This is a very nice article about several Bitcoin protocol improvement proposals (BIPs), but it also explains how scripts work.
The last post was filled with different ideas and did not clearly show the single principle behind them. Here I will try to explain it with a simple example.
Imagine you are selling apples. You are selling, say, 100 apples per day for $1 each. Suddenly the demand for apples grows. People want to buy more than 100 apples per day. If you haven’t yet increased the supply of apples, people will try to outbid each other. Say, the most prominent apple lovers are willing to pay $1.5 per apple. For you it means an immediate increase in revenue: up to $150 per day instead of $100.
For a minute let’s suppose that your apples are special and you have no competition. Will you earn even more if you increase the supply of apples? You cannot really know in advance because you never know the “demand curve” (because it does not really exist and demand changes over time). On one hand, your revenue may drop: more apples mean less competition for them and a lower price. On the other hand, the price may get lower, but the increase in purchases will be greater, so the total revenue would be even bigger. Also, if you reduce supply to 10 apples per day, it does not mean that you will find customers willing to pay $15 or more to make a bigger revenue. Maybe at some point they’ll buy something else or abstain from buying at all.
The important point is that the only way to know the best price and the best amount of supply is to try different amounts and settle at the optimum point. In other words, when demand grows, you should always be able to increase the supply to see if it increases your revenue or not. If it does not, you may lower the supply back to optimal amount.
Back to the block size. Today, miners and customers do not hit the limit of 1 Mb per block. The limit virtually does not exist (blocks are typically under 250 Kb due to optional limit). The limit could be 100 Gb and the blocks would still have the same size we have today. So nobody would take the risk to change the rule because the rule does not affect anyone.
Fast forward a year or two from now: the amount of transactions is growing. If the miners do not find it efficient to send bigger blocks (due to bandwidth latencies causing more orphaned blocks, or storage costs, or time spent on verification or something else), they will not send bigger blocks. So the limit still would not matter. But if they find it efficient to send blocks up to 1 Mb in size, they will “feel” the limit. Block size cannot be arbitrarily increased, so transactions will begin competing for a place in the block. Transaction fees will rise. But we don’t know how much they will rise. At some point, for some people it would be cheaper to use external clearing houses that will offer lower fees and sync with blockchain less frequently. For miners that would mean uncertainty. How much would they earn in fees if the block size can be increased? Will they have bandwidth problems? Will they have bigger or smaller revenue? The only way to know for sure is to try, but you cannot try it unless you increase the limit. So they would naturally be motivated to increase the limit to be allowed to find an optimal block size.
Who else would be motivated to do so? Customers, of course. They would like to pay lower fees for non-mediated transactions instead of relying too much on clearing houses. Even clearing houses would like to have a bigger limit so they pay lower fees. Because clearing house provides additional service of instant confirmation (vs. 10-20 minute confirmation by the blockchain) and there would always be people willing to pay for that service. In addition, clearing houses may provide arbitration and many other extra services. In other words, everyone who creates raw transactions is interested in having lower mining fees.
The only people at a disadvantage are nodes that have bandwidth/storage problems. Those who mine on lower bandwidth have the same economic disadvantage as those with a slower computer. The fastest miners earn more and that’s what matters for clients. It is absolutely the same as with people who mined on a single GPU and now have to switch to ASICs or drop out. The non-miners would have to compare their costs of delayed validation with the costs of upgrading their network. If they choose a slow network and delays, their customer base will be limited: customers who want faster validations will switch to faster competitors. In the end, if the majority of miners and other users see it as economically more profitable to try bigger blocks, they will switch and the minority would have to adjust. But since there is some level of uncertainty here, the limit will never be abolished or raised too much. Most probably, it will be increased by a factor of two, so everyone can easily calculate their costs and risks. And if the 2 Mb block turns out to be too expensive, miners would simply create smaller blocks until we have better networks or faster computers.
And the last point: the hard fork does not imply that everyone should switch some other rules at the same time. Updating software is not that expensive. It is expensive to come to a consensus. And the more stuff you put into a proposal, the harder it will be to get a consensus. However, if people feel the need to update two simple lines of code and bump the limit from 1 Mb to 2 Mb, it will be much easier to come to an agreement. And repeat again when necessary.
Summary: no one will change the block size limit until it is reached. And when it is reached, Bitcoin users will switch to a slightly higher limit (e.g. from 1 Mb to 2 MB), so everyone can try and see if it is profitable. If it is not, then miners will simply mine smaller blocks. But if it is profitable, more transactions will go through, until we hit the limit again and repeat. Most probably, the block size limit will never be abolished because of the fear, uncertainty and doubt that people generate in a hard fork discussion.
Bitcoin blockchain has a built-in limit of 1 MB per block of transactions. Bigger blocks are rejected by other nodes as invalid. This means that at 10 minutes per block and with average transaction size of 400 bytes, Bitcoin network registers about 40 transactions per second.
The limit was set in place initially to make sure that the network is not spammed with huge blocks with useless transactions when people were just starting playing with Bitcoin and mining blocks was possible on personal computers. Huge blocks could lead to excessive use of bandwidth which could lead to higher percentage of orphaned blocks due to higher synchronization delays. There was no empirical proof for this limit, it was mostly an intuitive safety mechanism, “good enough” in the short run. Satoshi, the initial developer, suggested that the limit is temporary and should be raised or removed once the network becomes more powerful and could sustain larger amount of transactions.
It is important to keep in mind that the limit was almost never exercised. So even if there was no hard limit, the blockchain would not grow faster. It was just a precaution. (Assuming the soft limit of 250 Kb, which is not enforced, would still be there.)
Today the number of transactions is steadily growing and may hit the block limit within a year or two. So people have started discussing whether the block size limit should be raised, eliminated or if there should be a scheme to adjust it dynamically. To change the limit, a consensus will be required. More than 50% of nodes running the full chain must agree to a new rule to switch to it.
What are the factors at play?
Some people fear that if block size will become unlimited, miners will include a lot of spammy transactions, eat everybody’s bandwidth, fees will get lower (thus undermining sustainability of the blockchain in the future) and some miners with poorer connection will be forced out of the market which is supposedly unfair to them.
In reality though, Bitcoin, like any other free market, has nothing to do with fairness, but everything to do with mutual satisfaction of self-interests. Miners are motivated by increasing their revenue in the short term as well as securing their investment and raising the value of BTC in the long term.
Is there any natural limit on the block size? Sure there is: it is network bandwidth and the costs of storage and transaction verification. The more transactions you need to verify and transmit, the higher your operating costs and (most importantly) the higher the risk of orphaning a block. If the block is too big to be distributed and verified by other peers, the risk of somebody else creating a shorter block in parallel gets higher. If the shorter block gets validated by majority faster than the longer one, the latter will become orphaned. Orphaned blocks mean immediate loss of time and money for miner, and since transactions are rescheduled and delayed, frequently orphaned blocks undermine market value of miner’s savings.
Miners already can choose any block size within the limit and many use the default soft limit of 250 Kb. If it was profitable for some of them to create bigger blocks, they would do that already. Since they do not, it shows that there are market forces at play and hard limit does not matter yet. Even if it was 100 Mb, the blocks would still be compact.
As the base reward is still comparatively big (25 BTC till 2017), miners are even more likely to keep the blocks as small as possible without hurting the market price. Transaction fees contribute 1.12% of the revenue, while bigger blocks with more transactions increase the risk of losing 25 BTC. As time goes by, more transactions would compete with the 25 BTC reward, increasing average transaction fees. Increasing fees will motivate miners to allow slightly larger blocks (until the risk of losing the reward is balanced by the amount of fees). Halving days would only increase motivation to include more transactions. And as blocks and fees get larger, miners would take care of ensuring better connectivity to keep the risk of losing blocks low.
It is true that the miner cares about propagating the block as fast as possible to reach the 50%+ of other miners. Some people think the bigger block sizes will favor miners with better connectivity and poor miners somewhere in Botswana will be out of luck. This is shortsighted speculation. A miner with slower connection can always create smaller blocks than other miners to compensate for the connection problems. If it is not profitable for him, it’s not a problem of other users. If I want to mine from a middle of Siberian forest, no one has any obligation to respect my decision. It is entirely possible that in the future 90% of mining will happen in Iceland where the electricity is cheap. There could be great connection between miners, blocks could be bigger and allow a lot of transactions to be put in with lower fees. The rest of the world could download the whole chain without worrying about its delays and sizes. If you want to verify it yourself, just pay for the bandwidth and storage. There is no real threat that by being closer to each other, miners will form a cartel (they can do that today already). Even if they do, arbitrarily raised transaction fees would lower the market value of their own savings, and also any member of cartel can undercut everyone by dropping his fee requirements and earning much more than the rest of them.
What about poor geeks on slow connections with old clunky hard drives that protect our freedom by chatting on Bitcoin forums and sharing 0.0001% of a mining pool? They would need to adjust. Just like CPU miners were losing to GPU miners, and both of them — to ASICs, they would need to adjust to a bigger blockchain. This does not hurt anybody’s freedom except their own. Millions of regular customers would never bother downloading blockchain. They would either trust others, or use escrow payment systems anyway. And those people will provide real value on the market and will make sure that they have their connections faster, drives harder and operations as cheap as possible. Being a lonely chatty geek in Botswana does not bring any value to anybody.
If the miners hit the block limit, it would only mean one thing: there is a desire to process more transactions, but historical untested agreement does not allow it. Then miners and other full nodes will either raise the limit (the smaller the increment, the bigger support it will have), or transaction fees will go up as people compete for the space in blocks. As transaction fees go up, not only miners, but also regular users and service companies using the full blockchain would desire increment of the limit. So it will be even easier to achieve a consensus about raising the limit.
My prediction is that the block size limit will probably never be abolished, but will be constantly pushed up by a factor of two as amount of transactions approaches the limit. Maybe after a couple of updates, people would decide that it’s safe to abolish the limit completely if it is cheaper to account for it, than to have uncertainty of a hard fork.
There is no philosophy in Bitcoin. It is not anarchic, libertarian, Austrian or anonymous. It is just an internet protocol and a bunch of people that use it to transact between each other.
The protocol has purely technical and monetary measures to prevent spam, DoS, double spending and reversal of transactions. Transactions themselves do not advertise their purpose or identities of people involved.
It is not “against Bitcoin spirit” to have non-anonymous service built on top of Bitcoin. It is not a “hack” to use Bitcoin addresses generated not from random numbers, but from document hashes to implement secure document timestamping.
You can do whatever you want with Bitcoin as long as your transactions are compliant with the protocol and you pay the fees when needed. You can use it as a currency. Or as a payment system. Or as an investment. Or not use any of its monetary properties whatsoever, but use it to register predictions about the future. You can use it in clear to accept donations for a good cause, or you can use it through Tor network to buy illegal stuff. You may require others to identify themselves before accepting payments, or you may allow your customers to hide their identities from you. After all, you can avoid the whole thing completely and live a happy life.
If there is a single philosophical thing about Bitcoin, it is this one: voluntarism. On the internet, across oceans and thousands of walls, you cannot force another person to do what you want. And neither can he or she. Therefore, to make a deal with another person, you have to negotiate and find consensus. And if you envision risks and potential problems, you are free to creatively find voluntary solutions to them, which will also be part of negotiation. No amount of unilateral declarations, laws or appeals to objectivist philosophy will make another person send you bitcoins. Only negotiation and reasoning give you a chance to get what you want.
Murray Rothbard, “What Has Government Done to Our Money?”
Economists err if they believe something is wrong when money is not in constant, active “circulation.” Money is only useful for exchange value, true, but it is not only useful at the actual moment of exchange. This truth has been often overlooked. Money is just as useful when lying “idle” in somebody’s cash balance, even in a miser’s “hoard.” (At what point does a man’s cash balance become a faintly disreputable “hoard,” or the prudent man a miser? It is impossible to fix any definite criterion: generally, the charge of “hoarding” means that A is keeping more cash than B thinks is appropriate for A.) For that money is being held now in wait for possible future exchange—it supplies to its owner, right now, the usefulness of permitting exchanges at any time—present or future—the owner might desire.
It should be remembered that all gold must be owned by someone, and therefore that all gold must be held in people’s cash balances. If there are 3,000 tons of gold in the society, all 3,000 tons must be owned and held, at any one time, in the cash balances of individual people. The total sum of cash balances is always identical with the total supply of money in the society. Thus, ironically, if it were not for the uncertainty of the real world, there could be no monetary system at all! In a certain world, no one would be willing to hold cash, so the demand for money in society would fall infinitely, prices would skyrocket without end, and any monetary system would break down. Instead of the existence of cash balances being an annoying and troublesome factor, interfering with monetary exchange, it is absolutely necessary to any monetary economy.
It is misleading, furthermore, to say that money “circulates.” Like all metaphors taken from the physical sciences, it connotes some sort of mechanical process, independent of human will, which moves at a certain speed of flow, or “velocity.” Actually, money does not “circulate”; it is, from time to time, transferred from one person’s cash balance to another’s. The existence of money, once again, depends upon people’s willingness to hold cash balances.
In Bitcoin all transactions and balances are visible to everyone. If you want to spend someone else’s coins, you just need to pick any unspent transaction, figure out a secret key and make another transaction moving money to some of your addresses. How hard can it be?
First of all, all transactions use elliptic curve crypto for creating public/private key pairs (ECDSA). The idea is that it is easy to compute a public key from a private one, but very hard to do it in reverse. Unfortunately, we cannot know for sure that in the future we will not discover a relatively fast way to find private keys. Also, there is already an efficient quantum algorithm to do just that (provided you have a big enough quantum computer).
But ECDSA public keys are not exposed. Every publicly visible address is a hash of a public key, not the key itself. More specifically, the public key is hashed with two algorithms: RIPEMD160(SHA256(pubkey)). If you wish to spend money from any given address, you not only have to find a private key, but also find a public key which produces the exact same address. This is called a “preimage attack”. (Pedantic note: if you spend coins from an address, you expose its public key, so it is one more reason not to reuse addresses, but always generate new ones for accepting payments.)
Obviously, two different hash functions are used in case one of them becomes weak to preimage attacks. Let’s say you have an efficient way to find preimages for RIPEMD-160 (faster than brute force). Then, you would have to attack SHA-256 in order to find its preimage. And even if you succeed there, you will have to start searching for the ECDSA private key matching the SHA-256 preimage you have just discovered.
The interesting question is why these two specific hash functions were chosen. RIPEMD160 is nice because it produces the shortest possible hash among non-broken hash functions (which makes the address as compact as possible). But I couldn’t find any definitive answer as to why there is a need for SHA-256 as well, so here’s my understanding.
Both algorithms are widely used and no weaknesses have been found in them yet (although there are known weaknesses in the reduced versions of them). Moreover, SHA-256 was designed in the US by NIST while RIPEMD-160 was designed at KU Leuven university in Belgium. In other words, both functions come from very different places and were designed for different customers. This reduces the likelihood of finding a common weakness and also acts as a precaution against a potential backdoor left by the US or EU.
In the end, all coins are available for everyone to inspect, but each address is protected by 3 independent unique algorithms. So if there is an intentional or accidental weakness in any of them, the other two are likely to remain strong.
When talking about money, people usually say something like “money has no or very little direct use value and is only useful as a medium of exchange”. For instance, you value your silver spoon for its immediate use during the dinner, but the dollar bills do not have any value in themselves — they are useful only when there are other people around who are willing to trade some of their stuff for these bills.
Generally, people perceive Bitcoin as currency which makes them think that the same arguments about its value apply. That is, in itself Bitcoin is some digital dust which can only have value as a monetary instrument. But that’s not the case at all.
Bitcoin network has very interesting properties that allow you to use it not only as a currency. For example, the block chain (decentralized transaction history) is designed to be extremely hard to forge and very easy to verify. This, with some crypto features, allows it to be used for secure time-stamping, proving ownership of tangible property, decentralized DNS and new ways to sign contracts without having to fully trust any one party. Some of these things are already possible using existing software, some require already planned and compatible modifications.
These things are not possible with any commodity-based currency (metals or paper bills), but possible and very easy to use with Bitcoin. Just think about it: in case of a contract dispute, you can provably verify the details of some contractual agreement in a matter of seconds across the ocean to anyone, without sending paper documents with ink signatures by mail. The only requirement for this is to leave a trace of your contract up front in the Bitcoin block chain by making a small transaction back and forth to an address, uniquely derived from the document contents. It costs almost nothing, can be done in a minute and the trace cannot be forged or erased by anyone in the entire world.
Edit: rephrased a couple of sentences according to the comments on HN.