This might be hopium. But every good investment I've made in this space has been when I'm absolutely incredulous that the market hasn't valued something that we are on a collision course for.
To start, how do Bitcoin and Nano stack up in terms of average user experience under normal network conditions: Bitcoin... slow, cheap, reliable Nano... crazy fast, cheap, reliable
Nano took off in late 2017 for a reason. Yes, the faucet had recently been turned off and distribution was done. But the primary reason was because Bitcoin became congested. Many of you are here because of that period. You remember how awful it was to use Bitcoin. Yes, the $50 fees were bad, but what was worse was not knowing if your transaction was going to show up in an hour or in two days. It was clear and obvious to anyone at that point: Bitcoin doesn't do well when demand for space in a block exceeds supply for an extended period of time. Those were the conditions that existed that made so many of us open to and excited for the possibilities of Nano.
Fast forward 1.5 years... Bitcoin's congestion nightmare feels like a thing of the past. Scaling has happened - Segwit is at 40% adoption, and more transactions fit in a block now than ever before. http://charts.woobull.com/bitcoin-congestion/
But is this enough to service the demand for another bull run? It doesn't look like it...
There has been a clear pattern over time in terms of Bitcoin bull runs and volume of Bitcoins transmitted over the network each day. http://charts.woobull.com/bitcoin-network-momentum/
It seems that to sustain the price discovery of a bull market, Bitcoin needs to be transmitting a lot of value. Adjusting for increased supply since the start of the last bull market, if this trend holds true, Bitcoin needs to be transmitting 400-500k Bitcoin/day on average as the minimum threshold to sustain the next bull market.
Now let's switch back to the Congestion chart. http://charts.woobull.com/bitcoin-congestion/
At the capitulation bottom in 2015, Bitcoin blocks were 35% full. From that point, utilization ramped up over the next 2 years until 2017, when Bitcoin's blocks began to be consistently full. At that point, the bidding war for space in a block began, and transaction fees began to ramp up over the course of the year.
Fast forward to today. For most of 2018, transaction count slumped and blocks were no longer full. But block usage has slowly been ramping up (even with Segwit packing more transactions into each block), and now Bitcoin blocks are 93% full. Incidentally, the Bitcoin mempool is beginning to backlog for the first time in a year, and as a result transaction fees have climbed to $1.80, after sitting at ~5 cents since last bull market.
So if we combine what we know from these two charts...
-Bitcoin daily transaction volume needs to increase ~30-60% from current amounts to sustain a bonafide bull run, assuming past trends hold
-Bitcoin blocks are currently 93% full
-When Bitcoin blocks are full for an extended period of time, a bidding war for space in blocks occurs and transaction fees climb
-When Bitcoin is congested, users suffer high fees, transaction delays and uncertainty... the experience becomes "Bitcoin: slow, expensive, and completely unpredictable time to receive"
And THAT is when Nano makes sense to everyone. Right now it's a novelty that people don't think is worth learning about. But to me, it's plainly evident that we are on a collision course with late-2017 Bitcoin congestion again. But this time, it won't be for ~3 months at the very end of a 3 year bull market. This time, we're starting at 93% instead of 35%.
Thoughts? Am I missing something? Please let me know if I'm wrong about any of the above; would love to pressure-test my thesis.
What's this? I don't make a Technical post for a month and now BitPay is censoring the Hong Kong Free Press? Shit I'm sorry, it's all my fault for not posting a Technical post regularly!! Now posting one so that we have a censorship-free Bitcoin universe!
Pay-to-contract and sign-to-contract are actually cryptographic techniques to allow you to embed a commitment in a public key (pay-to-contract) or signature (sign-to-contract). This commitment can be revealed independently of the public key / signature without leaking your private key, and the existence of the commitment does not prevent you from using the public key / signature as a normal pubkey/signature for a normal digital signing algorithm.
Both techniques utilize elliptic curve homomorphism
. Let's digress into that a little first.
Elliptic Curve Homomorphism
Let's get an oversimplified view of the maths involved first.
First, we have two "kinds" of things we can compute on.
- One kind is "scalars". These are just very large single numbers. Traditionally represented by small letters.
- The other kind is "points". These are just pairs of large numbers. Traditionally represented by large letters.
Now, an "Elliptic Curve" is just a special kind of curve with particular mathematical properties. I won't go into those properties, for the very reasonable reason that I don't actually understand them (I'm not a cryptographer, I only play one on reddit!).
If you have an Elliptic Curve, and require that all points you work with are on some Elliptic Curve, then you can do these operations.
- Add, subtract, multiply, and divide scalars. Remember, scalars are just very big numbers. So those basic mathematical operations still work on big numbers, they're just big numbers.
- "Multiply" a scalar by a point, resulting in a point. This is written as a * B, where a is the scalar and B is a point. This is not just multiplying the scalar to the point coordinates, this is some special Elliptic Curve thing that I don't understand either.
- "Add" two points together. This is written as A + B. Again, this is some special Elliptic Curve thing.
The important part is that if you have:
A = a * G B = b * G Q = A + B
q = a + b Q = q * G
That is, if you add together two points that were each derived from multiplying an arbitarry scalar with the same point (G in the above), you get the same result as adding the scalars together first, then multiplying their sum with the same point will yield the same number. Or:
a * G + b * G = (a + b) * G
And because multiplication is just repeated addition, the same concept applies when multiplying:
a * (b * G) = (a * b) * G = (b * a) * G = b * (a * G)
Something to note in particular is that there are few operations on points. One operation that's missing is "dividing" a point by a point to yield a scalar. That is, if you have:
A = a * G
Then, if you know A but don't know the scalar a, you can't do the below:
a = A / G
You can't get a even if you know both the points A and G.
In Elliptic Curve Cryptography, scalars are used as private keys, while points are used as public keys. This is particularly useful since if you have a private key (scalar), you can derive a public key (point) from it (by multiplying the scalar with a certain standard point, which we call the "generator point", traditionally G). But there is no reverse operation to get the private key from the public key.
Let's have another mild digression.
Sometimes, you want to "commit' to something that you want to keep hidden for now. This is actually important in some games and so on. For example, if you are paying a game of Twenty Questions, one player must first write the object they are thinking of, then fold or hide it in such a way that what they wrote is not visible. Then, after the guessing player has asked twenty questions to narrow down what the object is and has revealed what he or she thinks the object being guessed was, the guessee reveals the object by unfodling and showing the paper.
The act of writing down commits
you to the specific thing you wrote down. Folding the paper and/or hiding it, err, hides
what you wrote down. Later, when you unfold the paper, you reveal
The above is the analogy to the development of cryptographic commitments.
- First you select some thing --- it could be anything, a song, a random number, a promise to deliver products and services, the real identity of Satoshi Nakamoto.
- You commit to it by giving it as input to a one-way function. A one-way function is a function which allows you to get an output from an input, but after you perform that there is no way to reverse it and determine the original input knowing only the final output. Hash functions like SHA are traditionally used as one-way functions. As a one-way function, this hides your original input.
- You give the commitment (the output of the one-way function given your original input) to whoever wants you to commit.
- Later, when somebody demands to show what you committed to (for example after playing Twenty Questions), you reveal the commitment by giving the original input to the one-way function (i.e. the thing you selected in the first step, which was the thing you wanted to commit to).
- Whoever challenged you can verify your commitment by feeding your supposed original input to the same one-way function. If you honestly gave the correct input, then the challenger will get the output that you published above in step 3.
Now, sometimes there are only a few possible things you can select from. For example, instead of Twenty Questions you might be playing a Coin Toss Guess game.
What we'd do would be that, for example, I am the guesser and you the guessee. You select either "heads" or "tails" and put it in a commitment which you hand over to me. Then, I say "heads" or "tails" and have you reveal your commitment. If I guessed correctly I win, if not you win.
Unfortunately, if we were to just use a one-way function like an SHA hash function, it would be very trivial for me to win. All I would need to do would be to try passing "heads" and "tails" to the one-way function and see which one matches the commitment you gave me. Then I can very easily find out what your committed value was, winning the game consistently. In hacking, this can be made easier by making Rainbow Tables, and is precisely the technique used to derive passwords from password databases containing hashes of the passwords.
The way to solve this is to add a salt
. This is basically just a large random number that we prepend (or append, order doesn't matter) to the actual value you want to commit to. This means that not only do I have to feed "heads" or "tails", I also have to guess the large random number (the salt). If the possible space of large random numbers is large enough, this prevents me from being able to peek at your committed data. The salt is sometimes called a blinding factor
Hiding commitments in pubkeys!
Pay-to-contract allows you to publish a public key, whose private key you can derive, while also being a cryptographic commitment. In particular, your private key is also used to derive a salt.
The key insight here is to realize that "one-way function" is not restricted to hash functions like SHA. The operation below is an example of a one-way function too:
h(a) = a * G
This results in a point, but once the point (the output) is known, it is not possible to derive the input (the scalar a above). This is of course restricted to having the input be a scalar only, instead of an arbitrary-length message, but you can add a hash function (which can accept an arbitrary-length input) and then make its output (a fixed-length scalar) as the scalar to use.
First, pay-to-contract requires you to have a public and private keypair.
; p is private key P = p * G ; P is now public key
Then, you have to select a contract
. This is just any arbitrary message containing any arbitrary thing (it could be an object for Twenty Questions, or "heads" or "tails" for Coin Toss Guessing). Traditionally, this is symbolized as the small letter s.
In order to have a pay-to-contract public key, you need to compute the below from your public key P (called the internal public key
; by analogy the private key p is the internal private key
Q = P + h(P | s) * G
"h()" is any convenient hash function, which takes anything of arbitrary length, and outputs a scalar, which you can multiply by G. The syntax "P | s" simply means that you are prepending the point P to the contract s.
The cute thing is that P serves as your salt. Any private key is just an arbitrary random scalar. Multiplying the private key by the generator results in an arbitrary-seeming point. That random point is now your salt, which makes this into a genuine bonafide hiding cryptographic commitment!
Now Q is a point, i.e. a public key. You might be interested in knowing its private key, a scalar. Suppose you postulate the existence of a scalar q such that:
Q = q * G
Then you can do the below:
Q = P + h(P | s) * G Q = p * G + h(P | s) * G Q = (p + h(P | s)) * G
Then we can conclude that:
q = p + h(P | s)
Of note is that somebody else cannot learn the private key q unless they already know the private key p. Knowing the internal public key P is not enough to learn the private key q. Thus, as long as you are the only one who knows the internal private key p, and you keep it secret, then only you can learn the private key q that can be used to sign with the public key Q (that is also a pay-to-contract commitment).
Now Q is supposed to be a commitment, and once somebody else knows Q, they can challenge you to reveal your committed value, the contract s. Revealing the pay-to-contract commitment is done by simply giving the internal public key P (which doubles as the salt) and the committed value contract s.
The challenger then simply computes:
P + h(P | s) * G
And verifies that it matches the Q you gave before.
Some very important properties are:
- If you reveal first, then you still remain in sole control of the private key. This is because revelation only shows the internal public key and the contract, neither of which can be used to learn the internal private key. So you can reveal and sign in any order you want, without precluding the possibility of performing the other operation in the future.
- If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s. You can compute q simply from the internal private key p and the contract s. You don't even need to pass those in to your signing algorithm, it could just be given the computed q and the message you want to sign!
- Anyone verifying your signature using the public key Q is unaware that it is also used as a cryptographic commitment.
Another property is going to blow your mind:
- You don't have to know the internal private key p in order to create a commitment pay-to-contract public key Q that commits to a contract s you select.
Q = P + h(P | s) * G
The above equation for Q does not require that you know the internal private key p. All you need to know is the internal public key P. Since public keys are often revealed publicly, you can use somebody else's public key as the internal public key in a pay-to-contract construction.
Of course, you can't sign for Q (you need to know p to compute the private key q) but this is sometimes an interesting use.
The original proposal for pay
-to-contract was that a merchant would publish their public key, then a customer would "order" by writing the contract s with what they wanted to buy. Then, the customer would generate the public key Q (committing to s) using the merchant's public key as the internal public key P, then use that in a P2PKH or P2WPKH. Then the customer would reveal the contract s to the merchant, placing their order, and the merchant would now be able to claim the money.
Another general use for pay-to-contract include publishing a commitment on the blockchain without using an OP_RETURN output. Instead, you just move some of your funds to yourself, using your own public key as the internal public key, then selecting a contract s that commits or indicates what you want to anchor onchain. This should be the preferred technique rather than OP_RETURN. For example, colored coin implementations over Bitcoin usually used OP_RETURN, but the new RGB colored coin
technique uses pay-to-contract instead, reducing onchain bloat.
Pay-to-contract is also used in the nice new Taproot concept.
Briefly, taproot anchors a Merkle tree of scripts. The root of this tree is the contract s committed to. Then, you pay to a SegWit v1 public key, where the public key is the Q pay-to-contract commitment.
When spending a coin paying to a SegWit v1 output with a Taprooted commitment to a set of scripts s, you can do one of two things:
- Sign directly with the key. If you used Taproot, use the commitment private key q.
- Reveal the commitment, then select the script you want to execute in the Merkle tree of scripts (prove the Markle tree path to the script). Then satisfy the conditions of the script.
Taproot utilizes the characteristics of pay-to-contract:
- If you reveal first, then you still remain in sole control of the private key.
- This is important if you take the Taproot path and reveal the commitment to the set of scripts s. If your transaction gets stalled on the mempool, others can know your commitment details. However, revealing the commitment will not reveal the internal private key p (which is needed to derive the commitment private key q), so nobody can RBF out your transaction by using the sign-directly path.
- If you sign with the public key Q first, then you do not need to reveal the internal public key P or the contract s.
- This is important for privacy. If you are able to sign with the commitment public key, then that automatically hides the fact that you could have used an alternate script s instead of the key Q.
- Anyone verifying your signature using the public key Q is unaware that it is also used as a cryptographic commitment.
- Again, privacy. Fullnodes will not know that you had the ability to use an alternate script path.
Taproot is intended to be deployed with the switch to Schnorr-based signatures in SegWit v1. In particular, Schnorr-based signatures have the following ability that ECDSA cannot do except with much more difficulty:
- It is possible to generate a single public key that cannot be signed, except by the agreement of multiple signers who each contribute part of the public key. I.e. this is MuSig, which allows to create an n-of-n signing group that has a single public key.
As public keys can, with Schnorr-based signatures, easily represent an n-of-n signing set, the internal public key P can also actually be a MuSig n-of-n signing set. This allows for a number of interesting protocols, which have a "good path" that will be private if that is taken, but still have fallbacks to ensure proper execution of the protocol and prevent attempts at subverting the protocol.
Escrow Under Taproot
Traditionally, escrow is done with a 2-of-3 multisignature script.
However, by use of Taproot and pay-to-contract, it's possible to get more privacy than traditional escrow services.
Suppose we have a buyer, a seller, and an escrow service. They have keypairs B = b * G, S = s * G, and E = e * G.
The buyer and seller then generate a Taproot output (which the buyer will pay to before the seller sends the product).
The Taproot itself uses an internal public key that is the 2-of-2 MuSig of B and S, i.e. MuSig(B, S). Then it commits to a pair of possible scripts:
- Release to a 2-of-2 MuSig of seller and escrow. This path is the "escrow sides with seller" path.
- Release to a 2-of-2 MuSig of buyer and escrow. This path is the "escrow sides with buyer" path.
Now of course, the escrow also needs to learn what the transaction was supposed to be about. So what we do is that the escrow key is actually used as the internal public key of another
pay-to-contract, this time with the script s containing the details of the transaction. For example, if the buyer wants to buy some USD, the contract could be "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis".
This takes advantage of the fact that the committer need not know the private key behind the public key being used in a pay-to-contract commitment. The actual transaction it is being used for is committed to onchain, because the public key published on the blockchain ultimately commits (via a taproot to a merkle tree to a script containing a MuSig of a public key modified with the committed contract) to the contract between the buyer and seller.
Thus, the cases are:
- Buyer and seller are satisfied, and cooperatively create a signature that spends the output to the seller.
- The escrow service never learns it could have been an escrow. The details of their transaction remain hidden and private, so the buyer is never embarrassed over being so tacky as to waste their hard money buying USD.
- The buyer and seller disagree (the buyer denies having received the goods in proper quality).
- They contact the escrow, and reveal the existence of the onchain contract, and provide the data needed to validate just what, exactly, the transaction was supposed to be about. This includes revealing the "Purchase of 50 pieces of United States Federal Reserve Green Historical Commemoration papers for 0.357 satoshis", as well as all the data needed to validate up to that level. The escrow then investigates the situation and then decides in favor of one or the other. It signs whatever transaction it decides (either giving it to the seller or buyer), and possibly also extracts an escrow fee.
Smart Contracts Unchained
Developed by ZmnSCPxj
A logical extension of the above escrow case is to realize that the "contract" being given to the escrow service is simply some text that is interpreted by the escrow, and which is then executed by the escrow to determine where the funds should go.
Now, the language
given in the previous escrow example is English. But nothing prevents the contract from being written in another language, including a machine-interpretable one.
Smart Contracts Unchained simply makes the escrow service an interpreter for some Smart Contract scripting language.
The cute thing is that there still remains an "everything good" path where the participants in the smart contract all agree on what the result is. In that case, with Taproot, there is no need to publish the smart contract
--- only the participants know, and nobody else has to. This is an improvement in not only privacy, but also blockchain size --- the smart contract itself never has to be published onchain, only the commitment to it is (and that is embedded in a public key, which is necessary for basic security on the blockchain anyway!).
Hiding commitments in signatures!
Sign-to-contract is something like the dual or inverse of pay-to-contract. Instead of hiding a commitment in the public key, it is hidden in the signature.
Sign-to-contract utilizes the fact that signatures need to have a random scalar r which is then published as the point R = r * G.
Similarly to pay-to-contract, we can have an internal random scalar p and internal point P that is used to compute R:
R = P + h(P | s) * G
The corresponding random scalar r is:
r = p + h(P | s)
The signing algorithm then uses the modified scalar r.
This is in fact just the same method of commitment as in pay-to-contract. The operations of committing and revealing are the same. The only difference is where
the commitment is stored.
Importantly, however, is that you cannot
take somebody else's signature and then create an alternate signature that commits to some s you select. This is in contrast with pay-to-contract, where you can take somebody else's public key and then create an alternate public key that commits to some s you select.
Sign-to-contract is somewhat newer as a concept than pay-to-contract. It seems there are not as many applications of pay-to-contract yet.
Sign-to-contract can be used, like pay-to-contract, to publish commitments onchain.
The difference is below:
- Signatures are attached to transaction inputs.
- Public keys are attached to transaction outputs.
One possible use is in a competitor to Open Timestamps. Open Timestamps currently uses OP_RETURN to commit to a Merkle Tree root of commitments aggregated by an Open Timestamps server.
Instead of using such an OP_RETURN, individual wallets can publish a timestamped commitment by making a self-paying transaction, embedding the commitment inside the signature for that transaction. Such a feature can be added to any individual wallet software. https://blog.eternitywall.com/2018/04/13/sign-to-contract/
This does not require any additional infrastructure (i.e. no aggregating servers like in Open Timestamps).
R Reuse Concerns
ECDSA and Schnorr-based signature schemes are vulnerable to something called "R reuse".
Basically, if the same R is used for different messages (transactions) with the same public key, a third party with both signatures can compute the private key.
This is concerning especially if the signing algorithm is executed in an environment with insufficient entropy. By complete accident, the environment might yield the same random scalar r in two different runs. Combined with address reuse (which implies public key reuse) this can leak the private key inadvertently.
For example, most hardware wallets will not have any kind of entropy at all.
The usual solution to this is, instead of selecting an arbitrary random r (which might be impossible in limited environments with no available entropy), is to hash the message and use the hash as the r.
This ensures that if the same public key is used again for a different message, then the random r is also different, preventing reuse at all.
Of course, if you are using sign-to-contract, then you can't use the above "best practice".
It seems to me plausible that computing the internal random scalar p using the hash of the message (transaction) should work, then add the commitment on top of that. However, I'm not an actual cryptographer, I just play one on Reddit. Maybe apoelstra
can explain in more detail.
Copyright 2019 Alan Manuel K. Gloria. Released under CC-BY.
Most people would agree that teather is a bad actor. its a centralised mint and has never been audited. there is plenty of speculation tether is printed to support btc and so is not backed bonafide by dollars as they cliam. submitted by
think about it, to run some kind of business or coin, to maintain a 1 for 1 reserve capital of dollars is crazy. the liability on their balance sheet is huge, they could do small short term loans to earn some cahs, but it wouldnt work out in ROI maintaining the peg.
so i see this is as a massive ponzie, and unlike regular crpytos which are based on notational value, this is based on real value 4 billion, which is also tied to the price of bitcoin at 200 billion. yes the numbers seem like teather is nothing to worry about its 5% of the mcap, but if its been used to prop up bitcoin it will totally waste the currency in a crash and all alts trading with it
the difference is all about it is teather beign real money vs notational value of bitcoin. thus the impact
A startup called Bonafide has raised $850,000 to build a reputation system for the bitcoin industry. The funding round, which comes from Quest Venture Partners, Crypto Currency Partners and the AngelList Bitcoin Syndicate, among others, is a step towards creating a scoring system for addresses on bitcoin’s network. As Bitcoin enters it’s mainstream adoption phase and starts being used as a means of exchange, a very important question may be raised! Should Bitcoin addresses be associated with real world identities? A startup by the name of Bonafide.io has taken on the gargantuan task of doing exactly that. B... A startup called Bonafide has raised $850,000 to build a reputation system for the bitcoin industry. The funding round, which comes from Quest Venture Partners, Crypto Currency Partners and the ... Ein Startup namens Bonafide hat $ 850.000 erhöht, um ein Reputationssystem für die Bitcoin-Industrie zu bauen. Die Förderrunde, die von Quest Venture Partners, Crypto Currency Partners und dem AngelList Bitcoin Syndicate stammt, ist unter anderem ein Schritt zur Schaffung eines Scoring-Systems für Adressen im Bitcoin-Netzwerk. Buy with Swish by BonafideAlex. Buy bitcoins using Swish with Swedish Krona (SEK) LocalBitcoins.com user BonafideAlex wishes to sell bitcoins to you.
I am a FULL TIME reseller on Ebay & Amazon. I strive to help other sellers big & small make money. Join MY Reseller Facebook Group (115,000 members)- https:/... Since Bitcoin (BTC) traders got a taste of parabolic price action in early-2019, during which the Bitcoin price surged from the low-$3,000s to $14,000 in a few weeks’ time, they have been ... Jul.12 -- Jill Carlson, Slow Ventures principal, and Ryan Selkis, Messari founder and chief executive officer, discuss Facebook Inc.'s plans for a new crypto... You can earn extra cash just by buying items at the dollar store and selling them online! This is called retail arbitrage and the purpose of this video is to... ⚪️Ledger Live Bitcoin BTC Event & Ledger Wallet Updates Ely Mist 5,645 watching Live now 🔵 Elon Musk about Bitcoin, BTC Halving to the MOON and SpaceX Updates [MAY 4. 2020] TeslaX 1,747 ...