Oleg Andreev

Software designer with focus on user experience and security.

Author of Gitbox version control app.

Author of CoreBitcoin, an implementation of Bitcoin in Objective-C.

Lead developer of FunGolf GPS, golfer's personal assistant on iOS.

If you want to learn about Bitcoin, start with my Bitcoin FAQ or guide for journalists. I can give you an interview or provide technical and long-term economic consulting.
I am not interested in trading, mining or building fiat-to-btc exchanges.

If you like my articles, send some love here: 1TipsuQ7CSqfQsjA9KU5jarSB1AnrVLLo

Arguments for Litecoin are fraudulent


TL;DR: there’s no important difference between LTC and BTC, and only one of them can win over the other, because, other things being equal (which they are), people want to invest in the most liquid money: that is, the one with the biggest number of folks willing to hold it. LTC can’t be “silver to bitcoin’s gold”, because both LTC and BTC have exactly the same risks and costs. Either LTC wins over BTC, or BTC over LTC.

I’ll elaborate.

Litecoin/Bitcoin/Shitcoin are all long-term bets. I myself don’t speculate on a daily basis; most of us bet on the value of these things in a multi-year time frame. So let’s focus on that.

1) In the long term, security is not measured in “block interval time” or number of blocks. It’s measured in the amount of money that has to be spent on double spending. Today the hashrate of Bitcoin is many, many times more expensive than that of Litecoin. So one block confirmation in Litecoin is not just 4x less secure, but hundreds of times less secure: you need a smaller investment to fork the chain than with BTC. So anyone who brings up the security argument is lying to you.

2) Litecoin is not “faster” either. For the same level of security as in BTC, you have to wait a hundred times longer (see #1). Instant transactions are the same and also less secure than in BTC: zero-conf, with fewer nodes and less connectivity between them to limit double-spend attempts. Anyone bragging about “LTC being faster” is a liar. It can only be slower due to a smaller number of nodes and a currently lower hashrate, not faster. LTC can only be faster if BTC is abandoned and people switch to LTC.

3) “Scrypt protecting against concentration of power due to ASICs” is bullshit. If LTC wins over BTC, there will be ASICs and whole factories making chips and plugging them in on-site right away. Just like it will be with BTC or ShitCoin or whatever else. Long-term, LTC is either dead or full of Chinese ASICs, like BTC. Anyone arguing otherwise is a liar.

4) “Scrypt is more secure than SHA256” is bullshit in the context of mining. If there’s a better optimization of SHA256, it’ll be like better hardware. But this can equally happen to Salsa in Scrypt too. If the breakthrough is significant, all BTC stakeholders will vote for adjusting the protocol to fix the problem, rather than lose everything by panic selling. The huge price of BTC is a great motivator to find a weakness in double-round SHA256 and mine faster. Every day it doesn’t happen is practical proof that it’s as good as it can be (just like Scrypt, double MD5 or whatever); everything else is unfounded FUD.

5) “More fair distribution of wealth” - this is unfounded FUD. For the average Joe, LTC is less widely accepted, so its concentration, however “fair” it was, is still higher than in BTC. And who knows how much of the early-mined BTC is lost forever (we know that’s a lot) or was sold during the 2011 bubble and the slow price rundown the same year. I bet very few were sticking to their holdings at that time and thus were “fairly” taking huge risks.

6) “Diversification” (based on all the points above) - newbies who don’t know economics are made to think they diversify by investing in some altcoins. But the risks and costs are all the same for all coins. If Bitcoin is completely broken, most likely altcoins are broken for the very same reason. Otherwise, all Bitcoin holders will simply agree to upgrade the protocol. Especially so as Litecoin is on the same codebase.

The only real argument about LTC and BTC is that there’s no functional difference between them. LTC could only be 4+ times costlier to miners due to faster blocks and more “decentralization” of individual miners (slower connectivity, faster blocks => more orphans). If LTC had been released before BTC and taken off, everyone would be using LTC, no problem. The only thing that matters here is liquidity, the number of holders of money. If people are betting that BTC is the one with more hands, they signal that to others by holding it too. This moves all the “cryptoinvestments” into BTC in the long term. If people see that LTC is gaining more hands, then everyone will converge on LTC. LTC and BTC cannot coexist; it makes no economic sense both for miners (who want to invest 100% in the most valuable currency in the long term) and for users (who want money only because it’s widely exchangeable for many goods at any later date).

Right now there’s a lot of excitement about Bitcoin and not many people understand economics. Some folks are lied to and “diversify” into altcoins, which gives them a short-term bubble. But in the years to come, when they see that Bitcoin has bigger adoption, they’ll move their savings to BTC and then all altcoins will crash. Or, for some mysterious reason, BTC will not be viable and people will jump to LTC en masse and abandon BTC.

How to launder bitcoins perfectly

People often talk about privacy problems with Bitcoin: all transactions are public and every move is watched by millions of eyes. Where there’s a problem, there’s a solution.

Let’s first define the problem more rigorously. There are two situations (ok, three) when you want to launder your coins.

First: you receive your monthly salary on a single address and then want to do regular purchases with it. When you buy a cup of coffee, the shop owner will see how much money you have, which might be unsafe.

Second: you want to buy something expensive, so you have to combine “change” from various addresses in a single transaction. This may link many of your private payment histories in one. Someone may connect the dots and make a full profile of a single person: what he eats, where he travels and so on. It’s being done with credit cards already and people seem not to like it very much.

Third: you sold something anonymously and your payment is being watched. If you later spend that money in the open, your identity may be revealed.

Bonus track: some people think that “money laundering” is not sinful enough, so they invented “structuring laws”, that is, laws that forbid not only buying bad things, but also hiding the monetary trail even if you don’t do anything illegal at all. If your method of laundering bitcoins is screaming “LAUNDERING” on the blockchain (like with Zerocoin, shared addresses or CoinJoin transactions), it’s not good for you. You may get your privacy, but you also go to jail for “structuring”. To be a law-abiding citizen you should not hide your financial history. The rest of this article is for pure entertainment only.

To address all of these issues we need to disperse and mix the funds in such a way that their source or destination becomes statistically indistinguishable from any ordinary transaction.

You might do that with these ingredients: discover, insurance, split and swap.

Disclaimer: this is not advice, it’s a technological overview for all those who are interested in the privacy aspects of Bitcoin. Anyone can implement this or come up with an even better idea. This is not even my original idea. I recommend governments shut down the entire network to prevent people from doing nasty things with Bitcoin. At the same time, there’s an opportunity for undercover FBI agents to use this scheme to detect anyone mixing their bitcoins. Dear reader, please obey the laws and be a good, socially responsible person.

Step 1: Your wallet app discovers random nodes on the P2P network (other instances of the same app) and posts a request to launder some bitcoins. When two wallets meet with similarly sized requests, they exchange information about some of the available coins. Each of them does a statistical analysis of those coins and decides if a coin is “good enough”: for instance, if this coin’s history correlates as little as possible with the histories of the coins it already owns.

Step 2: When both nodes like each other’s coins, they enter an insurance contract. Each party locks up an equal amount of coins in a single special transaction where the coins can only be unlocked atomically and by mutual agreement. At the same time, each party can destroy both deposits (e.g. in case of a timeout or misbehaviour of the other node). The amount of each deposit should be 200-300% of the amount to be exchanged. I wrote about such a contract here: http://blog.oleganza.com/post/58240549599/contracts-without-trust-or-third-parties

Step 3: Each node splits its coin into two parts. One part is to be exchanged now, the other part is to be exchanged with some other node later. The parts should be equal. (This produces some correlation detectable on the blockchain, but that’s easy to fix with multiple independent transactions instead of just one.)

Step 4: Each node tells the other an address to which to send a part of the coin, and each of them makes that transaction. All the other nodes don’t know about this swap of coins and therefore cannot link them together. If your coin was “tainted” (watched by an adversary), half of it anonymously goes to someone else and in return you get an entirely different coin. The insurance contract prevents a node from receiving a payment without making the payment back. Since there is no human supervision, anyone trying to cheat the scheme will get punished by the automatic destruction of his deposit (which is worth much more than the money just received).

During one session (one insurance contract), nodes can swap more coins until they run out of coins or cannot provide each other with statistically good ones. When the session is over, the insurance deposits are unlocked and the nodes go talk to other nodes.

Think about it this way: you split all your money into 1000 pieces and send them to 1000 different random strangers via regular, statistically innocent transactions. In return you get 1000 pieces from all around the world that are not connected to each other in any meaningful way. 10 rounds split the money into 1024 portions, 20 rounds into over a million. In a short period of time you never expose more than a fraction of your funds and never receive more than a fraction of someone else’s history.

How does this address our examples?

When you receive a monthly salary payment, you mix it with 1000 random users and in return get 1000 smaller pieces. It’s like exchanging one $1000 bill for a thousand $1 bills. Then you can go buy your coffee and no one will know how much money you have.

When you need to spend a lot of money at once, you do the same: take all your small coins, swap anonymously for other small coins and make a single payment. Your individual spending histories will be dispersed among thousands of random people. And the recipient of your payment will link together totally uncorrelated histories having nothing to do with you personally.

Finally, if some of your money is being watched (“tainted”), it will be moved to someone else completely. You yourself have little risk of getting someone else’s tainted history, because you never get more than 0.1% of it due to multiple rounds of splitting.
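To check the dispersion claims above (1024 portions after 10 rounds, and no stranger ending up with more than a small fraction of a watched coin), here is an added simulation that is not part of the original post. It assumes every wallet hands over half of everything it currently holds in each round; the butterfly pairing is the ideal case where partners never repeat, and the seeded random pairing shows what happens when they can.

```python
"""Model of how the split-and-swap scheme disperses coin histories.

Added example; it is not code from the original post and does not implement
the network or the insurance contract. Modelling assumption: every wallet
starts with one coin of its own history, and in each round a wallet hands
over half of everything it holds and receives half of its partner's holdings.
Holdings are tracked per original owner, so the "taint" of a watched coin
can be measured the way a blockchain observer would.
"""
import random
from collections import defaultdict


def butterfly_pairs(n, rnd):
    """Deterministic pairing: in round rnd, wallet i swaps with wallet i XOR 2**rnd.
    Every wallet meets one it has never mixed with, the ideal case."""
    bit = 1 << rnd
    if n < 2 * bit:
        raise ValueError("need at least 2**(rnd+1) wallets for butterfly round %d" % rnd)
    return [(i, i ^ bit) for i in range(n) if not i & bit]


def seeded_random_pairing(seed):
    """Random pairing each round (partners may repeat, so taint can flow back)."""
    rng = random.Random(seed)

    def pairing(n, rnd):
        ids = list(range(n))
        rng.shuffle(ids)
        return [(ids[i], ids[i + 1]) for i in range(0, n - 1, 2)]

    return pairing


def swap_half(a, b):
    """Steps 3 and 4: both sides split their holdings in half and exchange one half."""
    new_a, new_b = defaultdict(float), defaultdict(float)
    for src, amt in a.items():
        new_a[src] += amt / 2
        new_b[src] += amt / 2
    for src, amt in b.items():
        new_b[src] += amt / 2
        new_a[src] += amt / 2
    return dict(new_a), dict(new_b)


def simulate(n, rounds, pairing):
    """Return the holdings of all n wallets after the given number of rounds."""
    wallets = [{i: 1.0} for i in range(n)]
    for rnd in range(rounds):
        for i, j in pairing(n, rnd):
            wallets[i], wallets[j] = swap_half(wallets[i], wallets[j])
    return wallets


def max_foreign_exposure(wallets, watched):
    """Largest share of the watched coin's history held by any other wallet:
    the most an observer of that coin can attribute to a single stranger."""
    return max(w.get(watched, 0.0) for k, w in enumerate(wallets) if k != watched)


def histories_held(wallet):
    """How many distinct original owners' histories a wallet now contains."""
    return len(wallet)


if __name__ == "__main__":
    w = simulate(1024, 10, butterfly_pairs)
    print("ideal pairing, 10 rounds: wallet 0 holds", histories_held(w[0]),
          "histories; max foreign share of coin 0 =", max_foreign_exposure(w, 0))
    r = simulate(1024, 10, seeded_random_pairing(1))
    print("random pairing, 10 rounds: wallet 0 holds", histories_held(r[0]),
          "histories; max foreign share of coin 0 =", max_foreign_exposure(r, 0))
```

With ideal pairing the post's numbers come out exactly (1024 histories of 1/1024 each); with random pairing, repeated partners let some of a coin's history flow back, so the largest foreign share is what to watch.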

The UI for this can be quite simple. You install a special kind of wallet, load it with bitcoins, connect to the internet and click “Mix coins”. Next morning all your coins are perfectly mixed with thousands of random strangers.

Again, this is not a ready solution, but a theoretical possibility for those who are interested in solving puzzles. Don’t use this if the law forbids it. The law is very important.

See more questions and answers in this discussion on HN: https://news.ycombinator.com/item?id=6787603

Bitcoin and Gold

Bitcoin will eventually replace gold as a globally recognized “store of value”. Gold prices will go down 90-95% to the levels supported by its use in production, as “reservation demand” for gold would essentially disappear.

When Bitcoin becomes the world money there will be little reason to own gold. Bitcoin is as limited, as fungible and as non-counterfeitable as gold. It’s even cheaper to verify, store, transfer and divide.

Gold is always as difficult to protect as it is to confiscate. It’s symmetrical. That’s why throughout history only the strongest were accumulating gold. Pirates were robbing merchants, kings were robbing pirates. In the end, massive amounts of gold are owned by the biggest governments and banks. Small folks can only reliably own as much gold as they can keep in their own hands. (In 1933 the US government confiscated most of the gold owned by the population as an “emergency measure” in a declared attempt to save the failing economy: http://en.wikipedia.org/wiki/Executive_Order_6102)

Bitcoin is asymmetrical. It’s much cheaper to personally own it and keep it safe than it is for someone to come and confiscate it (regardless of the amount you have). If you buy some bitcoins from 100 random people, no one except you knows how much you have. There’s no big shiny vault to attract thieves, no bank account for TLAs to peek into. You can perfectly back it up in 10 places, split the encryption key among 10 of your closest friends and even put some money in a “brain wallet” that leaves no traces anywhere at all.

A friend of mine, Steve, noted that the gold-backed economy logically evolved into the mess we are in now. Libertarians who advocate a return to the gold standard do not realise that the gold standard was the reason for the accumulation of gold in a few of the world’s biggest banks, with everyone else getting worthless IOUs positioned as “sovereign currencies”. Gold is heavy and expensive to handle: only the wealthiest can afford to save a lot of it. And, equally, to take it by force from the less powerful.

Bitcoin changes all of that. Like cryptography, which gives everyone the possibility to have privacy, Bitcoin gives everyone an equal possibility to save money and use money as they please, without worrying whether someone will take it from them or censor their transactions. Rich and poor can have equal protection of whatever they earned.

Yes, if someone is against you personally, they will find a way to get you. But massive-scale theft and controls become way too costly. Inflation and QE rob savers without knocking on their doors. Capital controls and bank bail-ins need a discussion with just a couple of bankers, not millions of actual depositors. Taxation happens automatically at the level of the banking system, as it’s used both for storage and transfer of money. When everyone personally holds bitcoins, it’s much easier to protest against taxation if it’s unfair or ineffective, it’s possible to avoid capital controls and it’s impossible to redistribute wealth by printing more money.

Bitcoin economy is not a revolution in a sense of violent redistribution of wealth in a “fairer” manner. It is a leap forward by forgetting about how much was destroyed or stolen and focusing on how much can be preserved and protected. It’s a truly peace-making tool for the whole humanity. People who think about Bitcoin as only a money-moving tool, or a get-rich-quick scheme grossly underestimate it. It enables much more than what the web gives. The web gives us freedom to exchange information. Bitcoin gives us freedom to exchange everything.

You can own Bitcoin, you can’t own your dollars.

People are always wondering how safe buying Bitcoin is if there are constant heists on exchanges and no website has a perfect reputation. They draw an analogy with the banks: which organisation can I trust to handle my money?

The right answer is: with Bitcoin you don’t need to hold your money on an exchange for longer than a minute. You wire your government currency to an exchange (bitstamp, coinbase, bitcoin-central, btc-e, kraken, btcchina), buy some bitcoins at the current price and move them the hell out of there to your personal wallet. The exchange can be hacked the next day, but it won’t matter to you. You are not storing money there anymore. Your private keys are only stored in your encrypted backups and only you know the password. As long as the applications you use are not infested by viruses or backdoors, and you have enough separate physical backups, you are pretty safe. PS. Don’t use Windows!

Another question people ask: why can’t I simply use my Visa card like I do with the rest of my purchases? Or PayPal. The answer is that this money is never owned by you and all transfers are reversible. A Bitcoin transaction is confirmed by the network and buried in the blockchain in 10 minutes. A Visa transaction is reversible within 90 days. There were people who tried to sell Bitcoin (an ultra-liquid asset that you can own) for PayPal (a highly controlled asset that is owned by a chain of banks and payment processors). People grab your bitcoins and call PayPal to reverse the transaction (“someone stole my password!”).

People who start learning about Bitcoin should understand one thing. You don’t own your usual money. You may own paper bills to some degree, although the government devalues them all the time by printing more of them and restricting the movement of large enough sums. Your bank account you don’t own at all. Even wire transfers may get reversed, although rarely. All your transfers are basically promises from one banker to another. The entire banking system is a complex network of mutual promises not backed by anything except the desire to not break the law (yet another system of promises to reward or to punish). And these promises are being broken or revisited all the time on every level. Laws and regulations are not even consistent with each other, let alone with every particular decision.

Bitcoin, on the other hand, is like air-thin gold on steroids: you can fully control your transfers and the entire network forces everyone to follow very strict rules to ensure the validity of all bitcoins and the rate of their creation. The shitty C++ code of BitcoinQT (the original and most used client) is infinitely more compact, rigid, logical and consistent than the entire regulatory environment with millions of account managers in the whole financial system.

You can also own gold, but that ownership comes with huge costs and risks. Someone needs to guard the vault, transport the vault, verify the purity of the bars and coins. All of this makes it impossible to use gold in the global economy. Which is precisely why we arrived at the modern all-controlling banking system — it grew up out of the necessity to reduce costs of handling gold by entrusting it to the biggest vaults. To use gold as money you have to trust someone to store or transfer it for you. So you are back to the current very fragile system.

The only money you can truly own today regardless of the amount is Bitcoin.

What regulators should know about Bitcoin

Next Monday, on November 18th, 2013 the Congress of the United States will have hearings on Bitcoin. How it works, what it means and what government should or can do about it.

Here is a gist of what a lawmaker should understand about Bitcoin.

  1. Bitcoin is a protocol without a central managing organisation. Anyone can issue currency and validate transactions from any place in the world. Censoring transactions will be as effective as stopping Bittorrent file sharing. Technologically, Bitcoin is impossible to control or shut down (in practice, and to a high degree in theory too).

  2. Bitcoin tracks every transaction in a public ledger. If you know the identities behind certain addresses, then a transaction between them is publicly visible and acts as an immediate proof of activity between these identities. However, identities are not recorded in the ledger and anyone can use as many addresses as they like. Many wallet applications automatically create new addresses for every transaction.

  3. Bitcoins can be very effectively split into small pieces and mixed between a large number of users, thus making any statistical analysis almost useless. So far there are no easy and cheap practical ways to do that, so not many people bother. But that’s entirely possible nonetheless. Those who need to protect their privacy will do so easily as soon as some serious attacks on privacy emerge. It’s similar to how Bittorrent magnet links appeared after attempts to shut down Bittorrent trackers. Now nobody needs a tracker at all to discover available files and access them. Bitcoin mixing will become a built-in feature in many free wallet applications if it becomes much needed.

  4. Bitcoin protocol rules are enforced by the entire network of millions of computers. Changing the rules on one computer will not allow it to participate in the rest of the network. If a transaction is not considered valid by everyone, it will be accepted by no one.

  5. The black market will become even bigger with Bitcoin. Everything that law enforcement cannot reach will be even safer to trade, and many more activities that were not possible before will become possible with Bitcoin.

  6. Regulations may realistically only affect law-abiding consumers and producers. And the only thing they can do is to increase friction and costs for both of them. Some legit businesses under regulations will become impossible, while others will go to the black market or foreign jurisdictions.

  7. Forbidding Bitcoin completely is just a degree of regulation. It will have no effect on the black market, which will only grow, but it will shift innovative businesses to other jurisdictions where there is more freedom. Today, the Argentinian government imposes strict capital controls, inflates its currency and forces people to get dollars and bitcoins on the black market. Since bitcoins are much easier to sell and use than dollars, they are being deployed much quicker. If that continues, bitcoins and dollars will completely replace pesos in the entire economy and the government will go bankrupt.

Policymakers are interested in preserving their image of people who protect citizens and need to collect taxes to keep the government running. If one needs to keep innovation and growing wealth within a country and tax it, then Bitcoin transactions should be left as free as possible. Regulators should provide clear and simple guidelines on how to report all taxable revenues and provide assurances that businesses are free to transact as efficiently as they can, provided they pay their taxes. Anything more than that will only increase the size of black market or shift wealth to other places (thus reducing tax revenues for the government).

Countries that embrace Bitcoin will attract enormous amount of capital in a very short period of time. Countries failing to do so will quickly lose that exact amount of capital.

Transactional Currency and Store of Value

Some people say Bitcoin is not a good “store of wealth” because of its volatility. Since it’s not “backed” by anything, it is only good as a “transactional currency”. That is, you do some work, earn some bitcoins and then spend them at Walmart. The price does not matter as long as it’s stable enough between the moments of receiving and spending it.

Some other people say that Bitcoin is bad as a currency. It requires electricity and an internet connection, it’s not good at micro-transactions, it’s not instant, it’s hard to exchange to and from government currencies, and it’s complex for regular people to understand. But as a store of value they say it’s okay. It can be safer and cheaper to store than gold, it’s hard to confiscate, and every year it has only grown in value.

Some others even say that Bitcoin growth hurts its use as a currency because people are not spending enough, but “hoarding” money in expectation of even bigger value in the future.

At least one of these groups must be wrong and, unfortunately, all of them do not understand economics at all.

For something (gold, paper, seashells) to become a medium of exchange, it must have some value and market acceptance (in addition to the physical ability to transfer ownership, of course). Where does this value come from? People who do not want to hold an asset for a relatively long time do not care about its value, thus they do not have any effect on it. Only those who wish to hold an asset decide what the fair price for it is. They do so for one of two reasons: either as a hedge against uncertainty in the future (who knows what you’d need to pay for next month), or as a bet that this asset will outperform alternatives (like Argentinians who buy dollars because their pesos are depreciating way too quickly).

The more people want to hold an asset (regardless of the price), the more liquid it is. Therefore, if someone offers you a payment in this asset, you are more likely to liquidate it, so you are more likely to accept it. Again, regardless of the price.

However, the supply of bitcoins is very limited and long-term investors compete very hard for its current production. This means that every single new person who wants to hold some number of bitcoins has to outbid not only other newcomers, but also the existing holders and their time preferences. Growing demand for a good in fixed supply has to raise the price.

This has two interesting effects.

First, the growing price acts as an indicator of the liquidity of Bitcoin. Since it is impossible to control the price of Bitcoin (there are multiple sovereign exchanges in multiple countries and a lot of private trade outside the exchanges), the price can’t grow by decree of a fixed group of speculators. Therefore, a growing price means a growing number of holders. Which means a growing number of people that will gladly accept Bitcoin from you if you do not intend to store it, but only receive it as a payment from someone else.

Second, in a positive feedback loop, as more people see the liquidity of Bitcoin, they become more likely to hold bitcoins for a little longer than usual, either expecting a better value in the future or as a safer and easier way to store some cash. This, of course, increases the number of people willing to hold bitcoins and thus increases the price even further.

In the end, to become a currency, Bitcoin must have value, which only comes from speculators holding it for various reasons. The more people are holding it, the better currency it is. A hot potato that no one wants to hold will never be a medium of exchange because its value does not exist.

Of course, there are some physical limits on usage as a currency. Gold is the worst currency: it’s heavy, hard to check and expensive to move and store. Paper bills are much better but still do not fly over the oceans. Banks and clearing houses are even better, but historically were very expensive due to risks of fraud, devaluation, fractional reserve lending etc. Bitcoin is much better compared to what we had. It’s much cheaper to verify its authenticity, it’s faster to fully confirm than credit cards (chargebacks within 90 days) or bank wires, it requires very little infrastructure to work (the internet, laptops and smartphones are widely deployed) and it has some useful features that other assets will never have. Therefore, Bitcoin’s biggest barrier to becoming a widely used currency is simply the number of hands that hold it. And as we see, it is getting into more and more hands very rapidly, just like Facebook or Twitter were attracting more and more people — almost exponentially.

Deflationary Spiral

Some people worry about Bitcoin being “deflationary”, that it appreciates over time. They think it would make people save more and spend less, thus reducing velocity of money and economic output. That economy would come to a halt if no one spends expecting future gains.

There is a simple thought experiment for anyone thinking this way. Imagine you find yourself in an economy where more and more people do not spend their precious coins and expect the price to grow. Everyone would give anything for a coin, but never give a coin for anything.

You, as an owner of some coins, will find yourself in a pretty curious situation. Since everyone values money so much, you can command enormous economic power. When people hear you can give them a little bit of money, they will rush to you and do whatever you say. You can build new factories, feed the poor, bring water to Africa and so on. You can change the world for the better, just like you wanted all the time. Deflationary spiral then will not lead to a global starvation and misery, but to a perfect society.

Of course, you may not be alone in this desire. Someone else would try to outbid you when buying goods and services. So you two would have to share enormous economic power. If anyone else wants to reshape the world, they will join you and compete with you. Ultimately, everyone who cares about building things will do so while everyone willing to work for precious coins will happily work and save money. And then, eventually, when their money appreciates enough, they might want to do something with a small portion of it just like you did.

Programmable Savings As Universal Insurance

When the world starts using hard non-depreciating currency, people will keep savings in it instead of risky or non-liquid investments like jewelry, houses and stocks.

If the currency is programmable (Bitcoin), then the savings are programmable too.

Programmable savings can be used as a great collateral in all sorts of social interactions.

When two people sign a contract, they can mutually lock up some portion of their savings “in the air” as collateral without using any third party and without relying on a powerful dispute mediator (maybe only for consultation, but not for enforcement). Each party can destroy both collateral deposits, which creates an incentive to peacefully resolve disputes to mutual satisfaction.

In a crowdfunded project, every person on the receiving side can lock up part of his savings (that can be affected by stakeholders) before taking any amount from the fund. The collateral is released when it is “resold” to a further party down the production chain.

Today directors, managers and presidents of publicly-traded companies and governments have control not only over their own money (salary and dividends), but also over someone else’s money, insured only by reputation and highly inefficient government law enforcement. Programmable collateral makes it possible for every piece of resource controlled by a non-owner to be fully insured with real cash.

Programmable savings allow the world to be much safer without any need for brutal, violent intervention.

UIKit in OS X

OS X is very old. Its UI framework, AppKit, is almost 20 years old (taking its roots in NeXTStep). AppKit has a lot of cruft and iterating it towards modern standards takes a lot of hard work. While UIKit was built on top of CoreAnimation from the start, AppKit had to incorporate it as an option which you can turn on and off. Or consider NSCells vs. recyclable views, or custom drawing code vs. configurable labels in UIKit.

iOS 7 shows what a complete rewrite may look like. If you want to update your app, you have to adapt it to the new look and feel. And APIs. If you don’t want to adapt, the OS ships with fully compatible old frameworks to run your app as before.

OS X can use this trick in some future release. It can add keyboard, mouse, menu and window support to UIKit, make it the default environment for the desktop and run older apps on AppKit, which ships with the OS for compatibility. New apps would have to be compiled and released with new tools and UIKit APIs. Older apps could still be maintained with older tools and compiled against AppKit, but AppKit would not get any enhancements.

This would all help with the internals. On the surface, users would only notice more advanced graphics and animations similar to iOS. This won’t change the “feel” of OS X much, as it would still use keyboard, trackpad and mouse. But things like buttons and scroll views would essentially be the same. Having the same toolkit for both systems would reduce hassle by 80% at least.

Of course, since OS X would run on UIKit, which already knows about touch, it would be interesting to think of a practical way to enable touch on conventional notebooks and desktops (if they are still around). That is, how and why vertical screens become horizontal, and how professional interfaces with lots of mouse-friendly elements can be adapted for touch (or why that is not needed for them). Maybe in the interim, OS X UIKit would not accept touches at all, but still provide a great deal of efficiency.

Satoshi on Bitcoin design

Satoshi, on June 17, 2010:

The nature of Bitcoin is such that once version 0.1 was released, the core design was set in stone for the rest of its lifetime. Because of that, I wanted to design it to support every possible transaction type I could think of. The problem was, each thing required special support code and data fields whether it was used or not, and only covered one special case at a time. It would have been an explosion of special cases. The solution was script, which generalizes the problem so transacting parties can describe their transaction as a predicate that the node network evaluates. The nodes only need to understand the transaction to the extent of evaluating whether the sender’s conditions are met.

The script is actually a predicate. It’s just an equation that evaluates to true or false. Predicate is a long and unfamiliar word so I called it script.

The receiver of a payment does a template match on the script. Currently, receivers only accept two templates: direct payment and bitcoin address. Future versions can add templates for more transaction types and nodes running that version or higher will be able to receive them. All versions of nodes in the network can verify and process any new transactions into blocks, even though they may not know how to read them.

The design supports a tremendous variety of possible transaction types that I designed years ago. Escrow transactions, bonded contracts, third party arbitration, multi-party signature, etc. If Bitcoin catches on in a big way, these are things we’ll want to explore in the future, but they all had to be designed at the beginning to make sure they would be possible later.

I don’t believe a second, compatible implementation of Bitcoin will ever be a good idea. So much of the design depends on all nodes getting exactly identical results in lockstep that a second implementation would be a menace to the network. The MIT license is compatible with all other licenses and commercial uses, so there is no need to rewrite it from a licensing standpoint.

Key revocation and fingerprints

When you use private keys, people trust your digital signatures because they expect that you keep these keys secret. If someone steals your keys, he can impersonate you and harm your reputation. As a precaution, whenever you feel like your keys were compromised, you can publicly revoke them (by signing a message “this public key XYZ123 is now revoked” and securely timestamping it with the Bitcoin blockchain). All signatures from that moment on can be repudiated, and you may start using an entirely new private key.

Today the iPhone 5s was announced and some people started freaking out about it collecting your fingerprints and sending them to the NSA. We have a lot of documentation about how the NSA infiltrates companies to steal data or takes it using an order of some secret “court”, so these fears are not entirely unfounded. However, it’s even worse, because many foreigners coming to the U.S. (and maybe some other countries too) have to give up their fingerprints at customs. Anyone who was brought to a police department for whatever reason was also scanned. Not to mention corporate security systems that have used fingerprint scanners for some years now. Your fingerprints could have been recorded in several places already.

The problem with fingerprints is that you only have one set of them, and someone may damage you by impersonating you at a crime scene. Just like with private keys, when you think your fingerprints could have been compromised, you have to revoke them. The solution is not to try to cut off your fingers, of course, but to publish them as widely as possible. Then, if someone uses them somewhere, you have perfect protection: your fingerprints are no longer your private property and cannot be used against you.

Of course, publishing your fingerprint will diminish the usefulness of the Touch ID sensor in iPhone 5s, but that’s the price to pay when our governments keep people in jail for decades based on some biometric evidence.

Contracts without trust or third parties

EDIT: The up-to-date version of this idea is presented here: http://oleganza.com/bitcoin-epita-2014.pdf Scripts are slightly different and take into account transaction malleability.

This is a very powerful idea for our troubled times. I hope you will enjoy it as much as I do.

Our usual relationships are with those who have made some investment. Your friends demonstrated they prefer to keep the friendship going, so you can trust them. Your local bakery demonstrated investment in their setup, employees and advertising, and they want to earn that money back. So you can trust them with your money. Apple has invested billions of dollars in producing iPhones, so you send them your money via the online store without worrying that they might take it and run. It also works the other way around: if you have an investment in your reputation, you may ask for payment up front and people will give it to you.

For some relationships this does not work. Sometimes you want to buy something on Ebay from a guy like you. You don’t know each other, you have no interest in building Ebay reputation, but you wish you could safely come together and exchange stuff. Or, you are a freelance designer making a website for some small business in another country. Both of you have few ways to influence each other’s reputation. And if you have a disagreement, no one except you could reliably judge who was right or wrong.

Historically, this was solved in two ways: either by meeting in a crowded place in person for an immediate exchange, or by going to a third party. Both approaches are very limited and unsatisfactory. In-person exchange bears a high risk of being robbed on the way home, and it does not work well with some kinds of services or across the ocean. Third-party escrow is better, but it is very limited. It’s very cheap for a scammer to create many identities on Ebay and successfully cheat 5-10% of the time. Profit for the scammer, loss for everyone else who now pays a 5-10% premium. Also, an escrow cannot be an expert in everything. If you have a complex or not very well defined contract (like in any intellectual job), you would never find a reputable agency to solve your problem (or it would be too expensive). Usually, the only qualified expert would be the second party itself. For instance, a design studio.

So how would we solve it for two strangers?

Let’s think. We negotiate fairly well when we maintain a status quo. For instance, before making a contract, we discuss the details and can walk away as friends because we don’t lose anything but the time spent negotiating (and that time is expended by both parties, so both have an incentive to finish sooner rather than later). But whenever one party gets an advance, it may be enough of an incentive to run away without finishing the job. Another example: if we are friends and enjoy a long-term relationship, we may expect that small advances on anyone’s part are not enough to break the relationship.

Notice a pattern here?

The value of the deal should be noticeably smaller than an investment at risk.

Obviously, when neither of us has made any investment, we should make one. But since it is just one deal, we don’t want to make sacrifices unilaterally. We want both of us to make an investment which can be paid back to both of us at once when the deal is successfully finished.

(If you have followed my blog for some time, you already know what technology we will talk about.)

Bitcoin allows not only moving money from a person to a person securely, without risk of reversal, but it also allows expressing sophisticated contracts using its scripting language and digital signatures.

Bitcoin is the only technology that makes this possible:

  1. Two parties independently lock some amount of money in a single Bitcoin transaction without meeting in person or trusting anyone.
  2. This money can be unlocked only when both agree. If at least one party does not want to unlock the deposit, the other party cannot do anything about it.
  3. Both parties can unlock the deposit only atomically, for both of them. No one can unlock it just for himself.
  4. No one else has access to the deposits, and neither party can access the other party’s money.

This scheme is inspired by NashX, though they are acting as a third party that we try to avoid.

The cost of the procedure is 2 small exchanges of data over the internet (no encryption required), 1-2 hours of wait time till the transaction is included in the Bitcoin blockchain (not every miner includes non-standard transactions) and a small transaction fee around 5-10 cents at current prices (110 USD/BTC), regardless of the amount in question.

How will it work? Both parties should have a fancy wallet application that automates transaction creation (we are working on that). Alice and Bob agree on the amount to be locked (typically 200-300% of the value at stake). Let’s say the amount is 2 BTC. Then, Alice sends Bob a public key and a hash of her random secret number. Bob constructs a transaction with this data, his own public key and a hash of his own random number. The transaction has two outputs: one for Bob with 2 BTC and another one for Alice with 2 BTC. Bob signs his part of the transaction with the appropriate amount in the input and sends it to Alice to sign hers. Alice checks that Bob has specified all amounts and included her public key and her random number hash accurately. If the transaction is correct, Alice adds her 2 BTC in the input and signs it. The transaction is not valid until both parties sign it and the sum of the inputs matches the sum of the outputs (or slightly more, to allow a mining fee). Once signed, Alice sends this transaction to the Bitcoin network and both parties wait till it gets included in the blockchain. I will show the scripts in detail below, but before doing that, let’s do some analysis.

Once the transaction is in the blockchain, both Alice and Bob are 2 BTC short, while the value of their contract is, say, 1 BTC.

They can still negotiate on equal grounds, but now the money at risk is higher than any advance payment anyone makes. If Alice sends Bob some goods before receiving a payment, Bob cannot be sure that Alice would agree to unlock the deposit if Bob does not pay her. Bob has more to lose than just the 1 BTC he owes her. So he pays. When both Alice and Bob get what they want, they unlock the money and the deal is over.

Of course, strictly speaking, the victim will lose less if he/she agrees to unlock the funds no matter what, but the same logic applies to personal relationships or to two businesses with equal investments. No one can be sure if the other party wouldn’t want to wait indefinitely till the conflict is resolved or destroy the investment. To know if this scheme actually works, we have to try it and see how people behave. If everyone is always perfectly rational, then people either would never steal from each other, or always steal and agree to unlock deposits and never use such scheme again. But the real life is more complex.

We can see that both parties need to have more bitcoins locked than will be moved during the contract. This may not be acceptable in some cases. For instance, when buying an expensive house. (Cannot really put 2 houses in the escrow.) But for some expensive contracts it can still work. A contract can be broken down into 10 steps, where after each step a payment is made. Then the amount of money to be locked only needs to match 1/10 of the whole price.

Now, let’s see how to do that. For simplicity, let’s say we have no problem of “change” (when extra money from one input is sent back to its owner using an additional output script). Then the transaction has two inputs and two outputs.

Each input signs the whole transaction except for the other input (using the SIGHASH_ANYONECANPAY modifier), to allow the other party to sign their input independently without an extra round-trip.

Output scripts are symmetrical and prepared at once by one of the parties. Each output sends a predefined amount of bitcoins.

Note: please find the discussion and minor improvement to the scheme here: https://bitcointalk.org/index.php?topic=273539.0

AlicePK and BobPK are their public keys (to ensure the ownership). HashA is a SHA256 hash of Alice’s secret number. HashB is a SHA256 hash of Bob’s secret number.

Each script checks that the future transaction is signed by the proper key and that both numbers are provided: number B and number A. To redeem such a script, one would need to know both numbers. Let’s say Alice and Bob finished their business and Alice sends her number to Bob. Bob does not need to send his number to Alice, because he would have to reveal it in the blockchain anyway when he redeems his output. Alice can then see his number and redeem her output too. If one party is not satisfied yet, they just keep their secret number to themselves.

This scheme also allows partial unlock. If both want to reclaim 80% of the deposit, they can simply create another transaction for 20% of the amount and then unlock the first one.
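The two symmetric output scripts and the settlement flow just described, as an added example (not the post’s own code and not CoreBitcoin): the script checks two SHA256 preimages and one signature, as the text states, but the opcode order is an assumption, a hash-based Lamport one-time signature stands in for ECDSA so that it runs with the standard library only, and input signing with SIGHASH_ANYONECANPAY is not modelled.

```python
"""Model of the two-party deposit described above (added example).

Not code from the original post or from CoreBitcoin. The two symmetric
output scripts are evaluated by a tiny stack machine that knows only the
opcodes the scheme needs. ECDSA is replaced by a Lamport one-time
signature (hash based, standard library only) so the example runs offline;
the opcode order and the layout of the redeeming script are assumptions.
"""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- stand-in for ECDSA: Lamport one-time signatures over SHA256(msg) -----
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, msg: bytes):
    return [priv[i][b] for i, b in enumerate(_bits(msg))]


def verify(pub, sig, msg: bytes) -> bool:
    return all(H(sig[i]) == pub[i][b] for i, b in enumerate(_bits(msg)))


# ---- the output script each party gets (AlicePK/BobPK, HashA/HashB) -------
def locking_script(party_pk, hash_a: bytes, hash_b: bytes):
    """Spendable only with number B, number A and a signature by party_pk."""
    return ["OP_SHA256", hash_b, "OP_EQUALVERIFY",
            "OP_SHA256", hash_a, "OP_EQUALVERIFY",
            party_pk, "OP_CHECKSIG"]


def unlocking_script(sig, number_a: bytes, number_b: bytes):
    return [sig, number_a, number_b]


def run_script(unlocking, locking, spending_tx: bytes) -> bool:
    """Minimal evaluator: data items are pushed, opcodes act on the stack."""
    stack = []
    try:
        for item in unlocking + locking:
            if not (isinstance(item, str) and item.startswith("OP_")):
                stack.append(item)
            elif item == "OP_SHA256":
                stack.append(H(stack.pop()))
            elif item == "OP_EQUALVERIFY":
                if stack.pop() != stack.pop():
                    return False
            elif item == "OP_CHECKSIG":
                pub, sig = stack.pop(), stack.pop()
                stack.append(verify(pub, sig, spending_tx))
            else:
                raise ValueError("unknown opcode " + item)
    except IndexError:            # malformed unlocking script (missing data)
        return False
    return bool(stack) and stack[-1] is True


def settlement_demo():
    """Lock, Alice reveals her number, Bob redeems, Alice follows."""
    alice_priv, alice_pk = keygen()
    bob_priv, bob_pk = keygen()
    number_a, number_b = os.urandom(32), os.urandom(32)   # constructed secrets
    hash_a, hash_b = H(number_a), H(number_b)
    # the two symmetric 2 BTC outputs of the deposit transaction
    alice_out = locking_script(alice_pk, hash_a, hash_b)
    bob_out = locking_script(bob_pk, hash_a, hash_b)
    spend = b"constructed-spending-tx"   # stands for the serialized redeem tx
    bob_sig, alice_sig = sign(bob_priv, spend), sign(alice_priv, spend)
    r = {}
    # 1. Before Alice reveals number A, Bob cannot redeem even with his key.
    r["bob_early"] = run_script(
        unlocking_script(bob_sig, os.urandom(32), number_b), bob_out, spend)
    # 2. Alice hands number A to Bob off-chain. Bob redeems his output, which
    #    necessarily publishes number B inside his unlocking script.
    bob_redeem = unlocking_script(bob_sig, number_a, number_b)
    r["bob_redeems"] = run_script(bob_redeem, bob_out, spend)
    # 3. Alice reads number B from Bob's published script and redeems hers.
    seen_number_b = bob_redeem[2]
    r["alice_redeems"] = run_script(
        unlocking_script(alice_sig, number_a, seen_number_b), alice_out, spend)
    # 4. Knowing both numbers does not let Bob take Alice's output: wrong key.
    r["bob_takes_alice"] = run_script(
        unlocking_script(bob_sig, number_a, number_b), alice_out, spend)
    return r


if __name__ == "__main__":
    print(settlement_demo())
```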

This scheme was never tried before, but can be very useful in many circumstances. Examples:

  1. Selling things in person for cash. If both parties lock 3x the price and unlock it only when both get home, there is little incentive to steal the cash (or the good) in a dark alley.

  2. Selling anything to strangers over the internet without Ebay. One party sends a product by mail. When it’s received, buyer sends back the payment (via Bitcoin, Western Union, PayPal or wire transfer).

  3. Not well-defined contracts with freelancers. The customer does not really know what he wants or how to make a website, so he and the freelancer lock in some amount and then have a mutual interest in being nice to each other and resolving problems using common sense.

  4. Airbnb without Airbnb: the amount is unlocked when the apartment turns out to be what was ordered and the payment is made in full. The website now only needs to put up pictures and ratings and take a fee for that.

The possibilities are endless. The same idea can apply to a group of people to agree with another group of people on something. E.g. a “social contract” where a group of neighbours hire several guards to protect their district.

The cost of such a transaction is very low. There is no counterparty risk, it allows one to remain anonymous, the time to register is measured in minutes and the cost is less than a dollar. If it becomes popular, more miners will include it in the blockchain, so it will become even faster and cheaper.

I myself plan to add support for such transactions in my future wallet application for OS X and iOS. I have opened a part of it called CoreBitcoin and will build on top of it. Others may try the same or similar ideas in their own applications and services. If it turns out to be useful, we can come up with a standard way to express such contracts so even more people can use them easily.

Now, what crazy idea would you build on top of Bitcoin?

PS. David Friedman responded: http://daviddfriedman.blogspot.fr/2013/08/a-bilateral-hostage-via-bitcoin.html

The universe wants one money

In this post I address issues of competing government currencies, competing private currencies, gold, silver, bitcoin and alternative “crypto-currencies”.

We all know that variety and competition is a good thing. We all want slightly different things, value the same things differently or make different trade-offs. That’s why we have a wide variety of products, prices, quality, colors and materials on the market. Interestingly, money is different. We all want one single universal money. It may not be obvious to many people, so let me explain.

How is money different from everything else? On one hand, money is just an asset. You can produce, buy, sell or hold it. On the other hand, money is a medium of exchange. It allows you to trade your 8 hours in the office for a new iPhone. It also allows you to delay the consumption decision. You can spend 8 hours of work today, but then be free to decide when and on what to spend your salary. If suddenly you need to buy a ticket to Hong Kong, you can do it without working an extra couple of hours to earn it.

The function of money is to exchange the widest variety of products for each other. iTunes credits allow you to choose between many songs. This makes them money to some degree. But dollars are even better money because they can buy all those songs, and also a myriad of other things as well. Therefore, people tend to keep savings in dollars, not in iTunes credits.

It seems obvious that the best money is the cheapest and the most widely recognized and accepted one. Cheapest in the sense of handling it. If your money is a huge stone you have to carry around, it is more expensive than a small gold coin (provided they both have the same price in terms of goods they can buy). A piece of paper named “gold certificate” could be even cheaper than gold itself, but carries a risk of fraud, so in some cases it could be even more expensive to hold than the gold itself.

For a huge part of the civilized human history we used two metals as money: gold and silver. They were not perfect, but universally accepted and recognized. All other things like seashells, diamonds, IOU papers were less universally recognized, so they were naturally used in some very niche markets while everyone was keeping cash in gold or silver.

Both gold and silver were durable, easy to verify, easy to cut and melt together, compact enough to be stored and moved around cheaply. And they were very hard to obtain, so there was a very low inflation cost (every new gram of gold created eats into everyone’s savings because it increases the purchasing power of its owner compared to everyone else around). Other things were either easy to produce, or not durable, or hard to split into arbitrary parts.

Why did gold not outcompete silver? Or vice versa? That’s because they both had weight. For small purchases gold would have to be split into tiny, difficult to handle pieces, while to make big purchases one would need to move several kilograms of silver compared to a much smaller amount of gold. This naturally created two parallel global markets: one for small purchases where silver was used (and small droplets of gold would be impossible to handle) and another market for big purchases where silver was too heavy, so gold was used instead.

Make a thought experiment now: if there were a gold-like metal that allowed moving both big and small amounts equally cheaply, it would be useful on both the “small” and the “big” markets. Thus it would be more marketable (more exchangeable), which by definition would make it better money. Better than gold and better than silver. People would then tend to keep their cash in that magic metal because it would allow them access to a bigger variety of goods: from bread to houses. And they would not lose money on the conversion rate, as they do when they sell some silver for gold or the other way around.

There was competition in private coinage. Kings and private merchants were making their own coins in gold and silver and selling them at a premium. A well-recognized coin was easier to store and to verify if you trusted the issuer. Instead of measuring each coin, you could simply read the number on its face. Names like “dollar”, “pound sterling” and others were all names for private coins or bullion and meant a particular weight of the metal. That is, the dollar was not some sort of separate money, it was simply a name for a certain amount of silver, like “gram” or “ounce”. The money was still the same, gold or silver, but there was a big variety of shapes of that money.

Of course, gold and silver were still quite limited. You could not drop a bag of gold across the ocean. That’s why people invented banking. Bank was simply a warehouse for your metal. You give them gold, they give you a receipt. Then, if the bank had good reputation and connections with other banks in the world, you could transfer those receipts of any face value quite cheaply anywhere. The only real cost was trust in those banks. Because if the bank is robbed or steals your metal, your receipt becomes worthless. If the bank prints additional receipts for the same amount of metal, the value of your receipt goes down proportionally (or you face a risk of bank run, when more people try to redeem their receipts than is available in the vault).

In the old days, private currencies were simply those receipts for gold or silver. Each currency could have a different name and a different reputation. Bigger banks’ notes had more value on the market because they had less risk associated with them and, as a result, wider acceptance. But ultimately, they were all receipts for the same metals that you could redeem at any time and move to any bank or under a mattress. Because people valued receipts only for their ability to represent readily accessible metal. Without the metal, those pieces of paper would be worthless.

Today things are different. After several huge economic disasters created by the governments of Russia, Europe and U.S. in the beginning of 20th century, we now have state-issued money in almost every country with a nice twist that now the money is not redeemable for metals. People use that money, though, because various controls and regulations make it almost impossible to use gold, silver or respective certificates in daily transactions. Every bank needs expensive license and must not be very creative at what it can offer to its clients.

Dollars can buy things in the U.S., euros can buy things in the E.U., but if you try to use them in inappropriate places, you would have to pay very high conversion fees. (Setting up your own clearing house or exchange with the lowest fees is not possible due to regulation.) It should be clear now that if, for instance, the U.S. Dollar can buy more than the Russian Ruble, Russians would tend to use Dollars in daily life. The reason why it does not happen anymore (it used to during the liberal times of the 1990s) is stricter controls on currency exchange that make it illegal to price goods in dollars and expensive to exchange currencies frequently. For the same reason, gold and silver are not used: they are too expensive or illegal in some contexts, or there is a huge risk and cost for those who are going to store them. Several years ago, Liberty Dollar, an alternative silver-based currency, was shut down and all its silver was confiscated by the U.S. government. The founder was pronounced guilty of “making, possessing, and selling his own currency”.

Here we do not discuss whether it is good or moral to make your own currency or store other people’s money. The point is about demand for a single, most universally accepted money. If gold, silver and foreign currencies need violent intervention to not be used, it is only proof of existing demand. Because if there were no natural demand, no government would bother setting up restrictions in the first place.

Now we enter crypto-currencies. It is a fancy name for Bitcoin and its many clones based on the same source code. Bitcoin itself is very different from ubiquitous government money, application-specific “credits” (like in multiplayer games) or gold and silver. It is absolutely digital, does not have a single controlling entity and is very cheap to store and transfer both huge and tiny amounts of money. This property makes Bitcoin very useful on certain markets: be it an illegal market, or “sending money to family in another country”, or a market where banking is unavailable or too expensive.

What about alternative Bitcoin-like currencies? They all provide the same security risks and benefits. Nominally, they all have different divisibility (so called “larger number of coins”), but at the scale of trillions of smallest units in total money supply extra divisibility does not really matter.

Economically, all Bitcoin clones (altcoins) have the same problem: they all have much smaller market exposure than Bitcoin while not being technically superior. When people decide in which one to keep their money, they would keep it in the money with the biggest market. There is no point in “diversification” in the long term. If Bitcoin fails for some reason, all its clones fail for the same reason automatically. If Bitcoin works well, any amount in altcoins is simply inferior in its purchasing power. It does not mean there won’t be any market. You can always keep some empty plastic bottles for selling later, but the bottles can only buy cash, while cash can buy anything.

The second problem of altcoins is mining. In the long term, any miner will throw 100% of computing resources into the most profitable currency. Even if Bitcoin is only 1% more profitable than Litecoin, since there is no fundamental difference between them, all the resources will be thrown into Bitcoin. In the short term, there are plenty of enthusiasts who find themselves equipped with a lot of outdated GPU hardware that was once used for Bitcoin, but now cannot compete with specialized ASIC hardware. These people now mine Litecoin in the short-term expectation of any amount of reward. It is sort of a private club of people trading in their own funny money. All new miners devote all their energy to Bitcoin, while people who sell or retire their GPUs will make the Litecoin network weaker and less technically stable.

In the end, it is clear that we want the single money to be able to sell anything and buy anything. We all want it to be cheap to store, move and verify. And secure. With as little trust in middlemen as possible. Today we find ourselves with a lot of artificial barricades in the sphere of money, which causes artificial demand for various local currencies. Gold is being seized or moved from the country. Foreign currency is prohibited for merchants to price their goods at. Legal tender laws force you to accept government-issued currency as a payment for debts. Regulations and licensing limit variety of private currencies or money substitutes. But all that trouble only proves almost universal desire to use the single virtual entity for buying food and saving for the future. Bitcoin gives us a mechanism to overcome all these regulations and trade as freely as was ever possible. Maybe it will allow us to achieve that single, most marketable entity that we all so desire.

You have no rights

A moral argument must be universal, or it’s just bigotry.

"If you do nothing wrong, you have nothing to hide" either applies to everyone, including those who snoop around, or is not a moral argument.

"Thou shalt not kill" either applies to everyone, or it’s a lie to let some people to kill others without much resistance.

History of the world shows that really universal activity never had any moral commandments (e.g. “thou shalt eat”). History is full of people who use moral arguments to use other people. Starting with ancient religions till nowadays with laws, bills and constitutions.

Therefore, almost any moral argument you have ever heard or will hear is not a real universal argument, but an instrument using which some people want to hold you by the balls.

When no one steals, it’s easy to be a thief. If somebody is stealing from you, then you either put on a bigger lock, or you figure out why so many people hate you so much. That’s why only a thief will go to great lengths to educate people not to steal, to have a whole territory open only to him.

You don’t have a “right to privacy”. Rights are an invention of the rulers. In your normal life you connect to people on a “be nice” basis. You tolerate their oddities, they tolerate yours. You try to stay closer to people you like and farther from people you don’t like. There is no black and white morality. People in Texas love carrying guns, but I don’t. So what? I simply do not live in Texas.

If you believe you have rights, you are supporting a person who wants to enforce such right using a threat, not a dialog. If you hate that someone’s watching you, simply close the window. Do not go and demand even more violence to be directed on “bad guys”. In such case you would simply add to an uncontrollable chaotic killing structure operated by maniacs.

Do not like stealing? Close the door. Do not like people reading your emails? Use crypto. Don’t like violence? Do not be violent, avoid bad districts, do not go rioting on the streets to be killed by the mob or cops. Don’t like some people? Avoid giving them anything voluntarily. Tell others to boycott them. Do not like what banks do with your money? Use some other money. Do not like uneducated people? Educate them nicely, so they would want to listen. Need support? Go, ask for it. Hedge the risks, save for a rainy day, be careful and respect people around you.

But don’t you be afraid of being angry when people attack you. Don’t cover someone’s lies. Look in the eyes of truth. Your emotions are real. If someone’s kicking you, protect yourself, expose the lie covering it. Do not look for a conflict, avoid it. But never lie to yourself and others about what is going on.

How to deal with a deficit of available Bitcoin outputs

You just installed a Bitcoin wallet and received your first 10 bitcoins. Do you think you can easily spend these 10 bitcoins in 10 shops during a visit to a mall? Not really.

Bitcoins do not exist as individual items. Once you received your first bitcoin payment, all you have is a single “transaction output” that you can spend. Once spent, it is no longer valid. In its place you’ll have two new outputs: one as a payment to someone else and another one as “change” sent to yourself. To pay the second person you need to use this new output (the “change”). But this new transaction will not be accepted or even relayed by the network before its parent transaction (your first payment) is included in the blockchain. So to make a second payment you’d have to wait 5-15 minutes until the first one is included. And to make another one, you’d have to wait another 5-15 minutes after that.

In addition, if you try to send a small amount from a relatively “fresh” output, people would ask for transaction fees to relay or mine your transaction. This is done to prevent DDoS attacks on the network. If you wait 24 hours after creating a new “change” output, you could send it for free, but doing so earlier will result in unpredictable and lengthy delays. Although the usual transaction fee is very, very small at current prices (around 5 cents), you’d still have to wait for all previous transactions to be included in the blockchain before you can successfully publish another transaction.

In a sense, you may call a single output a “coin” (with some amount written on it). The more “coins” you have, the cheaper and faster your transactions will be. Think of it like having a single $50 bill when you need a quarter to pay for parking. You’d need to go somewhere to exchange that $50 for smaller bills and coins. Unlike real coins, transaction outputs are not displayed in any wallet app, so you don’t know in advance how many transactions you can make. And even if they were displayed, it would add unnecessary complexity for the user.

This side of Bitcoin obviously sucks, but can be managed easily.

First, you may ask to receive money in multiple outputs. E.g. if you receive a big monthly payroll, you may ask to send you money in a single transaction with 10–20 distinct outputs, so you could spend several of them right away. They all may use the same address and your wallet will figure everything out automatically. The only thing you’ll notice is that you don’t have to pay extra or wait longer to get a couple of your simultaneous payments to get through.

Secondly, you can split your money into multiple outputs yourself. This gives the same result as above, except now it’s you who will pay the transaction fees (fees are calculated per kilobyte, and for the smallest transactions they are rarely required).

Third, your bitcoin wallet can keep track of your spendable outputs, and if it is running short of them, it may add an extra “change” output to the next transaction to increase the number of outputs. I don’t know if any of the existing apps can do that already.

Also, a bitcoin wallet can make automatic transactions on your behalf, using rarely needed outputs to split them into a more useful collection of different “denominations”. It can also mix these coins with other users’ to increase your privacy (so that random merchants wouldn’t know how much you have in your pocket).
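A small simulation of the output-deficit problem and of the first and third remedies above, added here as an example (not the post’s own code and not any real wallet): each “coin” is either confirmed or waiting for a block, a payment may only spend confirmed coins, and the wallet counts how many blocks it had to wait for; fees are ignored and the split-change policy is an assumption.

```python
"""Simulation of the 'deficit of spendable outputs' problem (added example).

Not code from the original post or from any real wallet. Each output
("coin") is either confirmed or still waiting for a block. A payment may
only spend confirmed outputs, which models the rule that a child transaction
is not relayed before its parent is in the blockchain; when no confirmed
coin covers the amount, the wallet has to wait for a block. The wallet
optionally applies the third strategy above: when it runs short of coins it
splits its change into several outputs. Fees are ignored.
"""
from dataclasses import dataclass


@dataclass(eq=False)          # identity comparison, so equal coins stay distinct
class Output:
    amount: float
    confirmed: bool = True


class Wallet:
    def __init__(self, amounts, target_coins=1):
        self.outputs = [Output(a) for a in amounts]   # all confirmed at start
        self.target_coins = target_coins   # strategy 3: keep at least this many
        self.blocks_waited = 0             # times we had to wait for a block

    def _select(self, amount):
        """Pick confirmed outputs until they cover the amount."""
        chosen, total = [], 0.0
        for o in self.outputs:
            if not o.confirmed:
                continue
            chosen.append(o)
            total += o.amount
            if total >= amount:
                return chosen, total
        return None, total

    def wait_for_block(self):
        """A block was mined: every pending change output becomes spendable."""
        for o in self.outputs:
            o.confirmed = True
        self.blocks_waited += 1

    def pay(self, amount):
        chosen, total = self._select(amount)
        if chosen is None:                 # only unconfirmed change is left
            self.wait_for_block()
            chosen, total = self._select(amount)
            if chosen is None:
                raise ValueError("insufficient funds")
        for o in chosen:
            self.outputs.remove(o)
        change = total - amount
        if change > 0:
            # Strategy 3: if fewer coins remain than we want, split the change
            # into several unconfirmed outputs instead of one.
            n = max(1, self.target_coins - len(self.outputs))
            self.outputs.extend(Output(change / n, confirmed=False)
                                for _ in range(n))


def blocks_needed(amounts, payments, target_coins=1):
    """How many block waits a series of payments costs for a given wallet."""
    w = Wallet(amounts, target_coins)
    for p in payments:
        w.pay(p)
    return w.blocks_waited


if __name__ == "__main__":
    ten = [1.0] * 10   # constructed: ten 1 BTC purchases during a mall visit
    print("one 10 BTC coin, plain wallet:", blocks_needed([10.0], ten))        # 9
    print("one 10 BTC coin, keep 4 coins:", blocks_needed([10.0], ten, 4))     # 3
    print("payroll received as 10 outputs:", blocks_needed([1.0] * 10, ten))   # 0
```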

As of today, people don’t pay ten times a day with Bitcoin, but when this happens, we would need an automatic solution to have our transactions relayed quickly and cheaply. Hopefully, developers of bitcoin wallets will take note and think about solving this problem.