forked from cheng/wallet
wallet/docs/white_paper.md
reaction.la 5238cda077
cleanup, and just do not like pdfs
Also, needed to understand Byzantine fault tolerant paxos better.

Still do not.
2022-02-20 18:26:44 +10:00


Rhocoin White Paper

This is a preliminary draft, not the final version.

The centre of mass of the world financial system is starting to shift from fiat currency to crypto currency and crypto currency exchanges. Total value of crypto currency and transaction volume is within one order of magnitude of US$, and when regulatory authorities cut off crypto currency exchanges and stablecoins from the US$ banking system it has very little impact on them.

Scaling

The time urgently approaches for a cryptocurrency capable of scaling to ten thousand transactions per second, so that eight billion people can buy a lollipop with crypto currency. Bitcoin can currently do ten transactions per second.

The big problems are scaling and privacy.

Fungibility

A currency has to be fungible. And a cryptocurrency needs privacy, not so much to protect its users (there does not seem to be a lot of demand for privacy) but to protect its fungibility.

Lack of privacy is likely to lead to the blood diamonds attack, where governments declare a long and ever growing list of bitcoins to be tainted, and twist the arms of the miners to exclude transactions in those bitcoins, with the result bitcoins cease to be fungible and thus cease to be money, as uncut diamonds ceased to be money.

Bitcoin is vulnerable to the one third attack. If one third of miners exclude “tainted” bitcoins and refuse to add to a chain ending in a block containing “tainted” bitcoins, other miners have an incentive to exclude “tainted” bitcoins also, to improve the prospects that their block becomes part of the longest chain.

(This has been called the ten percent attack, but it does not actually work until rather more than ten percent join the attack. One third, however, will suffice. Calling it the blood diamonds attack is more accurate. The blood diamonds attack put a lot of people out of business, for they were really in the money changer business, rather than the jewelry business.)

Bitcoin is already under the ten percent attack. If it approaches one third, time to flee bitcoin.

Blockchain analysis is a big problem, though scaling is rapidly becoming a bigger problem.

Monero and other privacy currencies solve the privacy problem by padding the blockchain with chaff, to defeat blockchain analysis, but this greatly worsens the scaling problem. If Bitcoin comes under the blood diamonds attack, Monero will be the next big crypto currency, but Monero has an even worse scaling problem than Bitcoin.

The solution to privacy is not to put more data on the blockchain, but less - considerably less. The place for clever cryptography to secure privacy is the lightning network and sidechaining, so that most transactions happen off the main blockchain, with primary blockchain transactions each recording the accumulated effect of many transactions.

A true lightning network functions as full reserve correspondence banking with no central authority. The existing Bitcoin lightning network functions as marginal reserve banking with good conduct enforced by central authority.

But even with sidechaining and the lightning network, we are going to need the capacity to put thousands of transactions per second on the primary blockchain.

We need off blockchain blockchains, sidechains, but how do you transact between one sidechain and another? It would seem that it is not much use if it only supports half a dozen people transacting with each other.

The answer is that such transactions reach other people's sidechains through the lightning network, in that you are usually transacting with one particular person in that sidechain, who is a well connected lightning node. A sidechain transaction can only directly connect to someone who is participating in that particular sidechain, but it can reach anyone in the world through the lightning network if one entity of the small number of entities in that small sidechain has half a dozen lightning gateways on other sidechains and on the primary blockchain.

The lightning network naturally results in lots of repeated blockchain transactions between stable small groups of people, because you are always sharing new cryptocoins between the same group of people when a lightning gateway overflows.

So every time you have a stable account with someone, your pub, your club, your fiber connection, your bank, the shopping chain that delivers your groceries, you form a lightning network gateway with them, whose shared cryptocoins are likely in a sidechain much of the time. You participate in roughly as many sidechains as you have accounts or regular repeated transactions with people.

The solution to all these problems is a lightning network done right, to support both scalability and pseudonymity. Multiparty lightning network transactions have to be trustless and full circle. Ann pays Bob to pay Carol to pay Ed to pay Frank, and Frank sends a receipt to Ann, and all of them go through, or none of them go through, and if someone breaks the circle, then either none of them go through (non-Byzantine failure, as with a poor connection to the internet, or someone's computer goes down), or, if someone breaks the circle in a Byzantine failure suggestive of Byzantine defection, then, and only then, it goes through on the primary blockchain.

The problem with the existing Bitcoin lightning network is that it has a hidden and unexplained central authority, whom you have to trust, and which does stuff that is never explained or revealed. This is not stable, and does not scale. Not only is it evil, it is incapable of connecting everyone in the world to everyone in the world. The existing lightning network has the same problem as Tether.

Tether is not a Ponzi scheme. It is an unregulated bank, but it is still doing marginal reserve banking, and will implode sooner or later due to insider fraud or maturity transformation, and something analogous is bound to happen with the existing Bitcoin lightning network, because of the inherent fragility of centralization. The moral problem of the existing lightning network is the same as the moral problem of marginal reserve correspondence banking. Scaling requires trustlessness. Or rather, you are trusting that if enough people see and process the transactions in full, then, because they are not parties to that transaction and don't have a dog in the fight, they will process it correctly. And as soon as you have a central authority that you have to trust, you have a party with an interest in, and the capability of, not processing it correctly.

So we don't want everyone in the world, or even every full peer in the world, to process every transaction in the world. We want every full peer in the world to process every transaction in the world where the parties quarrel, with most other transactions never showing up directly on the primary blockchain. And we don't want everyone in the world to be a full peer. We want enough full peers that the vast majority will not have a dog in the fight, and we want anyone in the world who is reasonably affluent and wants to be a full peer to be able to be a full peer, which is likely to be most with substantial amounts of cryptocurrency. At scale, nearly everyone will keep his money in his client wallet, but if it is a lot of money, his client wallet will likely be a client of a peer that he controls.

The failures of bitcoin

The pseudonymity of coins being owned by the bearer of some cryptographic key is a failure; people have been eavesdropping on and aggressively analyzing the block chain from day 1. And the block chain will always be there, it will always be public, and it will always be subject to further analysis. And we are learning that analysis of that record is sufficient to destroy any pretense of anonymity or pseudonymity.

The scarcity of transactions has led people to re-invent every last feature of the banks they thought they were going to be escaping, including debt brokering (lightning network) and fractional-reserve banking, starting with the case of Mt. Gox and continuing to ventures today by “responsible” business people who just don't get, or don't care, or both, that the entire reason the system existed, as far as the early adopters were concerned, was to get away from exactly that. They have made Bitcoin into a debt-based system like any other; as long as the “exchange” holds your keys for you, there is no obligation for them to maintain assets equal to the deposits. You can't prove that they are, or aren't, maintaining sufficient assets until after those assets are spent and the evidence appears in the block chain.

And it's useless for small transactions. Had it been deployed to a market the size of, say, a college campus, it could bear the load and the bidding for block space wouldn't exceed the value of most transactions. But had it been deployed to a market the size of a college campus, the small pool of miners available would make mining bursty and unstable, and the block chain therefore not well protected from tampering. The same could have happened to Bitcoin early on, which is why Satoshi was mining like crazy, jumping on when needed to prop up the block rate and backing off again when the blocks were coming too fast.

And that brings us to mining. Bitcoin mining has encouraged corruption (because it is often done using electricity which is effectively stolen from taxpayers with the help of government officials), wasted enormous resources of energy, fostered botnets, and centralized mining activity in a country where centralization means it is effectively owned by exactly the kind of government most people thought they DIDN'T want looking up their butts, and where the people who that government allows to “own” this whole business work together as a cartel.

The whole idea of proof-of-work mining is broken the instant hardware comes out which is specialized for mining and useless for general computation, because at that point the need to have compute power for other purposes has no effect whatsoever on mining, and there ceases to be any force that causes mining to be distributed around the world. It becomes a “race to the bottom” to find where people can get the cheapest electricity, and then mining anywhere else (anywhere the government tries to make sure ordinary people actually get the benefit from electricity bought with tax money, for example) becomes first pointless, then a net loss.

Bitcoin doesn't scale, except by becoming the very thing it was supposed to replace.

Bitcoin was a Pilot system, a good first effort. It did what a Pilot system is intended to do: show where the pitfalls lie.

You're supposed to learn from it, then toss it out and go back to the drawing board.

We cannot keep pushing the prototype; we must design a proper production system.

Satoshi's main goal was to improve on DigiCash, RPOW and other similar schemes that had a fair degree of decentralization but still relied on a central authority. Satoshi managed to solve this problem in a genius way by combining existing technologies and an understanding of human psychology.

People had been trying to solve it for decades without any luck. People like Wei Dai and Szabo came close but never managed to materialize their visions (assuming they're not Satoshi).

Bitcoin showed us where the pitfalls are, so we can focus attention on solving them.

Privacy, security, efficiency, and scalability are mutually opposed if one attempts to have them all on the blockchain. For the blockchain achieves security by everyone repeating the processing of everyone else's transactions, which is opposed to privacy, efficiency, and scalability.

The most efficient way is obviously a single central authority deciding everything, which is not very private nor secure, and has big problems with scalability.

If a transaction is to be processed by many people, one achieves privacy, as with Monero, by cryptographically padding it with a lot of misinformation, which is contrary to efficiency and scalability.

The efficient and scalable way to do privacy is not to share the information at all. Rather we should arrange matters so that information only goes to the blockchain to be scrutinized by many people if the parties to the transaction have a falling out. Which is what the Bitcoin lightning network was supposed to be, but is not.

Bitcoin's pseudonymity is alarmingly weak (though the Wasabi wallet partially fixes this). The lightning network layer would fix this, as well as providing instant transactions, but a true lightning network cannot be implemented over Bitcoin as it exists today.

A lightning network would provide instantly settled transactions and strong fungibility. It would make bitcoins (unspent transaction outputs of the blockchain) far less traceable, because lightning transactions happen off chain and inherently mingle coins, thus making crypto coins fully fungible, thus increasing their desirability as a direct substitute for cash.

Proof of stake, Byzantine fault, and statehood

A proof of stake currency is a corporation. Its currency is shares in that corporation. Corporations derive their corporateness from the authority of the sovereign, but a proof of stake currency derives its corporateness from each stakeholder (shareholder) playing by the rules because all the other stakeholders play by those rules.

Which means the rules have to be incentive compatible and provide Byzantine fault resistant consensus.

This was Satoshi's great stroke of genius. If most people follow Satoshi's rules, everyone has an economic incentive to follow the rules. Constructing such a set of rules is very hard. Even non-Byzantine distributed consensus is hard, because distributed consensus is very hard.

The Byzantine Generals problem is named after Byzantium, because in the latter days of the Byzantine empire, there were some generals who wanted a large part of the Byzantine army defeated and annihilated so that they could take Byzantium, overthrow the emperor, and become emperor.

So general Malloc might send general Bob the message:

facing overwhelming enemy attack, falling back. You and general Dave may soon be cut off.

and general Dave the message:

enemy collapsing. In pursuit.

With the intent that general Dave will advance and find himself cut off and isolated.

That the messages are inconsistent is Byzantine failure, and that they are deliberately inconsistent with malicious intent is Byzantine defection.

The phrase “Byzantine failure” is usually used to refer to one computer in a network sending a message to one computer that is inconsistent with the message it sent to another computer.
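The inconsistency just described is only provable, and therefore only punishable, if Bob and Dave can pool what each received and show that both messages genuinely came from Malloc. The following Python is an added illustration, not code from the Rhocoin paper or wallet repository: it uses a Lamport one-time hash signature as a stand-in for whatever signature scheme a real system would use (an assumption), takes the generals' names from the text, and classifies each (sender, round) as consistent, equivocating, or forged.

```python
import hashlib
import secrets
from collections import defaultdict
from typing import NamedTuple


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: 256 pairs of random preimages; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def msg_bits(msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # Reveal, for each bit of the message digest, the preimage selected by that bit.
    return [pair[bit] for pair, bit in zip(sk, msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pair[bit] for s, pair, bit in zip(sig, pk, msg_bits(msg)))


class Message(NamedTuple):
    sender: str
    recipient: str
    round: int
    text: str
    sig: list


def audit(pubkeys, received):
    """Classify each (sender, round) from the messages recipients pooled.
    'equivocation' = two validly signed, different texts for the same round:
    non-repudiable proof of Byzantine defection. A message that never arrived
    is an omission (possibly an honest network failure) and is not judged here."""
    by_key = defaultdict(list)
    for m in received:
        by_key[(m.sender, m.round)].append(m)
    verdicts = {}
    for (sender, rnd), msgs in by_key.items():
        pk = pubkeys[(sender, rnd)]
        if not all(lamport_verify(pk, m.text.encode(), m.sig) for m in msgs):
            verdicts[(sender, rnd)] = "forged"
        elif len({m.text for m in msgs}) > 1:
            verdicts[(sender, rnd)] = "equivocation"
        else:
            verdicts[(sender, rnd)] = "consistent"
    return verdicts


def scenario():
    """Constructed run: in round 1 Malloc tells Bob one thing and Dave another,
    while Bob tells everyone the same thing. Bob and Dave then pool what they got."""
    rnd = 1
    keys = {(g, rnd): lamport_keygen() for g in ("Malloc", "Bob")}
    pubkeys = {k: pk for k, (sk, pk) in keys.items()}

    def send(sender, recipient, text):
        sk = keys[(sender, rnd)][0]
        return Message(sender, recipient, rnd, text, lamport_sign(sk, text.encode()))

    received = [
        send("Malloc", "Bob", "facing overwhelming enemy attack, falling back"),
        send("Malloc", "Dave", "enemy collapsing. In pursuit."),
        send("Bob", "Malloc", "holding position"),
        send("Bob", "Dave", "holding position"),
    ]
    return audit(pubkeys, received)
```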

The generals need to find a consensus as to whether they are all going to attack, or all going to retreat. They are physically separate, and messages going between them may get lost. And some of them are traitors. The problem of establishing a true consensus for cohesive action under these circumstances is difficult, and the algorithms and process often hard to understand.

To achieve cohesive action, to act as one, all the independent actors need to follow some process. And it can be proven that deviation from process yields an advantage of at least two to one in getting one's way.

This is a Byzantine fault. And if people get away with it, pretty soon no one is following process, and the capacity to act as one collapses. Thus process becomes bureaucracy. Hence today's American State Department and defense policy. Big corporations die of this, though states take longer to die, and their deaths are messier. It is a big problem, and people, not just computer programs, fail to solve it all the time.

Proof of work was a brilliant and unobvious solution, but it is costing too much, and it is slowing down the rate at which transactions can be handled, which slowness is now starting to bite hard.

The blockdag, done right, is equivalent to Practical Byzantine Fault Tolerant consensus, albeit the equivalence is far from obvious, and the blockdag is in ways simpler to understand. Practical Byzantine Fault Tolerant consensus is arcane, but reveals a number of interesting mathematical facts about the nature of collective action.

Sovereign Corporation

A successful proof of stake currency would be a non-state corporation, a sovereign corporation. What is a sovereign corporation but a state? The power of the US is in substantial part that it is a world currency, albeit a major reason why it is a world currency is air-sea war superiority, and as its relative air-sea war superiority declines, its role as a world currency declines. If the shares of a sovereign corporation took over the role of the US dollar, that sovereign corporation would be a world power. Its power would be in the network, as the power of the US was in the air and sea, rather than the land.

But the dollar and nukes are not the only bases of USG power. Even more than being a financial root node, the power of USG is a result of being the monopoly truth root node (via Harvard, aka the Cathedral, but including lesser official government outposts such as the CIA). USG establishes the world's narratives, which control what everyone cool across the world believes: that gay marriage is justice, for example, or that “trans” people are a real thing and not just crazy and/or sexually deviant, or that global warming is real, human-caused, and disastrous, or that black lives matter.

A proof of stake currency is not very functional unless, like the Jitsi blockchain, it provides a namespace and service, because you need to interact with peers that have authority over the consensus: the shareholders, or their computers, need to interact with the computer equivalent of the members of the board and CEO. That means a nameservice that, unlike domain names, cannot be seized by the government, nor man-in-the-middled by any of a hundred organizations that have a certificate authority in their pocket. Replacing the domain name service as well as the US$ would substantially undermine the US Government's monopoly of truth. See Yarvin's analysis of bitcoin.

The big metadata security hole

The necessarily cumbersome process of embedding a payment in SSL is a huge security hole in every crypto currency, as for example when one leases a virtual private server (cloud server) over the internet using bitcoin. We need to replace SSL, which requires replacement of the name system that is integrated in SSL.

The Domain Name System means that names are ultimately owned by the government, and the government can intercept communications to and from such names. SSL is inherently insecure, because any entity that has one of a thousand certificate authorities in its pocket can man-in-the-middle communications to and from such names. A currency cannot be truly private, and thus is in danger of losing fungibility, if payments are sent to and received from entities with government owned names.

Names should be owned by secrets in crypto wallets.

The name system is worth serious money

Business is moving to the internet

Increasingly, the primary assets of a business are its internet name, other peoples links to its name, and its position on other peoples pages.

The primary asset of Amazon is the same as the primary asset of Ebay. It silos the reputations that enable strangers to do business with each other. You do business on Amazon, it owns your reputation.

We need a name system that supports reviews, so that you own your own reputation.

For the lightning network to work without central authority, we need a cryptographic means to enforce full circle payments, so you are guaranteed acknowledgment of your payment if it goes through. In which case we can have Amazon and Ebay like reviews, without a central authority such as Amazon or Ebay.

Amazon's management of its primary asset is rapidly becoming worse and worse.

Amazon is not primarily a warehousing and delivery service, and to the extent that it is a warehousing and delivery service, it is a poorly run warehousing and delivery service. When I get something through Amazon, it usually comes direct from the seller, not through an Amazon warehouse. It is primarily a reputation service like Ebay, suffering from the delusion that it is a warehousing and delivery service.

There is another option, neither FBA nor your own warehousing and delivery service, but using some other logistics services company. Schenker is big precisely because they are offering to run practically every aspect of your business: warehouse, shipping, basic after-sales (a call center going through a script, giving replacements or credit notes for returns); they are even offering things like billing or even building a webshop.

You design a product. China manufactures it for you and these logistics services companies deal with all the details of getting the product out. So you do not really have to have a real business with employees. Logistics is a service, accounting is a service, marketing is a service, sales is a service, every department can be virtualized into a service bought from another company.

This is probably too expensive in the long run, but very good when you are just putting your toes into the water. Suppose you have a real actual company in the US with employees, office, warehouse. You decide to try to sell your stuff in France and Germany. Will you go through hiring people and renting an office and warehouse, without even knowing if anyone wants to buy your product there? Too risky. In 1980 it was necessary to risk it, but not today: you can have an entirely virtual business where every department is outsourced to local (local language etc.) service providers; it can be started one day and liquidated the next if it does not work out. And if it does work out, you start insourcing the most expensive services.

If you take that path, you are bypassing Amazon owning your name. Instead, the Domain Name Service owns your name. There is a lot of money in names, and while the service is not failing as badly as the banks, it still is mighty bad. And it is missing the capability to securely pay money to the entity that has the name. The methods for encapsulating payments inside SSL work, but are cumbersome and indirect, hence the ubiquitous need to sign up, fill out a captcha, receive an email message to confirm your sign up, click on a link in that message, before you enter your credit card details which promptly get stolen. You should be able to receive an invoice from example.com the way you can receive an email from name@example.com, know for sure it is the same example.com you were just clicking around in, rather than yet another scammer, and reply to that message by clicking on a pay button.

To accomplish this will be a great deal of work, but the foundation for accomplishing it is that names need to be on the same blockchain as cryptocoins, and controlled by their owners' secrets, rather than by some central authority which is apt to pursue its own political objectives and the financial interests of the registrars, rather than those of the people whose names are being registered.