This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else
wants it, but why would I
, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else
because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
- You the HODLer should be the one who controls where your money goes. Your keys, your coins.
- You the HODLer should be able to coordinate and make contracts with other people regarding your funds.
- You the HODLer should be able to do the above without anyone watching over your shoulder and judging you.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can
get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?
Taproot and Your /Coins
Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single
public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single
signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a soft
fork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least
2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally
. First do no harm!
Taproot and Your Contracts
No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables
more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow
, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also
get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).
Taproot and Your Contracts, Part 2: Cryptographic Boogaloo
Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
- Privacy. Everyone scraping the Bitcoin blockchain can see any HTLCs, and preimages used to claim them.
- This can be mitigated by using offchain techniques so HTLCs are never published onchain in the happy case. Lightning would probably in practice be the easiest way to do this offchain. Of course, there are practical limits to what you can pay on Lightning. If you are buying something expensive, then Lightning might not be practical. For example, the "software" you are activating is really the firmware of a car, and what you are buying is not the software really but the car itself (with the activation of the car firmware being equivalent to getting the car keys).
- Even offchain techniques need an onchain escape hatch in case of unresponsiveness! This means that, if something bad happens during payment, the HTLC might end up being published onchain anyway, revealing the fact that some special contract occurred.
- And an HTLC that is claimed with a preimage onchain will also publicly reveal the preimage onchain. If that preimage is really the activation key of a software than it can now be pirated. If that preimage is really the activation key for your newly-bought cryptographic car --- well, not your keys, not your car!
- Trust requirement. You are trusting the developer that it gives you the hash of an actual valid activation key, without any way to validate that the activation key hidden by the hash is actually valid.
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra
. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable
. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature
) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
- Privacy: PTLCs are private even if done onchain. Nobody else can learn what the private key behind the public key is, except you who knows the adaptor signature that when combined with the complete onchain signature lets you know what the private key of the activation key is. Somebody scraping the blockchain will not learn the same information even if all PTLCs are done onchain!
- Lightning is still useful for reducing onchain use, and will also get PTLCs soon after Taproot is activated, but even if something bad happens and a PTLC has to go onchain, it doesn't reveal anything!
- Trust issues can be proven more easily with a public-private keypair than with a hash-preimage pair.
- For example, the developer of the software you are buying could provide a signature signing a message saying "unlock access to the full version for 1 day". You can check if feeding this message and signature to the program will indeed unlock full-version access for 1 day. Then you can check if the signature is valid for the purported pubkey whose private key you will pay for. If so, you can now believe that getting the private key (by paying for it in a PTLC) would let you generate any number of "unlock access to the full version for 1 day" message+signatures, which is equivalent to getting full access to the software indefinitely.
- For the car, the manufacturer can show that signing a message "start the engine" and feeding the signature to the car's fimrware will indeed start the engine, and maybe even let you have a small test drive. You can then check if the signature is valid for the purported pubkey whose privkey you will pay for. If so, you can now believe that gaining knowledge of the privkey will let you start the car engine at any time you want.
- (pedantry: the signatures need to be unique else they could be replayed, this can be done with a challenge-response sequence for the car, where the car gathers entropy somehow (it's a car, it probably has a bunch of sensors nowadays so it can get entropy for free) and uses the gathered entropy to challenge you to sign a random number and only start if you are able to sign the random number; for the software, it could record previous signatures somewhere in the developer's cloud server and refuse to run if you try to replay a previously-seen signature.)
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)
Now if you were really
paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from
a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from
a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from
the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
- Current quantum computers can barely crack prime factorization problem for primes of 5 bits.
- The 256-bit elliptic curve use by Bitcoin is, by my (possibly wrong) understanding, equivalent to 4096-bit primes, so you can see a pretty big gap between now (5 bit primes) and what is needed (4096 bit primes).
- A lot of financial non-Bitcoin systems use the equivalent of 3072-bit primes or less, and are probably easier targets to crack than the equivalent-to-4096-bit-primes Bitcoin.
- Quantum computers capable of cracking Bitcoin are still far off.
- Pay-to-public-key-hash is not as protective as you might think.
- We will probably see banks get cracked before Bitcoin, so the banking system is a useful canary-in-a-coal-mine to see whether we should panic about being quantum vulnerable.
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).
- If you are a singlesig HODL-only Bitcoin user, Taproot will not affect you positively or negatively. Importantly: Taproot does no harm!
- If you use or intend to use multisig, Taproot will be a positive for you.
- If you transact onchain regularly using typical P2PKH/P2WPKH addresses, you get a minor reduction in feerates since multisig users will likely switch to Taproot to get smaller tx sizes, freeing up blockspace for yours.
- If you are using multiparticipant setups for special systems of trade, Taproot will be a positive for you.
- Remember: Lightning channels are multipartiicpiant setups for special systems of lightning-fast offchain trades!
I Wanna Be The Taprooter!
So, do you want to help activate Taproot? Here's what you
, mister sovereign Bitcoin HODLer, can do!
- If you have developer experience especially in C, C++, or related languages
- Review the Taproot code! There is one pull request in Bitcoin Core, and one in libsecp256k1. I deliberately am not putting links here, to avoid brigades of nontechnical but enthusiastic people leaving pointless reviews, but if you are qualified you know how to find them!
- But I am not a cryptographeBitcoin Core contributomathematician/someone as awesome as Pieter Wuille
- That's perfectly fine! The cryptographers have been over the code already and agree the math is right and the implementation is right. What is wanted is the dreary dreary dreary software engineering: are the comments comprehensive and understandable? no misspellings in the comments? variable names understandable? reasonable function naming convention? misleading coding style? off-by-one errors in loops? conditions not covered by tests? accidental mixups of variables with the same types? missing frees? read-before-init? better test coverage of suspicious-looking code? missing or mismatching header guards? portability issues? consistent coding style? you know, stuff any coder with a few years of experience in coding anything might be able to catch. With enough eyes all bugs are shallow!
- If you are running a mining pool/mining operation/exchange/custodial service/SPV server
- Be prepared to upgrade!
- One of the typical issues with upgrading software is that subtle incompatibilities with your current custom programs tend to arise, disrupting operations and potentially losing income due to downtime. If so, consider moving to the two-node setup suggested by gmax, which is in the last section of my previous post. With this, you have an up-to-date "public" node and a fixed-version "private" node, with the public node protecting the private node from any invalid chainsplits or invalid transactions. Moving to this setup from a typical one-node setup should be smooth and should not disrupt operations (too much).
- If you are running your own fullnode for fun or for your own wallet
- Be prepared to upgrade! The more nodes validating the new rules (even if you are a non-mining node!), the safer every softfork will be!
- If you are using an SPV wallet or custodial wallet/service (including hardware wallets using the software of the wallet provider)
- Contact your wallet provider / SPV server and ask for a statement on whether they support Taproot, and whether they are prepared to upgrade for Taproot! Make it known to them that Taproot is something you want!
But I Hate Taproot!!
- Raise your objections to Taproot now, or forever hold your peace! Maybe you can raise them here and some of the devs (probably nullc, he goes everywhere, even in rbtc!) might be able to see your objections! Or if your objections are very technical, head over to the appropriate pull request and object away!
- Maybe you simply misunderstand something, and we can clarify it here!
- Or maybe you do have a good objection, and we can make Taproot better by finding a solution for it!
Discussions About Taproot Activation
CryptoDiffer team Hello, everyone! We are glad to meet here: Max Freeman (@maxfreeman4), Project Lead at Epic Cash Yoga Dude (@Yogadude), PR&Marketing at Epic Cash Xenolink (@Xenolink), Advisor at Epic Cash Max Freeman Project Lead at Epic Cash submitted by
Thanks Max, we are excited to be here! Yoga Dude PR&Marketing at Epic Cash
Hello Everyone! Thank you for having us here! Xenolink Advisor at Epic Cash
Thank you to the CryptoDiffer team and CryptoDiffer community for hosting us! CryptoDiffer team Let`s start from the first introduction question: Q1: Can you introduce yourself to the community? What is your background and how did you join Epic Cash? Yoga Dude PR&Marketing at Epic Cash
Hello! My background is Marketing and Business Development, I’ve been in crypto since 2011 started with Bitcoin, then Monero in 2014, Ethereum in 2015 and at some point Doge for fun and profit. I joined Epic Cash team in September 2019 handling PR and Marketing.
I saw in Epic Cash what was missing in my previous cryptos — things that were missing in Bitcoin and Monero especially. Xenolink Advisor at Epic Cash
Hello Cryptodiffer Community, I am not an original co-founder nor am I a developer for the Epic Cash project. I am however a community member that is involved in helping scale this project to higher levels. One of the many beauties of Epic Cash is that every single member in the community has the opportunity to be part of EPIC’s team, it can be from development all the way to content producing. Epic Cash is a community driven project. The true Core Team of Epic Cash is our community. I believe a community that is the Core Team is truly powerful. EPIC Cash has one of the freshest and strongest communities I have seen in quite a while. Which is one of the reasons why I became involved in this project. Epic displayed some of the most self community produced content I have seen in a project. I’m actually a doctor of medicine but in terms of my experience in crypto, I have been involved in the industry since 2012 beginning with mining Litecoin. Since then I have been doing deep dive analysis on different projects, investing, and building a network in crypto that I will utilize to help connect and scale Epic in every way I can. To give some credit to those people in my network that have been a part of helping give Epic exposure, I would like to give a special thanks to u/Tetsugan
. Tetsugan has been doing a lot of work for the Japanese community to penetrate the Japanese market, and Japan has already developed a growing interest in Epic. Daku Sarabh the owner and creator of Crypto Daku Robinhooders, I would like to thank him and his community for giving us one of our first large AMA’s, which he has supported our project early and given us a free AMA. Many more to thank but can’t be disclosed. Also thank you to all the Epic Community leaders, developers, and Content producers! Max Freeman Project Lead at Epic Cash
I’m Max Freeman, which stands for “Maximum Freedom for Mankind”. I started working on the ideas that would become Epic in 2018. I fell in love with Bitcoin in 2017 but realized that it needs privacy at the base layer, fungibility, better scalability in order to go to the next level. CryptoDiffer team
Really interesting backgrounds I must admit, pleasure to see the team that clearly has one vision of the project by being completely decentralized:) Q2: Can you briefly describe what is Epic Cash in 3–5 sentences? What technology stands behind Epic Cash and why it’s better than the existing one? Max Freeman Project Lead at Epic Cash
I’d like to highlight the differences between Epic and the two highest-valued privacy coin projects, Monero and Zcash. XMR has always-on privacy like Epic does, but at a cost: Its blockchain is over 20x more data intensive than Epic, which limits its possibilities for scalability. Epic’s blockchain is small and light enough to run a full node on cell phones, something that is in our product road map. ZEC by comparison can’t run on low end devices because of its zero knowledge based approach, and only 1% of transactions are fully private. Epic is simply newer, more advanced technology than prior networks thanks to Mimblewimble
We will also add more algorithms to widen the range of hardware that can participate in mining. For example, cell phones and tablets based around ARM chips. Millions of people can mine Epic that can’t mine Bitcoin, and that will help grow the network rapidly.
There are some great short videos on our YouTube channel https://www.youtube.com/channel/UCQBFfksJlM97rgrplLRwNUg/videos
that explain why we believe we have created something truly special here.
Our core architecture derives from Grin, so we are fortunate to benefit on an ongoing basis from their considerable development efforts. We are focused on making our currency truly usable and widely available, beyond a store of value and becoming a true medium of exchange. Yoga Dude PR&Marketing at Epic Cash
Well we all have our views, but in a nutshell, we offer things that were missing in the previous cryptos. We have sound fiscal emission schedule matching Bitcoin, but we are vastly more private and faster. Our blockchain is lighter than Bitcoin or Monero and our tech is more scalable. Also, we are unique in that we are mineable with CPUs and GPUs as well as ASICs, giving the broadest population the ability to mine Epic Cash. Plus, you can’t forget FUNGIBILITY 🙂 we are big on that — since you can’t have true privacy without fungibility.
Also, please understand, we have HUGE respect to all the cryptos that came before us, we learned a lot from them, and thanks to their mistakes we evolved. Xenolink Advisor at Epic Cash
To add on, what also makes Epic Cash unique is the ability to decentralize the mining using a tri-algo model of Random X (CPU), Progpow (GPU), and Cuckoo (ASIC) for an ability to do hybrid mining. I believe this is an issue we can see today in Bitcoin having centralized mining and the average user has a costly barrier of entry.
To follow up on this one in my opinion one of the things we adopted that we have seen success for , in example Bitcoin and Monero, is a strong community driven coin. I believe having a community driven coin will provide a more organic atmosphere especially when starting with No ICO, or Premine with a fair distribution model for everyone. CryptoDiffer team Q3: What are the major milestones Epic Cash has achieved so far? Maybe you can share with us some exciting plans for future weeks/months? Yoga Dude PR&Marketing at Epic Cash
Since we went live in September of 2019, we attracted a very large community of users, miners, investors and contributors from across the world. Epic Cash is a very international project with white papers translated into over 30 languages. We are very much a community driven project; this is very evident from our content and the amount of translations in our white papers and in our social media content.
We are constantly working on improving our usability, security and privacy, as well as getting our message and philosophy out into the world to achieve mass adoption. We have a lot of exciting plans for our project, the plan is to make Epic Cash into something that is More than Money.
You can tell I am the Marketing guy since my message is less about the actual tech and more about the usability and use cases for Epic Cash, I think our Team and Community have a great mix of technical, practical, social and fiscal experiences. Since we opened our YouTube channels content for community submissions, we have seen our content translated into Spanish, French, German, Polish, Chinese, Japanese, Arabic, Russian, and other languages Max Freeman Project Lead at Epic Cash
Our future development roadmap will be published soon and includes 4 tracks:
Epic Server 2.9.0 — this release improves the difficulty adjustment and is aimed at making block emission closer to the target 60 seconds, particularly reducing the incidence of extremely short and long blocks — Status: In Development (Testing) Anticipated Release: June 2020
Epic Server 3.0.0 — this completes the rebase to Grin 3.0.0 and serves as the prerequisite to some important functional building blocks for the future of the ecosystem. Specifically, sending via Tor (which eliminates the need to open ports), proof of payment (useful for certain dex applications e.g. Bisq), and our native mobile app. Status: In Development (Testing) Anticipated Release: Fall 2020
Non-Interactive Transactions — this will enhance usability by enabling “fire and forget” send-to-address functionality that users are accustomed to from most cryptocurrencies. Status: Drawing Board Anticipated Release: n/a
Scaling Options — when blocks start becoming full, how will we increase capacity? Two obvious options are increasing the block size, as well as a Lightning Network-style Layer 2 structure. Status: Drawing Board Anticipated Release: n/a
Confidential Assets — Similar to Raven, Tari, and Beam, the ability to create independently tradable assets that ride on the Epic Blockchain. Status: Drawing Board Anticipated Release: n/a
GUI Wallet 2.0 — Restore from seed words and various usability enhancements — Status: Needs Assessment Anticipated Release: Fall 2020
Mobile App — Native mobile experience for iOS and Android. Status: In Development (Testing) Anticipated Release: Winter 2020
Telegram Integration — Anonymous payments over the Telegram network, bot functionality for groups. Status: Drawing Board Anticipated Release: n/a
RandomX on ARM — Our 4th PoW algorithm, this will enable tablets, cell phones, and low power devices such as Raspberry Pi to participate in mining. Status: Needs Assessment Anticipated Release: n/a
The economics of mining Epic are extremely compelling for countries that have free or extremely cheap electricity, since anyone with an ordinary PC can mine. Individual people around the world can simply run the miner and earn meaningful money (imagine Venezuela for example), something that has not been possible since the very early days of Bitcoin.
Atomic Swaps — Connecting Epic to other blockchains in a trustless way, starting with ETH so that Epic can trade on DeFi infrastructure such as Uniswap, Kyber, etc. Status: Drawing Board Anticipated Release: n/a Xenolink Advisor at Epic Cash
From the Community aspect, we have been further developing our community international reach. We have been seeing an increase in interest from South America, China, Russia, Japan, Italy, and the Philippines. We are working on targeting more countries. We truly aim to be a decentralized project that is open to everyone worldwide. CryptoDiffer team
Great, thank you for your answers, we now can move to community questions part! Cryptodiffer Community
You have 3 mining algorithms, the question is: how do they not compete with each other? Is there any benefit of mining on the GPU and CPU if someone is mining on the ASIC? Max Freeman Project Lead at Epic Cash
The block selection is deterministic, so that every 100 blocks, 60% are for RandomX (CPU), 38% for ProgPow (GPU), and 2% for Cuckoo (ASIC) — the policy is flexible so that we can have as many algorithms with any percentages we want. The goal is to make the most decentralized and resilient network possible, and with that in mind we are excited to work on enabling tablets and cell phones to mine, since that opens it up to millions of people that otherwise can’t take part. Cryptodiffer Community
To Run a project smoothly, Funding is very important, From where does the Funding/revenue come from? Xenolink Advisor at Epic Cash
Yes, early on this was realized and in order to scale a project funds are indeed needed. Epic Cash did not start with any funding and no ICO and was organically genesis mined with no pre-mine. Epic cash is also a nonprofit community driven project similar to Monero. There is no profit-driven entity in the picture. To overcome the revenue issue Epic Cash setup a development fund tax that decreases 1% every year until 2028 when Epic Cash reaches singularity with Bitcoin emissions. Currently it is at 7.77%. This will help support the scaling of the project. Cryptodiffer Community
Hi! In your experience working also with MONERO can you please clarify which are those identified problems that EPIC CASH aims to develop and resolve? What’s the main advantage that EPIC CASH has over MONERO? Thank you! Yoga Dude PR&Marketing at Epic Cash
First, I must admit that I am still a huge fan and HODLer of Monero. That said:
✅ our blockchain is MUCH lighter than Monero’s
✅ our transaction processing speed is much faster
✅ our address-less blockchain is more private
✅ Epic Cash can be mined with CPU (RandomX) GPU (ProgPow) and Cuckoo, whereas Monero migrated to RandomX and currently only mineable with CPU Cryptodiffer Community
Max Freeman Project Lead at Epic Cash
- the feature ‘Cut Through’ deletes old data, how is it decided which data will be deletes, and what are the consequences of it for the platform and therefore the users?
- On your website I see links to download Epic wallet and mining software for Linux,Windows and MacOs, I am a user of android, is there a version for me, or does it have a release date?
- This is one of the most exciting features of Mimblewimble, which is its extraordinary ability to compress blockchain data. In Bitcoin, the entire history of a coin must be replayed every time it is spent, and comprehensive details are permanently stored in the blockchain. Epic discards spent transaction inputs and consolidates outputs, storing neither addresses or amounts, only a tiny kernel to allow sender and receiver to prove their transaction.
- The Vitex mobile app is great for today, and we have a native mobile app for iOS and Android in the works as well.
$EPIC Have total Supply of 21,000,000 EPIC , is there any burning plan? Or Buyback program to maintain $EPIC price in the future?
Who is Epic Biggest competitors?
And what’s makes epic better than competitors? Xenolink Advisor at Epic Cash
We respect the older generation coins like Bitcoin. But we have learned that the supply economics of Bitcoin is very sound. Until today we can witness how the Bitcoin is being adopted institutionally and by retail. We match the 21 million BTC supply economics because it is an inelastic fixed model which makes the long-term economics very sound. To have an elastic model of burning tokens or printing tokens will not have a solid economic future. Take for example the USD which is an inflating supply. In terms of competitors we look at everyone in crypto with respect and also learn from everyone. If we had to compare to other Mimblewimble tech coins, Grin is an inelastic forever inflating supply which in the long term is not sound economics. Beam however is an inelastic model but is formed as a corporation. The fair distribution is not there because of the permanent revenue model setup for them. Epic Cash a non-profit development tax fund model for scaling purposes that will disappear by 2028’s singularity. Cryptodiffer Community
What your plans in place for global expansion, are you focusing on only market at this time? Or focus on building and developing or getting customers and users, or partnerships? Yoga Dude PR&Marketing at Epic Cash
Since we are a community project, we have many developers, in addition to the core team.
Our plans for Global expansion are simple — we have advocates in different regions addressing their audiences in their native languages. We are growing organically, by explaining our ideology and usability. The idea is to grow beyond needing a fiat bridge for crypto use, but to rather replace fiat with our borderless, private and fungible crypto so people can use it to get goods and services without using banks.
We are not limiting ourselves to one particular demographic — Epic Cash is a valid solution for the gamers, investors, techie and non techie people, and the unbanked. Cryptodiffer Community
EPIC confidential coin! Did you have any problems with the regulators? And there will be no problems with listing on centralized exchanges? Xenolink Advisor at Epic Cash
In terms of structure, we are carefully set up to minimize these concerns. Without a company or investors in the picture, and having raised no funds, there is little scope to attack in terms of securities laws. Bitcoin and Ethereum are widely acknowledged as acceptable, and we follow in their well-established footprints in that respect. Centralized exchanges already trade other privacy coins, so we don’t see this as much of an issue either. In general, decentralized p2p exchange options are more interesting than today’s centralized platforms. They are more censorship resistant, secure, and privacy-protecting. As the technology gets better, they should continue to gain market share and that’s why we’re proud to be partnered with Vitex, whose exchange and mobile app work very well. Cryptodiffer Community
What are the main utility and real-life usage of the #EPIC As an investor, why should we invest in the #EPIC project as a long-term investment? Max Freeman Project Lead at Epic Cash
Because our blockchain is so light (only 1.16gb currently, and grows very slowly) it is naturally well suited to become a decentralized mobile money standard because people can run a full node on their phone, guaranteeing the security of their funds. Scalability in Bitcoin requires complicated and compromised workarounds such as Lightning Network and light clients, and these problems are solved in Epic.
With our forthcoming Mobile Mining app, hundreds of millions of cell phones and tablets will be able to easily join the network. People can quickly and cheaply send money to one another, fulfilling the long-envisioned promise of P2P electronic cash.
As an investor, it’s important to ask a few key questions. Bitcoin Standard tokenomics of disinflation and a fixed supply are well proven over a decade now. We follow this model exactly, with a permanently synchronized supply from 2028, and 4 emission halvings from now until then, with our first one in about two weeks. Beyond that, we can apply some simple logical tests. What is more valuable, money that can only be used in some cases (censorable Bitcoin based on a lack of fungibility) or money that can be used universally? (fungible Epic based on always-on privacy by default). Epic is also poised to be a more decentralized and therefore resilient network because of wider participation in mining. Epic is designed to be Bitcoin++ Privacy, Fungibility, Scalability Cryptodiffer Community
Q1. What are advantages for choosing three mining algorithms RandomX+, ProgPow and CuckAToo31+ ?
Q2. Beam and Grin use MimbleWimble protocol, so what are difference for Epic? All of you will be friends for partners or competitors? Max Freeman Project Lead at Epic Cash
RandomX and ProgPow are designed to use the entirety of a CPU / GPU’s unique processing capabilities in a way that other types of hardware don’t work as well. You can run RandomX on a GPU but it doesn’t work nearly as well as a much cheaper CPU, for example. Cuckoo is a “memory hard” algorithm that widens the range of companies that can produce the hardware.
Grin and Beam are great projects and we’ve learned a lot from them. We inherited our first codebase from Grin’s excellent Rust design, which is a better language for community participation than C++ that Beam currently uses.
Functionally, Mimblewimble is similar across the 3 coins, with standard Confidential Transactions, CoinJoin, Dandelion++, Schnorr Signatures and other advanced features. Grin is primarily ASIC-targeted, Beam is GPU-targeted, and Epic is multi-hardware.
The biggest differences though are in tokenomics and project structure. Grin has permanent inflation of 60 coins per block with no halvings, which means steady erosion of value over time due to new supply pressure. It also lacks a steady funding model, making future development in jeopardy, particularly as the per coin price falls. Beam has a for-profit model with heavy early inflation and a high developer tax. Epic builds on the strengths of these earlier mimblewimble projects and addresses the parts that could be improved. Cryptodiffer Community
Some privacy coin has scalability issues! How Epic cash will solve scalability issues? Why you choose randomX consensus algorithem? Xenolink Advisor at Epic Cash
Fungibility means that you can’t distinguish one unit of currency from another, in example Gold. Fungibility has recently become a hot issue as people have been noticing Bitcoins being locked up by exchanges which may of had a nefarious history which are called Tainted Coins. In example coins that have been involved in a hack, darknet market transactions, or even processing coin through a mixer. Today we can already see freshly mined Bitcoins being sold at a premium price to avoid the fungibility problem Bitcoin carries today. Bitcoin can be tracked by chainalysis and is not a fungible cryptocurrency. One of the features that Epic has is privacy with added fungibility, because of Mimblewimble technology, Epic has no addresses recorded and therefore nothing can be tracked by chainalysis. Below I provide a link of an example of what the lack of fungibility is resulting in today with Bitcoin. One of the reasons why we chose the Random X algo. is because of the easy barrier of entry and also to further decentralize the mining. Random X algo can be mined on old computers or laptops. We also have 2 other algos Progpow (GPU), and Cuckoo (ASIC) to create a wider decentralization of mining methods for Epic. Cryptodiffer Community
I’m a newbie in crypto and blockchain so how will Epic Cash team target and educate people who don’t know about blockchain and crypto?
What is the uniqueness of Epic Cash that cannot be found in other project that´s been released so far ? Yoga Dude Pr&Marketing at Epic Cash
Actually, while we have our white paper translated into over 30 languages, we are more focused on explaining our uses and advantages rather than cold specs. Our tech is solid, but we not get hung up on pure tech talk which most casual users do not need to or care to understand. As long as our fundamentals and tech are secure and user friendly our primary goal is to educate about use cases and market potential.
The uniqueness of Epic Cash is its amalgamation of “whats good” in other cryptos. We use Mimblewimble for privacy and anonymity. Our blockchain is much lighter than our competitors. We are the only Mimblewimble crypto to use a unique cocktail of mining algorithms allowing to be mined by casual miners with gaming rigs and laptops, while remaining friendly to GPU and CPU farmers.
The “uniqueness” is learning from the mistakes of those who came before us, we evolved and learned, which is why our privacy is better, we are faster, we are fungible, we offer diverse mining and so on. We are the best blend — thats powerful and unique Cryptodiffer Community
Can you share EPIC’s vision for decentralized finance (DEFI)? What features do EPIC have to support DEFI? Yoga Dude PR&Marketing at Epic Cash
We view Epic as ideally suited to be the decentralized digital reserve asset of the new Private Internet of Money that’s emerging. At a technology level, atomic swaps can be created to build liquidity bridges so that wrapped Epic tokens (like WBTC, WETH) can trade on other networks as ERC20, BEP2, NEP5, VIP180, Algorand and so on. There is more Bitcoin value locked on Ethereum than in Lightning Network, so we will similarly integrate Epic so that it can trade on networks such as Uniswap, Kyber, and so on.
Longer term, if there is market demand for it, thanks to Scriptless Script functionality our blockchain has, we can build “Confidential Assets” (which Raven, Tari, and Beam are all also working on) that enable people to create tokenized assets in a private way.
If you could choose one celebrity to promote Epic-cash, who that would be?
Max Freeman Project Lead at Epic Cash
I am a firm believer that the strength of the project lies in allowing community members to become their own celebrities, if their content is good enough the community will propel them to celebrity status. Organic celebrities with small but loyal following are vastly more beneficial than big name professional shills with inflated but non caring audiences.
I remember the early days of Apple when an enthusiastic dude named Guy Kawasaki became Apple Evangelist, he was literally going around stores that sold Apple and visited user groups and Evangelized his belief in Apple. This guy became a Legend and helped Apple become what it is today.
Epic Cash will have its OWN Celebrities
How does $EPIC solve scalability of transactions? Current blockchains face issues with scalability a lot, how does $EPIC creates a solution to it?
Xenolink Advisor at Epic Cash
Epic Cash is utilizing Mimblewimble technology. Besides the privacy & fungibility aspect of the tech. There is the scalability features of it. It is implemented into Epic by transaction cut-through. Which means it allows nodes to remove all intermediate transactions, thus significantly reducing the blockchain size without affecting its validation. Mimblewimble also does not use addresses like a BTC address, and amount of transactions are also not recorded. One problem Monero and Bitcoin are facing now is scalability. It is evident today that data is getting more expensive and that will be a problem in the long run for those coins. Epic is 90% lighter and more scalable compared to Monero and Bitcoin.
what are the ways that Epic Cash generates profits/revenue to maintain your project and what is its revenue model ? How can it make benefit win-win to both invester and your project ?
Max Freeman Project Lead at Epic Cash
There is a block subsidy of 7.77% that declines 1.11% per year until 0, where it stays after that. As a nonprofit community effort, this extremely modest amount goes much further than in other projects, which often take 20, 30, even 50+ % of the coin supply. We believe that this ongoing funding model best aligns the long term incentives for all participants and balances the compromises between the ends of the centralized/decentralized spectrum of choices that any project must make.
Q1 : What are your major goals to archive in the next 3–4 years?
Q2 : What are your plans to expand and gain more adoption?
Yoga Dude Pr&Marketing at Epic Cash
Max already talked about our technical plans and goals in his roadmap. Allow me to talk more about the non technical 😁
We are aiming for broader reach in the non technical more mainstream community — this is a big challenge but we believe it is doable. By offering simpler ways to mine Epic Cash (with smart phones for example), and by doing more education we will achieve the holy grail of crypto — moving past the fiat bridges and getting Epic Cash to be accepted as means of payment for goods and services. We will accomplish this by working with regional advocacy groups, community interaction, off-line promotional activities and diverse social media targeting. Cryptodiffer Community
It seems to me that EpicCash will have its first Halving, right? Why a halving so soon?
Is a mobile version feasible? Max Freeman Project Lead at Epic Cash
Our supply emission catches up to that of Bitcoin’s first 19 years after 8 years in Epic, so that requires more frequent halvings. Today’s block emission is 16, next up are 8, 4, 2, and then finally 0.15625. After that, the supply of Epic and that of BTC stay synchronized until maxing out at 21m coins in 2140.
Today we have a mobile wallet through the Vitex app, a native mobile wallet coming, and are working on mobile mining. Cryptodiffer Community
What markets will you add after that? Yoga Dude PR&Marketing at Epic Cash
Well, we are aiming to have ALL markets
Epic Cash in its final iteration will be usable by everyone everywhere regardless of their technical expertise. We are not limiting ourselves to the technocrats, one of our main goals is to help the billions of unbanked. We want everyone to be able to mine, buy, and most of all USE Epic Cash — gamers, farmers, soccer moms, students, retirees, everyone really — even bankers (well once we defeat the banking industry)
We will continue building on the multilingual diversity of our global community adding support and advocacy groups in more countries in more languages.
Epic Cash is More than Money and its for Everyone. Cryptodiffer Community
Almost, all cryptocurrencies are decentralized & no-one knows who owns that cryptocurrencies ! then also, why Privacy is needed? hats the advantages of Private coins? Max Freeman Project Lead at Epic Cash
With a public transparent blockchain such as Bitcoin, you are permanently posting a detailed history of your money movements open for anyone to see (not just legitimate authorities, either!) — It would be considered crazy to post your credit card or bank statements to Twitter, but that’s what is happening every time you send a transaction that is not private. This excellent video from community contributor Spencer Lambert https://www.youtube.com/watch?v=0blbfmvCq\_4
explains better than I can.
Privacy is not just for criminals, it’s for everyone. Do you want your landlord to increase the rent when he sees that you get a raise? Your insurance company to raise your healthcare costs because they see you buying too much ice cream? If you’re a business, do you want your employees to see how much money their coworkers make? Do you want your competitors to trace your supplier and customer relationships? Of course not. By privacy being default for everyone, cryptocurrency can be used in a much wider range of situations without unacceptable compromises. Cryptodiffer Community
What are the main utility and real-life usage of the #EPIC As an investor, why should we invest in the #EPIC project as a long-term investment? Xenolink Advisor at Epic Cash
Epic Cash can be used as a Private and Fungible store of value, medium of exchange, and unit of account. As Epic Cash grows and becomes adopted it can be compared to how Bitcoin and Monero is used and adopted as well. As Epic is adopted by the masses, it can be accepted as a medium of exchange for store owners and as fungible payments without the worry of having money that is tainted. Epic Cash as a store of value may be a good long term aspect of investment to consider. Epic Cash carries an inelastic fixed supply economic model of 21 million coins. There will be 5 halvings which this month of June will be our first halving of epic. From a block reward of 16 Epic reduced to 8. If we look at BTC’s price action and history of their halvings it has been proven and show that there has been an increase in value due to the scarcity and from halvings a reduction of # of BTC’s mined per block. An inelastic supply model like Bitcoin provides proof of the circulating supply compared to the total supply by the history of it’s Price action which is evident in long term charts since the birth of Bitcoin. EPIC Plans to have 5 halvings before the year 2028 to match the emissions of Bitcoin which we call the singularity event. Below is a chart displaying our halvings model approaching singularity. Once bitcoin and cryptocurrency becomes adopted mainstream, the fungibility problem will be more noticed by the general public. Privacy coins and the features of fungibility/scalability will most likely be sought over. Right now a majority of people believe that all cryptocurrency is fungible. However, that is not true. We can already see Chainalysis confirming that they can trace and track and even for other well-known privacy coins today such as Z-Cash. Cryptodiffer Community
Max Freeman Project Lead at Epic Cash
- You aim to reach support from a global community, what are your plans to get spanish speakers involved into Epic Cash? And emerging markets like the african
- How am I secure I won’t be affected by receiving tainted money?
Native speakers from our community are working to raise awareness in key markets such as mining in Argentina and Venezuela for Spanish (Roberto Navarro called Epic “the holy grail of cryptocurrency” and Ethiopia and certain North African countries that have the lowest electricity costs in the world. Remittances between USA and Latin American countries are expensive and slow, so Epic is also perfect for people to send money back home as well. Cryptodiffer Community
Do EPICs in 2020 focus more on research and coding, or on sales and implementation? Yoga Dude PR&Marketing at Epic Cash
We will definitely continue to work on research and coding, with emphasis on improved accessibility (especially via smartphones) usability, security and privacy.
In terms of financial infrastructure will continuing to add exchanges both KYC and non KYC.
Big part of our plans is in ongoing Marketing and PR outreach. The idea is to make Epic Cash a viral sensation of sorts. If we can get Epic Cash adopters to spread the word and tell their family, coworkers and friends about Epic Cash — there will be no stopping us and to help that happen we have a growing army of content creators, and supporters.
Everyone with skin in the game gets the benefit of advancing the cause.
Folks also, this isn’t an answer to the question but an example of a real-world Epic Cash content — https://www.youtube.com/watch?v=XtAVEqKGgqY
a challenge from one of our content creators to beat his 21 pull ups and get 100 epics! This has not been claimed yet — people need to step up 🙂 and to help that I will match another 100 Epic Cash to the first person to beat this Cryptodiffer Community
I was watching some videos explaining how to send and receive transactions in EpicCash, which consists of ports and sending links, my question is why this is so, which, for now, looks complex?
Let’s talk about the economic model, can EpicCash comply with the concept of value reserve? Max Freeman Project Lead at Epic Cash
In V3, which is coming later this summer, Epic can be sent over Tor, which eliminates this issue of port opening, even though using tools like ngrok.io, it’s not necessarily as painful as directly configuring the router ports. Early Lightning Network had this issue as well and it’s something we have a plan to address via research into non-interactive transactions. “Fire and Forget” payments to an address, as people are used to in Bitcoin, is coming to Epic and we’re excited to develop functionality that other advanced mimblewimble coins don’t yet have. We are committed to constant improvement in usability and utility, to make our money system the ease of use leader.
We are involved in the project (anyone can join the Freeman Family) because we believe that simply by choosing to use a form of money that better aligns with our ideals, that we can make a positive change in the world. Some of my thoughts about how I got involved are here: https://medium.com/epic-cash/the-freeman-family-e3b9c3b3f166 Max Freeman Project Lead at Epic Cash
Huge thanks to our friends Maks and Vladyslav, we welcome everyone to come say hi at one of our friendly communities. It is extremely early in this journey, our market cap is only 0.5m right now, whereas the 3 other mimblewimble coins are at $20m, $30m and $100m respectively. Epic is a historic opportunity to follow in the footsteps of legends such as Bitcoin and Monero, and we hope to become the first Top 5 privacy coin project. Xenolink Advisor at Epic Cash
Would like to Thank the Cryptodiffer Team and the Cryptodiffer community for hosting us and also engaging with us to learn more about Epic. If anyone else has more questions and wants to know more about EPIC , can find us at our telegram channel at https://t.me/EpicCash
. Yoga Dude Pr&Marketing at Epic Cash
Thank you, CryptoDiffer Team, and this wonderful Community!!! Cryptodiffer TEAM Thank you everyone for taking your time and asking great questions Thank you for your time, it was an insightful session Spread the love
Original design presented for discussion and criticism originally posted here: https://bitcointalk.org/index.php?topic=5212814.0 TLDR: Proposing the following that's possible today to use for any existing or new altcoins:
- arriving at consensus AND distributing coins via burning Bitcoin instead of electricity/equipment to create permissionless, unfakeable, green, and trust minimized basis over every aspect of sidechain control.
- creating Bitcoin peg from altcoin chain to mainchain (the hard direction) by allocating small percentage of Bitcoin intended for burning to reimbursing withdrawals, effectively making it a childchain/sidechain (no oracles or federated multisigs)
This is not an altcoin thread. I'm not making anything. The design discussed options for existing altcoins and new ways to built on top of Bitcoin inheriting some of its security guarantees. 2 parts: First, the design allows any altcoins to switch to securing themselves via Bitcoin instead of their own PoW or PoS with significant benefits to both altcoins and Bitcoin (and environment lol). Second, I explain how to create Bitcoin-pegged assets to turn altcoins into a Bitcoin sidechain equivalent. Let me know if this is of interest or if it exists, feel free to use or do anything with this, hopefully I can help.
- how to create continuous sunk costs, permissionless entry, high cost of attacks?
- how to do it without needing to build up a new source of hardware capital or energy costs?
- how to peg another chain's token value w/o incentivized collusion risk of federation or oracles?
- how to make sidechain use fully optional for all Bitcoin parties?
- how to allow programmable Bitcoins w/ unlimited permissionless expressiveness w/o forcing mainchain into additional risks?
Solution to first few points:
- Continuous Proof of Bitcoin Burn (CPoBB) to distribute supply control and sidechain consensus control to independent parties
- Distributes an altcoin for permissionless access and sidechain-only sybil protection.
- In case of sidechain block-producer censorship, Bitcoin's independent data availability makes sidechain nodes trivially aware
PoW altcoin switching to CPoBB would trade:
- cost of capital and energy -> cost of burnt bitcoin
- finality of their PoW -> finality of Bitcoin's PoW
- impact on environment -> 0 impact on environment
- unforgeable costliness of work -> unforgeable costliness of burn
- contract logic can include conditions dependent on real Bitcoins as it's Bitcoin-aware
PoS altcoin switching to CPoBB would trade:
- permissioned by coin holders entry -> permissionless entry by anyone with access to Bitcoin
- no incentive to give up control or sell coins -> incentive to sell coins to cover the cost of burnt bitcoin
- incentivized guaranteed centralization of control over time by staking -> PoW guarantees with same 0 environmental impact
- nothing at stake -> recovering sunk costs at stake
- contract logic can include conditions dependent on real Bitcoins as it's Bitcoin-aware
We already have a permissionless, compact, public, high-cost-backed finality base layer to build on top - Bitcoin! It will handle sorting, data availability, finality, and has something of value to use instead of capital or energy that's outside the sidechain - the Bitcoin coins. The sunk costs of PoW can be simulated by burning Bitcoin, similar to concept known as Proof of Burn where Bitcoin are sent to unspendable address. Unlike ICO's, no contributors can take out the Bitcoins and get rewards for free. Unlike PoS, entry into supply lies outside the alt-chain and thus doesn't depend on permission of alt-chain stake-coin holders. It's hard to find a more bandwidth or state size protective blockchain to use other than Bitcoin as well so altcoins can be Bitcoin-aware at little marginal difficulty - 10 years of history fully validates in under a day.
What are typical issues with Proof of Burn?
- limited burn time window prevents permissionless entry in the future. how many years did it take for most heavily mined projects to become known and well reviewed? many. thus entry into control of supply that's vital to control of chain cannot be dependent on the earliest stage of the project. (counterparty)
- "land grabs" - by having limited supply without continuous emission or inflation we encourage holding vs spending.
- These issues can be fixed by having Proof of Burn be permanently accessible and continuous: Continuous Proof of Bitcoin Burn CPoBB
This should be required for any design for it to stay permissionless. Optional is constant fixed emission rate for altcoins not trying to be money if goal is to maximize accessibility. Since it's not depending on brand new PoW for security, they don't have to depend on massive early rewards giving disproportionate fraction of supply at earliest stage either. If 10 coins are created every block, after n blocks, at rate of 10 coins per block, % emission per block is = (100/n)%, an always decreasing number. Sidechain coin doesn't need to be scarce money, and could maximize distribution of control by encouraging further distribution. If no burners exist in a block, altcoin block reward is simply added to next block reward making emission predictable.
Sidechain block content should be committed in burn transaction via a root of the merkle tree of its transactions. Sidechain state will depend on Bitcoin for finality and block time between commitment broadcasts. However, the throughput can be of any size per block, unlimited number of such sidechains can exist with their own rules and validation costs are handled only by nodes that choose to be aware of a specific sidechain by running its consensus compatible software.
Important design decision is how can protocol determine the "true" side-block and how to distribute incentives. Simplest solution is to always :
- Agree on the valid sidechain block matching the merkle root commitment for the largest amount of Bitcoin burnt, earliest inclusion in the bitcoin block as the tie breaker
- Distribute block reward during the next side-block proportional to current amounts burnt
- Bitcoin fee market serves as deterrent for spam submissions of blocks to validate
sidechain block reward is set always at 10 altcoins per block Bitcoin block contains the following content embedded and part of its transactions: tx11: burns 0.01 BTC & OP_RETURN tx56: burns 0.05 BTC & OP_RETURN ... <...root of valid sidechain block version 1> ... tx78: burns 1 BTC & OP_RETURN ... <...root of valid sidechain block version 2> ... tx124: burns 0.2 BTC & OP_RETURN ... <...root of INVALID sidechain block version 3> ...
Validity is deterministic by rules in client side node software (e.g. signature validation) so all nodes can independently see version 3 is invalid and thus burner of tx124 gets no reward allocated. The largest valid burn is from tx78 so version 2 is used for the blockchain in sidechain. The total valid burn is 1.06 BTC, so 10 altcoins to be distributed in the next block are 0.094, 0.472, 9.434 to owners of first 3 transactions, respectively.
Censorship attack would require continuous costs in Bitcoin on the attacker and can be waited out. Censorship would also be limited to on-sidechain specific transactions as emission distribution to others CPoB contributors wouldn't be affected as blocks without matching coin distributions on sidechain wouldn't be valid. Additionally, sidechains can allow a limited number of sidechain transactions to happen via embedding transaction data inside Bitcoin transactions (e.g. OP_RETURN) as a way to use Bitcoin for data availability layer in case sidechain transactions are being censored on their network. Since all sidechain nodes are Bitcoin aware, it would be trivial to include.
Sidechain blocks cannot be reverted without reverting Bitcoin blocks or hard forking the protocol used to derive sidechain state. If protocol is forked, the value of sidechain coins on each fork of sidechain state becomes important but Proof of Burn natively guarantees trust minimized and permissionless distribution of the coins, something inferior methods like obscure early distributions, trusted pre-mines, and trusted ICO's cannot do.
More bitcoins being burnt is parallel to more hash rate entering PoW, with each miner or burner getting smaller amount of altcoins on average making it unprofitable to burn or mine and forcing some to exit. At equilibrium costs of equipment and electricity approaches value gained from selling coins just as at equilibrium costs of burnt coins approaches value of altcoins rewarded. In both cases it incentivizes further distribution to markets to cover the costs making burners and miners dependent on users via markets. In both cases it's also possible to mine without permission and mine at a loss temporarily to gain some altcoins without permission if you want to.
Altcoins benefit by inheriting many of bitcoin security guarantees, bitcoin parties have to do nothing if they don't want to, but will see their coins grow more scarce through burning. The contributions to the fee market will contribute to higher Bitcoin miner rewards even after block reward is gone.
What is the ideal goal of the sidechains? Ideally to have a token that has the bi-directionally pegged value to Bitcoin and tradeable ~1:1 for Bitcoin that gives Bitcoin users an option of a different rule set without compromising the base chain nor forcing base chain participants to do anything different.
Issues with value pegs:
- federation based pegs allow collusion to steal bitcoins stored in multi-party controlled accounts
- even if multisig participants are switched or weighted in some trust minimized manner, there's always incentive to collude and steal more
- smart contract pegs (plasma, rollups) on base chain would require bitcoin nodes and miners to validate sidechain transactions and has to provide block content for availability (e.g. call data in rollups), making them not optional.
- bitcoin nodes shouldn't be sidechain aware so impossible to peg the value
Let's get rid of the idea of needing Bitcoin collateral to back pegged coins 1:1 as that's never secure, independent, or scalable at same security level. As drive-chain design suggested the peg doesn't have to be fast, can take months, just needs to exist so other methods can be used to speed it up like atomic swaps by volunteers taking on the risk for a fee.
In continuous proof of burn we have another source of Bitcoins, the burnt Bitcoins. Sidechain protocols can require some minor percentage (e.g. 20%) of burner tx value coins via another output to go to reimburse those withdrawing side-Bitcoins to Bitcoin chain until they are filled. If withdrawal queue is empty that % is burnt instead. Selection of who receives reimbursement is deterministic per burner. Percentage must be kept small as it's assumed it's possible to get up to that much discount on altcoin emissions.
Let's use a really simple example case where each burner pays 20% of burner tx amount to cover withdrawal in exact order requested with no attempts at other matching, capped at half amount requested per payout. Example:
withdrawal queue: request1: 0.2 sBTC request2: 1.0 sBTC request3: 0.5 sBTC
same block burners: tx burns 0.8 BTC, 0.1 BTC is sent to request1, 0.1 BTC is sent to request2 tx burns 0.4 BTC, 0.1 BTC is sent to request1 tx burns 0.08 BTC, 0.02 BTC is sent to request 1 tx burns 1.2 BTC, 0.1 BTC is sent to request1, 0.2 BTC is sent to request2
withdrawal queue: request1: filled with 0.32 BTC instead of 0.2 sBTC, removed from queue request2: partially-filled with 0.3 BTC out of 1.0 sBTC, 0.7 BTC remaining for next queue request3: still 0.5 sBTC
Withdrawal requests can either take long time to get to filled due to cap per burn or get overfilled as seen in "request1" example, hard to predict. Overfilling is not a big deal since we're not dealing with a finite source. The risk a user that chooses to use the sidechain pegged coin takes on is based on the rate at which they can expect to get paid based on value of altcoin emission that generally matches Bitcoin burn rate. If sidechain loses interest and nobody is burning enough bitcoin, the funds might be lost so the scale of risk has to be measured. If Bitcoins burnt per day is 0.5 BTC total and you hope to deposit or withdraw 5000 BTC, it might take a long time or never happen to withdraw it. But for amounts comparable or under 0.5 BTC/day average burnt with 5 side-BTC on sidechain outstanding total the risks are more reasonable.
Deposits onto the sidechain are far easier - by burning Bitcoin in a separate known unspendable deposit address for that sidechain and sidechain protocol issuing matching amount of side-Bitcoin. Withdrawn bitcoins are treated as burnt bitcoins for sake of dividing block rewards as long as they followed the deterministic rules for their burn to count as valid and percentage used for withdrawals is kept small to avoid approaching free altcoin emissions by paying for your own withdrawals and ensuring significant unforgeable losses.
Ideally more matching is used so large withdrawals don't completely block everyone else and small withdrawals don't completely block large withdrawals. Better methods should deterministically randomize assigned withdrawals via previous Bitcoin block hash, prioritized by request time (earliest arrivals should get paid earlier), and amount of peg outstanding vs burn amount (smaller burns should prioritize smaller outstanding balances). Fee market on bitcoin discourages doing withdrawals of too small amounts and encourages batching by burners.
The second method is less reliable but already known that uses over-collateralized loans that create a oracle-pegged token that can be pegged to the bitcoin value. It was already used by its inventors in 2014 on bitshares (e.g. bitCNY, bitUSD, bitBTC) and similarly by MakerDAO in 2018. The upside is a trust minimized distribution of CPoB coins can be used to distribute trust over selection of price feed oracles far better than pre-mined single trusted party based distributions used in MakerDAO (100% pre-mined) and to a bit lesser degree on bitshares (~50% mined, ~50% premined before dpos). The downside is 2 fold: first the supply of BTC pegged coin would depend on people opening an equivalent of a leveraged long position on the altcoin/BTC pair, which is hard to convince people to do as seen by very poor liquidity of bitBTC in the past. Second downside is oracles can still collude to mess with price feeds, and while their influence might be limited via capped price changes per unit time and might compromise their continuous revenue stream from fees, the leverage benefits might outweight the losses. The use of continous proof of burn to peg withdrawals is superior method as it is simply a minor byproduct of "mining" for altcoins and doesn't depend on traders positions. At the moment I'm not aware of any market-pegged coins on trust minimized platforms or implemented in trust minimized way (e.g. premined mkr on premined eth = 2 sets of trusted third parties each of which with full control over the design).
Brief issues with current altchains options:
- PoW: New PoW altcoins suffer high risk of attacks. Additional PoW chains require high energy and capital costs to create permissionless entry and trust minimized miners that are forever dependent on markets to hold them accountable. Using same algorithm or equipment as another chain or merge-mining puts you at a disadvantage by allowing some miners to attack and still cover sunk costs on another chain. Using a different algorithm/equipment requires building up the value of sunk costs to protect against attacks with significant energy and capital costs. Drive-chains also require miners to allow it by having to be sidechain aware and thus incur additional costs on them and validating nodes if the sidechain rewards are of value and importance.
- PoS: PoS is permissioned (requires permission from internal party to use network or contribute to consensus on permitted scale), allows perpetual control without accountability to others, and incentivizes centralization of control over time. Without continuous source of sunk costs there's no reason to give up control. By having consensus entirely dependent on internal state network, unlike PoW but like private databases, cannot guarantee independent permissionless entry and thus cannot claim trust minimization. Has no built in distribution methods so depends on safe start (snapshot of trust minimized distributions or PoW period) followed by losing that on switch to PoS or starting off dependent on a single trusted party such as case in all significant pre-mines and ICO's.
- Proof of Capacity: PoC is just shifting costs further to capital over PoW to achieve same guarantees.
- PoW/PoS: Still require additional PoW chain creation. Strong dependence on PoS can render PoW irrelevant and thus inherit the worst properties of both protocols.
- Tokens inherit all trust dependencies of parent blockchain and thus depend on the above.
- Embedded consensus (counterparty, veriblock?, omni): Lacks mechanism for distribution, requires all tx data to be inside scarce Bitcoin block space so high cost to users instead of compensated miners. If you want to build a very expressive scripting language, might very hard & expensive to fit into Bitcoin tx vs CPoBB external content of unlimited size in a committed hash. Same as CPoBB is Bitcoin-aware so can respond to Bitcoin being sent but without source of Bitcoins like burning no way to do any trust minimized Bitcoin-pegs it can control fully.
Few extra notes from my talks with people:
- fees must be high to be included in next block (and helps pay and bribe bitcoin miners), RBF use is encouraged to cancel late transactions
- what if not enough burners, just passive nodes? you can burn smallest amount of bitcoin yourself when you have a transaction you want to go through
- using commit hashes on bitcoin to lock altcoin state isn't new (e.g. kmd) but usually those rely on some federation or permissioned proof of stake mechanism with no real costs. this is combination of both.
- this is not exactly like counterparty's embedded consensus as block data and transactions are outside Bitcoin, but consensus is derived with help of embedded on Bitcoin data.
- deterministic randomness (e.g. via that block's hash) could be used to assign winning sidechain block weighted by amount burned to allow occasional blocks formed by others curbing success rate of censorship by highest burner
- blockstacks proposed similar methods as I just saw: https://blog.blockstack.org/video-reusing-bitcoins-hashpower-to-launch-the-stacks-blockchain/ https://blockstack.com/tokenpaper.pdf https://blockstack.org/whitepaper.pdf with many similarities! but also major differences:
- wants to transition away from using proof of burn via tunable proofs and native proof of work (whitepaper)
- a dominant premine (trust maximized) relative to emission that defeats the purpose of distributing control over incentives (figure 3 in tokenpaper suggests premine still ~30%-70% by year 2050)
- variable emission rate "adaptive mint and burn" makes supply unpredictable (and possibly gameable)
- additional rewards that aren't trust minimized like "app mining" and "user incentives" possibly gameable with premine
- election of a leader includes their own PoW to be elected even at start (5% cap), why lol?
- blockstack also suggested use of randomness that depends on that block so Bitcoin miners that already spent energy mining that block can't just re-do it to get picked at no cost
- if can burn bitcoins directly via op_return tx would help to use 1 less output and be provably prunable for utxo set (not sure if that's relayed as standard)
Main questions to you:
- why not? (other than blocktime)
- can this be done without an altcoin? (Not sure and don't think so w/o compromising unforgeable costliness and thus trust minimization. At least it's not using an altcoin that's clearly centralized.)
- how to make it less detectable by Bitcoin miners? ( BMM could use some techniques described here: https://twitter.com/SomsenRuben/status/1210040270328254464 ) ( Perhaps since sidechain nodes receive proposed blocks independently and can figure out their hash, the commit message ( sidechain id + block commit + miner address) can be hashed one more time before its placed on Bitcoin, making miners unaware until after Bitcoin block is found that this is that sidechain's burn. Sidechain block producers would have to delay sidechain block propagation until after Bitcoin block is propagated, 10 minutes blocktime helps here. Hiding the fact that Bitcoin is burnt until after the fact is another possibly important matter. )
- Should reward be split between all valid blocks or just winner gets all? (Blockstacks approach does not reward blocks marked by different from leader chaintip. That seems dangerous since sidechain tx sorting would be difficult to match and could take significant time to be compensated for perfectly valid work and coins burned. It doesn't seem as necessary in burning since we're not expending costs based on only one previous block version, the costs are independent of block assembly. Tradeoff is between making it easier for independent "mining" of sidechain and making it easier to validate for full nodes on sidechain)
open to working on this further with others
Bitcoin is the first blockchain ever created relying on proof-of-work. It has since spread to become widely used in many cryptocurrencies. Transactions are connected to a user’s Bitcoin address, which is derived from the user’s private key. A transaction on the Bitcoin blockchain can be seen as a transfer of value between Bitcoin wallets ... Digital money that’s instant, private, and free from bank fees. Download our official wallet app and start using Bitcoin today. Read news, start mining, and buy BTC or BCH. Yes. All public addresses generated from your wallet can still receive funds, even if they no longer appear under Request.As explained here, a new bitcoin/bitcoin cash address will automatically display under Request once the previously displayed address receives a payment. Your receiving address for ether will not change. Unfortunately, the scammers do trick some people. One scammer made about 2.5 BTC, or $15,500 USD, in the first two days of their scam on July 11 and 12. We know this because Bitcoin transaction records are public, so it’s possible to see how much money was sent to the scammer’s wallet address. Don’t Negotiate or Pay. Don’t Even Respond. Non-Spendable Bitcoin scam There are two types of scams ongoing where this non-spendable BTC is used 1. Once you have lost your Money or BTC in any scam, you are angry and hopeless. Then you start looking for ways to scam the scam artist or to hac...
Start trading Bitcoin and cryptocurrency here: http://bit.ly/2Vptr2X Bitcoin is the first decentralized digital currency. All Bitcoin transactions are docume... This video is part of a larger online course, "From Barter to Bitcoin: Society, Technology and the Future of Money" run by Prof. Bill Maurer and Prof. Donald J. Patterson In addition to the video ... A look at the details of a bitcoin blockchain block This video is part of a larger online course, "From Barter to Bitcoin: Society, Technology and the Future of Money" run by Prof. Bill Maurer and ... ep 13: How is bitcoin "locked" to an address - OP_CHECKSIG, locking scripts, signatures, UTXO chain - Duration: 47:07. Matt Thomas 4,823 views. 47:07. Network Security 101: Full Workshop ... A simple yet full explanation of how the Script language in Bitcoin works. Includes examples of the most commonly used locking scripts (and unlocking scripts...