. He never reuses. Someone is trying to figure out who B is because they want to defraud him. Initially they are thwarted by B’s pratices but then they see that B initially received his coins from A. Everyone knows who A is. Moreover, they see when they did so. From that alone they’ve learned a ton of information about B, beyond that they can now go ask A to tell them— they could coerce A, or just trick him, as we’ve already established that A is pretty happy go lucky and not very cautious. Beyond that it isn’t just A, B also transacts with other people who are not hygienic and those all potentially leak information too.

This actually works in practice, too…​ A nice whitehat hacker on IRC was playing around with brainwallet cracking and hit a phrase with ~250 BTC in it. We were able to identify the owner from just the address alone, because they’d been paid by a Bitcoin service that reused addresses and he was able to talk them into giving up the users contact information. He actually got the user on the phone, they were shocked and confused— but grateful to not be out their coin. A happy ending there. (This isn’t the only example of it, by far …​ but its one of the more fun ones).

Uh. We’ve gone pretty far offtopic here, perhaps these posts should be split from this thread?

While Bitcoin can support strong privacy, many ways of using it are usually not very private. With proper understanding of the technology, bitcoin can indeed be used in a very private and anonymous way.

As of 2019 most casual enthusiasts of bitcoin believe it is perfectly traceable; this is completely false. Around 2011 most casual enthusiasts believed it is totally private; which is also false. There is some nuance - in certain situations bitcoin can be very private. But it is not simple to understand, and it takes some time and reading.

This article was written in February 2019. A good way to read the article is to skip to the examples and then come back to read the core concepts.

People say the total will be 21000000 BTC.

... however:

After that, the reward is 0.

If you sum all these numbers together, you get 20999999.9769 BTC.

... however, either due to an oversight or intentionally, the coins created in the genesis block cannot be spent.

This leaves us with 20999949.9769 BTC.

... however, due to an early problem in Bitcoin, fixed by BIP30, it was possible to create a coinbase transaction identical to a previous coinbase. This caused the coins created by that older coinbase to be irreversibly "overwritten". This happened in block 91842 (overwriting the coinbase of block 91812) and 91880 (overwriting the coinbase of block 91722). Each time, 50 BTC was lost.

This leaves us with 20999849.9769 BTC.

... however, the protocol rules allow creating up to the amounts listed above. Due to various bugs and miners experimenting with code, some blocks claim less than allowed. Those coins can never be recovered.

This leaves us with 20999821.02921183 BTC.

... however, since recently there is a concept of provably unspendable coins. Coins can be sent to an "address" which provably burns them (using OP_RETURN). Bitcoin Core tracks these and removes them from its database, so they are easily accounted for. At least 3.71612692 BTC were burned this way.

This leaves us with 20999817.31308491 BTC (taking everything up to block 528333 into account)

... However, various wallets have been lost or stolen, transactions have been sent to the wrong address, people forgot they owned bitcoin. The totals of this may well be millions. People have tried to tally known losses up here.

This leaves us with: ??? BTC.

The bitcoin network is composed of 'bitcoin full nodes', which are computers located all around the world, each one running independently to verify the state of the network.

Part of that verification includes making sure that the right number of coins are being created with each passing block, such that the total number of coins in existence is known, and predictable.

To change this 'coin issuance schedule', you would have to change the code running on all of those computers, so that they would all independently agree on some new issuance schedule, and could all continue to verify which blocks are valid (or not), in independent consensus. If you could only change the code on some of those computers, then those computers would start to follow blocks which the remaining bitcoin network nodes would consider invalid, effectively creating an altcoin-fork of the network (similar to what happened with 'bitcoin cash').

Anybody, at any point in time, could create some software that changes the issuance schedule. Thats easy. The hard part is convincing everyone that is running a bitcoin full node to switch to this new code, which creates more coins. Nobody has the authority to push such a change onto the network (top-down governance), rather it is the independent choices of all of the network’s nodes (bottom-up governance) that defines the network.

So the answer is that you don’t have to trust someone to not increase the supply. You just have to run some code that will verify that they haven’t.

This post is a somewhat more-empirical sequel to “Two Types of Blockspace Demand”. And to my Building-on-Bitcoin talk.

Also covering Anti fee sniping

Fee sniping occurs when a miner deliberately re-mines one or more previous blocks in order to take the fees from the miners who originally created those blocks. Although re-mining a previous block is less likely to succeed than simply extending the chain with a new block, it can be more profitable if the previous block is worth much more in transaction fees than the transactions currently in the miner’s mempool.

Fee sniping is a problem that may occur as Bitcoin’s subsidy continues to diminish and transaction fees begin to dominate Bitcoin’s block rewards. If transaction fees are all that matter, then a miner with x percent of the hash rate has a x percent chance of mining the next block, so the expected value to them of honestly mining is x percent of the best feerate set of transactions in their mempool.

Alternatively, a miner could dishonestly attempt to re-mine the previous block plus a wholly new block to extend the chain. This behavior is referred to as fee sniping, and the dishonest miner’s chance of succeeding at it if every other miner is honest is (x/(1-x))^2. Even though fee sniping has an overall lower probability of success than honest mining, attempting dishonest mining could be the more profitable choice if transactions in the previous block paid significantly higher feerates than the transactions currently in the mempool—a small chance at a large amount can be worth more than a large chance at a small amount.

The problem is actually worse than described above because every miner who chooses to mine dishonestly reduces the number of honest miners trying to extend the chain. The smaller the share of hash rate controlled by honest miners, the greater the probability that a dishonest miner will be successful, so a single large miner rationally choosing to mine dishonestly can set off a cascade of ever smaller miners also rationally defecting to dishonest mining. If that persists for an extended period of time, confirmation scores cease to be a proxy for transaction finality and Bitcoin becomes unusable until the problem is resolved. We expect the most likely resolution would be centralization of mining—a cartel representing a majority of hash rate agreeing to never reorg each others’ blocks can restore stability to the system, but that comes with the increased risk that they’ll later censor certain transactions.

Peter McCormack: Hi there, Peter. How are you?

Peter Todd: I’m great, thanks.

Peter McCormack: Thank you for coming on the podcast. I’ve wanted to talk to you for quite a long time. I followed a lot of your work. And, one of the things that really stood out for me is when I went on your blog, and not only did I not understand the content of your articles, I didn’t even understand what they were about.

Like there’s a certain level of technical competence that I think you have to have to kind of understand this work. And, I then read about a story that you were emailing Hal Finney and Adam Back when you were at like 15?

Peter Todd: Yep.

Peter McCormack: I’ve got to ask about this. What’s the background? How does a 15-year-old start talking to Hal Finney and Adam Berk about Hashcash? What’s the journey to that?

Peter Todd: Well, the great thing with the Internet is, no one knows that you’re dark, and even when they do, they don’t care. And I mean, if you go back far enough, as a young kid, I watched a lot of Star Trek and thought the ideals of democracy and freedom of speech, they’re all said and well and good.

And, my dad’s an economist by training. So initially, really early on, I got interested in the freedom project, which is a decentralised censorship resistant publication network. Long story short is, it lets you make a website that no one can take down, lets you publish.

And I thought, “Oh! That’s really cool.” And, got interested in it, did a little bit of work on it. So actually, first time I kind of worked on creating an exploit, was actually against Freenet. The work I created a tool to go and map out the interconnections of different nodes, so those are all well and interesting.

But, I think the big issue with Freenet network, was, as I was thinking to myself, “Well, obviously the next step is you need decentralised money. Just being able to publish your thoughts isn’t enough. Political movements need money. Take a look, political movements for the marginalised, the poor.

If you’re a rich person, you have the way of funding the things you need to fund to make your political movement happen, whereas the poor don’t have that. We are often kind of talking about it in reverse, the rich will gain politics, and so on. And, reality, I mean you can’t kind of stop that. But, for the disadvantage, you definitely need that option to be able to move money around. You need to be able to without surveillance.

So, I think long story short is, somehow or another, I wanted upon a mailing list, the Blue Sky mailing list, which if I remember correctly, it was advertised on the Freenet mailing lists. So, I signed up, we started talking about stuff, and I spent a lot of time trying to invent Bitcoin, and like many people completely failed at it.

And, it’s really interesting looking back and seeing just how wrong I was, in almost 180 degrees offset what was the right answer. And, a lot of people, I think, had that experience.

Peter McCormack: So you tried to invent a Bitcoin?

Peter Todd: Yeah. I was one of many, many people trying to create decentralised currency. And, really failed at us.

Peter McCormack: What was version?

Peter Todd: Well, I think … I mean, I didn’t have a proposal, ’cause I realised all my thoughts on it weren’t going to work. But, I think what I caught so wrong was I had thought about Hashcash in terms of the thing that controls the creation of money. And, that’s not actually an important thing. The creation of money is not the important thing. It’s preventing double-spending that is.

The creation is just a onetime event. Allowing money to be moved consistently, and accurately without double spend, is actually the critical thing. And, unfortunately, because I tied proof of works to the creation so tightly, I never really came up with the concept of, “Well hang on.” No, no. We tied proof of work to the changes in the ledger, to make sure it’s difficult three or at the changes.

Peter McCormack: Right.

Peter Todd: And, my thinking on my kind of solution where we have some kind of decentralised database, how do you do that? I don’t know. It can be attacked, it can be civil attacked. And, I just constantly shot down ideas, and could never figure out, how do you make this work, when the answer was juts so simple. But, it was 180 degrees opposite what I was working on.

Peter McCormack: But, I’m guessing you’re saying it’s simple ’cause the answer was Bitcoin, right?

Peter Todd: I mean, literally someone could have sat down … Like honestly, it’s to the point where one tweet from the future, saying how Bitcoin works, would probably have been enough info for me to have created Bitcoin.

Peter McCormack: But, what is the key, the one key element then?

Peter Todd: Using proof of work to make changes to the ledger difficult. That one sentence, I think, encapsulates the key part of Bitcoin that we were missing back then.

Peter McCormack: So, it’s more the game theory than the code?

Peter Todd: I don’t even … The point is, I don’t even think the game theory part is a really critical thing. Like, absolute core of it that you must have is tying proof work to changes to the ledger, to make it expensive to change. You could probably have Bitcoin without even a financial reward. It would still work far better than any of the crazy ideas people had come up back then.

Peter McCormack: So, the Bitcoin white paper comes out, you’re obviously are aware of it, you read it. Is it obvious at the time or?

Peter Todd: Absolutely.

Peter McCormack: Oh, immediately you could?

Peter Todd: Yeah. For me, I believe I read the Bitcoin white paper for the first time, like late 2009. And, I remember, you know when I read it, I was like, “Oh, shit! I should’ve thought of that.” It was actually, for me, it was opposite many people.

For me, I read it, and this is obviously gonna work. And, only later did I come up with reasons why it wouldn’t.

Peter McCormack: Right.

Peter Todd: Whereas, for many people, they read and think, “How would this ever work?” And then, later they’re convinced it does. But, I’d been primed, ’cause I’d already worked on this and tried very hard. So, when I saw it that’s … It just was so obvious to me. “Oh, I was wrong. This was the missing piece”

Peter McCormack: How, as a 15-year-old, do you make the leap from realising that there is a need for money to finance certain projects and things, to it must be having to be a decentralised type of money that doesn’t already exist? How do you make that leap?

Peter Todd: I mean, the idea of e-money and cypherpunk stuff around that was not exactly like an unknown concept. I partly even read Sci Fi stories at the time talking about that. The notion of credits is really sort of a common term in Sci Fi stories. I mean. it’s just …

And also, money itself has a property. I mean, sure, it’s issued by the government, but paper money I can give to you, and no one can stop me. The idea that money would have to be controlled on transaction basis is this very new thing, pushed by big companies who want to go make money off this, and Law enforcement who would like to surveil everyone. This is the opposite of how money should work. This is not the status quo.

Peter McCormack: So, this Bitcoin worked then, or is it working?

Peter Todd: I mean, in terms of doing what money should do, it’s a hell of a lot closer than say PayPal. It’s a lot closer to what PayPal was meant to be. I mean, people who started PayPal wanted to create censorship resistant e-currencies. They didn’t have the tech to do it, and they didn’t have the legal frameworks to get away with it.

So, they didn’t. But, that was the initial concept with PayPal. So, Bitcoin’s a lot close to that. I mean, Bitcoin has scaled boldy problems. But, the core thing of what Bitcoin does is much closer to that than alternatives, certainly closer to things like Liberty Reserve, which of course got shut down.

Peter McCormack: Yeah, I guess there’s always been the centralised problem, right?

Peter Todd: Yeah. Centralisation kills things if they have adversaries. Often centralisation’s way to go. I mean, I have approached it myself, called Open TimeStamps, which is absolutely centralised. There are four calendars of the Open timeStamps system. I run two of them, two other people run another two.

It’s a centralised system. But, Open TimeStamps doesn’t really have adversaries in this way that Bitcoin does. And, no one’s going to profit by shutting down Open TimeStamps in the way you would with Bitcoin.

And also, because Open TimeStamps relies on Bitcoin for the truth of the timestamps, the central third parties on a position to fake things.

Peter McCormack: Okay. So, I wanna … I should’ve asked this at the start. I love asking this question, ’cause it’s so simple. And, the first time I heard it was when Epicenter asked Adam Berk, and it also blew my mind, just hearing it set out. So, I’m just gonna ask you again. What is Bitcoin? The answers are always different as well.

Peter Todd: Well, I’ll give you a different answer.

Peter McCormack: Okay.

Peter Todd: Which is, Bitcoin is a shared data structure, that we make artificially expensive to change, by destroying energy every time we update it.

Peter McCormack: Yeah. I’ve heard that one like four times. No. I’m joking. Yeah. I’m only joking. Okay. Okay.

Peter Todd: Bitcoin is an elephant, and it’s pink with like little spots.

Peter McCormack: I love the energy angle. So, you’ve been around since the start, right? It’s 10 years and-

Peter Todd: Not quite.

Peter McCormack: Pretty much.

Peter Todd: I mean, I’ve known about Bitcoin, since nearly the start. But, I actually got more active into it a bit later. And, the reason is, I mean, relative to many other developers, but the reason is because when I first learned about Bitcoin, well, I’d just started a new job at a crazy startup. And then, I was crazy enough to then also try to do a physics degree, while I was at the startup. So, I didn’t exactly have a lot of free time.

Peter McCormack: But, I mean, I’ve gone through the exercise of going through old mailing lists, and old Bitcoin talk forums. And, there’s a number of names I recognise. A number I don’t. And, I’ve seen you in there commenting and talking. So, you were there like pretty much since the start.

Peter Todd: I mean, I started working on this stuff full time 2014.

Peter McCormack: 2014.

Peter Todd: Which is a lot earlier than many people.

Peter McCormack: But, having been there, through the whole experience, how do you take it all in, because even though you knew it would work, there’s a difference between knowing theoretically it would work.

Peter Todd: Well, remember, I thought it would work.

Peter McCormack: You thought it would work?

Peter Todd: And then, I started realising, hang on, this isn’t as good as it sounds.

Peter McCormack: Right. Okay. We’re going to come back to those things. But, 10 years on is still exists. It holds billions of dollars in value. At one point, hundreds of billions. There is the talk of ETS. We have futures. We have so much happened. Did you foresee all this?

Peter Todd: I mean to be perfectly honest, this it doesn’t really surprise me that much. I mean, you always gotta be a bit careful. I mean, your memory of what you thought five years ago can be a bit vague. But, I don’t think if you’d asked me that many years ago, would it? Could it get to where it is now? I would have said no.

I think I would have said, “Yeah, I mean, this is plausible. It is an obvious utility. Digital gold is obviously useful. So, if things don’t fail and it continues to grow, I mean, surely could get to this point.”

I think the more interesting question is, well, how big could it get? And, I would actually put relatively small limits on it. We’re not gonna see … First time I bought Bitcoin, I bought it for 20 cents of a Bitcoin.

Peter McCormack: Right.

Peter Todd: And, I tell you, that was the best financial decision of my life. The worst financial decision of my life was only buying $20 worth.

Peter McCormack: Hold on. What is that? That’s like a hundred Bitcoin. Yeah. But, we won’t have hindsight.

Peter Todd: But, the thing with that is looking at how that grows. I mean, how many zeros is that times? Call it 10000 times growth or whatever, depending on what price you pick. We’re not going to get another 10000. The world economy is too small for that. We’re not that far away from having more money in Bitcoin than in the US dollar and gold combined.

Yeah. That’s if I remember correctly, it’s like a hundred X. That’s pretty … That’s a lot smaller than 10000X.

Peter McCormack: Yeah. But, I’m not convinced you care that much about price beyond the wider kind of a PR [inaudible 00:12:17] and brings people into the system. I don’t think you’re that. I don’t see you as somebody that is incentivised by the price.

Peter Todd: Well, I mean price is a funny thing, ’cause people often say, the price doesn’t matter. And, that’s definitely not true. Bitcoin security model relies on it being valuable. There is no getting around that. And, it probably would not work, if the price was said a thousand times less. Someone would probably attack it for kicks and giggles.

Peter McCormack: So, you were saying you started to look at the reasons why it won’t work. What were the main issues that you found, and where the things you attempted to try and break?

Peter Todd: Well, really, like the one big thing for me was when I realised, “Oh yeah. Scalability really matters, and this stuff doesn’t scale.”

Peter McCormack: Right.

Peter Todd: I figured that out, you kind of says embarrassingly late. But, in terms of like how long I was looking at Bitcoin seriously, fairly early. From the time I started looking at Bitcoin seriously, to when I realise this, and how important it was, we’re probably talking like three or four months.

And, that was while I was at a startup, doing a university career at the same time. Simple truth is, I just didn’t pay that much attention to it for quite a few years. And, when I realised that, well, I got very active and tried to solve this problem. And, also importantly got very active in debating people who thought it wasn’t an issue.

Peter McCormack: So, were you debating Rodger?

Peter Todd: Oh, he wasn’t around but around then.

Peter McCormack: Like you were going about earlier, okay. So, who would be debating this?

Peter Todd: Gavin Andresen, and actually literally debating Gavin Andresen on Bitcoin talk forums was probably the thing that got my name up there.

Peter McCormack: Right, okay. Because-

Peter Todd: There is a thread on Bitcoin talk where I disagree with Gavin Andresen, and it just spiralled.

Peter McCormack: And what? The disagreement was what? Block size?

Peter Todd: Exactly.

Peter McCormack: Okay. What did he want?

Peter Todd: His viewpoint was, yeah, he can … If I remember correctly, his exact viewpoint was you can have an unlimited block size. And, that was just such an extreme position. I laid out, very carefully, why this did not work. And, it wasn’t the first time there’d been a disagreement on that, but at least for me personally, that was the timeline when, “Hey, this is Peter Todd, the guy who disagrees with Gavin Andresen on this. And, these seem are a good point.

That’s really why my name got known. And, things just built on there.

Peter McCormack: But, there are different reasons why … Well, people give different reasons for why a larger block size won’t work. Some people I’ve heard discuss it because it doesn’t scale in computer power, ’cause of nodes.

Peter Todd: Remember, the notes Gavin’s view there was an unlimited block size. He thought the incentives were such that miners would voluntarily restrict the size of their blocks, even though they could make the biggest blocks if they want. And, I laid out basically with a bit of math and game theory why this is a bad idea.

That wasn’t even like a bigger picture. It’s just this is broken, because miners can do this when they create a bigger block, they’re going to push out the competitors. That’s kind of the arguments in a nutshell. And, the simple reality was, I was right on that. And, that’s just so well supported by academic research since. And, Gavin was just dead wrong.

Peter McCormack: And, has he ever come back and said, “You were right”?

Peter Todd: Nope.

Peter McCormack: Okay.

Peter Todd: I mean, there’s a reason why he’s no longer involved in Bitcoin in any real sense. He just wasn’t competent enough to do it.

Peter McCormack: Yeah. There’s probably more than one reason as well, right?

Peter Todd: Supporting Craig Wright was probably not the best move. But, all that stems from the fact he just isn’t that competent at what he was doing.

Peter McCormack: And, I guess it requires a certain level of competency to be able to work at that level. And, it doesn’t feel like there’s a lot of people at that level.

Peter Todd: No, definitely not. No. Most programmers in general, do you not have the capability to work on this stuff, because they don’t think it adversarially. It’s a tough thing for people to imagine. Most people are just not used to imagining, “All right, what are the bad things that could happen?”

Whereas for whatever reason, I, and a few other people, are good at that. I’m quite happy to imagine all the ways people could screw people over.

Peter McCormack: What do you make of Luke’s ideas around a smaller block? Is it 300K?

Peter Todd: I think his technical arguments for that are good, but I think he doesn’t understand the social side of that, which essentially makes it impossible. And after all, I mean, let’s face it, Luke is a crazy evangelical Catholic. He has very, very, very strong beliefs that are ultimately driven by very strongly held principles.

He is, to us, an evangelical crazy Catholic. But, that comes from him having very well defined beliefs and very strongly held principles. And, the logical conclusion of that is his belief system.

And, I think what Luke … I’m not even sure I could say that he fails to see, ’cause he may very well understand this perfectly, but you know why Luke would say something like that is, he has the principles, and he takes it to his conclusion. Whereas the way I’d put is, “Yeah. I mean, he’s not wrong, but it just ain’t gonna happen.”

Peter McCormack: Right. Okay. Where do you envisage the block size being in the future? Do you think it was gonna stay as it is, or do you think at some point there’ll be a change?

Peter Todd: Oh, I think it’s plausible actually for the rest of life of Bitcoin, we’re not going to see another block size increase. And, the reason why I say that’s plausible is ultimately things lightning and whatnot work pretty well. And, what would it be right now? Like 15 transactions per second or something is actually a fair amount.

And, the way people use Bitcoin, like after all, for Bitcoins be wildly successful, it doesn’t necessarily mean that people are actually making payments on it. Bitcoin as a store of value can be an incredible success story.

I think the bigger threat we would have is actually Bitcoin’s inflation schedule, ’cause in the long run … And, this isn’t a short term thing, but this is like 10, 20 years down in the future, there might not be enough inflation to pay for security.

Peter McCormack: I just wrote that down, actually. So, I’ve got a couple of questions about that. So, if it’s just a store of value, and there wasn’t enough Bitcoin being moved around for fees, and the mine of rewards have dropped, that’s a huge risk for the security of Bitcoin, right?

Peter Todd: Absolutely.

Peter McCormack: And-

Peter Todd: But, that’s a risk like 10, 20 years in the future. That is a very long time. And, by then, who the hell knows what the risks are?

Peter McCormack: But Peter Todd thinks adversarially, and I think that goes into the basket of things that you probably are thinking about now.

Peter Todd: Yep. Well, let me look this way. If I were able to go back in time, and redo Bitcoin, ’cause of course, I am Satoshi as is everyone else.

Peter McCormack: I’ve read it. I’ve read you invented Bitcoin at 12.

Peter Todd: Yeah, yeah. If I was able to go back in time and create Bitcoin from scratch, I would have made it have a perpetual say 0.5% or 1% inflation rate.

Peter McCormack: Okay. That’s controversial, for some people.

Peter Todd: I’ll put it this way if you can’t afford like a 0.1% or 0.5, or even a 1% inflation rate, what the fuck are you doing with your life? It’s 1% a year. So what?

Peter McCormack: So, who have you discussed that with? And, like you don’t have to name names. But, have you discussed that with people? What’s the general reaction? Because there’s no reason for that not to be introduced in the future, right? I mean …

Peter Todd: I think the general reaction is … Well, first of all, Bitcoin right now has what a 4% inflation rate. We’re a long way from any of this discussion being relevant. So, I think the general reaction right now is, it’s pushing it to the future. It’s just not a discussion worth having right now.

It’s drama, and of course, you look at my twitter account, and I don’t shy away from that. But, most of the development community wouldn’t really wanna touch the issue. And, I think they’re right. There is no reason to touch this issue until it actually matters.

Peter McCormack: What about if Lightning Network is hugely successful? And, people stop using the base chain, because Lightning is fast, and it’s cheap, is instant. Could we get to the point where there’s no argument to use the basechain, because Lightning is as trusted as the base chain? Do you see what I’m getting at?

Peter Todd: Well, I mean, Lightning security model is riskier than the base chain. It just doesn’t … Lightning, there’s a good reason to use it beyond scale. I mean, Lightning has much better UI experience. But, the simple reality is the Lightning security model is more dangerous than Bitcoin itself, assuming that you’re able to wait for confirmations.

Under certain cases, Lightning can actually be much more secure. I mean, if I go pay you with Lightning, the security of that payment from the point of view of being reversed 10 seconds from now is far better than the main chain ever could be. In effects, it will be better probably what an hour or two into the future.

But overall, if you’re making big payments that aren’t time sensitive, main chain has better security. On the other hand, this idea of Lightning taking my transaction fees, that’s not unique to lightning. Tons of things do this. Exchanges do this. Probably the most payment volume that happens is actually on exchanges. Liquid side chain does this as well. Liquid takes transaction fees away from the main chain.

There’s no end of things that take transaction fees away from the main chain. And, the inflation arguments I would give is very simple. It’s, well, make sure you always have this mechanism to ensure that the chain keeps marching forward.

Even with transaction fees, you actually need this for a kind of subtle to game theory technical reasons. The simple reality is, Bitcoin without an inflation subsidy has a much worse security argument than Bitcoin with an inflation subsidy, even if you have transaction fees paying for things.

Peter McCormack: I haven’t heard you talk about this a lot though, right? So, are you waiting? Is it a case of priorities? Deal with what needs to be dealt with now? And, you’ll bring this up in 10 years?

Peter Todd: Yeah. It’s just isn’t relevant for literally like another 10 years or so.

Peter McCormack: What about 10-minute blocks across the solar system though? When is that going to be a precedent? I read that.

Peter Todd: Well, yes. I did a talk, actually. I believe the title of the talk was a solar powered space miner. Yeah. Solar Powered Space Pirates, a Threat to Bitcoin. And, the simple answer to that is yes, if space travel becomes cheap enough that big mining operations are operating far enough away from earth that the speed of light gets people out of consensus, yeah, Bitcoin’s fucked, and we’ll probably have to increase the block control.

Peter McCormack: And, say are you general evil?

Peter Todd: Yes, I’m a bad person capable of love.

Peter McCormack: Okay. Outside of Bitcoin, ’cause other Bitcoiners are very Maximalist in nature. But, I have seen you talk about Zcash and a theory. Like, what’s your position on alternative coins and alternative currencies?

Peter Todd: Well, the thing is, I’m not a Bitcoin Maximalist. I’m a Maximalist. Anyone who understands economics and finance, and how markets work will be a Maximalist because it is more efficient to have one currency than a whole bunch of different ones. That’s just not a controversial opinion. And, it’s a controversial opinion amongst scammers who want you to go by their ICO.

But, standard non-scam driven, economic thinking, this is not a controversial opinion. This is how the Euro got created. And, there are certainly downsides to not having multiple currencies. The one world currency thing has a lot of very real economic problems. But, they’re not problems that apply to things like Bitcoin.

For digital payments in a decentralised environment, it’s just natural to end up with one coin. Whether or not it’s actually Bitcoin, who the heck knows? But, Bitcoin’s technical design and sort of technical ethos currently are definitely the most suitable for being the one currency everyone uses.

That’s just a matter of like simplicity, reliability, of disinterest in making deep dangerous changes. And, there’s just … Conservatism is a good thing for that store of value. It’s just a pretty obvious set of combinations that mean Bitcoin’s kind of the default there.

Peter McCormack: But therefore, is it good to have competing alternative currencies?

Peter Todd: I mean, it’s not going to hurt things. But, for the most part, the competing alternative currencies are scams.

Peter McCormack: Every single one?

Peter Todd: Well, some are more scammy than others.

Peter McCormack: Is Ethereum a scam?

Peter Todd: Ethereum is a funny example, because the way it was launched, and the way it was promoted, that’s much more of a scam than any of the surf currency itself. Had Ethereum, for instance, been launched. I mean, it’s hard to kind of come up with an example of where this would be possible.

Let’s suppose, hypothetically, somehow launch Ethereum, where it was just an add on to Bitcoin, where somehow the people behind Ethereum were making money off of it. This isn’t really technically feasible, but let’s assume for the sake of argument was. It would still wind up being a scam, even without a separate currency, because they were advertising things that they knew would not be possible.

Ethereum is just a bed of lies if you will. And, I think it’s very unfortunate, ’cause it also means a lot of academics, because they can get grant money from this, and because Ethereum is easy to experiment on. I think it’s pulled down ethical standards of academia.

And, it’s just an unfortunate position to be in. And, this is also … I mean, maybe a good way to explain this is the private chain side of things. Well, some of that’s perfectly reasonable. A lot of the more grandiose claims made are effectively scams. And, it’s sort of a new interesting category of scam where it’s not like we’re directly ripping people off, but rather were lying about what our products can actually do, and we’re getting away with it because it’s security.

And, in security, well I can sell you a magical rock that keeps lions away. How do you know it doesn’t work? There are no lions around.

Peter McCormack: So, what are the main claims for Ethereum then that you think of false?

Peter Todd: I mean, it’s a funny one, ’cause it’s tough to pin down because the main claims were designed to be vague. Claims like this is a world … A great example is the world computer thing. What does that actually mean?

When you start thinking about any reasonable interpretation of it is, no, this is total bullshit. But, it’s presented in a way which is vague enough, it’s tough to argue against. You’ve got to play pin people down on what does a world computer mean? What’s it actually computing?

Now, you ask a normal person, I think, “Oh yeah, computations done somehow on Ethereum.” And, it’s no, that’s not how it works at all. Your Ethereum node redoes the computation. It’s not a computer, it’s a verifier, whereas the sort of general way of building consensus applications I push is client-side verification, which is quite explicit.

Yes, we have this big dataset that your computer verifies. And, other people don’t even have to verify the data. They don’t even necessarily know what it means. They may never even have a copy of it. But, if I want to convince you that something’s true, like I just sold you a house, I give you the data to prove it’s true, and you verify that data yourself, and you come to a conclusion that yes, you now own a house, or no, I’m trying to defraud you.

That is a sane way to talk about block chains. A world computer is not. A world computer is a pie in the sky scam material. And, even Vitalik, I mean he’s kind of admitted, “Well, the world computer stuff was a bit of a red herring.” I’m sorry. The moment you say red herring, and please go and invest in my thing, you’re probably scamming someone.

Peter McCormack: I don’t get the feeling he intentionally scammed somebody.

Peter Todd: You know about his quantum computing thing?

Peter McCormack: No, tell me.

Peter Todd: Well, just prior to Ethereum, he was involved in a quantum computing scam.

Peter McCormack: Okay.

Peter Todd: And, essentially what the scam was was they would do simulated quantum computing that would somehow be better than anything else. It just didn’t make any sense. And, his claim is, “Oh! I kind of young, and just had higher hopes for it. That’s all.” No, you weren’t that stupid.

First of all, you were like 19, at university. You knew what this was. You knew this was bullshit. Yeah. The guy’s got the mind of a scammer, basically. He’s got the intentions of a scammer.

He’s very clever about it. He’s not someone who is careless. He’s not someone who gets himself clearly involved in a scam in the way that you can prosecute. But, he’s pushing dishonest stuff. I mean, that’s what scammers do.

Peter McCormack: So, ETH 2.0, I’m guessing you’ve read some of the specs.

Peter Todd: I mean, it’s one of those things where he just go put up a whole bunch of complex shit on the wall to try to be resistant to criticism. I think I believe Greg Maxwell was the one who deserves credit for this. But, he’s pointed out how the general approach of Ethereum crowd is, they put something out, it gets shot down because it doesn’t work. So, rather than go back and fix the problems, they make it more complex.

And, if you keep repeating this, eventually you appear to be secure, not because you’ve actually created something secure, but rather, you’ve created something sufficiently complex, it’s just too much work to criticise.

Peter McCormack: Yeah. I mean, I’ve read James Press, which is medium posts recently looking at ETH 2.0. I don’t know if you saw it.

Peter Todd: I might have.

Peter McCormack: I mean, the only thing I could think of when I was reading this is, “This just seems an insanely complicated way of creating a distributed database.” I was written about sharding, and then I was reading about state rent, and that certain things would be on chains. And, I was just thinking, “What’s this for?” I just can’t get my head around it.

Peter Todd: It is designed to be sufficiently complex that you can’t criticise it. Now, on the other hand, if I wanted to explain to you how Open TimeStamps works, I could do that in a morning, including the part where I explain how hash functions work. It is dead simple.

If I wanna explain to you how my proof Marshall Project works, I’d probably have to go spend the afternoon as well. This stuff is designed to be dead simple. I mean, this is why, on my twitter profile for a long time, the pinned tweet was, “A blockchain is a chain of blocks.”

Peter McCormack: I knew that was coming.

Peter Todd: Yeah. Blockchains are not complex things. People try to make them complex things, so they can go sell stuff, or in the case of academic skill, write papers and make them relevant. But, they just aren’t that complex.

Peter McCormack: Yup. And, they have one purpose. Like, Jimmy talks about this a lot. The blockchain has a really good purpose for Bitcoin and money. Nothing else really. And, I’ve tried-

Peter Todd: I actually disagree on that.

Peter McCormack: Well, that’s good, because I’ve tried to be open-minded, and tried to kind of just be as open-minded as a can say, “Okay. Is there something else here?” Like-

Peter Todd: You’ve gotta remember because I define a blockchain is a chain of blocks, I would actually have the viewpoint that, “Yeah. Blockchains are worth adding basically anything.” I mean, the moment you have a data structure, where you even wanna create a backup of it, it might as well throw it blockchain in there so it can update and ensure you have a complete copy.

My Open TimeStamps project, it’s a centralised system that creates timestamps, long story short. Well, one issue with it is if the central servers go down, you want to have a backup of all the timestamp proofs they made. How do you make that backup? Well, currently, you go and go through this HTTP, RPC, restful protocol, total box standard stuff, and he just download one after another.

How do you know that your copy of the back up is the same as mine? Well, obviously you gonna add hashing to it. Well, how are you going to add hashing to it? Well, why don’t you go and make updates, and have one update hash another? Oh, what do you know? We’ve created a blockchain.

Peter McCormack: Indeed a blockchain, yeah. Okay. So, I met with Zac Prince of Block Fight, and we have a long chat about Bitcoin. They do crypto back loans. And, it’s a market that makes sense. But, he also said, it doesn’t make sense when they’re Lending money, say to Argentina, that if you’ve got to lend out Bitcoin because it’s volatile.

He said it makes sense to do a stablecoin. A stablecoin is built on Ethereum. So, whether it’s a scam or not, the fact that people are building things that people are using, how do you sit with that?

Peter Todd: Well, so the point I’d make there is, the stable coin’s built on top of Ethereum. From a tech perspective, that could actually be the right decision. And, the reason why there can be the right decision is, yeah, I mean the infrastructure is there. We know we can throw together something. It doesn’t work as well as it could. But, the tooling’s there, we can get it done, push it out the door.

I’ve literally told clients of mine, “Well, you actually might want to build this on Ethereum, ’cause alternatives don’t exist yet.” We know they can exist, but the effort to actually make it work hasn’t been done yet. And, in all equally, I’d say the stable coin idea is just an obvious no brainer.

You might want to have exposure to this currency. Why wouldn’t you want to have some nice digital way of doing it with a well-defined trust relationship? It’s just not a complex thing to talk about. It has very obvious reasons to, in much the same way like having an ETF, it makes a lot of sense for certain people.

Now, having an algorithmic stable coin, where you try to do consensus, decentralised magic to keep the price stable, there’s a pretty good reason. I think those are impossible. It’ll never work.

But, a trusted stable coin, where you have a central issuer, who you have legal mechanisms to ensure that you get your money back, yeah. I mean, why not? Hell, in some cases, a stable coin that’s actually a total fraud can actually make sense. If I’m a trader, and I want to temporarily move out of a position into a stable thing, and then move into another position, even if the stable coin is a total fraud, and there’s no US dollars or whatever backing it, it can still be useful for me as a trader, because my risk of the stable coin going belly up, and the fraud playing out maybe less than the risk I have of not moving my currency, not moving my assets into that stable currency for whatever reason I needed to.

Peter McCormack: I only see the two use cases. I see Bitcoin and a stable coin. That to me is pretty much all I think we need, personally. I mean, you probably can think of some great other examples.

Peter Todd: Well, if you’re talking about money, and things related to money, I think you’re a lot more right than people would want you to be.

Peter McCormack: Yeah. Well, do you know why? Because other people want to invent other uses for blockchain, ’cause they want to monetise it. And, other people want to shoot down stablecoin-

Peter Todd: So, I guess the way I’d put it is, if there’s a money component involved, I think you’re ultimately right. If there’s not a money component involved, and we’re just trying to do something related to some asset or some data structure, which for a reason we what consensus over, I mean, yeah, block chains basically always make sense.

But, that’s because of blockchain is just a chain of blocks. It is not rocket science. I mean, I love the example GET. People say, “Oh, but then is GET a blockchain?” And, my answer is, well yeah. it’s basically a blockchain. It doesn’t quite precisely match the linear chain of blocks in how we use it. But, why GET is a set of hashed things in a direct acyclic graph is essentially the same reason why Bitcoin is a chain of blocks.

I want to make sure that my copy of the source code on my computer is the same as your copy. That’s why Bitcoin is blockchain. That’s why GET has something nearly a blockchain.

Peter McCormack: What about privacy coins? Obviously, I’ll see you tool more about Zcash than-

Peter Todd: Say proof of what?

Peter McCormack: Privacy coins.

Peter Todd: Oh, privacy coins?

Peter McCormack: Yeah. So, I’ve seen you talk about Zcash more than, say, Monero. What’s your position on privacy coins?

Peter Todd: I mean, they make a lot of sense if they work. The only reason I want to talk more about Zcash that Monero is Monero has less wrong with it.

Peter McCormack: Okay.

Peter Todd: Monero definitely could, in theory, have less privacy than Zcash. The underlying idea of what Monero is, it certainly has the potential for less privacy than Zcash. But, the Monero people have just done a competent job implementing something with very little drama, and the people behind it all seem pretty ethical. And, there’s very little criticised about Monero.

Peter McCormack: It’s the only other crypto I hold. I’ve got Bitcoin and Monero.

Peter Todd: Yeah. I mean, I hold essentially trivial quantities of Monero and Zcash, enough to use on occasion. But, in theory, Zcash should be better. Its privacy, the potential for privacy’s much better.

Peter McCormack: Is that ’cause it uses Zcash nodes?

Peter Todd: Exactly. Yeah. The difference is, in Monero, your payments might’ve come from immediately one of say 10 different people, and then of course you know a hundred and so on, whereas in Zcash, the moment you do a payment, if it’s a shielded payment, you’re now part of this big anonymity set.

What’s wrong with Zcash is sort of all the implementation details and sort of the people behind it.

Peter McCormack: Wow! So, I interviewed Zooko last week. And, one of the most important questions I think I put to him is I said, “Is a Zcash a company?” ’Cause that’s what it feels like. It feels like it’s a company.

Peter Todd: Yeah, it is, effectively. And, the reality is the way they do … The way they will do Zcash is very explicitly centralised. And, they kind of try to put fake leaves on edge. But, probably it’s a company of a few different people with really dubious ethics. It’s just …

I mean, it’s kind of fortunate, ’cause it’s a scary thing to have. The best privacy tech out there, for that type of use case, run by people who will lie to you.

Peter McCormack: Yeah. And, I’m not surprised that it seems like [inaudible 00:38:40] brothers have a preference to Zcash. It didn’t surprise me.

Peter Todd: Yeah. Well, the thing I think with it is, people in that kind of sphere, they would rather work with people who are not totally ethical. I get the sense this is why Coinbase and Zcash kind of seemed to get along, because they kind of see eye to eye on, “Well, we’re not going to strictly tell everyone exactly how this really works. We’re happy to Futz with stuff.”

I mean, when they did the trustee set up. The simple reality is they botched it. And, rather than just come and say, “Look, here’s where we made our mistakes. Here’s what we’re going to do better.” They just lied. They said it was multiparty set up in. And, the reality is, it wasn’t.

It was intended to be, but due to technical failures, I don’t think you can make that claim. In the Bitcoin world, I think had that happened with the people behind Bitcoin, they would have said, “Look, we screwed up this, this, and this. We’re going to fix this next time. Here’s the timeline where we roughly wanna do it. Here’s why this isn’t necessarily a big deal, et Cetera, et cetera.”

Had Zcash has simply done that, I think Zcash would still be a success. But, that’s not the way they think. They think, “Well, shit, we got to have good PR on this. We’ve got to preserve our money coming in.” And, after all, I mean, they get a ton of money from Zcash. They have incentives to hide flaws, because that’s her income, whereas in the more long term view, would be, “Well, all right, we might lose some money in the meantime, while we lose some market confidence. But, the longterm effect will be people will actually trust us.”

I don’t trust Zooko not to lie me.

Peter McCormack: Yeah. I’ve got to say, I trust Ricardo a bit more.

Peter Todd: Yeah.

Peter McCormack: You’re a big fan of Ripple Coin, right?

Peter Todd: Well, I think Ripple’s wonderful idea. You mean Ripple, the original concept to like peer to peer payments, right?

Peter McCormack: I’m on about Ripple Coin.

Peter Todd: Yeah. That’s remarkably scammy.

Peter McCormack: Yeah.

Peter Todd: It’s interesting. So, I, at one point, worked for R3. And, I should be careful what I say here, cause there’s probably NDAs, and they’re a bit … They are not very happy with me. But, long story short, I think what I can say is, initial was working as a consultant, evaluating other coins, and other systems. And, I think their business plan there was let’s just go buy something and let’s package it up and sell it to banks. A perfectly reasonable thing to do, act as middlemen.

Well, they had me analyse Ripple, ’cause at the time, there was a lot of interest among banks. And, I analyse it, and said, “Yeah, the centralised system obviously.” Which isn’t necessarily a bad thing. For banks, I think, that would have been fine.

Of course, I soon found out, they weren’t saying it was centralised banks. They were just flat out lying about what it actually was. So, when I did a big presentation in front of most of the world’s major banks and representatives from them, they’re like, “Wait, Ripple’s what?” ’cause they’d been lied to.

And, ripple these days, I don’t actually get the sense that’s true anymore. I get the sense that Ripple, the company, has become much more reasonable. But, Ripple’s tied to currency, and they don’t have any ability to get rid of this currency, which doesn’t really … It isn’t needed for technical reasons.

So, I think they’re putting in a very awkward position where there’s rabid fan base of big holders, essentially.

Peter McCormack: Very strange group.

Peter Todd: Yeah. Very, very strange. And, I would not be surprised if … Like as an example in Twitter, you say something about Ripple and the XRP troll army comes down on you. I would not be surprised if, for the most part, that sort of army of crazy people is actually not that involved with Ripple, the company selling things to banks. I don’t think that that dumb.

But, they can get away with it. There’s no mechanism for Ripple, the company, to actually extract themselves from the currency. Like it or not, they created the currency. They own a big chunk of it. They can’t get away from that. And, I mean this is one of the real dangers of creating coins for services. You might get tied to a coin that’s pointless.

Peter McCormack: Well, that’s why I call it Ripple Coin. I never changed from Ripple Coin, because I think it’s important for people … It was like with Bitcoin cash becoming BitCash. The alternative name, I think, was important.

I always call it a Ripple Coin, because I think people have to know, they have to know, it was created by the company. That it wasn’t a gift.

Peter Todd: I mean, it’s worse than that. I mean, last I checked in government, I haven’t looked very recently, the consensus was still controlled by the Ripple company. You can’t get away from the fact Ripple’s architecture is centralised.

The XRP community can say all they want. “Oh, all you know, it’s just nodes. You can go pick a different set.” Well, yeah. I mean, I can go pick a different currency. Unless you and I agree on the same set of nodes, the reality is we’re not looking at the same currency. And, that was really all my paper was.

I just pointed out. Yeah. Obviously, if you pick a different set of central nodes controlling the consensus than me, we can get out of consensus, and all hell will break loose. Thus, the only sane thing to do is pick the same set of servers for control of consensus.

Peter McCormack: One thing I do want to ask you about is because I think one thing, a lot of other alternative currencies have managed to do, whether it’s right or wrong, but by design have been able to create an incentive structure and financial incentives for developers.

Bitcoin is still largely voluntary, or there are some contributions in different ways. I know you’ve had a contribution. But, it’s-

Peter Todd: My point is not voluntary in the sense that developers go unpaid. It’s voluntary in the sense that the currency itself isn’t directly paying developers.

Peter McCormack: Of course, yeah.

Peter Todd: But, the reality is there’s enough money floating around for developers get paid, even total screw ups like me.

Peter McCormack: Are you still working on Bitcoin?

Peter Todd: I’m not working on Bitcoin core. But, I am working on projects around it like Open TimeStamps and Proof Marshall. And, I’ve had surprisingly good success getting paid for that.

Peter McCormack: I guess it depends on who you are though. And, the reputation you’ve built, you can be funded. But, when you say there is funds available for developers, I mean, how do they go about receiving funds? How do they do it?

Peter Todd: I mean, it’s kind of like anything. You do a bit of work, you show that you’re competent, and you find someone who’s interested in paying you to do more work. If you’re competent, and you prove that, the simple reality is there are ways to go get money. It is not the hardest part.

The hardest part is getting to the point where you’re confident. And, the things that us, even in coins which have developer funds, getting money out of those developer funds is surprisingly hard.

Peter McCormack: Right, okay.

Peter Todd: Like Zcash is a great example where the Windows clients for Zcash we’re completely unmaintained because Zcash wasn’t giving them any money.

Peter McCormack: Okay. So, ’cause I sort of say would Luke put up his patron, and I supported them. It just feels like there should be almost like something he shouldn’t have to worry about.

Peter Todd: How? I mean, the simple reality is, having funds in these coins is not a magic solution to that either. Yeah. The bigger problem is more you getting to a position where you’re doing interesting work that’s getting valued. And, if you’re able to do that, and actually contribute, getting that money is not that hard.

Peter McCormack: Is there enough developers coming through? ’Cause we talked earlier about enough of the kind of biggest and brightest minds who can really think adversarially or think outside the box. But, are there enough developers coming through who can we just work on more simpler tasks?

Peter Todd: The impression I get is mostly yes. But, the interesting thing about this is like Bitcoin core itself, that actual core software, I may not be very popular saying this, but I think it’s true that they’ve got good enough developers, maybe a little too many.

Bitcoin core itself doesn’t necessarily need to change that much. And, it can change on a somewhat slower basis than it has. I mean, it’s not really a big concern. The more interesting thing is like all the periphery infrastructure around it. Things like libraries that actually work are well documented and so on.

And, that’s not very sexy work. So, that may actually be the thing where we need more money put into. But, when you look at other coins, which should do over funds, they don’t do a good job with this either. So, it’s not like this is a magic solution that’s proven to work. This seems to be more a solution which has proven to make the people founded the coin a ton of money.

Peter McCormack: Yeah. I spoke to Brian Bishop. And, I think he says something along the lines of, “It would be great if some parts of the cost start to become compartmentalised, ’cause it’s kind of a big sprawling mess right now.” Is that correct?

Peter Todd: Oh, yeah, yeah. The fundamental like Bitcoin core architecture is not, I think, how you would do it these days. I think in the context of when it was created, it was probably the right decision to make. Do this very simple thing, which one person can create, and one person can comprehend, and it’s just one code base that’s very easy to review. But, for what we want it to do now, it’s probably not ideal.

On the other hand, I mean, people often think, “Oh! Bitcoin core doesn’t have this feature. It’s terrible.” Well, so what? Just turn on Bitcoin core node, grab the data from it and do whatever you need to do. What do you need to do? Do you need to have an index of transactions? Just follow the blocks and index your transactions. It’s slightly less efficient. But, so what?

Peter McCormack: Even if people who kind of want the base change essentially ossified. Is that the word they use?

Peter Todd: Base protocol is pretty stable. Not quite as stable as say TCP/IP. But, it’s reasonably stable. And, equally, so has the stability of TCP/IP held back the Internet. I don’t think you’d make the case at all. If anything it’s helped it by having the simple thing that works, and you can build on top of it.

Peter McCormack: I wanna ask you a bit about the work you’ve been doing. But, before that just one kind of … I’ll say one final question. I haven’t got through hardly anything here. This has been great. But, I do want to ask you about your views on fungibility, because in doing my interviews, I’ve kind of had two different perspectives.

There are some people who do want fungibility on the base chain. But, there are some like Saifedean wouldn’t. Saif’s view is that we want to say a completely transparent based chain, so we can ensure nobody is operating with say, fractional reserves. Where do you sit in that kind of field?

Peter Todd: I think his viewpoint is technically ignorant there. You can definitely have … I mean, as an example, ideally, Zcash would be completely non-transparent. In reality, it’s nearly entirely transparent, ’cause you’re actually using the shielded transaction features is hard and discouraged.

But, in theory, Zcash could be completely shielded. And, even then, it’d still be easy to be transparent. The better argument to make there is all the technology for privacy on base chains is potentially dangerous.

Peter McCormack: Okay.

Peter Todd: Yeah. Example being, with Zcash, you have that trusted set up. A trusted setup could easily fail. Implementation bugs could easily cause it to fail. In fact, the fundamental Zcash library, the thing that verifies transactions, just prior to release, they found a bug in it that could have allowed a moment of inflation. And, that’s not even like a trusted set up failure. It’s just a simple bug in it.

And, it’s not an easy bug to find. You really got understand math in very deep detailed find something like that, because you’re relying completely on the math to protect you from inflation. Whereas in Bitcoin you’re relying on stuff you could explain to a drunk art student. Speaking about a fine arts degree.

So, I’m a little bias there. I liked this level. But, that’s useful, ’cause it means tons of eyes can see this stuff. When Bitcoin had this some recent inflation exploit-

Peter McCormack: CV bug.

Peter Todd: Yeah. Had that actually being used, chances are alarm bells would have gone off in tons of places, because people are looking at, doing the math, figuring out how many Bitcoins are in existence. Does this number make sense? Any idiot can do that. It’s not hard. For Zcash to do that, you need to re-implement all Zcash nodes. And, it is a nightmare.

Peter McCormack: So, I guess you’re keen on some form of fungibility, but do you … Are you keen on it, say as a side chain or some kind? Like how do you-

Peter Todd: Well, I mean, Lightning adds that. Any add on to Bitcoin that’s scalable will naturally have better fungibility. And, the reason is, to scale, you have to distribute less data to less people. It’s just not possible to create a scaling solution that doesn’t at least add privacy to some adversary.

As an example, Coinbase. Let’s suppose, well, PayPal. Let’s go really out there. PayPal, compared to Bitcoin, has better privacy against most adversaries. If I pay someone with PayPal, North Korean spies don’t know what I did.

Obviously, the US government probably has a full copy of everything. But, most of my adversaries now do you not know that I made that payment, and have no way of knowing. That is categorically better than Bitcoin from that narrow perspective.

If my adversary’s US government, totally different discussion. But, PayPal scales. And, the only way it could scale is by reducing the data available to the bad guys.

Peter McCormack: Okay. All right. Look, we’ve done a lot here, but I do want to cover some of your work. So, when I spoke to Jack Ma, he was like, “Peter’s really busy working on Proof Marshall.” I don’t know anything about it. Can you tell me, what is Proof Marshall?

Peter Todd: Well, all right. So, first of all, my simpler project is Open TimeStamps. And, Open TimeStamps proves data existed in the past. The problem with Open TimeStamps is it doesn’t prove anything about whether conflicting data also existed. An example being, I sell your house. I give you a sign digital document saying, “I, owner of 1234 Main Street sell it to you.”

What you don’t know is if I already sold that someone else. Proof Marshall fixes that problem by … It’s a library to create data structures where you have consensus over. And, what consensus means there is simply, in the definition of selling a house, all the possible places where I could have put that data, you now can see. Thus, you can rule out me selling the house to someone else.

And, how do you do that? Well, you throw in a whole bunch of Merkle trees and hashing. This is … I mean, what’s hard about Proof Marshall is that the strategy for the implementation is effectively taking pointers and abstracting that concert.

Pointers are such a low-level fundamental idea in computer science that just … The low-level mechanics of actually implementing this is challenging and tricky to do well. And, you get a lot of issues. Like, if I’m giving you a math proof that now you own this house, I want to make sure that even if the code or writing that application isn’t that careful, that math proof won’t, for instance, use up all the memory in your system.

Turns out that’s actually a hard problem. It’s not a hard problem for like Bitcoin level reasons. And, this is an economics problem. It’s just, it’s a tough thing to implement at a computer science level, or maybe I’m just not a very good coder.

Peter McCormack: So, what’s your status? Where are you at with the project?

Peter Todd: About two weeks, for sure.

Peter McCormack: All right. Is that this week?

Peter Todd: No. I mean, truthfully, it’s something where I’m always thinking, “All right, I could finish this in two months.” But, two months later I say, “Oh, yeah. I didn’t realise but this isn’t this.”

I mean, as an example, the first version I had, for how it would represent, how it would obstruct a pointer, made the assumption that you always hash the data. And, I did a bunch of work in that, and I was, “Oh, yeah. That doesn’t actually work. That causes other technical problems that, long story short, this doesn’t work.”

Another example was I had this … My most recent implementation had a thing where when you took the data, in processing, and deserialised it, you would make a copy of it. And, I naively thought, “Oh, that’s not big deal. Make a copy of it. It’s all well, and good.” Of course, I go through the adversarial think, I was, “Oh, shoot. Because I made a copy of this, now my API doesn’t have a good way of assuring I don’t run out of RAM, ’cause all of these extra copies.”

So, I had to effectively redesign it so that all the data can be operated on directly. If you’re a programmer, the term I would say is the serialised version of it is identical to what you would process in main memory. Thus, you don’t have to make a copy to process it.

And, this is all like very much in the weak technical stuff. But, to make a robust implementation that works well, you have to solve these problems. And, it’s just hard. And, because it’s still at such a fundamental level of design, having two people work on it once, it’s very challenging.

Peter McCormack: Okay.

Peter Todd: ’Cause if I make a change, I’m usually changing how any of the code works. And now, if I have a partner working with me, suddenly everything they’re doing is broken. Maybe if I was sitting next to a guy in an office, this might go faster. But, it’s just not there. And-

Peter McCormack: It’s a one-man project.

Peter Todd: Yeah, yeah. For now. But, if it works, it’ll eventually work, and long store short is it’ll be a nice library to write consensus applications, to do all kinds of things you want. As an example, you could even implement GET and Proof Marshall to just have a good way of making sure you and I have the same copy code. Certificate Transparency is another example.

When you go to a website, the certificate that proves your talking to the computer you think you’re talking to, like your bank, for instance, that are published in a blockchain. The people who create certificate transparency, of course, hate the term blockchain and probably would strangle me if I said this in front of them. But, the reality is the data structure is effectively blockchain.

In proof Marshall, you could do things like that and … All right. You can do them now, but it’s just a lot less work when you have a library that just does it for you. It’s like … I mean, SQL databases are like this.

Sure. Prior to dimension SQL, you could, in theory, do anything you do with. It was just so much more work to get there.

Peter McCormack: I think I’ve kept up with about a good 50% of today.

Peter Todd: Well, it’s enough to do a 51% attack.

Peter McCormack: Well, yeah. I do wanna do that. I wanna 51% attack. We’re just going to have to do another one another day, ’cause there’s so much more wants to talk to you about. But, there is a couple of final closing things I want to talk to you about. One is just a bit left field.

I’ve noticed you tweet quite a bit about journalism. Why does that get to you so much?

Peter Todd: I think this really comes down to … And, I’ll say straight off, this is an example of not staying in your lane. This kind of phrase going around, stay in your lane, only talk about the stuff that you’re supposed to do professionally, and so on. And, I really don’t care what that for Twitter.

And, a lot of that gets down to, what does it take to have a society of the functions? You have to have people agree on basic facts around the world. And, I think the reason why I’m critical of that, same reason ultimately I’m critical of many scams in the crypto world, where people were saying things, but the projects just aren’t true, and polluting the ecosystem of ideas with false things.

And, unfortunately right now, we have a big problem with journalism where, first of all, it’s not very fun. It’s not well funded. It just isn’t that money to actually pay journalists to do their job properly.

I have quite a few friends who are journalists, and I see this every day. I mean, the timelines they have to operate on are ridiculous. There’s no way for them to do a good job given how fast they have to put out articles with how little help. And, on top of this to make money, you wind up with all kinds of dark practices, like clickbait.

And, when you combine that with the very ugly political landscape of the US, you get really ugly things like Covington, where I think it’s pretty fair to say major media organisation are, “Oh, this is a great story. Fits our narratives really well. We’re going to get a ton of clicks on this. Let’s rush published before anyone else does.”

And, the rush to publish is a really big deal. I’ve been told, directly by people managing media organisations in the crypto space, that collectively people like me are a huge competitor to them, because I can tweet faster than they can publish, and literally minutes matter in this stuff. If they’re not first to publish, they will get less clicks, less views, less money.

It sounds so stupid, but this is the truth of it. And, that pushes a cycle that just doesn’t allow for good research and good work. And, unfortunately, there are no easy ways to stop this. Maybe one of the solutions could be more use of defamation laws, and life moves on. But, there are very like very, very real risks to this for freedom of speech.

Peter McCormack: Yeah. I mean, my last interview that went out yesterday was Andrew Torba from Gab.com. What do you think of Gab? I mean, the content is tasteless. But, do you agree that …

Peter Todd: I’ve never actually looked at Gab’s website itself. And, I’m kind of sympathetic to them. I mean, I think organisations like that should be able to exist. I think the fact that they’ve been deplatformed from payment providers is a straight up antitrust issue. And, they’re not the only example of this.

I mean, the fact of the matter is companies like PayPal, MasterCard, Visa, are able to restrict freedom of speech very effectively. Not as effectively as they could without safe things like Bitcoin. But, the amount of control they have over what content gets produced is very scary.

Where deplatforming ends up is people being able to restrict speech, because they can say, “I don’t like what you’re publishing, and we’re going to cut off your money.” And, you can’t, for instance, do journalism without access to a flow of money to go pay people to do stuff.

And, this is a very, very real issue. What Patreon has done is scary. Now, as a libertarian, I’d say Patreon itself, I don’t have issues with them cutting off people. What I have issues with are the payment providers who have now said, “Oh, you’re trying to compete with Patreon, we’re going to cut you off as well.”

That’s where I think this crosses the line. It’s getting very scary as a society. So again, do I support Gab itself? Whatever. Let them do what they want. But, do I support fighting back at why Gab has a hard time running a business. That’s what matters to me.

And, I’m just not that concerned about people spreading hate on the Internet. I don’t think that’s actually a big concern for society. Particularly when we go see the left’s doing exactly the same thing but in a different context. There’s no like clear moral high ground here. And, obviously, if the left can do this, and society hasn’t collapsed, it’s not necessarily such a bad thing.

And, in some ways that kind of thing pisses me off more ’cause I definitely identify as liberal.

Peter McCormack: Well, yes I do sometimes. But, I was saying to Andrew that like politically, I’ve got no idea anymore where I am, because I’m finding so much to dislike about everyone. But also, there are these certain conservative things I do like, and then there’s a kind of liberal things I like. And, I’m just so confused. I don’t know where to position myself.

Peter Todd: I mean my entire adult life … I live in Canada. My entire adult life I’ve voted for the Liberal Party, which in Canada, the Liberal Party’s what the name suggests. It’s the Liberal Party.

These days I’m not sure I identify with them anymore. I’ll probably still go on voting for them because they’re the best of bad options. But, yeah. And, I think part of it too is like many of the social issues I do care about. Like freedom of speech, and gay rights and so on. A lot of that’s actually kind of solved.

Abortion’s legal in a lot of places. Gay Marriage is legal. The things that I cared about, we solve those problems.

Peter McCormack: Through free speech.

Peter Todd: I mean just through like the way politics moved. The Conservative party’s eventually, “All right, fine. We’ll go along with this.” And then, probably isn’t … At least in Canada, it’s probably not going to get reversed. So, now it’s like, “Oh, do I need to go vote for liberals again? I mean, the things that we’re fighting for gut solve, the things that they’re now fighting for, I don’t agree with. It’s a very strange situation to be in.

Peter McCormack: I think we could do a whole show on this. All right. Just to close out. We’ve had 10 years of Bitcoin. So, we look back. Looking forward over the next 10 years, what are the key things you would like to see happen? And, what are the most important things, not just in terms of code and develop it, but just overall for Bitcoin? What’s gonna be important?

Peter Todd: Well, I’ll give you a very specific answer, which is the things I’m working on with client-side validation like Proof Marshall I think are critical to moving this stuff to the next step. Getting past this narrative of all we need some Ethereum chain, where everything’s in one place, which we knew just doesn’t work.

I think smart contracts are actually really useful. But, they’re not useful done in the way Ethereum people want to do them. It doesn’t work technically. So, yes, this is kind of very narrow answer. But, this is the stuff I’m directly working on. And, I think that’s a very fruitful ground for making new and interesting things.

Beyond that, I mean, I’m sure the Lightning crowd, and so someone will do great work in making payments better and so on. But, on the store of value stuff, just not screwing up is enough to make that possible. So, that’s kind of my answer there.

Peter McCormack: Great. This was utterly fantastic. Thank you so much for coming on.

Peter Todd: Thank you.

Harmony and Discord

Bitcoin experts talk often of consensus, whose meaning is abstract and hard to pin down. But the word consensus evolved from the Latin word concentus, "a singing together, harmony,"[1] so let us talk not of Bitcoin consensus but of Bitcoin harmony.

Harmony is what makes Bitcoin work. Thousands of full nodes each work independently to verify the transactions they receive are valid, producing a harmonious agreement about the state of the Bitcoin ledger without any node operator needing to trust anyone else. It’s similar to a chorus where each member sings the same song at the same time to produce something far more beautiful than any of them could produce alone.

The result of Bitcoin harmony is a system where bitcoins are safe not just from petty thieves (provided you keep your keys secure) but also from endless inflation, mass or targeted confiscation, or simply the bureaucratic morass that is the legacy financial system.

Discord

Discord is the enemy of harmony. If, in the great chorus of Bitcoin full nodes, half the singers decided to suddenly switch tunes, the harmony would be lost. In its place would be two smaller singing groups who try to out sing each other (or who may compete through less scrupulous means), leaving everyone worse off.

This is what a contentious hard fork has the potential to do.  Some people will program their full nodes to sing one song; other people will program their full nodes to sing a different song.  In the cacophony that results, there will surely be confusion, recriminations, and loss of confidence.

For this reason, contentious hard forks are to be avoided.

But this doesn’t mean we have to sing the same song forever. We have other options. The first is gathering widespread agreement to change to a new song---to hard fork the system without giving discord a foothold.

The second way is to add new layers to the existing harmony.  A chorus will often sing accompaniment to an orchestra, and together they can entertain audiences neither of them could have pleased alone.  Soft forks are the preferred method for adding new features to Bitcoin because they allow old nodes to continue to sing the same old song (unless they’re miners), while new nodes get to partake in the expanded choices.

Given two forking paths to the same feature, a soft fork is the safer option because it leaves no room for discord, and no risk that the essential harmony that underlies Bitcoin’s security will be lost.

[1] Cassell’s Latin Dictionary, Wiley Publishing, fifth ed.

Publish date: Aug 23, 2017

Segregated Witness (SegWit) has activated on Bitcoin. As of today, all SegWit-ready nodes on the Bitcoin network are enforcing the new rules, marking Bitcoin’s biggest protocol upgrade to date.

But activation did not come easy, and it did not come fast.

This is a look back at the long road to SegWit.

Some thoughts about the activation mechanism for soft forks. In the past we used IsSuperMajority and currently use BIP9 as soft fork activation methods, where a supermajority of hashrate triggers nodes to begin enforcing new rules. Hashrate based activation is convenient because it is the simplest and most straightforward process. While convenient there are a number limitations with this method.

Firstly, it requires trusting the hash power will validate after activation. The BIP66 soft fork was a case where 95% of the hashrate was signaling readiness but in reality about half was not actually validating the upgraded rules and mined upon an invalid block by mistake[1].

Secondly, miner signalling has a natural veto which allows a small percentage of hashrate to veto node activation of the upgrade for everyone. To date, soft forks have taken advantage of the relatively centralised mining landscape where there are relatively few mining pools building valid blocks; as we move towards more hashrate decentralization, it’s likely that we will suffer more and more from "upgrade inertia" which will veto most upgrades.

Upgrade inertia in inevitable for widely deployed software and can be seen for example, with Microsoft Windows. At the time of writing 5.72% of all Microsoft Windows installations are still running Windows XP, despite mainstream support ending in 2009 and being superseded by 4 software generations, Vista, 7, 8 and 10.

Thirdly, the signaling methodology is widely misinterpreted to mean the hash power is voting on a proposal and it seems difficult to correct this misunderstanding in the wider community. The hash powers' role is to select valid transactions, and to extend the blockchain with valid blocks. Fully validating economic nodes ensure that blocks are valid. Nodes therefore define validity according to the software they run, but miners decide what already valid transactions gets included in the block chain.

As such, soft forks rules are actually always enforced by the nodes, not the miners. Miners of course can opt-out by simply not including transactions that use the new soft fork feature, but they cannot produce blocks that are invalid to the soft fork. The P2SH soft fork is a good example of this, where non-upgraded miners would see P2SH as spendable without a signature and consider them valid. If such an transaction were to be included in a block, the block would be invalid and the miner would lose the block reward and fees.

So-called "censorship" soft forks do not require nodes to opt in, because >51% of the hash power already have the ability to orphan blocks that contain transactions they have blacklisted. Since this is not a change in validity, nodes will accept the censored block chain automatically.

The fourth problem with supermajority hash power signaling is it draws unnecessary attention to miners which can become unnecessarily political. Already misunderstood as a vote, miners may feel pressure to "make a decision" on behalf of the community: who is and isn’t signalling becomes a huge public focus and may put pressures onto miners they are unprepared for. Some miners may not be in a position to upgrade, or may prefer not to participate in the soft fork which is their right. However, that miner may now become a lone reason that vetoes activation for everyone, where the soft fork is an opt-in feature! This situation seems to be against the voluntary nature of the Bitcoin system where participation at all levels is voluntary and kept honest by well balanced incentives.

Since miners already have the protocol level right to select whatever transaction they prefer (and not mine those they don’t), it would be better if a miner could chose to not participate in triggering activation of something they won’t use, but, without being a veto to the process (and all the ire they may have to experience as a consequence).

The alternative discussed here is "flag day activation" where nodes begin enforcement at a predetermined time in the future. This method needs a longer lead time than a hash power based activation trigger, but offers a number of advantages and perhaps provides a better tradeoff.

Soft forks are still entirely optional to use post activation. For example, with P2SH, many participants in the Bitcoin ecosystem still do not use P2SH. Only 11% of bitcoins[2] are stored in P2SH addresses at the time of writing. Miners are free to not mine P2SH transactions, however, the incentives are such that miners should still validate transactions so they don’t accidentally include invalid transactions and cause their block to be rejected. As an additional safety measure for well designed soft forks, relay policy rules prevent non-standard and invalid transactions from being relayed and mined by default; a miner would have to purposefully mine an invalid transaction, which is against their own economic interest.

Since the incentives of the Bitcoin system rely on self validation, economic nodes (miners and users) should always remain safe by ensuring their nodes either validate the current rules, or, they can place their network behind a full node that will filter out invalid transactions and blocks at the edge of their network (so called firewall or border nodes).

A user activated soft fork is permissive. Miners do not have to produce new version blocks and non-upgraded miners' blocks will not be orphaned as was the case with IsSuperMajority soft forks (e.g. BIP34, BIP66, BIP65-CLTV) which made it a compulsory upgrade for miners.

BIP9 "versionbits" soft fork activation method is also permissive in so far as non-upgraded miners are not forced to upgrade after activation because their blocks wont be orphaned. A recent case was the "CSV" soft fork that activated BIP68, BIP112 and BIP113. As such, the CSV soft fork allows non-upgraded miners to continue mining so long as they didn’t produce invalid blocks.

Miners always retain discretion on which transactions to mine. However, regardless of whether they actively include transactions using the new soft fork feature, or not, the incentive for hash power to upgrade in order to validate is strong: if they do not, they could be vulnerable to a rogue miner willing to waste 12.5BTC to create an invalid block, which may cause non-validating miners to build on an invalid chain similar to the BIP66 incident. Validation has always had a strong requirement.

A user activated soft fork is win-win because it adds an option that some people want that does not detract from other peoples' enjoyment. Even if only 10% of users ever wanted a feature, so long as the benefit outweighed the technical risks, it would not be rational to deny others the ability to opt-in.

My suggestion is to have the best of both worlds. Since a user activated soft fork needs a relatively long lead time before activation, we can combine with BIP9 to give the option of a faster hash power coordinated activation or activation by flag day, whichever is the sooner. In both cases, we can leverage the warning systems in BIP9. The change is relatively simple, adding an activation-time parameter which will transition the BIP9 state to LOCKED_IN before the end of the BIP9 deployment timeout.

You can find the proposal here https://gist.github.com/shaolinfry/0f7d1fd22743bb966da0c0b1682ea2ab

References:

[1]: https://bitcoin.org/en/alert/2015-07-04-spv-mining
[2]: http://p2sh.info/dashboard/db/p2sh-statistics?from=1472043312917&to=1488030912918

There are a series of soft-fork designs which have recently been making good progress towards implementation and future adoption. However, for various reasons, activation methods therefor have gotten limited discussion. I’d like to reopen that discussion here.

It is likely worth revisiting the goals both for soft forks and their activation methods to start. I’m probably missing some, but some basic requirements:

1) Avoid activating in the face of significant, reasonable, and directed objection. Period. If someone has a well-accepted, reasonable use of Bitcoin that is working today, have no reason to believe wouldn’t work long into the future without a change, and which would be made impossible or significantly more difficult by a change, that change must not happen. I certainly hope there is no objection on this point (see the last point for an important caveat that I’m sure everyone will jump to point out).

2) Avoid activating within a timeframe which does not make high node-level-adoption likely. As with all "node" arguments, I’ll note that I mean "economically-used" nodes, not the thousand or so spy nodes on Google Cloud and AWS. Rule changes don’t make sense without nodes enforcing them, whether they happen to be a soft fork, hard fork, or a blue fork, so activating in a reduced timeframe that doesn’t allow for large-scale node adoption doesn’t have any value, and may cause other unintended side effects.

3) Don’t (needlessly) lose hashpower to un-upgraded miners. As a part of Bitcoin’s security comes from miners, reducing the hashpower of the network as a side effect of a rule change is a needless reduction in a key security parameter of the network. This is why, in recent history, soft forks required 95% of hashpower to indicate that they have upgraded and are capable of enforcing the new rules. Further, this is why recent soft forks have not included changes which would result in a standard Bitcoin Core instance mining invalid-by-new-rules changes (by relying on the standardness behavior of Bitcoin Core).

4) Use hashpower enforcement to de-risk the upgrade process, wherever possible. As a corollary of the above, one of the primary reasons we use soft forks is that hashpower-based enforcement of rules is an elegant way to prevent network splits during the node upgrade process. While it does not make sense to invest material value in systems protected by new rules until a significant majority of "economic nodes" is enforcing said rules, hashpower lets us neatly bridge the gap in time between activation and then. By having a supermajority of miners enforce the new rules, attempts at violating the new rules does not result in a significant network split, disrupting existing users of the system. If we aren’t going to take advantage of this, we should do a hard fork instead, with the necessarily slow timescale that entails.

5) Follow the will of the community, irrespective of individuals or unreasoned objection, but without ever overruling any reasonable objection. Recent history also includes "objection" to soft forks in the form of "this is bad because it doesn’t fix a different problem I want fixed ASAP". I don’t think anyone would argue this qualifies as a reasonable objection to a change, and we should be in a place, as a community (never as developers or purely one group), to ignore such objections and make forward progress in spite of them. We don’t make good engineering decisions by "bundling" unrelated features together to enable political football and compromise.

I think BIP 9 (plus a well-crafted softfork) pretty effectively checks the boxes for #2-4 here, and when done carefully with lots of community engagement and measurement, can effectively fulfill #1 as well. #5 is, as I’m sure everyone is aware, where it starts to fall down pretty hard.

BIP 8 has been proposed as an alternative, largely in response to issues with #5. However, a naive deployment of it, rather obviously, completely fails #1, #3, and #4, and, in my view, fails #5 as well by both giving an impression of, setting a precedent of, and possibly even in practice increasing the ability of developers to decide the consensus rules of the system. A BIP 8 deployment that more accurately measures community support as a prerequisite could arguably fulfill #1 and #5, though I’m unaware of any concrete proposals on how to accomplish that. Arguably, a significantly longer activation window could also allow BIP 8 to fulfill #3 and #4, but only by exploiting the "needlessly" and "wherever possible" loopholes.

You may note that, from the point of view of achieving the critical goals here, BIP 8 is only different from a flag-day activation in that, if it takes the "happy-path" of activating before the flag day, it looks like BIP 9, but isn’t guaranteed to. It additionally has the "nice-to-have" property that activation can occur before the flag-day in the case of faster miner adoption, though there is a limit of how fast is useful due to node adoption.

Thus, to strike a balance between the drawbacks of BIP 8 and BIP 9, the Great Consensus Cleanup softfork proposal included this text in the discussion section (with the spec describing a BIP 9 deployment):

Ultimately, through admittedly rather limited discussion, I still like this model (though I cannot claim it as my own, the original proposal came from Greg Maxwell). BIP 9 only falls apart in case of unreasonable objection, which, naturally, should carry a high bar to ignore, given we have to have some level of agreement that it is, in fact, unreasonable (or untargeted). While I admit this is a possibility, I both find it less likely than in previous soft-forks, and even if it is the case, it only slows down the process, it doesn’t necessarily stop it. In the case that it does fail, BIP 9 process, in fact, provides a good learning opportunity as to the level of community readiness and desire for a given change. While we can (and should, and are) learning a lot about community readiness for, and acceptability of a change through outreach and discussion, there is something about a change with a timeframe that forces people to more carefully consider it.

Thus, as something a bit more concrete, I think an activation method which sets the right precedent and appropriately considers the above goals, would be:

1) a standard BIP 9 deployment with a one-year time horizon for activation with 95% miner readiness,
2) in the case that no activation occurs within a year, a six month quieting period during which the community can analyze and discussion the reasons for no activation and,
3) in the case that it makes sense, a simple command-line/bitcoin.conf parameter which was supported since the original deployment release would enable users to opt into a BIP 8 deployment with a 24-month time-horizon for flag-day activation (as well as a new Bitcoin Core release enabling the flag universally).

This provides a very long time horizon for more standard activation, while still ensuring the goals in #5 are met, even if, in those cases, the time horizon needs to be significantly extended to meet the goals of #3. Developing Bitcoin is not a race. If we have to, waiting 42 months ensures we’re not setting a negative precedent that we’ll come to regret as Bitcoin continues to grow.

Matt

Thanks also to AJ for feedback on an earlier version of this rant.

From Bitcoin Wiki

This page summarizes several technical proposals for activating the taproot soft fork defined by BIPs 340, 341, and 342. The goal is to succinctly reference the tradeoffs inherent in each class of proposals so that the development community can choose and implement an activation method that users will find acceptable.

Note that a common theme in many of the proposals is dealing with the case where an insufficient percentage of hashrate signals readiness to enforce taproot. This is a reaction to the difficulty activating segwit. However, there is currently no indication that there will be difficulty activating taproot---miners may offer it the same support that they offered other non-controversial soft forks such as BIP34 height in coinbase, BIP66 strict DER, BIP65 OP_CHECKLOCKTIMEVERIFY, and BIPs 68/112/113 relative locktimes.

KL: Can you hear me? Is it good? Okay. I hope you have practiced your French because.. no, the presentations are in English. Welcome and thank you very much for being here. This conference will very probably be the best we’ve had in the bitcoin sphere. The crowd is pretty crazy. I’ve had the ticket list and I can say the people in this room, not just the speakers, the attendees are all super amazing. I’m glad to be launching this event. We’re a little late. I have a small joke. I hope you sold your bitcoin today, because we’re breaking bitcoin. Thank you. Jimmy is going to start. Please welcome Jimmy Song.