Oleg Andreev

Software designer with a focus on user experience and security.

You may start with my selection of articles on Bitcoin.

Author of Gitbox version control app.

Author of CoreBitcoin, an implementation of Bitcoin in Objective-C.

Lead developer of FunGolf GPS, the best golfer's personal assistant.

I am happy to give you an interview or provide you with a consultation.
I am very interested in innovative ways to secure property and personal interactions: all the way from cryptography to user interfaces. I am not interested in trading, mining or building exchanges.

This blog enlightens people thanks to your generous donations: 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo

Bitcoin is not compatible with the State

Bitcoin and State do not go together at all. Neither logically, nor economically.

Logically, if you think that the state is a useful and viable institution and Bitcoin is a useful and viable technology, you are lying to yourself. The State is a hierarchical construction of “trusted third parties” (TTPs). In theory, some social interactions may involve a conflict that may be resolved by a trusted third party (an arbiter). In a nation state it is ultimately some government agency (e.g. a cop). In case there’s a conflict between a citizen and a government agency, there is another government agency to watch over it. Thus, a cop is watched by his chief, a chief is watched by a court, a court is watched by a parliament or a president, and those are overthrown by an angry mob from time to time. The theory goes that every single conflict can be justly resolved by the state if the parties cannot resolve it by themselves.

Bitcoin is an attempt to remove some trusted third parties from the equation: all sorts of financial institutions, including government regulators. From the Bitcoin perspective, it is a moral hazard to hand control over the money supply and monetary flows to a hierarchy of trusted third parties. History is full of examples of private banks and government agencies manipulating and destroying entire economies by being able to produce money without limits or to censor its use. Bitcoin is a strange and somewhat complicated way to protect all users of money. Users can transact without the need for any third party to record and acknowledge their transactions, and what’s more, no one can even become a third party by hijacking the system and imposing controls and rules on its usage. The former is not possible without the latter.

So if you support the idea of Bitcoin, you acknowledge the hazard of entrusting the entire economy to trusted third parties. You acknowledge that the ultimate power must be spread thin among every single participant and never be entrusted to the hands of a few, even if it’s a democratically elected government. (Trusted third parties on top of a decentralized foundation are fine as long as every person has equal access to that foundation and can jump off at any time.) But if you acknowledge the hazard of TTPs, then what arguments are left for any other government activity? Government is the ultimate trusted third party for resolving disputes in the entire economy. If there’s a conflict in a monetary system and we need Bitcoin to resolve it so that no banker, judge or president could have a personal interest in it, then the same applies to any other conflict. Every conflict could have someone’s personal interest in it to screw things up. The fact that we rely on the government to resolve it only shows that we couldn’t find a safer way yet. By supporting Bitcoin you give up all arguments for the validity of the State.

If you, however, prefer the State, then supporting Bitcoin is illogical: why do you need such a complex and (for non-hackers) hard-to-understand system if every problem can be solved with trusted third parties? Look, Visa processes a bazillion transactions per day by just flipping bits in their database. Bitcoin cannot do that: it is a consensus network that needs everyone to be aware of all transactions. Making instant payments requires extra complexity on top of that existing complexity. Also, there’s the constant hazard of computer viruses and backdoors that steal your coins. If you believe that problems can be efficiently solved simply by electing trusted people, then Bitcoin is a huge overhead. So you should pick one: Bitcoin or State.

But most importantly, Bitcoin and State will never survive together, for economic reasons.

State exists because it can. It can pay for its expenses, pay for those who enforce the laws, write the laws, brainwash children in schools and adults in evening news.

How does the state pay for its expenses? First, the government controls the money supply. If needed, money is just “borrowed” from the government’s puppet bank under a promise to repay the debt (with interest!) from the extracted taxes (or by borrowing even more from the same place). When the state wants to go to war, an enormous amount of money cannot simply be extracted, so it is printed. Extra money flows into markets, prices go up, business plans get messed up, people’s savings get destroyed and they lose their jobs at the same time. But we are at war, so folks had better work harder “for the children” and maybe even join the army (you lost your job, after all).

Second, the state is paid by all those good businesses that must use the banking system to operate. And the banking system is heavily licensed and cooperative with the state. A lot of monetary flows are monitored by the tax collectors. Natural greed makes people avoid taxation just like all other costs, but taxes are avoided only in the black market and by small businesses working with cash. Everyone who accepts cash hides some percentage from the taxman, if not out of personal greed, then at least under competitive pressure from tax evaders (e.g. your café cannot survive if you don’t increase your profit margin by not paying 10% of the taxes like all your competitors do). If your business has to work with partners over the wire, you have to use banks and pay 100% of your taxes. With Bitcoin, banks are not necessary. Bitcoin allows you to trade with anyone on the entire planet at near-zero cost. More businesses would bypass banks and, as a side effect, more businesses would be able to withhold their taxes from the state. Competition would force other businesses to drive their costs down the same way. Bitcoin will become a black hole that grows and attracts more and more people into it.

From the point of view of tax collectors, however, it’s the other way around. In a Bitcoin world the government cannot pay cops with IOUs it makes up. It must pay real bitcoins that it must first extract from the businesses. But as more and more businesses avoid paying more and more taxes, less money is left for the government. That means that extraction becomes increasingly less effective, allowing even more people to avoid taxation on an even larger scale. This cycle would repeat until all government employees run away to seek real jobs because their bosses wouldn’t be able to pay them a single penny.

So if Bitcoin continues to grow, the nation state would peacefully dissolve. If the state is to be preserved, Bitcoin must be stopped and never allowed again. However, the more people invest in Bitcoin, the more interest, wealth and power is on its side to protect it against any aggression. They didn’t invest in Bitcoin to try it out. They invested to make it a ubiquitous, global phenomenon and they all will fight hard to make it happen. At some point we will witness a critical mass of supporters that no one will be able to stop. And then there will be no state anymore.

Bitcoin ideas worth pursuing

Here are some ideas for services around Bitcoin that are highly interesting to me.

1. Truly secure wallet & vault. Protected from institutional risks, backdoors in software and hardware, losing backups and forgetting passwords. Works on regular computers (phones, laptops). Multisig with blind signatures for privacy. Authenticating with a circle of friends or arbitrary services instead of a single centralized institution. Only this can make people safely invest in Bitcoin and push entire economies to it, unlocking the rest of the features (low fees, autonomous agents, smart contracts etc.)

Btw, I have a working implementation of blind signatures already with a demo app:
Code: https://github.com/oleganza/CoreBitcoin/blob/master/CoreBitcoin/BTCBlindSignature.h
Paper: http://blog.oleganza.com/post/77474860538/blind-signatures-for-bitcoin-the-ultimate-solution-to
Demo app: https://github.com/oleganza/blindsignaturedemo

2. Wallet API for web sites and native apps. A standard way for any app to request that the user’s wallet allocate and sign a certain amount of bitcoins to be used in a custom transaction. The unified API would allow maximum flexibility for all sorts of schemes and contracts while keeping the user’s keys secure and his financial details completely private. The wallet requests approval from the user and gives the absolute minimum of information to the app. The wallet will also sign its inputs only if all the change outputs are respected. Use case: your app does some fancy scripts and needs the user’s coins. Today you have to make your own wallet into which the user must send coins (and you have to reinvent all the security measures described above). Tomorrow you could simply request what you need from an existing wallet without requiring the user to do anything extra.

I helped to develop a draft of the spec: http://bitcoin-wallet-api.github.io

3. Decentralized clearing mesh network for frequent and instant payments. Similar to Ripple, but without a made-up currency and without any trust. Nodes form point-to-point contracts using bilateral 2-of-2 deposits that put a limit on the IOUs issued between two nodes. Thus nodes can connect anonymously without any trust. When two people pay each other, they simply find the cheapest path (every node may ask for any fee) between them and propagate an IOU denominated in BTC. There’s no global consensus and no single point of failure. If you owe 50% of the amount deposited, you have to clear the debt with a real BTC transaction. Any amount of money can be moved back and forth and all IOUs are 200% insured. This mesh could be used to buy a latte or for one automated service to pay another automated service.

4. Decentralized markets. People can use the same bilateral insurance scheme to create a “Nash equilibrium” escrow without any third party. This makes free trade possible without risk of fraud or censorship. My friends in San Francisco already have a working prototype that uses Bitmessage to post products and bids. And it works great!

When released, the app will be published here: http://voluntary.net/

5. Crowdfunding protocol and apps where a majority vote controls the funds. Bitcoin already allows some neat schemes to crowdfund money directly for the founders, but these schemes do not allow an X% (typically 50%) vote to unlock or otherwise control the funds. If that were possible, then founders could still have a comfortable guarantee of funds for their enterprise, but wouldn’t be able to waste them all at once. If their business plan is no longer aligned with the interests of the majority of stakeholders, those stakeholders could take the remaining money back or redirect it to entirely different managers. This is a very big thing! If done in an absolutely p2p manner, it will enable fantastic possibilities for mankind. For instance, non-targeted crowdfunding will become possible: “someone please repair our road and we’ll pay you $5000”. The funds can be directed to the guys who solved the problem by a majority vote of the backers (unless all backers turn out to be total jerks, of course).

The problem with modern corporations is that they are de jure owned by stakeholders, but the real power to make decisions lies with managers who are hired to manage the capital. In other words, it is really hard for thousands of small stakeholders to coordinate and affect the decisions of top management. A stricter crowdfunding protocol with direct democracy built in would allow all stakeholders, small and large, to better control the flow of funds.

Numerologies

Umberto Eco, Foucault’s Pendulum:

"Gentlemen," he said, "I invite you to go and measure that kiosk. You will see that the length of the counter is one hundred and forty-nine centimeters, in other words, one hundred-billionth of the distance between the earth and the sun. The height at the rear, one hundred and seventy-six centimeters, divided by the width of the window, fifty-six centimeters, is 3.14. The height at the front is nineteen decimeters, equal, in other words, to the number of years of the Greek lunar cycle. The sum of the heights of the two front corners and the two rear corners is one hundred and ninety times two plus one hundred and seventy-six times two, which equals seven hundred and thirty-two, the date of the victory at Poitiers. The thickness of the counter is 3.10 centimeters, and the width of the cornice of the window is 8.8 centimeters. Replacing the numbers before the decimals by the corresponding letters of the alphabet, we obtain C for ten and H for eight, or C10H8, which is the formula for naphthalene."

"Fantastic," I said. "You did all these measurements?"

"No," Agliè said. "They were done on another kiosk, by a certain Jean-Pierre Adam. But I would assume that all lottery kiosks have more or less the same dimensions. With numbers you can do anything you like. Suppose I have the sacred number 9 and I want to get the number 1314, date of the execution of Jacques de Molay, a date dear to anyone who, like me, professes devotion to the Templar tradition of knighthood. What do I do? I multiply nine by one hundred and forty-six, the fateful day of the destruction of Carthage. How did I arrive at this? I divided thirteen hundred and fourteen by two, by three, et cetera, until I found a satisfying date. I could also have divided thirteen hundred and fourteen by 6.28, the double of 3.14, and I would have got two hundred and nine. That is the year in which Attalus I, king of Pergamon, joined the anti-Macedonian League. You see?"

"Then you don’t believe in numerologies of any kind," Diotallevi said, disappointed.

PDF: http://www.cs.utexas.edu/users/acharya/Inputs/Books/Foucault’s%20Pendulum.pdf

Bitcoin is like…

Bitcoin is like physical cash: it is not reversible and you are responsible for handling it. If you lose your wallet, you lose your money. You can give bitcoins to someone to hold them for you, but it will be like with any bank: you have to trust them that they won’t run away with your cash.

Bitcoin is unlike physical cash: you can store as much as you want and it will not take any space. You can send it over the wire to anyone. It is impossible to counterfeit. You can’t give it in one second: to actually guarantee that a transaction has happened, you have to wait 10-15 minutes for the cryptographic proof to be produced by the network. However, for small in-person payments you sometimes can accept zero-confirmation payments with a relatively low risk of the transaction being cancelled.

Bitcoin is like gold: it cannot be produced at will, there’s a limited amount of it and this amount is scattered across the spacetime continuum (mostly time). To get some bitcoins someone must give them to you, or you must mine them. Like gold, Bitcoin is shiny: it attracts people with its beautiful engineering, built-in contract programming language, wise incentives, and libertarian promise of freedom from coercion.

Bitcoin is unlike gold: the supply of Bitcoin is completely fixed via scheduled mining (only so many bitcoins are created per hour). You have a guarantee that no one will suddenly find a mountain of bitgold or mine it on asteroids. Unlike gold, Bitcoin difficulty is adjusted to the mining effort to keep the schedule fixed. You may dig up all the gold in one day, but that will never be possible with Bitcoin no matter how fast computers ever become. Growing mining effort can only bend the schedule slightly (the network adjusts difficulty so as to produce 6 blocks per hour, but if the network constantly grows it may produce 7-8 blocks per hour).
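To see why sustained growth bends the schedule while a one-off jump does not, here is an added simulation of the retarget rule (not code from the original post; the units and the assumption that hashrate is constant within each 2016-block period are mine). It shows that with constant hashrate the network settles at 6 blocks per hour, a single doubling produces one fast period and is then fully corrected, and growth of 25% per period yields 7.5 blocks per hour indefinitely.

```python
PERIOD_BLOCKS = 2016                            # blocks between retargets
TARGET_SPACING = 600                            # seconds per block the schedule aims for
TARGET_PERIOD = PERIOD_BLOCKS * TARGET_SPACING  # two weeks, in seconds
MAX_ADJUST = 4.0                                # each retarget is clamped to a factor of 4


def retarget(difficulty: float, actual_period_seconds: float) -> float:
    """Next period's difficulty, from how long the last period actually took.

    If blocks came too fast the ratio is > 1 and difficulty rises; too slow
    and it falls. The change is clamped to [1/4, 4] as in the real rule.
    """
    ratio = TARGET_PERIOD / actual_period_seconds
    ratio = max(1 / MAX_ADJUST, min(MAX_ADJUST, ratio))
    return difficulty * ratio


def simulate(hashrates):
    """Blocks per hour produced in each retarget period.

    hashrates[k] is the (assumed constant) network hashrate during period k,
    in constructed units where difficulty 600 at hashrate 1.0 gives exactly
    one block per 600 seconds. Period 0's difficulty is calibrated to
    hashrates[0], so the first period is always on schedule; every later
    difficulty is derived only from the *previous* period, which is the
    lag that growing hashrate exploits.
    """
    difficulty = TARGET_SPACING * hashrates[0]
    blocks_per_hour = []
    for h in hashrates:
        spacing = difficulty / h                 # average seconds per block
        blocks_per_hour.append(3600 / spacing)
        difficulty = retarget(difficulty, PERIOD_BLOCKS * spacing)
    return blocks_per_hour


def steady_growth(growth_per_period: float, periods: int):
    """Hashrate multiplied by growth_per_period every period."""
    return simulate([growth_per_period ** k for k in range(periods)])


if __name__ == "__main__":
    print("constant  :", [round(x, 2) for x in simulate([1, 1, 1, 1])])
    print("one jump  :", [round(x, 2) for x in simulate([1, 2, 2, 2])])
    print("8x jump   :", [round(x, 2) for x in simulate([1, 8, 8, 8])])  # shows the 4x clamp
    print("25%/period:", [round(x, 2) for x in steady_growth(1.25, 6)])
```

In steady growth by a factor g per period the network converges to 6·g blocks per hour, because each difficulty is set from a period that was mined at a lower hashrate than the one it governs.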

Bitcoin is like a bank: there are computers, a database and transactions. The database stores the entire history of all incoming and outgoing payments: who sent how much to whom. Everything is digital. There are no vaults with gold or personal deposit boxes, only bookkeeping in a single “ledger”.

Bitcoin is unlike a bank: everyone can verify the integrity of the ledger. There is no manager in charge of updating the ledger and making sure it is not tampered with. Any person may have as many accounts as they like and all accounts are anonymous (unless one reveals his identity himself). The ledger does not store names, only balances and account numbers. There is no possibility of “fractional reserve”, where a bank loans out more money than it actually has. In fact, there are no debts on the Bitcoin ledger: either you have money on your address and it is fully yours, or you don’t and you can’t use it at all. Also, Bitcoin allows money to be locked with “contracts”: cryptographic puzzles designed to spread decision making between several people or across time.

Bitcoin is like Monopoly money: there are abstract tokens that are not claims to any value. People value them because they choose to play the game. In fact, the same is true for gold or any other money.

Bitcoin is unlike Monopoly money: there is a limited supply of tokens and no one can counterfeit them. This makes them a good candidate for a universally recognized collectible like gold or silver coins.

Bitcoin is like Git: in Git (a distributed version control system) all your changes are organized in a chain protected by cryptographic hashes. If you trust the latest hash, you can get all the previous information (or any part of it) from any source and still verify that it is what you expect. Similarly, in Bitcoin, all transactions are organized in a chain (the blockchain) and once validated, no matter where they are stored, you can always trust any piece of blockchain by checking a chain of hashes that link to a hash you already trust. This naturally enables distributed storage and easy integrity checks.

Bitcoin is unlike Git in that everyone strives to work on a single branch. In Git everyone may have several branches and fork and merge them all day long. In Bitcoin one cannot “merge” forks. The blockchain is actually a tree of transaction histories, but there is always one biggest branch (which has the value) and some accidental mini-branches (no more than one or two blocks long) that have no value at all. In Git content matters (regardless of the branch); in Bitcoin consensus matters (regardless of the content).

Bitcoin is like Bittorrent: the network is fully decentralized, there is no single “mint” or “bank”. The blockchain is like a single file on Bittorrent: cryptographically authenticated and shared across many computers. Every participant, including miners, acts on equal grounds. If one part of the network becomes disrupted, transactions can flow through other parts. Even if the entire network goes down, information about transactions is still stored on many thousands of independent computers and no one’s money is lost. When people connect with each other again, they can continue sending transactions like nothing happened. Both Bitcoin and Bittorrent can survive a nuclear war because information does not become radioactive and can be safely replicated.

Bitcoin is unlike Bittorrent: instead of many independent “files”, there is one file that always grows: the blockchain. Also, the most important participants, the miners, are actually rewarded for their work with real money.

Bitcoin is like freedom of speech: every transaction is a short public message that can be pronounced no matter where or how. If some miners hear it, they will add it in the blockchain and that message will be forever in the history. Everyone will see it and no one will be able to erase it.

Bitcoin is unlike freedom of speech: saying something comes with a cost. A transaction moves coins that you must have to start with. So not every moron is allowed to shout, but only those who had the merit to acquire some coins in the first place. Also, miners may reject a transaction if it’s spammy or does not contain enough fees. So no one provides anyone with freedom as “in beer”, but everyone tries to cooperate on a voluntary basis.

Bitcoin is like magic internet money: it simply is.

Reverse-spamming

"Another factor that would mitigate spam if POW tokens have value: there would be a profit motive for people to set up massive quantities of fake e-mail accounts to harvest POW tokens from spam. They’d essentially be reverse-spamming the spammers with automated mailboxes that collect their POW and don’t read the message. The ratio of fake mailboxes to real people could become too high for spam to be cost effective."

Satoshi Nakamoto (Jan 25, 2009) http://satoshi.nakamotoinstitute.org/emails/cryptography/18/

Selected articles on Bitcoin

Introductory posts

Bitcoin non-technical FAQ. When I learned about Bitcoin for the first time, I immediately started digging through articles, forums and wiki pages for answers to many of my questions. While doing that, I compiled a list of answers which turned out to be quite valuable. Bitcoin Magazine has published it in every printed issue for over a year now. This is a good place to start learning about Bitcoin.

See also my Bitcoin glossary — the most complete reference of Bitcoin-related terms and abbreviations.

Bitcoin is like… Understand Bitcoin by comparing it to paper cash, banks, gold, Git and Bittorrent.

Satoshi on Bitcoin design. “The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime.”

Journalist’s guide to describe Bitcoin and not look like an idiot. Must-read for anyone confronted with a task of describing Bitcoin to people in a few sentences.

How to keep your bitcoins safe. Slightly outdated, but still valuable overview of security options and precautions.

Finally, my only advice about Bitcoin to newcomers.

Economics of Bitcoin

Bitcoin and Gold. How Bitcoin relates to gold and why only one will survive.

The universe wants one money. Money is a standard that everyone wants to share with the whole world. Various intermediaries and restrictions make people use local currencies while everyone would be better off with one most universally accepted token.

Real crypto-anarchy without anonymity. How crypto-anarchy can happen worldwide without everyone remaining actually anonymous.

Money and Security. Money is a measure of personal security against risks created by nature, people and institutions.

You can own Bitcoin, you can’t own your dollars. What does it mean to “own” your money.

Arguments for Litecoin are fraudulent. While Litecoin itself is just as good as Bitcoin, most prominent arguments about its superiority are plain wrong.

Economics of block size limit and part two. People worry about block size limit: should it remain as it is, or be raised? How much? We do not answer these questions, but we show what will happen, regardless of our opinions on this matter.

Last, but not least, three important notes on “deflation” and “circulation”:

1) Murray Rothbard on circulation of money

2) A thought experiment on deflationary spiral

3) Transactional Currency and Store of Value

Technical articles

Blind ECDSA signatures for Bitcoin. The ultimate solution to secure and private Bitcoin storage. Use many semi-trusted friends to sign your transactions, but keep information about your funds completely private.

Idea of a useful altcoin. How to make an altcoin based on existing Bitcoin blockchain, inherit the entire userbase and stay compatible with their wallets.

Complementary reading: soft-fork way to fix transaction malleability.

Contracts without trust or third parties. How to make Ebay without Ebay, where two persons can secure promises to each other by committing to a single bilateral insurance deposit (that can be unlocked only simultaneously by both parties when agreement is reached).

How to launder Bitcoins perfectly. A theoretically perfect way to mix Bitcoin in a way that does not leave any “suspicious” transactions on the blockchain or a server.

Money and Security

When comparing Bitcoin to traditional financial tech, people always notice that Bitcoin makes them think about security way more than they have to think about their cash or bank account. They feel that in the established system security is “being taken care of”, while Bitcoin makes you worry about weird things like private keys or malware on your phone. For a normal person it seems like a downgrade; only rare crazy libertarians ignore all these difficulties because Bitcoin cannot be manipulated by “the powers that be”.

What many people, even bitcoiners, do not realize, is the fundamental relation of money to personal security. Not just how to store your savings or pay online safely, but in a big way: what money is and how it protects your health, wealth and sanity.

In a safe, certain world, where lightning does not strike you on the head, crops are not destroyed by dry weather, computers do not have bugs and people understand each other perfectly and always keep their promises, we do not need worthless tokens called “money”. We can simply agree on how we allocate our food, shelter, personal time and labor and from time to time adjust to new desires or conditions. I can go every day to the baker and take one loaf of bread, then go to my work and do something useful for someone else. Everyone gets what they could agree to and there is no shortage of anything. (And if there is, people help each other promptly and efficiently.)

But the world is far from being safe and certain. It is dynamic and unpredictable. And it is populated with people, who are even less predictable, and many of them are greedy, selfish and untrustworthy. They always have been and probably always will be. In this world your bakery may disappear tomorrow, or your job may become irrelevant, or your house can catch fire, or your friend may not keep his promise, or someone may not lend you a hand when you are in trouble.

To address these issues, people invented money. As Richard Dawkins once said, “money is a formal token of delayed reciprocal altruism”.

Money is a virtual token that holds a speculative value. It can be a rock, a coin, a piece of paper, a promise from a bank, or a cryptographically signed abstraction. What matters is that it is rare enough, so if it is demanded, it can only be collected and transferred, but cannot be easily produced. If it can be produced to satisfy increasing demand, like bread, then it would only be good for direct consumption and be worthless as a collectible. Hence, it won’t be a token holding speculative value.

How does money help us? Money is a sort of social agreement: when enough people value the token and are ready to accept it in exchange for their services, then money becomes a measure of your personal security. When you can work, you can earn money and save it for later. When you cannot work, if you saved some money, you can buy yourself some food. If some accident happens, savings will save you: buy you medical help, new clothes, shelter, a MacBook Pro 15” to replace a broken one etc.

The more money you have, the safer you are. Money is not luxury. Cash flow is: if you earn a lot of money and spend all of it on your lifestyle, it says nothing about your security. Security is only how much savings you have at all times. The more liquid those savings are, the more security you have. If you own an expensive house, good for you, but you cannot efficiently trade it for something you will urgently need tomorrow. A briefcase full of American presidents, however, is very liquid and allows you to buy anything very quickly. (However, there’s now a problem with the security of the briefcase itself.)

When you think about money as a way to insure yourself against starvation, illness, infections, bad weather, sluggish computers, a shitty boss, ugly girlfriends and mob revolutions, you will see which properties of money are most important to you. First of all, the fundamentals should be strong: if demand for money stays the same, its value should stay the same. This means your money should be sufficiently hard to produce or to counterfeit, so that some wise guys do not dilute your personal security without your permission. Secondly, this money should be fairly easy to protect, for the exact same reason. If your security is way too expensive to afford, you are not secure. Wearable beads, shells, paper bills, small gold and silver coins are secure because you can keep them on you (a would-be thief would have to risk getting his ass kicked if he tries to steal them from you). Finally, the money should be easily and cheaply transferrable. If it is not, then it’s like a house or a painting: a fine collectible, but a shitty insurance against running out of chips while enjoying nachos (https://xkcd.com/140/). Those are all the properties that matter. And the history of money shows that humanity was consistently trying to improve on them.

People used local collectibles, beads and shells, until they started trading globally. A more universal material then prevailed: precious metals. Then trade became even more global and transaction costs needed to be lowered. Banking was invented. Trusted third parties enabled instantly transferrable money across the globe, fueling the industrial revolution that created unbelievable wealth on the planet: cars, robots, airplanes and free image hosting for internet memes. Unfortunately, this all was done at a huge expense: concentrating a disproportionate amount of power in the hands of banks and governments resulted in non-stop wars, worldwide economic catastrophes, and nonsensical restrictions on individuals. We have achieved a lot of things in the past few hundred years, but mostly despite, not thanks to, the trusted third parties who have power over our money. Now we finally have the technology to solve the problem of trusted monetary authorities and achieve consensus on what money we want: even cheaper to protect, even cheaper to transfer and even harder to counterfeit. We have portable networked computers with every person, at all times, so we don’t really need beads, metal coins or paper bills. We can go all digital. And our computers are powerful enough and our mathematicians were smart enough to allow us to implement fancy cryptographic tricks to replace trusted authorities with independent and objective proofs.

The goal of Bitcoin is the same as the goal of money 75000 years ago: to protect the person against the systemic risk of his environment. Against natural disasters, against his own faults, and against the faults or malice of anyone around him. When you dislike Bitcoin for making you think more about personal security, it is only because you were ignorant of systemic risk and of decades of exploitation of that risk. If you take a look at the whole picture, at the core concept of money, at the full opportunity cost of trusted third parties, then you will realize that you might be better off if you could wear those necklaces of virtual beads yourself instead of you and all your neighbors giving up their security at the discretion of a small group of people whom you don’t even know. It does not mean you would have to learn cryptography and math. But it means that as more people take that path, more entrepreneurs will be there to improve the security and ease-of-use of this new technology. But the first step is to understand the fundamental problem of money and evaluate the old and new solutions with this new understanding in mind.

PS. You should read this masterpiece by Nick Szabo on concepts of “starvation insurance” and origins of money: http://szabo.best.vwh.net/shell.html

BitUndo can destroy instant 0-confirmation transactions

BitUndo (http://www.bitundo.com) is a service that lets you double-spend your own transactions for a fee, so that you can “undo” a supposedly mistaken transaction. It is of questionable value and amounts to a direct attack on the current practice of accepting 0-confirmation transactions for small purchases.

Right now nodes neither accept nor relay a transaction that conflicts with one already in their memory pool, no matter how much it pays in mining fees. This gives 0-conf transactions a simple security promise: the most widely relayed version is the one most likely to be included in a block. So merchants can accept such transactions, because an attacker would have to get a miner to include a conflicting transaction out of band, which costs far more than the value of a small purchase.

If enough nodes on the network replace transactions when the mining fee is, say, 10% higher than in the previous version (or 10% of the total amount, or whatever), then it becomes much cheaper for the user to “take the money back”. You send $5 for your coffee and get $4 back with no sweat. The merchant loses the whole $5. You can say goodbye to 0-confirmation transactions.
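To make that arithmetic concrete, here is an added simulation (my code, not BitUndo's and not Bitcoin Core's) of a node's memory pool under two relay policies: the first-seen rule nodes apply today, and a hypothetical replace-by-fee rule that accepts a conflicting transaction when its fee is at least 10% higher than what it evicts. The outpoint, amounts and addresses are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # outpoints being spent: (prev_txid, vout)
    outputs: tuple   # (address, amount in satoshi)
    fee: int         # satoshi left to the miner


class Mempool:
    """Toy memory pool: remembers which outpoint is spent by which transaction."""

    def __init__(self, policy):
        assert policy in ("first_seen", "replace_by_fee")
        self.policy = policy
        self.txs = {}      # txid -> Tx
        self.spent = {}    # outpoint -> txid

    def conflicts_with(self, tx):
        """Transactions already in the pool that spend one of tx's outpoints."""
        return {self.spent[o] for o in tx.inputs if o in self.spent}

    def accept(self, tx):
        conflicting = self.conflicts_with(tx)
        if not conflicting:
            self._add(tx)
            return True
        if self.policy == "first_seen":
            return False   # a double spend is dropped however high its fee
        # Replace-by-fee variant from the post: pay at least 10% more than what is evicted.
        evicted_fee = sum(self.txs[t].fee for t in conflicting)
        if tx.fee * 10 < evicted_fee * 11:
            return False
        for t in conflicting:
            self._remove(t)
        self._add(tx)
        return True

    def _add(self, tx):
        self.txs[tx.txid] = tx
        for o in tx.inputs:
            self.spent[o] = tx.txid

    def _remove(self, txid):
        tx = self.txs.pop(txid)
        for o in tx.inputs:
            del self.spent[o]

    def credited(self, address):
        """What a merchant counting 0-conf payments believes it has received."""
        return sum(amt for tx in self.txs.values()
                   for addr, amt in tx.outputs if addr == address)


def coffee_scenario(policy):
    """Customer pays 500_000 sat for coffee, then broadcasts a conflicting 'undo'
    that returns most of it to themselves with a fatter fee.
    Returns (merchant_credit, customer_refund) as the mempool sees them."""
    pool = Mempool(policy)
    coin = ("deadbeef" * 8, 0)   # constructed outpoint worth 501_000 sat
    payment = Tx("pay", (coin,), (("merchant", 500_000),), fee=1_000)
    undo = Tx("undo", (coin,), (("customer", 400_000),), fee=101_000)
    pool.accept(payment)
    pool.accept(undo)
    return pool.credited("merchant"), pool.credited("customer")


if __name__ == "__main__":
    for policy in ("first_seen", "replace_by_fee"):
        print(policy, coffee_scenario(policy))
```

Under the first-seen rule the merchant keeps the 500_000 sat credit and the undo is dropped; under the replacement rule the merchant's credit goes to zero and the customer gets 400_000 sat back, with the extra 100_000 sat bribing the miner. Nothing in the merchant's view distinguishes the two cases until a block arrives, which is why the acceptance rule of the surrounding nodes, not the merchant's own software, decides whether 0-conf is safe.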

So what do we have:

1) Users get some sort of “undo” function that nobody was asking for. In my view, if there is a problem with accidental button clicks in the UI, it is simpler to fix it right there, not by changing the entire network.

2) No one can rely on 0-confirmation transactions anymore. Even today they are not safe, but for small purchases the risks are low enough that they work for many people to everyone’s satisfaction. With a network-wide “replace with a higher-fee transaction” rule the risk goes up enough to make this feature unusable.

However, in the long run 0-conf transactions will not be the future of instant micropayments (we will have some sort of distributed clearing network instead), so we might not care that much. But the value of “undo” is far too questionable to justify throwing away the usefulness of 0-conf transactions today.

Final note: BitUndo cannot be useful while it is small. Either it works more than 90% of the time for legitimate “undos” (which makes 0-conf transactions useless), or it is used only marginally, by those who wish to rob merchants who accept 0-conf transactions. In that case it may still render 0-conf transactions useless.

A million-dollar problem for Bitcoin exchanges

(… apart from not being shut down by the financial authorities :-)

Normal people should never hold all their coins on exchanges. Day traders, however, by the very nature of their business, have to keep as many coins as possible on the exchange at all times to be able to trade with maximum liquidity.

Regular audits and fancy proofs of reserve (e.g. https://www.kraken.com/security/audit) help keep traders feeling good, but do not help much at the moment funds are actually stolen. You cannot really steal anything from the NYSE: both stocks and dollars are virtual items on the books of public companies, and all transactions can be frozen or reversed (see also http://blog.oleganza.com/post/67362431718/you-can-own-bitcoin-you-cant-own-your-dollars). You can, however, steal bitcoins and own them for real. When the right amount of money is deposited on an exchange, however licensed it is and however public its owners are, there is a real risk they take all the funds and run (and easily buy cops, politicians and other sorts of protection on their way). Once funds are stolen, there is no one who can give them back to the traders. I doubt we will ever see an insurance company promising a refund of a significant portion of stolen funds. It would rather be a warehousing service, but it would either have the funds locked in a multisignature transaction with its clients (which prevents instant trading), or hold all the funds itself, which brings us back to the original problem.

What we need is realtime protection for the deposits, allowing traders partial control over their funds (so the operators of the exchange cannot take all of them), while at the same time allowing quick off-blockchain exchange (within milliseconds). It will never be as fast as state-of-the-art HFT systems, but those never deal with irreversible assets. The important outcome is that traders get real protection against theft (not just a promise from a police department). This will allow much bigger amounts of money to be traded safely, making the entire market more liquid and prices more stable.

I don’t have a ready solution for this, but one idea is to use a group transaction similar to the one used in p2pool, a peer-to-peer mining pool where the reward is split fairly between all members as they search for hashes, without trusting a single server to distribute it. Traders would have their money locked with the exchange in a 2-of-2 multisignature transaction, so both parties (the trader and the exchange) must agree on how the funds can be spent. As usual, the exchange keeps the order book and matches trades. However, to actually ensure that coins are transferred from the seller to the buyer, the exchange requires traders to sign their part of a bulk transaction that moves the coins between accounts. This transaction (or a chain or a tree of transactions) gets mined from time to time to commit the new distribution of funds. But even before it is actually mined, a buyer holds a cryptographic proof of owning some bitcoins and is able to broadcast that transaction at any time. If the exchange builds a complex tree of unconfirmed transactions, it would be wise to partner with a mining pool so that all of them are included at once and malleability cannot break the references between them.

To prevent a man-in-the-middle attack, the exchange would publish, in real time, an anonymous tree of all active traders with their balances and public keys, so every trader can check that they are included and thus trust that they are signing money over to actual buyers rather than to the exchange itself. Additionally, traders can verify each other’s public keys independently, via other services.
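As an added illustration of that published tree (my code, not any exchange's), the exchange commits to the set of (public key, balance) pairs with a Merkle tree and hands each trader the inclusion path for their own leaf. A trader whose path does not verify against the published root, or whose balance in the proof is not the one they hold, knows that the book they are about to sign against is not the one everyone else sees. The leaf and node encodings, and the traders' keys and balances, are constructed here; the scheme itself is my concrete reading of the post's sketch.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(pubkey, balance_sat):
    # Constructed leaf encoding: tag 0x00 || 33-byte compressed pubkey || 8-byte balance.
    # The tag keeps leaves and interior nodes in separate hash domains.
    return sha256(b"\x00" + pubkey + balance_sat.to_bytes(8, "big"))


def node_hash(left, right):
    return sha256(b"\x01" + left + right)


def build_levels(leaves):
    """All levels of the tree, leaves first; an unpaired node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def merkle_root(leaves):
    return build_levels(leaves)[-1][0]


def inclusion_proof(leaves, index):
    """Sibling hashes from the leaf upwards, each tagged with whether it sits on the left."""
    proof = []
    for level in build_levels(leaves)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(root, pubkey, balance_sat, proof):
    """Recompute the path from the trader's own (key, balance) and compare with the root."""
    h = leaf_hash(pubkey, balance_sat)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


# Constructed trader set: synthetic 33-byte keys, balances in satoshi.
TRADERS = [(bytes([0x02]) + i.to_bytes(32, "big"), bal)
           for i, bal in enumerate([1_500_000_000, 25_000_000, 300_000_000,
                                    80_000_000, 5_000_000], 1)]


def publish():
    """What the exchange publishes: the root, plus one inclusion proof per trader."""
    leaves = [leaf_hash(pk, bal) for pk, bal in TRADERS]
    root = merkle_root(leaves)
    return root, [inclusion_proof(leaves, i) for i in range(len(leaves))]


if __name__ == "__main__":
    root, proofs = publish()
    print("root", root.hex())
    for (pk, bal), proof in zip(TRADERS, proofs):
        print(pk[:4].hex(), bal, verify_inclusion(root, pk, bal, proof))
```

Only the root has to be published to everyone; each proof is a handful of hashes and reveals nothing about other traders beyond opaque digests, which matches the "anonymous tree" requirement. The domain-separation tags in `leaf_hash` and `node_hash` matter: without them an attacker could present an interior node as a leaf and vice versa.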

The scheme would also have an unusual requirement: traders must keep their computers connected to the exchange at all times, otherwise their orders could not possibly be matched and would be dropped from the order book. But that is not a concern for professional traders, as they stay connected all the time anyway (at least their trading bots do).

Like I mentioned, this is just a rough sketch and it may very well not be viable. But the problem is out there and it is very important: enabling rapid trading of bitcoins without fully entrusting them to a centralized counter-party.

CoreBitcoin, Bitcore and Bitcoin Core

In August 2013, 7 months ago, I released my open source project CoreBitcoin. It is a Bitcoin framework designed with an excellent API and great documentation. Its name was chosen in line with Apple’s own frameworks: CoreFoundation, CoreGraphics, CoreAnimation. If Apple ever decides to integrate Bitcoin support right into their OS, they could simply take CoreBitcoin as is, since it matches their own high standards for framework API.

In January 2014, Bitpay released Node.js-based Bitcoin toolkit called “bitcore”.

In March 2014, the developers of BitcoinQT (the “official” full node implementation) released version 0.9.0 and renamed the application to “Bitcoin Core”.

As of today, the amount of confusion around the terms “core” and “bitcoin” has been deliberately increased for no good reason.

Idea of a useful altcoin

Let’s invent a good altcoin with a real chance to take off and maybe even replace Bitcoin.

We will design a new scripting engine, mostly backwards compatible with existing Bitcoin scripts, but with some bugs fixed and new features: “strip” opcodes and checks on canonical encoding of data and signatures to prevent malleability, references to past and future transactions (so we can lock up outputs for a specific future transaction), improved SIGHASH_* flags and some additional ones, the more complex arithmetic and boolean opcodes re-enabled, isStandard checks replaced by a dynamic mining fee requirement proportional to the complexity of the opcodes and the memory used (inspired by Ethereum), Ed25519 signatures, blind signatures/accumulators like in Zerocoin and even Lamport signatures to allow a swift transition to post-quantum crypto if needed.

This scripting engine should be implemented for all major Bitcoin implementation platforms: C++, C, Ruby, Python, Node.js, Objective-C and Go.

This altcoin will use standard Bitcoin scripts by default and will only invoke the new scripting engine via a versioned P2SH-like output script that is valid Bitcoin script:

OP_HASH {hash of the altcoin script} OP_EQUALVERIFY {version}

{version} will be OP_1 through OP_16. Version 17 will be “OP_1 OP_1”, version 18 “OP_1 OP_2”, and so on. The version will be incremented whenever the scripting engine gains new features or incompatible improvements.

This altcoin will inherit the existing Bitcoin wealth distribution. All existing wallets will be compatible with it from day one. Only miners will need to perform a “soft fork”, by agreeing to enforce the new P2SH-like scripts with the new scripting engine (as they did in early 2012 with BIP16). Once a super-majority of existing miners enforces that interpretation, it will be safe for users to create transactions using the new scripting engine. Legacy nodes will accept and relay such scripts (to them it is just a hash check), even though legacy wallets cannot create the new scripts and contracts themselves.

Unlike many other altcoins, this one would have better chances of acquiring a large market and hashing power, and thus would be potentially more useful than altcoins designed to enrich their founders at the expense of naïve enthusiasts who do not understand economics and money.

Unfortunate brand names in the Bitcoin world

Blockchain is a wallet service named after the Bitcoin ledger of all transactions called “the blockchain”. Their website blockchain.info nicely visualizes the blockchain, but since it also provides other services like web wallet, its name causes some confusion among newcomers: “is it the Bitcoin company”?

Bitcoin-Central is an EU-based Bitcoin exchange. Its name sounds like it’s the Bitcoin company. Some newcomers get confused.

Bitcoin Foundation is a non-profit organization that promotes Bitcoin among humans and politicians. Its name sounds like it’s the Bitcoin organization. California even sent a Cease and Desist letter to Bitcoin Foundation in July 2013 thinking they were the people behind Bitcoin.

Coinbase is a US-based web wallet and exchange service named after “coinbase transaction”, a technical name for a special kind of transaction that creates new bitcoins. Such transactions can only be created by miners, but Coinbase does not run a mining service.

Kraken is an EU-based Bitcoin exchange. Its name just does not sound serious at all, while it is one of the few exchanges positioned for professional traders.

MtGox (pronounced “empty gox”) was a Japan-based Bitcoin exchange, until mid-2013 the largest in the world. The name originally stood for Magic: The Gathering Online Exchange. Even that name was unfortunate, as MtGox never actually traded MtG cards and launched as a Bitcoin exchange from the start. Ironically, the name was appropriate for the level of their communication skills (poor), customer support (poor) and the multiple technical issues that haunted the exchange over the years. Nevertheless, MtGox allowed the Bitcoin market to develop dramatically throughout 2010-2013 by being the single more or less stable marketplace. That made MtGox closely associated with Bitcoin itself, and its unfortunate name (among other things) kept a lot of people from taking Bitcoin seriously.

Zerocoin is a Bitcoin-like decentralized currency project that enables completely anonymous transactions: unlike in Bitcoin, there is no observable link between one transaction and another. The name stems from the cryptographic term “zero-knowledge proof”, but sounds like “worthless coin”.

Uganda president is ‘disgusting’

After signing an anti-homosexuality bill into law, Ugandan President Yoweri Museveni was called “disgusting” in an exclusive interview with Oleg Andreev.

Oleg Andreev told Yoweri on Monday that, in his view, being Ugandan President is “unnatural” and not a human right.

"They’re disgusting. What sort of people are they?" he said. "I never knew what they were doing. I’ve been told recently that what they do is terrible. Disgusting. But I was ready to ignore that if there was proof that that’s how he is born, abnormal. But now the proof is not there."

Oleg had commissioned a group of scientists to study whether government presidents are “created,” concluding that it is a matter of choice. “I was regarding it as an inborn problem,” he said. “Genetic distortion — that was my argument. But now our scientists have knocked this one out.”

It turned out, presidents freely decide to rule nations, take people’s money and then teach them how they should live. They also decide when people should be kidnapped, tortured or even killed.

Original article: http://edition.cnn.com/2014/02/24/world/africa/uganda-homosexuality-interview/index.html?hpt=hp_c1

Blind signatures for Bitcoin: the ultimate solution to secure BTC storage

I’m happy to publish a draft of my innovative scheme that enables blind signatures compatible with Bitcoin transactions. Primary motivation is secure storage for bitcoins. You can lock your funds with multiple friends/custodians (in a M-of-N multisignature transaction) and ask them to unlock your funds later. If done naïvely, custodians will be able to see which transaction they signed and how much money you have. Blind signatures allow you to completely hide your transactions from custodians who sign them. The scheme differs from existing blind signature proposals in two important aspects: 1) it is compatible with ECDSA while others are not and 2) it completely unlinks resulting signature and public keys from the signing parties, providing absolute privacy.

The paper describes the motivation and the core protocol, and provides a practical way to generate and keep track of all the secret and public parameters used in it. This scheme enables the ultimate solution to secure Bitcoin storage. While your personal hardware and software wallets can be compromised, money can be much safer locked with independent semi-trusted parties, yet absolutely privately. You and your friends can use conventional personal computers to lock your personal pension funds among each other without ever exposing sensitive financial information.

Download the paper here: http://oleganza.com/blind-ecdsa-draft-v2.pdf

EDIT: Timestamped the SHA256 of the second draft on June 16, 2014. Used the SHA256 of the PDF as a private key and sent 0.0002 BTC to the corresponding address 1FM9JtztQKwUVshxVJnEv8JEGKPZkCu7qk.

SHA256: 85e0a79b80f75f88790135214564847d2de46062414f08e799e5f701fddbfddc

Tx ID: https://blockchain.info/tx/ee0c7527de579d7ab2732be49a8b57fe13af940caff2c429464cd659e23281a6

Address: https://blockchain.info/address/1FM9JtztQKwUVshxVJnEv8JEGKPZkCu7qk

To verify:

1) Compute SHA256: $ openssl dgst -sha256 blind-ecdsa-draft-v2.pdf

2) Paste it as a “secret exponent” on brainwallet.org and get the address.

3) Find the earliest transaction on the blockchain for this address.

Softfork suggestion: how to fix transaction malleability

After a conversation in #bitcoin-dev with Luke-Jr, we may have a soft-fork change (only a super-majority of miners needs to support it) that allows non-malleable transactions.

Like with P2SH, we take an innocent-looking script OP_HASH160 <…> OP_EQUAL and interpret it as P2SHv2. To remain distinguishable from current P2SH, that script pushes the 20-byte hash with OP_PUSHDATA1 (a two-byte prefix: the 0x4c opcode followed by a one-byte length) instead of the single-byte push opcode that encodes the length in itself. Old nodes still evaluate it as a plain hash comparison, but it does not match the BIP16 template.

The entire input script for P2SHv2 output will be interpreted differently.

  1. Input script is not stripped for SignatureHash.
  2. For the currently verified/signed input, corresponding output script is appended to the input script (today it replaces the input script).
  3. OP_NOP1 is redefined to OP_STRIP to mean “strip the following pushdata during SignatureHash”. SignatureHash will consume each opcode from left to right and replace pushdata that follows OP_STRIP with full-zero string of the same length. During execution, OP_STRIP will still be NOP.
  4. Pushdata ops may not be normalized.
  5. CHECKSIG and CHECKMULTISIG will enforce canonical format of the signature if evaluated in the context of P2SHv2.

The voting process can be identical to P2SH’s. Miners put the string “/P2SHv2/” in their coinbase to signal support for the change. Once a super-majority of miners supports it, it becomes safe for people to issue P2SH-version-2 transactions. Old-style transactions remain malleable. Regular payments are softly protected against malleability by the isStandard check. Complex contracts like rapidly-adjusted micropayments would need to use P2SHv2 in order to rely on chains of unconfirmed transactions.

This change does not require regular users to upgrade their software.