--- title: Crypto currency ... This discussion is obsoleted and outdated by the latest advances in recursive snarks. The objective is to implement the blockchain in a way that scales to one hundred thousand transactions per second, so that it can replace the dollar, while being less centralized than bitcoin currently is, though not as decentralized as purists would like, and preserving privacy better than bitcoin now does, though not as well as Monaro does. It is a bitcoin with minor fixes to privacy and centralization, major fixes to client host trust, and major fixes to scaling. The problem of bitcoin clients getting scammed by bitcoin peers will be fixed through Merkle-patricia, which is a a well known and already widely deployed fix – though people keep getting scammed due to lack of a planned bitcoin client-host architecture. Bitcoin was never designed to be client host, but it just tends to happen, usually in a way that quite unnecessarily violates privacy, client control, and client safety. Monaro’s brilliant and ingenious cryptography makes scaling harder, and all mining based blockchains tend to the same centralization problem as afflicts bitcoin. Getting decisions quickly about a big pile of data necessarily involves a fair bit of centralization, but the Paxos proof of share protocol means the center can move at the speed of light in fiber, and from time to time, will do so, sometimes to locations unknown and not easy to find. We cannot avoid having a center, but we can make the center ephemeral, and we can make it so that not everyone, or even all peers, know the network address of the processes holding the secrets that signed the most recent block. Scaling accomplished by a client host hierarchy, where each host has many clients, and each host is a blockchain peer. A hundred or so big peers, who do not trust each other, each manage a copy of the blockchain. The latest block is signed by peers representing a majority of the shares, which is likely to be considerably less than a hundred or so peers. Peer share is delegated from clients – probably a small minority of big clients – not all clients will delegate. Delegation makes privacy more complicated and leakier. Delegations will be infrequent – you can delegate the stake held by an offline cold wallet, whose secret lives in pencil on paper in a cardboard file in a safe, but a peer to which the stake was delegated has to have its secret on line. Each peer’s copy of the blockchain is managed, within a rack on the premises of a peer, by a hundred or so shards. The shards trust each other, but that trust does not extend outside the rack, which is probably in a room with a lock on the door and a security camera watching the rack. Most people transacting on the blockchain are clients of a peer. The blockchain is in the form of a sharded Merkle-patricia tree, hence the clients do not have to trust their host – they can verify any small fact about the blockchain in that they can verify that peers reflecting a majority of stake assert that so and so is true, and each client can verify that the peers have not rewritten the past. Scale is achieved through the client peer hierarchy, and, within each peer, by sharding the blockchain. Clients verify those transactions that concern them, but cannot verify that all transactions are valid, because the blockchain is too big. Each peer verifies the entire blockchain from beginning to end. If the blockchain replaces the US dollar as the world currency, then it will rapidly become far too large for any one computer to verify the whole thing, so will have to be verified by a group of mutually trusting and trusted shards, but each such group of shards is a peer. The shards trust shards of the same peer, which are likely running on the same rack in the same locked room under the gaze of the same security camera, but they don’t trust shards of some other peer. In each transaction, each client verifies that the other client is seeing the same history and recent state of the blockchain, and in this sense, the blockchain is a consensus of all clients, albeit that consensus is mediated through a small number of large entities that have a lot of power. The architecture of power is rather like a corporation, with stake as shares. In a corporation CEO can do anything, except the board can fire him and choose a new CEO at any time. The shareholders could in theory fire the board at any time, but in practice, if less than happy with the board, have to act by transacting through a small number of big shareholders. Centralization is inevitable, but in practice, by and large corporations do an adequate job of pursuing shareholder interests, and when they fail to do so, as with woke capital, Star Wars, or the great minority mortgage meltdown, it is usually due to heavy handed state intervention. Google’s board is mighty woke, but in the Damore affair, human resources decided that they were not woke enough, and in the Soy wars debacle, the board was not woke at all but gave power over Star Wars brand name to wome who threatened them with \#metoo. And if this form of distributed power does not always work all that well, it fails less badly than anything else we have tried. Delegated power representing assets, rather than people, results in centralized power that, by and large, mostly, pursues the interests of those assets. Delegated power representing people, not so much. In bitcoin, power is in the hands of a very small number of very large miners. This is a problem, both in concentration of power, which seems difficult to avoid if making decisions rapidly about very large amounts of data, and in that miner interests differ from stakeholder interests. Miners consume very large amounts of power, so have fixed locations vulnerable to state power. They have generally relocated to places outside the US hegemony, into the Chinese or Russian hegemonies, or the periphery of those hegemonies, but this is not a whole lot of security. proof of share has the advantage that stake is ultimately knowledge of secret keys, and while the state could find the peers representing a majority of stake, they are more mobile than miners, and the state cannot easily find the clients that have delegated stake to one peer, and could easily delegate it to a different peer, the underlying secret likely being offline on pencil and paper in someone’s safe, and hard to figure out whose safe. Obviously, at full scale we are always going to have immensely more clients than full peers, likely by a factor of hundreds of thousands, but we need to have enough peers, which means we need to reward peers for being peers, for providing the service of storing blockchain data, propagating transactions, verifying the blockchain, and making the data readily available, rather than for the current pointless bit crunching and waste of electricity employed by current mining. Bitcoin proposes to solve the scaling problem by the [Lightning Network, which is a re-invention of correspondent banking and the General Ledger, SubLedger system](https://www.forbes.com/sites/francescoppola/2016/06/17/thunder-and-lightning-in-the-bitcoin-world/). Obviously re-inventing General Ledger and Subledger will improve scaling, but [Central Clearing houses are also needed](https://gendal.me/2013/11/24/a-simple-explanation-of-how-money-moves-around-the-banking-system/).  The power over the blockchain, and the revenues coming from transaction and storage fees, have to go to this large number of peers, rather than, as at present, mostly to four miners located in China. Also, at scale, we are going to have to shard, so that a peer is actually a pool of machines, each with a shard of the blockchain, perhaps with all the machines run by one person, perhaps run by a group of people who trust each other, each of whom runs one machine managing one shard of the blockchain. Rewards, and the decision as to which chain is final, has to go to weight of stake, but also to proof of service – to peers, who store and check the blockchain and make it available. For the two to be connected, the peers have to get stake delegated to them by providing services to clients. All durable keys should live in client wallets, because they can be secured off the internet.  So how do we implement weight of stake, since only peers are sufficiently well connected to actually participate in governance? To solve this problem, stakes are held by client wallets.  Stakes that are in the clear get registered with a peer, the registration gets recorded in the blockchain, and the peer gets influence, and to some extent rewards, proportional to the stake registered with it, conditional on the part it is doing to supply data storage, verification, and bandwidth. My original plan was to produce a better bitcoin from pair based cryptography.  But pair based cryptography is slow.  Peers would need a blade of computers when the volume surpassed bitcoin levels. Maybe not so slow.  [There is an assembly library](https://github.com/herumi/mcl) that promises three ops per millisecond So instead, swipe, I mean build upon, the cryptonote foundation.  (Which already implements the split between network node and wallet.) Two substantial currencies have been built from cryptonote: Monero and bytecoin.  Also Boolberry. But, on the other hand [MimbleWimble clearly has the best cryptography – at the bleeding edge](https://github.com/ignopeverell/grin/blob/master/doc/grin4bitcoiners.md). > no address. All outputs in Grin are unique and have > no common data with any previous output. Instead of relying on a > known address to send money, transactions have to be built interactively, > with 2 (or more) wallets exchanging data with one > another. Practically, this isn’t so much of a problem as there > are multiple ways for 2 programs to interact privately and securely. >  And this interaction could even take place over email or Signal > (or carrier pigeons). For example, suppose each peer has a thousand client wallets, and the capacity to connect to any other peer, that peers have fully accessible ports, and that the client wallets, who being behind consumer grade NATS generally do not have fully accessible ports, set up a direct client wallet encrypted connection through their NATS using their peer connections to initialize the connection. But obviously this software is not written yet.  Still vaporware, but vaporware that sounds very promising. Mimblewimble solves the problem of disk storage limiting scale. How does it go on bandwidth limiting scale? On bandwidth, it kind of sucks.  We are going to need shardable peers. We need a client peer host architecture that is future compatible with people who have serious money using a special purpose microcomputer with an lcd touchscreen, like an android but incapable of being reprogrammed, because it runs code in rom, and whose only essential functions are: Enter password, copy wallet from one memory card to another, show you what you are signing, and allow you to sign it.  Or perhaps a walled garden computer incapable of running any code except code signed by the builder, (except your adversary has physically got at it and replaced it by an evil twin) but otherwise a full internet capable androidish device. From which it follows that not only our host, but our client needs to be accessible through socket io. Bitcoin can do about 3 transactions per second That’s a far cry from the 2000 TPS that Visa rams through every second of every day. Bitcoin takes at least ten minutes to confirm your transaction. Inside the computer, transaction amounts will be represented as big integers with a fixed precision limit, initially sixty four bits. On the blockchain, in the canonical representation, they will be represented as arbitrary precision integers times one thousand raised to a signed arbitrary precision quantity, which for a very long time will be a one byte quantity. The initial smallest representable unit, corresponding to the internal representation inside the computer, $1µρ$, will be represented on the blockchain as $1*1000^{96}$, so that we do not have to think about\ whether that byte is signed or unsigned. If, after millennia of deflation, which I think and hope likely, it approaches zero, we will have to start thinking of it as a signed quantity, and if, after millennia of inflation, which I hope is far less likely, it approaches 128, we will start thinking of it as unsigned quantity. If rhocoin takes over the world, and the smallest unit is initially worth ten trillion dollars 2^-64^economic growth and various engineered and inadvertent currency leaks will result in slow deflation. If it deflates at two percent a year, then in six hundred years of so, there is going to be a problem with the smallest currency unit becoming too large. I would like my works to outlast those of Ozymandias. But by that time the equivalent of banks will have appeared, and banks can issue the equivalent of banknotes in a arbitrarily small units. Entities will appear that aggregate large numbers of small transactions on their network into a small number of large transaction on the main network. As the network comes to span the stars, transaction global to several stars will necessarily become too slow, leading to systems that aggregate transactions in local currency over time and space into larger, slower, and less frequent transactions on the main network. We don’t have to worry about that kind of scaling for a very long time. The deflation problem will likely be rendered irrelevant by the decentralization problem as we go into space. Figure that one out later – need the Merkle-patricia blockchain and paxos consensus formation on digital assets, and once we can construct and prove arbitrary consensus on arbitrary digital assets, we can build anything. But trouble is, I want my data format to outlast the stars. Ozymandias merely built in stone, which probably lasted a millennia or two. I have more durable building materials at hand than Ozymandias did. I intend to initially define the smallest representable quantity as something larger than $2^{-62}$ of the currency at issue, and then drop it to the lowest value the ui can handle, probably yoctorho, $yρ$, when the sofware supports that. And, having dropped, it is unlikely to change further for many millenia or so. If someone reads this in a few millennia, and the exponent, still eight bits on the blockchain, wraps through zero or one hundred and twenty eight, drink to me as the first builder who truly built to live forever. One solution is to have the canonical blockchain format, and the base communication format that every client and peer must support, even though obviously any two peers can agree to any format to communicate between each other, represent money in binary form as variable precision base one thousand floating point, and to the users in units of the metric prefixes tera giga, mega, kilo ... milli, micro, (and eventually nano, pico, femto). When deflation runs us out of prefixes, in a few millennia or so, perhaps the prefixes will wrap back to from zepto to yotta, but we can worry about that UI detail in the far future, supposing that the language has not radically changed by then. We have a configurable limit on the smallest representable quantity, which just happens to correspond to translating everything to sixty four bit integers, but that limit can be changed as necessary without breaking the canonical format - thus the canonical format will suffice forever. The sixty four bit integers will be an internal implementation detail, a particular internal representation of unsigned arbitrary precision floating point base one thousand, which can change in any one peer without breaking anything, and with machines using different internal representations still able to communicate with each other. M2, total US money supply, is about ten trillion, MB, the hard central bank issuance that roots M2, the base money, is about three trillion, the difference being term transformation. Assuming we want to replace all money everywhere, and support transactions down to one thousandth of a cent, $2^{64}-1$ millicents is over one hundred trillion, which will suffice.  (We don’t allow negative account values in the base money.) So, assuming at full volume, the currency is worth ten trillion, the base unit will be worth around 0.005 millicents. And at initial release, we want the total value of the currency to be about twenty million, so the base unit of the currency will be initially worth about 1E-10 cents. We want plenty of headroom for additional currency issue, so will initially issue only one sixty fourth of the possible currency, and want to initially issue sixteen million worth, so want the smallest unity of currency to be\ $2^{-64}*64*\$16\,000\,000$, which is approximately $\$2*10^{-10}$ Assuming we only have $2^{60}$ of the smallest base unit, and that when we are competing on an equal footing with other media of exchange, it has a capitalization of two trillion, then again the smallest base unit will be worth about two millicents, which is inconveniently small. So our named unit has to be a million or a billion times larger, If my plans work out, the currency will be controlled by the whales, who have net positive value in the currency, hence want permanent deflation, rather than the bankers, who owe a lot of promises to pay in the currency, backed by promises that when push comes to shove are likely to result in the delivery of property, rather than currency, and therefore have regular banking crises, resulting in regular demands to debase the currency, resulting in permanent inflation. So, assuming permanent deflation, make the smallest base unit the microrho, $1µρ$. So, when we are competing in the big leagues, our named unit will be worth about two dollars. Which is inconveniently small, but I anticipate further deflation eventually. Traditional coinage had as its lowest value coin the half reale, or the maravedi, one third of a reale. The most common coin in use was the peso, the piece of eight rendered so famous in pirate lore, which was eight reales or twenty four maravedi, subsequently divided into one hundred cents. The famous doubloon was sixteen reales, or forty eight maravedi. An eight reale coin, peso, was worth about a hundred dollars in today's money, so people were disinclined to use coins for small transaction, or disinclined to be minutely precise about the value of a transaction. So we want, after taking over the world economy, our standard unit of currency to be worth about four dollars, which is about 80000 times our smallest unit. But we want to use powers of a thousand, milli, kilo, mega, etc, So our base unit is going to be the microrho, or $μρ$, and our standard unit, the rho or $ρ$, is going to be worth about ten trillion$*1000000*2^{-64}$ which is about half a dollar. Or we could make our smallest representable unit the $nρ$, with might leave us with an inconveniently large value of the rho, and everyone using millirho followed by a decimal point and the rest in $μρ$, which is inconvenient. But, if we always display quantities in the metric unit such that the quantity is less than a thousand of that unit, but equal to or greater than one of that unit, it is OK. If we make our smallest possible base unit the $nρ$, then the maximum possible currency on issue, until we go to internally representing values within the computer as 128 bit, which is not that hard, since our representation on the blockchain and to humans is arbitrary precision times powers of a thousand, then the maximum transaction of which computers are capable is going to be eighteen billion rho, which is not a limitation. What is a limitation is that at scale, people will commonly be transacting in $mρ$. On the other hand, if we start out transacting in $ρ$, and end up transacting in $mρ$, that is continual propaganda for the currency as a store of value. At scale, the $mρ$ will be a roughly right sized value to get your mind around in small transactions, and the $ρ$ the right sized value for asking how your solvency is going and how much a car or a house is worth. We need to strongly support sidechains and chaumian cash, sidechains so that we can have competing protocols and higher volumes. Cryptonote has something arguably better than Chaumian cash. Our financial system is corrupt and oppressive. Cryptocurrencies represent an opportunity to route around that system, and make lots of money doing so. Cryptocurrency is real, and presents the opportunity to make enormous amounts of money.  Also, cryptocurrency scams are real, and present the opportunity to lose enormous amounts of money.  The successful altcoin will be genuinely decentralized, as bitcoin was designed to be, originally was, and to some extent still is.  Most of the altcoins, possibly all of them except the Bitcoins and Ethereum, are furtively centralized. It will use, or at least offer the option, of Zooko type wallet names. It will be scalable to enormous numbers of transactions with low transaction costs, as Steemit and Ripple are, but Bitcoin and Ethereum are not. It will support sidechains, and exchanges will be sidechained. It will be a blogging and tweeting platform, as Steemit is, and will be a decentralized blogging and tweeting platform, as Steemit is not.  Every website [reporting on the altcoin boom and the initial coin offering boom](https://coinmarketcap.com/coins/) has an incentive to not look too closely at the claimed numbers.  Looks to me that only Bitcoin and Steemit.com have substantial numbers of real users making real arms length transactions.  Maybe Ethereum and Ripple also.  The rest are unlikely to have any significant number of real, arms length, users. The crypto coin business is full of scammers, and there is no social pressure against scammers, no one wants to look too closely, because a close look would depress the market. Most of the alt currencies are just me-too copies of bitcoin, not adding any substantial value, and/or they cannot scale, and they are deceptive about how centralized and how vulnerable to state attack they are.  Nearly all of them are furtively centralized, as Bitcoin never was.  They all claim to be decentralized, but when you read the white paper, as with Waves, or observe actual practice, as with Steemit, they are usually completely centralized, and thus completely vulnerable to state pressure, and quite likely state seizure as an unregulated financial product, thus offer no real advantage over conventional financial products. The numbers [show](https://coinmarketcap.com/coins/) that Bitcoin is number one, ethereum number two, ripple number four, and steemit.com number eighteen, but my wild assed guess is that Bitcoin is number one, steemit number two, ethereum number three.  I have absolutely no idea where ripple stands.  No one is providing data that would enable us to estimate real, arms length users. Bitcoin exchanges are banks, and banks naturally become fractional reserve institutions.  Bitcoin exchanges are furtively and secretly investing customer deposits, without reporting the resulting term transformation. Genuinely free market banks, and bitcoin exchanges are genuinely free market banks, have a financial incentive to engage in term transformation – borrow short, lend long.  Which is great for everyone until a rainy day comes, rains on everyone, and everyone withdraws their deposits all at the same time, and suddenly all those long term loans cannot be liquidated except at a loss, whereupon the ~~banks~~exchanges turn to the state, and so begin the transition from a backed currency to a state currency, ceasing to be free market banks. The trouble with fractional reserve is that free market banks, banks trading in a backed, rather than state, currency, tend to deny, understate and misrepresent the term transformation risk, making them slowly, and often unintentionally, drift into becoming scams.  If the reserve fraction is visible to customers, then we could rely on caveat emptor.  Right now, however, every bitcoin exchange is drifting into becoming a scam. We need, and we could easily have but do not have, a system where the amount of bitcoins owed to customers by an exchange is knowable and provable, and the amount of bitcoins owned by an exchange is knowable and provable, so that the reserve fraction is visible, whereupon the exchange would have to provide information about the extent and nature of its term transformation, or else would likely lose customers, or at least would lose large, long term customers.  This would involve the decentralized cryptocurrency making each exchange a sidechain operating a centralized cryptocurrency backed by the decentralized cryptocurrency.  Which would also help mightily with scaling. Bitcoin and ethereum is truly decentralized, in that it is a protocol that any entity can use, and that in practice lots of entities do use.  If the government grabs some hosts, or some hosts do bad things, they can just be ignored, and the system continues elsewhere.  They also use Zooko type identities, which in practice means your wallet name looks like line noise.  This is outstandingly user hostile, and a reason so many people use exchanges, but it provides the core of resistance to state power. Unfortunately, Bitcoin and Ethereum face scaling limits.  Maybe ethereum will fix its scaling limits.  Bitcoin does not seem to be fixing them.  This makes Bitcoin and Ethereum transactions inherently expensive, which is likely to prevent them from replacing the corrupt and oppressive US government controlled financial system. Steemit.com has a far superior design which does not result in scaling limits – although we have yet to see how its witness election system will perform at scale – as the system scales, money holders have less incentive to vote, less incentive to vote responsibly, and voting will inherently cost more. Steemit.com is also highly centralized.  The altcoin that will win will be the one needs to be scalable all the way to Visa and Mastercard levels, and needs to be visibly decentralized, visibly resistant to state seizure, and needs to have a mechanism that makes the fractional reserves of exchanges visible to exchange users. Bitcoin was genuinely decentralized from the beginning, and over time became more centralized.  Big exchanges and a small number of big miners are on the path to inadvertently turning it into another branch of the oppressive and corrupt government fiat money system. The new altcoin offering are for the most part not genuinely decentralized.  They have a plan for becoming genuinely decentralized some time in the future, but the will and ability to carry the plan through has not been demonstrated. I like the steemit design.  The witness system is scalable, the witness election system has problems which may be fixable, or may be inherent. But I have a suspicion that investing in steemit is only going to profit whoever owns steemit.com, not the owners of steemit currency. According to Steemit documentation, it looks like a well designed cryptocurrency that deserves to replace Bitcoin, because it is more scalable, more user friendly, and more immediately usable. Well, that is what it looks like.  Except its front end is the steemit.com website, and any one website can easily be seized by the feds.  If actually decentralized, it should be a bunch of websites using a common crypto currency and a common identity system, Remember usenet: A common protocol, and an internal name system.  The particular host through which you accessed it did not matter all that much, because all hosts had to behave much the same. Steemit should be something like usenet with money, and it is not. The way usenet worked, anyone (meaning anyone’s computer and his client program) could join as a client by having an agreement with a host, and anyone (meaning anyone’s powerful and well connected computer system) could join as a host by having an agreement with a few existing members. A successful altcoin needs to be a blogging platform like Steemit, but it also needs to be a federation, like Usenet or Mastodon.  Many of the blogs will be offering goods or services for cryptocurrency. Then one could be more sure that success of the federation currency would benefit owners of the currency, rather than owners of a single central website. Needs to be Mastodon with the ability to support a blog like post, and like Steemit, and unlike Mastodon, to send and receive money.  Steemit.com is wordpress.com with the ability to send and receive money. Bitcoin has a decentralized name system, rooted in Zooko style names that are not human intelligible.  Its resistance to state power comes partly from the fact that there are several miners and anyone can be a miner, and partly from its decentralized name system. Steemit has a communication and blogging system.  But if I hold steemit currency, steemit.com connects that to my phone number, which the government connects to my true name.  All that handy dandy data that the government would like all in one place that you can serve a warrant on or mount a raid on.  Or just sell for profit. Need a decentralizedd communication, identity, name, and blogging system, unlike Steemit.com’s centralized communication and blogging system, and a name system that is resistant to government intervention and control, like Bitcoin’s name system. Thus the blogs offering goods and services for crypto currency will be resistant to regulation or seizure by the state.  When a ruler meddles as much as our state does, he gives dangerously great power to those dangerously close to him.  The regulatory state inevitably drifts into anarcho tyranny, or, like Venezuela, into violent and chaotic anarchy. But we also want human readable names.  How can we square Zooko’s triangle? (As Aaron Schwarz famously asked, and then infamously gave a very stupid answer.) I will give my answer as to how a crypto currency can square Zooko’s triangle in a following post.  (The answer being, much as namecoin does it.) Now since any crypto currency system is a generalized secure name system with money, how do we make this system available for general access between computers? Our wallet client will provide an interface to something that looks and acts very much like your browser bookmarks system.  Except that links in the system correspond to a new kind of url, perhaps ro: This will be registered the same way magnet, https, mailto, and http are registered.  In windows they are registry entryies of the form > Computer\\HKEY_CLASSES_ROOT\\http\\shell\\open\\command except, of course, that ours shall be > Computer\\HKEY_CLASSES_ROOT\\ro\\shell\\open\\command In our name system, links consist of a wallet name followed by a path.  The target wallet maps these names to a server somewhere, likely on his system, and a client protocol, such as http, on your system. The target may want a client walletname, or the client username and shared secret, which is usually stored in the link, but if it is not, has to be typed into the wallet software when you are opening the link.  Any required user name and password negotiation is done in the wallet UI, not in the UI of the client being launched. If the client protocol is http, this results in the wallet creating on your system a port which maps to a port on the destination system, and then launching your browser.  If a username and password is needed, then the wallet does the negotiation and launches the browser with a transient cookie. Thus, suppose the url ro:example_name/foo maps to http protocol with some target system determined by the owner of example_name. Then some port, perhaps 3237 on your system, will be mapped to port 80 on the target system, then the url ro:example_name/foo/bar will result in the command to launch your browser to http://localhost:3237/bar This is not a system for attaching to our legacy browser system.  It is global connection and protocol negotiation system which can be used for legacy systems such as http.  That browsers will mishandle these translated urls is a browser bug.  They should talk directly to the wallet client, and say "give me a socket for this ro protocol url." TCP identified protocols by small numbers, and target machines by rather larger numbers.  This totally failed to scale, and we have to replace it with a [better scheme](./protocol_specification.html), with support for urls such as "magnet" and "http" as a degenerate special case of this more general and more powerful scheme.  ------------------------------------------------------------------------ The coin to invest in, the coin that I will invest in both in money and as a software contributor, will solve the scaling problem, will be capable of scaling all the way to wiping out the US\$ as a world currency.  It will have integral support for sidechains with payments out of one sidechain to another sidechain being endorsed by sidechain signature which can be generated by arbitrarily complex rules idiosyncratic to that sidechain provided that conformity to the rules has verification of bounded computational time that the central chain can evaluate.  It will have an efficient system for securing history in which Merkle trees do not grow to enormous depth, so that it is possible to efficiently verify any one small part of history without needing to verify all transactions that have ever taken place.  (Because scalability implies we abandon everyone verifying everything down to the last byte.) It will be decentralized in the sense that if the police grab every single major contributor, software writer, and server, they cannot change the rules and make the currency act differently, they can only seize the money of the people that they have grabbed. A Merkle tree is a tree where every node contains the hash of its immediate children.  Thus the hash of the root of any subtree guarantees the contents of all its descendants, just as the hash of a file guarantees the contents of the entire file. This means that we can keep on adding to the tree, while keeping the past immutable, which is a useful feature for tracking who owns what, and who owes what.  If many people see the current hash at time X, you cannot change details about the past of time X without revealing what you have been up to. Any tree can be severely unbalanced, for example a binary tree where every node has a right hand child, and very few nodes have a left hand child, in which case the depth of the tree is approximately proportional to the total number of nodes in the tree – and the tree grows to enormous depth when the total number of node is enormous. Or it can be approximately balanced, in which case the depth of the tree is approximately proportional to the log of the number of nodes, which is always a reasonably small number even if the number of nodes is enormous. And a hash that testifies to every transaction that anyone ever did is going to be the hash of an enormous number of nodes.  But if it is at the root of a tree of moderate depth, then we can validate any part of the tree for conformity with the rules without validating the entire tree for conformity to the rules.  A blockchain is a Merkle tree that is chain like, rather than tree like.  Its depth grows linearly with its size, thus in time it becomes very deep.  Every node must store or at least have processed and summaried, the entire tree.  Thus if many equal nodes, cost of adding transactions is proportional to the number of nodes Thus, if we want a decentralized system, this can get very expensive. We want a system that can resist state power, a system where if the state grabs a few individuals and coerces them, it can seize their money, and perhaps all the money that they manage for other people, but cannot seize the entire system.  If it wants to grab control of everyone’s money, has to grab everyone, or at least grab most people.  Thus reducing the cost by having a few people authorized to validate the blockchain is a bad option, since the state could grab those people, or those people could conspire together to scam everyone. A blockchain runs on a set of nodes, each of which may be under the control of a separate company or organization. These nodes connect to each other in a dense peer-to-peer network, so that no individual node acts as a central point of control or failure. Each node can generate and digitally sign transactions which represent operations in some kind of ledger or database, and these transactions rapidly propagate to other nodes across the network in a gossip-like way. ## The way bitcoin works Each node independently verifies every new incoming transaction for validity, in terms of: (a) its compliance with the blockchain’s rules, (b) its digital signature and (c) any conflicts with previously seen transactions. If a transaction passes these tests, it enters that node’s local list of provisional unconfirmed transactions (the “memory pool”), and will be forwarded on to its peers. Transactions which fail are rejected outright, while others whose evaluation depends on unseen transactions are placed in a temporary holding area (the “orphan pool”). At periodic intervals, a new block is generated by one of the “validator” nodes on the network, containing a set of as-yet unconfirmed transactions. Every block has a unique 32-byte identifier called a “hash”, which is determined entirely by the block’s contents. Each block also includes a timestamp and a link to a previous block via its hash, creating a literal “block chain” going back to the very beginning. Just like transactions, blocks propagate across the network in a peer-to-peer fashion and are independently verified by each node. To be accepted by a node, a block must contain a set of valid transactions which do not conflict with each other or with those in the previous blocks linked. If a block passes this and other tests, it is added to that node’s local copy of the blockchain, and the transactions within are “confirmed”. Any transactions in the node’s memory pool or orphan pool which conflict with those in the new block are immediately discarded. Every chain employs some sort of strategy to ensure that blocks are generated by a plurality of its participants. This ensures that no individual or small group of nodes can seize control of the blockchain’s contents. Most public blockchains like bitcoin use “proof-of-work” which allows blocks to be created by anyone on the Internet who can solve a pointless and fiendishly difficult mathematical puzzle. By contrast, in private blockchains, blocks tend to be signed by one or more permitted validators, using an appropriate scheme to prevent minority control. Depending on the consensus mechanism used, two different validator nodes might simultaneously generate conflicting blocks, both of which point to the same previous one. When such a “fork” happens, different nodes in the network will see different blocks first, leading them to have different opinions about the chain’s recent history. These forks are automatically resolved by the blockchain software.  In bitcoin, the probability of this conflict continuing drops rapidly and exponentially, but never goes to zero. This document is licensed under the [CreativeCommons Attribution-Share Alike 3.0 License](http://creativecommons.org/licenses/by-sa/3.0/)