Oleg Andreev

(… apart from not being shut down by the financial authorities :-)

Normal people should never hold all their coins on exchanges. Day traders, however, by the very nature of their business, have to keep as many coins as possible all the time on exchange to be able to trade with maximum liquidity.

Regular audits and fancy proofs-of-reserve (e.g. https://www.kraken.com/security/audit) are helpful to keep traders feeling good, but do not help much the minute when funds are actually stolen. You cannot really steal anything from NYSE — both stocks and dollars are virtual items on books at public companies; all transactions can be frozen or reversed (see also http://blog.oleganza.com/post/67362431718/you-can-own-bitcoin-you-cant-own-your-dollars). However you can steal bitcoins and own them for real. When there’s the right amount of money deposited on the exchange, however licensed it is and however public its owners are, there is a real risk they take all the funds and run (and easily buy cops, politicians and other sorts of protection on their way). Once funds are stolen, there is no one who can give them back to the traders. I doubt we’ll ever see an insurance company promising a refund of a significant portion of stolen funds. It would rather be a warehouse service, but it would either have funds locked in a multisignature transaction with their clients (which prevents instant trading), or they would have all funds held by themselves, which brings us to the original problem.

What we need is a realtime protection for the deposits, allowing partial control over funds by traders (so operators of the exchange cannot take all of the funds), but at the same time allowing quick off-the-blockchain exchange (within a millisecond). It won’t be ever as fast as the state of the art HFT systems, but those never deal with irreversible assets. The important outcome is that traders need real protection against theft (not just a promise from a police department). This will allow much bigger amounts of money to be traded safely, making the entire market more liquid and prices more stable.

I don’t have a ready solution for this, but one idea is to utilize a group transaction similar to one used in p2pool — a peer-to-peer mining pool, where reward is split fairly between all members as they search for hashes without trusting a single server to distribute the reward. Traders may have their money locked with the exchange in a 2-of-2 multisignature transaction, so both parties (trader and the exchange) must decide how the funds can be spent. As usual, an exchange will keep the order book and match trades. However, to actually ensure that coins are transferred from the seller to the buyer, exchange will require traders to sign off a part of a bulk transaction that moves the coins between accounts. This transaction (or a chain or a tree of transactions) would get mined from time to time to ensure new distribution of funds. But even before it is actually mined, a buyer would have a cryptographic proof of owning some bitcoins and will be able to broadcast such transaction at any time. If exchange builds a complex tree of unconfirmed transactions, it would be wise to partner with some mining pool to include those transactions at once and not allowing malleability issues to break the references.

To prevent man-in-the-middle attack, exchange would publish anonymous tree of all active traders, their balances and their public keys in real time, so every trader can check that they are included and thus can trust that they do not sign money to the exchange itself, but to actual buyers. Additionally, traders can verify public keys of each other independently, via other services.

The scheme would also have an unusual requirement: traders must have their computers always connected to the exchange, otherwise their orders couldn’t be possibly matched and would be kicked out of the order book. But that’s not a concern for professional traders as they stay connected all the time anyway (at least, trading bots are).

Like I mentioned, this is just a rough sketch and it may very well not be viable. But the problem is out there and it is very important: enabling rapid trading of bitcoins without fully entrusting them to a centralized counter-party.

Lets invent a good altcoin with a real chance to take off and maybe even replace Bitcoin.

We will design a new scripting engine, mostly backwards compatible with existing Bitcoin scripts, but it will have some bugs fixed and new features: “strip” opcodes and checks on canonical encoding of data and signatures to prevent malleability, references to past and future transactions (so we can lock up outputs for a specific future transaction), improved SIGHASH_* flags and some additional ones, enabled more complex arithmetic and boolean opcodes, isStandard checks replaced by a dynamic mining fee requirement proportional to complexity of opcodes and memory used (inspired by Ethereum), Ed25519 signatures, blind signatures/accumulators like in Zerocoin and even Lamport signatures to allow swift transition to post-quantum crypto if needed.

This scripting engine should be implemented for all major Bitcoin implementation platforms: C++, C, Ruby, Python, Node.js, Objective-C and Go.

This altcoin will use standard Bitcoin scripts by default and only use the new scripting engine via a versioned P2SH-like output script compatible with Bitcoin:

OP_HASH {hash of the altcoin script} OP_EQUALVERIFY {version}

{version} will be OP_1, OP_2 etc till OP_16. Version 17 will be “OP_1 OP_1”, version 18 — “OP_1 OP_2” and so on. Version will be increased when scripting engine is updated with new features or incompatible improvements.

This altcoin will inherit existing Bitcoin wealth distribution. All existing wallets will be compatible with this altcoin from day one. Only miners will need to perform a “soft fork”, by agreeing to enforce new P2SH scripts using new scripting engine (like they did in early 2012 with BIP16). Once super-majority of existing miners enforces specific interpretation of such scripts, it will be safe for users to create transactions using the new scripting engine. Legacy wallets will acknowledge and validate such scripts, even if they won’t be able to create new scripts and contracts themselves.

Unlike many other altcoins, this one will have better chances acquiring big market and hashing power, and thus would be potentially more useful than other altcoins designed to enrich founders at the expense of naïve enthusiasts who do not understand economics and money.