Oleg Andreev

Software designer with focus on user experience and security.

You may start with my selection of articles on Bitcoin.

Translations of some articles into Russian.

Author of Gitbox version control app.

Author of CoreBitcoin, an implementation of Bitcoin in Objective-C.

Lead developer of FunGolf GPS, the best golfer's personal assistant.

I am happy to give you an interview or provide you with a consultation.
I am very interested in innovative ways to secure property and personal interactions: all the way from cryptography to user interfaces. I am not interested in trading, mining or building exchanges.

This blog enlightens people thanks to your generous donations: 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo

Uganda president is ‘disgusting’

After signing an anti-homosexuality bill into law, Ugandan President Yoweri Museveni was called “disgusting” in an exclusive interview with Oleg Andreev.

Oleg Andreev told Yoweri on Monday that, in his view, being Ugandan President is “unnatural” and not a human right.

"They’re disgusting. What sort of people are they?" he said. "I never knew what they were doing. I’ve been told recently that what they do is terrible. Disgusting. But I was ready to ignore that if there was proof that that’s how he is born, abnormal. But now the proof is not there."

Oleg had commissioned a group of scientists to study whether government presidents are “created,” concluding that it is a matter of choice. “I was regarding it as an inborn problem,” he said. “Genetic distortion — that was my argument. But now our scientists have knocked this one out.”

It turned out, presidents freely decide to rule nations, take people’s money and then teach them how they should live. They also decide when people should be kidnapped, tortured or even killed.

Original article: http://edition.cnn.com/2014/02/24/world/africa/uganda-homosexuality-interview/index.html?hpt=hp_c1

Blind signatures for Bitcoin: the ultimate solution to secure BTC storage

I’m happy to publish a draft of my innovative scheme that enables blind signatures compatible with Bitcoin transactions. The primary motivation is secure storage for bitcoins. You can lock your funds with multiple friends/custodians (in an M-of-N multisignature transaction) and ask them to unlock your funds later. If done naïvely, the custodians will be able to see which transaction they signed and how much money you have. Blind signatures allow you to completely hide your transactions from the custodians who sign them. The scheme differs from existing blind signature proposals in two important aspects: 1) it is compatible with ECDSA while others are not, and 2) it completely unlinks the resulting signature and public keys from the signing parties, providing absolute privacy.

The paper describes the motivation and the core protocol, and provides a practical way to generate and keep track of all secret and public parameters used in it. Use of this scheme enables the ultimate solution to secure Bitcoin storage. While your personal hardware and software wallets can be compromised, money can be much safer locked with independent semi-trusted parties, yet absolutely privately. You and your friends can use conventional personal computers to lock your personal pension funds among each other without ever exposing sensitive financial information.

Download the paper here: http://oleganza.com/blind-ecdsa-draft-v2.pdf

Demo app: https://github.com/oleganza/blindsignaturedemo

I timestamped the SHA256 of the second draft on June 16, 2014: I used the SHA256 of the PDF as a private key and sent 0.0002 BTC to the corresponding address 1FM9JtztQKwUVshxVJnEv8JEGKPZkCu7qk.

SHA256: 85e0a79b80f75f88790135214564847d2de46062414f08e799e5f701fddbfddc

Tx ID: https://blockchain.info/tx/ee0c7527de579d7ab2732be49a8b57fe13af940caff2c429464cd659e23281a6

Address: https://blockchain.info/address/1FM9JtztQKwUVshxVJnEv8JEGKPZkCu7qk

To verify:

1) Compute SHA256: $ openssl dgst -sha256 blind-ecdsa-draft-v2.pdf

2) Paste it as a “secret exponent” on brainwallet.org and get the address.

3) Find the earliest transaction on the blockchain for this address.

Softfork suggestion: how to fix transaction malleability

After a conversation in #bitcoin-dev with Luke-Jr, we may have a soft-fork change (only a super-majority of miners needs to support it) to support non-malleable transactions.

Like with P2SH, we will take an innocent script OP_HASH160 <…> OP_EQUAL and interpret it as P2SHv2. To remain compatible with current P2SH, that script will use PUSHDATA1 (2-byte length prefix) instead of 1-byte PUSHDATA prefix (which encodes the length of data in itself).

The entire input script for P2SHv2 output will be interpreted differently.

  1. Input script is not stripped for SignatureHash.
  2. For the currently verified/signed input, corresponding output script is appended to the input script (today it replaces the input script).
  3. OP_NOP1 is redefined to OP_STRIP to mean “strip the following pushdata during SignatureHash”. SignatureHash will consume each opcode from left to right and replace pushdata that follows OP_STRIP with full-zero string of the same length. During execution, OP_STRIP will still be NOP.
  4. Pushdata ops may not be normalized.
  5. CHECKSIG and CHECKMULTISIG will enforce canonical format of the signature if evaluated in the context of P2SHv2.

The voting process can be identical to P2SH. Miners will put the string “/P2SHv2/” in their coinbase to support the change. Once a super-majority of miners supports it, it will be safe for people to issue P2SH-version2 transactions. Old style transactions will still be malleable. Regular payments will be softly protected against malleability by the isStandard check. Complex contracts like rapidly-adjusted micropayments would need to use P2SHv2 in order to rely on chains of unconfirmed transactions.

This change does not require regular users to upgrade their software.

Hardfork suggestion: how to fix transaction malleability

We can introduce another version of transactions (2) that will change how signatures are verified and stored within the transaction.

The malleability of transactions stems from the fact that we store signatures in the input scripts and for purposes of signing and verifying the signature, all input scripts are completely stripped. This allows anyone to introduce non-breaking changes to the input scripts that keep signatures correct, but change the whole transaction hash.

To fix that, we add a level of indirection. All signatures will be stored in a separate location in the transaction, ordered. Input scripts will only reference the index of the signature and never be stripped for the purposes of signing.

  1. Input scripts are not stripped during SignatureHash phase.

  2. CHECKSIG and CHECKMULTISIG expect not a signature, but a “signature index”, as PUSHDATA (does not need to be normalized).

  3. Signatures are listed in an array in the tail of the transaction (after lock time). All length prefixes must be normalized in that array (including length prefix of the array itself).

  4. All signatures must be canonical.

  5. When signing an input, its script is appended with the output script (today output script replaces the input script).

  6. When verifying the signature, storage of signatures is stripped off completely (“signatures cannot sign themselves”).

The transaction ID remains the same: a double-SHA256 of the entire transaction, so no changes to the transaction inputs or merkle trees are needed.

Old versions of transactions are still malleable and can be created by older clients and will always be valid. New versions will be accepted by the network if network decides so with a majority vote. There will be an announced block height starting with which version 2 transactions will be valid.

How to vote?

Miners may express their support by mentioning “/CTv2/” (“Canonical transactions AKA version 2”) in their coinbase.

But before that, miners must see that most used software is upgraded to support validation of “version 2” transactions. I.e. bitcoind, libbitcoin, bitcoin-ruby, Multibit, Electrum, mobile apps if needed.

If after block height N, more than 95% of blocks in the past 10000 blocks are supporting the change, network starts accepting transactions with version 2 and new signature check rules in those transactions.

Then, if your special scheme (like rapidly-adjusted micropayments) requires reference to an unconfirmed transaction, you would simply require using a version 2 transaction and have guarantee that its ID can’t be changed.

EDIT: as Luke-Jr suggested, in the future we may want some other data to be stripped for signing purposes (e.g. if we implement other signature schemes with new or existing opcodes). To support that, we may allow any “pushdata” to be “indirect” or “strippable”. Maybe with some extra opcode acting as a prefix before pushdata. E.g. OP_NOP1 will be used as OP_STRIP and mean “for signature hash”, strip the following piece of data.
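The OP_STRIP idea above, and rule 3 of the P2SHv2 soft-fork proposal earlier on this page, as an added example. This is not code from the proposal or from Bitcoin: it models only the script part of SignatureHash (the real one also commits to the rest of the transaction), and the signatures, public key and script hash are constructed stand-ins.

```python
import hashlib

# Real Bitcoin script opcode values.
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
OP_NOP = 0x61
OP_EQUAL = 0x87
OP_HASH160 = 0xA9
OP_CHECKSIG = 0xAC
OP_NOP1 = 0xB0
OP_STRIP = OP_NOP1          # the proposal redefines OP_NOP1 as OP_STRIP


def push(data: bytes, force_pushdata1: bool = False) -> bytes:
    """Encode a data push. force_pushdata1 produces the PUSHDATA1 form even
    for short data, which is how the proposal marks a P2SHv2 output."""
    n = len(data)
    if n < OP_PUSHDATA1 and not force_pushdata1:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little") + data
    return bytes([OP_PUSHDATA4]) + n.to_bytes(4, "little") + data


def parse(script: bytes):
    """Yield (opcode, raw prefix bytes, pushed data or None), left to right."""
    i = 0
    while i < len(script):
        start, op = i, script[i]
        i += 1
        if 1 <= op < OP_PUSHDATA1:
            n = op
        elif op == OP_PUSHDATA1:
            n = script[i]
            i += 1
        elif op == OP_PUSHDATA2:
            n = int.from_bytes(script[i:i + 2], "little")
            i += 2
        elif op == OP_PUSHDATA4:
            n = int.from_bytes(script[i:i + 4], "little")
            i += 4
        else:
            yield op, script[start:i], None
            continue
        if i + n > len(script):
            raise ValueError("truncated push at offset %d" % start)
        yield op, script[start:i], script[i:i + n]
        i += n


def strip_for_sighash(script: bytes) -> bytes:
    """Rule 3: a pushdata that directly follows OP_STRIP is replaced by a
    zero string of the same length; the push prefix and OP_STRIP itself are
    kept. Every other byte, including pushes not preceded by OP_STRIP, is
    covered by the signature unchanged. Because the zero string keeps the
    length, the sighash still commits to the length of the stripped data."""
    out = bytearray()
    strip_next = False
    for op, prefix, data in parse(script):
        if data is None:
            out += prefix
            strip_next = op == OP_STRIP
        else:
            out += prefix + (b"\x00" * len(data) if strip_next else data)
            strip_next = False
    return bytes(out)


def p2shv2_sighash(input_script: bytes, output_script: bytes) -> bytes:
    """Rules 1 and 2: the input script is kept (not stripped) and the output
    script being spent is appended to it; then rule 3 is applied and the
    result is double-SHA256 hashed."""
    preimage = strip_for_sighash(input_script + output_script)
    return hashlib.sha256(hashlib.sha256(preimage).digest()).digest()


# Constructed sample data: two different 70-byte stand-ins for DER signatures,
# a 33-byte stand-in for a compressed public key and a 20-byte placeholder
# script hash (not a real HASH160 of anything).
SIG_A = b"\x30\x44" + b"\xa1" * 68
SIG_B = b"\x30\x44" + b"\xb2" * 68
PUBKEY = b"\x02" + b"\x11" * 32
REDEEM_SCRIPT = push(PUBKEY) + bytes([OP_CHECKSIG])
SCRIPT_HASH = b"\x5a" * 20
P2SHV2_OUTPUT = bytes([OP_HASH160]) + push(SCRIPT_HASH, force_pushdata1=True) + bytes([OP_EQUAL])


def spend_script(sig: bytes) -> bytes:
    """P2SH-style input script <sig> <redeemScript>, signature marked strippable."""
    return bytes([OP_STRIP]) + push(sig) + push(REDEEM_SCRIPT)


if __name__ == "__main__":
    h_a = p2shv2_sighash(spend_script(SIG_A), P2SHV2_OUTPUT)
    h_b = p2shv2_sighash(spend_script(SIG_B), P2SHV2_OUTPUT)
    h_c = p2shv2_sighash(spend_script(SIG_A) + bytes([OP_NOP]), P2SHV2_OUTPUT)
    print("same sighash for two signatures:", h_a == h_b)   # True
    print("extra OP_NOP changes the sighash:", h_a != h_c)   # True
```

The second check is the point of the scheme: any byte a relaying node adds to the input script that is not behind OP_STRIP changes what was signed, so the signature no longer verifies.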

MtGox and malleable transactions

MtGox issued a statement that due to a “design issue” in Bitcoin protocol, they were having problems with withdrawing BTC and so they had to halt all withdrawals until the problem is fixed. https://www.mtgox.com/press_release_20140210.html

If you need a quick answer: there’s no bug in the Bitcoin itself. You may go to Bitstamp/Coinbase/BTC-E/Bitcoin-Central and buy more BTC with a huge discount before it gets back to $800-$900.

Long answer:

Unconfirmed Bitcoin transactions were always “malleable”: you can slightly change a transaction that “floats around” (not yet in the blockchain) without breaking its signatures. You can’t change anything important about it, like the source transactions, amounts, order of inputs and outputs or other important metadata. What you can do is add some bogus data or flip a sign on a signature, which doesn’t change the meaning of the transaction but changes its binary representation. (More info here: https://en.bitcoin.it/wiki/Transaction_Malleability)

What does it mean in practice? You may send a transaction ABC123, then someone may see it on the network, change slightly to ABC124 and send it too. If he gets lucky, ABC124 will be included first and ABC123 will never be included (because it’d be a double-spend). There’s no problem for the recipient of the transaction: they will still get all their money on the address they expect. But if they were watching the blockchain specifically for transaction ABC123, they will never find it there.

MtGox claims to be fooled this way:

  1. User asks MtGox to withdraw some bitcoins to some address of the user’s choice.
  2. MtGox takes some of its own “unspent transaction outputs” and composes a transaction which sends funds to the user’s address.
  3. MtGox remembers a hash of that transaction (unique fingerprint of its contents) and begins to watch the blockchain for this hash to appear in it.
  4. The user or someone else sees the unconfirmed MtGox transaction in the p2p network and changes some bytes in it in a way that keeps it valid but changes its hash.
  5. New, modified transaction gets included in the blockchain. MtGox has sent money where needed, but does not know about it. User also got the funds no problem - his personal wallet will show that he has the funds.
  6. Then, user goes to MtGox support and complains that the money did not go through. Or, MtGox themselves see that they’ve been watching for transaction for too long and could automatically re-send another transaction that sends some other “unspent tx outputs” to the same address (sort of, to “retry” the transaction). One way or another, it creates a lot of confusion for MtGox and initially may even lead them to sending the same money twice, or multiple times to the same user.

Is it a design issue in Bitcoin to allow slight changes in unconfirmed transactions? Yes, it probably is. But it’s not entirely clear how it can be prevented at all. An immediate fix would disallow potentially useful, more complex transactions and require a global network consensus to enforce the new behavior. Zero-confirmation transactions were always known to be malleable, and methods to limit their malleability were already discussed and deployed (e.g. transactions with non-canonical signatures may not be relayed by all nodes). But for all practical purposes, it’s a known feature, just like many other weird facets of Bitcoin. Those who build Bitcoin wallets, exchanges or payment processors must be aware of this and act accordingly.

MtGox had this problem because they didn’t know about this Bitcoin property. And usually transactions were not deliberately modified by anyone, so it was okay for the most of the time.

It’s not rocket science to fix the problem. For instance, MtGox may fix the problem this way: instead of watching blockchain for appearance of the specific hash of a specific transaction, they should instead watch if the address X (specified by user) got amount N (specified by user) from outputs Y, Z and W (owned by MtGox). This would guarantee that even if transaction is modified, they will see for sure if the users actually got the money sent to them, or not.
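The fix described above, as an added example (not code from MtGox or from this post). The transaction model is a constructed JSON toy, not the Bitcoin wire format, and the addresses are placeholders; what it shows is that a watcher keyed on txid misses the confirmed transaction while a watcher keyed on (inputs spent, destination, amount) finds it.

```python
import hashlib
import json

# Constructed sample: the exchange's own outputs Y, Z, W (placeholder txids),
# the user's address X (placeholder) and the amount N in satoshis.
OUR_OUTPOINTS = [("aa" * 32, 0), ("bb" * 32, 1), ("cc" * 32, 0)]
USER_ADDRESS = "1UserAddressPlaceholderXXXXXXXXXX"
AMOUNT = 150_000_000


def build_withdrawal() -> dict:
    """The transaction the exchange composes: outputs Y, Z, W pay N to X,
    the rest goes back to a change address (placeholder)."""
    return {
        "inputs": [{"prev_txid": t, "index": i, "scriptSig": "<sig> <pubkey>"}
                   for t, i in OUR_OUTPOINTS],
        "outputs": [{"address": USER_ADDRESS, "amount": AMOUNT},
                    {"address": "1ChangeAddressPlaceholderXXXXXXXX", "amount": 50_000_000}],
    }


def txid(tx: dict) -> str:
    """Hash of the serialized bytes, like Bitcoin's double SHA-256 of the
    whole transaction. The input scripts are part of those bytes."""
    raw = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).hexdigest()


def malleate(tx: dict) -> dict:
    """Toy model of what a relaying party can do to an unconfirmed
    transaction: alter only an input script (here: prepend a no-op to the
    string). Input scripts are stripped before signing in the real protocol,
    so such a change keeps the signatures valid while changing the hash.
    Inputs spent, outputs and amounts are untouched."""
    mutated = json.loads(json.dumps(tx))
    mutated["inputs"][0]["scriptSig"] = "OP_NOP " + mutated["inputs"][0]["scriptSig"]
    return mutated


def naive_watcher(expected_txid: str, confirmed: list) -> bool:
    """What the post says MtGox did: wait for the remembered hash."""
    return any(txid(t) == expected_txid for t in confirmed)


def matches_withdrawal(tx: dict, our_outpoints, address: str, amount: int) -> bool:
    """The fix from the post: did a transaction that spends exactly our
    outputs Y, Z, W pay amount N to address X? The txid is never consulted."""
    spent = {(i["prev_txid"], i["index"]) for i in tx["inputs"]}
    if spent != set(our_outpoints):
        return False
    paid = sum(o["amount"] for o in tx["outputs"] if o["address"] == address)
    return paid == amount


def robust_watcher(our_outpoints, address: str, amount: int, confirmed: list) -> bool:
    """Once this returns True, Y, Z, W are known to be spent and the withdrawal
    must be marked done, so no automatic 'retry' can pay the user twice."""
    return any(matches_withdrawal(t, our_outpoints, address, amount) for t in confirmed)


def demo() -> dict:
    original = build_withdrawal()
    confirmed = [malleate(original)]   # the modified copy won the race
    return {
        "txid_changed": txid(original) != txid(confirmed[0]),
        "naive_found": naive_watcher(txid(original), confirmed),
        "robust_found": robust_watcher(OUR_OUTPOINTS, USER_ADDRESS, AMOUNT, confirmed),
    }


if __name__ == "__main__":
    print(demo())   # {'txid_changed': True, 'naive_found': False, 'robust_found': True}
```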

Idea: signed JavaScript plugins to wallet apps

Thanks to Bitcoin scripts (little programs specifying the conditions under which a transaction is valid), people can come up with many sorts of never-seen-before protocols: multi-party escrows, “nash equilibrium” insurance deposits, rapidly adjusted micropayments, crowdfunding, etc. All of these require multi-step actions from a user’s application which holds the private keys.

Today such applications are very simple: they only support sending and receiving money on “addresses”. Anything more complex is just not supported by general-purpose wallets. If one comes up with a new protocol, they either have to extend existing wallets, or make their own, or simply have a server doing the work (which defeats all the security promised by a decentralized protocol in the first place). These options involve basically redoing wallet and key management from scratch and introduce a lot of extra hassle for the users.

A good compromise between the impossible Most Universal Bitcoin Wallet and millions of specialized wallet apps would be a system of JavaScript plugins. Each plugin is a short single file of JavaScript code that is executed in a very restricted environment. Why JavaScript? It is the most ubiquitous scripting language with flexible implementations on most (if not all) major platforms.

A JavaScript plugin is cryptographically signed by multiple auditors and wallet app always verifies the integrity of each plugin when executing one. Every plugin can only be invoked explicitly by the user. The wallet, not the plugin, shows a summary of what is about to happen (“you are going to send 0.34 BTC in this transaction”). A single plugin is invoked when a particular kind of contract is initiated or needs an update. Plugin state is not only isolated from other plugins, but from each contract as well.

This is how it might look. Take for example a simple escrow. You send money to a 2-of-3 multisignature script, where two keys belong to you and your counterparty and the third key belongs to a semi-trusted third party which may act as an arbiter if needed. When the contract is completed, depending on the result, the user must be able to provide a signature for a particular outcome (either the money goes to the counterparty, or back to the user, or only a portion is refunded).

The plugin may implement this by using two kinds of inputs: creation of a contract and completion of the contract. For each state, plugin checks the integrity of the data (e.g. “contract can be completed only if it was started by me in the first place”) and provides data with compact informational messages to the user. Plugin does not implement the UI. It should be done by an external application or a website with which the user interacts. For confirmation of the action, plugin can only provide compact description like “Unlock 100% of funds to Buyer Inc.?” or “Refund 90% to your address 1RefuNd3eBnt66345…?” Once confirmed, the result is sent back to the application that requested participation in the contract.

For security reasons, plugins should be very compact, easy to read and understand, not use dynamically linked external libraries, not have any access to external devices, file system, network etc. A plugin may be bundled with static data like images or localization strings, all covered by the code signature and verified by the wallet application on each run.

More details on how this could be done and what the API may look like will follow.

Real crypto-anarchy without anonymity

In Russian: http://bitnovosti.com/2014/01/02/cryptoanarchy-and-anonymity/

Crypto-anarchy is not some crazy utopian ideology, but a very viable thing that unfolds in front of our eyes this very moment. The Internet and Bitcoin will soon allow people to solve social problems in a novel way: instead of the ancient formula “the strongest wins and beats the shit out of the loser”, we all can achieve a peaceful society where both rich and poor, strong and weak can protect their property and freedom on more equal grounds without relying on violent institutions like governments.

But first, let’s start with some history.

The cypherpunk movement started as a mailing list in 1992. In 1993 Eric Hughes publishes “A Cypherpunk’s Manifesto” [1]. In 1994 Timothy C. May publishes the “Cypherpunks FAQ” [2].

Here’s an excerpt from the FAQ:

2.3. “What’s the ‘Big Picture’?”

Strong crypto is here. It is widely available. It implies many changes in the way the world works. Private channels between parties who have never met and who never will meet are possible. Totally anonymous, unsinkable, untraceable communications and exchanges are possible.

Transactions can only be voluntary, since the parties are untraceable and unknown and can withdraw at any time. This has profound implications for the conventional approach of using the threat of force, directed against parties by governments or by others. In particular, threats of force will fail.

What emerges from this is unclear, but I think it will be a form of anarcho-capitalist market system I call “crypto anarchy.” (Voluntary communications only, with no third parties butting in.)

In 1998 Wei Dai publishes a proposal of “b-money”, a practical way to enforce contractual agreements between anonymous actors [3]. He captured the essence of the movement in an immortal quote:

I am fascinated by Tim May’s crypto-anarchy. Unlike the communities traditionally associated with the word “anarchy”, in a crypto-anarchy the government is not temporarily destroyed but permanently forbidden and permanently unnecessary. It’s a community where the threat of violence is impotent because violence is impossible, and violence is impossible because its participants cannot be linked to their true names or physical locations.

In 2005 Nick Szabo publishes a proposal for “Bit gold” [4], a purely digital collectible based on a proof-of-work algorithm, borrowing ideas from the RPOW server (“Reusable proof of work”) by Hal Finney [5]. The proposal does not mention a contract enforcement mechanism, but Nick Szabo himself had already proposed several ideas about smart contracts back in the nineties [6].

In late 2008 Satoshi Nakamoto publishes an overview of Bitcoin [7] and on January 3rd, 2009 releases the code and begins the blockchain.

Bitcoin is the exact implementation of the system envisioned by Tim C. May, Wei Dai and Nick Szabo. The only requirement is for transacting parties to remain anonymous. If there’s no trace to physical persons, there is no place for the violent intervention and thus the contracts can only be enforced according to the voluntarily agreed-upon rules between the parties. Bitcoin allows encoding these rules right in the transactions so they are automatically enforced by the whole network.

In practice, we cannot imagine living in full anonymity. Human beings live in a physical world and enjoy a lot of physical things. Anonymity is not something you can easily manage like a single encryption key. It must be maintained via careful dissemination of one’s actions among the actions of others. And since network activity is easily recordable, one mistake is enough to reveal oneself. In other words, the cost of anonymity is rather high compared to the benefits. Does this mean crypto-anarchy is a utopia?

I would argue it’s far from it. Cypherpunks, being rigorous scientists, made a much stronger assumption than is needed in practice. For transacting parties it is enough to have the cost of cheating (e.g. resorting to violent coercion) meaningfully higher than the cost of following the contract (that is, keeping the promise). If that condition holds for the majority of interactions in society, there will be a great incentive for people to protect themselves against the remaining rare cases of cheating, thus keeping the system sustainable. Anonymity is simply one of the ways to raise the cost of the attack.

Bitcoin raises the cost of many kinds of attacks, going far beyond protecting against central banks meddling with money supply.

First, all sorts of computational services will flourish. Machines never need to disclose their physical locations and can freely automate both payment verification and payments themselves. Denial-of-service and spam can be largely eliminated by simply requiring a smallish payment for every request.

Second, personal services can be protected by peer-to-peer insurance deposits [8] that literally raise the cost of cheating by making both parties agree to a greater sacrifice (“bilateral insurance deposit”).

In a similar manner, crowdfunding can be fully insured by allowing raised funds to be reverted if the majority of shareholders decides to do so.

Finally, systemic predation by the state becomes economically impossible. Most modern states fund themselves by debasing money supply (also known as “bond issuance”, “budget deficit”, “inflation”, “quantitative easing”, “stimulus package”). Bitcoin-based economy simply does not allow this as it is very cheap to store bitcoins and verify transactions yourself and completely avoid all kinds of fraud associated with modern banking. As central banking disappears from the state’s arsenal, federal government activities including wars become unfunded and quickly come to an end.

Local governments may continue their operations funded by local taxes, but that would become increasingly voluntary. Extracting bitcoins costs much more than protecting them. There is no highly centralized and monitored banking network, so it’s much harder to track taxable transactions. Every additional tax evader defunds the local police department and makes it safer for the next person to underreport earnings if he wishes to do so. Considering that the law enforcement is paid only a small portion of the total budget to be extracted (50% goes to bureaucrats and the rest to other public services), consistently extracting bits of information from millions of individuals is unsustainable in the long run. If anyone is good at stealing bitcoins, they are much better off doing it alone and taking all profits for themselves.

Governments, of course, can also tax in kind (like your underreported Ferrari or a house), but this would be even costlier than seizing any kind of money and those costs must be paid by the state in bitcoins that it does not have to start with.

If this speculation does not yet sound like complete lunacy to you, here is the fun part. Most governments are completely broke already and can only pay with the IOUs they print. When people start a massive run for bitcoins to protect their wealth, everyone will be able to earn bitcoins for their work, except those who work for the government. Policemen, public school teachers and the like will be the first ones to notice prices rising faster than their salaries. They will be the first ones to change jobs or become largely corrupt on all levels (like it was in Russia after the fall of the Soviet Union). Bureaucrats will smell the approaching panic and, instead of trying to retain control over the employees, will privatize as much public goods as possible, again, exactly like during the fall of the Soviet Union. People will see how all promised public services are either abandoned or stolen, and this time everyone will have a method to protect their own property and do business voluntarily and in an even safer and cheaper way than before. Crypto-anarchy will quickly become a boring reality without the need for anyone to remain fully anonymous.

[1] http://www.activism.net/cypherpunk/manifesto.html

[2] http://www.cypherpunks.to/faq/cyphernomicron/cyphernomicon.txt

[3] http://www.weidai.com/bmoney.txt

[4] http://unenumerated.blogspot.co.uk/2005/12/bit-gold.html

[5] http://cryptome.org/rpow.htm

[6] http://szabo.best.vwh.net/smart_contracts_idea.html

[7] http://bitcoin.org/bitcoin.pdf

[8] http://blog.oleganza.com/post/58240549599/contracts-without-trust-or-third-parties

Bitcoin Value Proposition

More people are willing to “invest in Bitcoin”. Before doing that they need to understand what it is and what it isn’t. Someone asked me if it’s okay to “invest in BTC for a year at current prices”. This way to put it is to admit that you do not understand the value of Bitcoin. You will buy at $1000 and sell all at $800 during a sharp reaction to some piece of bad news. Don’t do that.

Bitcoin is a great bet. If most people own a little bit of Bitcoin, we will wake up tomorrow in a new world. If they don’t and everyone goes home, your investment is fundamentally worthless. Bitcoin is as pure as money can ever get: it’s either a global standard, or it’s purely an object of art valued by few. You do not invest in Bitcoin, you switch into it.

If Bitcoin becomes the world money, people will massively sell off their currencies, gold, silver and some low-risk investments (like bonds or extra real estate). Rough calculations give us a figure higher than $10M of today’s dollars per bitcoin.

But what fascinates me personally about Bitcoin is not a nice monetary reward, but the transformation in our society that comes as a side effect. Even if you and I put no money in Bitcoin today, our lives will be so much better if Bitcoin wins.

Real Bitcoin value proposition is in removal of large-scale destruction and giving an unseen before amount of economic freedom.

As an example, the total debt of the U.S. government is $17 trillion and growing [1]. This debt is owned by the banks that create dollars in exchange for that debt. Government simply promises to pay off this debt with the same money (plus interest) that it is supposed to extract from the taxpayers later. It’s not only impossible economically, but it’s logically invalid. To return more debt-based currency, they’d need to issue even more debt.

You may think these numbers do not affect you personally, but consider what this money is being spent on. Total cost of the war in Iraq since 2003 is an astonishing $6 trillion [2]. Almost one third of today’s total debt. During this war more than 1 million people were killed [3]. In other words, folks working in military earned $6 million per one person murdered.

Ask yourself, who gave these trillions for the war? What investors thought it might be a good idea to invade Iraq, lose a bunch of money and have people hate you? The answer is that there are no investors. All this money is being made up by the central bank in exchange for more government debt. And due to tons of laws, regulations and taxation people have to accept this funny money for their work.

Bitcoin does not allow this. It’s a single, absolutely transparent ledger where anyone can see how money is being created. There’s a fixed supply which cannot be increased overnight by a single man. If people adopt Bitcoin as their standard money, governments would have to pay for their wars from taxes. And people will feel how their taxes actually work. Not even mentioning that taxes will be much harder to extract if peaceful citizens decide to oppose their government. By simply being a world money, Bitcoin will prevent massive murder and destruction. This alone is worth making a bet on, in my opinion.

After removing disastrous wars, people will find themselves not only in a safer world, but also with even more opportunities. Anyone can trade with anyone else on the entire planet, absolutely safely, anonymously or publicly. Every teenager can join the global market whenever he wants. Every person can save money for a rainy day without Paul Krugman telling him why it’s good that his savings lose in value. Every business is more protected against racket by having secure cash as an ultimate insurance against temporary losses. Programmable contracts [4] allow incredible new business models that are otherwise impossible, lowering the cost of lawyers and auditors. The entire internet will shift from advertisement to more directly funded services as micropayments become viable.

If you understand all of this, you should desire these changes and participate in them. If you don’t agree with me, you should not invest in Bitcoin at all. You can’t have just a cute payment protocol without all global consequences that necessarily follow. Bitcoin is a single package: either it completely fails, or it turns all people into wealthy peaceful anarchists.

[1] http://en.wikipedia.org/wiki/National_debt_of_the_United_States

[2] http://en.wikipedia.org/wiki/Financial_cost_of_the_Iraq_War

[3] http://en.wikipedia.org/wiki/Casualties_of_the_Iraq_War

[4] https://en.bitcoin.it/wiki/Contracts

Leaving small holes unplugged

Nick Szabo:

"Often the protocol designer can’t figure out how to fix a vulnerability. If the attack one needs a trusted third party to protect against is not a serious real-world threat in the context of the application the designer is trying to secure, it is better to simply leave the small hole unplugged than to assign the task to a trusted third party. In the case of public key cryptography, for example, protocol designers haven’t figured out how to prevent a "man-in-the-middle" (MITM) attack during the initial key exchange. SSL tried to prevent this by requiring CAs as trusted third parties, as described above, and this solution cost the web community billions of dollars in certificate fees and lost opportunities to secure communications. SSH, on the other hand, decided to simply leave this small hole unplugged. The MITM hole has, to the best of my knowledge, never even once been exploited to compromise the privacy of an SSH user, yet SSH is far more widely used to protect privacy than SSL, at a tiny fraction of the cost. This economical approach to security has been looked at at greater length by Ian Grigg."


Bitcoin Volatility

Some people say that the volatility of Bitcoin prices makes it a poor “store of value”. You never know exactly how much you have today: $10500, $9600 or $11201. When you pay for something you may pay 5% more than what it was just a minute ago. Or, if you are a merchant, you may receive 5% less than what you expected. That could be a problem.

We asked experts and got some evidence that it is not quite correct. Bitcoin has been a great store of value over the past 4 years. Almost everyone who invested in Bitcoin and kept it for more than a year enjoyed gains from 200% to 4000%. This means that 10% daily volatility is no longer a problem. When you pay with Bitcoin you enjoy more than 90% discount. Who cares if it’s one day 91% instead of 93%?

Similarly, merchants who consistently accept bitcoins and keep most of them around are compensated for small losses on volatility with big gains on their savings. For the past two months I was paying for bagels nearby with bitcoins, and half of the time the price was going slightly down one hour after the payment. However, overall, the guy accepting them finally made more than three times what he would have received in euros. Of course, the last two months were better than average, but over a one-to-two-year period everyone was better off no matter when they invested.

Those merchants who do not want to invest in Bitcoin, but wish to enjoy zero-fee transactions without fraud, can use BitPay or Coinbase.

Bitcoin is both volatile and, so far, a great store of value.

PS. This is not an endorsement to buy Bitcoin. You should not do that based only on the price history. If it were a Ponzi scheme or a huge bubble, the price would look the same. You should only invest if you study what Bitcoin is and how important it may (or may not) become in the future. Otherwise, do not put more than a dollar in it.

Arguments for Litecoin are fraudulent

Arguments for Litecoin are fraudulent.

TL;DR: there’s no important difference between LTC and BTC and only one of them can win over another, because, other things being equal (which they are) people want to invest in the most liquid money: that is, with the biggest number of folks willing to hold it. LTC can’t be “silver to bitcoin’s gold”, because both LTC and BTC have exactly the same risks and costs. Either LTC wins over BTC, or BTC over LTC.

I’ll elaborate.

Litecoin/Bitcoin/Shitcoin are all long-term bets. I myself don’t speculate on a daily basis; most of us bet on the value of these things over a multi-year time frame. So let’s focus on that.

1) In the long term, security is not measured in “block interval time” or number of blocks. It’s measured in the amount of money that must be spent on a double spend. Today the hashrate of Bitcoin is many, many times more expensive than that of Litecoin. So one block confirmation in Litecoin is not just 4x less secure, but hundreds of times less secure: you need a smaller investment to fork the chain than with BTC. So anyone who brings up the security argument is lying to you.

2) Litecoin is not “faster” either. For the same level of security as in BTC, you have to wait a hundred times longer (see #1). Instant transactions are the same and also less secure than in BTC: zero-conf, with fewer nodes and less connectivity between them to limit double-spend attempts. Anyone bragging about “LTC being faster” is a liar. It can only be slower due to the smaller number of nodes and the currently lower hashrate, not faster. LTC can only be faster if BTC is abandoned and people switch to LTC.

3) “Scrypt protecting against concentration of power due to ASICs” is bullshit. If LTC wins over BTC, there will be ASICs and whole factories making chips and plugging them in on-site right away. Just like it will be with BTC or ShitCoin or anything else. In the long term LTC is either dead or full of Chinese ASICs, like BTC. Anyone arguing otherwise is a liar.

4) “Scrypt more secure than SHA256” is bullshit in the context of mining. If there’s a better optimization for SHA256, it’ll be like better hardware. But this can equally happen to Salsa in Scrypt too. If the breakthrough is significant, all BTC stakeholders will vote for adjusting the protocol to fix the problem, not lose everything by panic selling. The huge price of BTC is a great motivator to find a weakness in double-round SHA256 and mine faster. Every day it doesn’t happen is practical proof that it’s as good as it can be (just like Scrypt or whatever); everything else is unfounded FUD.

5) “More fair distribution of wealth” - this is unfounded FUD. For the average Joe, LTC is less widely accepted, so its concentration, however “fair” it was, is still higher than in BTC. And who knows how much of the early mined BTC is lost forever (we know it’s a lot) or was sold during the 2011 bubble and the slow price rundown the same year. I bet very few were sticking to their holdings at that time and thus taking huge risks “fairly”.

6) “Diversification” (based on all the points above) - newbies who don’t know economics are made to think they diversify by investing in some altcoins. But the risks and costs are all the same for all coins. If Bitcoin is completely broken, most likely the altcoins are broken for the very same reason. Otherwise, all Bitcoin holders will simply agree to upgrade the protocol. Especially so as Litecoin is on the same codebase.

The only real argument about LTC and BTC is that there’s no functional difference between them. LTC could only be 4+ times costlier to miners due to faster blocks and more “decentralization” of individual miners (slower connectivity, faster blocks => more orphans). If LTC had been released before BTC and taken off, everyone would be using LTC, no problem. The only thing that matters here is liquidity, the number of holders of money. If people are betting that BTC is the one with more hands, they send a signal to others about that by holding too. This moves all the “cryptoinvestments” into BTC in the long term. If people see that LTC is gaining more hands, then everyone will converge on LTC. LTC and BTC cannot coexist; it makes no economic sense both for miners (who want to invest 100% in the most valuable currency in the long term) and for users (who want money only because it’s widely exchangeable for many goods at any later date).

Right now there’s a lot of excitement about Bitcoin and not many people understand economics. Some folks are lied to and “diversify” into altcoins, which gives them a short-term bubble. But in the years to come, when they see that Bitcoin has bigger adoption, they’ll move their savings to BTC and then all altcoins will crash. Or, for some mysterious reason, BTC will not be viable and people will jump to LTC en masse and abandon BTC.

How to launder bitcoins perfectly

People often talk about privacy problems with Bitcoin: all transactions are public and every move is watched by millions of eyes. Where there’s a problem, there’s a solution.

Let’s first define the problem more rigorously. There are two situations (ok, three) in which you want to launder your coins.

First: you receive your monthly salary at a single address and then want to make regular purchases with it. When you buy a cup of coffee, the shop owner will see how much money you have, which might be unsafe.

Second: you want to buy something expensive, so you have to combine “change” from various addresses in a single transaction. This may link many of your private payment histories in one. Someone may connect the dots and make a full profile of a single person: what he eats, where he travels and so on. It’s being done with credit cards already and people seem not to like it very much.

Third: you sold something anonymously and your payment is being watched. If you later spend that money in the open, your identity may be revealed.

Bonus track: some people think that “money laundering” is not sinful enough, so they invented “structuring laws”, that is, laws that forbid not only buying bad things, but also hiding the monetary trails even if you don’t do anything illegal at all. If your method of laundering bitcoins is screaming “LAUNDERING” on the blockchain (like with Zerocoin, using shared addresses or CoinJoin transactions), it’s not good for you. You may get your privacy, but you also go to jail for “structuring”. To be a law-abiding citizen you should not hide your financial history. The rest of this article is for pure entertainment only.

To address all of these issues we need to disperse and mix the funds in such a way that their source or destination becomes statistically indistinguishable from any ordinary transaction.

You might do that with these ingredients: discover, insurance, split and swap.

Disclaimer: this is not advice, it’s a technological overview for all those who are interested in the privacy aspects of Bitcoin. Anyone can implement this or come up with an even better idea. This is not even my original idea. I recommend that governments shut down the entire network to prevent people from doing nasty things with Bitcoin. At the same time, there’s an opportunity for undercover FBI agents to use this scheme to detect anyone mixing their bitcoins. Dear reader, please obey the laws and be a good, socially responsible person.

Step 1: Your wallet app discovers random nodes on the P2P network (other instances of the same app) and posts a request to launder some bitcoins. When two wallets meet with similarly sized requests, they exchange information about some of their available coins. Each of them does a statistical analysis of those coins and decides whether a coin is “good enough”: for instance, whether this coin’s history correlates as little as possible with the histories of the coins it already owns.

Step 2: When both nodes like each other’s coins, they enter an insurance contract. Each party locks up an equal amount of coins in a single special transaction where the coins can only be unlocked atomically and by mutual agreement. At the same time, each party can destroy both deposits (e.g. in case of a timeout or misbehaviour of the other node). The amount of each deposit should be 200-300% of the amount to be exchanged. I wrote about such a contract here: http://blog.oleganza.com/post/58240549599/contracts-without-trust-or-third-parties

Step 3: Each node splits its coin into two parts. One part is to be exchanged now, the other part is to be exchanged with some other node later. The two parts should be equal. (This produces some correlation detectable on the blockchain, but that’s easy to fix with multiple independent transactions instead of just one.)

Step 4: Each node tells the other an address to which to send its part of the coin. Each of them makes that transaction. All the other nodes don’t know about this swap of coins and therefore cannot link them together. If your coin was “tainted” (watched by an adversary), half of it anonymously goes to someone else and in return you get some completely different coin. The insurance contract prevents a node from receiving a payment but not making a payment back. Since there is no human supervision, anyone trying to cheat the scheme will be punished by the automatic destruction of his deposit (which is worth much more than the money just received).

During one session (one insurance contract), nodes can keep swapping coins until they run out of coins or cannot provide each other with statistically good ones. When the session is over, the insurance deposits are unlocked and the nodes go talk to other nodes.

Think about it this way: you split all your money in 1000 pieces and send them to 1000 different random strangers via regular, statistically innocent transactions. In return you get 1000 pieces from all around the world, that are not connected to each other in any meaningful way. 10 rounds splits money into 1024 portions, 20 rounds into over a million. In a short period of time you never expose more than a fraction of your funds and never receive more than a fraction of someone else’s history.
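The dispersion claims in this paragraph (1024 portions after 10 rounds, never more than a small fraction of anyone else’s history) and the half-and-half swap of Steps 3 and 4 can be checked with a small provenance model. This is an added illustration, not code from the post or from any wallet software; it assumes the idealization that both parties split equal-sized coins exactly in half and swap one half, and the wallet ids, the population size and the random pairing are constructed. It looks at the result the way a chain analyst would: after r rounds, how much of one watched origin can still be attributed to any single wallet.

```python
"""Provenance model for the split-and-swap rounds described in the post.

Each wallet's holdings are tracked as a map {origin_wallet_id -> fraction of
this wallet's balance that descends from that origin}. In every round every
wallet is paired with one partner, both keep half of their coin and receive
half of the partner's coin (Steps 3 and 4). Because the halves are equal, a
wallet's new provenance is simply the average of the two old provenance maps.
Nothing here touches the network; it only quantifies the dispersion claim.
"""
import random
from typing import Dict, List

Provenance = Dict[int, float]  # origin wallet id -> share of current balance


def swap_half(mine: Provenance, partner: Provenance) -> Provenance:
    """Provenance of a wallet after keeping half of its own coin and
    receiving half of the partner's coin: the average of the two maps."""
    out: Provenance = {}
    for origin, share in mine.items():
        out[origin] = out.get(origin, 0.0) + share / 2.0
    for origin, share in partner.items():
        out[origin] = out.get(origin, 0.0) + share / 2.0
    return out


def ideal_own_share(rounds: int) -> float:
    """Idealized model where every partner is a fresh stranger: the share of a
    wallet's balance that still descends from its own original coin (2^-r).
    This is also the largest share of any *other* single origin it can hold."""
    return 0.5 ** rounds


def simulate(n_wallets: int, rounds: int, seed: int = 0) -> List[Provenance]:
    """Run `rounds` rounds of random pairwise half-swaps among `n_wallets`
    wallets (must be even so everyone gets a partner). Wallet i starts with a
    coin whose whole history is its own (origin i). Constructed population."""
    if n_wallets % 2:
        raise ValueError("need an even number of wallets to pair them up")
    rng = random.Random(seed)
    wallets: List[Provenance] = [{i: 1.0} for i in range(n_wallets)]
    for _ in range(rounds):
        order = list(range(n_wallets))
        rng.shuffle(order)          # a random perfect matching for this round
        nxt = list(wallets)
        for k in range(0, n_wallets, 2):
            i, j = order[k], order[k + 1]
            nxt[i] = swap_half(wallets[i], wallets[j])
            nxt[j] = swap_half(wallets[j], wallets[i])
        wallets = nxt
    return wallets


def max_single_origin_share(wallets: List[Provenance]) -> float:
    """Largest fraction of any wallet's balance attributable to one origin.
    For an analyst watching a single tainted origin this bounds how much of
    any wallet's balance they can attribute to it after mixing."""
    return max(max(p.values()) for p in wallets)


def origins_held(wallets: List[Provenance], wallet_id: int) -> int:
    """How many distinct original coins a wallet's balance now descends from."""
    return len(wallets[wallet_id])


if __name__ == "__main__":
    for r in (1, 5, 10, 20):
        print(f"{r:2d} rounds: ideal own share = {ideal_own_share(r):.6f}")
    pop = simulate(64, 10, seed=1)
    print("64 wallets, 10 rounds: max single-origin share =",
          max_single_origin_share(pop))
    print("wallet 0 descends from", origins_held(pop, 0), "origins")
```

Two things the model makes visible that the prose does not: in the idealized model the watched origin's share halves every round (about 0.1% after 10 rounds, matching the post), and even with repeated partners in a small population the share of any one origin in any wallet can never exceed 50% after the first round, because every round replaces a wallet's provenance with the average of two maps. What the model deliberately leaves out is the on-chain footprint of the split transactions themselves, which is the correlation Step 3 warns about.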

How does this address our examples?

When you receive a monthly salary payment, you mix it with 1000 random users and in return get 1000 smaller pieces. It’s like exchanging one $1000 bill for a thousand $1 bills. Then you can go buy your coffee and no one will know how much money you have.

When you need to spend a lot of money at once, you do the same: take all your small coins, swap anonymously for other small coins and make a single payment. Your individual spending histories will be dispersed among thousands of random people. And the recipient of your payment will link together totally uncorrelated histories having nothing to do with you personally.

Finally, if some of your money is being watched (“tainted”), it will be moved to someone else completely. You yourself have little risk of getting someone else’s tainted history because you never get more than 0.1% of it due to multiple rounds of splitting.

The UI for this can be quite simple. You install a special kind of wallet, load it with bitcoins, connect to the internet and click “Mix coins”. Next morning all your coins are perfectly mixed with thousands of random strangers.

Again, this is not a ready solution, but a theoretical possibility for those who are interested in solving puzzles. Don’t use this if the law forbids it. The law is very important.

See more questions and answers in this discussion on HN: https://news.ycombinator.com/item?id=6787603

Bitcoin and Gold

Bitcoin will eventually replace gold as a globally recognized “store of value”. Gold prices will go down 90-95% to the levels supported by the use in production as “reservation demand” for gold would essentially disappear.

When Bitcoin becomes the world money there will be little reason to own gold. Bitcoin is as limited, as fungible and as non-counterfeitable as gold. It’s even cheaper to verify, store, transfer and divide.

Gold is always as difficult to protect as it is to confiscate. It’s symmetrical. That’s why throughout history only the strongest were accumulating gold. Pirates were robbing merchants, kings were robbing pirates. In the end, massive amounts of gold are owned by the biggest governments and banks. Small folks can only reliably own as much gold as they can keep in their own hands. (In 1933 the US government confiscated most of the gold owned by the population as an “emergency measure” in a declared attempt to save the failing economy: http://en.wikipedia.org/wiki/Executive_Order_6102)

Bitcoin is asymmetrical. It’s much cheaper to personally own it and keep it safe than it is for someone to come and confiscate it (regardless of the amount you have). If you buy some bitcoins from 100 random people, no one except you knows how much you have. There’s no big shiny vault to attract thieves, no bank account for TLAs to peek into. You can perfectly back it up in 10 places, split the encryption key among 10 of your closest friends and even put some money in a “brain wallet” that leaves no traces anywhere at all.

A friend of mine, Steve, noted that the gold-backed economy logically evolved into the mess we are in now. Libertarians who advocate a return to the gold standard do not realise that the gold standard was the reason for the accumulation of gold in a few of the world’s biggest banks and everyone else getting worthless IOUs positioned as “sovereign currencies”. Gold is heavy and expensive to handle: only the wealthiest can afford to save a lot of it. And equally to take it by force from the less powerful.

Bitcoin changes all of that. Like cryptography, which gives everyone the possibility of privacy, Bitcoin gives everyone an equal possibility to save money and use money as they please. Without worrying whether someone takes it from them, or censors their transactions. Rich and poor can have equal protection of whatever they earned.

Yes, if someone is against you personally, they will find a way to get you. But massive-scale theft and controls become way too costly. Inflation and QE rob savers without knocking on their doors. Capital controls and bank bail-ins need a discussion with just a couple of bankers, not millions of actual depositors. Taxation happens automatically at the level of the banking system, as it’s used both for storage and transfer of money. When everyone personally holds bitcoins, it’s much easier to protest against taxation if it’s unfair or ineffective, it’s possible to avoid capital controls and it’s impossible to redistribute wealth by printing more money.

The Bitcoin economy is not a revolution in the sense of a violent redistribution of wealth in a “fairer” manner. It is a leap forward by forgetting about how much was destroyed or stolen and focusing on how much can be preserved and protected. It’s a truly peace-making tool for the whole of humanity. People who think about Bitcoin as only a money-moving tool, or a get-rich-quick scheme, grossly underestimate it. It enables much more than what the web gives. The web gives us freedom to exchange information. Bitcoin gives us freedom to exchange everything.

You can own Bitcoin, you can’t own your dollars.

People are always wondering how safe buying Bitcoin is if there are constant heists on exchanges and no website has a perfect reputation. They draw an analogy with banks: which organisation can I trust to handle my money?

The right answer is: with Bitcoin you don’t need to hold your money on an exchange for longer than a minute. You wire your government currency to an exchange (bitstamp, coinbase, bitcoin-central, btc-e, kraken, btcchina), buy some bitcoins at the current price and move them the hell out of there to your personal wallet. The exchange can be hacked the next day, but it won’t matter to you. You are not storing money there anymore. Your private keys are only stored in your encrypted backups and only you know the password. As long as the applications you use are not infested by viruses or backdoors, and you have enough separate physical backups, you are pretty safe. PS. Don’t use Windows!

Another question people ask: why can’t I simply use my Visa card like I do for the rest of my purchases? Or PayPal. The answer is that this money is never owned by you and all transfers are reversible. A Bitcoin transaction is confirmed by the network and buried in the blockchain in 10 minutes. A Visa transaction is reversible within 90 days. There were people who tried to sell Bitcoin (an ultra-liquid asset that you can own) for PayPal (a highly controlled asset that is owned by a chain of banks and payment processors). People grab your bitcoins and call PayPal to reverse the transaction (“someone stole my password!”).

People who start learning about Bitcoin should understand one thing. You don’t own your usual money. You may own paper bills to some degree, although the government devalues them all the time by printing more of them and restricting the movement of large enough sums. Your bank account you don’t own at all. Even wire transfers may get reversed, although rarely. All your transfers are basically promises from one banker to another. The entire banking system is a complex network of mutual promises not backed by anything except the desire not to break the law (yet another system of promises to reward or to punish). And these promises are being broken or revisited all the time on every level. Laws and regulations are not even consistent with each other, let alone with every particular decision.

Bitcoin, on the other hand, is like air-thin gold on steroids: you fully control your transfers and the entire network forces everyone to follow very strict rules to ensure the validity of all bitcoins and the rate of their creation. The shitty C++ code of BitcoinQT (the original and most used client) is infinitely more compact, rigid, logical and consistent than the entire regulatory environment with millions of account managers in the whole financial system.

You can also own gold, but that ownership comes with huge costs and risks. Someone needs to guard the vault, transport the vault, verify the purity of the bars and coins. All of this makes it impossible to use gold in the global economy. Which is precisely why we arrived at the modern all-controlling banking system — it grew out of the necessity to reduce the costs of handling gold by entrusting it to the biggest vaults. To use gold as money you have to trust someone to store or transfer it for you. So you are back to the current very fragile system.

The only money you can truly own today regardless of the amount is Bitcoin.

What regulators should know about Bitcoin

Next Monday, November 18th, 2013, the Congress of the United States will hold hearings on Bitcoin: how it works, what it means and what the government should or can do about it.

Here is the gist of what a lawmaker should understand about Bitcoin.

  1. Bitcoin is a protocol without a central managing organisation. Anyone can issue currency and validate transactions from any place in the world. Censoring transactions will be as effective as stopping Bittorrent file sharing. Technologically, Bitcoin is impossible to control or shut down (in practice and to a high degree in theory too).

  2. Bitcoin tracks every transaction in a public ledger. If you know the identities behind certain addresses, then a transaction between them is publicly visible and acts as immediate proof of activity between these identities. However, identities are not recorded in the ledger and anyone can use as many addresses as they like. Many wallet applications automatically create new addresses for every transaction.

  3. Bitcoins can be very effectively split into small pieces and mixed among a large number of users, thus making any statistical analysis almost useless. So far there are no easy and cheap practical ways to do that, so not many people bother. But it’s entirely possible nonetheless. Those who need to protect their privacy will do so easily as soon as some serious attacks on privacy emerge. It’s similar to how Bittorrent magnet links appeared after attempts to shut down Bittorrent trackers. Now nobody needs a tracker at all to discover available files and access them. Bitcoin mixing will become a built-in feature in many free wallet applications if it becomes much needed.

  4. Bitcoin protocol rules are enforced by the entire network of millions of computers. A computer that changes the rules will no longer be able to participate in the rest of the network. If a transaction is not considered valid by everyone, it will be accepted by no one.

  5. The black market will become even bigger with Bitcoin. Everything that law enforcement cannot reach will be even safer to trade, and many more activities will become possible with Bitcoin that were not possible before.

  6. Regulations may realistically only affect law-abiding consumers and producers. And the only thing they can do is increase friction and costs for both of them. Under regulation some legitimate businesses will become impossible, while others will move to the black market or to foreign jurisdictions.

  7. Forbidding Bitcoin completely is just a degree of regulation. It will have no effect on the black market, which will only grow, but it will shift innovative businesses to other jurisdictions where there is more freedom. Today, the Argentinian government imposes strict capital controls, inflates its currency and forces people to get dollars and bitcoins on the black market. Since bitcoins are much easier to sell and use than dollars, they are being adopted much more quickly. If that continues, bitcoins and dollars will completely replace pesos in the entire economy and the government will go bankrupt.

Policymakers are interested in preserving their image as people who protect citizens, and they need to collect taxes to keep the government running. If one wants to keep innovation and growing wealth within a country and tax it, then Bitcoin transactions should be left as free as possible. Regulators should provide clear and simple guidelines on how to report all taxable revenues and provide assurances that businesses are free to transact as efficiently as they can, provided they pay their taxes. Anything more than that will only increase the size of the black market or shift wealth to other places (thus reducing tax revenues for the government).

Countries that embrace Bitcoin will attract enormous amount of capital in a very short period of time. Countries failing to do so will quickly lose that exact amount of capital.