Oleg Andreev



Software designer with a focus on user experience and security.

You may start with my selection of articles on Bitcoin.



Author of Gitbox version control app.

Author of CoreBitcoin, an implementation of Bitcoin in Objective-C.

Lead developer of FunGolf GPS, golfer's personal assistant on iOS.



I am happy to give you an interview or provide you with a consultation.
I am very interested in innovative ways to secure property and personal interactions: all the way from cryptography to user interfaces. I am not interested in trading, mining or building exchanges.

This blog enlightens people thanks to your generous donations: 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo

Selected articles on Bitcoin

Introductory posts

Bitcoin non-technical FAQ. When I learned about Bitcoin for the first time, I immediately started digging through articles, forums and wiki pages for answers to many of my questions. While doing that, I compiled a list of answers which turned out to be quite valuable. Bitcoin Magazine has published it in every printed issue for over a year now. This is a good place to start learning about Bitcoin.

See also my Bitcoin glossary — the most complete reference of Bitcoin-related terms and abbreviations.

Satoshi on Bitcoin design. “The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime.”

Journalist’s guide to describe Bitcoin and not look like an idiot. Must-read for anyone confronted with the task of describing Bitcoin to people in a few sentences.

How to keep your bitcoins safe. Slightly outdated, but still valuable overview of security options and precautions.

Finally, my only advice about Bitcoin to newcomers.

Economics of Bitcoin

Bitcoin and Gold. How Bitcoin relates to gold and why only one will survive.

The universe wants one money. Money is a standard that everyone wants to share with the whole world. Various intermediaries and restrictions make people use local currencies while everyone would be better off with one most universally accepted token.

Real crypto-anarchy without anonymity. How crypto-anarchy can happen worldwide without everyone remaining actually anonymous.

Money and Security. Money is a measure of personal security against risks created by nature, people and institutions.

You can own Bitcoin, you can’t own your dollars. What does it mean to “own” your money.

Arguments for Litecoin are fraudulent. While Litecoin itself is just as good as Bitcoin, most prominent arguments about its superiority are plain wrong.

Economics of block size limit and part two. People worry about block size limit: should it remain as it is, or be raised? How much? We do not answer these questions, but we show what will happen, regardless of our opinions on this matter.

Last, but not least, three important notes on “deflation” and “circulation”:

1) Murray Rothbard on circulation of money

2) A thought experiment on deflationary spiral

3) Transactional Currency and Store of Value

Technical articles

Blind ECDSA signatures for Bitcoin. The ultimate solution to secure and private Bitcoin storage. Use many semi-trusted friends to sign your transactions, but keep information about your funds completely private.

Idea of a useful altcoin. How to make an altcoin based on existing Bitcoin blockchain, inherit the entire userbase and stay compatible with their wallets.

Complementary reading: soft-fork way to fix transaction malleability.

Contracts without trust or third parties. How to make Ebay without Ebay, where two people can secure promises to each other by committing to a single bilateral insurance deposit (that can be unlocked only simultaneously by both parties when agreement is reached).

How to launder Bitcoins perfectly. A theoretically perfect way to mix Bitcoin in a way that does not leave any “suspicious” transactions on the blockchain or a server.

Money and Security

When comparing Bitcoin to traditional financial tech, people always notice that Bitcoin makes them think about security way more than they have to think about their cash or bank account. They feel that in the established system the security is “being taken care of”, while Bitcoin makes you worry about weird things like private keys or malware on your phone. For a normal person it seems like a downgrade; only rare crazy libertarians ignore all these difficulties because Bitcoin cannot be manipulated by “the powers that be”.

What many people, even bitcoiners, do not realize, is the fundamental relation of money to personal security. Not just how to store your savings or pay online safely, but in a big way: what money is and how it protects your health, wealth and sanity.

In a safe, certain world, where lightning does not strike you in the head, crops are not destroyed by dry weather, computers do not have bugs and where people understand each other perfectly and always keep their promises, we do not need worthless tokens called “money”. We can simply agree on how we allocate our food, shelter, personal time and labor and from time to time adjust to new desires or conditions. I can go every day to the baker and take one loaf of bread, then go to my work and do something useful for someone else. Everyone gets what they could agree to and there is no shortage of anything. (And if there is, people help each other promptly and efficiently.)

But the world is far from being safe and certain. It is dynamic and unpredictable. And it is populated with people, who are even less predictable, and many of whom are greedy, selfish and untrustworthy. They always have been and probably always will be. In this world your bakery may disappear tomorrow, or your job may become irrelevant, or your house can catch fire, or your friend may not keep his promise, or someone may not lend you a hand when you are in trouble.

To address these issues, people invented money. As Richard Dawkins once said, “money is a formal token of delayed reciprocal altruism”.

Money is a virtual token that holds a speculative value. It can be a rock, a coin, a piece of paper, a promise from a bank, or a cryptographically signed abstraction. What matters is that it is rare enough, so if it is demanded, it can only be collected and transferred, but cannot be easily produced. If it can be produced to satisfy increasing demand, like bread, then it would only be good for direct consumption and be worthless as a collectible. Hence, it won’t be a token holding speculative value.

How does money help us? Money is a sort of social agreement: when enough people value the token and are ready to accept it in exchange for their services, then money becomes a measure of your personal security. When you can work, you can earn money and save it for later. When you cannot work, if you saved some money, you can buy yourself some food. If some accident happens, savings will save you: buy you medical help, new clothes, shelter, a MacBook Pro 15” to replace a broken one etc.

The more money you have, the safer you are. Money is not luxury. Cash flow is: if you earn a lot of money and spend all of it on your lifestyle, it says nothing about your security. Security is only how much savings you have at all times. The more liquid those savings are, the more security you have. If you own an expensive house, good for you, but you cannot efficiently trade it for something you will urgently need tomorrow. A briefcase full of American presidents, however, is very liquid and allows you to buy anything very quickly. (However, there’s now a problem with the security of the briefcase itself.)

When you think about money as a way to insure yourself against starvation, illness, infections, bad weather, sluggish computers, shitty boss, ugly girlfriends and mob revolutions, you will see which properties of money are most important to you. First of all, the fundamentals should be strong: if demand for money stays the same, its value should stay the same. This means your money should be sufficiently hard to produce or to counterfeit, so some wise guys do not dilute your personal security without your permission. Secondly, this money should be fairly easy to protect, for the exact same reason. If your security is way too expensive to afford, you are not secure. Wearable beads, shells, paper bills, small gold and silver coins are secure because you can keep them on you (a would-be thief would have to risk his ass being kicked if he tries to steal them from you). Finally, the money should be easily and cheaply transferable. If it is not, then it’s like a house or a painting: a fine collectible, but a shitty insurance against running out of chips while enjoying nachos (https://xkcd.com/140/). Those are all the properties that matter. And the history of money shows that humanity was consistently trying to improve on them.

People used local collectibles (beads, shells) until they started trading globally. A more universal material then prevailed: precious metals. Then trade became even more global and transaction costs needed to be lowered. Banking was invented. Trusted third parties enabled instantly transferable money across the globe, fueling the industrial revolution that created unbelievable wealth on the planet: cars, robots, airplanes and free image hosting for internet memes. Unfortunately, this all was done at a huge expense: concentrating a disproportionate amount of power in the hands of banks and governments resulted in non-stop wars, worldwide economic catastrophes, and nonsensical restrictions on individuals. We have achieved a lot of things in the past few hundred years, but mostly despite, not thanks to, trusted third parties who have the power over our money. Now we finally have the technology to solve the problem with trusted monetary authorities and achieve consensus on what money we want: even cheaper to protect, even cheaper to transfer and even harder to counterfeit. We have portable networking computers with every person, at all times, so we don’t really need beads, metal coins or paper bills. We can go all digital. And our computers are powerful enough and our mathematicians were smart enough to allow us to implement fancy cryptographic tricks to replace trusted authorities with independent and objective proofs.

The goal of Bitcoin is the same as the goal of money 75000 years ago: to protect the person against the systemic risk of his environment. Against natural disasters, against his own faults, and against faults or malice of anyone around him. When you dislike Bitcoin for making you think more about personal security, it is only because you were ignorant of systemic risk and of decades of exploitation of that risk. If you take a look at the whole picture, at the core concept of money, at the full opportunity cost of trusted third parties, then you will realize that you might be better off if you could wear those necklaces of virtual beads yourself instead of you and all your neighbors giving up their security at the discretion of a small group of people who you don’t even know. It does not mean you would have to learn cryptography and math. But it means that as more people take that path, more entrepreneurs will be there to improve the security and ease-of-use of this new technology. But the first step is to understand the fundamental problem of money and evaluate the old and new solutions with this new understanding in mind.

PS. You should read this masterpiece by Nick Szabo on concepts of “starvation insurance” and origins of money: http://szabo.best.vwh.net/shell.html

BitUndo can destroy instant 0-confirmation transactions

BitUndo (http://www.bitundo.com) is a service that lets you double-spend your own transactions for a fee, so that you can “undo” your supposedly mistaken transaction. It is of questionable value and works as a direct attack on the current practice of accepting 0-confirmation transactions for small purchases.

Right now nodes do not accept double-spending transactions, no matter how much they pay in mining fees. This makes for a simple security promise for 0-conf transactions: the most relayed version is the one that will most probably be included in the block. So merchants can accept such transactions because they know that reversing one would cost much more than 100% of the transaction value.

If enough nodes on the network replace transactions when the mining fee is, say, 10% higher than the previous version (or 10% of the total amount, or whatever), then for the user it is much cheaper to “take money back”. You will send $5 for your coffee and get back $4 with no sweat. The merchant will lose all $5. You can say goodbye to 0-confirmation transactions.

So what do we have:

1) Users get some sort of “undo” function which nobody was asking for. In my view, if there’s a problem with accidental button clicking in the UI, it’s simpler to fix right there, not by changing the entire network.

2) No one can rely on 0-confirmation transactions anymore. Even today they are not safe, but for small purchases the risks are pretty low, so they work for many people to everyone’s satisfaction. But with network-wide “replace with higher-fee transaction” the risk will go up significantly to make this feature unusable.

However, in the long run, 0-conf transactions won’t be the future of instant micropayments (we’ll have some sort of distributed clearing network instead), so we might not care that much. But the value of “undo” is still very questionable to throw away usefulness of 0-conf transactions today.

Final note: BitUndo can’t be useful when it’s small. It’s either working more than 90% of the time for legitimate “undos” (which makes 0-conf txs useless) or it’s used marginally only by those who wish to rob merchants who accept 0-conf transactions. In which case they still may render 0-conf transactions useless.

A million-dollar problem for Bitcoin exchanges

(… apart from not being shut down by the financial authorities :-)

Normal people should never hold all their coins on exchanges. Day traders, however, by the very nature of their business, have to keep as many coins as possible on an exchange at all times to be able to trade with maximum liquidity.

Regular audits and fancy proofs-of-reserve (e.g. https://www.kraken.com/security/audit) are helpful to keep traders feeling good, but do not help much at the minute when funds are actually stolen. You cannot really steal anything from NYSE — both stocks and dollars are virtual items on books at public companies; all transactions can be frozen or reversed (see also http://blog.oleganza.com/post/67362431718/you-can-own-bitcoin-you-cant-own-your-dollars). However, you can steal bitcoins and own them for real. When there’s the right amount of money deposited on the exchange, however licensed it is and however public its owners are, there is a real risk they take all the funds and run (and easily buy cops, politicians and other sorts of protection on their way). Once funds are stolen, there is no one who can give them back to the traders. I doubt we’ll ever see an insurance company promising a refund of a significant portion of stolen funds. It would rather be a warehouse service, but it would either have funds locked in a multisignature transaction with their clients (which prevents instant trading), or they would have all funds held by themselves, which brings us back to the original problem.

What we need is real-time protection for the deposits, allowing partial control over funds by traders (so operators of the exchange cannot take all of the funds), but at the same time allowing quick off-the-blockchain exchange (within a millisecond). It won’t ever be as fast as the state-of-the-art HFT systems, but those never deal with irreversible assets. The important outcome is that traders need real protection against theft (not just a promise from a police department). This will allow much bigger amounts of money to be traded safely, making the entire market more liquid and prices more stable.

I don’t have a ready solution for this, but one idea is to utilize a group transaction similar to the one used in p2pool — a peer-to-peer mining pool, where the reward is split fairly between all members as they search for hashes without trusting a single server to distribute the reward. Traders may have their money locked with the exchange in a 2-of-2 multisignature transaction, so both parties (trader and the exchange) must decide how the funds can be spent. As usual, the exchange will keep the order book and match trades. However, to actually ensure that coins are transferred from the seller to the buyer, the exchange will require traders to sign off a part of a bulk transaction that moves the coins between accounts. This transaction (or a chain or a tree of transactions) would get mined from time to time to ensure the new distribution of funds. But even before it is actually mined, a buyer would have a cryptographic proof of owning some bitcoins and would be able to broadcast such a transaction at any time. If the exchange builds a complex tree of unconfirmed transactions, it would be wise to partner with some mining pool to include those transactions at once, so that malleability issues cannot break the references between them.

To prevent a man-in-the-middle attack, the exchange would publish an anonymous tree of all active traders, their balances and their public keys in real time, so every trader can check that they are included and thus can trust that they do not sign money over to the exchange itself, but to actual buyers. Additionally, traders can verify each other’s public keys independently, via other services.

The scheme would also have an unusual requirement: traders must have their computers always connected to the exchange, otherwise their orders couldn’t possibly be matched and would be kicked out of the order book. But that’s not a concern for professional traders as they stay connected all the time anyway (at least, their trading bots are).

Like I mentioned, this is just a rough sketch and it may very well not be viable. But the problem is out there and it is very important: enabling rapid trading of bitcoins without fully entrusting them to a centralized counter-party.

CoreBitcoin, Bitcore and Bitcoin Core

In August 2013, 7 months ago, I released my open source project CoreBitcoin. It is a Bitcoin framework designed with an excellent API and great documentation. Its name is chosen in line with Apple’s own frameworks: CoreFoundation, CoreGraphics, CoreAnimation. If Apple ever decides to integrate Bitcoin support right in their OS, they could simply take CoreBitcoin as is, since it matches their own high standards for framework API.

In January 2014, Bitpay released a Node.js-based Bitcoin toolkit called “bitcore”.

In March 2014, developers of BitcoinQT (the “official” full node implementation) released version 0.9.0 and renamed the application to “Bitcoin Core”.

As of today, the amount of confusion around the terms “core” and “bitcoin” has been deliberately increased for no good reason.

Idea of a useful altcoin

Let’s invent a good altcoin with a real chance to take off and maybe even replace Bitcoin.

We will design a new scripting engine, mostly backwards compatible with existing Bitcoin scripts, but with some bugs fixed and new features: “strip” opcodes and checks on canonical encoding of data and signatures to prevent malleability, references to past and future transactions (so we can lock up outputs for a specific future transaction), improved SIGHASH_* flags and some additional ones, more complex arithmetic and boolean opcodes enabled, isStandard checks replaced by a dynamic mining fee requirement proportional to the complexity of opcodes and memory used (inspired by Ethereum), Ed25519 signatures, blind signatures/accumulators like in Zerocoin and even Lamport signatures to allow a swift transition to post-quantum crypto if needed.

This scripting engine should be implemented for all major Bitcoin implementation platforms: C++, C, Ruby, Python, Node.js, Objective-C and Go.

This altcoin will use standard Bitcoin scripts by default and only use the new scripting engine via a versioned P2SH-like output script compatible with Bitcoin:

OP_HASH {hash of the altcoin script} OP_EQUALVERIFY {version}

{version} will be OP_1, OP_2 etc. up to OP_16. Version 17 will be “OP_1 OP_1”, version 18 — “OP_1 OP_2” and so on. The version will be increased when the scripting engine is updated with new features or incompatible improvements.

This altcoin will inherit the existing Bitcoin wealth distribution. All existing wallets will be compatible with this altcoin from day one. Only miners will need to perform a “soft fork”, by agreeing to enforce new P2SH scripts using the new scripting engine (like they did in early 2012 with BIP16). Once a super-majority of existing miners enforces a specific interpretation of such scripts, it will be safe for users to create transactions using the new scripting engine. Legacy wallets will acknowledge and validate such scripts, even if they won’t be able to create new scripts and contracts themselves.
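As an added example (not code from the post), here is how the versioned output script above could be built and parsed. It takes OP_HASH160 for the post’s “OP_HASH” and reads the run of OP_1..OP_16 opcodes as bijective base-16 digits, which gives exactly the 17 = “OP_1 OP_1”, 18 = “OP_1 OP_2” series described; the 20-byte script hash used in the test is a constructed stand-in.

```python
# Added example, not from the original post. Encodes and decodes the
# proposed versioned output script:
#     OP_HASH160 <20-byte script hash> OP_EQUALVERIFY <version opcodes>
# Versions 1..16 are a single OP_n; larger versions are spelled with several
# OP_n opcodes read as bijective base-16 digits (each digit is 1..16, never 0),
# so 17 -> OP_1 OP_1, 18 -> OP_1 OP_2, 32 -> OP_1 OP_16, 33 -> OP_2 OP_1.
#
# Why legacy nodes accept it: OP_EQUALVERIFY consumes the hash comparison and
# the trailing OP_n leaves a non-zero value on the stack, so old rules see a
# valid script. It is also distinct from classic BIP16 P2SH, whose exact
# template is OP_HASH160 <20 bytes> OP_EQUAL, so it is never mistaken for one.
OP_HASH160 = 0xA9
OP_EQUAL = 0x87
OP_EQUALVERIFY = 0x88
OP_1 = 0x51          # OP_1..OP_16 occupy 0x51..0x60
OP_16 = 0x60


def encode_version(version: int) -> bytes:
    """Version number -> bytes of OP_n opcodes (bijective base-16, most significant first)."""
    if version < 1:
        raise ValueError("script version must be >= 1")
    digits = []
    v = version
    while v > 0:
        d = (v - 1) % 16 + 1        # digit in 1..16, never 0
        digits.append(d)
        v = (v - d) // 16
    return bytes(OP_1 + d - 1 for d in reversed(digits))


def decode_version(ops: bytes) -> int:
    """Bytes of OP_n opcodes -> version number; rejects anything that is not OP_1..OP_16."""
    if not ops:
        raise ValueError("missing version opcodes")
    version = 0
    for op in ops:
        if not OP_1 <= op <= OP_16:
            raise ValueError("version opcodes must be OP_1..OP_16")
        version = version * 16 + (op - OP_1 + 1)
    return version


def build_output_script(script_hash: bytes, version: int) -> bytes:
    """Assemble OP_HASH160 <hash> OP_EQUALVERIFY <version> for a given altcoin script hash."""
    if len(script_hash) != 20:
        raise ValueError("expected a 20-byte script hash")
    return (bytes([OP_HASH160, 20]) + script_hash
            + bytes([OP_EQUALVERIFY]) + encode_version(version))


def parse_output_script(script: bytes):
    """Return (script_hash, version) for a versioned script, or None for anything else
    (including classic P2SH, which ends in OP_EQUAL and carries no version)."""
    if (len(script) < 24 or script[0] != OP_HASH160 or script[1] != 20
            or script[22] != OP_EQUALVERIFY):
        return None
    try:
        return script[2:22], decode_version(script[23:])
    except ValueError:
        return None
```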

Unlike many other altcoins, this one will have better chances of acquiring a big market and hashing power, and thus would be potentially more useful than other altcoins designed to enrich founders at the expense of naïve enthusiasts who do not understand economics and money.

Unfortunate brand names in the Bitcoin world

Blockchain is a wallet service named after the Bitcoin ledger of all transactions called “the blockchain”. Their website blockchain.info nicely visualizes the blockchain, but since it also provides other services like web wallet, its name causes some confusion among newcomers: “is it the Bitcoin company”?

Bitcoin-Central is an EU-based Bitcoin exchange. Its name sounds like it’s the Bitcoin company. Some newcomers are getting confused.

Bitcoin Foundation is a non-profit organization that promotes Bitcoin among humans and politicians. Its name sounds like it’s the Bitcoin organization. California even sent a Cease and Desist letter to Bitcoin Foundation in July 2013 thinking they were the people behind Bitcoin.

Coinbase is a US-based web wallet and exchange service named after “coinbase transaction”, a technical name for a special kind of transaction that creates new bitcoins. Such transactions can only be created by miners, but Coinbase does not run a mining service.

Kraken is an EU-based Bitcoin exchange. Its name just does not sound serious at all while it is one of the few exchanges positioned for professional traders.

MtGox (pronounced “empty gox”) was a Japan-based Bitcoin exchange, before mid-2013 the largest in the world. The name originally meant Magic The Gathering Online Exchange. However, even that name was unfortunate as MtGox never actually traded MtG cards and launched as a Bitcoin exchange from the start. Ironically, the name was appropriate for the level of their communication skills (poor), customer support (poor) and multiple technical issues that haunted the exchange over the years. Nevertheless, MtGox allowed the Bitcoin market to develop dramatically throughout 2010-2013 by being the single more or less stable marketplace. That made MtGox closely associated with Bitcoin itself, and its unfortunate name (among other things) made a lot of people not take Bitcoin seriously.

Zerocoin is a Bitcoin-like decentralized currency project that enables completely anonymous transactions: unlike Bitcoin, there is no observable link between one transaction and another. The name stems from the cryptographic term “zero-knowledge proof”, but sounds like a “worthless coin”.

Uganda president is ‘disgusting’

After signing an anti-homosexuality bill into law, Ugandan President Yoweri Museveni was called “disgusting” in an exclusive interview with Oleg Andreev.

Oleg Andreev told Yoweri on Monday that, in his view, being Ugandan President is “unnatural” and not a human right.

"They’re disgusting. What sort of people are they?" he said. "I never knew what they were doing. I’ve been told recently that what they do is terrible. Disgusting. But I was ready to ignore that if there was proof that that’s how he is born, abnormal. But now the proof is not there."

Oleg had commissioned a group of scientists to study whether government presidents are “created,” concluding that it is a matter of choice. “I was regarding it as an inborn problem,” he said. “Genetic distortion — that was my argument. But now our scientists have knocked this one out.”

It turned out, presidents freely decide to rule nations, take people’s money and then teach them how they should live. They also decide when people should be kidnapped, tortured or even killed.

Original article: http://edition.cnn.com/2014/02/24/world/africa/uganda-homosexuality-interview/index.html?hpt=hp_c1

Blind signatures for Bitcoin: the ultimate solution to secure BTC storage

I’m happy to publish a draft of my innovative scheme that enables blind signatures compatible with Bitcoin transactions. Primary motivation is secure storage for bitcoins. You can lock your funds with multiple friends/custodians (in a M-of-N multisignature transaction) and ask them to unlock your funds later. If done naïvely, custodians will be able to see which transaction they signed and how much money you have. Blind signatures allow you to completely hide your transactions from custodians who sign them. The scheme differs from existing blind signature proposals in two important aspects: 1) it is compatible with ECDSA while others are not and 2) it completely unlinks resulting signature and public keys from the signing parties, providing absolute privacy.

The paper describes the motivation and the core protocol and provides a practical way to generate and keep track of all secret and public parameters used in it. Use of this scheme enables the ultimate solution to secure Bitcoin storage. While your personal hardware and software wallets can be compromised, money can be much safer locked with independent semi-trusted parties, yet absolutely privately. You and your friends can use conventional personal computers to lock your personal pension funds among each other without ever exposing sensitive financial information.

Download the paper here: http://oleganza.com/blind-ecdsa-draft-v2.pdf

Softfork suggestion: how to fix transaction malleability

After a conversation in #bitcoin-dev with Luke-Jr, we may have a soft-fork change (only a super-majority of miners need to support it) to support non-malleable transactions.

Like with P2SH, we will take an innocent script OP_HASH160 <…> OP_EQUAL and interpret it as P2SHv2. To remain distinguishable from current P2SH, that script will push the hash with PUSHDATA1 (a 2-byte prefix: the opcode plus a length byte) instead of the 1-byte direct-push opcode (which encodes the length of the data in itself).

The entire input script for P2SHv2 output will be interpreted differently.

  1. Input script is not stripped for SignatureHash.
  2. For the currently verified/signed input, corresponding output script is appended to the input script (today it replaces the input script).
  3. OP_NOP1 is redefined to OP_STRIP to mean “strip the following pushdata during SignatureHash”. SignatureHash will consume each opcode from left to right and replace pushdata that follows OP_STRIP with full-zero string of the same length. During execution, OP_STRIP will still be NOP.
  4. Pushdata ops need not be normalized.
  5. CHECKSIG and CHECKMULTISIG will enforce canonical format of the signature if evaluated in the context of P2SHv2.

The voting process can be identical to P2SH. Miners will put the string “/P2SHv2/” in their coinbase to support the change. Once a super-majority of miners support it, it will be safe for people to issue P2SH-version2 transactions. Old style transactions will still be malleable. Regular payments will be softly protected against malleability by the isStandard check. Complex contracts like rapidly-adjusted micropayments would need to use P2SHv2 in order to rely on chains of unconfirmed transactions.

This change does not require regular users to upgrade their software.

Hardfork suggestion: how to fix transaction malleability

We can introduce another version of transactions (2) that will change how signatures are verified and stored within the transaction.

The malleability of transactions stems from the fact that we store signatures in the input scripts and for purposes of signing and verifying the signature, all input scripts are completely stripped. This allows anyone to introduce non-breaking changes to the input scripts that keep signatures correct, but change the whole transaction hash.

To fix that, we add a level of indirection. All signatures will be stored in a separate location in the transaction, ordered. Input scripts will only reference the index of the signature and never be stripped for the purposes of signing.

  1. Input scripts are not stripped during SignatureHash phase.

  2. CHECKSIG and CHECKMULTISIG expect not a signature, but a “signature index”, as PUSHDATA (does not need to be normalized).

  3. Signatures are listed in an array in the tail of the transaction (after lock time). All length prefixes must be normalized in that array (including length prefix of the array itself).

  4. All signatures must be canonical.

  5. When signing an input, its script is appended with the output script (today output script replaces the input script).

  6. When verifying the signature, storage of signatures is stripped off completely (“signatures cannot sign themselves”).

The transaction ID remains the same: a double-SHA256 of the entire transaction, so no changes in the transaction inputs or merkle trees are needed.

Old versions of transactions are still malleable, can be created by older clients and will always be valid. New versions will be accepted by the network if the network decides so with a majority vote. There will be an announced block height starting with which version 2 transactions will be valid.

How to vote?

Miners may express their support by mentioning “/CTv2/” (“Canonical transactions AKA version 2”) in their coinbase.

But before that, miners must see that most used software is upgraded to support validation of “version 2” transactions. I.e. bitcoind, libbitcoin, bitcoin-ruby, Multibit, Electrum, mobile apps if needed.

If after block height N, more than 95% of blocks in the past 10000 blocks are supporting the change, network starts accepting transactions with version 2 and new signature check rules in those transactions.

Then, if your special scheme (like rapidly-adjusted micropayments) requires reference to an unconfirmed transaction, you would simply require using a version 2 transaction and have guarantee that its ID can’t be changed.

EDIT: as Luke-Jr suggested, in the future we may want some other data to be stripped for signing purposes (e.g. if we implement other signature schemes with new or existing opcodes). To support that, we may allow any “pushdata” to be “indirect” or “strippable”. Maybe with some extra opcode acting as a prefix before pushdata. E.g. OP_NOP1 will be used as OP_STRIP and mean “for signature hash”, strip the following piece of data.
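An added example (not code from either post) of the OP_STRIP pre-processing described in step 3 of the soft-fork proposal and again in the EDIT above: a SignatureHash pass walks the script opcode by opcode and replaces the payload of every pushdata that directly follows OP_NOP1/OP_STRIP with zeros of the same length, then appends (rather than substitutes) the output script as step 2 of the soft-fork proposal requires. The signature and redeem script bytes in the test are constructed stand-ins.

```python
# Added example, not from the original posts. Implements the proposed
# "strip for signature hash" rule: any pushdata immediately following
# OP_STRIP (OP_NOP1, 0xB0) has its payload replaced with zero bytes of
# the same length while its opcode and length prefix are kept, so the
# script hashes identically whichever signature later fills the slot.
# During execution OP_STRIP is still a NOP, so nothing here changes
# script semantics, only what gets hashed.
OP_NOP1 = OP_STRIP = 0xB0
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def iter_ops(script: bytes):
    """Yield (opcode, payload_or_None, raw_bytes) for each op in a script.
    Handles direct pushes (0x00..0x4B) and PUSHDATA1/2/4; anything else is a bare opcode."""
    i, n = 0, len(script)
    while i < n:
        start = i
        op = script[i]
        i += 1
        if op <= 0x4B:                      # direct push: opcode is the length
            length = op
        elif op == OP_PUSHDATA1:
            length = script[i]
            i += 1
        elif op == OP_PUSHDATA2:
            length = int.from_bytes(script[i:i + 2], "little")
            i += 2
        elif op == OP_PUSHDATA4:
            length = int.from_bytes(script[i:i + 4], "little")
            i += 4
        else:
            yield op, None, script[start:i]
            continue
        if i + length > n:
            raise ValueError("push runs past the end of the script")
        payload = script[i:i + length]
        i += length
        yield op, payload, script[start:i]


def strip_for_sighash(script: bytes) -> bytes:
    """Return the script as it is hashed: pushes tagged by OP_STRIP are zeroed in place."""
    out = bytearray()
    strip_next = False
    for op, payload, raw in iter_ops(script):
        if payload is not None and strip_next:
            prefix_len = len(raw) - len(payload)   # opcode + length bytes stay intact
            out += raw[:prefix_len] + bytes(len(payload))
        else:
            out += raw
        strip_next = (op == OP_STRIP)              # OP_STRIP only covers the very next push
    return bytes(out)


def p2shv2_script_code(input_script: bytes, output_script: bytes) -> bytes:
    """Script bytes hashed for the input being signed under P2SHv2: the stripped input
    script followed by the output script (today the output script replaces it instead)."""
    return strip_for_sighash(input_script) + output_script
```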

MtGox and malleable transactions

MtGox issued a statement that due to a “design issue” in Bitcoin protocol, they were having problems with withdrawing BTC and so they had to halt all withdrawals until the problem is fixed. https://www.mtgox.com/press_release_20140210.html

If you need a quick answer: there’s no bug in the Bitcoin itself. You may go to Bitstamp/Coinbase/BTC-E/Bitcoin-Central and buy more BTC with a huge discount before it gets back to $800-$900.

Long answer:

Unconfirmed Bitcoin transactions were always “malleable”, that is, you can slightly change a transaction that “floats around” (not yet in the blockchain) without breaking its signatures. You can’t change anything important about it, like source transactions, amounts, order of inputs and outputs or other important metadata. What you can do is add some bogus data or flip a sign on a signature, which doesn’t change the meaning of the transaction, but changes its binary representation. (More info here: https://en.bitcoin.it/wiki/Transaction_Malleability)

What does it mean in practice? You may send a transaction ABC123, then someone may see it on the network, change it slightly into ABC124 and send that too. If he gets lucky, ABC124 gets included first and ABC123 never will (it spends the same inputs, so it would be a double-spend). There’s no problem for the recipient of the transaction: they still get all their money on the address they expect. But if they were watching the blockchain specifically for transaction ABC123, they will never find it there.

MtGox claims to be fooled this way:

  1. User asks MtGox to withdraw some bitcoins to an address of the user’s choice.
  2. MtGox takes some of its own “unspent transaction outputs” and composes a transaction which sends funds to the user’s address.
  3. MtGox remembers the hash of that transaction (the unique fingerprint of its contents) and begins to watch the blockchain for this hash to appear.
  4. The user or someone else sees the unconfirmed MtGox transaction on the p2p network and changes some bytes in it so that it stays valid but has a different hash.
  5. The modified transaction gets included in the blockchain. MtGox has sent the money where it should go but does not know it. The user has received the funds without any problem: his personal wallet shows them.
  6. Then the user goes to MtGox support and complains that the money did not go through. Or MtGox themselves notice that they have been watching for the transaction for too long and automatically send another transaction that spends some other “unspent tx outputs” to the same address (to “retry” it). That retry is a genuine second payment: the network rejects a retry that spends the already-spent outputs, but it has no way of knowing that a transaction spending fresh outputs is a duplicate. One way or another, this creates a lot of confusion for MtGox and may lead them to send the same money twice, or many times, to the same user.

Is it a design issue in Bitcoin to allow slight changes in unconfirmed transactions? Yes, it probably is. But it’s not entirely clear how it can be prevented at all. An immediate fix would disallow potentially useful, more complex transactions and would require global network consensus to enforce the new behavior. Zero-confirmation transactions were always known to be malleable, and methods to limit their malleability were already discussed and deployed (e.g. transactions with non-canonical signatures may not be relayed by all nodes). But for all practical purposes it’s a known feature, just like many other weird facets of Bitcoin. Those who build Bitcoin wallets, exchanges or payment processors must be aware of this and act accordingly.

MtGox had this problem because they did not know about this property of Bitcoin, and since transactions were usually not deliberately modified by anyone, it worked fine most of the time.

It’s not rocket science to fix the problem. For instance, MtGox could fix it this way: instead of watching the blockchain for the specific hash of a specific transaction, they should watch whether address X (specified by the user) received amount N (specified by the user) from outputs Y, Z and W (owned by MtGox). This would guarantee that even if the transaction is modified, they will see for sure whether the user actually got the money or not. The outputs are the key: once Y, Z and W are spent in a confirmed transaction, no other transaction can ever spend them, so the inputs identify the payment uniquely no matter what its hash turned into. By the same token, a “retry” must spend the same outputs as the original, never fresh ones, or it becomes a second payment.
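The reconciliation described above, as an added example (not MtGox’s code nor the post author’s): pending withdrawals are matched against confirmed transactions by the outpoints they spend and the (address, amount) output they pay, with the txid computed at signing time kept only as a hint. The fragile txid-only matcher is included for contrast, and a retry guard refuses to re-send while the original funding may still confirm. All transactions, addresses and amounts are constructed sample data; the address strings are placeholders, not real addresses.

```python
# Added example, not MtGox's code nor the post author's: reconcile withdrawals by
# the outpoints they spend and the output they pay, not by txid.  All data below
# is constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class OutPoint:
    txid: str   # transaction that created the coin
    vout: int   # index of the output within it


@dataclass(frozen=True)
class Tx:
    txid: str          # hash of the serialized bytes; changes if anyone malleates the tx
    inputs: tuple      # OutPoints this transaction spends
    outputs: tuple     # (address, amount_in_satoshi) pairs


@dataclass(frozen=True)
class Withdrawal:
    funding: frozenset   # our outpoints Y, Z, W chosen to fund it
    address: str         # X, specified by the user
    amount: int          # N in satoshi, specified by the user
    broadcast_txid: str  # the hash we computed when signing; only a hint, not an identity


def reconcile_by_txid(withdrawals, confirmed):
    """The fragile approach: a malleated copy never shows up under the expected hash."""
    seen = {tx.txid for tx in confirmed}
    return {w.broadcast_txid: ("settled" if w.broadcast_txid in seen else "pending")
            for w in withdrawals}


def reconcile(withdrawals, confirmed):
    """Status per withdrawal: 'settled', 'pending' or 'conflict'.

    A confirmed transaction that spends one of our funding outpoints is the final
    word on them: the network will never confirm another spend of the same
    outpoints.  If it also pays X exactly N, the withdrawal is settled whatever
    its txid.  If it pays somewhere else, our coins left without the withdrawal
    being honoured and a human must look before anything is re-sent.
    Matching on inputs as well as on (X, N) keeps two equal withdrawals to the
    same address apart: they are funded by different outpoints."""
    status = {}
    for w in withdrawals:
        status[w.broadcast_txid] = "pending"
        for tx in confirmed:
            if not any(inp in w.funding for inp in tx.inputs):
                continue
            if (w.address, w.amount) in tx.outputs:
                status[w.broadcast_txid] = "settled"
            else:
                status[w.broadcast_txid] = "conflict"
            break
    return status


def retry_allowed(w, confirmed):
    """A retry may only go out while the original funding is still unspent, and it
    must spend the same outpoints; picking fresh coins is how money gets sent twice."""
    return reconcile([w], confirmed)[w.broadcast_txid] == "pending"


# Constructed sample: withdrawal 1 confirmed under a different txid (malleated),
# withdrawal 2 still unconfirmed, withdrawal 3's coins spent to an unknown address.
SAMPLE_WITHDRAWALS = (
    Withdrawal(frozenset({OutPoint("11" * 32, 0)}), "addr_user_1", 50_000_000, "aa" * 32),
    Withdrawal(frozenset({OutPoint("22" * 32, 1)}), "addr_user_2", 10_000_000, "bb" * 32),
    Withdrawal(frozenset({OutPoint("33" * 32, 0), OutPoint("33" * 32, 1)}),
               "addr_user_3", 75_000_000, "cc" * 32),
)
SAMPLE_CONFIRMED = (
    Tx("dd" * 32, (OutPoint("11" * 32, 0),),
       (("addr_user_1", 50_000_000), ("addr_change", 1_000_000))),
    Tx("ee" * 32, (OutPoint("33" * 32, 0),), (("addr_unknown", 74_000_000),)),
    Tx("ff" * 32, (OutPoint("99" * 32, 0),), (("addr_unrelated", 1),)),
)

if __name__ == "__main__":
    print("by txid:", reconcile_by_txid(SAMPLE_WITHDRAWALS, SAMPLE_CONFIRMED))
    print("by outpoints and output:", reconcile(SAMPLE_WITHDRAWALS, SAMPLE_CONFIRMED))
```

Run stand-alone, the txid matcher reports the first withdrawal as still pending although it confirmed under the malleated hash, while the outpoint matcher reports it settled, leaves the second pending and flags the third as a conflict that must not be retried automatically.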

Idea: signed JavaScript plugins to wallet apps

Thanks to Bitcoin scripts (little programs specifying the conditions under which a transaction is valid), people can come up with many sorts of never-seen-before protocols: multi-party escrows, “nash equilibrium” insurance deposits, rapidly adjusted micropayments, crowdfunding etc. All of these require multi-step actions from the user’s application which holds the private keys.

Today such applications are very simple: they only support sending and receiving money on “addresses”. Anything more complex is just not supported by general-purpose wallets. If one comes up with a new protocol, they either have to extend existing wallets, make their own, or simply have a server do the work (which defeats all the security promised by a decentralized protocol in the first place). Each of these options amounts to redoing wallet and key management from scratch and introduces a lot of extra hassle for users.

A good compromise between the impossible Most Universal Bitcoin Wallet and millions of specialized wallet apps would be a system of JavaScript plugins. Each plugin is a short single file of JavaScript code that is executed in a very restricted environment. Why JavaScript? It is the most ubiquitous scripting language with flexible implementations on most (if not all) major platforms.

A JavaScript plugin is cryptographically signed by multiple auditors, and the wallet app verifies the signatures on a plugin every time it executes it. A plugin can only be invoked explicitly by the user. The wallet, not the plugin, shows a summary of what is about to happen (“you are going to send 0.34 BTC in this transaction”). A single plugin is invoked when a particular kind of contract is initiated or needs an update. Plugin state is isolated not only from other plugins but also between the individual contracts a plugin handles.

This is how it may look. Take, for example, a simple escrow. You send money to a 2-of-3 multisignature script, where two keys belong to you and your counterparty and the third key belongs to a semi-trusted third party which may act as an arbiter if needed. When the contract completes, the user must be able to sign for the particular outcome (the money goes to the counterparty, goes back to the user, or is only partially refunded).

The plugin may implement this by handling two kinds of input: creation of a contract and completion of the contract. For each state, the plugin checks the integrity of the data (e.g. “a contract can be completed only if it was started by me in the first place”) and returns the result together with compact informational messages for the user. The plugin does not implement the UI; that is done by an external application or a website with which the user interacts. To confirm an action, the plugin can only provide a compact description like “Unlock 100% of funds to Buyer Inc.?” or “Refund 90% to your address 1RefuNd3eBnt66345…?”. Once confirmed, the result is sent back to the application that requested participation in the contract.

For security reasons, plugins should be very compact and easy to read and understand, should not load external libraries at runtime, and should have no access to external devices, the file system, the network, etc. A plugin may be bundled with static data like images or localization strings, all covered by the code signature and verified by the wallet application on each run.

More details on how this could be done and what the API may look like will follow.

Real crypto-anarchy without anonymity

The Cypherpunk movement started as a mailing list in 1992. In 1993 Eric Hughes publishes “A Cypherpunk’s Manifesto” [1]. In 1994 Timothy C. May publishes the “Cypherpunks FAQ” [2].

Here’s an excerpt from the FAQ:

2.3. “What’s the ‘Big Picture’?”

Strong crypto is here. It is widely available. It implies many changes in the way the world works. Private channels between parties who have never met and who never will meet are possible. Totally anonymous, unsinkable, untraceable communications and exchanges are possible.

Transactions can only be voluntary, since the parties are untraceable and unknown and can withdraw at any time. This has profound implications for the conventional approach of using the threat of force, directed against parties by governments or by others. In particular, threats of force will fail.

What emerges from this is unclear, but I think it will be a form of anarcho-capitalist market system I call “crypto anarchy.” (Voluntary communications only, with no third parties butting in.)

In 1998 Wei Dai publishes a proposal for “b-money”, a practical way to enforce contractual agreements between anonymous actors [3]. He captured the essence of the movement in an immortal quote:

I am fascinated by Tim May’s crypto-anarchy. Unlike the communities traditionally associated with the word “anarchy”, in a crypto-anarchy the government is not temporarily destroyed but permanently forbidden and permanently unnecessary. It’s a community where the threat of violence is impotent because violence is impossible, and violence is impossible because its participants cannot be linked to their true names or physical locations.

In 2005 Nick Szabo publishes a proposal for “Bit gold” [4], a purely digital collectible based on a proof-of-work algorithm, borrowing ideas from the RPOW (“Reusable proof of work”) server by Hal Finney [5]. The proposal does not mention a contract enforcement mechanism, but Szabo himself had already proposed several ideas about smart contracts back in the nineties [6].

In late 2008 Satoshi Nakamoto publishes an overview of Bitcoin [7], mines the genesis block on January 3rd, 2009 and releases the code a few days later.

Bitcoin is an exact implementation of the system envisioned by Tim C. May, Wei Dai and Nick Szabo. The only requirement is for transacting parties to remain anonymous. If there’s no trace to physical persons, there is no place for the violent intervention and thus the contracts can only be enforced according to the voluntarily agreed-upon rules between the parties. Bitcoin allows encoding these rules right in the transactions so they are automatically enforced by the whole network.

In practice, we cannot imagine living in full anonymity. Human beings live in a physical world and enjoy a lot of physical things. Anonymity is not something you can manage as easily as a single encryption key. It must be maintained by carefully blending one’s actions with the actions of others, and since network activity is easily recorded, one mistake is enough to reveal oneself. In other words, the cost of anonymity is rather high compared to the benefits. Does this mean crypto-anarchy is a utopia?

I would argue it is far from it. The cypherpunks, being rigorous scientists, made a much stronger assumption than is needed in practice. For transacting parties it is enough that the cost of cheating is meaningfully higher than the cost of following the contract. If that condition holds for the majority of interactions in society, people will have a great incentive to protect themselves against the remaining rare cases of cheating, which keeps the system sustainable. Anonymity is simply one of the ways to raise the cost of an attack.

Bitcoin raises the cost of many kinds of attacks, going far beyond protecting against central banks meddling with money supply.

First, all sorts of computational services will flourish. Machines never need to disclose their physical locations and can freely automate both payment verification and payments themselves. Denial-of-service and spam can be largely eliminated by simply requiring a smallish payment for every request.

Second, personal services can be protected by peer-to-peer insurance deposits [8] that quite literally raise the cost of cheating by making both parties agree to a greater sacrifice.

Third, in a similar manner, crowdfunding can be fully insured by allowing raised funds to be reverted if the majority of shareholders decides to do so.

Finally, systemic predation by the state becomes economically impossible. Most modern states get their funding from debasing the money supply (also known as “bond issuance”, “budget deficit”, “inflation”, “quantitative easing”, “stimulus package”). A Bitcoin-based economy simply does not allow this, as it is very cheap to store bitcoins and verify transactions yourself, completely avoiding all kinds of fraud associated with modern banking. As central banking disappears from the state’s arsenal, federal government activities, including wars, become unfunded and quickly come to an end.

Local governments may continue their operations funded by local taxes, but paying them would become increasingly voluntary. Extracting bitcoins costs much more than protecting them. There is no highly centralized and monitored banking network, so it’s much harder to track taxable transactions. Every additional tax evader defunds the local police department and makes it safer for the next person to underreport earnings if he wishes to do so. Considering that law enforcement is paid only a small portion of the total budget to be extracted (50% goes to bureaucrats and the rest to other public services), consistently extracting bits of information from millions of individuals is unsustainable in the long run. If anyone is good at stealing bitcoins, they are much better off doing it alone and keeping all the profits for themselves.

Governments, of course, can also tax in kind (like your underreported Ferrari or a house), but this would be even costlier than seizing any kind of money and those costs must be paid by the state in bitcoins that it does not have to start with.

If this speculation does not sound to you like complete lunacy yet, here is the fun part. Most governments are completely broke already and can only pay with the IOUs they print. When people start a massive run for bitcoins to protect their wealth, everyone will be able to earn bitcoins for their work, except those who work for the government. Policemen, public school teachers and the like will be the first ones to notice prices rising faster than their salaries. They will be the first ones to change jobs or become largely corrupt on all levels (like it was in Russia after the fall of the Soviet Union). Bureaucrats will smell the approaching panic and, instead of trying to retain control over the employees, will privatize as many public goods as possible, again, exactly like during the fall of the Soviet Union. People will see how all promised public services are either abandoned or stolen, and this time everyone will have a method to protect their own property and do business voluntarily and in an even safer and cheaper way than before. Crypto-anarchy will quickly become a boring reality without the need for anyone to remain fully anonymous.

[1] http://www.activism.net/cypherpunk/manifesto.html

[2] http://www.cypherpunks.to/faq/cyphernomicron/cyphernomicon.txt

[3] http://www.weidai.com/bmoney.txt

[4] http://unenumerated.blogspot.co.uk/2005/12/bit-gold.html

[5] http://cryptome.org/rpow.htm

[6] http://szabo.best.vwh.net/smart_contracts_idea.html

[7] http://bitcoin.org/bitcoin.pdf

[8] http://blog.oleganza.com/post/58240549599/contracts-without-trust-or-third-parties

Bitcoin Value Proposition

More and more people are willing to “invest in Bitcoin”. Before doing that, they need to understand what it is and what it isn’t. Someone asked me if it’s okay to “invest in BTC for a year at current prices”. Putting it this way is an admission that you do not understand the value of Bitcoin. You will buy at $1000 and sell everything at $800 during a sharp reaction to some piece of bad news. Don’t do that.

Bitcoin is a great bet. If most people own a little bit of Bitcoin, we will wake up tomorrow in a new world. If they don’t and everyone goes home, your investment is fundamentally worthless. Bitcoin is as pure as money can ever get: it’s either a global standard, or it’s purely an object of art valued by few. You do not invest in Bitcoin, you switch into it.

If Bitcoin becomes the world money, people will massively sell off their currencies, gold, silver and some low-risk investments (like bonds or extra real estate). Rough calculations give us a figure higher than $10M of today’s dollars per bitcoin.

But what fascinates me personally about Bitcoin is not the monetary reward, but the transformation of our society that comes as a side effect. Even if you and I put no money into Bitcoin today, our lives will be so much better if Bitcoin wins.

The real Bitcoin value proposition is the removal of large-scale destruction and an unprecedented amount of economic freedom.

As an example, the total debt of the U.S. government is $17 trillion and growing [1]. This debt is owned by the banks that create dollars in exchange for that debt. Government simply promises to pay off this debt with the same money (plus interest) that it is supposed to extract from the taxpayers later. It’s not only impossible economically, but it’s logically invalid. To return more debt-based currency, they’d need to issue even more debt.

You may think these numbers do not affect you personally, but consider what this money is being spent on. The total cost of the war in Iraq since 2003 is an astonishing $6 trillion [2], almost one third of today’s total debt. During this war more than 1 million people were killed [3]. In other words, the folks working in the military earned $6 million per person murdered.

Ask yourself, who gave these trillions for the war? Which investors thought it might be a good idea to invade Iraq, lose a bunch of money and have people hate you? The answer is that there are no investors. All this money is being made up by the central bank in exchange for more government debt. And due to tons of laws, regulations and taxation, people have to accept this funny money for their work.

Bitcoin does not allow this. It’s a single, absolutely transparent ledger where anyone can see how money is being created. There’s a fixed supply which cannot be increased overnight by a single man. If people adopt Bitcoin as their standard money, governments would have to pay for their wars from taxes. And people will feel how their taxes actually work. Not to mention that taxes will be much harder to extract if peaceful citizens decide to oppose their government. By simply being a world money, Bitcoin will prevent massive murder and destruction. This alone is worth making a bet on, in my opinion.

After removing disastrous wars, people will find themselves not only in a safer world, but also with even more opportunities. Anyone can trade with anyone else on the entire planet, absolutely safely, anonymously or publicly. Every teenager can join the global market whenever he wants. Every person can save money for a rainy day without Paul Krugman telling him why it’s good that his savings lose value. Every business is more protected against racketeering by having secure cash as an ultimate insurance against temporary losses. Programmable contracts [4] allow incredible new business models that are otherwise impossible, lowering the cost of lawyers and auditors. The entire internet will shift from advertisement to more directly funded services as micropayments become viable.

If you understand all of this, you should desire these changes and participate in them. If you don’t agree with me, you should not invest in Bitcoin at all. You can’t have just a cute payment protocol without all global consequences that necessarily follow. Bitcoin is a single package: either it completely fails, or it turns all people into wealthy peaceful anarchists.

[1] http://en.wikipedia.org/wiki/National_debt_of_the_United_States

[2] http://en.wikipedia.org/wiki/Financial_cost_of_the_Iraq_War

[3] http://en.wikipedia.org/wiki/Casualties_of_the_Iraq_War

[4] https://en.bitcoin.it/wiki/Contracts