{"id":19287,"date":"2019-09-22T13:00:03","date_gmt":"2019-09-22T13:00:03","guid":{"rendered":"http:\/\/ci027cfe65f00926c3"},"modified":"2025-01-27T21:21:10","modified_gmt":"2025-01-27T21:21:10","slug":"discovering-bitcoin-part-7-missing-pieces","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/discovering-bitcoin-part-7-missing-pieces","title":{"rendered":"Discovering Bitcoin Part 7: The Missing Pieces"},"content":{"rendered":"
<\/div>
<\/figure>\n

This is the seventh and final installment of bitcoiner Giacomo Zucco\u2019s series \u201cDiscovering Bitcoin: A Brief Overview From Cavemen to the Lightning Network.\u201d Read the <\/em>Introduction to his series<\/em><\/a>, <\/em>Discovering Bitcoin Part 1: About Time<\/em><\/a>, <\/em>Discovering Bitcoin Part 2: About People<\/em><\/a>, <\/em>Discovering Bitcoin Part 3: Introducing Money<\/em><\/a>, <\/em>Discovering Bitcoin Part 4: A Wrong Turn (New Plan Needed)!<\/em><\/a>, <\/em>Discovering Bitcoin Part 5: Digital Scarcity<\/em><\/a> and <\/em>Discovering Bitcoin Part 6: Digital Contracts<\/em><\/a>.<\/em><\/p>\n

As we conclude our \u201cDiscovering Bitcoin\u201d series, we will build on the use of digital signatures and of the CoinJoin paradigm to explore concepts of unique chronology, mining fees and off-chain transactions.<\/p>\n

Proving Unicity: Timechain<\/h2>\n

We are finally at the end of our exploration of Plan \u20bf<\/a>, back again to the question \u201cWhen?\u201d from whence we started. <\/p>\n

It\u2019s an important question, as it justifies the introduction of the so-called \u201cblockchain technology,\u201d a decidedly abused expression that, in its original meaning, just labeled the answer to a problem of unique chronology. (It\u2019s interesting, in this regard, that Satoshi himself called this structure “timechain,”<\/a> which is also the term we are going to use here \u2026 sorry, Peter<\/a>!).<\/p>\n

<\/figure>\n

Let\u2019s try to understand what problem it solves, by getting back to our little story. You designed a digital cash system in which issuance and ownership are both decentralized, leveraging puzzles<\/a> and signatures<\/a> in a clever combination.<\/p>\n

But how do you prevent users from double-spending the same UTXO? If Carol, a dishonest user, transfers sats to an address controlled by Daniel, and then signs another transaction that retransmits those very same sats to an address controlled by herself, which transaction will the network enforce? They would both be \u201cvalid\u201d from the point of view of the chain of signatures and scripts, and both would point to a valid initial issuance, with a correct PoW difficulty.<\/p>\n

And how do you prevent \u201cminers\u201d from lying about the correct timestamp, tricking the difficulty adjustment algorithm to increase the issuance rate? If the miner Minnie manages to solve hundreds of PoW puzzles at low difficulty, but she includes forged timestamps that depict the solutions as only 10 minutes apart from each other, how can a generic user, maybe just recently connected to the system, discover and prove such dishonest behavior?<\/p>\n

Within your previous e-gold experiment<\/a>, your trusted timestamp server trivially solved both issues. But now there is no central server, so who defines the unique chronology of events? <\/p>\n

If the network could somehow \u201cvote,\u201d it could reach a \u201cdemocratic\u201d consensus about it. But voting processes, while feasible in systems with a fixed number of known actors (often called \u201cfederations\u201d), can\u2019t work within dynamic sets of unknown, anonymous actors. You can\u2019t simply use \u201cnode count\u201d as a proxy for voting rights, since every user could pretend to \u201cbe\u201d millions of different nodes in what is known as a \u201cSybil attack.\u201d You need another, \u201cSybil-resistant\u201d way to push all the nodes to find (and keep) consensus over one single, consistent, immutable history.<\/p>\n

<\/figure>\n

Unfortunately, a deterministic and final solution based on mathematics is theoretically impossible. But a statistical and asymptotic solution based on economics is practically possible, and you are smart enough to find it. This is the idea: Every time miners try to solve PoW puzzles, they should include in their messages compact snapshots of the current transactional timeline! <\/p>\n

Instead of just their issuance messages, they should pass through the hash function more complex \u201cblocks\u201d of information, each containing (along with said issuance message, a timestamp and a random number needed to solve the puzzle at the correct difficulty) the solution of the previous block (which had been found by other miners about 10 minutes before) and a list of transactions recently made by other users.<\/p>\n

<\/figure>\n

A block that contains transactions already included in previous blocks is considered invalid. A block carrying a timestamp that is significantly incompatible with the previous ones is also discharged.<\/p>\n

Using this trick, all actors are incentivized to converge on a consistent version of the same chronology. Minnie could<\/em> include a valid transaction contradicting (double-spending) a previously confirmed one, or alter the timestamp to trick the difficulty adjustment, but then other nodes would reject such a block, and she would lose the value of the new issuance, having wasted time and energy for nothing. <\/p>\n

Miners spend money to solve puzzles, and thus it\u2019s quite safe to assume they want to enjoy the associated rewards, creating blocks that aren\u2019t rejected, at least in scenarios where they only follow financial incentives endogenous to the system.<\/p>\n

<\/figure>\n

Mining Fees<\/h2>\n

This solution, while brilliant, still lacks incentives for miners to include other people\u2019s transactions. They could just opt to save the computing power needed to verify scripts and signatures (which, while not being as much as the one needed for hash collision<\/a>, is still relevant) and to include only their own valid issuances in otherwise empty blocks. Also, the diminishing amount of sats allowed in such issuances, due to the controlled-supply paradigm, would reduce (even discounting for an increase in sats\u2019 purchasing power) the incentive to solve blocks at all, eventually canceling it completely at the end of the last era, when there will be no inflation. <\/p>\n

You solve this problem by introducing \u201cmining fees\u201d: a small \u201cextra\u201d that users can attach to their transactions to incentivize miners to include them.<\/p>\n

It works like this: The system allows miners to include in their reward transactions, along with the issuance of newly \u201cminted\u201d sats (compatible with the current era), also the difference in sats between created and consumed UTXOs of all the valid transactions included in the block. Fees never depend on the amount transacted, but only on the transaction size (script complexity, number of signatures, etc.) and the desired priority within blocks.<\/p>\n

Scaleness (and Darkness) Problems<\/h2>\n

The minimum mining fee necessary for a transaction to be included in a block fluctuates depending on supply and demand of \u201cblock space.\u201d On the supply side, the number of transactions that can be added to the timechain are limited by a maximum block size (less than 4 megabytes for each block) and a maximum block rate (about one every 10 minutes). On the demand side, each user has different constraints and preferences (some can wait more to pay less, some can pay more to wait less, some use wallets with excellent dynamic fee estimation, some don\u2019t). In general, a rising demand for block space would imply a rise in mining fees. This clearly limits the scaleness of the system (in particular, since miner fees are independent from the amount of value transferred, we could say that it actually reduces divisibility). <\/p>\n

More, in general, using a timechain implies that every node in the network must forever keep track of everything: Every single on-chain transaction must be downloaded and verified by every actor who will use the system for its entire history, even far into the future. Such a system is clearly not scalable. It also lacks darkness, since everyone has to keep a copy of every transaction forever, enabling any kind of forensic analysis and deanonymization attempt. <\/p>\n

<\/figure>\n

It would be possible to make the situation look better for some users, at the cost of creating another more \u201cprivileged\u201d class of users. For example, if you increase the size and frequency of blocks, then the block-space supply increases, and its price decreases. But the cost of running nodes, with the ability to independently verify the validity of transactions and blocks, increases way faster than said supply, centralizing the topology of the entire system. Sure, a new class of specialized nodes could serve as some kind of \u201csigned message\u201d to inferior, non-validating users, giving them some guarantee that a transaction is valid. After all, coinage was introduced in order to delegate to a few specialized trusted entities the expensive task of verifying precious metal coins. But, just like coinage, this strategy (knowns as \u201cSPV\u201d) implies a strong centralization, with all the attached risks of political interference or censorship by the likes of Mallory<\/a>.<\/p>\n

A New Paradigm: \u201cOff-Chain\u201d<\/h2>\n

There\u2019s a smart way to mitigate the fundamental scaleness limits of global consensus systems without sacrificing its decentralization. We will call it the \u201coff-chain paradigm.\u201d <\/p>\n

The idea is simple: Just refrain from committing every transaction to a block until it\u2019s strictly necessary, keeping most of the traffic off the public timechain (with its expensive global consensus) and only using it for conflict resolution and periodic settlement.<\/p>\n

This evolution is similar to the way people use courts and contracts in common-law systems: Courts can create publicly binding precedents, reaching some sort of \u201clegal global consensus,\u201d but they are comparatively slow and expensive, so most trading parties usually only sign private bidirectional contracts, asking courts to verify and enforce them only when conflicts arise or when some periodic settlement is due. <\/p>\n

Advanced smart contracts could be used to make this kind of \u201crecourse\u201d trust-minimized: Unlike an actual legal system, the decentralized timechain could avoid human bias and corruption, relying mostly on cryptography and code. Unlike the credit certificates discussed in the context of virtualization<\/a>, off-chain transactions are not \u201cvirtual\u201d; they are actual valid transactions, with high probability of being enforced by the system regardless of the honesty of the parties involved.<\/p>\n

<\/figure>\n

You soon realize that this kind of paradigm could highly improve the darkness of your system as well. Instead of having all the nodes registering all transactions forever, most of those transactions would be exchanged privately between the interested parties alone, making forensic analysis by malicious eavesdroppers harder, costlier, less complete and less reliable.<\/p>\n

<\/figure>\n

The main implementation of such a strategy is a secondary network of pre-funded, bilateral \u201cpayment channels\u201d that can route transactions across many hops in a trust-minimized, atomic way. Users call it by a very poetic name: \u201cthe Lightning Network\u201d (the acronym for which is often included in the label of the whole protocol suite of your system, named \u201cLNP\/BP\u201d as analogous to the historical \u201cTCP\/IP\u201d<\/a>).<\/p>\n

But there are other minor instances of the same paradigm; for example, several techniques to keep the actual script off the timechain until needed, saving block space and privacy as well. (People call these techniques many strange names, like \u201cTaproot,\u201d \u201cGraftroot,\u201d \u201cg*root,\u201d \u201cScriptless Script\u201d and so on.)<\/p>\n

<\/figure>\n

With the introduction of these final pieces of technology, your users finally have everything they need to use the system in real life, in order to take back some of the most important features of money. Thank you, \u201cSatoshi\u201d! <\/p>\n

<\/figure>\n

You have come a long way since your early caveman innovations, far in the past. Now, only the future can tell us if this Plan \u20bf of yours will work out. To the moon.<\/p>\n

A final thank you to Nicki DiCicco for her cover art and to <\/em>CryptoScamHub<\/em><\/a> for his meme art contributions to this series!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

In the conclusion to the \u201cDiscovering Bitcoin\u201d series, Giacomo Zucco explores concepts of unique chronology, mining fees and off-chain transactions.<\/p>\n","protected":false},"author":3409,"featured_media":19293,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[],"class_list":{"0":"post-19287","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical"},"author_data":{"id":3409,"name":"Giacamo Zucco","nicename":"giacamozucco","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=robohash&r=g"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/zucco-7.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/19287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/3409"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=19287"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/19287\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/19293"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=19287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=19287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=19287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}