Craig Wright - Bitcoin and Quantum Computing

How do you think Quantum computing and AI could affect the value of Bitcoin in the future?

FYI I am very new to Bitcoin... 1 month into my belief/research
submitted by Joebin8 to Bitcoin [link] [comments]

Is it true that Bitcoin will loose value if quantum computing because a daily thing?

As far as i know:
The rate of btc mining is directly proportional to the computation power and quantum computing is far more powerful then normal mining. Then btc will become common at this stage will btc loose it's value?
Please current me if my assumptions are wrong.
submitted by Dking_293 to Bitcoin [link] [comments]

How do you perceive the impact of quantum computing on the value/volatility of BTC? /r/Bitcoin

How do you perceive the impact of quantum computing on the value/volatility of BTC? /Bitcoin submitted by BitcoinAllBot to BitcoinAll [link] [comments]

Is it true that Bitcoin will loose value if quantum computing because a daily thing? /r/Bitcoin

Is it true that Bitcoin will loose value if quantum computing because a daily thing? /Bitcoin submitted by BitcoinAllBot to BitcoinAll [link] [comments]

What will happen to Blockchain (Bitcoin) when first quantum computers start to appear (be used)? Will Bitcoin alone be able to support quantum-resistant upgrades to keep its value?

submitted by rockdrigoma to Bitcoin [link] [comments]

What will happen to Blockchain (Bitcoin) when first quantum computers start to appear (be used)? Will Bitcoin alone be able to support quantum-resistant upgrades to keep its value? /r/Bitcoin

What will happen to Blockchain (Bitcoin) when first quantum computers start to appear (be used)? Will Bitcoin alone be able to support quantum-resistant upgrades to keep its value? /Bitcoin submitted by BitcoinAllBot to BitcoinAll [link] [comments]

Would a quantum computer cause a crash in the value of a bitcoin?

submitted by closclos to explainlikeimfive [link] [comments]

Quantum Resistance

Before jumping to conclusions about this post, know that I am not looking to spread any FUD but rather am trying to understand a forthcoming risk and potential solutions from an unbiased standpoint. My research has not yielded any definitive answer so I am turning here to seek direction from those more knowledgable than me.
--
When it comes to predicting quantum computing's ability to break Bitcoin cryptographically, I've seen estimates as small as two years and as large as 25 years. Either way, it is easily conceivable that quantum processors will improve to the point of threatening Bitcoin as a reliable form of currency and store of value.
One way to prevent vulnerability to quantum threats is by storing Bitcoin in an address that has only ever received Bitcoin and never sent it. Although, this is an unrealistic mitigant for an asset/currency that is intended to be bought and sold, for all trust will be lost in the network once quantum computing becomes powerful enough to hack Bitcoin. Nobody will place any value in a currency that can be hacked by sending a transaction.
Another argument I've seen is that once quantum computing is strong enough to hack Bitcoin's cryptography, Bitcoin will be a non-factor compared to the other digital security breakdowns that will have transpired. For example, nuclear codes, bank accounts, digital privacy, etc. However, those centralized networks will have the ability to preemptively update their internal security to the standard required in a quantum computing world. In a similar manner, cryptocurrency and blockchain as a whole will survive such transition via improved cryptography.
But when it comes to Bitcoin specifically, will it be possible to generate consensus among the miners to switch to a quantum resistant protocol? My research has found conflicting perspectives - one side being that in order to upgrade Bitcoin's security, it would require manual movement of coins to a new address by all users, and a burning of the coins that did not move after a "sufficient" amount of time. Burning one's assets would undoubtedly not hold in a court of law. Even if we are still several years away, an unsolvable existential threat on the horizon would be priced into the value of Bitcoin and drive it down to zero.
With that being said, are there any feasible solutions to bring Bitcoin to quantum resistance? How can Bitcoin survive this threat in the long run? What is being done currently to resolve such problem?
submitted by fuegoblue to Bitcoin [link] [comments]

The list of best coins (in my humble opinion)

*This is not financial advice or suggestion. Just my opinion*
Legend:
"S" - super
"A" - really good
"B" - good
"C" - has potential
"D" - keeping an eye on it
"E" - coins to gamble on

Digibyte [DGB]: "S"
I mentioned this coin a few times already. It's because DGB is a true successor of Satoshi's philosophy. It's the purest coin in the market. DGB is the "people's money".

Dash [DASH]: "S"
DAO and masternodes are the future. Satoshi had a vision of altruism. But we cannot expect people to be altruists and lend their infrastructure for the wellbeing of others. The community is just not strong enough to do so. Masternodes are a meritatory focused system to reward those who are willing to lend their infrastructure to be a node in the network. It's a win-win situation for the network and the node owner. Besides acting as a node, it allowed the development of some other features like optional privacy and instant payments.

Monero [XMR]: "S"
When we think about cash, one of its best features that come to mind is privacy. Monero is probably the most famous privacy coin. Transactions are private by default. Another great thing that Monero is taking care of is the prevention of mining centralization. Being able to mine a coin with a CPU is probably one of the main concepts we forgot when it comes to allowing every person to participate in the network.

Vechain [VET]: "A"
If you think about the use-cases of blockchain, you cannot forget how impactful it will be for supply chains. So far, Vechain is one of the best solutions. It's also the most adopted for now.

Nexus [NXS]: "A"
NXS is a coin that deserves to be in the "S" category. But there's still a long way to go for it to achieve that rank. It's a forward-thinking project. They understood how far decentralization has to go to achieve the real meaning of the word. They even though of the quantum computer problem. Fast database, satellites, quantum-resistant, decentralized internet, and user-friendliness are just a few keywords they focus on while developing the coin.

Bitcoin [BTC]: "A"
I'm somehow ashamed to put Bitcoin this low. But let me explain why I did so, while still keeping it in my top list. First of all, I have to say: "Thank you Satoshi!". Bitcoin got this low on my list because I have a feeling too many powerful people got their hands on it. Some got in for the right reasons, while others are not so benevolent. Bitcoin is not "people money" anymore. IMO (very very humble opinion), Bitcoin was a demo project. A very successful demo project. Satoshi gave us an open-source code as a gift to do with it whatever we want. Blockchain is the gift he gave us, not Bitcoin. And we (the community) did it. Bitcoin became a brand. More people heard of the word "Bitcoin" then "cryptocurrency". On the bright side, Bitcoin is the biggest network in the world. While this is true, hodling some is a good idea.

Litecoin [LTC]: "B"
At its time, not many understood what Bitcoin is, and what potential blockchains as technology have. Imagine how forward-thinking was Mr. Charlie Lee. He created the first altcoin. Technology-wise, LTC is a different coin. Mr. Lee didn't just copy-paste the code and name it differently. In my eyes, LTC will always be the "crypto silver" making it a good store of value and medium of exchange.

Chainlink [LINK]: "B"
I believe the solution they are going to provide is too important for the crypto space to ignore it. Oracles are the future, but until we don't see real use-case, it will remain listed as "B". Another reason that doesn't give him the right to be higher in the list is that it's an Eth token.

Dogecoin [DOGE]: "C"
When you think about content creation, you'll see it's highly centralized. Creators depend on the platform's policies and bread crumbs those platforms leave them even after people click on ads. One of the solutions to reward good creators is to make a fast and easy to use tipping system. The first thing that crosses your mind are probably tokens. But imagine a blockchain of its own that enables fast and cheap transactions. Yes, DGB is the way to go. But there is a coin with higher inflation which you don't want to hold for a long time, but spent around to reward other's work that helped you in some way or you enjoy reading or watching. Dogecoin has the potential of becoming the chosen one for this exact purpose.

Verge [XVG]: "C"
When Wikileaks added BTC as a donation medium, Satoshi politely asked to remove it because we were poking the hornet's nest. I don't remember he's exact words, but this was the context. A similar thing happened to Verge. It was like the flight of Icarus. Pornhub listed it as an optional payment method drawing a lot of attention to it. Verge was not mature enough for that kind of exposure. After that, it suffered an attack, and people gave up on it. But if you look closely at the technology behind it, you'll see it's a really good coin. It offers privacy differently then Monero does. If you already haven't, I strongly encourage you to read about Verge's tech. You'll be amazed.

"D" coins:
Polkadot [DOT]
Ethereum [ETH]
Electroneum [ETN]
Cardano [ADA]
Siacoin [SC]

"E" coins:
Theta [THETA]
Zilliqa [ZIL]
Decred [DCR]
Golem [GNT]
Enjin [ENJ]
Zcoin [XZC]
Energi [NRG]

Thank you Satoshi!
submitted by BlueBloodStrawberry to SatoshisPhilosophy [link] [comments]

PT Super Public Chain has the potential to outperform all mainstream public chains

PT Super Public Chain has the potential to outperform all mainstream public chains
Public chains have become a topic that is widely discussed, and it used to be all about comparing who had the better headlines and everyone was talking about Blockchain 3.0. Their normal method was to take a prominent indicator and make comparisons between them and a mainstream public chain in the market, and then come to a predetermined conclusion. Few articles objectively and comprehensively compare the current mainstream public chains in the market and give the public an intuitive and credible conclusion. Today, we are going to break this bad habit of this industry and make a horizontal comparison of the current mainstream public chains, and thus intuitively and objectively tell you what the differences are between public chains.

https://preview.redd.it/heczp9tj29t51.jpg?width=1772&format=pjpg&auto=webp&s=cbac81221394b3d5294b8c6eb1be52581b0d725f
Contestants:
First generation public chain: BTC (father of blockchain)
Second generation public chain representatives: ETH, EOS
Third generation public chain representatives: polkaDOT, VDS, PT public chain
Criteria for the different generations: classification

  • First generation public chain: mainly referring to the transformation from theory to the implementation of blockchain, Bitcoin is recognized as the representative of the first generation of blockchain.
  • Second generation public chain: the main purpose is to explore the possibility of blockchain applications, among which ETH is the representative. Although EOS claims to be the third-generation public chain, it really should belong to the enhanced version of the second-generation public chain.
  • Third generation public chain is on top of the second generation. It has generally found its niche, and comes with more valuable technical public chains, such as VDS resonance, or polkaDOT’s superb cross chain innovation, PT public chain's full chain compatibility mode and ultra-high throughput.
Four dimensions for comparison:

  • Public chain consensus: the core indicator of public chain innovation, which directly affects the performance and security of the public chain, with a top score of five stars.
Usage scenarios of the public chain: it mainly reflects the commercial value of the public
  • TPS: before upgrading to the 2.0 network, the TPS of ETH can only handle 30 transactions per second, which is considered to be in the weak category, and thus I can only give 1.5 stars.

  • Influence: the representative of the second generation blockchain, giving it 4 stars.
To sum up, the average score of the second-generation public chain ETH is 3.625 stars.
EOS (Second generation public chain):

  • Consensus: OPOS is a new set of consensus created in addition to POW, which perfectly avoids the shortcomings of the POW consensus mechanism. However, its own security has not been recognized by the community. Coupled with the existence of a centralized "referee mechanism", DPOS on the EOS chain has always received mixed reviews in the industry. At this stage, it only deserves a 3-star rating.

  • Usage scenario: thanks to the improvement of the consensus mechanism, EOS has the possibility of being suitable for large-scale applications. There have also been popular applications such as Pixel Wars. However, due to the high rental costs of CPU resources, developers are becoming more and more distant from the EOS ecosystem, and it has been a long time since there have been any popular new applications, so only 2.5 stars.

  • TPS: EOS claimed to have a million concurrency at the beginning of development, but the actual tested volume is 3800 transactions per second at the moment. Compared with the first two public chains, this was a major breakthrough, scoring it 5 stars.

  • Influence: at the beginning when launched, there was a massive wave of interest but then there were no popular applications and the ecosystem has gradually withered away, so influence gets only 2 stars.
To sum up, the average score of the second-generation public chain EOS is 3.125 stars.
polkaDOT (Third generation public chain)

  • Consensus: NPOS is an updated consensus, based on an improved DPOS. The double confirmation mechanism makes it more difficult for nodes to be corrupted, but the cost is higher, so taking into account the utility of the public chain performance, I’ll give it 4 stars.

  • Usage scenarios: polkaDOT provides a cross-chain relay chain mode, and its own positioning is to connect highways without public chains. At present, there is still a lack of real demand in terms of practical scenarios. So far, polkaDOT has been in a tepid state, giving it 3.5 stars.

  • TPS: the processing is 1000 transactions per second on the chain, and taking into account the safety and efficiency, this is a relatively ideal performance, giving an overall score is 4 stars. United States, but at present, based on its budding state, it can only score 2 stars for the time being.
    To sum up, the average score of the third-generation public chain PT is 3.5 stars.
In summary, from the score point of view, the scores of the three generations of public chain are beyond my original expectations. The second-generation public chain is still the preferred platform for mainstream applications, with mature technology, a friendly development environment and low user education costs being the key advantages. However, the third-generation public chain, as a latecomer, generally has a lower score. The technical purposes of the third-generation public chain are very obvious, so there is the phenomenon of partiality. Some of the main functions came close to a full score, while the rest scored relatively low.
https://preview.redd.it/vic3k7j049t51.jpg?width=3334&format=pjpg&auto=webp&s=27a24ce91445d25881d25a8ac8abbbdffbf82a8f
I am very optimistic about the PT public chain. As a latecomer, PT public chain has the first decentralized Dpos+Spos consensus mechanism in the blockchain circle. It has high security, high privacy levels, high efficiency, high capacity expansion, supports compatibility and cross chain technologies, which makes it easier to carry out multi technology development. It also innovates the efficiency of the destruction mechanism of mining coalescence, effectively improving the shortcomings of the traditional mining allocation mechanism, eliminating speculative players, and increasing the participation rate of consensus innovation in the technology and methodology. However, due to the weakness of the latecomers themselves, the ecosystem is in its infancy, and there has not been enough time for all of the innovative mechanisms to be tested by the market, so I can
chain and is an important basis for measuring the commercial prospects of the public chain, with a top score of five stars.
  • TPS of public chain: represents the maximum potential upper limit of the public chain, with top score of five stars.
Influence / achievement of public chain: represents the contribution value of the public chain to the blockchain industry, with a top score of five stars.
These four dimensions mainly consider the practicability of the public chain, and focus on the commercial value itself, as I believe that productivity is the only standard by which to measure technology.
BTC (first generation public chain)

  • Consensus: POW (workload proof mechanism) this is a consensus with the highest degree of security and decentralization so far. The disadvantage is that it is less efficient, because it is the pioneer of POW, so we will give it a great score of 4 stars.

  • Usage scenario: digital currency (payments, transfers, asset management) although BTC is currently the most commonly accepted digital currency, it has a single purpose. We give it a score of 2.5 stars.

  • TPS: it can only process 7 transactions per second, which is also the major factor restricting the popularity of BTC at present. This was a technology compromise in the initial start-up stage, we can only rate it 1.5 stars.

  • Influence: the father of blockchain, the founder of digital currency, it has to be the top score of 5 stars.
To sum up, the average score of the first-generation public chain is 3.25 stars.
ETH (Second generation public chain)

  • Consensus: POW (Proof of Workload) it is the same as bitcoin's consensus mechanism, and its advantages and disadvantages are also basically the same. The difference is that ETH has added an algorithm against mining machines, which makes the computing power more decentralized. In addition, the witness mechanism of DPOS was introduced in the era of ETH2.0, which means I can give a score of 4 stars.

  • Usage scenario: in terms of applications, ETH is invincible. It has the largest user group and developer team in the industry. It has produced popular and even quasi killer applications like Cryptocat, FOMO3D and DEFI, which is the king of blockchain applications. This gives it a full score of five stars.
  • Influence: the influence is limited to a small portion of the technology exploration community, giving it a 2.5-star rating.
To sum up, the average score of the third-generation public chain polkaDOT is 3.5 stars.
VDS (Third generation public chain)

  • Consensus: due to the lack of powerful computing power to support it, the safety and the performance of the public chain have basically not been considered, so, only 1.5 stars can be given.

  • Usage scenario: it has its own resonance mechanism, and it is no exaggeration to say that VDS was the most popular public chain in 2019. It immediately gained explosive popularity in the industry. We have to give credit to this kind of strength, scoring it 4.5 stars.

  • TPS: the official marker is 60,000 transactions per second, but there is no way to evaluate it, and only one star is given.

  • Influence: the once explosive project is now a thing of the past. All of the ecological hot spots have already been extinguished and only one star can be given.
To sum up, the average score of the third-generation public chain VDS is 1.875 stars.
PT Public Chain (Third generation public chain)

  • Consensus: DPOS+SPOS, double consensus. This is the application of the latest blockchain research results, which effectively balances the differing demands of security, efficiency and decentralization. It may become the mainstream in the future. Here I’m giving a high score of 4.5 stars.

  • Usage scenario: built-in cross chain, quantum computer confrontation, and has the first multi-currency aggregate mining mode. At present, PT public chain is the only fair chain in existence with zero pre-mining, zero reservations and zero handling charges. It is a public chain with long-term development potential. The PT public chain has just been put online, and the current ecosystem is still far from perfect, so, only scoring 4 stars.

  • TPS: under the normal condition of the main chain, the processing speed of 4,000 transactions per second is excellent, but the PT public chain also has a hidden power-up mode. Once the fragmentation mechanism is enabled, processing speed of up to 100,000 transactions per second can be achieved, which is quite amazing data. At present, it can only be given 3.5 stars based on the normal state.
Influence: as a public chain, PT has utilized a lot of new technology research, and also has a lot of innovation built into the operations. Recently, it has become popular in Europe and the only give it a low score unfortunately.
However, this score can only be used as a reference based on the specific current environment. Over time, the public chain ecosystem has had its ups and downs, user migration, pop-ups, technology iterations, etc., I still believe that the public chain, with its technical advantages and model innovations, such as PT, can stand out in the market, and time will be the best witness. Just as the PT white paper says, you will slowly get rich together if you make the right choice.
submitted by According_Ticket7936 to u/According_Ticket7936 [link] [comments]

Cryptocurrencies are going to loose their value instantly somewhen in the next two decades.

Hi folks. So I just stumbled upon this subreddit and I hope this doesnt break the "no repetition" rule. So Im a computer science student and do some stuff concerning quantum computing. Some of you can probably guess what comes next, for those who dont I'll give a very brief explanation how that is related to bitcoin and so on. Im sure you all know the value of e.g. Bitcoins comes from the time it take to "mine" them. The reason for that being so relatively time-intensive is that current computers arent actually very good for these kind of computation. Thats a whole different matter with quantum computers though. Unfortunately the kind of computations which are required to mine Bitcoins are exactely the kind which comes incredibly easy for this the kind of technology. The times it takes even shrinks exponantially with the amount available quantum bits. While veing able to solve stuff better in new ways we werent able to before seems gemerally like a good think that means pretty bad news for everything concerning encryption, which means crypto currencies too. This would result in all emcryption becoming essentially worthless. Some is safely encrypted now a days because without the corresponding key a modern encryption would take literally millenia to brute force with normal computers. Quantum computers would make that a matter of days or even hours. Same goes for Bitcoins making them unreliable and unsafe, not to mention that the inflation would be unimaginable and be probably enough to destroy the whole concept on itself. Also recent successfull experimental setups have made it pretty clear that quantum computers with the expected capabilities Im describing here really are to be expected in the next 10-20 years.
Now I'd be interested in how aware the whole bitcoin community is on that matter and what the generel attitude about that is.
(also sorry for any bad english)
submitted by sinistercrowd to Bitcoin [link] [comments]

How to escape the failing banking system that is enslaving us all...

Bitcoin,
Please take time to learn about Bitcoin, it will have a major impact on our society. Feel free to ask questions!
submitted by Sailmountainer to conspiracy [link] [comments]

Technical: Taproot: Why Activate?

This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

submitted by almkglor to Bitcoin [link] [comments]

Technical: Confidential Transactions and Their Implementation Tradeoffs

As requested by estradata here: https://old.reddit.com/Bitcoin/comments/iylou9/what_are_some_of_the_latest_innovations_in_the/g6heez1/
It is a general issue that crops up at the extremes of cryptography, with quantum breaks being just one of the extremes of (classical) cryptography.

Computational vs Information-Theoretic

The dichotomy is between computationally infeasible vs informationally-theoretic infeasible. Basically:
Quantum breaks represent a possible reduction in computational infeasibility of certain things, but not information-theoretic infeasibility.
For example, suppose you want to know what 256-bit preimages map to 256-bit hashes. In theory, you just need to build a table with 2256 entries and start from 0x0000000000000000000000000000000000000000000000000000000000000000 and so on. This is computationally infeasible, but not information-theoretic infeasible.
However, suppose you want to know what preimages, of any size, map to 256-bit hashes. Since the preimages can be of any size, after finishing with 256-bit preimages, you have to proceed to 257-bit preimages. And so on. And there is no size limit, so you will literally never finish. Even if you lived forever, you would not complete it. This is information-theoretic infeasible.

Commitments

How does this relate to confidential transactions? Basically, every confidential transaction simply hides the value behind a homomorphic commitment. What is a homomorphic commitment? Okay, let's start with commitments. A commitment is something which lets you hide something, and later reveal what you hid. Until you reveal it, even if somebody has access to the commitment, they cannot reverse it to find out what you hid. This is called the "hiding property" of commitments. However, when you do reveal it (or "open the commitment"), then you cannot replace what you hid with some other thing. This is called the "binding property" of commitments.
For example, a hash of a preimage is a commitment. Suppose I want to commit to something. For example, I want to show that I can predict the future using the energy of a spare galaxy I have in my pocket. I can hide that something by hashing a description of the future. Then I can give the hash to you. You still cannot learn the future, because it's just a hash, and you can't reverse the hash ("hiding"). But suppose the future event occurs. I can reveal that I did, in fact, know the future. So I give you the description, and you hash it and compare it to the hash I gave earlier. Because of preimage resistance, I cannot retroactively change what I hid in the hash, so what I gave must have been known to me at the time that I gave you the commitment i..e. hash ("binding").

Homomorphic Commitments

A homomorphic commitment simply means that if I can do certain operations on preimages of the commitment scheme, there are certain operations on the commitments that would create similar ("homo") changes ("morphic") to the commitments. For example, suppose I have a magical function h() which is a homomorphic commitment scheme. It can hide very large (near 256-bit) numbers. Then if h() is homomorphic, there may be certain operations on numbers behind the h() that have homomorphisms after the h(). For example, I might have an operation <+> that is homomorphic in h() on +, or in other words, if I have two large numbers a and b, then h(a + b) = h(a) <+> h(b). + and <+> are different operations, but they are homomorphic to each other.
For example, elliptic curve scalars and points have homomorphic operations. Scalars (private keys) are "just" very large near-256-bit numbers, while points are a scalar times a standard generator point G. Elliptic curve operations exist where there is a <+> between points that is homomorphic on standard + on scalars, and a <*> between a scalar and a point that is homomorphic on standard * multiplication on scalars.
For example, suppose I have two large scalars a and b. I can use elliptic curve points as a commitment scheme: I can take a <*> G to generate a point A. It is hiding since nobody can learn what a is unless I reveal it (a and A can be used in standard ECDSA private-public key cryptography, with the scalar a as the private key and the point A as the public key, and the a cannot be derived even if somebody else knows A). Thus, it is hiding. At the same time, for a particular point A and standard generator point G, there is only one possible scalar a which when "multiplied" with G yields A. So scalars and elliptic curve points are a commitment scheme, with both hiding and binding properties.
Now, as mentioned there is a <+> operation on points that is homomorphic to the + operation on corresponding scalars. For example, suppose there are two scalars a and b. I can compute (a + b) <*> G to generate a particular point. But even if I don't know scalars a and b, but I do know points A = a <*> G and B = b <*> G, then I can use A <+> B to derive (a + b) <*> G (or equivalently, (a <*> G) <+> (b <*> G) == (a + b) <*> G). This makes points a homomorphic commitment scheme on scalars.

Confidential Transactions: A Sketch

This is useful since we can easily use the near-256-bit scalars in SECP256K1 elliptic curves to easily represent values in a monetary system, and hide those values by using a homomorphic commitment scheme. We can use the hiding property to prevent people from learning the values of the money we are sending and receiving.
Now, in a proper cryptocurrency, a normal, non-coinbase transaction does not create or destroy coins: the values of the input coins are equal to the value of the output coins. We can use a homomorphic commitment scheme. Suppose I have a transaction that consumes an input value a and creates two output values b and c. That is, a = b + c, i.e. the sum of all inputs a equals the sum of all outputs b and c. But remember, with a homomorphic commitment scheme like elliptic curve points, there exists a <+> operation on points that is homomorphic to the ordinary school-arithmetic + addition on large numbers. So, confidential transactions can use points a <*> G as input, and points b <*> G and c <*> G as output, and we can easily prove that a <*> G = (b <*> G) <+> (c <*> G) if a = b + c, without revealing a, b, or c to anyone.

Pedersen Commitments

Actually, we cannot just use a <*> G as a commitment scheme in practice. Remember, Bitcoin has a cap on the number of satoshis ever to be created, and it's less than 253 satoshis, which is fairly trivial. I can easily compute all values of a <*> G for all values of a from 0 to 253 and know which a <*> G corresponds to which actual amount a. So in confidential transactions, we cannot naively use a <*> G commitments, we need Pedersen commitments.
If you know what a "salt" is, then Pedersen commitments are fairly obvious. A "salt" is something you add to e.g. a password so that the hash of the password is much harder to attack. Humans are idiots and when asked to generate passwords, will output a password that takes less than 230 possibilities, which is fairly easy to grind. So what you do is that you "salt" a password by prepending a random string to it. You then hash the random string + password, and store the random string --- the salt --- together with the hash in your database. Then when somebody logs in, you take the password, prepend the salt, hash, and check if the hash matches with the in-database hash, and you let them log in. Now, with a hash, even if somebody copies your password database, the can't get the password. They're hashed. But with a salt, even techniques like rainbow tables make a hacker's life even harder. They can't hash a possible password and check every hash in your db for something that matches. Instead, if they get a possible password, they have to prepend each salt, hash, then compare. That greatly increases the computational needs of a hacker, which is why salts are good.
What a Pedersen commitment is, is a point a <*> H, where a is the actual value you commit to, plus <+> another point r <*> G. H here is a second standard generator point, different from G. The r is the salt in the Pedersen commitment. It makes it so that even if you show (a <*> H) <+> (r <*> G) to somebody, they can't grind all possible values of a and try to match it with your point --- they also have to grind r (just as with the password-salt example above). And r is much larger, it can be a true near-256-bit number that is the range of scalars in SECP256K1, whereas a is constrained to "reasonable" numbers of satoshi, which cannot exceed 21 million Bitcoins.
Now, in order to validate a transaction with input a and outputs b and c, you only have to prove a = b + c. Suppose we are hiding those amounts using Pedersen commitments. You have an input of amount a, and you know a and r. The blockchain has an amount (a <*> H) <+> (r <*> G). In order to create the two outputs b and c, you just have to create two new r scalars such that r = r[0] + r[1]. This is trivial, you just select a new random r[0] and then compute r[1] = r - r[0], it's just basic algebra.
Then you create a transaction consuming the input (a <*> H) <+> (r <*> G) and outputs (b <*> H) <+> (r[0] <*> G) and (c <*> H) <+> (r[1] <*> G). You know that a = b + c, and r = r[0] + r[1], while fullnodes around the world, who don't know any of the amounts or scalars involved, can just take the points (a <*> H) <+> (r <*> G) and see if it equals (b <*> H) <+> (r[0] <*> G) <+> (c <*> H) <+> (r[1] <*> G). That is all that fullnodes have to validate, they just need to perform <+> operations on points and comparison on points, and from there they validate transactions, all without knowing the actual values involved.

Computational Binding, Information-Theoretic Hiding

Like all commitments, Pedersen Commitments are binding and hiding.
However, there are really two kinds of commitments:
What does this mean? It's just a measure of how "impossible" binding vs hiding is. Pedersen commitments are computationally binding, meaning that in theory, a user of this commitment with arbitrary time and space and energy can, in theory, replace the amount with something else. However, it is information-theoretic hiding, meaning an attacker with arbitrary time and space and energy cannot figure out exactly what got hidden behind the commitment.
But why?
Now, we have been using a and a <*> G as private keys and public keys in ECDSA and Schnorr. There is an operation <*> on a scalar and a point that generates another point, but we cannot "revrese" this operation. For example, even if I know A, and know that A = a <*> G, but do not know a, I cannot derive a --- there is no operation between A G that lets me know a.
Actually there is: I "just" need to have so much time, space, and energy that I just start counting a from 0 to 2256 and find which a results in A = a <*> G. This is a computational limit: I don't have a spare universe in my back pocket I can use to do all those computations.
Now, replace a with h and A with H. Remember that Pedersen commitments use a "second" standard generator point. The generator points G and H are "not really special" --- they are just random points on the curve that we selected and standardized. There is no operation H G such that I can learn h where H = h <*> G, though if I happen to have a spare universe in my back pocket I can "just" brute force it.
Suppose I do have a spare universe in my back pocket, and learn h = H G such that H = h <*> G. What can I do in Pedersen commitments?
Well, I have an amount a that is committed to by (a <*> H) <+> (r <*> G). But I happen to know h! Suppose I want to double my money a without involving Elon Musk. Then:
That is what we mean by computationally binding: if I can compute h such that H = h <*> G, then I can find another number which opens the same commitment. And of course I'd make sure that number is much larger than what I originally had in that address!
Now, the reason why it is "only" computationally binding is that it is information-theoretically hiding. Suppose somebody knows h, but has no money in the cryptocurrency. All they see are points. They can try to find what the original amounts are, but because any amount can be mapped to "the same" point with knowledge of h (e.g. in the above, a and 2 * a got mapped to the same point by "just" replacing the salt r with r - a * h; this can be done for 3 * a, 4 * a etc.), they cannot learn historical amounts --- the a in historical amounts could be anything.
The drawback, though, is that --- as seen above --- arbitrary inflation is now introduced once somebody knows h. They can multiply their money by any arbitrary factor with knowledge of h.
It is impossible to have both perfect hiding (i.e. historical amounts remain hidden even after a computational break) and perfect binding (i.e. you can't later open the commitment to a different, much larger, amount).
Pedersen commitments just happen to have perfect hiding, but only computationally-infeasible binding. This means they allow hiding historical values, but in case of anything that allows better computational power --- including but not limited to quantum breaks --- they allow arbitrary inflation.

Changing The Tradeoffs with ElGamal Commitments

An ElGamal commitment is just a Pedersen commitment, but with the point r <*> G also stored in a separate section of the transaction.
This commits the r, and fixes it to a specific value. This prevents me from opening my (a <*> H) <+> (r <*> G) as ((2 * a) <*> H) <+> ((r - a * h) <*> G), because the (r - a * h) would not match the r <*> G sitting in a separate section of the transaction. This forces me to be bound to that specific value, and no amount of computation power will let me escape --- it is information-theoretically binding i.e. perfectly binding.
But that is now computationally hiding. An evil surveillor with arbitrary time and space can focus on the r <*> G sitting in a separate section of the transaction, and grind r from 0 to 2256 to determine what r matches that point. Then from there, they can negate r to get (-r) <*> G and add it to the (a <*> H) <+> (r <*> G) to get a <*> H, and then grind that to determine the value a. With massive increases in computational ability --- including but not limited to quantum breaks --- an evil surveillor can see all the historical amounts of confidential transactions.

Conclusion

This is the source of the tradeoff: either you design confidential transactions so in case of a quantum break, historical transactions continue to hide their amounts, but inflation of the money is now unavoidable, OR you make the money supply sacrosanct, but you potentially sacrifice amount hiding in case of some break, including but not limited to quantum breaks.
submitted by almkglor to Bitcoin [link] [comments]

Cryptocurrencies: the Past Reinvented

Cryptocurrencies: the Past Reinvented

https://preview.redd.it/io0mkfpayel51.jpg?width=2560&format=pjpg&auto=webp&s=839666f628a9ae85fa3ef4ffb020c1c2ba598683
As the first country to industrialise in the 1760s, Britain’s manufacturing revolution set the world on one of the greatest practical and ubiquitous changes in human history. Even more extraordinary is the fact that Britain’s industrialisation remained way ahead of potential competition for decades. Only in the early 1900s did historians get to grips with the issues of causation. Max Weber’s pithy answer “the Protestant work ethic” pointed to Puritan seriousness, diligence, fiscal prudence and hard work. Others include the establishment of the Bank of England in 1694 as an essentially corollary by creating the necessary conditions for financial stability. In contrast, Continental Europe lurched from one national debt crisis to another, then through itself headlong into the Napoleonic wars. Unsurprisingly, it was not until after 1815 industrialisation took place on the European mainland where it was spearheaded by the new country of Belgium.
250 years latter with the launch of Bitcoin another revolution had begun; though this one more commercial in nature than industrial. Though the full impact has yet to be played out, the parallels between these two historical events are already striking. Bitcoin may not match the obviousness of industrialisation, but the underlying pragmatics touch on the very foundations of the non-barter economy. Like the establishment of the Bank of England, the creation of the cryptocurrency infrastructure has been prompted by ongoing and worsening threats to financial instability; systemic fault-lines created by macroeconomic challenges flowing from the 2008 crash.
For those who could “join the dots” in 2008, there was the realisation that central banks no longer existed as guardians and protectors of national currencies but the tools of creating politicised market distortions; abandoning their duty to preserve wealth in favour of creating the conditions for limitless, cheap government debt. While many of the underlying intentions were benign, inherently the process worked to punish savers and reward reckless debt.
This anticipation of on-going instability surrounding fiat currencies and the viability of crypto alternatives has proved more prescient than could have ever been previously imagined. Within a short space of time a wave of undercurrents gave rise to new vocabularies, outlooks and expectations which have impacted commercial and investment transactions, a change never more acutely observed than today, when even against the backdrop of the COVID crisis Central Banks are rushing to create their own “digital” krona, pound, dollar etc. “Digital” may represent a confusing nomenclature, however, as these are not cryptocurrencies in the true sense, and certainly not part of decentralised finance (DeFi). The digital krona does, however, manifest the increasingly powerful impact that the cryptocurrency ecosystem is having on mainstream banking and government behaviour.
As with Britain’s industrial revolution, it has taken time for the potential of cryptocoins to find more energetic traction. Over the past 12 years cryptocurrencies have moved from unknown, to novel, to significant and growing interest. As a result, profound changes are underway affecting the mechanics by which investors, the investment industry, wealth mangers and even the commercial banking sector is engaging with cryptocurrencies. This interest has quickened as we enter into a period of deep economic unknown and growing awareness that structural soundness is shifting away from traditional investment options.
Intelligent engagement requires cryptocurrency investors/wealth managers to accurately understand and correctly explicate the nature of these influences and assess their potential impact. This article suggests seven distinct elements (a non- exhaustive list) as currently ranking definitive importance:
  1. Cryptocurrencies comprise account for only a tiny fraction of the global economy. At an estimated value of $375 billion, this is several orders of magnitude smaller than a world GDP of $35 trillion (2019). Assuming other factors are favourable, there is clearly room for growth.
  2. Cryptocurrency success will mark the end of critical aspects of Central Banking monopoly; by revealing the fictitious nature of fiat currencies as a principle; by offering a more competitive vehicle for facilitating commercial transactions; and providing a more stable medium to store monetised assets. Apart from stability, cryptocurrencies offer real returns on “cash” deposits, something which the fiat banking system has long since abandoned. (The reasons for the latter are deeply significant and will be followed up in a subsequent article).
  3. Cryptocurrency success will hasten the end of the dollar monopoly in global commerce. Indeed, at current trending, changes in trading mechanics may speedily evolve to the point that such “reserve currencies” no longer have a function at all. Analysts once speculated that it was only a matter of time before the Chinese yuan displaced the dollar, in the same way that the dollar displaced the pound. The edifice which supports the concept of a “global reserve currency” is weakening. The latter’s demise will have significant implications regarding reducing political influence over global finance, as well as nations’ abilities to run longterm balance of payments deficits, current account deficits and borrow at little or no interest.
  4. Cryptocurrencies as an ecosystem—assuming the current direction of evolution continues—will increasingly constrain, redirect and set the parameters to government macroeconomic policies. Certainly sound alternatives to fiat currencies will drive the latter to the periphery of commercial life, concomitantly reducing the number of tools the nation state has at its disposal to regulate or respond to changing economic conditions. This especially means setting meaningful interest rates. Above all, it means that government financial engagement can no longer be a rule unto itself, it will have to engage by the same principles as everyone else. A level playing field here has dramatic implications—and will again be picked up in a subsequent article.
  5. Cryptocurrencies represent a wider range of disruptive elements affecting the commercial ecosystem. Among the most direct is the ability to raise finance or enter into other commercial transactions with little to no red tape, intrusive regulation or political interference. In short it de-politicises, de-institutionalises and de-centralises investment and payment options, while retaining many of the protective and other beneficial aspects present in traditional finance.
  6. Cryptocurrencies offer rapid commercial advances enfranchising the one- third of the global population who do not have a bank account—but do have a mobile phone—and concomitantly enable business that currently cannot accept electronic forms of payment to move into digital commerce. In the way that cellular communication revolutionised sub-saharan Africa in the early 2000s, so we may anticipate some parallel here as regards ease and ubiquity of payment “wallets” and their positive impact on developing economy dynamics.
  7. Cryptocurrency potential increasingly offers a route to security and liquid asset preservation/growth in a world where fundamentals are being shifted out of all recognition; driven by economic policies predicated firstly on the priority of COVID management and secondly on the move away from rules-based multilateralism towards bilateralism. Global cooperation is yielding to the demands of national integrity, security of supply and highly aggressive competition in key enabling technologies such as 5G, AI, quantum computing and encryption, which themselves will have as profound impact on cryptocurrency evolution as the creation of the bitcoin itself.
Against the backdrop of the essential limits of fiat currencies, current geo- macroeconomic policies and a new emerging world order, cryptocurrencies offer vast potential:
  • An efficiency facilitating frictionless commerce/investment.
  • A medium of stability against the backdrop of uncertainty and inflation.
  • Increased security in value transfer and wealth management.
  • Optimum autonomy in an increasing intrusive climate.
  • “Cash” asset preservation/growth in a world of negative interest rates.
In all this we may well have come full circle to 1694 and the stability and security that the establishment of the Bank of England was intended to entrench—but now it is now de-centralised finance that will get us there.
Article source: https://www.finxflo.com/news/detail/5127
submitted by JamesFXF to FXF [link] [comments]

Flatten the Curve. #49. Let's Dig into Jade Helm. AI. The Surveillance State. Internet of Things. FISA. Pentagon Preparing for Mass Civil Breakdown. What is Mob Excess Deterrent Using Silent Audio? Stay Aware and Get Ahead of the Curve.

Flatten the Curve. Part 48. Source Here
It's getting crazier day by day now, so are you following the Boy Scout motto?
On this topic, Baden-Powell says: Remember your motto, "Be Prepared." Be prepared for accidents by learning beforehand what you ought to do in the different kinds that are likely to occur. Be prepared to do that thing the moment the accident does occur. In Scouting for Boys, Baden-Powell wrote that to Be Prepared means “you are always in a state of readiness in mind and body to do your duty.”
Why should you be prepared? Because TPTB have been preparing, that’s why.
June 12, 2014: The Guardian • Pentagon preparing for mass civil breakdown. Social science is being militarised to develop 'operational tools' to target peaceful activists and protest movements Source Here
Pentagon preparing for mass civil breakdown. It seemed ludicrous back in 2014, didn't it? Inconceivable. Sure some preppers believed it, but they're always getting ready and nothing happened. Doomsday was always right around the corner, and then the next corner, and on and on. Televangelists have probably accused more politicians of being the antichrist than the number of politicians went to Epstein's Island.
But why would they be preparing for mass civil breakdown? Could it be the same reason as why the miltary is preparing for war, droughts and famines brought about by environmental collapse?
February 20, 2020: History Network • Here’s Why These Six Ancient Civilizations Mysteriously Collapsed. From the Maya to Greenland’s Vikings, check out six civilizations that seemingly disappeared without a trace. Source Here
All of these civilizations vanished because of some combination of exhausting their natural resources, drought, plauge, and the little ice age. Sound familiar? Don't tell me that the Rockefeller Foundation and BlackRock became environmentally aware out of a sense of obligation to the planet. They're setting the groundwork for what's coming down the pipe. This isn't about money anymore, this is about control and survival. Throw out the rulebook because the rules no longer apply.
Do you think the surveillance system is for your protection, or the protection of the state? Don't you think that an era of upcoming calamities will severely damage the communication networks, and thus the surveillance system? It might be prudent to consider that Starlink is being established to make the system redundant, so that they never lose track of the precious worker bees before they can be connected to the AI hive mind, right Elon? Neuralink, don't leave home without it.
But let's not forget about the wonderful world of the Internet of Things.
March 15, 2012 • More and more personal and household devices are connecting to the internet, from your television to your car navigation systems to your light switches. CIA Director David Petraeus cannot wait to spy on you through them. Earlier this month, Petraeus mused about the emergence of an "Internet of Things" -- that is, wired devices -- at a summit for In-Q-Tel, the CIA's venture capital firm. "'Transformational' is an overused word, but I do believe it properly applies to these technologies," Petraeus enthused, "particularly to their effect on clandestine tradecraft." All those new online devices are a treasure trove of data if you're a "person of interest" to the spy community. Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the "smart home," you'd be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room's ambiance. "Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters -- all connected to the next-generation internet using abundant, low-cost, and high-power computing," Petraeus said, "the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing." Petraeus allowed that these household spy devices "change our notions of secrecy" and prompt a rethink of "our notions of identity and secrecy." All of which is true -- if convenient for a CIA director. The CIA has a lot of legal restrictions against spying on American citizens. But collecting ambient geolocation data from devices is a grayer area, especially after the 2008 carve-outs to the Foreign Intelligence Surveillance Act. Hardware manufacturers, it turns out, store a trove of geolocation data; and some legislators have grown alarmed at how easy it is for the government to track you through your phone or PlayStation. That's not the only data exploit intriguing Petraeus. He's interested in creating new online identities for his undercover spies -- and sweeping away the "digital footprints" of agents who suddenly need to vanish. "Proud parents document the arrival and growth of their future CIA officer in all forms of social media that the world can access for decades to come," Petraeus observed. "Moreover, we have to figure out how to create the digital footprint for new identities for some officers." Source Here
December 19, 2019: New York Times • THE DATA REVIEWED BY TIMES OPINION didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book. They can see the places you go every moment of the day, whom you meet with or spend the night with, where you pray, whether you visit a methadone clinic, a psychiatrist’s office or a massage parlor. The Times and other news organizations have reported on smartphone tracking in the past. But never with a data set so large. Even still, this file represents just a small slice of what’s collected and sold every day by the location tracking industry — surveillance so omnipresent in our digital lives that it now seems impossible for anyone to avoid. It doesn’t take much imagination to conjure the powers such always-on surveillance can provide an authoritarian regime like China’s. Within America’s own representative democracy, citizens would surely rise up in outrage if the government attempted to mandate that every person above the age of 12 carry a tracking device that revealed their location 24 hours a day. Yet, in the decade since Apple’s App Store was created, Americans have, app by app, consented to just such a system run by private companies. Now, as the decade ends, tens of millions of Americans, including many children, find themselves carrying spies in their pockets during the day and leaving them beside their beds at night — even though the corporations that control their data are far less accountable than the government would be. Source Here
The IoT should be renamed to IoTT (Internet of Tracking Things), shouldn't it. But we can't have people figure out what's really happening, can we? It's a good thing that quantum computing isn't too close, isn’t it?
April 5, 2018: Global News • (Project Maven) Over 3,000 Google employees have a signed a petition in protest against the company’s involvement with a U.S. Department of Defense artificial intelligence (AI) project that studies imagery and could eventually be used to improve drone strikes in the battlefield. Source Here
December 12, 2019 • Palantir took over Project Maven defense contract after Google backed out. Source Here
December 29, 2020: Input • Palantir exec says its work is on par with the Manhattan Project. Comparing AI to most lethal weapon in human history isn’t comforting. SourceHere
August 14, 2020: Venture: • Google researchers use quantum computing to help improve image classification. Source Here
Hmmm. Maybe Apple will be for the little guy? They have always valued privacy rights, right?
October 2, 2013: Vice News • The hacktivist group Anonymous released a video statement with an accompanying Pastebin document claiming that there are definitive links between AuthenTec, the company that developed the iPhone 5S’s fingerprint scanner, and the US government. Source Here
An apple a day helps the NSA. Or Google. Or Microsoft. Or Amazon. Take your pick from the basket, because dem Apple's are all the same. But at least we have fundamental rights, right?
Foreign agent declaration not required • No mention of foreign agent status is made in the Protect America Act of 2007. Under prior FISA rules, persons targeted for surveillance must have been declared as foreign agents before a FISA warrant would be accorded by the FISC court.
'Quasi-anti-terrorism law' for all-forms of intelligence collection • Vastly marketed by U.S. federal and military agencies as a law to prevent terror attacks, the Protect America Act was actually a law focused on the 'acquisition' of desired intelligence information, of unspecified nature. The sole requirement is geolocation outside the United States at time of Directive invocation; pursuant to Authorization or Order invocation, surveillance Directives can be undertaken towards persons targeted for intelligence information gathering. Implementation of Directives can take place inside the United States or outside the United States. No criminal or terrorism investigation of the person need be in play at time of the Directive. All that need be required is that the target be related to an official desire for intelligence information gathering for actions on part of persons involved in surveillance to be granted full immunity from U.S. criminal or civil procedures, under Section 105B(l) of the Act.
Removal of FISA Strictures from warrant authorization; warrants not required • But the most striking aspect of the Protect America Act was the notation that any information gathering did not comprise electronic surveillance. This wording had the effect of removing FISA-related strictures from Protect America Act 2007-related Directives, serving to remove a number of protections for persons targeted, and requirements for persons working for U.S. intelligence agencies.
The acquisition does not constitute electronic surveillance • The removal of the term electronic surveillance from any Protect America Act Directive implied that the FISC court approval was no longer required, as FISA warrants were no longer required. In the place of a warrant was a certification, made by U.S. intelligence officers, which was copied to the Court. In effect, the FISC became less of a court than a registry of pre-approved certifications.Certifications (in place of FISA warrants) were able to be levied ex post facto, in writing to the Court no more than 72 hours after it was made. The Attorney General was to transmit as soon as possible to the Court a sealed copy of the certification that would remain sealed unless the certification was needed to determine the legality of the acquisition.Source Here
Oh. FISA is basically a rubber stamp. And even if it the stage play wasn't pretending to follow the script, would it matter? Who could actually stop it at this point? The cat's out of the bag and Pandoras Box is open.
Controversial debates arose as the Protect America Act was published. Constitutional lawyers and civil liberties experts expressed concerns that this Act authorized massive, wide-ranging information gathering with no oversight. Whereas it placed much focus on communications, the Act allowed for information gathering of all shapes and forms. The ACLU called it the "Police America Act" – "authorized a massive surveillance dragnet", calling the blank-check oversight provisions "meaningless," and calling them a "phony court review of secret procedures."
So the surveillance state doesn't have checks and balances anymore. The state is preparing for Massive Civil Breakdown. They keep warning us about environmental collapse. Got it? Good. Let's keep on keeping on.
The District of Columbia Organic Act of 1871 created a single new district corporation governing the entire federal territory, called the District of Columbia, thus dissolving the three major political subdivisions of the District (Port of Georgetown, the City of Washington, and Washington County) and their governments. Source Here)
The first big leap in corporate personhood from holding mere property and contract rights to possessing more expansive rights was a claim that the Equal Protection Clause applied to corporations. One of the strangest twists in American constitutional law was the moment that corporations gained personhood under the Equal Protection Clause of the Fourteenth Amendment. It occurred in a case called Santa Clara County, and what was odd was that the Supreme Court did not really even decide the matter in the actual opinion. It only appeared in a footnote to the case. What we are likely to have at the conclusion of the Supreme Court term is corporations that are empowered to spend in American elections because of Bellotti and Citizens United; corporations that can make religious objections thanks to Hobby Lobby; and if Jesner turns out as badly as I predict, corporations will be able to aid and abet human rights violations abroad with impunity. Source Here
"Having a corporation would allow people to put property into a collective ownership that could be held with perpetual existence," she says. "So it wouldn't be tied to any one person's lifespan, or subject necessarily to laws regarding inheriting property." Later on, in the United States and elsewhere, the advantages of incorporation were essential to efficient and secure economic development. Unlike partnerships, the corporation continued to exist even if a partner died; there was no unanimity required to do something; shareholders could not be sued individually, only the corporation as a whole, so investors only risked as much as they put into buying shares. Source Here
The way that the Arab Bank may get away with this alleged morally troubling behavior, even though it has a New York branch, is by reasserting the basic argument that was made in Nestle USA and Kiobel II: that the federal Alien Tort Statute was not intended to apply to corporations full stop. Given other cases in this area like Mohamad v. PLO, which held the word “individual” in the Torture Victim Protection Act means a natural person and does not impose any liability against organizations, the Arab Bank’s procorporate argument may well prevail. There are multiple federal Circuit Courts which have shot down the argument that corporations are immune from suit under the Alien Tort Statute. The lone outlier is the Second Circuit, which decided in 2010 that corporations are excused from suit in Kiobel I. This is the case that was appealed to the Supreme Court and became Kiobel II. Jesner v. Arab Bank was litigated in the Second Circuit. One question in Jesner was what exactly did Kiobel II do to Kiobel I. So far in the litigation, Jesner concluded that Kiobel I and its conclusion that corporations can’t be sued in federal court using the Alien Tort Statute remained the controlling law of the Second Circuit.
There's a reason people call lawyers snakes, it's because most of them speak with forked tounges. So the corporation isn't being held liable, but the shareholders can't be held liable either. That's too insane to even be called a Catch 22. We are literally being set up to have no recourse because there isn’t anybody who can be held responsible. Why is that important when I've been talking about the surveillance state?
July 14, 2020: The Intercept • Microsoft’s police surveillance services are often opaque because the company sells little in the way of its own policing products. It instead offers an array of “general purpose” Azure cloud services, such as machine learning and predictive analytics tools like Power BI (business intelligence) and Cognitive Services, which can be used by law enforcement agencies and surveillance vendors to build their own software or solutions. A rich array of Microsoft’s cloud-based offerings is on full display with a concept called “The Connected Officer.” Microsoft situates this concept as part of the Internet of Things, or IoT, in which gadgets are connected to online servers and thus made more useful. “The Connected Officer,” Microsoft has written, will “bring IoT to policing.” With the Internet of Things, physical objects are assigned unique identifiers and transfer data over networks in an automated fashion. If a police officer draws a gun from its holster, for example, a notification can be sent over the network to alert other officers there may be danger. Real Time Crime Centers could then locate the officer on a map and monitor the situation from a command and control center. Source Here
Uhm, I guess it's really is all connected, isn’t it?
June 18, 2020: The Guardian • How Target, Google, Bank of America and Microsoft quietly fund police through private donations. More than 25 large corporations in the past three years have contributed funding to private police foundations, new report says. Source Here
Long live the Military Industrial Techno Surveillance State. If you have nothing to hide, than you have nothing to worry about. Really? Are we still believing that line? Cause it's a load of crap. If we have nothing to worry about, then why are they worried enough to be implementing surveillance systems with corresponding units on the ground? Got your attention there, didn't I?
August 19, 2019: Big Think • Though the term "Orwellian" easily applies to such a technology, Michel's illuminating reporting touches something deeper. Numerous American cities have already been surveilled using these god-like cameras, including Gorgon Stare, a camera-enabled drone that can track individuals over a 50-square kilometer radius from 20,000 feet. Here's the real rub: the feature that allows users to pinch and zoom on Instagram is similar to what WAMI allows. Anything within those 50-square kilometers is now under the microscope. If this sounds like some futuristic tech, think again: Derivations of this camera system have been tested in numerous American cities. Say there is a big public protest. With this camera you can follow thousands of protesters back to their homes. Now you have a list of the home addresses of all the people involved in a political movement. If on their way home you witness them committing some crime—breaking a traffic regulation or frequenting a location that is known to be involved in the drug trade—you can use that surveillance data against them to essentially shut them up. That's why we have laws that prevent the use of surveillance technologies because it is human instinct to abuse them. That's why we need controls. Source Here
Want to know more about the Gorgon Stare? Flatten the Curve. Part 12. Source Here
Now, I'm not sure if you remember or know any Greek Mythology, but the Gorgons were three sisters, and one sister had Snakes on her head (she wasn't a lawyer) and she turned people to stone when she looked at them.
MEDUSA (Mob Excess Deterrent Using Silent Audio) is a directed-energy non-lethal weapon designed by WaveBand Corporation in 2003-2004 for temporary personnel incapacitation. The weapon is based on the microwave auditory effect resulting in a strong sound sensation in the human head when it is subject to certain kinds of pulsed/modulated microwave radiation. The developers claimed that through the combination of pulse parameters and pulse power, it is possible to raise the auditory sensation to a “discomfort” level, deterring personnel from entering a protected perimeter or, if necessary, temporarily incapacitating particular individuals. In 2005, Sierra Nevada Corporation acquired WaveBand Corporation.
Ok. Get it? The Gorgon eye in the sky stares at you while the Medusa makes you immobile. Not good, but at least it'll just freeze you in your tracks.
July 6, 2008: Gizmodo • The Sierra Nevada Corporation claimed this week that it is ready to begin production on the MEDUSA, a damned scary ray gun that uses the "microwave audio effect" to implant sounds and perhaps even specific messages inside people's heads. Short for Mob Excess Deterrent Using Silent Audio, MEDUSA creates the audio effect with short microwave pulses. The pulses create a shockwave inside the skull that's detected by the ears, and basically makes you think you're going balls-to-the-wall batshit insane. Source Here
Uhm. And drive you insane.
July 26, 2008: Gizmodo • The MEDUSA crowd control ray gun we reported on earlier this month sounded like some pretty amazing-and downright scary-technology. Using the microwave auditory effect, the beam, in theory, would have put sounds and voice-like noises in your head, thereby driving you away from the area. Crowd control via voices in your head. Sounds cool. However, it turns out that the beam would actually kill you before any of that happy stuff started taking place, most likely by frying or cooking your brain inside your skull. Can you imagine if this thing made it out into the field? Awkward! Source Here
Annnnnnnndddddd it'll kill you.
Guys, they're prepared. They've been prepared. They're ready. Remember the Doomsday Bunkers? The military moving into Cheyenne Mountain? Deep Underground Military Bunkers? The rapid rolling out of 5G? BITCOIN and UBI so neatly inserted into our minds over the last five years? They've directly told us to have three months of supplies in our homes. 2020 isn't going to be an anomaly? It's the start of the collapse of our natural resources. Take a look on Reddit and all the posts about crazy weather. Cyanobacteria blooms killing dogs and people. Toxic Super Pollution caused by atmospheric inversions killing people. This isn’t normal, this is New Normal. And they know it. They've known it for a while. Let me show you one last thing before I wrap it up.
From the earliest Chinese dynasties to the present, the jade deposits most used were not only those of Khotan in the Western Chinese province of Xinjiang but other parts of China as well, such as Lantian, Shaanxi.
Remember, words matter. Look at Gorgon Stare and Medusa. They don't randomly grab names out of a hat, or pick them because they think it sounds dystopian. They pick words for a reason.
July 7, 2017: The Warzone • There only appears to be one official news story on this exercise at all and it's available on the website of Air Mobility Command’s Eighteenth Air Force, situated at Joint Base Charleston. At the time of writing, a google shows that there were more than a half dozen more copies on other Air Force pages, as well as number of photographs. For some reason, someone appears to have taken these offline or otherwise broken all the links. Using Google to search the Defense Video Imagery Distribution System, which is the main U.S. military's public affairs hub, brings up more broken links. Oh, and unless there's been some sort of mistake, JADE HELM actually stands for the amazingly obtuse Joint Assistance for Deployment Execution Homeland Eradication of Local Militants. A separate web search for this phrase does not turn up any other results. Source Here
Now, using an acronym that indicates training to Eradicate Local Militants seems pretty dumb. It may be used in that manner if environmental collapse triggers riots, but i don't think they would warn everyone ahead of time, do you? So I dug a little bit more.
Joint Assistant for Development and Execution (JADE) is a U.S. military system used for planning the deployment of military forces in crisis situations. The U.S. military developed this automated planning software system in order to expedite the creation of the detailed planning needed to deploy military forces for a military operation. JADE uses Artificial Intelligence (AI) technology combining user input, a knowledge base of stored plans, and suggestions by the system to provide the ability to develop large-scale and complex plans in minimal time. JADE is a knowledge-based system that uses highly structured information that takes advantage of data hierarchies. An official 2016 document approved for public release titled Human Systems Roadmap Review describes plans to create autonomous weapon systems that analyze social media and make decisions, including the use of lethal force, with minimal human involvement. This type of system is referred to as a Lethal Autonomous Weapon System (LAWS). The name "JADE" comes from the jade green color seen on the island of Oahu in Hawaii where the U.S. Pacific Command (PACOM) is headquartered.
PACOM? Why isn't that command group responsible for the South China Sea?
Formerly known as United States Pacific Command (USPACOM) since its inception, the command was renamed to U.S. Indo-Pacific Command on 30 May 2018, in recognition of the greater emphasis on South Asia, especially India.
Now doesn't it look like Jade Helm is preparing for an invasion? And possibly insurrection later. Or at the same time? Or riots over WW3? Or food riots? And start thinking about why the laws are starting to exclude corporations? Then think about the mercenaries that are being contracted out by the government.
October 17, 2018: The Carolinan • In 2016, 75 percent of American forces were private contractors. In 2017, Erik Prince, former head of Blackwater, and Stephen Feinberg, head of Dyncorp, discussed plans for contractors completely taking over U.S. operations in Afghanistan. Although ultimately unsuccessful, it remains to be seen if the current administration will change its mind. Contractors are involved in almost every military task, such as intelligence analysis, logistics and training allied soldiers. Contractors are even involved in U.S. special ops missions. This is because contractors are essentially untraceable and unaccountable. Most are born in other countries; only 33 percent are registered U.S. citizens. Private military firms don’t have to report their actions to Congress, unlike the military or intelligence agencies. They also aren’t subject to the Freedom of Information Act, so private citizens and journalists aren’t allowed to access their internal documents. There are also no international laws to regulate private military firms. It’s been proven that many contractors are involved in illegal activities. The larger multinational companies sometimes hire local subcontractors. These contractors sometimes aren’t background-checked. A 2010 investigation by the Senate found that many subcontractors were linked to murders, kidnappings, bribery and anti-coalition activities. Some subcontractors even formed their own unlicensed mercenary groups after coalition forces leave. A 2010 House investigation showed evidence that the Department of Defense had hired local warlords for security services. In 2007, Blackwater contractors massacred 17 civilians. This eventually led Blackwater to being restructured and renamed as Academi. Source Here
Military Exercises. Private Defense Firms. No oversight. And it's all coming soon. Read more at Flatten the Curve. Part 20. Upcoming war and catastrophes. Source Here
Nah. I'm just fear mongering and Doomscrolling again.
Heads up and eyes open. Talk soon.
submitted by biggreekgeek to conspiracy [link] [comments]

Scaling Reddit Community Points with Arbitrum Rollup: a piece of cake

Scaling Reddit Community Points with Arbitrum Rollup: a piece of cake
https://preview.redd.it/b80c05tnb9e51.jpg?width=2550&format=pjpg&auto=webp&s=850282c1a3962466ed44f73886dae1c8872d0f31
Submitted for consideration to The Great Reddit Scaling Bake-Off
Baked by the pastry chefs at Offchain Labs
Please send questions or comments to [[email protected] ](mailto:[email protected])
1. Overview
We're excited to submit Arbitrum Rollup for consideration to The Great Reddit Scaling Bake-Off. Arbitrum Rollup is the only Ethereum scaling solution that supports arbitrary smart contracts without compromising on Ethereum's security or adding points of centralization. For Reddit, this means that Arbitrum can not only scale the minting and transfer of Community Points, but it can foster a creative ecosystem built around Reddit Community Points enabling points to be used in a wide variety of third party applications. That's right -- you can have your cake and eat it too!
Arbitrum Rollup isn't just Ethereum-style. Its Layer 2 transactions are byte-for-byte identical to Ethereum, which means Ethereum users can continue to use their existing addresses and wallets, and Ethereum developers can continue to use their favorite toolchains and development environments out-of-the-box with Arbitrum. Coupling Arbitrum’s tooling-compatibility with its trustless asset interoperability, Reddit not only can scale but can onboard the entire Ethereum community at no cost by giving them the same experience they already know and love (well, certainly know).
To benchmark how Arbitrum can scale Reddit Community Points, we launched the Reddit contracts on an Arbitrum Rollup chain. Since Arbitrum provides full Solidity support, we didn't have to rewrite the Reddit contracts or try to mimic their functionality using an unfamiliar paradigm. Nope, none of that. We launched the Reddit contracts unmodified on Arbitrum Rollup complete with support for minting and distributing points. Like every Arbitrum Rollup chain, the chain included a bridge interface in which users can transfer Community Points or any other asset between the L1 and L2 chains. Arbitrum Rollup chains also support dynamic contract loading, which would allow third-party developers to launch custom ecosystem apps that integrate with Community Points on the very same chain that runs the Reddit contracts.
1.1 Why Ethereum
Perhaps the most exciting benefit of distributing Community Points using a blockchain is the ability to seamlessly port points to other applications and use them in a wide variety of contexts. Applications may include simple transfers such as a restaurant that allows Redditors to spend points on drinks. Or it may include complex smart contracts -- such as placing Community Points as a wager for a multiparty game or as collateral in a financial contract.
The common denominator between all of the fun uses of Reddit points is that it needs a thriving ecosystem of both users and developers, and the Ethereum blockchain is perhaps the only smart contract platform with significant adoption today. While many Layer 1 blockchains boast lower cost or higher throughput than the Ethereum blockchain, more often than not, these attributes mask the reality of little usage, weaker security, or both.
Perhaps another platform with significant usage will rise in the future. But today, Ethereum captures the mindshare of the blockchain community, and for Community Points to provide the most utility, the Ethereum blockchain is the natural choice.
1.2 Why Arbitrum
While Ethereum's ecosystem is unmatched, the reality is that fees are high and capacity is too low to support the scale of Reddit Community Points. Enter Arbitrum. Arbitrum Rollup provides all of the ecosystem benefits of Ethereum, but with orders of magnitude more capacity and at a fraction of the cost of native Ethereum smart contracts. And most of all, we don't change the experience from users. They continue to use the same wallets, addresses, languages, and tools.
Arbitrum Rollup is not the only solution that can scale payments, but it is the only developed solution that can scale both payments and arbitrary smart contracts trustlessly, which means that third party users can build highly scalable add-on apps that can be used without withdrawing money from the Rollup chain. If you believe that Reddit users will want to use their Community Points in smart contracts--and we believe they will--then it makes the most sense to choose a single scaling solution that can support the entire ecosystem, eliminating friction for users.
We view being able to run smart contracts in the same scaling solution as fundamentally critical since if there's significant demand in running smart contracts from Reddit's ecosystem, this would be a load on Ethereum and would itself require a scaling solution. Moreover, having different scaling solutions for the minting/distribution/spending of points and for third party apps would be burdensome for users as they'd have to constantly shuffle their Points back and forth.
2. Arbitrum at a glance
Arbitrum Rollup has a unique value proposition as it offers a combination of features that no other scaling solution achieves. Here we highlight its core attributes.
Decentralized. Arbitrum Rollup is as decentralized as Ethereum. Unlike some other Layer 2 scaling projects, Arbitrum Rollup doesn't have any centralized components or centralized operators who can censor users or delay transactions. Even in non-custodial systems, centralized components provide a risk as the operators are generally incentivized to increase their profit by extracting rent from users often in ways that severely degrade user experience. Even if centralized operators are altruistic, centralized components are subject to hacking, coercion, and potential liability.
Massive Scaling. Arbitrum achieves order of magnitude scaling over Ethereum's L1 smart contracts. Our software currently supports 453 transactions-per-second for basic transactions (at 1616 Ethereum gas per tx). We have a lot of room left to optimize (e.g. aggregating signatures), and over the next several months capacity will increase significantly. As described in detail below, Arbitrum can easily support and surpass Reddit's anticipated initial load, and its capacity will continue to improve as Reddit's capacity needs grow.
Low cost. The cost of running Arbitrum Rollup is quite low compared to L1 Ethereum and other scaling solutions such as those based on zero-knowledge proofs. Layer 2 fees are low, fixed, and predictable and should not be overly burdensome for Reddit to cover. Nobody needs to use special equipment or high-end machines. Arbitrum requires validators, which is a permissionless role that can be run on any reasonable on-line machine. Although anybody can act as a validator, in order to protect against a “tragedy of the commons” and make sure reputable validators are participating, we support a notion of “invited validators” that are compensated for their costs. In general, users pay (low) fees to cover the invited validators’ costs, but we imagine that Reddit may cover this cost for its users. See more on the costs and validator options below.
Ethereum Developer Experience. Not only does Arbitrum support EVM smart contracts, but the developer experience is identical to that of L1 Ethereum contracts and fully compatible with Ethereum tooling. Developers can port existing Solidity apps or write new ones using their favorite and familiar toolchains (e.g. Truffle, Buidler). There are no new languages or coding paradigms to learn.
Ethereum wallet compatibility. Just as in Ethereum, Arbitrum users need only hold keys, but do not have to store any coin history or additional data to protect or access their funds. Since Arbitrum transactions are semantically identical to Ethereum L1 transactions, existing Ethereum users can use their existing Ethereum keys with their existing wallet software such as Metamask.
Token interoperability. Users can easily transfer their ETH, ERC-20 and ERC-721 tokens between Ethereum and the Arbitrum Rollup chain. As we explain in detail below, it is possible to mint tokens in L2 that can subsequently be withdrawn and recognized by the L1 token contract.
Fast finality. Transactions complete with the same finality time as Ethereum L1 (and it's possible to get faster finality guarantees by trading away trust assumptions; see the Arbitrum Rollup whitepaper for details).
Non-custodial. Arbitrum Rollup is a non-custodial scaling solution, so users control their funds/points and neither Reddit nor anyone else can ever access or revoke points held by users.
Censorship Resistant. Since it's completely decentralized, and the Arbitrum protocol guarantees progress trustlessly, Arbitrum Rollup is just as censorship-proof as Ethereum.
Block explorer. The Arbitrum Rollup block explorer allows users to view and analyze transactions on the Rollup chain.
Limitations
Although this is a bake-off, we're not going to sugar coat anything. Arbitrum Rollup, like any Optimistic Rollup protocol, does have one limitation, and that's the delay on withdrawals.
As for the concrete length of the delay, we've done a good deal of internal modeling and have blogged about this as well. Our current modeling suggests a 3-hour delay is sufficient (but as discussed in the linked post there is a tradeoff space between the length of the challenge period and the size of the validators’ deposit).
Note that this doesn't mean that the chain is delayed for three hours. Arbitrum Rollup supports pipelining of execution, which means that validators can keep building new states even while previous ones are “in the pipeline” for confirmation. As the challenge delays expire for each update, a new state will be confirmed (read more about this here).
So activity and progress on the chain are not delayed by the challenge period. The only thing that's delayed is the consummation of withdrawals. Recall though that any single honest validator knows immediately (at the speed of L1 finality) which state updates are correct and can guarantee that they will eventually be confirmed, so once a valid withdrawal has been requested on-chain, every honest party knows that the withdrawal will definitely happen. There's a natural place here for a liquidity market in which a validator (or someone who trusts a validator) can provide withdrawal loans for a small interest fee. This is a no-risk business for them as they know which withdrawals will be confirmed (and can force their confirmation trustlessly no matter what anyone else does) but are just waiting for on-chain finality.
3. The recipe: How Arbitrum Rollup works
For a description of the technical components of Arbitrum Rollup and how they interact to create a highly scalable protocol with a developer experience that is identical to Ethereum, please refer to the following documents:
Arbitrum Rollup Whitepaper
Arbitrum academic paper (describes a previous version of Arbitrum)
4. Developer docs and APIs
For full details about how to set up and interact with an Arbitrum Rollup chain or validator, please refer to our developer docs, which can be found at https://developer.offchainlabs.com/.
Note that the Arbitrum version described on that site is older and will soon be replaced by the version we are entering in Reddit Bake-Off, which is still undergoing internal testing before public release.
5. Who are the validators?
As with any Layer 2 protocol, advancing the protocol correctly requires at least one validator (sometimes called block producers) that is honest and available. A natural question is: who are the validators?
Recall that the validator set for an Arbitrum chain is open and permissionless; anyone can start or stop validating at will. (A useful analogy is to full nodes on an L1 chain.) But we understand that even though anyone can participate, Reddit may want to guarantee that highly reputable nodes are validating their chain. Reddit may choose to validate the chain themselves and/or hire third-party validators.To this end, we have begun building a marketplace for validator-for-hire services so that dapp developers can outsource validation services to reputable nodes with high up-time. We've announced a partnership in which Chainlink nodes will provide Arbitrum validation services, and we expect to announce more partnerships shortly with other blockchain infrastructure providers.
Although there is no requirement that validators are paid, Arbitrum’s economic model tracks validators’ costs (e.g. amount of computation and storage) and can charge small fees on user transactions, using a gas-type system, to cover those costs. Alternatively, a single party such as Reddit can agree to cover the costs of invited validators.
6. Reddit Contract Support
Since Arbitrum contracts and transactions are byte-for-byte compatible with Ethereum, supporting the Reddit contracts is as simple as launching them on an Arbitrum chain.
Minting. Arbitrum Rollup supports hybrid L1/L2 tokens which can be minted in L2 and then withdrawn onto the L1. An L1 contract at address A can make a special call to the EthBridge which deploys a "buddy contract" to the same address A on an Arbitrum chain. Since it's deployed at the same address, users can know that the L2 contract is the authorized "buddy" of the L1 contract on the Arbitrum chain.
For minting, the L1 contract is a standard ERC-20 contract which mints and burns tokens when requested by the L2 contract. It is paired with an ERC-20 contract in L2 which mints tokens based on whatever programmer provided minting facility is desired and burns tokens when they are withdrawn from the rollup chain. Given this base infrastructure, Arbitrum can support any smart contract based method for minting tokens in L2, and indeed we directly support Reddit's signature/claim based minting in L2.
Batch minting. What's better than a mint cookie? A whole batch! In addition to supporting Reddit’s current minting/claiming scheme, we built a second minting design, which we believe outperforms the signature/claim system in many scenarios.
In the current system, Reddit periodically issues signed statements to users, who then take those statements to the blockchain to claim their tokens. An alternative approach would have Reddit directly submit the list of users/amounts to the blockchain and distribute the tokens to the users without the signature/claim process.
To optimize the cost efficiency of this approach, we designed an application-specific compression scheme to minimize the size of the batch distribution list. We analyzed the data from Reddit's previous distributions and found that the data is highly compressible since token amounts are small and repeated, and addresses appear multiple times. Our function groups transactions by size, and replaces previously-seen addresses with a shorter index value. We wrote client code to compress the data, wrote a Solidity decompressing function, and integrated that function into Reddit’s contract running on Arbitrum.
When we ran the compression function on the previous Reddit distribution data, we found that we could compress batched minting data down to to 11.8 bytes per minting event (averaged over a 6-month trace of Reddit’s historical token grants)compared with roughly 174 bytes of on-chain data needed for the signature claim approach to minting (roughly 43 for an RLP-encoded null transaction + 65 for Reddit's signature + 65 for the user's signature + roughly 8 for the number of Points) .
The relative benefit of the two approaches with respect to on-chain call data cost depends on the percentage of users that will actually claim their tokens on chain. With the above figures, batch minting will be cheaper if roughly 5% of users redeem their claims. We stress that our compression scheme is not Arbitrum-specific and would be beneficial in any general-purpose smart contract platform.
8. Benchmarks and costs
In this section, we give the full costs of operating the Reddit contracts on an Arbitrum Rollup chain including the L1 gas costs for the Rollup chain, the costs of computation and storage for the L2 validators as well as the capital lockup requirements for staking.
Arbitrum Rollup is still on testnet, so we did not run mainnet benchmarks. Instead, we measured the L1 gas cost and L2 workload for Reddit operations on Arbitrum and calculated the total cost assuming current Ethereum gas prices. As noted below in detail, our measurements do not assume that Arbitrum is consuming the entire capacity of Ethereum. We will present the details of our model now, but for full transparency you can also play around with it yourself and adjust the parameters, by copying the spreadsheet found here.
Our cost model is based on measurements of Reddit’s contracts, running unmodified (except for the addition of a batch minting function) on Arbitrum Rollup on top of Ethereum.
On the distribution of transactions and frequency of assertions. Reddit's instructions specify the following minimum parameters that submissions should support:
Over a 5 day period, your scaling PoC should be able to handle:
  • 100,000 point claims (minting & distributing points)
  • 25,000 subscriptions
  • 75,000 one-off points burning
  • 100,000 transfers
We provide the full costs of operating an Arbitrum Rollup chain with this usage under the assumption that tokens are minted or granted to users in batches, but other transactions are uniformly distributed over the 5 day period. Unlike some other submissions, we do not make unrealistic assumptions that all operations can be submitted in enormous batches. We assume that batch minting is done in batches that use only a few percent on an L1 block’s gas, and that other operations come in evenly over time and are submitted in batches, with one batch every five minutes to keep latency reasonable. (Users are probably already waiting for L1 finality, which takes at least that long to achieve.)
We note that assuming that there are only 300,000 transactions that arrive uniformly over the 5 day period will make our benchmark numbers lower, but we believe that this will reflect the true cost of running the system. To see why, say that batches are submitted every five minutes (20 L1 blocks) and there's a fixed overhead of c bytes of calldata per batch, the cost of which will get amortized over all transactions executed in that batch. Assume that each individual transaction adds a marginal cost of t. Lastly assume the capacity of the scaling system is high enough that it can support all of Reddit's 300,000 transactions within a single 20-block batch (i.e. that there is more than c + 300,000*t byes of calldata available in 20 blocks).
Consider what happens if c, the per-batch overhead, is large (which it is in some systems, but not in Arbitrum). In the scenario that transactions actually arrive at the system's capacity and each batch is full, then c gets amortized over 300,000 transactions. But if we assume that the system is not running at capacity--and only receives 300,000 transactions arriving uniformly over 5 days-- then each 20-block assertion will contain about 200 transactions, and thus each transaction will pay a nontrivial cost due to c.
We are aware that other proposals presented scaling numbers assuming that 300,000 transactions arrived at maximum capacity and was executed in a single mega-transaction, but according to our estimates, for at least one such report, this led to a reported gas price that was 2-3 orders of magnitude lower than it would have been assuming uniform arrival. We make more realistic batching assumptions, and we believe Arbitrum compares well when batch sizes are realistic.
Our model. Our cost model includes several sources of cost:
  • L1 gas costs: This is the cost of posting transactions as calldata on the L1 chain, as well as the overhead associated with each batch of transactions, and the L1 cost of settling transactions in the Arbitrum protocol.
  • Validator’s staking costs: In normal operation, one validator will need to be staked. The stake is assumed to be 0.2% of the total value of the chain (which is assumed to be $1 per user who is eligible to claim points). The cost of staking is the interest that could be earned on the money if it were not staked.
  • Validator computation and storage: Every validator must do computation to track the chain’s processing of transactions, and must maintain storage to keep track of the contracts’ EVM storage. The cost of computation and storage are estimated based on measurements, with the dollar cost of resources based on Amazon Web Services pricing.
It’s clear from our modeling that the predominant cost is for L1 calldata. This will probably be true for any plausible rollup-based system.
Our model also shows that Arbitrum can scale to workloads much larger than Reddit’s nominal workload, without exhausting L1 or L2 resources. The scaling bottleneck will ultimately be calldata on the L1 chain. We believe that cost could be reduced substantially if necessary by clever encoding of data. (In our design any compression / decompression of L2 transaction calldata would be done by client software and L2 programs, never by an L1 contract.)
9. Status of Arbitrum Rollup
Arbitrum Rollup is live on Ethereum testnet. All of the code written to date including everything included in the Reddit demo is open source and permissively licensed under the Apache V2 license. The first testnet version of Arbitrum Rollup was released on testnet in February. Our current internal version, which we used to benchmark the Reddit contracts, will be released soon and will be a major upgrade.
Both the Arbitrum design as well as the implementation are heavily audited by independent third parties. The Arbitrum academic paper was published at USENIX Security, a top-tier peer-reviewed academic venue. For the Arbitrum software, we have engaged Trail of Bits for a security audit, which is currently ongoing, and we are committed to have a clean report before launching on Ethereum mainnet.
10. Reddit Universe Arbitrum Rollup Chain
The benchmarks described in this document were all measured using the latest internal build of our software. When we release the new software upgrade publicly we will launch a Reddit Universe Arbitrum Rollup chain as a public demo, which will contain the Reddit contracts as well as a Uniswap instance and a Connext Hub, demonstrating how Community Points can be integrated into third party apps. We will also allow members of the public to dynamically launch ecosystem contracts. We at Offchain Labs will cover the validating costs for the Reddit Universe public demo.
If the folks at Reddit would like to evaluate our software prior to our public demo, please email us at [email protected] and we'd be more than happy to provide early access.
11. Even more scaling: Arbitrum Sidechains
Rollups are an excellent approach to scaling, and we are excited about Arbitrum Rollup which far surpasses Reddit's scaling needs. But looking forward to Reddit's eventual goal of supporting hundreds of millions of users, there will likely come a time when Reddit needs more scaling than any Rollup protocol can provide.
While Rollups greatly reduce costs, they don't break the linear barrier. That is, all transactions have an on-chain footprint (because all calldata must be posted on-chain), albeit a far smaller one than on native Ethereum, and the L1 limitations end up being the bottleneck for capacity and cost. Since Ethereum has limited capacity, this linear use of on-chain resources means that costs will eventually increase superlinearly with traffic.
The good news is that we at Offchain Labs have a solution in our roadmap that can satisfy this extreme-scaling setting as well: Arbitrum AnyTrust Sidechains. Arbitrum Sidechains are similar to Arbitrum Rollup, but deviate in that they name a permissioned set of validators. When a chain’s validators agree off-chain, they can greatly reduce the on-chain footprint of the protocol and require almost no data to be put on-chain. When validators can't reach unanimous agreement off-chain, the protocol reverts to Arbitrum Rollup. Technically, Arbitrum Sidechains can be viewed as a hybrid between state channels and Rollup, switching back and forth as necessary, and combining the performance and cost that state channels can achieve in the optimistic case, with the robustness of Rollup in other cases. The core technical challenge is how to switch seamlessly between modes and how to guarantee that security is maintained throughout.
Arbitrum Sidechains break through this linear barrier, while still maintaining a high level of security and decentralization. Arbitrum Sidechains provide the AnyTrust guarantee, which says that as long as any one validator is honest and available (even if you don't know which one will be), the L2 chain is guaranteed to execute correctly according to its code and guaranteed to make progress. Unlike in a state channel, offchain progress does not require unanimous consent, and liveness is preserved as long as there is a single honest validator.
Note that the trust model for Arbitrum Sidechains is much stronger than for typical BFT-style chains which introduce a consensus "voting" protocols among a small permissioned group of validators. BFT-based protocols require a supermajority (more than 2/3) of validators to agree. In Arbitrum Sidechains, by contrast, all you need is a single honest validator to achieve guaranteed correctness and progress. Notice that in Arbitrum adding validators strictly increases security since the AnyTrust guarantee provides correctness as long as any one validator is honest and available. By contrast, in BFT-style protocols, adding nodes can be dangerous as a coalition of dishonest nodes can break the protocol.
Like Arbitrum Rollup, the developer and user experiences for Arbitrum Sidechains will be identical to that of Ethereum. Reddit would be able to choose a large and diverse set of validators, and all that they would need to guarantee to break through the scaling barrier is that a single one of them will remain honest.
We hope to have Arbitrum Sidechains in production in early 2021, and thus when Reddit reaches the scale that surpasses the capacity of Rollups, Arbitrum Sidechains will be waiting and ready to help.
While the idea to switch between channels and Rollup to get the best of both worlds is conceptually simple, getting the details right and making sure that the switch does not introduce any attack vectors is highly non-trivial and has been the subject of years of our research (indeed, we were working on this design for years before the term Rollup was even coined).
12. How Arbitrum compares
We include a comparison to several other categories as well as specific projects when appropriate. and explain why we believe that Arbitrum is best suited for Reddit's purposes. We focus our attention on other Ethereum projects.
Payment only Rollups. Compared to Arbitrum Rollup, ZK-Rollups and other Rollups that only support token transfers have several disadvantages:
  • As outlined throughout the proposal, we believe that the entire draw of Ethereum is in its rich smart contracts support which is simply not achievable with today's zero-knowledge proof technology. Indeed, scaling with a ZK-Rollup will add friction to the deployment of smart contracts that interact with Community Points as users will have to withdraw their coins from the ZK-Rollup and transfer them to a smart contract system (like Arbitrum). The community will be best served if Reddit builds on a platform that has built-in, frictionless smart-contract support.
  • All other Rollup protocols of which we are aware employ a centralized operator. While it's true that users retain custody of their coins, the centralized operator can often profit from censoring, reordering, or delaying transactions. A common misconception is that since they're non-custodial protocols, a centralized sequencer does not pose a risk but this is incorrect as the sequencer can wreak havoc or shake down users for side payments without directly stealing funds.
  • Sidechain type protocols can eliminate some of these issues, but they are not trustless. Instead, they require trust in some quorum of a committee, often requiring two-third of the committee to be honest, compared to rollup protocols like Arbitrum that require only a single honest party. In addition, not all sidechain type protocols have committees that are diverse, or even non-centralized, in practice.
  • Plasma-style protocols have a centralized operator and do not support general smart contracts.
13. Concluding Remarks
While it's ultimately up to the judges’ palate, we believe that Arbitrum Rollup is the bakeoff choice that Reddit kneads. We far surpass Reddit's specified workload requirement at present, have much room to optimize Arbitrum Rollup in the near term, and have a clear path to get Reddit to hundreds of millions of users. Furthermore, we are the only project that gives developers and users the identical interface as the Ethereum blockchain and is fully interoperable and tooling-compatible, and we do this all without any new trust assumptions or centralized components.
But no matter how the cookie crumbles, we're glad to have participated in this bake-off and we thank you for your consideration.
About Offchain Labs
Offchain Labs, Inc. is a venture-funded New York company that spun out of Princeton University research, and is building the Arbitrum platform to usher in the next generation of scalable, interoperable, and compatible smart contracts. Offchain Labs is backed by Pantera Capital, Compound VC, Coinbase Ventures, and others.
Leadership Team
Ed Felten
Ed Felten is Co-founder and Chief Scientist at Offchain Labs. He is on leave from Princeton University, where he is the Robert E. Kahn Professor of Computer Science and Public Affairs. From 2015 to 2017 he served at the White House as Deputy United States Chief Technology Officer and senior advisor to the President. He is an ACM Fellow and member of the National Academy of Engineering. Outside of work, he is an avid runner, cook, and L.A. Dodgers fan.
Steven Goldfeder
Steven Goldfeder is Co-founder and Chief Executive Officer at Offchain Labs. He holds a PhD from Princeton University, where he worked at the intersection of cryptography and cryptocurrencies including threshold cryptography, zero-knowledge proof systems, and post-quantum signatures. He is a co-author of Bitcoin and Cryptocurrency Technologies, the leading textbook on cryptocurrencies, and he has previously worked at Google and Microsoft Research, where he co-invented the Picnic signature algorithm. When not working, you can find Steven spending time with his family, taking a nature walk, or twisting balloons.
Harry Kalodner
Harry Kalodner is Co-founder and Chief Technology Officer at Offchain Labs where he leads the engineering team. Before the company he attended Princeton as a Ph.D candidate where his research explored economics, anonymity, and incentive compatibility of cryptocurrencies, and he also has worked at Apple. When not up at 3:00am writing code, Harry occasionally sleeps.
submitted by hkalodner to ethereum [link] [comments]

[ Bitcoin ] Technical: Taproot: Why Activate?

Topic originally posted in Bitcoin by almkglor [link]
This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given private key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

almkglor your post has been copied because one or more comments in this topic have been removed. This copy will preserve unmoderated topic. If you would like to opt-out, please send a message using [this link].
[deleted comment]
[deleted comment]
[deleted comment]
submitted by anticensor_bot to u/anticensor_bot [link] [comments]

Will Quantum Computers BREAK Bitcoin Someday? (Explained For Beginners) Bitcoin Price Falls on Panic over Quantum Computers, Bakkt Failure, & Miner Exodus 3 MILLION BITCOIN IN 2 SECONDS: GOOGLE QUANTUM COMPUTER  $1,000 BTC Price Analysis Can the Google Quantum Computer Hack Bitcoin? Miners Move 9,000 BTC, Quantum Computing Advances: The Bitcoin.com Weekly Update

Bitcoin and Quantum Computing. Craig Wright (Bitcoin SV is Bitcoin.) Follow. Jan 23, 2019 · 4 min read. Even if a quantum computer existed — they do not — Bitcoin would be fine. Quantum ... Quantum computers have arrived, and new models are introduced every year. Most recently, IBM demonstrated a brand new model at this year’s Consumer Electronics Show.Most quantum computing research is currently limited to academic institutions and major corporations, but the technology will become more widely available in the not-so-distant future. When two qubits are entangled with each other, measuring the value of one qubit will automatically tell you the value of the other qubit as well. Entangling all the superpositioned qubits of a quantum computer will give you every possible state involved. How Does Quantum Computing Affect Bitcoin? Quantum computers are exceptionally skilled at solving cryptographic calculations. To fully ... How Quantum Computing Works: An even Briefer overview. ... or in the case of bitcoin mining, less than some target value y. The bitcoin algorithm, relies on an input shown in Figure 1 (source: bitcoinmining.com), if you think of a potential new block of transactions, you have to generate a header. The header of a block consists of several components, including a nonce which is a random 32 bit ... Whether Bitcoin and its’ forks can resist quantum computing? This question divides the crypto community into two opposing groups. On the one hand, crypto-enthusiasts believe Bitcoin can resist quantum technologies. On the other hand, crypto-realists pay much more attention to quantum safety. Let’s look at the arguments of both groups and try to draw conclusions.

[index] [7737] [4881] [27881] [7850] [36597] [49942] [24790] [6579] [8815] [25330]

Will Quantum Computers BREAK Bitcoin Someday? (Explained For Beginners)

3 MILLION BITCOIN IN 2 SECONDS: GOOGLE QUANTUM COMPUTER $1,000 BTC Price Analysis - Duration: 12:21. ... Can Quantum Computers Hack Bitcoin / Ethereum? - Duration: 8:07. Boxmining 44,022 views ... This is a topic that has been covered quite a bit but it is VERY TECHNICAL. So in this video I'll cover the potential risks from quantum computers that Bitcoin and other similar cryptocurrencies face! Bitcoin price falls hard on panic over Quantum computing, bakkt failure, and fears over miner exodus. $50 FREE BITCOIN BLOCKFI https://blockfi.com/?ref=912fa... “The problem isn’t really Bitcoin. If we get quantum computers that can do thousands of qubits without a correction and consistent results, we have a much bigger problem. The bigger problem we ... Bitcoin Broke the descending triangle and dropped below $8,000, the main reason why this happened is when came out regarding google quantum computer. In this video I will explain what is quantum ...

#