[Cryptography] Bitcoin is a disaster.

Jeff Burdges burdges at gnunet.org
Fri Jan 1 22:20:15 EST 2021


Bitcoin shall remain a disaster of course, mostly due to the community denying problems exist, which is typical of purely economic communities.  

It's fairly clear that proof-of-work mining eventually creates a capitalist tragedy of the commons in which miners run double-spending attacks upon their own network.  I’d expect Bitcoin should eventually die due to double spends, although China could step in to regulate miners to prevent this.


Almost all points raised by Bear have been addressed by one or another newer chain design: 

- Zcash-like methods make privacy and fungibility possible.  And arkworks and halo2 should deliver more flexible transactions.  There remains fear-mongering over small trusted setups, and even Zcash shall abandon trusted setups with halo2, but any chain requires a 2/3rds honest assumption that’s far worse than the trusted setup’s one-honest assumption, so larger trusted setups basically really do address these issues.  Anonymous transactions impose some minimal overhead by forcing UTXOs over accounts, but this appears acceptable.

- It’s true lightning is just extending the disaster of bitcoin, and even academic payment channel research is a disaster due to ignoring privacy, but actually private "layer two" designs based on blind signatures should work if restricted to only small payments.  About the only problem would be if the required locked stake could be better allocated doing other things.

- We’ve killed proof-of-work with schemes like Ouroboros Praos and the similar things Polkadot and ETHv2 use.  Praos alone remains subject to the same double-spending attacks as Bitcoin, but again chains like Polkadot and ETHv2 fix this by coupling Praos with a BFT finality gadget.

- We need constant-rate block production, which Praos fails, but.. If you have few block producers, then there are secret single leader election (SSLE) protocols based on shuffles proposed by Dan Boneh and Mary Maller.  In Polkadot, we have too many block producers for shuffles, so we'll eventually adopt an only semi-secret single leader election protocol called Sassafras that merely sorts ring VRFs instead.  As an aside, Sassafras also kills the mempool, which saves considerable bandwidth and makes account-based privacy designs less bad; not sure that matters.

- Polkadot has on-chain governance over the WASM blobs that define both the central relay chain and the shards (parachains/parathreads).  This fixes the hardfork-to-upgrade problem.  We’ll create new problems with on-chain governance of course, but creating multiple chains with related but different cultures, different governance, and even different voting protocols should help mitigate these and explore the design space.  And Bryan Ford’s proof-of-personhood parties https://pop.dedis.ch/ remain an exciting post-covid direction.  WASM brings fun new problems, but solvable in practice.

- There exist sharding designs that address the block space problem:  Arkworks, Coda, etc. want full zk rollups, which adds considerable latency but should work eventually.  ByzCoin, ETHv2, etc. want hundreds of validators per shard so that adversaries simply cannot create invalid blocks, which requires good shared randomness.  In Polkadot, we take a more ambitious “cut n’ choose rollup” approach: first, shards commit to their block by distributing it using erasure coding, and only afterwards do validators choose which shards they check, which yields security with only 10s of validators per shard and needs less good shared randomness.  Lazy Ledger has a similar goal to Polkadot, but using fancier erasure coding so that non-validators check too.  All these true sharded designs should yield Visa-ish performance, and they all stack, so future chains could far exceed Visa by using all three.  Mempools must die, obviously.  And users cannot watch even the shards directly.

All these improvements bring considerable complexity of course, especially due to their extensive interactions.  In this, we introduce punishments via slashing too, which even academics largely still reject, and which requires nasty gymnastics à la https://github.com/w3f/research/blob/master/docs/polkadot/slashing/npos.md  At least Polkadot should eventually prevent honest mistakes from inducing slashes via back certs https://github.com/paritytech/substrate/issues/7398

It’s quite a quagmire, but it’ll work.. just not for Bitcoin.


It appears fundamental that performance, efficiency, and functionality can be improved with punishments.  I suspect governments could always deploy a blind-signature-based payment system like GNU Taler, or similar zero-knowledge-proof-based designs, which outperforms any blockchain design, based largely upon governments’ ability to jail bad bankers, although maybe slashing alone suffices.  Anonymous validator proposals suffer from this too, but probably they never made sense.


Phillip Hallam-Baker phill at hallambaker.com writes:
> > >The more scalable the network becomes, the more centralized it becomes,
> > >until ultimately a "scalable" cryptocurrency would be doing things
> > >exactly the same way as a credit card processor.
> >
> > It never fails to amuse me how so many cryptocurrency enthusiasts
> > imagine they have deep new economic insights when they are just
> > reinventing the past, badly. The reason that banks use book entry
> > accounting with audits that can reverse bogus transactions is not
> > because they're stupid. It's because it scales indefinitely without
> > having to be online all the time, and because normal people don't
> > want to make large payments without some recourse if the transaction
> > goes bad.  (A cup of coffee, sure, a house or car, not so much.)
> 
> The refusal to believe that recourse is essential has been a problem since
> Chaum's DigiCash. And it is a recurring issue because the only reason the
> credit card system hangs together is it provides recourse and the only
> reason it can do that is every transaction is covered by insurance.

DigiCash and now Taler were never suitable for storing money or buying a house.  And afaik they never claimed otherwise.  That said, actually blind signatures would create regular SEPA transactions for digital payment, so if the payee deanonymizes themselves then they could exploit all the usual SEPA rules, modulo the exchange acting as intermediary.

That said..

We absolutely do require a mechanism to reverse bogus transactions in blockchains!

I never watch Polkadot’s governance closely, but even I noticed them reject quite a few “fix my mistake” requests, and indeed a governance vote might not be the best solution.  Each one of those would usually be some small-time participant losing the earnings of hundreds or thousands of hours of their work, although maybe some ETH stuck-funds drama enters this picture too.

I’d hope some chain that based its governance and validators upon Bryan Ford’s proof-of-personhood parties could overcome this “I’ve got mine” mindset.. and maybe find some mechanism to elect arbiters/jurors or something.

Jeff
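The blind-signature payment flow that the post sets against blockchains (DigiCash, GNU Taler, and the "layer two" idea above), as an added example that is not from the post, from GNU Taler or from any project mentioned in it: Chaum's RSA blind signatures in plain Python, with hypothetical Exchange/Coin names, a constructed one-coin scenario and a toy key size. It shows the three properties the thread argues about: the exchange signs a value it cannot link to the coin later deposited, it refuses a double spend, and the payee has to name its own account to deposit, which is the point where non-anonymous recourse can attach.

```python
# Added example (not from the post, not GNU Taler's code): Chaum's RSA blind
# signatures as a minimal e-cash flow.  Names are hypothetical; the 512-bit
# key is a TOY size so the demo runs quickly.  Python 3.8+ (pow(x, -1, m)).
import hashlib
import math
import secrets
from dataclasses import dataclass, field

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; false positives with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Return (n, e, d): the exchange's coin-signing key."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def coin_hash(serial: bytes, n: int) -> int:
    """What actually gets signed: H(serial) as an integer mod n."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

@dataclass
class Coin:
    serial: bytes  # random, customer-chosen; the exchange sees it only at deposit
    sig: int       # exchange's RSA signature on coin_hash(serial)

@dataclass
class Exchange:
    n: int
    e: int
    d: int
    withdrawal_log: list = field(default_factory=list)  # blinded values only
    spent: set = field(default_factory=set)             # deposited serials
    balances: dict = field(default_factory=dict)        # payee -> coin count

    def sign_blinded(self, m_blind: int) -> int:
        """Withdrawal: sign the blinded value; the serial is never seen here."""
        self.withdrawal_log.append(m_blind)
        return pow(m_blind, self.d, self.n)

    def deposit(self, coin: Coin, payee_account: str) -> bool:
        """Deposit: verify, refuse double spends, credit the self-identified payee."""
        if pow(coin.sig, self.e, self.n) != coin_hash(coin.serial, self.n):
            return False  # forged or tampered coin
        if coin.serial in self.spent:
            return False  # double spend: this serial was already deposited
        self.spent.add(coin.serial)
        self.balances[payee_account] = self.balances.get(payee_account, 0) + 1
        return True

def withdraw(ex: Exchange) -> Coin:
    """Customer side: blind, get signed, unblind (Chaum 1982)."""
    n, e = ex.n, ex.e
    serial = secrets.token_bytes(32)
    m = coin_hash(serial, n)
    r = 2 + secrets.randbelow(n - 2)                 # blinding factor, must
    while math.gcd(r, n) != 1:                       # be invertible mod n
        r = 2 + secrets.randbelow(n - 2)
    s_blind = ex.sign_blinded((m * pow(r, e, n)) % n)
    s = (s_blind * pow(r, -1, n)) % n                # (m r^e)^d r^-1 = m^d
    assert pow(s, e, n) == m                         # customer-side check
    return Coin(serial, s)

def run_payment() -> dict:
    """Constructed scenario: withdraw one coin, deposit it, retry it, forge one."""
    ex = Exchange(*rsa_keygen())
    coin = withdraw(ex)
    first = ex.deposit(coin, "merchant-1")
    again = ex.deposit(coin, "merchant-1")
    forged = ex.deposit(Coin(secrets.token_bytes(32), coin.sig), "mallory")
    # Linking this deposit to withdrawal_log[0] = H(serial) * r^e mod n
    # means recovering r, i.e. inverting RSA without d.
    return {"first_deposit": first, "double_spend": again,
            "forgery": forged, "merchant_balance": ex.balances["merchant-1"]}
```

Call `run_payment()` to see the first deposit accepted and both the replay and the forgery refused. A deployable system differs in the parts left out here: real key sizes, a proper full-domain hash, one signing key per denomination, an audit log of withdrawals against the customer's funded account, and the refund and dispute paths that the post's SEPA remark is about; none of that changes the blinding arithmetic.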