Time is not easily measured in money. It’s rather money that can be measured in time.
Time is not fungible, money is. Yesterday’s missed opportunity does not necessarily come back today, even if you have all day. Everyone has their own money, but the timeline is shared by all of us.
You can buy some time with money, but that will be a different time, not the one you want to get back. Good thing, though, you can buy money with time and that will be the same money.
Turns out, it’s more accurate to say “money is time”, not “time is money”. Because making money always takes time, while some time cannot be bought back with any amount of money.
Some people feel bad about Bitcoin being harder to scale than any successful centralized system such as Myspace or Altavista. They often claim that “I signed up for a P2P Electronic Cash System, not a settlement layer” which is a way to say that Satoshi envisioned something other than what we have today.
I’d like to challenge this argument, even though I realize that it is absolutely irrelevant: whatever Satoshi thought he was doing, the existence and evolution of Bitcoin are subject not to anyone’s wishful thinking, but to humankind’s ability to actually improve it.
So Satoshi called Bitcoin an “electronic cash system”. What does that mean?
First of all, “cash” means something other than “quick settlement”. It primarily means a bearer instrument as opposed to a contract with a third party providing credit (as with credit cards, for instance). When accepting “cash” instead of a credit card, I am somewhat protected against reversal of the transaction by a third party — a credit card company. But how exactly am I protected? Turns out, there is another third party involved: a centrally controlled mint (e.g. a central bank) that provides difficult-to-counterfeit notes and uses a subsidized (by taxes) police force to discover and eliminate counterfeiters. So instead of two third parties (CB + CC company), cash leaves only one (CB) in our threat model. CB also adds a risk of debasement of currency, so if you receive 0.10% of total currency today, tomorrow it may turn out to be just 0.09%. You are essentially paying a rent on money with little assurance of stability of that rent. Also note a somewhat hidden cost of tax-subsidized minting and law enforcement to protect authenticity of the money.
Let’s scroll back a few hundred years to the age of silver and gold coins. “Cash” was more decentralized: gold is gold no matter what face is printed on it. But why have faces on gold coins at all? Elementary, Watson: because it’s a huge pain in the arse to verify the coin on the spot. So central mints were used to provide hard-to-counterfeit stamps that allow quicker verification of coin validity. Mints were still a source of debasement risk, but at least some independent verification was more possible and debasement could not have been done overnight (as the saying goes, Rome was not debased in one day).
So even precious metal coins are not better than paper cash (if they were, paper would never have taken off in the first place): they seem to be decentralized, but related costs are so high that to make them useful we still need centralized authorities built around them.
Is it the kind of cash Satoshi attempted to turn into electronic form? Let’s read bitcoin.pdf from the very beginning:
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.
Note that the Mint (or Central Bank) involved in coinage and printing paper bills is as much a financial institution as your bank or Visa.
If one is to create a truly decentralized bearer instrument, one must make both issuance and authenticity checks decentralized, not simply the transfer mechanism. And the only workable way that we know so far is to collectively (as a civilization) continuously build a proof-of-work chain of transfers authenticated via public key cryptography.
Folks who focus on payments without discussing issuance and corresponding holding costs (risks of debasement) are like grasshoppers who spend before saving, so when winter comes they all go to ants begging for the share of what the ants saved. This has happened all the time in history: first, ants abstain from unnecessary spending in order to save some food for later, then ants are forced to abstain even more by all the stupid and hungry grasshoppers who come to take their savings. A truly decentralized cash would prevent the most badass grasshoppers from issuing and debasing their own currency, and the asymmetric security of public key cryptography allows all ants, no matter how poor or rich, to have equally cheap protection against even the strongest of grasshoppers.
But let’s get back to our “original vision of Bitcoin”. We now clearly see that it is not fair to compare Bitcoin’s performance to performance of Visa electronic payments (large throughput, but a lot of trusted third parties and risks of reversal and censorship) or even paper bills or minted coins.
So how does Bitcoin compare to a fully decentralized gold bullion then, the best known decentralized money before Bitcoin? How many transactions a day can the naked chunks of gold settle around the world? How quick is each payment verification? How do costs scale with different amounts of payments, from the smallest to the largest? We will leave answering these questions as an exercise to the reader and jump right to the conclusion:
Decentralized physical cash sucks in all ways imaginable compared to Bitcoin. Bitcoin is faster, cheaper and safer than any other forms of decentralized cash that ever existed.
In addition, if you take Bitcoin and build payment layers on top of it by relaxing some underlying security requirements, you will still get better electronic cash than the paper cash today: faster, easier to verify, better protected against debasement etc etc.
Satoshi was building a base layer for electronic cash by eliminating trusted third parties as a requirement. He succeeded. Everything else is simply an optimization. If some optimizations relax security requirements of Bitcoin (e.g. need some level of centralization), then they do not belong to Bitcoin, but to additional layers around Bitcoin.
Bitcoin is designed to be free from intervention as in “fuck you”.
The problem with “voting by coins” is that most coins do not vote. This leaves a small fraction of UTXO to actually vote which is not representative and highly volatile since anyone willing to risk using idle keys to a large stash of coins can dramatically affect the voting outcome.
Most coins are locked up well “under the mattress” with multisig, time locks and possibly even with HSM-controlled keys. Also, pubkeys to long-term stashes do not want to be exposed from under their hashes in order to be better protected against a QC development in the long term.
In other words, most coins that matter cannot and will not vote.
This leaves only the least important coins to perform voting. Obviously, the result of such voting will be worthless.
UPDATE: it is possible that people annotate output scripts with a dummy “voting hash” that commits to a separate pubkey, intended only for voting and stored elsewhere. But then security of the voting keys is not equivalent to the security of bitcoin keys which is what we want to begin with: that voters perfectly map to actual bitcoin holders.
First, it is very easy to prove if you are Satoshi:
No one has done that yet.
Second, it’s quite easy to prove that all claims by Mr. Wright regarding his link to Satoshi are either irrelevant (such as general knowledge of how Bitcoin works) or outright fabricated (such as a backdated PGP key demonstrated last year, or a signature copy-pasted from one of Satoshi’s transactions).
Third, it’s easy to see how mass media and some prominent voices in the Bitcoin space are turning “burden of proof” upside down. Some express doubts, but still prefer to trust (!) and believe (!!) even after being educated about the invalidity of the presented “evidence”. They still wait for a “better proof” coming from Mr. Wright.
In this story Mr. Wright brilliantly demonstrated who should not be trusted anymore on any matters in finance, cryptography or Bitcoin. Oh, what the heck, who is not to be trusted, period.
PS. This video is just perfect: https://www.youtube.com/watch?v=H2euMNmsb_s
Yesterday I was bored and tweeted that people flood reddit and blogs with concerns about the block limit in order to buy as many coins as possible before July’s halving that will trigger a huge price increase and expose to the whole world how important and valuable Bitcoin has become.
Seriously speaking, I don’t see another explanation for seemingly inconsistent behaviour on the part of some people than either outright stupidity or participation in a mild short term conspiracy aimed at suppressing the price until the next mining reward drop.
1. If someone’s business model is really at stake, they’d be coding real scalability solutions rather than debating opinions and appealing to authority.
I can understand how respectable Bitcoin businesses such as online exchanges and payment processors earn fees from the users’ activity. They obviously would like to process as many transactions as possible in order to earn as much commission as possible. Nothing wrong with it. However, if that’s really the case, then these companies should really invest in a better codebase, improved block propagation techniques, better wallets etc - in order to be able to say “hey, we’ve improved the overall infrastructure and now we can raise the stupid limit”.
However, the only people who actually fix the infrastructure are those who care about long-term value of Bitcoin which is self-consistent and does not need any conspiracy theory to explain.
2. Some people point to ETH pumping as evidence that people sell BTC for ETH.
This is total bullshit. Ethereum is much harder to scale. Dumping BTC for ETH because of scaling concerns makes no sense.
3. Some think that miners’ hashrate should decide hard fork matters, yet do not like a miner-enforced soft fork that improves Bitcoin in multiple ways.
If miners “should” decide some matters, wouldn’t it be easier to just implement whatever you want using their existing powers (soft forks) rather than demanding that they have more power?
These inconsistent arguments can be explained either by total stupidity, by a big conspiracy theory (“USG wants to sabotage Bitcoin”) or by a small conspiracy theory (“Bitcoin is going to eat the world in a few months and we need to win some time to improve our position in it ahead of Chinese/Russians/Americans”).
Ok, here’s a rant in favor of so-called “bitcoin maximalism”.
TL;DR: Bitcoin will win the “cryptographic gold” title and every other altcoin imaginable will die. All fancy features like higher capacity, smart contracts etc will be bolted on top of Bitcoin as long as it’s safe to do so, with all excess demand satisfied by commercial blockchain networks, separate layers and protocols on the side and on top of Bitcoin.
Why am I so sure? Let’s bust some myths.
“Bitcoin must scale to accommodate more users and more transactions, otherwise it will be dumped for another system”
If another system demonstrates how it can offer the same level of safety as Bitcoin (e.g. not being highly centralized and vulnerable to opinions and politics) while allowing higher capacity, it will immediately be implemented by Bitcoin via soft or hard fork with full support from major holders. It will be much less risky than to replay 7 years of market price discovery. We have already seen examples of bugfixes and improvements being smoothly deployed via soft forks.
“Bitcoin must support fancy features like Ethereum does in order to not lose to ETH”
If stakeholders are seriously considering this, they’d rather hardfork into Aethereum preserving all their balances than buy into a corporate offering which Ethereum is and aspires to become to an even bigger extent.
Also, Ethereum is much, much harder to scale and harder to upgrade to better privacy options than BTC. So if Bitcoin cannot survive because “it does not scale”, then Ethereum surely cannot either.
“If the miners adopt a hard fork to boost capacity, Big Holders will be required to follow the larger hashrate”
No. Big Holders tolerate existing mining cartel only as long as it behaves. The mining cartel knows very well that Big Holders are those who give the value to BTC that’s converted into their daily earnings and that these holdings are well-protected by tons of irreversible proof of work. Should the mining cartel decide to play dirty, a different proof of work algorithm will be adopted (still cheaper than to buy into a completely new blockchain) and someone else will get paid for mining all blocks after the block N. Coins will be immediately dumped on the legacy chain and safely kept on the new chain with a different PoW.
But most importantly, and above all these specific issues, there’s one fundamental property of Bitcoin:
Should there be a precedent of a market abandoning one consensus in favor of another without all possible attempts to maintain it, that would become an eternal proof that such consensus is not safe long-term and can be sabotaged an infinite number of times to satisfy politics du jour.
And that’s the main reason why Bitcoin will not go away after multi-billion dollar capitalization achieved over 7 years of expensive market activity. If miners want to stay in the game, Bitcoin will be infinitely extended with soft forks to address real concerns (those that put on-chain value at risk, not somebody’s business model). And if miners decide to fool around, they’d be hard-forked out of the game, not the other way around. In the worst case a bad precedent hurting stakeholders will trigger a nuclear war: everyone will lose money and all decentralized blockchain experiments will be considered irredeemably failed.
None of the above are due to specific design decisions. Bitcoin is the civilization’s consensus first of all, no matter how beautiful, ugly, efficient or inefficient it is. Should we prove just once that we can’t reach consensus, we will not deserve a second chance.
“Segregated witness” (“segwit”) is a proposed feature to improve transaction mutability, enable smooth script upgrades and double Bitcoin capacity by moving signature scripts out of the transaction inputs into a separate data structure committed to a block using a new rule compatible with older nodes.
Bumping the block size limit is a hard fork: first, everyone must agree to follow new rules, then everyone willing to verify a payment to themselves has to download and verify bigger blocks. So a minority of less-powerful miners and/or recipients is out of luck: they have to beef up their bandwidth and CPU resources or disconnect from the network. This is how “hard fork” works.
Segregated witness, among other things, increases capacity of the blocks without forcing everyone to validate bigger blocks. If you expect old-style transactions, you can still validate 1 Mb base blocks as you always did. However, if you wish to accept payments using segwit transactions, you have two options: 1) either validate additional data (that is, loading and validating all segregated signature scripts that do not fit into base blocks); 2) or trust the majority of miners to validate these for you, then you can validate only base blocks ignoring segwit data, or even just use SPV proofs.
Segregated witness can only be used safely if the super-majority of miners enforce it. This can be done in two ways: validating segwit transactions according to the new rules, or not mining segwit transactions yourself and only trusting other miners to mine segwit transactions correctly (see below on why it’s not a huge security hole).
If you are a miner with sufficient resources, you can fully enforce and validate segwit transactions at the expense of larger consumed bandwidth and higher CPU consumption.
If you receive payments and have sufficient resources, you can accept both old-style and segwit transactions doing full validation yourself (at the expense of higher consumed bandwidth and higher CPU consumption).
If you wish to receive only old-style transactions, you can safely ignore all extra overhead of segwit transactions.
If your resources are very constrained, you can opt into accepting old-style transactions at old costs and using SPV proofs (trusting miners) to validate segwit payments. You may choose supporting segwit transactions for lower-value payments and require old-style transactions for higher-value payments if you can only afford old-style validation.
If you are mining with constrained resources, then you may resort to not mining segwit transactions at all and trust other miners to validate segwit transactions (if any) correctly. You can validate old-style transactions at no extra cost. Why can you trust others not to mess with you? It’s easy. Imagine some miner with 20% hashrate directs half of their hashrate (10%) to create blocks with invalid segwit data. They make you lose 10% of earnings, but they themselves lose 50% of their income because half of their blocks are invalid. The cost of attacking a constrained minority of miners is hugely asymmetric: a large-scale attack makes the attacker run out of money much faster than the victim.
As a result, segwit allows scaling Bitcoin capacity in an opt-in way. Those who want to take advantage of extra capacity need to expend extra resources, but those who do not want to use the feature (no matter how small that minority is), do not need to expend any extra resources at all. Therefore, the censorship-resistance property of Bitcoin remains unchanged.
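The validation split described above, as an added example (not code from the original post or from Bitcoin itself): a toy block in which txids ignore witness data while a separate Merkle root of wtxids is committed in the coinbase, following the BIP141 commitment layout. The transaction byte strings, the `Tx` class and all function names are constructed for illustration and are not Bitcoin's wire format.

```python
import hashlib
from dataclasses import dataclass

COMMIT_TAG = bytes.fromhex("aa21a9ed")  # BIP141 witness-commitment header
RESERVED = bytes(32)                    # witness reserved value (all zeros here)


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(leaves):
    """Bitcoin-style Merkle root; the last hash is duplicated on odd levels."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Tx:
    base: bytes           # inputs and outputs: all that a pre-segwit node sees
    witness: bytes = b""  # segregated signature data (constructed sample bytes)

    def txid(self) -> bytes:
        return sha256d(self.base)                 # witness excluded

    def wtxid(self) -> bytes:
        return sha256d(self.base + self.witness)  # witness included


def witness_commitment(txs) -> bytes:
    # The coinbase's own wtxid counts as 32 zero bytes: the commitment is
    # stored inside the coinbase, so it cannot cover itself.
    leaves = [bytes(32)] + [tx.wtxid() for tx in txs[1:]]
    return sha256d(merkle_root(leaves) + RESERVED)


def build_block(payments):
    coinbase = Tx(base=b"coinbase|reward")
    txs = [coinbase] + list(payments)
    # Old nodes see the commitment as ordinary coinbase bytes.
    coinbase.base += COMMIT_TAG + witness_commitment(txs)
    return {"merkle_root": merkle_root([tx.txid() for tx in txs]), "txs": txs}


def old_node_accepts(block) -> bool:
    """Old rule: only the txid Merkle root is checked; witnesses are ignored."""
    return merkle_root([tx.txid() for tx in block["txs"]]) == block["merkle_root"]


def segwit_node_accepts(block) -> bool:
    """New rule: the old check plus the witness commitment in the coinbase."""
    if not old_node_accepts(block):
        return False
    tail = block["txs"][0].base[-36:]
    return tail[:4] == COMMIT_TAG and tail[4:] == witness_commitment(block["txs"])


def demo():
    pay = Tx(b"in:utxo-1|out:alice:5", b"sig-A")
    other = Tx(b"in:utxo-2|out:bob:3", b"sig-B")
    block = build_block([pay, other])
    result = {
        "honest_old": old_node_accepts(block),
        "honest_segwit": segwit_node_accepts(block),
    }
    txid_before = pay.txid()
    pay.witness = b"sig-A-modified"  # witness data altered after the block was built
    result["txid_stable"] = pay.txid() == txid_before
    result["tampered_old"] = old_node_accepts(block)
    result["tampered_segwit"] = segwit_node_accepts(block)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The altered witness still passes the old rule and fails the segwit rule, which is why a node that skips witness data is relying on miners for that check.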
— Would you like to know why it is called “Bitcoin”?
Jane touched her glasses to show she’s preparing for one of those lengthy and passionate discussions. She sipped her orange juice and continued, without waiting for an answer.
— The closest who has ever come to creating Bitcoin was Nick Szabo. Have you read his pieces on bit gold, secure property titles and smart contracts?
— I’ve heard of bit gold. It was a precursor of Bitcoin which did not take off, right?
— Not quite. Nick never proposed any specific protocol or an algorithm, only an overview. Bit gold was just an open-ended idea. It was not clear how exactly such bit gold “coins” should be generated in a trustless manner and how their ownership could be verified. Also, in his proposal gold coins were not fungible. Their value depended on scarcity defined by complexity of per-coin proof-of-work. There were a few other problems. Nick identified the need for a secure title registry, but never proposed a concrete protocol to make it work on a global scale.
— So what ingredient was missing then?
Mike started feeling impatient. It’s not the first time he would be involved in a conversation filled with words “trustless”, “ledger” or “coins”. He prepared to listen for a hundredth time about mechanics of Bitcoin, signatures, hashing and all that.
— Ha! There was none.
Mike looked genuinely puzzled.
— Look, Nick actually laid down all the ideas necessary for a functional system: proof of work for scarcity, need for secure decentralized title registry, smart contracts. All pieces of the puzzle were there, just not arranged as needed.
Jane’s eyes sparkled and she made a dramatic pause.
— Enlighten me :)
— What if you make scarce not the bit gold coins themselves, but the entire title registry? And make it so scarce that there could only be one, which automatically solves the synchronization problem. Individual coins then become perfectly fungible because they all (eventually) share the same proof of work. And since the proof of work gets stale over time and we need to add new transactions, we could timestamp new transactions with extra proof of work thus maintaining the scarcity by piling up all proofs of work into one giant proof. Issuance of new units follows naturally: some programmed amount could be allocated for each batch of proof-of-work.
— Impressive. Does that mean that Nick is Satoshi?
— I’m not sure. Satoshi did not mention Nick Szabo’s writings at all. Either Nick naively tried to hide his relation to Bitcoin, or it was someone inspired by Nick who tried to direct attention to him.
— Or it is still Nick and he tries to make us think precisely that :)
— Either way, Bitcoin is clearly a result of studying Nick Szabo’s work which was incomplete without this tiny, but powerful unifying idea.
— You promised to tell me why it is called “Bitcoin”.
— Don’t you see it already? The ledger, blockchain, is just a single coin of bit gold with scarcity maintained by a growing proof of work. Hence “bit coin”, singular.
— Whoa. And this coin records its own history of ownership in itself. Fascinating! Sounds like science fiction.
— It gets better! There are a few other interesting things that become evident from that perspective.
— I’m all ears.
— It’s getting late now. Let’s continue next time.
Ilya Birman got everything right, but not everyone understood what he meant.
The problem: avoid hitting a cyclist, who shows up on the highway fairly rarely.
Suppose traffic rules require you to always be ready to steer around a bicycle. Especially in bad weather.
Suppose the penalty for hitting a cyclist is $1000. Suppose a driver is willing to risk paying $100 a year on average for all violations. That is, his attentiveness and caution depend solely on how much he will have to pay for it. (We cannot rely on conscience; that is everyone’s personal business.)
If cyclists appear on this highway 365 times a year on average, then the expected value of the fines for hitting each of them is $1000×365, i.e. $365000. That is far more than the amount the driver is willing to risk ($100 a year). If, however, a cyclist appears on the highway once in 100 years, the expected fine is $1000/100, i.e. $10 a year. That is far below what the driver can afford. Consequently, the driver will not watch more carefully for cyclists. And it does not matter at all what they teach in driving school or how many static warning signs stand along the highway. If the driver knows that cyclists show up once in a hundred years, he will not expect them at all. The risk is not worth getting nervous and worrying about.
How can the problem be solved? People go about it in three ways, only one of which works.
1) You can simply switch off your brain, punish the driver for the formal violation, say “well, it’s his own fault”, and nothing will change. This driver and all the others will quite rationally keep driving as they did, and in a hundred years they will hit the next cyclist.
2) You can play Smart Legislator and raise the fine so much that the expected fine even for a rare cyclist becomes too high. For example, not $1000 but $100000. Then the risk of hitting a one-in-a-hundred-years cyclist comes to $1000 a year, which is already too much, and drivers will become more attentive.
However, this solution is bad because it opens up rich opportunities for racketeering. Cyclists can fake getting run over. Investigators will rule in their favor in order to get a kickback from the fine, or a hefty bribe from drivers in exchange for not being fined.
3) You can face the truth and realize that nobody expects cyclists on this particular highway. And that if you want to ride on it, you should take care of your own safety. Fit a headlight, a flasher, a horn, hire an escort, pick a clear day for riding, choose a safer detour, or simply refrain. In short, do something yourself for your own safety. You will stay in one piece, and drivers will be grateful.
UPDATE: One more approach, which I considered outside the scope of the problem: build a bike lane along the highway. If cyclists ride often enough to justify the cost of building a bike lane (either through toll revenue or through savings on insurance payouts for cyclists who get hit, or both), the lane will be built. And if not, then not. In the analysis above we assume that there is no lane and that building one is not economically justified.
The purpose of the blockchain is to help those who are interested to continuously establish global consensus on an ever-growing dataset without trusting any authority and assuming presence of active attackers that may gain measurable advantage by manipulating that consensus.
Consensus is securely established because every updated version of the dataset has a sufficiently large proof of work attached to it. Contrary to popular belief, this proof of work should not simply be marginally larger than any alternative version. An active attacker may not advertise their version equally to all nodes so you could comfortably choose the most difficult one. What we need from the proof of work is to be infeasible to redo. There should not be even a possibility for someone to build a secret facility that can redo the same amount of proof of work that was produced by all “honest” (i.e. open) participants.
Let’s imagine I receive $1M on a Bitcoin address and wait 1 week for it to be buried under one week’s worth of work. What we need is to make redoing this work cost more than $1M. The amount of work done in one week should really cost more than $1M. In other words, for a blockchain to be actually secure, there must be a huge gap in cost between that blockchain and the next best competitor. In addition, number 2 blockchain cannot be considered secure or valuable because it has a dramatically lower cost of attack and the very existence of number 1 shows how feasible that attack is.
Note that choosing an incompatible PoW algorithm does not change that. In a well-developed Bitcoin world where mining is done with highly-specialized hardware, mining algorithms do not matter. Both Bitcoin and your scrypt altcoin are measured in amount of bucks to be invested to rewrite their histories.
This gap between number 1 and number 2 keeps growing because of opportunity cost. Those who invest in mining have to invest 100% into the most potentially profitable blockchain. Those who speculatively invest in coins themselves have to invest in the most promising and most secure storage (i.e. blockchain), inviting more miners to make it even more secure and more speculative investors to make it more valuable.
In the end there could only be one blockchain worth talking about and so far it seems like Bitcoin is winning that title.
Yesterday I talked about multisig transactions: what they are, what their use cases are and how we can build an awesome super-secure Bitcoin storage solution.
Video: https://www.youtube.com/watch?v=xaFVpdJhKnM
The Bit-Novosti site translates and publishes quite a lot of my articles. The translations are fairly loose and in places supplemented with the translator’s remarks, so use at your own risk.
Bitcoin is a global consensus system
Real crypto-anarchy does not require anonymity
Bitcoin mining: a primer for journalists
The direct consumer value of Bitcoin
Bitcoin is much more than just money transfers
The lack of “chargebacks” is not a problem
What lawmakers should know about Bitcoin
Bitcoin: currency or store of value?
After designing a Bitcoin wallet for over a year, I’ve come up with 9 core ingredients that make up a perfect Bitcoin wallet: easy to use and ultimately secure.
We understand that any additional security measure takes away from simplicity. The key to smooth user experience is to spread inconvenience over several security tiers and do so in a smart way.
Overall checklist looks like this:
1) Personal pocket device (iPhone, Android).
2) Secure UI.
3) Fully-auditable wallet behaviour.
4) Password-encrypted master key private backup.
5) Self-encrypted automatic wallet backup.
6) Unencrypted 2-of-3 paper master backup.
7) Two-tier keys (system-encrypted and user-encrypted).
8) Bitcoin Wallet API.
9) Blind multisignature custody for long-term savings.
To learn more, see the PDF:
In Italian: http://www.partito-pirata.it/2014/11/bitcoin-vs-stato/
In Russian: http://bitnovosti.com/2014/08/16/bitcoin-i-gosudarstvo/
Bitcoin and State do not go together at all. Neither logically, nor economically.
Logically, if you think that the state is a useful and viable institution and Bitcoin is a useful and viable technology, you are lying to yourself. State is a hierarchical construction of “trusted third parties” (TTPs). In theory, some social interactions may involve a conflict that may be resolved by a trusted third party (arbiter). In a nation state it is ultimately some government agency (e.g. a cop). In case there’s a conflict between a citizen and a government agency, there is another government agency to watch over it. Thus, a cop is watched by his chief, a chief is watched by a court, court is watched by a parliament or a president, and those are being overthrown by an angry mob from time to time. The theory goes that every single conflict can be justly resolved by the state if parties cannot resolve it by themselves.
Bitcoin is an attempt to remove some trusted third parties from the equation. That is all sorts of financial institutions including government regulators. From the Bitcoin perspective, it is a moral hazard to give control over money supply and monetary flows to a hierarchy of trusted third parties. History is full of examples when private banks and government agencies could manipulate and destroy entire economies by being able to produce money without limits or censor its use. Bitcoin is a strange and a bit complicated way to protect all users of money. Users can transact without need for any third party to record and acknowledge their transactions, and what’s more, no one can even become a third party by hijacking the system and imposing controls and rules on its usage. The former is not possible without the latter.
So if you support the idea of Bitcoin, you acknowledge the hazard of entrusting the entire economy to trusted third parties. You acknowledge that the ultimate power must be spread thin among every single participant and never be entrusted in hands of a few, even if it’s a democratically elected government. (Trusted third parties on top of decentralized foundation are fine as long as every person has equal access to that foundation and can jump off anytime.) But if you acknowledge the hazard of TTPs, then what arguments are left for any other government activity? Government is the ultimate trusted third party to resolve disputes in the entire economy. If there’s a conflict in a monetary system and we need Bitcoin to resolve it so no banker, judge or president could have personal interest in it, then the same applies to any other conflict. Every conflict could have someone’s personal interest in it to screw things up. The fact that we rely on the government to resolve it only shows that we couldn’t find a safer way yet. By supporting Bitcoin you give up all arguments for validity of the State.
If you, however, prefer the State, then supporting Bitcoin is illogical: why do you need such a complex and hard to understand (for non-hackers) system if every problem can be solved with trusted third parties? Look, Visa processes a bazillion transactions per day by just flipping the bits in their database. Bitcoin cannot do that, it is a consensus network that needs everyone to be aware of all transactions. Making instant payments requires extra complexity on top of that existing complexity. Also, there’s constant hazard of computer viruses and backdoors that steal your coins. If you believe that problems can be efficiently solved simply by electing trusted people, then Bitcoin is a huge overhead. So you should pick one: Bitcoin or State.
But most importantly, Bitcoin and State will never survive together for economic reasons.
State exists because it can. It can pay for its expenses, pay for those who enforce the laws, write the laws, brainwash children in schools and adults in evening news.
How does the state pay for its expenses? First, the government controls money supply. If needed, money is just being “borrowed” from the government’s puppet bank under promise to repay the debt (with interest!) from the extracted taxes (or by borrowing even more from the same place). When the state wants to go to war, enormous amount of money can’t be just extracted and is being printed. Extra money flows into markets, prices go up, business plans get messed up, people’s savings get destroyed and they lose their jobs at the same time. But we are at war, so folks are better to work harder “for the children” and maybe even join the army (you lost your job, after all).
Second, the state is paid by all those good businesses that must use the banking system to operate. And the banking system is all heavily licensed and cooperative with the state. A lot of monetary flows are monitored by the tax collectors. Natural greed makes people avoid taxation just like all other costs, but taxes are avoided only in the black market and by small businesses working with cash. Everyone who accepts cash hides some percentage from the taxman. If not out of personal greed, then at least under competitive pressure from tax evaders (e.g. your café cannot survive if you don’t increase your profit margin by not paying 10% of the taxes like all your competitors do). If your business has to work with partners over the wire, you had to use banks and pay 100% of your taxes. With Bitcoin, banks are not necessary. Bitcoin allows you to trade with anyone on the entire planet with near-zero costs. More businesses would bypass banks and, as a side effect, more businesses would be able to withhold their taxes from the state. Competition would force other businesses to drive their costs down the same way. Bitcoin will become a black hole that grows and attracts more and more people into it.
From the point of view of tax collectors, however, it’s the other way around. In Bitcoin world government cannot pay cops IOUs it makes up. It must pay real bitcoins that it must extract first from the businesses. But as more and more businesses avoid paying more and more taxes, there is less money being left for the government. That means that extraction will become increasingly less effective and therefore allowing even more people to avoid taxation on even larger scale. This cycle would repeat until all government employees will run away to seek real jobs because their bosses wouldn’t be able to pay them a single penny.
So if Bitcoin continues to grow, the nation state would peacefully dissolve. If the state is to be preserved, Bitcoin must be stopped and never allowed again. However, the more people invest in Bitcoin, the more interest, wealth and power is on its side to protect it against any aggression. They didn’t invest in Bitcoin to try it out. They invested to make it a ubiquitous and global phenomenon and they all will fight hard to make it happen. At some point we will witness a critical mass of supporters that no one will be able to stop. And then there will be no state anymore.
Here are some ideas for services around Bitcoin that are highly interesting to me.
1. Truly secure wallet & vault. Protected from institutional risks, backdoors in software and hardware, losing backups and forgetting passwords. Works on regular computers (phones, laptops). Multisig with blind signatures for privacy. Authenticating with a circle of friends or arbitrary services instead of a single centralized institution. Only this can make people safely invest in Bitcoin and push the entire economies to it unlocking the rest of the features (low fees, autonomous agents, smart contracts etc.)
Btw, I have a working implementation of blind signatures already with a demo app:
Code: https://github.com/oleganza/CoreBitcoin/blob/master/CoreBitcoin/BTCBlindSignature.h
Paper: http://blog.oleganza.com/post/77474860538/blind-signatures-for-bitcoin-the-ultimate-solution-to
Demo app: https://github.com/oleganza/blindsignaturedemo
2. Wallet API for web sites and native apps. A standard way for any app to request user’s wallet to allocate and sign certain amount of bitcoins to be used in a custom transaction. The unified API would allow maximum flexibility for any sorts of schemes and contracts while preserving user’s keys secure and his financial details completely private. Wallet requests approval from the user and gives the absolute minimum of information to the app. Wallet will also sign its inputs only if all the change outputs are respected. Use case: your app does some fancy scripts and needs user’s coins. Today you have to make your own wallet in which the user must send coins (and you have to reinvent all security measures as described above). Tomorrow you could simply request what you need from an existing wallet without having user to do extra movements.
I helped to develop a draft of the spec: http://bitcoin-wallet-api.github.io
3. Decentralized clearing mesh network for frequent and instant payments. Similar to Ripple, but without made-up currency and without any trust. Nodes form point-to-point contracts using bilateral 2-of-2 deposits that put a limit on IOUs issued between two nodes. Thus nodes can connect anonymously without any trust. When two people pay each other, they simply find the cheapest path (every node may ask for any fee) between them and propagate an IOU denominated in BTC. There’s no global consensus and no single point of failure. If you owe 50% of the amount deposited, you have to clear the debt with real BTC transaction. Any amount of money can be moved back and forth and all IOUs are 200% insured. This mesh could be used to buy a latte or for one automated service to pay another automated service.
4. Decentralized markets. People can use the same bilateral insurance scheme to create a “nash equilibrium” escrow without any 3rd party. This makes free trade possible without risk of fraud or censorship. My friends in San Francisco already have a working prototype that uses Bitmessage to post products and bids. And it works great!
When released, the app will be published here: http://voluntary.net/
5. Crowdfunding protocol and apps where majority vote controls the funds. Bitcoin already allows some neat schemes to crowdfund money directly by the founders, but these schemes do not allow for X% (typically 50%) vote to unlock, or otherwise control funds. If that was possible, then founders could still have a comfortable guarantee of funds for their enterprise, but wouldn’t be able to waste them all at once. If their business plan is no longer aligned with the interest of majority of stakeholders, they could take the remaining money back or redirect to entirely different managers. This is a very big thing! If done in absolutely p2p manner, it will enable fantastic possibilities for mankind. For instance, non-targeted crowdfunding will become possible: “someone please repair our road and we’ll pay you $5000”. The funds can be directed to the guys who solved the problem by a majority vote of the backers (unless all backers turn out to be total jerks, of course).
The problem with modern corporations is that they are de-jure owned by stakeholders, but the real power to make decisions is on managers who are hired to manage the capital. In other words, it is really hard for thousands of small stakeholders to coordinate and affect decisions of the top management. More strict crowdfunding protocol with direct democracy built in would allow all stakeholders, small and large, to better control the flow of funds.
Umberto Eco, Foucault’s Pendulum:
“Gentlemen,” he said, “I invite you to go and measure that kiosk. You will see that the length of the counter is one hundred and forty-nine centimeters-in other words, one hundred-billionth of the distance between the earth and the sun. The height at the rear, one hundred and seventy-six centimeters, divided by the width of the window, fifty-six centimeters, is 3.14. The height at the front is nineteen decimeters, equal, in other words, to the number of years of the Greek lunar cycle. The sum of the heights of the two front corners and the two rear corners is one hundred and ninety times two plus one hundred and seventy-six times two, which equals seven hundred and thirty-two, the date of the victory at Poitiers. The thickness of the counter is 3.10 centimeters, and the width of the cornice of the window is 8.8 centimeters. Replacing the numbers before the decimals by the corresponding letters of the alphabet, we obtain C for ten and H for eight, or C10H8, which is the formula for naphthalene.”
“Fantastic,” I said. “You did all these measurements?”
“No,” Aglie said. “They were done on another kiosk, by a certain Jean-Pierre Adam. But I would assume that all lottery kiosks have more or less the same dimensions. With numbers you can do anything you like. Suppose I have the sacred number 9 and I want to get the number 1314, date of the execution of Jacques de Molay-a date dear to anyone who, like me, professes devotion to the Templar tradition of knighthood. What do I do? I multiply nine by one hundred and forty-six, the fateful day of the destruction of Carthage. How did I arrive at this? I divided thirteen hundred and fourteen by two, by three, et cetera, until I found a satisfying date. I could also have divided thirteen hundred and fourteen by 6.28, the double of 3.14, and I would have got two hundred and nine. That is the year in which Attalus I, king of Pergamon, joined the anti-Macedonian League. You see?”
“Then you don’t believe in numerologies of any kind,” Diotallevi said, disappointed.
PDF: http://www.cs.utexas.edu/users/acharya/Inputs/Books/Foucault’s%20Pendulum.pdf
Bitcoin is like physical cash: it is not reversible and you are responsible for handling it. If you lose your wallet, you lose your money. You can give bitcoins to someone to hold them for you, but it will be like with any bank: you have to trust them that they won’t run away with your cash.
Bitcoin is unlike physical cash: you can store as much as you want and it will not take any space. You can send it over the wire to anyone. It is impossible to counterfeit. You can’t give it in one second: to actually guarantee that transaction has happened, you have to wait 10-15 minutes for the cryptographic proof to be produced by the network. However, for small in-person payments you sometimes can accept zero-confirmation payments with relatively low risk of transaction being cancelled.
Bitcoin is like gold: it cannot be produced at will, there’s a limited amount of it and this amount is scattered in spacetime continuum (mostly time). To get some bitcoins someone should give them to you, or you should mine them. Like gold, Bitcoin is shiny: it attracts people with its beautiful engineering, built-in contract programming language, wise incentives, and libertarian promise of freedom from coercion.
Bitcoin is unlike gold: supply of Bitcoin is completely fixed via scheduled mining (only so many bitcoins are created per hour). You have a guarantee that no one will suddenly find a mountain of bitgold or mine it on asteroids. Unlike gold, Bitcoin difficulty is adjusted to the mining efforts to keep the schedule fixed. You may dig up all the gold in one day, but it will never be possible with Bitcoin no matter how fast computers will ever become. Growing mining efforts can only bend the schedule slightly (the network adjusts difficulty to produce 6 blocks per hour, but if the network constantly grows it may produce 7-8 blocks per hour).
Bitcoin is like a bank: there are computers, a database and transactions. The database stores the entire history of all incoming and outgoing payments: who sent how much to whom. Everything is digital. There are no vaults with gold or personal deposit boxes, only bookkeeping in a single “ledger”.
Bitcoin is unlike a bank: everyone can verify the integrity of the ledger. There is no manager in charge of updating the ledger and making sure it is not tampered with. Any person may have as many accounts as they like and all accounts are anonymous (unless one reveals his identity himself). The ledger does not store names, only balances and account numbers. There is no possibility of “fractional reserve”, where a bank loans out more money than it actually has. In fact, there are no debts on the bitcoin ledger: either you have money on your address and it is fully yours, or you don’t and you can’t use it at all. Also, Bitcoin allows you to lock money with “contracts”: cryptographic puzzles designed to spread the decision making between several people or across time.
Bitcoin is like Monopoly money: there are abstract tokens that are not claims to any value. People value them because they choose to play the game. In fact, the same is true for gold or any other money.
Bitcoin is unlike Monopoly money: there is a limited supply of tokens and no one can counterfeit them. This makes them a good candidate for a universally recognized collectible like gold or silver coins.
Bitcoin is like Git: in Git (a distributed version control system) all your changes are organized in a chain protected by cryptographic hashes. If you trust the latest hash, you can get all the previous information (or any part of it) from any source and still verify that it is what you expect. Similarly, in Bitcoin, all transactions are organized in a chain (the blockchain) and once validated, no matter where they are stored, you can always trust any piece of blockchain by checking a chain of hashes that link to a hash you already trust. This naturally enables distributed storage and easy integrity checks.
Bitcoin is unlike Git in that everyone strives to work on a single branch. In Git everyone may have several branches and fork and merge them all day long. In Bitcoin one cannot “merge” forks. The blockchain is actually a tree of transaction histories, but there is always one biggest branch (which has the value) and some accidental mini-branches (no more than one or two blocks long) that have no value at all. In Git content matters (regardless of the branch), in Bitcoin consensus matters (regardless of the content).
Bitcoin is like Bittorrent: the network is fully decentralized, there is no single “mint” or “bank”. The blockchain is like a single file on bittorrent: cryptographically authenticated and shared across many computers. Every participant, including miners, is acting on equal grounds. If one part of the network becomes disrupted, transactions can flow through other parts. Even if the entire network goes down, information about transactions is still stored on many thousands of independent computers and no one’s money is lost. When people connect with each other again, they can continue sending transactions like nothing happened. Both Bitcoin and Bittorrent can survive a nuclear war because information does not become radioactive and can be safely replicated.
Bitcoin is unlike Bittorrent: instead of many independent “files”, there is one file that always grows: the blockchain. Also, the most important participants, the miners, are actually getting rewarded for their work with real money.
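The two properties above (verify any copy against a hash you already trust, and only the biggest branch counts) can be shown in a few lines. This is an added example, not code from the post or from Bitcoin or Git: the block layout, the function names and the sample payloads are constructed, and branch length stands in for "biggest branch".

```python
import hashlib
import json


def block_hash(block):
    """SHA-256 over a canonical serialization of parent hash + payload."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


def make_chain(payloads):
    """Build a constructed chain; every block commits to its parent's hash."""
    blocks, parent = [], None
    for payload in payloads:
        block = {"parent": parent, "payload": payload}
        blocks.append(block)
        parent = block_hash(block)
    return blocks, parent  # parent now holds the hash of the tip


def verify_history(trusted_tip, untrusted_blocks):
    """Walk back from a trusted tip through blocks fetched from any source.

    Blocks are indexed by their recomputed hash, so whatever the source
    claims about them is ignored. Returns the payloads oldest-first and
    raises ValueError when a link is missing or was altered.
    """
    by_hash = {block_hash(b): b for b in untrusted_blocks}
    history, cursor = [], trusted_tip
    while cursor is not None:
        block = by_hash.get(cursor)
        if block is None:
            raise ValueError("no block hashes to %s: missing or altered" % cursor[:16])
        history.append(block["payload"])
        cursor = block["parent"]
    return history[::-1]


def best_tip(blocks):
    """Treat the blocks as a tree and return the tip of the longest branch."""
    by_hash = {block_hash(b): b for b in blocks}

    def height(h):
        n = 0
        while h is not None:
            if h not in by_hash:
                return -1  # branch hangs off an unknown parent
            h = by_hash[h]["parent"]
            n += 1
        return n

    return max(by_hash, key=height)


if __name__ == "__main__":
    chain, tip = make_chain(["a pays b", "b pays c", "c pays d", "d pays a"])
    # An accidental one-block side branch off the second block.
    side = {"parent": block_hash(chain[1]), "payload": "b pays x"}
    pool = [side] + chain[::-1]          # arbitrary order, arbitrary source
    print(best_tip(pool) == tip)
    print(verify_history(tip, pool))
```

The side branch is still a valid chain of hashes; it is simply not the one anybody builds on, which is the difference from Git the paragraph describes.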
Bitcoin is like freedom of speech: every transaction is a short public message that can be pronounced no matter where or how. If some miners hear it, they will add it in the blockchain and that message will be forever in the history. Everyone will see it and no one will be able to erase it.
Bitcoin is unlike freedom of speech: saying something comes with a cost. Transaction moves coins that you must have to start with. So not every moron is allowed to shout, but only those who had a merit to acquire some coins in the first place. Also, miners may reject transaction if it’s spammy or does not contain enough fees. So no one provides anyone with freedom as “in beer”, but everyone tries to cooperate on a voluntary basis.
Bitcoin is like magic internet money: it simply is.
“Another factor that would mitigate spam if POW tokens have value: there would be a profit motive for people to set up massive quantities of fake e-mail accounts to harvest POW tokens from spam. They’d essentially be reverse-spamming the spammers with automated mailboxes that collect their POW and don’t read the message. The ratio of fake mailboxes to real people could become too high for spam to be cost effective.”
Satoshi Nakamoto (Jan 25, 2009) http://satoshi.nakamotoinstitute.org/emails/cryptography/18/
Introductory posts
Bitcoin non-technical FAQ. When I learned about Bitcoin for the first time, I immediately started digging articles, forums and wiki pages for answers to many of my questions. While doing that, I compiled a list of answers which turned out to be quite valuable. Bitcoin Magazine publishes it in every printed issue for over a year now. This is a good place to start learning about Bitcoin.
See also my Bitcoin glossary — the most complete reference of Bitcoin-related terms and abbreviations.
Bitcoin is like… Understand Bitcoin by comparing it to paper cash, banks, gold, Git and Bittorrent.
Original vision of Bitcoin: what Bitcoin is, what it is not and why is that so.
Satoshi on Bitcoin design. “The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime.”
Journalist’s guide to describe Bitcoin and not look like an idiot. Must-read for anyone confronted with a task of describing Bitcoin to people in a few sentences.
How to keep your bitcoins safe. Slightly outdated, but still valuable overview of security options and precautions.
Finally, my only advice about Bitcoin to newcomers.
Economics of Bitcoin
Bitcoin and Gold. How Bitcoin relates to gold and why only one will survive.
The universe wants one money. Money is a standard that everyone wants to share with the whole world. Various intermediaries and restrictions make people use local currencies while everyone would be better off with one most universally accepted token.
There is only one blockchain and it’s called Bitcoin. Informal proof of how alternative blockchains are not viable in the long term.
Real crypto-anarchy without anonymity. How crypto-anarchy can happen worldwide without everyone remaining actually anonymous.
Money and Security. Money is a measure of personal security against risks created by nature, people and institutions.
You can own Bitcoin, you can’t own your dollars. What does it mean to “own” your money.
Bitcoin is not compatible with the State. Bitcoin and State do not go together at all. Neither logically, nor economically. Choose one.
Arguments for Litecoin are fraudulent. While Litecoin itself is just as good as Bitcoin, most prominent arguments about its superiority are plain wrong.
Economics of block size limit and part two. People worry about block size limit: should it remain as it is, or be raised? How much? We do not answer these questions, but we show what will happen, regardless of our opinions on this matter.
Last, but not least, three important notes on “deflation” and “circulation”:
1) Murray Rothbard on circulation of money
2) A thought experiment on deflationary spiral
3) Transactional Currency and Store of Value
Technical articles
Blind ECDSA signatures for Bitcoin. The ultimate solution to secure and private Bitcoin storage. Use many semi-trusted friends to sign your transactions, but keep information about your funds completely private.
Idea of a useful altcoin. How to make an altcoin based on existing Bitcoin blockchain, inherit the entire userbase and stay compatible with their wallets.
Complementary reading: soft-fork way to fix transaction malleability.
Contracts without trust or third parties. How to make Ebay without Ebay, where two persons can secure promises to each other by committing to a single bilateral insurance deposit (that can be unlocked only simultaneously by both parties when agreement is reached).
How to launder Bitcoins perfectly. A theoretically perfect way to mix Bitcoin in a way that does not leave any “suspicious” transactions on the blockchain or a server.
The Ultimate Wallet. My personal checklist for every Bitcoin wallet to be considered safe and secure (such wallet does not exist yet).
In Russian: http://bitnovosti.com/2014/06/01/dengi-i-bezopasnost/
When comparing Bitcoin to traditional financial tech, people always notice that Bitcoin makes them think about security way more than they have to think about their cash or bank account. They feel that in the established system the security is “being taken care of”, while Bitcoin makes you worry about weird things like private keys or malware on your phone. For a normal person it seems like a downgrade; only rare crazy libertarians ignore all these difficulties because Bitcoin cannot be manipulated by “the powers that be”.
What many people, even bitcoiners, do not realize, is the fundamental relation of money to personal security. Not just how to store your savings or pay online safely, but in a big way: what money is and how it protects your health, wealth and sanity.
In a safe, certain world, where lightnings do not strike you in the head, crop is not destroyed by dry weather, computers do not have bugs and where people understand each other perfectly and always keep their promises, we do not need worthless tokens called “money”. We can simply agree on how we allocate our food, shelter, personal time and labor and from time to time adjust to new desires or conditions. I can go every day to the baker and take one bread, then go to my work and do something useful for someone else. Everyone gets what they could agree to and there is no shortage of anything. (And if there is, people help each other promptly and efficiently.)
But the world is far from being safe and certain. It is dynamic and unpredictable. And it is populated with people, who are even less predictable and many of them are greedy, selfish and untrustworthy. They have always been and probably always will be. In this world your bakery may disappear tomorrow, or your job may become irrelevant, or your house can catch on fire, or your friend may not hold his promise or someone may not lend you a hand when you are in trouble.
To address these issues, people invented money. As Richard Dawkins once said, “money is a formal token of delayed reciprocal altruism”.
Money is a virtual token that holds a speculative value. It can be a rock, a coin, a piece of paper, a promise from a bank, or a cryptographically signed abstraction. What matters is that it is rare enough, so if it is demanded, it can only be collected and transferred, but cannot be easily produced. If it can be produced to satisfy increasing demand, like bread, then it would only be good for direct consumption and be worthless as a collectible. Hence, it won’t be a token holding speculative value.
How does money help us? Money is a sort of a social agreement: when enough people value the token and are ready to accept it in exchange for their services, then money becomes a measure of your personal security. When you can work, you can earn money and save it for later. When you cannot work, if you saved some money, you can buy yourself some food. If some accident happens, savings will save you: buy you medical help, new clothes, shelter, a MacBook Pro 15" to replace a broken one etc.
The more money you have, the safer you are. Money is not luxury. Cash flow is: if you earn a lot of money and spend all of it on your lifestyle, it says nothing about your security. Security is only how much savings you have at all times. The more liquid those savings are, the more security you have. If you own an expensive house, good thing for you, but you cannot efficiently trade it for something you will urgently need tomorrow. A briefcase full of american presidents, however, is very liquid and allows you to buy anything very quickly. (However, there’s now a problem with security of the briefcase itself.)
When you think about money as a way to insure yourself against starvation, illness, infections, bad weather, sluggish computers, shitty boss, ugly girlfriends and mob revolutions, you will see which properties of money are most important to you. First of all, the fundamentals should be strong: if demand for money stays the same, its value should stay the same. This means your money should be sufficiently hard to produce or to counterfeit, so some wise guys do not dilute your personal security without your permission. Secondly, this money should be fairly easy to protect, for the exact same reason. If your security is way too expensive to afford, you are not secure. Wearable beads, shells, paper bills, small gold and silver coins are secure because you can hold them with yourself (a would-be thief would have to risk his ass being kicked if he tries to steal them from you). Finally, the money should be easily and cheaply transferable. If it is not, then it’s like a house or a painting: a fine collectible, but a shitty insurance against running out of chips while enjoying nachos (https://xkcd.com/140/). Those are all the properties that matter. And the history of money shows that humanity was consistently trying to improve on them.
People used local collectibles (beads, shells) until they started trading globally. A more universal material then prevailed: precious metals. Then, trade became even more global and transaction costs needed to be lowered. Banking was invented. Trusted third parties enabled instantly transferable money across the globe, fueling the industrial revolution that created an unbelievable wealth on the planet: cars, robots, airplanes and free image hosting for internet memes.
Unfortunately, this all was done at a huge expense: concentrating disproportionate amount of power in the hands of banks and governments resulted in non-stop wars, worldwide economic catastrophes, and nonsensical restrictions on individuals. We have achieved a lot of things in the past few hundred years, but mostly despite of, not thanks to trusted third parties who have the power over our money.
Today, we finally have a technology to solve the problem of trusting monetary authorities that lets us achieve consensus on what money we want: even cheaper to protect, cheaper to transfer and even harder to counterfeit. We all have portable networking computers in our pockets, at all times, so we don’t really need beads, metal coins or paper bills. We can go all digital. And our computers are powerful enough and our mathematicians were smart enough to allow us to implement fancy cryptographical tricks to replace trusted authorities with independent and objective proofs.
The goal of Bitcoin is the same as the goal of money 75000 years ago: to protect the person against systemic risk of his environment. Against natural disasters, against his own faults, and against faults or malice of anyone around him. When you dislike Bitcoin for making you think more about personal security, it is only because you were ignorant to systemic risk and decades of exploitation of that risk. If you take a look at the whole picture, at the core concept of money, at all opportunity cost of trusted third parties, then you will realize that you might be better off if you could wear those digital necklaces of virtual beads yourself instead of you and all your neighbors giving up their security at the discretion of a small group of people who you don’t even know. It does not mean you would have to learn cryptography and math. But it means, that as more people take that path, more entrepreneurs will be there to improve the security and ease-of-use of this new technology. But the first step is to understand the fundamental problem of money and evaluate the old and new solutions with this new understanding in mind.
PS. You should read this masterpiece by Nick Szabo on concepts of “starvation insurance” and origins of money: http://szabo.best.vwh.net/shell.html
BitUndo (http://www.bitundo.com) is a service that lets you double-spend your own transactions for a fee, so that you can “undo” your supposedly mistaken transaction. It is of questionable value and works as a direct attack on the current practice of accepting 0-confirmation transactions for small purchases.
Right now nodes do not accept double spending transactions, no matter how much they pay in mining fees. This makes simple security promise for 0-conf transactions: the most relayed version is the one that most probably will be included in the block. So merchants can accept such transactions because they know that reversing it would cost much more than 100% of the transaction value.
If enough nodes on the network replace transactions when the mining fee is, say, 10% higher than the previous version (or 10% of the total amount, or whatever), then for the user it is much cheaper to “take money back”. You will send $5 for your coffee and get back $4 with no sweat. Merchant will lose all $5. You can say goodbye to 0-confirmation transactions.
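A toy model of the two relay policies makes the merchant's exposure concrete: it counts how many nodes still hold the merchant's payment after a conflicting spend of the same coin is relayed, and shows the check a merchant's own node can apply. This is an added example, not code from the post or from any Bitcoin node; the class names, the fee values in satoshis and the 10-node network are constructed, and the 10% threshold is the figure used above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset   # outpoints this transaction spends
    fee: int            # mining fee in satoshis (constructed values)


class Node:
    """A relay node applying one of the two mempool policies."""

    def __init__(self, policy, min_bump_pct=10):
        assert policy in ("first-seen", "replace-by-fee")
        self.policy = policy
        self.min_bump_pct = min_bump_pct
        self.mempool = {}          # txid -> Tx
        self.conflicts_seen = []   # (txid already held, txid that conflicted)

    def accept(self, tx):
        clash = [m for m in self.mempool.values() if m.inputs & tx.inputs]
        if not clash:
            self.mempool[tx.txid] = tx
            return True
        # Either policy notices the conflict, even when it rejects it.
        self.conflicts_seen += [(c.txid, tx.txid) for c in clash]
        if self.policy == "first-seen":
            return False
        # Replace only when the fee is at least min_bump_pct higher
        # (integer arithmetic, so the boundary is exact).
        old_fee = sum(c.fee for c in clash)
        if tx.fee * 100 < old_fee * (100 + self.min_bump_pct):
            return False
        for c in clash:
            del self.mempool[c.txid]
        self.mempool[tx.txid] = tx
        return True


def run(replacing, total=10, payment_fee=1000, conflict_fee=1100):
    """Relay a payment, then a conflicting spend, to a mixed network."""
    nodes = [Node("replace-by-fee") for _ in range(replacing)]
    nodes += [Node("first-seen") for _ in range(total - replacing)]
    coin = frozenset({"constructed-outpoint:0"})
    for tx in (Tx("payment", coin, payment_fee), Tx("conflict", coin, conflict_fee)):
        for node in nodes:
            node.accept(tx)
    return nodes


def holding(nodes, txid):
    """Number of nodes whose mempool still contains txid."""
    return sum(txid in node.mempool for node in nodes)


def merchant_should_wait(nodes, txid):
    """True when any observed node saw a conflicting spend of txid's coins."""
    return any(held == txid for node in nodes for held, _ in node.conflicts_seen)


if __name__ == "__main__":
    for replacing in (0, 6, 10):
        nodes = run(replacing)
        print(replacing, "replacing nodes ->", holding(nodes, "payment"),
              "of", len(nodes), "still hold the payment")
```

With no replacing nodes the payment stays in every mempool, which is the security promise described above; each node that switches policy removes itself from that count, while a conflict seen by the merchant's own node remains a usable signal to wait for a confirmation.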
So what do we have:
1) Users get some sort of “undo” function which nobody was asking for. In my view, if there’s a problem with accidental button clicking in the UI, it’s simpler to fix right there, not by changing the entire network.
2) No one can rely on 0-confirmation transactions anymore. Even today they are not safe, but for small purchases the risks are pretty low, so they work for many people to everyone’s satisfaction. But with network-wide “replace with higher-fee transaction” the risk will go up significantly to make this feature unusable.
However, in the long run, 0-conf transactions won’t be the future of instant micropayments (we’ll have some sort of distributed clearing network instead), so we might not care that much. But the value of “undo” is still very questionable to throw away usefulness of 0-conf transactions today.
Final note: Bitundo can’t be useful when it’s small. It’s either working more than 90% of the time for legitimate “undos” (which makes 0-conf txs useless) or it’s used marginally only by those who wish to rob merchants who accept 0-conf transactions. In which case they still may render 0-conf transactions useless.
(… apart from not being shut down by the financial authorities :-)
Normal people should never hold all their coins on exchanges. Day traders, however, by the very nature of their business, have to keep as many coins as possible on the exchange at all times to be able to trade with maximum liquidity.
Regular audits and fancy proofs-of-reserve (e.g. https://www.kraken.com/security/audit) are helpful to keep traders feeling good, but do not help much the minute funds are actually stolen. You cannot really steal anything from NYSE: both stocks and dollars are virtual items on books at public companies; all transactions can be frozen or reversed (see also http://blog.oleganza.com/post/67362431718/you-can-own-bitcoin-you-cant-own-your-dollars). However, you can steal bitcoins and own them for real. When there’s the right amount of money deposited on the exchange, however licensed it is and however public its owners are, there is a real risk that they take all the funds and run (and easily buy cops, politicians and other sorts of protection on their way). Once funds are stolen, there is no one who can give them back to the traders. I doubt we’ll ever see an insurance company promising a refund of a significant portion of stolen funds. It would rather be a warehouse service, but it would either have funds locked in a multisignature transaction with their clients (which prevents instant trading), or they would have all funds held by themselves, which brings us to the original problem.
What we need is real-time protection for the deposits, allowing partial control over funds by traders (so operators of the exchange cannot take all of the funds), but at the same time allowing quick off-the-blockchain exchange (within a millisecond). It won’t ever be as fast as the state-of-the-art HFT systems, but those never deal with irreversible assets. The important outcome is that traders need real protection against theft (not just a promise from a police department). This will allow much bigger amounts of money to be traded safely, making the entire market more liquid and prices more stable.
I don’t have a ready solution for this, but one idea is to utilize a group transaction similar to the one used in p2pool, a peer-to-peer mining pool where the reward is split fairly between all members as they search for hashes without trusting a single server to distribute the reward. Traders may have their money locked with the exchange in a 2-of-2 multisignature transaction, so both parties (trader and the exchange) must decide how the funds can be spent. As usual, an exchange will keep the order book and match trades. However, to actually ensure that coins are transferred from the seller to the buyer, the exchange will require traders to sign off on a part of a bulk transaction that moves the coins between accounts. This transaction (or a chain or a tree of transactions) would get mined from time to time to ensure the new distribution of funds. But even before it is actually mined, a buyer would have a cryptographic proof of owning some bitcoins and will be able to broadcast such a transaction at any time. If the exchange builds a complex tree of unconfirmed transactions, it would be wise to partner with some mining pool to include those transactions all at once, so that malleability issues cannot break the references.
To prevent a man-in-the-middle attack, the exchange would publish an anonymous tree of all active traders, their balances and their public keys in real time, so every trader can check that they are included and thus can trust that they are not signing money over to the exchange itself, but to actual buyers. Additionally, traders can verify each other’s public keys independently, via other services.
The scheme would also have an unusual requirement: traders must have their computers always connected to the exchange, otherwise their orders could not possibly be matched and would be kicked out of the order book. But that’s not a concern for professional traders as they stay connected all the time anyway (at least, trading bots are).
Like I mentioned, this is just a rough sketch and it may very well not be viable. But the problem is out there and it is very important: enabling rapid trading of bitcoins without fully entrusting them to a centralized counter-party.
In August 2013, 7 months ago, I released my open source project CoreBitcoin. It is a Bitcoin framework designed with an excellent API and great documentation. Its name is chosen in line with Apple’s own frameworks: CoreFoundation, CoreGraphics, CoreAnimation. If Apple ever decides to integrate Bitcoin support right in their OS, they could simply take CoreBitcoin as is, since it matches their own high standards for framework API.
In January 2014, Bitpay released a Node.js-based Bitcoin toolkit called “bitcore”.
In March 2014, developers of BitcoinQT (the “official” full node implementation) released version 0.9.0 and renamed the application to “Bitcoin Core”.
As of today, the amount of confusion around the terms “core” and “bitcoin” has been deliberately increased for no good reason.
Let’s invent a good altcoin with a real chance to take off and maybe even replace Bitcoin.
We will design a new scripting engine, mostly backwards compatible with existing Bitcoin scripts, but it will have some bugs fixed and new features: “strip” opcodes and checks on canonical encoding of data and signatures to prevent malleability, references to past and future transactions (so we can lock up outputs for a specific future transaction), improved SIGHASH_* flags and some additional ones, enabled more complex arithmetic and boolean opcodes, isStandard checks replaced by a dynamic mining fee requirement proportional to complexity of opcodes and memory used (inspired by Ethereum), Ed25519 signatures, blind signatures/accumulators like in Zerocoin and even Lamport signatures to allow swift transition to post-quantum crypto if needed.
This scripting engine should be implemented for all major Bitcoin implementation platforms: C++, C, Ruby, Python, Node.js, Objective-C and Go.
This altcoin will use standard Bitcoin scripts by default and only use the new scripting engine via a versioned P2SH-like output script compatible with Bitcoin:
OP_HASH {hash of the altcoin script} OP_EQUALVERIFY {version}
{version} will be OP_1, OP_2 etc till OP_16. Version 17 will be “OP_1 OP_1”, version 18 — “OP_1 OP_2” and so on. Version will be increased when scripting engine is updated with new features or incompatible improvements.
This altcoin will inherit the existing Bitcoin wealth distribution. All existing wallets will be compatible with this altcoin from day one. Only miners will need to perform a “soft fork”, by agreeing to enforce new P2SH scripts using the new scripting engine (like they did in early 2012 with BIP16). Once a super-majority of existing miners enforces a specific interpretation of such scripts, it will be safe for users to create transactions using the new scripting engine. Legacy wallets will acknowledge and validate such scripts, even if they won’t be able to create new scripts and contracts themselves.
Unlike many other altcoins, this one will have a better chance of acquiring a big market and hashing power, and thus would be potentially more useful than other altcoins designed to enrich founders at the expense of naïve enthusiasts who do not understand economics and money.
Blockchain is a wallet service named after the Bitcoin ledger of all transactions called “the blockchain”. Their website blockchain.info nicely visualizes the blockchain, but since it also provides other services like web wallet, its name causes some confusion among newcomers: “is it the Bitcoin company”?
Bitcoin-Central is an EU-based Bitcoin exchange. Its name sounds like it’s the Bitcoin company. Some newcomers are getting confused.
Bitcoin Foundation is a non-profit organization that promotes Bitcoin among humans and politicians. Its name sounds like it’s the Bitcoin organization. California even sent a Cease and Desist letter to Bitcoin Foundation in July 2013 thinking they were the people behind Bitcoin.
Coinbase is a US-based web wallet and exchange service named after “coinbase transaction”, a technical name for a special kind of transaction that creates new bitcoins. Such transactions can only be created by miners, but Coinbase does not run a mining service.
Kraken is an EU-based Bitcoin exchange. Its name just does not sound serious at all, even though it is one of the few exchanges positioned for professional traders.
MtGox (pronounced empty gox) was a Japan-based Bitcoin exchange, before mid-2013 the largest in the world. The name originally meant Magic The Gathering Online Exchange. However, even that name was unfortunate as MtGox never actually traded MtG cards and launched as a Bitcoin exchange from the start. Ironically, the name was appropriate for the level of their communication skills (poor), customer support (poor) and multiple technical issues that haunted the exchange over the years. Nevertheless, MtGox allowed the Bitcoin market to develop dramatically throughout 2010-2013 by being the single more or less stable marketplace. That made MtGox closely associated with Bitcoin itself, and its unfortunate name (among other things) made a lot of people not take Bitcoin seriously.
Zerocoin is a Bitcoin-like decentralized currency project that enables completely anonymous transactions: unlike Bitcoin, there is no observable link between one transaction and another. The name stems from the cryptographic term “zero-knowledge proof”, but sounds like a “worthless coin”.
After signing an anti-homosexuality bill into law, Ugandan President Yoweri Museveni was called “disgusting” in an exclusive interview with Oleg Andreev.
Oleg Andreev told Yoweri on Monday that, in his view, being Ugandan President is “unnatural” and not a human right.
“They’re disgusting. What sort of people are they?” he said. “I never knew what they were doing. I’ve been told recently that what they do is terrible. Disgusting. But I was ready to ignore that if there was proof that that’s how he is born, abnormal. But now the proof is not there.”
Oleg had commissioned a group of scientists to study whether government presidents are “created,” concluding that it is a matter of choice. “I was regarding it as an inborn problem,” he said. “Genetic distortion – that was my argument. But now our scientists have knocked this one out.”
It turned out, presidents freely decide to rule nations, take people’s money and then teach them how they should live. They also decide when people should be kidnapped, tortured or even killed.
Original article: http://edition.cnn.com/2014/02/24/world/africa/uganda-homosexuality-interview/index.html?hpt=hp_c1
I’m happy to publish a draft of my innovative scheme that enables blind signatures compatible with Bitcoin transactions. The primary motivation is secure storage for bitcoins. You can lock your funds with multiple friends/custodians (in an M-of-N multisignature transaction) and ask them to unlock your funds later. If done naïvely, custodians will be able to see which transaction they signed and how much money you have. Blind signatures allow you to completely hide your transactions from custodians who sign them. The scheme differs from existing blind signature proposals in two important aspects: 1) it is compatible with ECDSA while others are not and 2) it completely unlinks the resulting signature and public keys from the signing parties, providing absolute privacy.
The paper describes the motivation and the core protocol, and provides a practical way to generate and keep track of all secret and public parameters used in it. Use of this scheme enables the ultimate solution to secure Bitcoin storage. While your personal hardware and software wallets can be compromised, money can be much safer locked with independent semi-trusted parties, yet absolutely privately. You and your friends can use conventional personal computers to lock your personal pension funds among each other without ever exposing sensitive financial information.
Download the paper here: http://oleganza.com/blind-ecdsa-draft-v2.pdf
Demo app: https://github.com/oleganza/blindsignaturedemo
I timestamped the SHA256 of the second draft on June 16, 2014. I used the SHA256 of the PDF as a private key and sent 0.0002 BTC to the corresponding address 1FM9JtztQKwUVshxVJnEv8JEGKPZkCu7qk.
SHA256: 85e0a79b80f75f88790135214564847d2de46062414f08e799e5f701fddbfddc
Tx ID: https://blockchain.info/tx/ee0c7527de579d7ab2732be49a8b57fe13af940caff2c429464cd659e23281a6
Address: https://blockchain.info/address/1FM9JtztQKwUVshxVJnEv8JEGKPZkCu7qk
To verify:
1) Compute SHA256: $ openssl dgst -sha256 blind-ecdsa-draft-v2.pdf
2) Paste it as a “secret exponent” on brainwallet.org and get the address.
3) Find the earliest transaction on the blockchain for this address.
After a conversation in #bitcoin-dev with Luke-Jr, we may have a soft-fork change (only a super-majority of miners needs to support it) to support non-malleable transactions.
Like with P2SH, we will take an innocent script OP_HASH160 <…> OP_EQUAL and interpret it as P2SHv2. To remain compatible with current P2SH, that script will use PUSHDATA1 (2-byte length prefix) instead of 1-byte PUSHDATA prefix (which encodes the length of data in itself).
The entire input script for P2SHv2 output will be interpreted differently.
The voting process can be identical to P2SH. Miners will put the string “/P2SHv2/” in their coinbase to support the change. Once a super-majority of miners supports it, it will be safe for people to issue P2SH-version2 transactions. Old-style transactions will still be malleable. Regular payments will be softly protected against malleability by the isStandard check. Complex contracts like rapidly-adjusted micropayments would need to use P2SHv2 in order to rely on chains of unconfirmed transactions.
This change does not require regular users to upgrade their software.
We can introduce another version of transactions (2) that will change how signatures are verified and stored within the transaction.
The malleability of transactions stems from the fact that we store signatures in the input scripts and for purposes of signing and verifying the signature, all input scripts are completely stripped. This allows anyone to introduce non-breaking changes to the input scripts that keep signatures correct, but change the whole transaction hash.
To fix that, we add a level of indirection. All signatures will be stored in a separate location in the transaction, ordered. Input scripts will only reference the index of the signature and never be stripped for the purposes of signing.
Input scripts are not stripped during SignatureHash phase.
CHECKSIG and CHECKMULTISIG expect not a signature, but a “signature index”, as PUSHDATA (does not need to be normalized).
Signatures are listed in an array in the tail of the transaction (after lock time). All length prefixes must be normalized in that array (including length prefix of the array itself).
All signatures must be canonical.
When signing an input, its script is appended with the output script (today output script replaces the input script).
When verifying the signature, storage of signatures is stripped off completely (“signatures cannot sign themselves”).
Transaction ID remains the same: a double-SHA256 of the entire transaction, so no changes in the transaction inputs or merkle trees are needed.
Old versions of transactions are still malleable and can be created by older clients and will always be valid. New versions will be accepted by the network if network decides so with a majority vote. There will be an announced block height starting with which version 2 transactions will be valid.
How to vote?
Miners may express their support by mentioning “/CTv2/” (“Canonical transactions AKA version 2”) in their coinbase.
But before that, miners must see that most used software is upgraded to support validation of “version 2” transactions. I.e. bitcoind, libbitcoin, bitcoin-ruby, Multibit, Electrum, mobile apps if needed.
If after block height N, more than 95% of blocks in the past 10000 blocks are supporting the change, network starts accepting transactions with version 2 and new signature check rules in those transactions.
Then, if your special scheme (like rapidly-adjusted micropayments) requires reference to an unconfirmed transaction, you would simply require using a version 2 transaction and have guarantee that its ID can’t be changed.
EDIT: as Luke-Jr suggested, in the future we may want some other data to be stripped for signing purposes (e.g. if we implement other signature schemes with new or existing opcodes). To support that, we may allow any “pushdata” to be “indirect” or “strippable”, maybe with some extra opcode acting as a prefix before the pushdata. E.g. OP_NOP1 would be used as OP_STRIP and mean “for the signature hash, strip the following piece of data”.
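The effect of the version 2 rules above can be seen in a toy model. This is an added example, not code from the proposal or from any Bitcoin implementation: the serialization, field names and byte strings are constructed placeholders, and only the question of which parts of the transaction each hash covers follows the text. The third case shows why the proposal insists that the signature array be canonical.

```python
import hashlib
from typing import List, NamedTuple


def dsha(data: bytes) -> str:
    """Double SHA-256, as used for Bitcoin transaction ids."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def ser(*fields: bytes) -> bytes:
    """Toy length-prefixed serialization (not Bitcoin's wire format)."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


class Tx(NamedTuple):
    version: int
    input_scripts: List[bytes]   # one script per input
    outputs: bytes               # opaque stand-in for the outputs
    signatures: List[bytes]      # version 2 only: array in the tail of the tx


def txid(tx: Tx) -> str:
    """The id hashes the entire transaction, signature array included."""
    return dsha(ser(bytes([tx.version]), ser(*tx.input_scripts),
                    tx.outputs, ser(*tx.signatures)))


def sighash_v1(tx: Tx, index: int, prev_out_script: bytes) -> str:
    """Current rule: all input scripts are stripped and the signed input's
    script is replaced by the output script it spends."""
    scripts = [prev_out_script if i == index else b""
               for i in range(len(tx.input_scripts))]
    return dsha(ser(bytes([tx.version]), ser(*scripts), tx.outputs))


def sighash_v2(tx: Tx, index: int, prev_out_script: bytes) -> str:
    """Proposed rule: input scripts stay in place, the output script is
    appended to the signed input's script, the signature array is stripped."""
    scripts = [s + prev_out_script if i == index else s
               for i, s in enumerate(tx.input_scripts)]
    return dsha(ser(bytes([tx.version]), ser(*scripts), tx.outputs))


# --- Constructed sample data (placeholders, not real scripts) ---
PREV = b"<output script being spent>"
V1 = Tx(1, [b"<signature, encoding A> <pubkey>"], b"<outputs>", [])
V1_MUT = V1._replace(input_scripts=[b"<signature, encoding B> <pubkey>"])
V2 = Tx(2, [b"<sig index 0, encoding A> <pubkey>"], b"<outputs>",
        [b"<signature, encoding A>"])
V2_MUT_SCRIPT = V2._replace(input_scripts=[b"<sig index 0, encoding B> <pubkey>"])
V2_MUT_SIG = V2._replace(signatures=[b"<signature, encoding B>"])


def compare(a: Tx, b: Tx, sighash) -> tuple:
    """Return (txid changed?, signed hash changed?) between two transactions."""
    return txid(a) != txid(b), sighash(a, 0, PREV) != sighash(b, 0, PREV)


if __name__ == "__main__":
    # v1: the id changes but the signed hash does not, so the signature
    # still verifies. This is the malleability described above.
    print("v1, input script re-encoded:   ", compare(V1, V1_MUT, sighash_v1))
    # v2: the signed hash changes too, so existing signatures stop verifying.
    print("v2, input script re-encoded:   ", compare(V2, V2_MUT_SCRIPT, sighash_v2))
    # v2: the signature array is outside the signed data, so it is the one
    # place where an alternative encoding could still change the id.
    print("v2, signature array re-encoded:", compare(V2, V2_MUT_SIG, sighash_v2))
```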
MtGox issued a statement that due to a “design issue” in Bitcoin protocol, they were having problems with withdrawing BTC and so they had to halt all withdrawals until the problem is fixed. https://www.mtgox.com/press_release_20140210.html
If you need a quick answer: there’s no bug in Bitcoin itself. You may go to Bitstamp/Coinbase/BTC-E/Bitcoin-Central and buy more BTC with a huge discount before it gets back to $800-$900.
Long answer:
Unconfirmed Bitcoin transactions were always “malleable”, that is you can slightly change a transaction that “floats around” (not yet in the blockchain) and you wouldn’t break its signatures. You can’t change something important about it, like source transactions, amounts, order of inputs and outputs or other important metadata. What you can do is to add some bogus data or flip a sign on a signature that doesn’t change the meaning of the transaction, but changes its binary representation. (More info here: https://en.bitcoin.it/wiki/Transaction_Malleability)
What does it mean in practice? You may send a transaction ABC123, then someone may see it on the network, change slightly to ABC124 and send it too. If he gets lucky, ABC124 will be included first and ABC123 will never be included (because it’d be a double-spend). There’s no problem for the recipient of the transaction: they will still get all their money on the address they expect. But if they were watching the blockchain specifically for transaction ABC123, they will never find it there.
MtGox claims to be fooled this way:
Is it a design issue in Bitcoin to allow slight changes in unconfirmed transactions? Yes, it probably is. But it’s not entirely clear how it can be prevented at all. An immediate fix would disallow potentially useful more complex transactions and require a global network consensus to enforce new behavior. Zero-confirmation transactions were always known to be malleable and methods to limit their malleability were already discussed and deployed (e.g. transactions with non-canonical signatures may not be relayed by all nodes). But for all practical purposes, it’s a known feature, just like many other weird facets of Bitcoin. Those who build Bitcoin wallets, exchanges or payment processors must be aware of this and act accordingly.
MtGox had this problem because they didn’t know about this Bitcoin property. And usually transactions were not deliberately modified by anyone, so it was okay most of the time.
It’s not rocket science to fix the problem. For instance, MtGox may fix the problem this way: instead of watching the blockchain for the appearance of the specific hash of a specific transaction, they should watch whether the address X (specified by the user) got amount N (specified by the user) from outputs Y, Z and W (owned by MtGox). This would guarantee that even if the transaction is modified, they will see for sure whether the users actually got the money sent to them or not.
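One way to implement the check described above, as an added example (not MtGox’s code and not part of the original post). The transaction model, the status names, the addresses and the script bytes are constructed placeholders; a real implementation would parse Bitcoin’s binary transactions and wait for confirmations.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Outpoint = Tuple[str, int]  # (txid of the funding transaction, output index)


@dataclass(frozen=True)
class TxIn:
    outpoint: Outpoint
    script_sig: bytes  # carries the signature; its encoding is not signed


@dataclass(frozen=True)
class TxOut:
    address: str
    amount: int  # satoshis


@dataclass(frozen=True)
class Tx:
    inputs: Tuple[TxIn, ...]
    outputs: Tuple[TxOut, ...]

    def txid(self) -> str:
        # Toy serialization (not Bitcoin's wire format). As with the real
        # txid, the hash covers the input scripts.
        h = hashlib.sha256()
        for i in self.inputs:
            h.update(f"{i.outpoint[0]}:{i.outpoint[1]}:".encode() + i.script_sig + b"|")
        for o in self.outputs:
            h.update(f"{o.address}:{o.amount}|".encode())
        return hashlib.sha256(h.digest()).hexdigest()


@dataclass(frozen=True)
class Withdrawal:
    address: str                  # X, specified by the user
    amount: int                   # N, specified by the user
    funding: FrozenSet[Outpoint]  # Y, Z, W: outputs owned by the exchange
    sent_txid: str                # id of the transaction as it was broadcast


def find_by_txid(block: List[Tx], w: Withdrawal) -> Optional[Tx]:
    """Fragile check: look only for the id that was broadcast."""
    return next((tx for tx in block if tx.txid() == w.sent_txid), None)


def find_by_effect(block: List[Tx], w: Withdrawal) -> Optional[Tx]:
    """Robust check: did address X receive amount N from our own outputs?"""
    for tx in block:
        spent = {i.outpoint for i in tx.inputs}
        pays = any(o.address == w.address and o.amount == w.amount for o in tx.outputs)
        if pays and spent == w.funding:
            return tx
    return None


def reconcile(block: List[Tx], w: Withdrawal) -> str:
    """Classify a withdrawal without trusting the transaction id."""
    tx = find_by_effect(block, w)
    if tx is not None:
        return "paid" if tx.txid() == w.sent_txid else "paid-under-different-txid"
    spent_anywhere = {i.outpoint for t in block for i in t.inputs}
    # Funding outputs consumed by something that did not pay the user:
    # never re-send automatically, a human has to look at it.
    return "conflict" if spent_anywhere & w.funding else "pending"


# --- Constructed sample data (placeholders, not real addresses or ids) ---
FUNDING = (("aa" * 32, 0), ("bb" * 32, 1))
OUTS = (TxOut("user-address-X", 150_000_000), TxOut("exchange-change", 49_990_000))
ORIGINAL = Tx(tuple(TxIn(op, b"<signature, encoding A>") for op in FUNDING), OUTS)
# Same inputs and outputs; only the encoding of the first input script differs.
MUTATED = Tx((TxIn(FUNDING[0], b"<signature, encoding B>"), ORIGINAL.inputs[1]), OUTS)
UNRELATED = Tx((TxIn(("cc" * 32, 0), b"<other signature>"),), (TxOut("someone-else", 1_000),))
WITHDRAWAL = Withdrawal("user-address-X", 150_000_000, frozenset(FUNDING), ORIGINAL.txid())

if __name__ == "__main__":
    block = [UNRELATED, MUTATED]
    print("txid watcher found:", find_by_txid(block, WITHDRAWAL))
    print("effect watcher says:", reconcile(block, WITHDRAWAL))
```

A withdrawal that reconciles as paid under a different id must be marked as completed and never re-issued from other coins.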
Thanks to Bitcoin scripts (little programs specifying conditions under which a transaction is valid), people can come up with many sorts of never-before-seen protocols. Multi-party escrows, “nash equilibrium” insurance deposits, rapidly adjusted micropayments, crowdfunding etc. All of these require multi-step actions from a user’s application which holds the private keys.
Today such applications are very simple: they only support sending and receiving money on “addresses”. Anything more complex is just not supported by general-purpose wallets. If one comes up with a new protocol, they either have to extend existing wallets, or make their own, or simply have a server doing the work (which defeats all the security promised by a decentralized protocol in the first place). These options involve basically redoing wallet and key management from scratch and introduce a lot of extra hassle for the users.
A good compromise between the impossible Most Universal Bitcoin Wallet and millions of specialized wallet apps would be a system of JavaScript plugins. Each plugin is a short single file of JavaScript code that is executed in a very restricted environment. Why JavaScript? It is the most ubiquitous scripting language with flexible implementations on most (if not all) major platforms.
A JavaScript plugin is cryptographically signed by multiple auditors, and the wallet app always verifies the integrity of each plugin when executing one. Every plugin can only be invoked explicitly by the user. The wallet, not the plugin, shows a summary of what is about to happen (“you are going to send 0.34 BTC in this transaction”). A single plugin is invoked when a particular kind of contract is initiated or needs an update. Plugin state is isolated not only from other plugins, but from each contract as well.
This is what it may look like. Take, for example, a simple escrow. You send money to a 2-of-3 multisignature script, where two keys belong to you and your counterparty and the third key belongs to a semi-trusted third party which may act as an arbiter if needed. When the contract is completed, depending on the result, the user must be able to provide a signature for a particular outcome (either money goes to the counterparty, or back to the user, or only a portion is refunded).
The plugin may implement this by using two kinds of inputs: creation of a contract and completion of the contract. For each state, plugin checks the integrity of the data (e.g. “contract can be completed only if it was started by me in the first place”) and provides data with compact informational messages to the user. Plugin does not implement the UI. It should be done by an external application or a website with which the user interacts. For confirmation of the action, plugin can only provide compact description like “Unlock 100% of funds to Buyer Inc.?” or “Refund 90% to your address 1RefuNd3eBnt66345…?” Once confirmed, the result is sent back to the application that requested participation in the contract.
For security reasons, plugins should be very compact, easy to read and understand, not use dynamically linked external libraries, not have any access to external devices, file system, network etc. A plugin may be bundled with static data like images or localization strings, all covered by the code signature and verified by the wallet application on each run.
More details on how this could be done and what the API may look like will follow.
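A sketch of the integrity check the wallet would run before every plugin invocation, as an added example that is not the author’s design or API. The post does not name a signature scheme, so Lamport one-time signatures stand in here because they need only a hash function; the file names, auditor names and the 2-of-3 threshold are assumptions.

```python
import hashlib
import secrets
from typing import Dict, List


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def bundle_digest(files: Dict[str, bytes]) -> bytes:
    """One digest over the code and every bundled static file."""
    h = hashlib.sha256()
    for name in sorted(files):                      # independent of dict order
        for part in (name.encode(), files[name]):
            h.update(len(part).to_bytes(8, "big"))  # length prefix avoids ambiguity
            h.update(part)
    return h.digest()


def digest_bits(digest: bytes) -> List[int]:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# Lamport one-time signatures: a stand-in scheme, one key pair per signed bundle.
def lamport_keygen():
    secret = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    public = [[sha256(x) for x in row] for row in secret]
    return secret, public


def lamport_sign(secret, digest: bytes) -> List[bytes]:
    return [secret[bit][i] for i, bit in enumerate(digest_bits(digest))]


def lamport_verify(public, digest: bytes, signature: List[bytes]) -> bool:
    if len(signature) != 256:
        return False
    return all(sha256(s) == public[bit][i]
               for i, (s, bit) in enumerate(zip(signature, digest_bits(digest))))


def verify_plugin(files, signatures, trusted, required: int) -> bool:
    """True only if `required` distinct trusted auditors signed this exact bundle."""
    digest = bundle_digest(files)
    approvals = {auditor for auditor, sig in signatures.items()
                 if auditor in trusted and lamport_verify(trusted[auditor], digest, sig)}
    return len(approvals) >= required


def demo() -> Dict[str, bool]:
    # Constructed plugin bundle: code plus a localization file.
    files = {"escrow.js": b"/* constructed plugin source */",
             "strings/en.json": b'{"confirm": "Unlock 100% of funds to Buyer Inc.?"}'}
    keys = {name: lamport_keygen() for name in ("auditor-a", "auditor-b", "auditor-c")}
    trusted = {name: public for name, (_, public) in keys.items()}
    digest = bundle_digest(files)
    sigs = {name: lamport_sign(keys[name][0], digest) for name in ("auditor-a", "auditor-b")}

    # Only the confirmation text differs; the code file is untouched.
    tampered = {**files, "strings/en.json": b'{"confirm": "Refund 90% to your address?"}'}
    stranger_secret, _ = lamport_keygen()
    with_stranger = {"auditor-a": sigs["auditor-a"],
                     "stranger": lamport_sign(stranger_secret, digest)}
    return {
        "genuine": verify_plugin(files, sigs, trusted, 2),
        "tampered_strings": verify_plugin(tampered, sigs, trusted, 2),
        "needs_three": verify_plugin(files, sigs, trusted, 3),
        "untrusted_signer": verify_plugin(files, with_stranger, trusted, 2),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'run' if accepted else 'refuse'}")
```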
In Russian: http://bitnovosti.com/2014/01/02/cryptoanarchy-and-anonymity/
Crypto-anarchy is not some crazy utopian ideology, but a very viable thing that unfolds in front of our eyes this very moment. The Internet and Bitcoin will soon allow people to solve social problems in a novel way: instead of the ancient formula “the strongest wins and beats the shit out of the loser” we all can achieve a peaceful society where both rich and poor, strong and weak can protect their property and freedom on more equal grounds without relying on violent institutions like governments.
But first, let’s start with some history.
The Cypherpunk movement started as a mailing list in 1992. In 1993 Eric Hughes publishes “A Cypherpunk’s Manifesto” [1]. In 1994 Timothy C. May publishes “Cypherpunks FAQ” [2].
Here’s an excerpt from the FAQ:
2.3. “What’s the ‘Big Picture’?”
Strong crypto is here. It is widely available. It implies many changes in the way the world works. Private channels between parties who have never met and who never will meet are possible. Totally anonymous, unsinkable, untraceable communications and exchanges are possible.
Transactions can only be voluntary, since the parties are untraceable and unknown and can withdraw at any time. This has profound implications for the conventional approach of using the threat of force, directed against parties by governments or by others. In particular, threats of force will fail.
What emerges from this is unclear, but I think it will be a form of anarcho-capitalist market system I call “crypto anarchy.” (Voluntary communications only, with no third parties butting in.)
In 1994 Nick Szabo coins the term “smart contract” [3] and describes all use case categories that we are talking about today: from digital cash to synthetic financial assets and smart property.
In 1998 Wei Dai & Nick Szabo came up with the ideas for “b-money” [4] and “bit gold” [5] during their conversation on the libtech-l mailing list. Wei Dai captured the essence of the movement in an immortal quote:
I am fascinated by Tim May’s crypto-anarchy. Unlike the communities traditionally associated with the word “anarchy”, in a crypto-anarchy the government is not temporarily destroyed but permanently forbidden and permanently unnecessary. It’s a community where the threat of violence is impotent because violence is impossible, and violence is impossible because its participants cannot be linked to their true names or physical locations.
In 1999 Nick Szabo coins the term “intrapolynomial cryptography” [6] for the entirety of proof-of-work algorithms and describes what we now call a “private blockchain”, a chain of property ownership enforced by a consensus of “property club” members [7]. The latter article is especially valuable today as it explicitly states that the job of voting in the consensus mechanism is used only for secure execution of the agreed-upon rules and database replication, but not for changing the rules themselves.
In 2004 Hal Finney implements an RPOW server [8] (“Reusable proof of work”) inspired by the bit gold proposal. The RPOW scheme uses a secure processing module that simultaneously acts as a mint and as a custodian for the ledger of proof-of-work tokens.
In late 2008 Satoshi Nakamoto publishes an overview of Bitcoin [9] and on January 3rd, 2009 releases the code and begins the blockchain.
Bitcoin is the exact implementation of the system envisioned by Tim C. May, Wei Dai and Nick Szabo. The only requirement is for transacting parties to remain anonymous. If there’s no trace to physical persons, there is no place for the violent intervention and thus the contracts can only be enforced according to the voluntarily agreed-upon rules between the parties. Bitcoin allows encoding these rules right in the transactions so they are automatically enforced by the whole network.
In practice, we cannot imagine living in full anonymity. Human beings live in a physical world and enjoy a lot of physical things. Anonymity is not something you can easily manage like a single encryption key. It must be maintained via careful dissemination of one’s actions among actions of others. And since the network activity is easily recordable, one mistake is enough to reveal oneself. In other words, the cost of anonymity is rather high compared to the benefits. Does this mean crypto-anarchy is a utopia?
I would argue it’s far from it. Cypherpunks, being rigorous scientists, made a much stronger assumption than needed in practice. For transacting parties it is enough to have the cost of cheating (e.g. resorting to violent coercion) meaningfully higher than the cost of following the contract (that is, keeping the promise). If that condition holds for the majority of interactions in society, there will be a great incentive for people to protect themselves against the remaining rare cases of cheating, thus keeping the system sustainable. Anonymity is simply one of the ways to raise the cost of the attack.
Bitcoin raises the cost of many kinds of attacks, going far beyond protecting against central banks meddling with money supply.
First, all sorts of computational services will flourish. Machines never need to disclose their physical locations and can freely automate both payment verification and payments themselves. Denial-of-service and spam can be largely eliminated by simply requiring a smallish payment for every request.
Second, personal services can be protected by peer-to-peer insurance deposits [8] that literally raise the cost of cheating by making both parties agree to a greater sacrifice (“bilateral insurance deposit”).
In a similar manner, crowdfunding can be fully insured by allowing raised funds to be reverted if the majority of shareholders decides to do so.
Finally, systemic predation by the state becomes economically impossible. Most modern states fund themselves by debasing money supply (also known as “bond issuance”, “budget deficit”, “inflation”, “quantitative easing”, “stimulus package”). Bitcoin-based economy simply does not allow this as it is very cheap to store bitcoins and verify transactions yourself and completely avoid all kinds of fraud associated with modern banking. As central banking disappears from the state’s arsenal, federal government activities including wars become unfunded and quickly come to an end.
Local governments may continue their operations funded by local taxes, but that would become increasingly voluntary. Extracting bitcoins costs much more than protecting them. There is no highly centralized and monitored banking network, so it’s much harder to track taxable transactions. Every additional tax evader defunds the local police department and makes it safer for the next person to underreport earnings if he wishes to do so. Considering that the law enforcement is paid only a small portion of the total budget to be extracted (50% goes to bureaucrats and the rest to other public services), consistently extracting bits of information from millions of individuals is unsustainable in the long run. If anyone is good at stealing bitcoins, they are much better off doing it alone and taking all profits for themselves.
Governments, of course, can also tax in kind (like your underreported Ferrari or a house), but this would be even costlier than seizing any kind of money and those costs must be paid by the state in bitcoins that it does not have to start with.
If this speculation does not sound to you like complete lunacy yet, here is the fun part. Most governments are completely broke already and can only pay with the IOUs they print. When people start a massive run for bitcoins to protect their wealth, everyone will be able to earn bitcoins for their work, except those who work for the government. Policemen, public school teachers and the like will be the first ones to notice prices rising faster than their salaries. They will be the first ones to switch jobs or become largely corrupt on all levels, like it was in Russia after the fall of the Soviet Union. Bureaucrats will smell the approaching panic and, instead of trying to retain control over the employees, will privatize as many public goods as possible. Again, exactly like during the fall of the Soviet Union. People will see how all promised public services are either abandoned or stolen, and this time everyone will have a method to protect their own property and do business voluntarily and in an even safer and cheaper way than before. Crypto-anarchy will quickly become a boring reality without the need for anyone to remain fully anonymous.
[1] http://www.activism.net/cypherpunk/manifesto.html
[2] http://www.cypherpunks.to/faq/cyphernomicron/cyphernomicon.txt
[3] http://www.virtualschool.edu/mon/Economics/SmartContracts.html
[4] http://www.weidai.com/bmoney.txt
[5] http://unenumerated.blogspot.co.uk/2005/12/bit-gold.html
[6] https://web.archive.org/web/20011217091748/http://szabo.best.vwh.net/intrapoly.html
[7] https://web.archive.org/web/20020202165211/http://szabo.best.vwh.net/securetitle.html
[8] http://cryptome.org/rpow.htm
[9] http://bitcoin.org/bitcoin.pdf
UPDATE on March 22, 2016: correct attribution and timeline for Nick Szabo’s proposals.
More people are willing to “invest in Bitcoin”. Before doing that they need to understand what it is and what it isn’t. Someone asked me if it’s okay to “invest in BTC for a year at current prices”. Putting it this way is to admit that you do not understand the value of Bitcoin. You will buy at $1000 and sell all at $800 during a sharp reaction to some piece of bad news. Don’t do that.
Bitcoin is a great bet. If most people own a little bit of Bitcoin, we will wake up tomorrow in a new world. If they don’t and everyone goes home, your investment is fundamentally worthless. Bitcoin is as pure as money can ever get: it’s either a global standard, or it’s purely an object of art valued by few. You do not invest in Bitcoin, you switch into it.
If Bitcoin becomes the world money, people will massively sell off their currencies, gold, silver and some low-risk investments (like bonds or extra real estate). Rough calculations give us a figure higher than $10M of today’s dollars per bitcoin.
But what fascinates me personally about Bitcoin is not a nice monetary reward, but a transformation in our society that comes as a side effect. Even if you and I put no money in Bitcoin today, our lives will be so much better if Bitcoin wins.
The real value proposition of Bitcoin is the removal of large-scale destruction and a never-before-seen amount of economic freedom.
As an example, the total debt of the U.S. government is $17 trillion and growing [1]. This debt is owned by the banks that create dollars in exchange for that debt. Government simply promises to pay off this debt with the same money (plus interest) that it is supposed to extract from the taxpayers later. It’s not only impossible economically, but it’s logically invalid. To return more debt-based currency, they’d need to issue even more debt.
You may think these numbers do not affect you personally, but consider what this money is being spent on. Total cost of the war in Iraq since 2003 is an astonishing $6 trillion [2]. Almost one third of today’s total debt. During this war more than 1 million people were killed [3]. In other words, folks working in military earned $6 million per one person murdered.
Ask yourself, who gave these trillions for the war? What investors thought it might be a good idea to invade Iraq, lose a bunch of money and have people hate you? The answer is that there are no investors. All this money is being made up by the central bank in exchange for more government debt. And due to tons of laws, regulations and taxation people have to accept this funny money for their work.
Bitcoin does not allow this. It’s a single, absolutely transparent ledger where anyone can see how money is being created. There’s a fixed supply which cannot be increased overnight by a single man. If people adopt Bitcoin as their standard money, governments would have to pay for their wars from taxes. And people will feel how their taxes actually work. Not even mentioning that taxes will be much harder to extract if peaceful citizens decide to oppose their government. By simply being a world money, Bitcoin will prevent massive murder and destruction. This alone is worth making a bet on, in my opinion.
After removing disastrous wars, people will find themselves not only in a safer world, but also with even more opportunities. Anyone can trade with anyone else on the entire planet, absolutely safely, anonymously or publicly. Every teenager can join the global market whenever he wants. Every person can save money for a rainy day without Paul Krugman telling him why it’s good that his savings lose in value. Every business is more protected against racket by having secure cash as an ultimate insurance against temporary losses. Programmable contracts [4] allow incredible new business models that are otherwise impossible, lowering the cost of lawyers and auditors. The entire internet will shift from advertisement to more directly funded services as micropayments become viable.
If you understand all of this, you should desire these changes and participate in them. If you don’t agree with me, you should not invest in Bitcoin at all. You can’t have just a cute payment protocol without all global consequences that necessarily follow. Bitcoin is a single package: either it completely fails, or it turns all people into wealthy peaceful anarchists.
[1] http://en.wikipedia.org/wiki/National_debt_of_the_United_States
[2] http://en.wikipedia.org/wiki/Financial_cost_of_the_Iraq_War
Nick Szabo:
“Often the protocol designer can’t figure out how to fix a vulnerability. If the attack one needs a trusted third party to protect against is not a serious real-world threat in the context of the application the designer is trying to secure, it is better to simply leave the small hole unplugged than to assign the task to a trusted third party. In the case of public key cryptography, for example, protocol designers haven’t figured out how to prevent a “man-in-the-middle” (MITM) attack during the initial key exchange. SSL tried to prevent this by requiring CAs as trusted third parties, as described above, and this solution cost the web community billions of dollars in certificate fees and lost opportunities to secure communications. SSH, on the other hand, decided to simply leave this small hole unplugged. The MITM hole has, to the best of my knowledge, never even once been exploited to compromise the privacy of an SSH user, yet SSH is far more widely used to protect privacy than SSL, at a tiny fraction of the cost. This economical approach to security has been looked at at greater length by Ian Grigg.”
Some people say that the volatility of Bitcoin prices makes it a poor “store of value”. You never know exactly how much you have today: $10500, $9600 or $11201. When you pay for something you may pay 5% more than what it was just a minute ago. Or, if you are a merchant, you may receive 5% less than what you expected. That could be a problem.
We asked experts and got some evidence that it is not quite correct. Bitcoin has been a great store of value over the past 4 years. Almost everyone who invested in Bitcoin and kept it for more than a year enjoyed gains from 200% to 4000%. This means that 10% daily volatility is no longer a problem. When you pay with Bitcoin you enjoy more than 90% discount. Who cares if it’s one day 91% instead of 93%?
Similarly, merchants who consistently accept bitcoins and keep most of them around are compensated for small losses on volatility with big gains on their savings. For the past two months I was paying for bagels nearby with bitcoins and half of the time the price was going slightly down one hour after the payment. However, overall, the guy accepting them finally made more than three times what he would receive in euros. Of course, the last two months were better than average, but over a one-two year period everyone was better off no matter when they invested.
Those merchants who do not want to invest in Bitcoin, but wish to enjoy zero-fee transactions without fraud, can use BitPay or Coinbase.
Bitcoin is both volatile and is a great store of value so far.
PS. This is not an endorsement to buy Bitcoin. You should not do that based only on the price history. If it was a Ponzi scheme or a huge bubble, the price would look the same. You should only invest if you study what Bitcoin is and how important it may (or may not) become in the future. Otherwise, do not put more than a dollar in it.
Arguments for Litecoin are fraudulent.
TL;DR: there’s no important difference between LTC and BTC and only one of them can win over another, because, other things being equal (which they are) people want to invest in the most liquid money: that is, with the biggest number of folks willing to hold it. LTC can’t be “silver to bitcoin’s gold”, because both LTC and BTC have exactly the same risks and costs. Either LTC wins over BTC, or BTC over LTC.
I’ll elaborate.
Litecoin/Bitcoin/Shitcoin are all long-term bets. I myself don’t speculate on daily basis, most of us bet for value of these things in the multi-year time frame. So let’s focus on that.
1) In the long term, security is not measured in “block interval time” or number of blocks. It’s measured in the amount of money that must be spent on double spending. Today the hashrate of Bitcoin is many, many times more expensive than that of Litecoin. So one block confirmation in Litecoin is not just 4x less secure, but hundreds of times less secure: you need a smaller investment to fork the chain than with BTC. So anyone who brings up the security argument is lying to you.
2) Litecoin is not “faster” either. For the same level of security as in BTC, you have to wait a hundred times longer (see #1). Instant transactions are the same and also less secure than in BTC: zero-conf, with fewer nodes and less connectivity between them to limit double-spend attempts. Anyone bragging about “LTC being faster” is a liar. It can only be slower, due to the smaller number of nodes and currently lower hashrate, not faster. LTC can only be faster if BTC is abandoned and people switch to LTC.
3) “Scrypt protecting against concentration of power due to ASICs” is bullshit. If LTC wins over BTC, there will be ASICs and whole factories making chips and plugging them in on-site right away. Just like it will be with BTC or ShitCoin or anything else. Long-term, LTC is either dead or full of Chinese ASICs, like BTC. Anyone arguing otherwise is a liar.
4) “Scrypt more secure than SHA256” is bullshit in the context of mining. If there’s a better optimization in SHA256, it’ll be like a better hardware. But this can equally happen to Salsa in Scrypt too. If the breakthrough is significant, all BTC stakeholders will vote for adjusting the protocol to fix the problem, not lose everything by panic selling. Huge price of BTC is a great motivator to find the weakness in double-round SHA256 and mine faster. Every day it doesn’t happen is only a practical proof it’s as good as it can be (just like Scrypt or whatever), everything else is unfounded FUD.
5) “More fair distribution of wealth” - this is unfounded FUD. For average Joe, LTC is less widely accepted, so its concentration, however “fair” it was, is still higher than in BTC. And who knows how much of early mined BTC are lost forever (we know that’s a lot) or were sold during 2011 bubble and slow price rundown the same year. I bet very few were sticking to their holdings that time and thus were taking huge risks “fairly”.
6) “Diversification” (based on all points above) - newbies who don’t know economics are made to think they diversify by investing in some altcoins. But the risks and costs are all the same for all coins. If Bitcoin is completely broken, most likely altcoins are broken for the very same reason. Otherwise, all Bitcoin holders will simply agree to upgrade the protocol. Especially so as Litecoin is on the same codebase.
The only real argument about LTC and BTC is that there’s no functional difference between them. LTC could only be 4+ times costlier to miners due to faster blocks and more “decentralization” of individual miners (slower connectivity, faster blocks => more orphans). If LTC was released before BTC and took off, everyone would be using LTC no problem. The only thing that matters here is liquidity, number of holders of money. If people are betting it is BTC with more hands, they send a signal to others about that by holding too. This moves all the “cryptoinvestments” into BTC in the long term. If people see that LTC is gaining more hands, then everyone will converge on LTC. LTC and BTC cannot coexist together, it makes no economic sense both for miners (who want to invest 100% in the most valuable currency in the long term) and for users (who want money only because it’s widely exchangeable for many goods at any later dates).
Right now there’s a lot of excitement about Bitcoin and not many people understand economics. Some folks are lied to and “diversify” into altcoins, which gives them short-term bubble. But in years to come, when they see, that Bitcoin has bigger adoption, they’ll move their savings to BTC and then all altcoins will crash. Or for some mysterious reason BTC will not be viable and people jump to LTC en masse and abandon BTC.
People often talk about privacy problems with Bitcoin: all transactions are public and every move is watched by millions of eyes. Where’s a problem, there’s a solution.
Let’s first define the problem more rigorously. There are two situations (ok, three) when you want to launder your coins.
First: you receive your monthly salary on a single address and then want to make regular purchases with it. When you buy a cup of coffee, the shop owner will see how much money you have, which might be unsafe.
Second: you want to buy something expensive, so you have to combine “change” from various addresses in a single transaction. This may link many of your private payment histories in one. Someone may connect the dots and make a full profile of a single person: what he eats, where he travels and so on. It’s being done with credit cards already and people seem not to like it very much.
Third: you sold something anonymously and your payment is being watched. If you later spend that money in the open, your identity may be revealed.
Bonus track: some people think that “money laundering” is not sinful enough, so they invented “structuring laws”, that is laws that forbid not only buying bad things, but also to hide the monetary trails even if you don’t do anything illegal at all. If your method to launder bitcoins is screaming “LAUNDERING” on the blockchain (like with Zerocoin, using shared addresses or CoinJoin transactions), it’s not good for you. You may get your privacy, but you also go to jail for “structuring”. To be a law-abiding citizen you should not hide your financial history. The rest of this article is for pure entertainment only.
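The linkage in the second and third situations above is what chain analysts call the common-input-ownership heuristic: addresses spent together in one transaction are assumed to share an owner. The sketch below is an added example, not part of the original post; the transactions, address labels and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real chain data). Address labels and txids are
# made up; each transaction lists the addresses it spends from and pays to.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["salary"], "outputs": ["cafe", "change_a"]},
    {"txid": "tx2", "inputs": ["gift"], "outputs": ["bookshop", "change_b"]},
    {"txid": "tx3", "inputs": ["anon_sale"], "outputs": ["vpn", "change_c"]},
    # The expensive purchase: three leftover coins are spent together.
    {"txid": "tx4", "inputs": ["change_a", "change_b", "change_c"],
     "outputs": ["car_dealer", "change_d"]},
    # An unrelated user who happens to pay the same cafe.
    {"txid": "tx5", "inputs": ["stranger_1"],
     "outputs": ["cafe", "stranger_change"]},
]


class DisjointSet:
    """Union-find over address labels."""

    def __init__(self):
        self.parent = {}

    def find(self, item):
        self.parent.setdefault(item, item)
        root = item
        while self.parent[root] != root:
            root = self.parent[root]
        # Path compression: point every node on the walk straight at the root.
        while self.parent[item] != root:
            self.parent[item], item = root, self.parent[item]
        return root

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_addresses(transactions):
    """Group addresses that were ever co-spent as inputs of one transaction."""
    ds = DisjointSet()
    for tx in transactions:
        for addr in tx["inputs"] + tx["outputs"]:
            ds.find(addr)  # register every address, even ones never merged
        inputs = tx["inputs"]
        for other in inputs[1:]:
            ds.union(inputs[0], other)
    clusters = defaultdict(set)
    for addr in list(ds.parent):
        clusters[ds.find(addr)].add(addr)
    return list(clusters.values())


def cluster_of(clusters, address):
    """Return the cluster that contains the given address."""
    for cluster in clusters:
        if address in cluster:
            return cluster
    raise KeyError(address)


def exposed_history(transactions, cluster):
    """List what an observer can tie to a cluster.

    Every transaction that pays into or spends from the cluster is collected.
    Treating the inputs of the paying transactions as the owner's own sources
    assumes the cluster address was the change output of that payment.
    """
    txids, sources, counterparties = [], set(), set()
    for tx in transactions:
        touches = (cluster.intersection(tx["inputs"])
                   or cluster.intersection(tx["outputs"]))
        if not touches:
            continue
        txids.append(tx["txid"])
        sources.update(a for a in tx["inputs"] if a not in cluster)
        counterparties.update(a for a in tx["outputs"] if a not in cluster)
    return {"txids": txids,
            "sources": sorted(sources),
            "counterparties": sorted(counterparties)}


if __name__ == "__main__":
    before = cluster_of(cluster_addresses(TRANSACTIONS[:3]), "change_a")
    after = cluster_of(cluster_addresses(TRANSACTIONS), "change_a")
    print("before the combined payment:", sorted(before))
    print("after the combined payment: ", sorted(after))
    print(exposed_history(TRANSACTIONS, after))
```

Until tx4 is broadcast the three change addresses sit in separate clusters; the single combined payment is what ties the salary, the gift and the anonymous sale into one profile.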
To address all of these issues we need to disperse and mix the funds in a way that their source or destination becomes statistically indistinguishable from any ordinary transaction.
You might do that with these ingredients: discover, insurance, split and swap.
Disclaimer: this is not an advice, it’s a technological overview for all those who are interested in privacy aspects of Bitcoin. Anyone can implement this or come with even a better idea. This is not even my original idea. I recommend governments to shut down the entire network to prevent people from doing nasty things with Bitcoin. At the same time, there’s an opportunity to use this scheme by undercover FBI agents to detect anyone mixing their bitcoins. Dear reader, please obey the laws and be good, socially responsible person.
Step 1: Your wallet app discovers random nodes on the P2P network (other instances of the same app) and posts a request to launder some bitcoins. When two wallets meet with similarly sized requests, they exchange information about some of the available coins. Each of them does statistical analysis of those coins and decides if the coin is “good enough”: for instance, whether its history correlates as little as possible with the histories of the coins already owned.
Step 2: When both nodes like each other’s coins, they enter an insurance contract. Each party locks up an equal amount of coins in a single special transaction where coins can only be unlocked atomically and by mutual agreement. At the same time, each party can destroy both deposits (e.g. in case of timeout or misbehaviour of the other node). The amount of each deposit should be 200-300% of the amount to be exchanged. I wrote about such a contract here: http://blog.oleganza.com/post/58240549599/contracts-without-trust-or-third-parties
Step 3: Each node splits their coin in two parts. One part is to be exchanged now, another part is to be exchanged with some other node later. Parts of the coins should be equal. (This produces some correlation detectable on blockchain, but that’s easy to fix with multiple independent transactions instead of just one.)
Step 4: Each node tells the other an address to which to send a part of the coin. Each of them does that transaction. All the other nodes don’t know about this swap of coins and therefore cannot link them together. If your coin was “tainted” (watched by an adversary), half of it anonymously goes to someone else and in return you get some absolutely different coin. The insurance contract deters a node from receiving a payment without making a payment back. Since there is no human supervision, anyone trying to cheat the scheme will get punished by an automatic destruction of his deposit (which is worth much more than the money just received).
During one session (one insurance contract), nodes can swap more coins until they run out of coins or cannot provide each other with a statistically good ones. When the session is over, insurance deposits are unlocked and nodes go talk to other nodes.
Think about it this way: you split all your money in 1000 pieces and send them to 1000 different random strangers via regular, statistically innocent transactions. In return you get 1000 pieces from all around the world, that are not connected to each other in any meaningful way. 10 rounds splits money into 1024 portions, 20 rounds into over a million. In a short period of time you never expose more than a fraction of your funds and never receive more than a fraction of someone else’s history.
How does this address our examples?
When you receive a monthly salary payment, you mix it with 1000 random users and in return get 1000 smaller pieces. It’s like exchanging one $1000 bill for a thousand $1 bills. Then, you can go buy your coffee and no one will know how much money you have.
When you need to spend a lot of money at once, you do the same: take all your small coins, swap anonymously for other small coins and make a single payment. Your individual spending histories will be dispersed among thousands of random people. And the recipient of your payment will link together totally uncorrelated histories having nothing to do with you personally.
Finally, if some of your money is being watched (“tainted”), it will be moved to someone else completely. You yourself have little risk of getting someone else’s tainted history because you never get more than 0.1% of it due to multiple rounds of splitting.
The UI for this can be quite simple. You install a special kind of wallet, load it with bitcoins, connect to the internet and click “Mix coins”. Next morning all your coins are perfectly mixed with thousands of random strangers.
Again, this is not a ready solution, but a theoretical possibility for those who are interested in solving puzzles. Don’t use this if the law forbids it. The law is very important.
See more questions and answers in this discussion on HN: https://news.ycombinator.com/item?id=6787603
Bitcoin will eventually replace gold as a globally recognized “store of value”. Gold prices will go down 90-95% to the levels supported by the use in production as “reservation demand” for gold would essentially disappear.
When Bitcoin becomes the world money there will be little reason to own gold. Bitcoin is as limited, as fungible and as non-counterfeitable as gold. It’s even cheaper to verify, store, transfer and divide.
Gold is always as difficult to protect as it is to confiscate. It’s symmetrical. That’s why throughout history only the strongest were accumulating gold. Pirates were robbing merchants, kings were robbing pirates. In the end, massive amounts of gold are owned by the biggest governments and banks. Small folks can only reliably own as much gold as they can keep in their own hands. (In 1933 US government confiscated most of the gold owned by population as an “emergency measure” in a declared attempt to save failing economy: http://en.wikipedia.org/wiki/Executive_Order_6102)
Bitcoin is asymmetrical. It’s much cheaper to personally own it and keep safe, than it is for someone to come and confiscate it (regardless of the amount you have). If you buy some bitcoins from 100 random people, there’s no one except you to know how much you have. There’s no big shiny vault to attract thieves, no bank account for TLAs to peek into. You can perfectly back it up in 10 places, split the encryption key to 10 of your closest friends and even put some money in a “brain wallet” that has no traces anywhere at all.
A friend of mine, Steve, noted that gold-backed economy logically evolved into the mess we are now. Libertarians who advocate return to the gold standard do not realise that the gold standard was the reason of accumulation of gold in few of the world’s biggest banks and everyone else getting worthless IOUs positioned as “sovereign currencies”. Gold is heavy and expensive to handle: only the wealthiest can afford to save a lot of it. And equally to take it by force from less powerful.
Bitcoin changes all of that. Like cryptography, which gives everyone possibility to have privacy, Bitcoin gives everyone equal possibility to save money and use money as they please. Without worrying if someone takes it from them, or censors their transactions. Rich and poor can have equal protection of whatever they earned.
Yes, if someone is against you personally, they will find a way to get you. But massive-scale theft and controls become way too costly. Inflation and QE robs savers without knocking on their doors. Capital controls and bank bail-ins need a discussion with just a couple of bankers, not millions of actual depositors. Taxation happens automatically on the level of the banking system as it’s used both for storage and transfer of money. When everyone personally holds bitcoins, it’s much easier to protest against taxation if it’s unfair or ineffective, it’s possible to avoid capital controls and it’s impossible to redistribute wealth by printing more money.
Bitcoin economy is not a revolution in a sense of violent redistribution of wealth in a “fairer” manner. It is a leap forward by forgetting about how much was destroyed or stolen and focusing on how much can be preserved and protected. It’s a truly peace-making tool for the whole humanity. People who think about Bitcoin as only a money-moving tool, or a get-rich-quick scheme grossly underestimate it. It enables much more than what the web gives. The web gives us freedom to exchange information. Bitcoin gives us freedom to exchange everything.
People are always wondering how safe is buying Bitcoin if there are constant heists on exchanges and no website has perfect reputation. They draw analogy with the banks: which organisation can I trust to handle my money?
The right answer is: with Bitcoin you don’t need to hold your money on an exchange for longer than a minute. You wire your government currency to an exchange (bitstamp, coinbase, bitcoin-central, btc-e, kraken, btcchina), buy some bitcoins at a current price and move them hell out of there to your personal wallet. The exchange can be hacked next day, but it won’t matter to you. You are not storing money there anymore. Your private keys are only stored in your encrypted backups and only you know the password. As long as the applications you use are not infested by viruses or backdoors, and you have enough of separate physical backups, you are pretty safe. PS. Don’t use Windows!
Another question people ask: why can’t I simply use my Visa card like I do with the rest of my purchases? Or PayPal. The answer is because this money is never owned by you and all transfers are reversible. Bitcoin transaction is confirmed by the network and buried in the blockchain in 10 minutes. Visa transaction is reversible within 90 days. There were people who tried to sell Bitcoin (ultra-liquid asset that you can own) for PayPal (highly controlled asset that is owned by a chain of banks and payment processors). People grab your bitcoins and call PayPal to reverse a transaction (“someone stole my password!”).
People who start learning about Bitcoin should understand one thing. You don’t own your usual money. You may own paper bills to some degree, although, government does devalue them all the time by printing more of them and restricting movement of large enough sums. Your bank account you don’t own at all. Even wire transfers may get reversed, although, rarely. All your transfers are basically promises from one banker to another. The entire banking system is a complex network of mutual promises not backed by anything except desire to not break the law (yet another system of promises to reward or to punish). And these promises are being broken or revisited all the time on every level. Laws and regulations are not consistent even with each other, not only with every particular decision.
Bitcoin, on the other hand, is like air-thin gold on steroids: you can fully control your transfers and the entire network forces everyone to follow very strict rules to ensure validity of all bitcoins and the rate of their creation. The shitty C++ code of BitcoinQT (original and the most used client) is infinitely more compact, rigid, logical and consistent than all regulatory environment with millions of account managers in the entire financial system.
You can also own gold, but that ownership comes with huge costs and risks. Someone needs to guard the vault, transport the vault, verify the purity of the bars and coins. All of this makes it impossible to use gold in the global economy. Which is precisely why we arrived at the modern all-controlling banking system — it grew up out of the necessity to reduce costs of handling gold by entrusting it to the biggest vaults. To use gold as money you have to trust someone to store or transfer it for you. So you are back to the current very fragile system.
The only money you can truly own today regardless of the amount is Bitcoin.
Next Monday, on November 18th, 2013 the Congress of the United States will have hearings on Bitcoin. How it works, what it means and what government should or can do about it.
Here is a gist of what a lawmaker should understand about Bitcoin.
Bitcoin is a protocol without central managing organisation. Anyone can issue currency and validate transactions from any place in the world. Censoring transactions will be as effective as stopping Bittorrent file sharing. Technologically, Bitcoin is impossible to control or shut down (in practice and to high degree in theory too).
Bitcoin tracks every transaction in a public ledger. If you know identities of certain addresses, then a transaction between them is publicly visible and acts as an immediate proof of activity between these identities. However, identities are not recorded in the ledger and anyone can use as many addresses as they like. Many wallet applications automatically create new addresses for every transaction.
Bitcoins can be very effectively split in small pieces and mixed between large number of users thus making any statistical analysis almost useless. So far there are no easy and cheap practical ways to do that, so not many people bother. But that’s entirely possible nonetheless. Those who need to protect their privacy will do so easily as soon as some serious attacks on privacy emerge. It’s similar to how Bittorrent magnet links appeared after attempts to shut down Bittorrent trackers. Now nobody needs a tracker at all to discover available files and access them. Bitcoin mixing will become built-in feature in many free wallet applications if it will become much needed.
Bitcoin protocol rules are enforced by the entire network of millions of computers. Changing the rules by one computer will not allow it to participate in the rest of the network. If transaction is not considered valid by everyone, it will be accepted by no one.
Black market will become even bigger with Bitcoin. Everything that law enforcement cannot reach will be even safer to trade and many more activities will become possible with Bitcoin that were not possible before.
Regulations may realistically only affect law-abiding consumers and producers. And the only thing they can do is to increase friction and costs for both of them. Some legit businesses under regulations will become impossible, while others will go to the black market or foreign jurisdictions.
Forbidding Bitcoin completely is just a degree of regulation. It will have no effect on black market that will only grow, but it will shift innovative businesses to other jurisdictions, where there is more freedom. Today, Argentinian government imposes strict capital controls and inflates their currency and forces people to get dollars and bitcoins on black market. Since Bitcoins are much easier to sell and use than dollars, they are being deployed much quicker. If that continues, bitcoins and dollars will completely replace pesos in the entire economy and the government will go bankrupt.
Policymakers are interested in preserving their image of people who protect citizens and need to collect taxes to keep the government running. If one needs to keep innovation and growing wealth within a country and tax it, then Bitcoin transactions should be left as free as possible. Regulators should provide clear and simple guidelines on how to report all taxable revenues and provide assurances that businesses are free to transact as efficiently as they can, provided they pay their taxes. Anything more than that will only increase the size of black market or shift wealth to other places (thus reducing tax revenues for the government).
Countries that embrace Bitcoin will attract enormous amount of capital in a very short period of time. Countries failing to do so will quickly lose that exact amount of capital.
Some people say Bitcoin is not a good “store of wealth” because of its volatility. Since it’s not “backed” by anything, it is only good as a “transactional currency”. That is, to do some work, earn some bitcoins and then spend them in Walmart. The price does not matter as long as it’s stable enough between the moments of receiving and spending it.
Some other people say that Bitcoin is bad as a currency. It requires electricity, internet connection, it’s not good at micro-transactions, it’s not instant, it’s hard to exchange to and from government currencies, and it’s complex to understand for regular people. But as a store of value they say it’s okay. It can be safer and cheaper to store than gold, it’s hard to confiscate it, every year it was only growing in value.
Some others even say that Bitcoin growth hurts its use as a currency because people are not spending enough, but “hoarding” money in expectation of even bigger value in the future.
At least one of these groups must be wrong and, unfortunately, all of them do not understand economics at all.
For something (gold, paper, seashells) to become a medium of exchange, it must have some value and market acceptance (in addition to physical ability to transfer ownership, of course). Where does this value come from? People who do not want to hold an asset for a relatively long time do not care about its value, thus they do not have any effect on it. Only those who wish to hold an asset will decide what is the fair price for it. They are doing so for one of two reasons: either as a hedge against uncertainty in the future (who knows what you’d need to pay for next month), or as a bet that this asset will outperform alternatives (like Argentinians who buy dollars because their pesos are depreciating way too quickly).
The more people want to hold an asset (regardless of the price), the more liquid it is. Therefore, if someone offers you a payment in this asset, you are more likely to liquidate it, so you are more likely to accept it. Again, regardless of the price.
However, the supply of Bitcoins is very limited and long-term investors compete very hard for its current production. This means that every single new person who wants to hold some number of bitcoins would have to outbid not only other newcomers, but also the existing holders and their time preferences. Growing demand for a good in fixed supply has to raise the price.
This has two interesting effects.
First, growing price acts as an indicator of liquidity of Bitcoin. Since it is impossible to control the price of Bitcoin (there are multiple sovereign exchanges in multiple countries and a lot of private trade outside the exchanges), price can’t grow by a decree of a fixed group of speculators. Therefore, growing price means growing number of holders. Which means, growing number of people that will gladly accept Bitcoin from you if you do not intend to store it, but only receive as a payment from someone else.
Second, in a positive feedback loop, as more people are seeing liquidity of Bitcoin, they are getting more likely to hold Bitcoins for a little longer than usual. Either expecting a better value in the future, or as a more safe and easy way to store some cash. This, of course, increases number of people willing to hold bitcoins and thus increases the price even further.
In the end, to become a currency, Bitcoin must have value, which only comes from speculators holding it for various reasons. The more people are holding it, the better currency it is. A hot potato that no one wants to hold will never be a medium of exchange because its value does not exist.
Of course, there are some physical limits on usage as a currency. Gold is the worst currency: it’s heavy and hard to check and expensive to move and store. Paper bills are much better but still do not fly over the oceans. Banks and clearing houses even better, but historically were very expensive due to risks of fraud, devaluing, fractional reserve lending etc. Bitcoin is much better comparing to what we had. It’s much cheaper to verify the authenticity, it’s faster to fully confirm than credit cards (chargebacks within 90 days) or bank wires, it requires very little infrastructure to work (the internet, laptops and smartphones are widely deployed) and it has some useful features that other assets will never have. Therefore, Bitcoin’s biggest barrier to become a widely used currency is simply number of hands that hold it. And as we see, it is getting into more and more hands very rapidly, just like Facebook or Twitter were attracting more and more people — almost exponentially.
Some people worry about Bitcoin being “deflationary”, that it appreciates over time. They think it would make people save more and spend less, thus reducing velocity of money and economic output. That economy would come to a halt if no one spends expecting future gains.
There is a simple thought experiment for anyone thinking this way. Imagine you find yourself in an economy where more and more people do not spend their precious coins and expect the price to grow. Everyone would give anything for a coin, but never give a coin for anything.
You, as an owner of some coins, will find yourself in a pretty curious situation. Since everyone values money so much, you can command enormous economic power. When people hear you can give them a little bit of money, they will rush to you and do whatever you say. You can build new factories, feed the poor, bring water to Africa and so on. You can change the world for the better, just like you wanted all the time. Deflationary spiral then will not lead to a global starvation and misery, but to a perfect society.
Of course, you may not be alone in this desire. Someone else would try to outbid you when buying goods and services. So you two would have to share enormous economic power. If anyone else wants to reshape the world, they will join you and compete with you. Ultimately, everyone who cares about building things will do so while everyone willing to work for precious coins will happily work and save money. And then, eventually, when their money appreciates enough, they might want to do something with a small portion of it just like you did.
When the world starts using hard non-depreciating currency, people will keep savings in it instead of risky or non-liquid investments like jewelry, houses and stocks.
If the currency is programmable (Bitcoin), then the savings are programmable too.
Programmable savings can be used as a great collateral in all sorts of social interactions.
When two persons sign a contract they can mutually lock up some portion of their savings “in the air” as a collateral without using any third party for that and without relying on a powerful dispute mediator (maybe only for consultation, but not for enforcement). Each party can destroy both collateral deposits which creates an incentive to peacefully resolve disputes to mutual satisfaction.
In crowdfunded project every person on the receiving side can lock up part of his savings (that can be affected by stakeholders) before taking any amount from the fund. The collateral is released when it is “resold” to further party down the production chain.
Today directors, managers and presidents of publicly-traded companies and governments have control over not only their own money (salary and dividends), but also over someone else’s money insured only by reputation and highly inefficient government law enforcement. Programmable collateral makes it possible that every piece of resource controlled by non-owner is fully insured with real cash.
Programmable savings allow world to be much safer without any need for brutal violent intervention.
OS X is very old. Its UI framework, AppKit, is almost 20 years old (taking its roots in NeXTStep). AppKit has a lot of cruft and iterating it towards modern standards takes a lot of hard work. While UIKit was built on top of CoreAnimation from the start, AppKit had to incorporate it as an option which you can turn on and off. Or consider NSCells vs. recyclable views, or custom drawing code vs. configurable labels in UIKit.
iOS 7 shows what a complete rewrite may look like. If you want to update your app, you have to adapt it to the new look and feel. And APIs. If you don’t want to adapt, the OS ships with fully compatible old frameworks to run your app as before.
OS X can use this trick in some future release. It can add to UIKit support of keyboard, mouse, menus and windows. Make it a default environment for the desktop and run older apps on AppKit which ships with OS for compatibility. New apps would have to be compiled and released with new tools and UIKit APIs. Older apps could still be maintained with older tools and compiled against AppKit, but AppKit would not get any enhancements.
This all would help with internals. On the surface users would only notice more advanced graphics and animations similar to iOS. This won’t change much the “feel” of OS X as it would still use keyboard, trackpad and mouse. But things like buttons and scroll views would essentially be the same. Having the same toolkit for both systems would reduce hassle by 80% at least.
Of course, since OS X would run on UIKit which knows about touch already, it would be interesting to think of a practical way to enable touch on conventional notebooks and desktops (if they are still around). That is, how and why vertical screens become horizontal, and how professional interfaces with lots of mouse-friendly elements can be adapted for touch (or why it’s not needed for them). Maybe in interim, OS X UIKit would not accept touches at all, but still provide a great deal of efficiency.
The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime. Because of that, I wanted to design it to support every possible transaction type I could think of. The problem was, each thing required special support code and data fields whether it was used or not, and only covered one special case at a time. It would have been an explosion of special cases. The solution was script, which generalizes the problem so transacting parties can describe their transaction as a predicate that the node network evaluates. The nodes only need to understand the transaction to the extent of evaluating whether the sender’s conditions are met.
The script is actually a predicate. It’s just an equation that evaluates to true or false. Predicate is a long and unfamiliar word so I called it script.
The receiver of a payment does a template match on the script. Currently, receivers only accept two templates: direct payment and bitcoin address. Future versions can add templates for more transaction types and nodes running that version or higher will be able to receive them. All versions of nodes in the network can verify and process any new transactions into blocks, even though they may not know how to read them.
The design supports a tremendous variety of possible transaction types that I designed years ago. Escrow transactions, bonded contracts, third party arbitration, multi-party signature, etc. If Bitcoin catches on in a big way, these are things we’ll want to explore in the future, but they all had to be designed at the beginning to make sure they would be possible later.
I don’t believe a second, compatible implementation of Bitcoin will ever be a good idea. So much of the design depends on all nodes getting exactly identical results in lockstep that a second implementation would be a menace to the network. The MIT license is compatible with all other licenses and commercial uses, so there is no need to rewrite it from a licensing standpoint.
When you use private keys, people trust your digital signatures because they expect that you keep these keys secret. If someone steals your keys, he can impersonate you and harm your reputation. As a precaution, whenever you feel like your keys were compromised, you can publicly revoke them (by signing a message “this public key XYZ123 is now revoked” and securely timestamping it with Bitcoin blockchain). All signatures from that moment can be repudiated and you may start using entirely new private key.
Today the iPhone 5s was announced and some people started freaking out about it collecting your fingerprints and sending them to the NSA. We have a lot of documentation about how the NSA infiltrates companies to steal data or takes it using an order of some secret “court”, so these fears are not entirely unfounded. However, it’s even worse because many foreigners coming to the U.S. (and maybe some other countries too) have to give up their fingerprints at customs. Anyone who was brought to a police department for whatever reason was also scanned. Not to mention corporate security systems that have used fingerprint scanners for some years now. Your fingerprints could have been recorded in several places already.
The problem with fingerprints is that you only have one set of them and someone may damage you by impersonating you at a crime scene. Just like with private keys, when you think your fingerprints could have been compromised, you have to revoke them. The solution is not to try to cut off your fingers, of course, but to publish them as widely as possible. Then, if someone uses them somewhere, you have perfect protection: your fingerprints are no longer your private property and could not be used against you.
Of course, publishing your fingerprint will diminish the usefulness of the Touch ID sensor in iPhone 5s, but that’s the price to pay when our governments keep people in jail for decades based on some biometric evidence.
EDIT: The up-to-date version of this idea is presented here: http://oleganza.com/bitcoin-epita-2014.pdf Scripts are slightly different and take into account transaction malleability.
EDIT2: Video is available: http://www.bitcoinomie.fr/2014/02/18/compte-rendu-paris-bitcoin-startups-1/
This is a very powerful idea for our troubled times. I hope you will enjoy it as much as I do.
Our usual relationships are with those who have made some investment. Your friends demonstrated they prefer to keep friendship going, so you can trust them. Your local bakery demonstrated investment in their setup, employees and advertising and they want to earn that money back. So you can trust them with your money. Apple has invested billions of dollars in producing iPhones, so you send them your money via online store without worrying that they might take it and run. It also works the other way around: if you have an investment in your reputation, you may ask for payment up front and people will give it to you.
For some relationships this does not work. Sometimes you want to buy something on Ebay from a guy like you. You both don’t know each other, you have no interest in building Ebay reputation, but you wish you could safely come together and exchange stuff. Or, you are a freelance designer making a website for some small business in another country. Both of you have little ways to influence each others’ reputation. And if you have a disagreement, no one except you could reliably judge who was right or wrong.
Historically, this was solved in two ways: either by meeting in a crowded place in person for immediate exchange, or by going to a third party. Both approaches are very limited and unsatisfactory. In-person exchange bears high risk of being robbed on a way home and it does not work well with some kinds of services or across the ocean. Third party escrow is better, but it is very limited. It’s very cheap for a scammer to create many identities on Ebay and successfully cheat 5-10% of the time. Profit for scammer, loss for everyone else who now pays 5-10% premium. Also, escrow cannot be an expert in everything. If you have a complex or not very well defined contract (like in any intellectual job), you would never find a reputable agency to solve your problem (or, it would be too expensive). Usually, that would be a second party itself. For instance, a design studio.
So how would we solve it for two strangers?
Let’s think. We negotiate fairly well when we maintain a status quo. For instance, before making a contract, we discuss the details and can walk away being friends because we don’t lose anything but the time spent negotiating (and that time is expended by both parties, so both have an incentive to finish it sooner rather than later). But whenever one gets an advance, it may be enough of an incentive to run away without finishing the job. Another example: if we are friends and enjoy a long-term relationship, we may expect that small advances on anyone’s part are not enough to break the relationship.
Notice a pattern here?
The value of the deal should be noticeably smaller than an investment at risk.
Obviously, when none of us made any investment, we should make one. But since it is just one deal, we don’t want to make sacrifices unilaterally. We want that both of us make an investment which can be paid back to both of us at once when the deal is successfully finished.
(If you have followed my blog for some time, you already know what technology we will talk about.)
Bitcoin allows not only moving money from a person to a person securely, without risk of reversal, but it also allows expressing sophisticated contracts using its scripting language and digital signatures.
Bitcoin is the only technology that makes this possible:
This scheme is inspired by NashX, though they are acting as a third party that we try to avoid.
The cost of the procedure is 2 small exchanges of data over the internet (no encryption required), 1-2 hours of wait time till the transaction is included in the Bitcoin blockchain (not every miner includes non-standard transactions) and a small transaction fee around 5-10 cents at current prices (110 USD/BTC), regardless of the amount in question.
How will it work? Both parties should have a fancy wallet application that automates transaction creation (we are working on that). Alice and Bob agree on the amount to be locked (typically 200-300% of the value at stake). Let’s say the amount is 2 BTC. Then, Alice sends to Bob a public key and a hash of her random secret number. Bob constructs a transaction with this data and his own public key and a hash of his random number. The transaction has two outputs: one for Bob with 2 BTC and another one for Alice with 2 BTC. Bob signs his part of the transaction with the appropriate amount in the input and sends it to Alice to sign hers. Alice checks that Bob has specified all amounts and included her public key and her random number hash accurately. If the transaction is correct, Alice adds her 2 BTC in the input and signs it. The transaction is never valid until both parties sign it and the sum of the inputs matches the sum of outputs (or slightly more to allow a mining fee). Once signed, Alice sends this transaction to the Bitcoin network and both parties wait till it gets included in the blockchain. I will show the scripts in detail below, but before doing that, let’s do some analysis.
Once transaction is in the blockchain, both Alice and Bob are 2 BTC short while the value of their contract is, say, 1 BTC.
They can still negotiate on equal grounds, but now the money at risk is higher than any advance payment anyone does. If Alice sends Bob some good before receiving a payment, Bob cannot be sure that Alice would agree to unlock the deposit if Bob does not pay her. Bob has more to lose than just 1 BTC to pay her. So he pays. When both Alice and Bob get what they want, they unlock the money and the deal is over.
Of course, strictly speaking, the victim will lose less if he/she agrees to unlock the funds no matter what, but the same logic applies to personal relationships or to two businesses with equal investments. No one can be sure if the other party wouldn’t want to wait indefinitely till the conflict is resolved or destroy the investment. To know if this scheme actually works, we have to try it and see how people behave. If everyone is always perfectly rational, then people either would never steal from each other, or always steal and agree to unlock deposits and never use such scheme again. But the real life is more complex.
We can see that both parties need to have more bitcoins locked than will be moved during the contract. This may not be acceptable in some cases. For instance, when buying an expensive house. (Cannot really put 2 houses in the escrow.) But for some expensive contracts it can still work. A contract can be broken down into 10 steps when after each step the payment is made. Then, the amount of money to be locked needs to match 1/10 of the whole price.
Now, let’s see how to do that. For simplicity, let’s say we have no problem of “change” (when extra money from one input is sent back to its owner using an additional output script). Then the transaction has two inputs and two outputs.
Each input signs the whole transaction, except for another input (using SIGHASH_ANYONECANPAY modifier) to allow another party to sign their input independently without extra round-trip.
Output scripts are symmetrical and prepared at once by one of the parties. Each output sends a predefined amount of bitcoins.
AlicePK CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUALVERIFY
BobPK CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUALVERIFY
Note: please find the discussion and minor improvement to the scheme here: https://bitcointalk.org/index.php?topic=273539.0
AlicePK and BobPK are their public keys (to ensure the ownership). HashA is a SHA256 hash of Alice’s secret number. HashB is a SHA256 hash of Bob’s secret number.
Each script checks that the future transaction is signed by a proper key and that both numbers are provided: number B and number A. To redeem such a script, one would need to know both numbers. Let’s say Alice and Bob finished their business and Alice sends her number to Bob. Bob does not need to send his number to Alice because he would have to reveal it in the blockchain anyway when he tries to redeem his output. Alice then can see his number and redeem her output too. If one party is not satisfied yet, they just hold their secret number to themselves.
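The redemption flow described above, as an added example that is not part of the original post: a minimal Python model of the two output scripts. The signature check is a toy HMAC stand-in for ECDSA, the keys, secrets and transaction messages are constructed values, and all function names are assumptions of this example.

```python
import hashlib
import hmac


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Toy signature scheme (assumption of this example): the standard library has
# no ECDSA, so a "signature" is HMAC(privkey, msg) and the verifier looks the
# private key up in a test-only table. Real Bitcoin verifies ECDSA over
# secp256k1 using the public key alone.
_TEST_KEYS = {}


def keygen(seed: bytes):
    priv = sha256(b"priv:" + seed)
    pub = sha256(b"pub:" + priv)
    _TEST_KEYS[pub] = priv
    return priv, pub


def sign(priv: bytes, msg: bytes) -> bytes:
    return hmac.new(priv, msg, hashlib.sha256).digest()


def checksig(pub: bytes, sig: bytes, msg: bytes) -> bool:
    priv = _TEST_KEYS.get(pub)
    return priv is not None and hmac.compare_digest(sig, sign(priv, msg))


def output_script(pubkey: bytes, hash_a: bytes, hash_b: bytes) -> list:
    # PK CHECKSIGVERIFY SHA256 HashA EQUALVERIFY SHA256 HashB EQUALVERIFY
    return [pubkey, "CHECKSIGVERIFY",
            "SHA256", hash_a, "EQUALVERIFY",
            "SHA256", hash_b, "EQUALVERIFY"]


def run_script(script_sig: list, script_pubkey: list, msg: bytes) -> bool:
    """Run the input's pushes, then the output script, on one stack.

    Returns True when no VERIFY step fails. Real Bitcoin Script also requires
    a true value on top of the stack when the script ends; this model only
    checks the VERIFY steps.
    """
    stack = list(script_sig)
    try:
        for op in script_pubkey:
            if isinstance(op, bytes):          # data push
                stack.append(op)
            elif op == "SHA256":
                stack.append(sha256(stack.pop()))
            elif op == "EQUALVERIFY":
                if stack.pop() != stack.pop():
                    return False
            elif op == "CHECKSIGVERIFY":
                pub, sig = stack.pop(), stack.pop()
                if not checksig(pub, sig, msg):
                    return False
            else:
                raise ValueError(op)
    except IndexError:                         # stack underflow
        return False
    return True


def demo() -> dict:
    a_priv, a_pub = keygen(b"alice")
    b_priv, b_pub = keygen(b"bob")
    secret_a, secret_b = b"constructed secret A", b"constructed secret B"
    hash_a, hash_b = sha256(secret_a), sha256(secret_b)
    out_alice = output_script(a_pub, hash_a, hash_b)
    out_bob = output_script(b_pub, hash_a, hash_b)
    # Stand-ins for the digest of each spending transaction.
    msg_a, msg_b = b"tx spending Alice's output", b"tx spending Bob's output"

    results = {}
    # Input pushes, bottom to top: secret B, secret A, signature.
    # 1. Deposit locked, dispute open: Bob knows only his own secret.
    results["bob_alone"] = run_script(
        [secret_b, b"wrong guess", sign(b_priv, msg_b)], out_bob, msg_b)
    # 2. Alice is satisfied and hands secret A to Bob; Bob redeems.
    bob_input = [secret_b, secret_a, sign(b_priv, msg_b)]
    results["bob_redeems"] = run_script(bob_input, out_bob, msg_b)
    # 3. Bob's input is public in the blockchain; Alice reads secret B from it.
    learned_b = bob_input[0]
    results["alice_redeems"] = run_script(
        [learned_b, secret_a, sign(a_priv, msg_a)], out_alice, msg_a)
    # 4. An observer who saw both secrets still lacks Alice's key.
    results["outsider"] = run_script(
        [secret_b, secret_a, sign(sha256(b"mallory"), msg_a)], out_alice, msg_a)
    return results


if __name__ == "__main__":
    print(demo())
```

Step 3 is the point of the symmetric hash locks: Bob cannot redeem without publishing his own secret, so Alice never depends on Bob sending it to her.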
This scheme also allows partial unlock. If both want to reclaim 80% of the deposit, they can simply create another transaction for 20% of the amount and then unlock the first one.
This scheme was never tried before, but can be very useful in many circumstances. Examples:
Selling things in person for cash. If both parties lock 3x the price and unlock it only when both get home, there is little incentive to steal the cash (or the good) in a dark alley.
Selling anything to strangers over the internet without Ebay. One party sends a product by mail. When it’s received, buyer sends back the payment (via Bitcoin, Western Union, PayPal or wire transfer).
Not well-defined contracts with freelancers. The customer does not really know what he wants or how to do a website, so he and the freelancer lock in some amount and then have a mutual interest in being nice to each other and resolving problems using common sense.
Airbnb without airbnb: the amount is unlocked when the apartment turned out to be what was ordered and the payment is done in full. The website now only needs to put up pictures and ratings and take a fee for that.
The possibilities are endless. The same idea can apply to a group of people to agree with another group of people on something. E.g. a “social contract” where a group of neighbours hire several guards to protect their district.
The cost of such transaction is very low. There is no counter-party risk, it allows one to remain anonymous, time to register is measured in minutes and the cost is less than a dollar. If it becomes popular, more miners will include it in the blockchain, so it will become even faster and cheaper.
I myself plan to add support for such transactions in my future wallet application for OS X and iOS. I have opened a part of it called CoreBitcoin and will build on top of it. Others may try the same or similar ideas in their own applications and services. If it turns out to be useful, we can come up with a standard way to express such contracts so even more people can use them easily.
Now, what crazy idea would you build on top of Bitcoin?
PS. David Friedman responded: http://daviddfriedman.blogspot.fr/2013/08/a-bilateral-hostage-via-bitcoin.html
In this post I address issues of competing government currencies, competing private currencies, gold, silver, bitcoin and alternative “crypto-currencies”.
We all know that variety and competition is a good thing. We all want slightly different things, value the same things differently or make different trade-offs. That’s why we have a wide variety of products, prices, quality, colors and materials on the market. Interestingly, money is different. We all want one single universal money. It may not be obvious to many people, so let me explain.
How is money different from everything else? On one hand, money is just an asset. You can produce, buy, sell or hold it. On the other hand, money is a medium of exchange. It allows you to trade your 8 hours in the office for a new iPhone. It also allows you to delay a consumption decision. You can spend 8 hours of work today, but then be free to decide when and for what to spend your salary. If suddenly you need to buy a ticket to Hong Kong, you can do it without working an extra couple of hours to earn it.
The function of money is to exchange the widest variety of products between each other. iTunes credits allow you to choose between many songs. This makes them money to some degree. But dollars are even better money because they can buy all those songs, but also a myriad of other things as well. Therefore, people tend to keep savings in dollars, not in iTunes credits.
It seems obvious that the best money is the cheapest and the most widely recognized and accepted one. Cheapest in a sense of handling it. If your money is a huge stone you have to carry around, it is more expensive than a small gold coin (provided they both have the same price in terms of goods they can buy). Piece of paper named “gold certificate” could be even cheaper than gold itself, but carries a risk of fraud, so in some cases it could be even more expensive to hold than the gold itself.
For a huge part of the civilized human history we used two metals as money: gold and silver. They were not perfect, but universally accepted and recognized. All other things like seashells, diamonds, IOU papers were less universally recognized, so they were naturally used in some very niche markets while everyone was keeping cash in gold or silver.
Both gold and silver were durable, easy to verify, easy to cut and melt together, compact enough to be stored and moved around cheaply. And they were very hard to obtain, so there was very low inflation cost (every new gram of gold created eats into everyone’s savings because it increases the purchasing power of its owner compared to everyone else around). Other things were either easy to produce, or not durable, or hard to split in arbitrary parts.
Why did gold not outcompete silver? Or vice versa? That’s because they both had weight. For small purchases gold would have to be split in tiny difficult to handle pieces, while to make big purchases one would need to move several kilograms of silver compared to a much smaller amount of gold. This naturally created two parallel global markets: one for small purchases where the silver was used (and small droplets of gold would be impossible to handle) and another market for big purchases where silver was too heavy, so the gold was used instead.
Make a thought experiment now: if there was a gold-like metal that allowed moving both big and small amounts equally cheaply, it would be useful on both “small” and “big” markets. Thus it would be more marketable (more exchangeable) which by definition would make it a better money. Better than gold and better than silver. People would then tend to keep their cash in that magic metal because it would allow them access to bigger variety of goods: from bread to houses. And they would not lose money on conversion rate like when they sell some silver for gold or the other way around.
There was a competition in private coinage. Kings and private merchants were making their own coins in gold and silver and selling them for a premium. The well-recognized coin was easier to store and to verify if you trust the issuer. Instead of measuring each coin, you could simply read the number on its face. Names like “dollar”, “pound sterling” and others were all names for private coins or bullion and meant a particular weight of the metal. That is, dollar was not some sort of separate money, it was simply a name for a certain amount of silver, like “gram” or “ounce”. The money was still the same — gold or silver, but there was a big variety of shapes of that money.
Of course, gold and silver were still quite limited. You could not drop a bag of gold across the ocean. That’s why people invented banking. Bank was simply a warehouse for your metal. You give them gold, they give you a receipt. Then, if the bank had good reputation and connections with other banks in the world, you could transfer those receipts of any face value quite cheaply anywhere. The only real cost was trust in those banks. Because if the bank is robbed or steals your metal, your receipt becomes worthless. If the bank prints additional receipts for the same amount of metal, the value of your receipt goes down proportionally (or you face a risk of bank run, when more people try to redeem their receipts than is available in the vault).
In old days, private currencies were simply those receipts for gold or silver. Each currency could have different name and different reputation. Bigger bank’s notes had more value on the market because they had less risk associated with them and as a result, wider acceptance. But ultimately, they all were receipts for the same metals that you could redeem at any time and move to any bank or under a mattress. Because people valued receipts only for their ability to represent readily accessible metal. Without the metal, those pieces of paper would be worthless.
Today things are different. After several huge economic disasters created by the governments of Russia, Europe and U.S. in the beginning of 20th century, we now have state-issued money in almost every country with a nice twist that now the money is not redeemable for metals. People use that money, though, because various controls and regulations make it almost impossible to use gold, silver or respective certificates in daily transactions. Every bank needs expensive license and must not be very creative at what it can offer to its clients.
Dollars can buy things in U.S., euros can buy things in E.U., but if you try to use them in inappropriate places, you would have to pay very high conversion fees. (Setting up your own clearing house or exchange with the lowest fees is not possible due to regulation.) It should be clear now that if, for instance, U.S. Dollar can buy more than Russian Ruble, Russians would tend to use Dollars in daily life. The reason why it does not happen anymore (it used to during liberal times in the 1990s) is stricter controls on currency exchange that make it illegal to price goods in dollars and expensive to exchange currencies frequently. For the same reason, gold and silver are not used: they are too expensive or illegal in some contexts, or there is a huge risk and cost on those who are going to store them. Several years ago, Liberty Dollar, alternative silver-based currency was shut down and all silver was confiscated by U.S. government. Founder was pronounced guilty of “making, possessing, and selling his own currency”.
Here we do not discuss whether it is good or moral to make your own currency or store other people’s money. The point is about demand for a single, most universally accepted money. If gold, silver and foreign currencies need violent intervention to not be used, it’s only a proof of existing demand. Because if there was no natural demand, no government would care setting up restrictions in the first place.
Now we enter crypto-currencies. It is a fancy name for Bitcoin and its many clones based on the same source code. Bitcoin itself is very different to ubiquitous government money, application-specific “credits” (like in multiplayer games) or gold and silver. It is absolutely digital, does not have a single controlling entity and is very cheap to store and transfer both huge and tiny amounts of money. This property makes Bitcoin very useful on certain markets: be it illegal market, or “sending money to family in another country”, or a market where banking is unavailable or too expensive.
What about alternative Bitcoin-like currencies? They all provide the same security risks and benefits. Nominally, they all have different divisibility (so called “larger number of coins”), but at the scale of trillions of smallest units in total money supply extra divisibility does not really matter.
Economically, all Bitcoin clones (altcoins) have the same problem: they all have much smaller market exposure than Bitcoin while not being technically superior. When people decide in which one to keep their money, they would keep it in the money with the biggest market. There is no point in “diversification” in the long term. If Bitcoin fails for some reason, all its clones fail for the same reason automatically. If Bitcoin works well, any amount in altcoins is simply inferior in its purchasing power. It does not mean there won’t be any market. You can always keep some empty plastic bottles for selling later, but the bottles can only buy cash, while cash can buy anything.
Second problem of alt coins is mining. In the long term, any miner will throw 100% of computing resources into the most profitable currency. Even if Bitcoin is only 1% more profitable than Litecoin, since there is no fundamental difference between them, all the resources will be thrown into Bitcoin. In the short term, there are plenty of enthusiasts who find themselves equipped with a lot of outdated GPU hardware that was once used for Bitcoin, but now cannot compete with specialized ASIC hardware. These people now mine Litecoin in short-term expectation for any amount of reward. It is sort of a private club of people trading in their own funny money. All new miners devote all their energy to Bitcoin, while people who will sell or retire their GPUs will make Litecoin network weaker and less technically stable.
In the end, it is clear that we want the single money to be able to sell anything and buy anything. We all want it to be cheap to store, move and verify. And secure. With as little trust in middlemen as possible. Today we find ourselves with a lot of artificial barricades in the sphere of money, which causes artificial demand for various local currencies. Gold is being seized or moved from the country. Foreign currency is prohibited for merchants to price their goods at. Legal tender laws force you to accept government-issued currency as a payment for debts. Regulations and licensing limit variety of private currencies or money substitutes. But all that trouble only proves almost universal desire to use the single virtual entity for buying food and saving for the future. Bitcoin gives us a mechanism to overcome all these regulations and trade as freely as was ever possible. Maybe it will allow us to achieve that single, most marketable entity that we all so desire.
A moral argument must be universal, or it’s just bigotry.
“If you do nothing wrong, you have nothing to hide” either applies to everyone, including those who snoop around, or is not a moral argument.
“Thou shalt not kill” either applies to everyone, or it’s a lie to let some people kill others without much resistance.
History of the world shows that really universal activity never had any moral commandments (e.g. “thou shalt eat”). History is full of people who use moral arguments to use other people. Starting with ancient religions till nowadays with laws, bills and constitutions.
Therefore, almost any moral argument you have ever heard or will hear is not a real universal argument, but an instrument using which some people want to hold you by the balls.
When no one steals, it’s easy to be a thief. If somebody is stealing from you, then you either put on a bigger lock, or you figure out why so many people hate you so much. That’s why only a thief will go to great lengths to educate people not to steal, to have a whole territory open only to him.
You don’t have a “right to privacy”. Rights are an invention of the rulers. In your normal life you connect to people on a “be nice” basis. You tolerate their oddities, they tolerate yours. You try to stay closer to people you like and farther from people you don’t like. There is no black and white morality. People in Texas love carrying guns, but I don’t. So what? I simply do not live in Texas.
If you believe you have rights, you are supporting a person who wants to enforce such a right using a threat, not a dialog. If you hate that someone’s watching you, simply close the window. Do not go and demand even more violence to be directed at “bad guys”. In that case you would simply add to an uncontrollable chaotic killing structure operated by maniacs.
Do not like stealing? Close the door. Do not like people reading your emails? Use crypto. Don’t like violence? Do not be violent, avoid bad districts, do not go rioting on the streets to be killed by the mob or cops. Don’t like some people? Avoid giving them anything voluntarily. Tell others to boycott them. Do not like what banks do with your money? Use some other money. Do not like uneducated people? Educate them nicely, so they would want to listen. Need support? Go, ask for it. Hedge the risks, save for a rainy day, be careful and respect people around you.
But don’t be afraid of being angry when people attack you. Don’t cover for someone’s lies. Look truth in the eye. Your emotions are real. If someone’s kicking you, protect yourself, expose the lie covering it. Do not look for a conflict, avoid it. But never lie to yourself and others about what is going on.
You just installed a Bitcoin wallet and received your first 10 bitcoins. Do you think you can easily spend these 10 bitcoins in 10 shops during a visit to a mall? Not really.
Bitcoins do not exist as individual items. Once you have received your first bitcoin payment, all you have is a single “transaction output” that you can spend. Once spent, it is no longer valid. In its place you’ll have two new outputs: one as a payment to someone else and another one as “change” sent to yourself. To pay the second person you need to use this new output (the “change”). But this new transaction will not be accepted or even relayed by the network before its parent transaction (your first payment) is included in the blockchain. So to make a second payment you’d have to wait 5-15 minutes until the first one is included. And to make another one, you’d have to wait another 5-15 minutes after that.
In addition, if you try to send a small amount from a relatively “fresh” output, people will ask for transaction fees to relay or mine your transaction. This is done to prevent DDoS attacks on the network. If you wait 24 hours after creating a new “change” output, you can send it for free, but doing so earlier will result in unpredictable and lengthy delays. Although the usual transaction fee is very small at current prices (around 5 cents), you’d still have to wait for all previous transactions to be included in the blockchain before you can successfully publish another transaction.
In a sense, you may call a single output a “coin” (with some amount written on it). The more “coins” you have, the cheaper and faster your transactions will be. Think of it like having a single $50 bill when you need a quarter to pay for parking. You’d need to go somewhere to exchange that $50 for smaller bills and coins. Unlike real coins, transaction outputs are not displayed in any wallet app, so you don’t know in advance how many transactions you can make. And even if they were displayed, it would add unnecessary complexity for the user.
This side of Bitcoin obviously sucks, but can be managed easily.
First, you may ask to receive money in multiple outputs. E.g. if you receive a big monthly payroll, you may ask the sender to pay you in a single transaction with 10–20 distinct outputs, so you can spend several of them right away. They all may use the same address and your wallet will figure everything out automatically. The only thing you’ll notice is that you don’t have to pay extra or wait longer to get a couple of simultaneous payments through.
Secondly, you can split your money into multiple outputs yourself. This gives the same result as above, except now it’s you who pays the transaction fees (fees are calculated per kilobyte, and for the smallest transactions they are rarely required).
Third, your bitcoin wallet can keep track of your spendable outputs and, if it is running short of them, add an extra “change” output to the next transaction to increase the number of outputs. I don’t know if any of the existing apps can do that already.
Also, a bitcoin wallet can make automatic transactions on your behalf, using rarely needed outputs to split them into a more useful collection of different “denominations”. It can also mix these coins with other users’ coins to increase your privacy (so that random merchants wouldn’t know how much you have in your pocket).
As of today, people don’t pay ten times a day with Bitcoin, but when this happens, we will need an automatic solution to have our transactions relayed quickly and cheaply. Hopefully, developers of bitcoin wallets will take note and think about solving this problem.
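The effect of the number of outputs can be seen in a small simulation. This is an added example, not code from the original post or from any wallet: it models the relay rule exactly as described above (change is unspendable until a block confirms it), ignores fees and dust limits, and the names `Wallet`, `target_outputs` and `burst` are hypothetical.

```python
from dataclasses import dataclass, field

BTC = 100_000_000  # satoshis per bitcoin


@dataclass
class Output:
    amount: int              # value in satoshis
    confirmed: bool = True   # is the parent transaction in a block yet?


@dataclass
class Wallet:
    outputs: list = field(default_factory=list)
    target_outputs: int = 1  # hypothetical policy knob: outputs to keep on hand

    def pay(self, amount):
        """Spend one confirmed output on `amount`; False means 'wait for a block'."""
        usable = [o for o in self.outputs if o.confirmed and o.amount >= amount]
        if not usable:
            return False
        coin = min(usable, key=lambda o: o.amount)   # smallest output that covers it
        self.outputs.remove(coin)
        change = coin.amount - amount
        if change:
            # Split the change into extra outputs when the wallet is running short.
            n = min(change, max(1, self.target_outputs - len(self.outputs)))
            base, extra = divmod(change, n)
            self.outputs += [Output(base + (i < extra), confirmed=False) for i in range(n)]
        return True

    def confirm_block(self):
        """A block was mined: every pending change output becomes spendable."""
        for o in self.outputs:
            o.confirmed = True

    def balance(self):
        return sum(o.amount for o in self.outputs)


def burst(wallet, amount, attempts):
    """Count back-to-back payments that go through with no block in between."""
    return sum(wallet.pay(amount) for _ in range(attempts))


def demo():
    single = Wallet([Output(10 * BTC)])                      # one 10 BTC output
    payroll = Wallet([Output(1 * BTC) for _ in range(10)])   # same sum in 10 outputs
    refill = Wallet([Output(10 * BTC)], target_outputs=5)    # wallet that splits change
    first = burst(refill, 1 * BTC, 5)   # still limited by the single starting output
    refill.confirm_block()
    return (burst(single, BTC // 2, 10), burst(payroll, BTC // 2, 10),
            first, burst(refill, BTC // 2, 5))
```

`demo()` reports, in order, how many payments succeed in a row for the single-output wallet, the ten-output wallet, and the change-splitting wallet before and after its first block.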