In this post, we will build on the idea of using digital puzzles as a way to reproduce the scarcity and on the importance of supply control mechanisms to provide durability for cryptocurrencies. digital, from which the concepts of proof of ownership are discovered through signatures as well as writing, and the technique is called CoinJoin.
Proof of ownership: Signature
The second Plan B brought us was to focus on the human theme and to describe the question “Who is it?”.
You have rules set up for releasing new sats, but what about their transfer? Who is allowed to change the general balance sheet data and transfer ownership?
If there is a central authority responsible for reallocating the sats, follow the instructions of the current owner (it is possible to log into the system by accessing the usual username and password, similar to in the test There will be Mallory making you vulnerable to failure again: Why bother then switching from physical gold to PoW-based digital scarcity? On the other hand, if each user has equal rights to redefine ownership then your system is completely inoperable: People will be encouraged to continually transfer the sats of others to themselves. You need some sort of consistent authority protocol that people can independently audit.
The solution is an encryption technique known as a “digital signature”. It works like this: First, Alice chooses a random number called the “secret private key”, where she will keep absolute secret. She then passed this figure through a special mathematical function, easy to apply in one direction but practically irreversible. The result is a different number called the “public key”, which Alice keeps no secret: Instead, she guarantees that Bob will know about it. In the end, she passed the private key and the message through the second function was also difficult to reverse, resulting in a very large number called the “user’s signature”. A third and final mathematical function can be applied by Bob to Alice’s message, signature, and public key, resulting in either positive or negative verification. If the result is positive, he can be sure that Alice has authorized the message “authentication, which means she will then be unable to deny the authorization” the non-denial message. “(Non-repudiation) and the message is not changed in passing” integrity “(integrity).
In other words, it resembles a handwritten signature that is easy for everyone to test on some public sample, but difficult to copy if not the owner of the correct hand. Or wax stamp: easy for everyone to check against a public seal registry, but difficult to copy without the exact wax mold.
So you alter your protocol to create independent reusable proof of work fractions through digital signatures. The first model you deploy is considered trivial: Each user independently creates a private key and creates a public “account”, labeled with the corresponding public key. When a user wants to transfer ownership, they create a message that includes their account along with the recipient’s account and the number of sats they want to transfer. They then digitally sign and distribute it while everyone can verify.
What’s quite interesting is that a similar scheme can be used by many well-known (but possibly fake) developers to sign different versions of software so they can freely change and improve. , repair, update, test, review it and any end user of your system can independently verify signatures before operating their preferred version, leveraging a network The reliability mesh is scaled and fragmented, without the need for a single software delivery agency. This process allows for proper code hierarchy.
Script and “smart contract”
You don’t want to limit rules that every colleague must check before accepting any balance sheet changes, merely the validity of digital signatures.
You decide that each message can also include a “script”: a list of instructions describing additional conditions that the recipient account (or account) will have to meet in order to spend it again. . For example, the sender might request some secret key combination (merge or split) or specific time spent before spending. Starting with these very simple (and easy to audit) things, being able to build complex smart contracts that make and moreover make money effectively “programmable” (programmable) right even without central parties.
The problems of “darknes” and scaleness
Unlike an encrypted messaging system (in which if Alice sends Bob some messages, only Bob can read them), your plan isn’t really optimized for “darkness” ( if Alice sends sats to Bob, her message will have to be revealed outside of Bob’s reach – at least to those who will receive the same sats later).
Circulating money? Payee cannot trust any money transfer (even if duly signed) if they cannot verify that the transfer has actually been transferred to that particular payer, and vice versa, back to the first PoW-based issuance. With a sufficient number of circulating sats, active colleagues will be aware of a large number of past transactions, and legal analysis techniques can be used to statistically correlate quantity and time. , metadata and accounts, thereby eliminating many of their rejection.
Smart contracts can make this problem worse because specific spending conditions are used to define specific software implementations or separate organizational policies.
This lack of “shadow” is more serious than your previous e-gold impact test: Yes, before that, you stored most of your transaction data on your central servers, but Only you, at least as opposed to anyone who has visited (including many Mallory dealerships). Furthermore, you can implement some highly advanced coding strategies to make yourself at least a blind part of what is actually happening among your users.
There’s also a small scale issue associated with this design: The sizable digital signature and the transfer chain the payee needs to receive to validate everything will include multiple signatures, causing the validation can become more expensive. Furthermore, the account change is quite difficult to confirm in parallel.
A new model: “CoinJoin”
In order to mitigate similar problems, you decide to change the underlying entities of the model from bank “accounts” to a “Unspent Transaction Outputs (UTXOs). .
Instead of instructions for moving sats from one account to another, each message now includes a list of old UTXOs, coming from past transactions, and “used” components. And a list of new UTXOs that have “made” products and are ready for future trading. Instead of publishing a private or public key to be used as a general reference (like an IBAN bank or email address), Bob must provide a new, one-time public key for each payment. he wants to receive. When Alice pays him, she signs a message that “unlocks” sats from a previously generated UTXO number and locks it again on a new UTXO number.
As with actual cash, spendable bills do not always match the payment requirement – often requiring change. For example, if Alice wants to pay 1,000 sats to Bob, but she only controls one number of 700 sats UTXOs for each, she will sign a transaction that consumes two of those 700 UTXO sats (unlocking a total of 1,400 sats) and creates two new UTXOs: one associated with Bob’s keys which is the payment key (1,000 sats) and the other associated with Alice’s keys as the change key (400 sats).
Provided people aren’t using reusable keys for different payments, this design adds a “shadow” to itself. But even more so when your users begin to realize that UTXOs consumed and generated by a single transaction don’t have to come from two entities. Alice can create a spend message for old UTXOs she controls and create new UTXOs (linked to Bob), then she can pass that message on to Carol, who just needs to add the old UTXOs which she wants to use and the new UTXOs (linked to Daniel) want to create. In the end, Alice and Carol both signed and distributed the synthesis message (returning both Bob and Daniel).
This particular use of the UTXO model is called “CoinJoin”. (Activation warning: In actual Bitcoin history, this use was not the reason Satoshi’s design for the UTXO model itself but was discovered by other developers as a potential turning point years later. at launch). It disrupts the ability to statistically link the outputs, while preserving what is known as “atomicity”: Transactions are completely valid or invalid, so Alice and Carol cannot. mutual trust. (If one of them tries to change the partially signed message before adding their own signature, the current signature will be invalid.)
There’s one change going on to your system that can really improve the situation even further: another digital signature scheme replaces the currently used digital signature system, that is “Linear in signatures”. That means: when receiving two private keys (nothing but two numbers), sign the same message together and add the signature results together (nothing but two very large numbers) The result is that the correct signature corresponds to the sum of the two public keys associated with the original two private keys.
This sounds confusing, but the implication is simple: Alice and Carol, when CoinJoining, can add their private signature and emit only the amount that everyone can verify for the total number of public keys. their declaration. Since as we said, the signature is the heaviest part of the online heaviest deal, the ability to broadcast just one instead of many will save a lot of resources. Outside observers will eventually suspect every transaction to be CoinJoin, as many users can after gaining efficiency. This assumption will break most of the legal solutions.
Even without further improvement, the UTXO model somehow increased the scale: Unlike a state change in the account model, it allows validation to be processed in batches and in parallel effectively.