Ripple CTO: Quantum computers will be a threat to Bitcoin ...

Technical: Taproot: Why Activate?

This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

submitted by almkglor to Bitcoin [link] [comments]

Zano Newcomers Introduction/FAQ - please read!

Welcome to the Zano Sticky Introduction/FAQ!

https://preview.redd.it/al1gy9t9v9q51.png?width=424&format=png&auto=webp&s=b29a60402d30576a4fd95f592b392fae202026ca
Hopefully any questions you have will be answered by the resources below, but if you have additional questions feel free to ask them in the comments. If you're quite technically-minded, the Zano whitepaper gives a thorough overview of Zano's design and its main features.
So, what is Zano? In brief, Zano is a project started by the original developers of CryptoNote. Coins with market caps totalling well over a billion dollars (Monero, Haven, Loki and countless others) run upon the codebase they created. Zano is a continuation of their efforts to create the "perfect money", and brings a wealth of enhancements to their original CryptoNote code.
Development happens at a lightning pace, as the Github activity shows, but Zano is still very much a work-in-progress. Let's cut right to it:
Here's why you should pay attention to Zano over the next 12-18 months. Quoting from a recent update:
Anton Sokolov has recently joined the Zano team. ... For the last months Anton has been working on theoretical work dedicated to log-size ring signatures. These signatures theoretically allows for a logarithmic relationship between the number of decoys and the size/performance of transactions. This means that we can set mixins at a level from up to 1000, keeping the reasonable size and processing speed of transactions. This will take Zano’s privacy to a whole new level, and we believe this technology will turn out to be groundbreaking!
If successful, this scheme will make Zano the most private, powerful and performant CryptoNote implementation on the planet. Bar none. A quantum leap in privacy with a minimal increase in resource usage. And if there's one team capable of pulling it off, it's this one.

What else makes Zano special?

You mean aside from having "the Godfather of CryptoNote" as the project lead? ;) Actually, the calibre of the developers/researchers at Zano probably is the project's single greatest strength. Drawing on years of experience, they've made careful design choices, optimizing performance with an asynchronous core architecture, and flexibility and extensibility with a modular code structure. This means that the developers are able to build and iterate fast, refining features and adding new ones at a rate that makes bigger and better-funded teams look sluggish at best.
Zano also has some unique features that set it apart from similar projects:
Privacy Firstly, if you're familiar with CryptoNote you won't be surprised that Zano transactions are private. The perfect money is fungible, and therefore must be untraceable. Bitcoin, for the most part, does little to hide your transaction data from unscrupulous observers. With Zano, privacy is the default.
The untraceability and unlinkability of Zano transactions come from its use of ring signatures and stealth addresses. What this means is that no outside observer is able to tell if two transactions were sent to the same address, and for each transaction there is a set of possible senders that make it impossible to determine who the real sender is.
Hybrid PoW-PoS consensus mechanism Zano achieves an optimal level of security by utilizing both Proof of Work and Proof of Stake for consensus. By combining the two systems, it mitigates their individual vulnerabilities (see 51% attack and "nothing at stake" problem). For an attack on Zano to have even a remote chance of success the attacker would have to obtain not only a majority of hashing power, but also a majority of the coins involved in staking. The system and its design considerations are discussed at length in the whitepaper.
Aliases Here's a stealth address: ZxDdULdxC7NRFYhCGdxkcTZoEGQoqvbZqcDHj5a7Gad8Y8wZKAGZZmVCUf9AvSPNMK68L8r8JfAfxP4z1GcFQVCS2Jb9wVzoe. I have a hard enough time remembering my phone number. Fortunately, Zano has an alias system that lets you register an address to a human-readable name. (@orsonj if you want to anonymously buy me a coffee)
Multisig
Multisignature (multisig) refers to requiring multiple keys to authorize a Zano transaction. It has a number of applications, such as dividing up responsibility for a single Zano wallet among multiple parties, or creating backups where loss of a single seed doesn't lead to loss of the wallet.
Multisig and escrow are key components of the planned Decentralized Marketplace (see below), so consideration was given to each of them from the design stages. Thus Zano's multisig, rather than being tagged on at the wallet-level as an afterthought, is part of its its core architecture being incorporated at the protocol level. This base-layer integration means months won't be spent in the future on complicated refactoring efforts in order to integrate multisig into a codebase that wasn't designed for it. Plus, it makes it far easier for third-party developers to include multisig (implemented correctly) in any Zano wallets and applications they create in the future.
(Double Deposit MAD) Escrow
With Zano's escrow service you can create fully customizable p2p contracts that are designed to, once signed by participants, enforce adherence to their conditions in such a way that no trusted third-party escrow agent is required.
https://preview.redd.it/jp4oghyhv9q51.png?width=1762&format=png&auto=webp&s=12a1e76f76f902ed328886283050e416db3838a5
The Particl project, aside from a couple of minor differences, uses an escrow scheme that works the same way, so I've borrowed the term they coined ("Double Deposit MAD Escrow") as I think it describes the scheme perfectly. The system requires participants to make additional deposits, which they will forfeit if there is any attempt to act in a way that breaches the terms of the contract. Full details can be found in the Escrow section of the whitepaper.
The usefulness of multisig and the escrow system may not seem obvious at first, but as mentioned before they'll form the backbone of Zano's Decentralized Marketplace service (described in the next section).

What does the future hold for Zano?

The planned upgrade to Zano's privacy, mentioned at the start, is obviously one of the most exciting things the team is working on, but it's not the only thing.
Zano Roadmap
Decentralized Marketplace
From the beginning, the Zano team's goal has been to create the perfect money. And money can't just be some vehicle for speculative investment, money must be used. To that end, the team have created a set of tools to make it as simple as possible for Zano to be integrated into eCommerce platforms. Zano's API’s and plugins are easy to use, allowing even those with very little coding experience to use them in their E-commerce-related ventures. The culmination of this effort will be a full Decentralized Anonymous Marketplace built on top of the Zano blockchain. Rather than being accessed via the wallet, it will act more as a service - Marketplace as a Service (MAAS) - for anyone who wishes to use it. The inclusion of a simple "snippet" of code into a website is all that's needed to become part a global decentralized, trustless and private E-commerce network.
Atomic Swaps
Just as Zano's marketplace will allow you to transact without needing to trust your counterparty, atomic swaps will let you to easily convert between Zano and other cyryptocurrencies without having to trust a third-party service such as a centralized exchange. On top of that, it will also lead to the way to Zano's inclusion in the many decentralized exchange (DEX) services that have emerged in recent years.

Where can I buy Zano?

Zano's currently listed on the following exchanges:
https://coinmarketcap.com/currencies/zano/markets/
It goes without saying, neither I nor the Zano team work for any of the exchanges or can vouch for their reliability. Use at your own risk and never leave coins on a centralized exchange for longer than necessary. Your keys, your coins!
If you have any old graphics cards lying around(both AMD & NVIDIA), then Zano is also mineable through its unique ProgPowZ algorithm. Here's a guide on how to get started.
Once you have some Zano, you can safely store it in one of the desktop or mobile wallets (available for all major platforms).

How can I support Zano?

Zano has no marketing department, which is why this post has been written by some guy and not the "Chief Growth Engineer @ Zano Enterprises". The hard part is already done: there's a team of world class developers and researchers gathered here. But, at least at the current prices, the team's funds are enough to cover the cost of development and little more. So the job of publicizing the project falls to the community. If you have any experience in community building/growth hacking at another cryptocurrency or open source project, or if you're a Zano holder who would like to ensure the project's long-term success by helping to spread the word, then send me a pm. We need to get organized.
Researchers and developers are also very welcome. Working at the cutting edge of mathematics and cryptography means Zano provides challenging and rewarding work for anyone in those fields. Please contact the project's Community Manager u/Jed_T if you're interested in joining the team.
Social Links:
Twitter
Discord Server
Telegram Group
Medium blog
I'll do my best to keep this post accurate and up to date. Message me please with any suggested improvements and leave any questions you have below.
Welcome to the Zano community and the new decentralized private economy!
submitted by OrsonJ to Zano [link] [comments]

Scaling Reddit Community Points with Arbitrum Rollup: a piece of cake

Scaling Reddit Community Points with Arbitrum Rollup: a piece of cake
https://preview.redd.it/b80c05tnb9e51.jpg?width=2550&format=pjpg&auto=webp&s=850282c1a3962466ed44f73886dae1c8872d0f31
Submitted for consideration to The Great Reddit Scaling Bake-Off
Baked by the pastry chefs at Offchain Labs
Please send questions or comments to [[email protected] ](mailto:[email protected])
1. Overview
We're excited to submit Arbitrum Rollup for consideration to The Great Reddit Scaling Bake-Off. Arbitrum Rollup is the only Ethereum scaling solution that supports arbitrary smart contracts without compromising on Ethereum's security or adding points of centralization. For Reddit, this means that Arbitrum can not only scale the minting and transfer of Community Points, but it can foster a creative ecosystem built around Reddit Community Points enabling points to be used in a wide variety of third party applications. That's right -- you can have your cake and eat it too!
Arbitrum Rollup isn't just Ethereum-style. Its Layer 2 transactions are byte-for-byte identical to Ethereum, which means Ethereum users can continue to use their existing addresses and wallets, and Ethereum developers can continue to use their favorite toolchains and development environments out-of-the-box with Arbitrum. Coupling Arbitrum’s tooling-compatibility with its trustless asset interoperability, Reddit not only can scale but can onboard the entire Ethereum community at no cost by giving them the same experience they already know and love (well, certainly know).
To benchmark how Arbitrum can scale Reddit Community Points, we launched the Reddit contracts on an Arbitrum Rollup chain. Since Arbitrum provides full Solidity support, we didn't have to rewrite the Reddit contracts or try to mimic their functionality using an unfamiliar paradigm. Nope, none of that. We launched the Reddit contracts unmodified on Arbitrum Rollup complete with support for minting and distributing points. Like every Arbitrum Rollup chain, the chain included a bridge interface in which users can transfer Community Points or any other asset between the L1 and L2 chains. Arbitrum Rollup chains also support dynamic contract loading, which would allow third-party developers to launch custom ecosystem apps that integrate with Community Points on the very same chain that runs the Reddit contracts.
1.1 Why Ethereum
Perhaps the most exciting benefit of distributing Community Points using a blockchain is the ability to seamlessly port points to other applications and use them in a wide variety of contexts. Applications may include simple transfers such as a restaurant that allows Redditors to spend points on drinks. Or it may include complex smart contracts -- such as placing Community Points as a wager for a multiparty game or as collateral in a financial contract.
The common denominator between all of the fun uses of Reddit points is that it needs a thriving ecosystem of both users and developers, and the Ethereum blockchain is perhaps the only smart contract platform with significant adoption today. While many Layer 1 blockchains boast lower cost or higher throughput than the Ethereum blockchain, more often than not, these attributes mask the reality of little usage, weaker security, or both.
Perhaps another platform with significant usage will rise in the future. But today, Ethereum captures the mindshare of the blockchain community, and for Community Points to provide the most utility, the Ethereum blockchain is the natural choice.
1.2 Why Arbitrum
While Ethereum's ecosystem is unmatched, the reality is that fees are high and capacity is too low to support the scale of Reddit Community Points. Enter Arbitrum. Arbitrum Rollup provides all of the ecosystem benefits of Ethereum, but with orders of magnitude more capacity and at a fraction of the cost of native Ethereum smart contracts. And most of all, we don't change the experience from users. They continue to use the same wallets, addresses, languages, and tools.
Arbitrum Rollup is not the only solution that can scale payments, but it is the only developed solution that can scale both payments and arbitrary smart contracts trustlessly, which means that third party users can build highly scalable add-on apps that can be used without withdrawing money from the Rollup chain. If you believe that Reddit users will want to use their Community Points in smart contracts--and we believe they will--then it makes the most sense to choose a single scaling solution that can support the entire ecosystem, eliminating friction for users.
We view being able to run smart contracts in the same scaling solution as fundamentally critical since if there's significant demand in running smart contracts from Reddit's ecosystem, this would be a load on Ethereum and would itself require a scaling solution. Moreover, having different scaling solutions for the minting/distribution/spending of points and for third party apps would be burdensome for users as they'd have to constantly shuffle their Points back and forth.
2. Arbitrum at a glance
Arbitrum Rollup has a unique value proposition as it offers a combination of features that no other scaling solution achieves. Here we highlight its core attributes.
Decentralized. Arbitrum Rollup is as decentralized as Ethereum. Unlike some other Layer 2 scaling projects, Arbitrum Rollup doesn't have any centralized components or centralized operators who can censor users or delay transactions. Even in non-custodial systems, centralized components provide a risk as the operators are generally incentivized to increase their profit by extracting rent from users often in ways that severely degrade user experience. Even if centralized operators are altruistic, centralized components are subject to hacking, coercion, and potential liability.
Massive Scaling. Arbitrum achieves order of magnitude scaling over Ethereum's L1 smart contracts. Our software currently supports 453 transactions-per-second for basic transactions (at 1616 Ethereum gas per tx). We have a lot of room left to optimize (e.g. aggregating signatures), and over the next several months capacity will increase significantly. As described in detail below, Arbitrum can easily support and surpass Reddit's anticipated initial load, and its capacity will continue to improve as Reddit's capacity needs grow.
Low cost. The cost of running Arbitrum Rollup is quite low compared to L1 Ethereum and other scaling solutions such as those based on zero-knowledge proofs. Layer 2 fees are low, fixed, and predictable and should not be overly burdensome for Reddit to cover. Nobody needs to use special equipment or high-end machines. Arbitrum requires validators, which is a permissionless role that can be run on any reasonable on-line machine. Although anybody can act as a validator, in order to protect against a “tragedy of the commons” and make sure reputable validators are participating, we support a notion of “invited validators” that are compensated for their costs. In general, users pay (low) fees to cover the invited validators’ costs, but we imagine that Reddit may cover this cost for its users. See more on the costs and validator options below.
Ethereum Developer Experience. Not only does Arbitrum support EVM smart contracts, but the developer experience is identical to that of L1 Ethereum contracts and fully compatible with Ethereum tooling. Developers can port existing Solidity apps or write new ones using their favorite and familiar toolchains (e.g. Truffle, Buidler). There are no new languages or coding paradigms to learn.
Ethereum wallet compatibility. Just as in Ethereum, Arbitrum users need only hold keys, but do not have to store any coin history or additional data to protect or access their funds. Since Arbitrum transactions are semantically identical to Ethereum L1 transactions, existing Ethereum users can use their existing Ethereum keys with their existing wallet software such as Metamask.
Token interoperability. Users can easily transfer their ETH, ERC-20 and ERC-721 tokens between Ethereum and the Arbitrum Rollup chain. As we explain in detail below, it is possible to mint tokens in L2 that can subsequently be withdrawn and recognized by the L1 token contract.
Fast finality. Transactions complete with the same finality time as Ethereum L1 (and it's possible to get faster finality guarantees by trading away trust assumptions; see the Arbitrum Rollup whitepaper for details).
Non-custodial. Arbitrum Rollup is a non-custodial scaling solution, so users control their funds/points and neither Reddit nor anyone else can ever access or revoke points held by users.
Censorship Resistant. Since it's completely decentralized, and the Arbitrum protocol guarantees progress trustlessly, Arbitrum Rollup is just as censorship-proof as Ethereum.
Block explorer. The Arbitrum Rollup block explorer allows users to view and analyze transactions on the Rollup chain.
Limitations
Although this is a bake-off, we're not going to sugar coat anything. Arbitrum Rollup, like any Optimistic Rollup protocol, does have one limitation, and that's the delay on withdrawals.
As for the concrete length of the delay, we've done a good deal of internal modeling and have blogged about this as well. Our current modeling suggests a 3-hour delay is sufficient (but as discussed in the linked post there is a tradeoff space between the length of the challenge period and the size of the validators’ deposit).
Note that this doesn't mean that the chain is delayed for three hours. Arbitrum Rollup supports pipelining of execution, which means that validators can keep building new states even while previous ones are “in the pipeline” for confirmation. As the challenge delays expire for each update, a new state will be confirmed (read more about this here).
So activity and progress on the chain are not delayed by the challenge period. The only thing that's delayed is the consummation of withdrawals. Recall though that any single honest validator knows immediately (at the speed of L1 finality) which state updates are correct and can guarantee that they will eventually be confirmed, so once a valid withdrawal has been requested on-chain, every honest party knows that the withdrawal will definitely happen. There's a natural place here for a liquidity market in which a validator (or someone who trusts a validator) can provide withdrawal loans for a small interest fee. This is a no-risk business for them as they know which withdrawals will be confirmed (and can force their confirmation trustlessly no matter what anyone else does) but are just waiting for on-chain finality.
3. The recipe: How Arbitrum Rollup works
For a description of the technical components of Arbitrum Rollup and how they interact to create a highly scalable protocol with a developer experience that is identical to Ethereum, please refer to the following documents:
Arbitrum Rollup Whitepaper
Arbitrum academic paper (describes a previous version of Arbitrum)
4. Developer docs and APIs
For full details about how to set up and interact with an Arbitrum Rollup chain or validator, please refer to our developer docs, which can be found at https://developer.offchainlabs.com/.
Note that the Arbitrum version described on that site is older and will soon be replaced by the version we are entering in Reddit Bake-Off, which is still undergoing internal testing before public release.
5. Who are the validators?
As with any Layer 2 protocol, advancing the protocol correctly requires at least one validator (sometimes called block producers) that is honest and available. A natural question is: who are the validators?
Recall that the validator set for an Arbitrum chain is open and permissionless; anyone can start or stop validating at will. (A useful analogy is to full nodes on an L1 chain.) But we understand that even though anyone can participate, Reddit may want to guarantee that highly reputable nodes are validating their chain. Reddit may choose to validate the chain themselves and/or hire third-party validators.To this end, we have begun building a marketplace for validator-for-hire services so that dapp developers can outsource validation services to reputable nodes with high up-time. We've announced a partnership in which Chainlink nodes will provide Arbitrum validation services, and we expect to announce more partnerships shortly with other blockchain infrastructure providers.
Although there is no requirement that validators are paid, Arbitrum’s economic model tracks validators’ costs (e.g. amount of computation and storage) and can charge small fees on user transactions, using a gas-type system, to cover those costs. Alternatively, a single party such as Reddit can agree to cover the costs of invited validators.
6. Reddit Contract Support
Since Arbitrum contracts and transactions are byte-for-byte compatible with Ethereum, supporting the Reddit contracts is as simple as launching them on an Arbitrum chain.
Minting. Arbitrum Rollup supports hybrid L1/L2 tokens which can be minted in L2 and then withdrawn onto the L1. An L1 contract at address A can make a special call to the EthBridge which deploys a "buddy contract" to the same address A on an Arbitrum chain. Since it's deployed at the same address, users can know that the L2 contract is the authorized "buddy" of the L1 contract on the Arbitrum chain.
For minting, the L1 contract is a standard ERC-20 contract which mints and burns tokens when requested by the L2 contract. It is paired with an ERC-20 contract in L2 which mints tokens based on whatever programmer provided minting facility is desired and burns tokens when they are withdrawn from the rollup chain. Given this base infrastructure, Arbitrum can support any smart contract based method for minting tokens in L2, and indeed we directly support Reddit's signature/claim based minting in L2.
Batch minting. What's better than a mint cookie? A whole batch! In addition to supporting Reddit’s current minting/claiming scheme, we built a second minting design, which we believe outperforms the signature/claim system in many scenarios.
In the current system, Reddit periodically issues signed statements to users, who then take those statements to the blockchain to claim their tokens. An alternative approach would have Reddit directly submit the list of users/amounts to the blockchain and distribute the tokens to the users without the signature/claim process.
To optimize the cost efficiency of this approach, we designed an application-specific compression scheme to minimize the size of the batch distribution list. We analyzed the data from Reddit's previous distributions and found that the data is highly compressible since token amounts are small and repeated, and addresses appear multiple times. Our function groups transactions by size, and replaces previously-seen addresses with a shorter index value. We wrote client code to compress the data, wrote a Solidity decompressing function, and integrated that function into Reddit’s contract running on Arbitrum.
When we ran the compression function on the previous Reddit distribution data, we found that we could compress batched minting data down to to 11.8 bytes per minting event (averaged over a 6-month trace of Reddit’s historical token grants)compared with roughly 174 bytes of on-chain data needed for the signature claim approach to minting (roughly 43 for an RLP-encoded null transaction + 65 for Reddit's signature + 65 for the user's signature + roughly 8 for the number of Points) .
The relative benefit of the two approaches with respect to on-chain call data cost depends on the percentage of users that will actually claim their tokens on chain. With the above figures, batch minting will be cheaper if roughly 5% of users redeem their claims. We stress that our compression scheme is not Arbitrum-specific and would be beneficial in any general-purpose smart contract platform.
8. Benchmarks and costs
In this section, we give the full costs of operating the Reddit contracts on an Arbitrum Rollup chain including the L1 gas costs for the Rollup chain, the costs of computation and storage for the L2 validators as well as the capital lockup requirements for staking.
Arbitrum Rollup is still on testnet, so we did not run mainnet benchmarks. Instead, we measured the L1 gas cost and L2 workload for Reddit operations on Arbitrum and calculated the total cost assuming current Ethereum gas prices. As noted below in detail, our measurements do not assume that Arbitrum is consuming the entire capacity of Ethereum. We will present the details of our model now, but for full transparency you can also play around with it yourself and adjust the parameters, by copying the spreadsheet found here.
Our cost model is based on measurements of Reddit’s contracts, running unmodified (except for the addition of a batch minting function) on Arbitrum Rollup on top of Ethereum.
On the distribution of transactions and frequency of assertions. Reddit's instructions specify the following minimum parameters that submissions should support:
Over a 5 day period, your scaling PoC should be able to handle:
  • 100,000 point claims (minting & distributing points)
  • 25,000 subscriptions
  • 75,000 one-off points burning
  • 100,000 transfers
We provide the full costs of operating an Arbitrum Rollup chain with this usage under the assumption that tokens are minted or granted to users in batches, but other transactions are uniformly distributed over the 5 day period. Unlike some other submissions, we do not make unrealistic assumptions that all operations can be submitted in enormous batches. We assume that batch minting is done in batches that use only a few percent on an L1 block’s gas, and that other operations come in evenly over time and are submitted in batches, with one batch every five minutes to keep latency reasonable. (Users are probably already waiting for L1 finality, which takes at least that long to achieve.)
We note that assuming that there are only 300,000 transactions that arrive uniformly over the 5 day period will make our benchmark numbers lower, but we believe that this will reflect the true cost of running the system. To see why, say that batches are submitted every five minutes (20 L1 blocks) and there's a fixed overhead of c bytes of calldata per batch, the cost of which will get amortized over all transactions executed in that batch. Assume that each individual transaction adds a marginal cost of t. Lastly assume the capacity of the scaling system is high enough that it can support all of Reddit's 300,000 transactions within a single 20-block batch (i.e. that there is more than c + 300,000*t byes of calldata available in 20 blocks).
Consider what happens if c, the per-batch overhead, is large (which it is in some systems, but not in Arbitrum). In the scenario that transactions actually arrive at the system's capacity and each batch is full, then c gets amortized over 300,000 transactions. But if we assume that the system is not running at capacity--and only receives 300,000 transactions arriving uniformly over 5 days-- then each 20-block assertion will contain about 200 transactions, and thus each transaction will pay a nontrivial cost due to c.
We are aware that other proposals presented scaling numbers assuming that 300,000 transactions arrived at maximum capacity and was executed in a single mega-transaction, but according to our estimates, for at least one such report, this led to a reported gas price that was 2-3 orders of magnitude lower than it would have been assuming uniform arrival. We make more realistic batching assumptions, and we believe Arbitrum compares well when batch sizes are realistic.
Our model. Our cost model includes several sources of cost:
  • L1 gas costs: This is the cost of posting transactions as calldata on the L1 chain, as well as the overhead associated with each batch of transactions, and the L1 cost of settling transactions in the Arbitrum protocol.
  • Validator’s staking costs: In normal operation, one validator will need to be staked. The stake is assumed to be 0.2% of the total value of the chain (which is assumed to be $1 per user who is eligible to claim points). The cost of staking is the interest that could be earned on the money if it were not staked.
  • Validator computation and storage: Every validator must do computation to track the chain’s processing of transactions, and must maintain storage to keep track of the contracts’ EVM storage. The cost of computation and storage are estimated based on measurements, with the dollar cost of resources based on Amazon Web Services pricing.
It’s clear from our modeling that the predominant cost is for L1 calldata. This will probably be true for any plausible rollup-based system.
Our model also shows that Arbitrum can scale to workloads much larger than Reddit’s nominal workload, without exhausting L1 or L2 resources. The scaling bottleneck will ultimately be calldata on the L1 chain. We believe that cost could be reduced substantially if necessary by clever encoding of data. (In our design any compression / decompression of L2 transaction calldata would be done by client software and L2 programs, never by an L1 contract.)
9. Status of Arbitrum Rollup
Arbitrum Rollup is live on Ethereum testnet. All of the code written to date including everything included in the Reddit demo is open source and permissively licensed under the Apache V2 license. The first testnet version of Arbitrum Rollup was released on testnet in February. Our current internal version, which we used to benchmark the Reddit contracts, will be released soon and will be a major upgrade.
Both the Arbitrum design as well as the implementation are heavily audited by independent third parties. The Arbitrum academic paper was published at USENIX Security, a top-tier peer-reviewed academic venue. For the Arbitrum software, we have engaged Trail of Bits for a security audit, which is currently ongoing, and we are committed to have a clean report before launching on Ethereum mainnet.
10. Reddit Universe Arbitrum Rollup Chain
The benchmarks described in this document were all measured using the latest internal build of our software. When we release the new software upgrade publicly we will launch a Reddit Universe Arbitrum Rollup chain as a public demo, which will contain the Reddit contracts as well as a Uniswap instance and a Connext Hub, demonstrating how Community Points can be integrated into third party apps. We will also allow members of the public to dynamically launch ecosystem contracts. We at Offchain Labs will cover the validating costs for the Reddit Universe public demo.
If the folks at Reddit would like to evaluate our software prior to our public demo, please email us at [email protected] and we'd be more than happy to provide early access.
11. Even more scaling: Arbitrum Sidechains
Rollups are an excellent approach to scaling, and we are excited about Arbitrum Rollup which far surpasses Reddit's scaling needs. But looking forward to Reddit's eventual goal of supporting hundreds of millions of users, there will likely come a time when Reddit needs more scaling than any Rollup protocol can provide.
While Rollups greatly reduce costs, they don't break the linear barrier. That is, all transactions have an on-chain footprint (because all calldata must be posted on-chain), albeit a far smaller one than on native Ethereum, and the L1 limitations end up being the bottleneck for capacity and cost. Since Ethereum has limited capacity, this linear use of on-chain resources means that costs will eventually increase superlinearly with traffic.
The good news is that we at Offchain Labs have a solution in our roadmap that can satisfy this extreme-scaling setting as well: Arbitrum AnyTrust Sidechains. Arbitrum Sidechains are similar to Arbitrum Rollup, but deviate in that they name a permissioned set of validators. When a chain’s validators agree off-chain, they can greatly reduce the on-chain footprint of the protocol and require almost no data to be put on-chain. When validators can't reach unanimous agreement off-chain, the protocol reverts to Arbitrum Rollup. Technically, Arbitrum Sidechains can be viewed as a hybrid between state channels and Rollup, switching back and forth as necessary, and combining the performance and cost that state channels can achieve in the optimistic case, with the robustness of Rollup in other cases. The core technical challenge is how to switch seamlessly between modes and how to guarantee that security is maintained throughout.
Arbitrum Sidechains break through this linear barrier, while still maintaining a high level of security and decentralization. Arbitrum Sidechains provide the AnyTrust guarantee, which says that as long as any one validator is honest and available (even if you don't know which one will be), the L2 chain is guaranteed to execute correctly according to its code and guaranteed to make progress. Unlike in a state channel, offchain progress does not require unanimous consent, and liveness is preserved as long as there is a single honest validator.
Note that the trust model for Arbitrum Sidechains is much stronger than for typical BFT-style chains which introduce a consensus "voting" protocols among a small permissioned group of validators. BFT-based protocols require a supermajority (more than 2/3) of validators to agree. In Arbitrum Sidechains, by contrast, all you need is a single honest validator to achieve guaranteed correctness and progress. Notice that in Arbitrum adding validators strictly increases security since the AnyTrust guarantee provides correctness as long as any one validator is honest and available. By contrast, in BFT-style protocols, adding nodes can be dangerous as a coalition of dishonest nodes can break the protocol.
Like Arbitrum Rollup, the developer and user experiences for Arbitrum Sidechains will be identical to that of Ethereum. Reddit would be able to choose a large and diverse set of validators, and all that they would need to guarantee to break through the scaling barrier is that a single one of them will remain honest.
We hope to have Arbitrum Sidechains in production in early 2021, and thus when Reddit reaches the scale that surpasses the capacity of Rollups, Arbitrum Sidechains will be waiting and ready to help.
While the idea to switch between channels and Rollup to get the best of both worlds is conceptually simple, getting the details right and making sure that the switch does not introduce any attack vectors is highly non-trivial and has been the subject of years of our research (indeed, we were working on this design for years before the term Rollup was even coined).
12. How Arbitrum compares
We include a comparison to several other categories as well as specific projects when appropriate. and explain why we believe that Arbitrum is best suited for Reddit's purposes. We focus our attention on other Ethereum projects.
Payment only Rollups. Compared to Arbitrum Rollup, ZK-Rollups and other Rollups that only support token transfers have several disadvantages:
  • As outlined throughout the proposal, we believe that the entire draw of Ethereum is in its rich smart contracts support which is simply not achievable with today's zero-knowledge proof technology. Indeed, scaling with a ZK-Rollup will add friction to the deployment of smart contracts that interact with Community Points as users will have to withdraw their coins from the ZK-Rollup and transfer them to a smart contract system (like Arbitrum). The community will be best served if Reddit builds on a platform that has built-in, frictionless smart-contract support.
  • All other Rollup protocols of which we are aware employ a centralized operator. While it's true that users retain custody of their coins, the centralized operator can often profit from censoring, reordering, or delaying transactions. A common misconception is that since they're non-custodial protocols, a centralized sequencer does not pose a risk but this is incorrect as the sequencer can wreak havoc or shake down users for side payments without directly stealing funds.
  • Sidechain type protocols can eliminate some of these issues, but they are not trustless. Instead, they require trust in some quorum of a committee, often requiring two-third of the committee to be honest, compared to rollup protocols like Arbitrum that require only a single honest party. In addition, not all sidechain type protocols have committees that are diverse, or even non-centralized, in practice.
  • Plasma-style protocols have a centralized operator and do not support general smart contracts.
13. Concluding Remarks
While it's ultimately up to the judges’ palate, we believe that Arbitrum Rollup is the bakeoff choice that Reddit kneads. We far surpass Reddit's specified workload requirement at present, have much room to optimize Arbitrum Rollup in the near term, and have a clear path to get Reddit to hundreds of millions of users. Furthermore, we are the only project that gives developers and users the identical interface as the Ethereum blockchain and is fully interoperable and tooling-compatible, and we do this all without any new trust assumptions or centralized components.
But no matter how the cookie crumbles, we're glad to have participated in this bake-off and we thank you for your consideration.
About Offchain Labs
Offchain Labs, Inc. is a venture-funded New York company that spun out of Princeton University research, and is building the Arbitrum platform to usher in the next generation of scalable, interoperable, and compatible smart contracts. Offchain Labs is backed by Pantera Capital, Compound VC, Coinbase Ventures, and others.
Leadership Team
Ed Felten
Ed Felten is Co-founder and Chief Scientist at Offchain Labs. He is on leave from Princeton University, where he is the Robert E. Kahn Professor of Computer Science and Public Affairs. From 2015 to 2017 he served at the White House as Deputy United States Chief Technology Officer and senior advisor to the President. He is an ACM Fellow and member of the National Academy of Engineering. Outside of work, he is an avid runner, cook, and L.A. Dodgers fan.
Steven Goldfeder
Steven Goldfeder is Co-founder and Chief Executive Officer at Offchain Labs. He holds a PhD from Princeton University, where he worked at the intersection of cryptography and cryptocurrencies including threshold cryptography, zero-knowledge proof systems, and post-quantum signatures. He is a co-author of Bitcoin and Cryptocurrency Technologies, the leading textbook on cryptocurrencies, and he has previously worked at Google and Microsoft Research, where he co-invented the Picnic signature algorithm. When not working, you can find Steven spending time with his family, taking a nature walk, or twisting balloons.
Harry Kalodner
Harry Kalodner is Co-founder and Chief Technology Officer at Offchain Labs where he leads the engineering team. Before the company he attended Princeton as a Ph.D candidate where his research explored economics, anonymity, and incentive compatibility of cryptocurrencies, and he also has worked at Apple. When not up at 3:00am writing code, Harry occasionally sleeps.
submitted by hkalodner to ethereum [link] [comments]

[ Bitcoin ] Technical: Taproot: Why Activate?

Topic originally posted in Bitcoin by almkglor [link]
This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given private key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

almkglor your post has been copied because one or more comments in this topic have been removed. This copy will preserve unmoderated topic. If you would like to opt-out, please send a message using [this link].
[deleted comment]
[deleted comment]
[deleted comment]
submitted by anticensor_bot to u/anticensor_bot [link] [comments]

ABCMint is a quantum resistant cryptocurrency with the Rainbow Multivariable Polynomial Signature Scheme.

Good day, the price is going up to 0.3USDT.

ABCMint Second Foundation

ABCMint has been a first third-party organization that focuses on post-quantum cryptography research and technology and aims to help improve the ecology of ABCMint technology since 2018.


https://abcmintsf.com

https://abcmintsf.com/exchange


What is ABCMint?

ABCMint is a quantum resistant cryptocurrency with the Rainbow Multivariable Polynomial Signature Scheme.

Cryptocurrencies and blockchain technology have attracted a significant amount of attention since 2009. While some cryptocurrencies, including Bitcoin, are used extensively in the world, these cryptocurrencies will eventually become obsolete and be replaced when the quantum computers avail. For instance, Bitcoin uses the elliptic curved signature (ECDSA). If a bitcoin user?s public key is exposed to the public chain, the quantum computers will be able to quickly reverse-engineer the private key in a short period of time. It means that should an attacker decide to use a quantum computer to decrypt ECDSA, he/she will be able to use the bitcoin in the wallet.

The ABCMint Foundation has improved the structure of the special coin core to resist quantum computers, using the Rainbow Multivariable Polynomial Signature Scheme, which is quantum resisitant, as the core. This is a fundamental solution to the major threat to digital money posed by future quantum computers. In addition, the ABCMint Foundation has implemented a new form of proof of arithmetic (mining) "ABCardO" which is different from Bitcoin?s arbitrary mining. This algorithm is believed to be beneficial to the development of the mathematical field of multivariate.


Rainbow Signature - the quantum resistant signature based on Multivariable Polynomial Signature Scheme

Unbalanced Oil and Vinegar (UOV) is a multi-disciplinary team of experts in the field of oil and vinegar. One of the oldest and most well researched signature schemes in the field of variable cryptography. It was designed by J. Patarin in 1997 and has withstood more than two decades of cryptanalysis. The UOV scheme is a very simple, smalls and fast signature. However, the main drawback of UOV is the large public key, which will not be conducive to the development of block practice technology.

The rainbow signature is an improvement on the oil and vinegar signature which increased the efficiency of unbalanced oil and vinegar. The basic concept is a multi-layered structure and generalization of oil and vinegar.


PQC - Post Quantum Cryptography

The public key cryptosystem was a breakthrough in modern cryptography in the late 1970s. It has become an increasingly important part of our cryptography communications network over The Internet and other communication systems rely heavily on the Diffie-Hellman key exchange, RSA encryption, and the use of the DSA, ECDSA or related algorithms for numerical signatures. The security of these cryptosystems depends on the difficulty level of number theory problems such as integer decomposition and discrete logarithm problems. In 1994, Peter Shor demonstrated that quantum computers can solve all these problems in polynomial time, which made this security issue related to the cryptosystems theory irrelevant. This development is known as the "post-quantum cryptography" (PQC)

In August 2015, the U.S. National Security Agency (NSA) released an announcement regarding its plans to transition to quantum-resistant algorithms. In December 2016, the National Institute of Standards and Technology (NIST) announced a call for proposals for quantum-resistant algorithms. The deadline was November 30, 2017, which also included the rainbow signatures used for ABCMint.
submitted by WrapBeautiful to ABCMint [link] [comments]

RiB Newsletter #14 – Are We Smart (Contract) Yet?

We’re seeing a bunch of interesting Rust blockchain and crypto projects, so this month the “Interesting Things” section is loaded up with news, papers, and project links.
This month, Elrond, appeared on our radar with the launch of their mainnet. Although not written in Rust, it runs Rust smart contracts on its Arwen WASM VM, which itself is based on the Rust Wasmer VM. Along with NEAR, Nervos, and Enigma (and probably others), this continues an encouraging trend of blockchains enabling smart contracts in Rust. See the “Interesting Things” section for examples of Elrond’s Rust contracts.
Rust continues to be popular for research into zero-knowledge proofs, with Microsoft releasing Spartan, a zk-SNARK system without trusted setup.
In RiB news, we published a late one-year anniversary blog post. It has some reflection on the changes to, and growth of, RiB over the last year.
The Awesome Blockchain Rust project, which is maintained by Sun under the rust-in-blockchain GitHub org, has received a stream of updates recently, and is now published as the Awesome-RiB page on rustinblockchain.org.
It’s a pretty good resource for finding blockchain-related Rust projects, with links to many of the more prominent and mature projects noted in the RiB newsletter. It could use more eyes on it though.

Project Spotlight

Each month we like to shine a light on a notable Rust blockchain project. This month that project is…
ethers.rs
ethers.rs is an Ethereum & Celo library and wallet implementation, implemented as a port of the ethers.js library to Rust.
Ethereum client programming is usually done in JavaScript with either web3.js or ethers.js, with ethers.js being the newer of the two. These clients communicate to an Ethereum node, typically via JSON-RPC (or, when in the browser, via an “injected” client provider that follows EIP-1193, like MetaMask).
ethers.rs then provides a strongly-typed alternative for writing software that interacts with the Ethereum network.
As of now it is only suited for non-browser use cases, but if you prefer hacking in Rust to JavaScript, as some of us surely do, it is worth looking into for your next Ethereum project.
The author of ethers.rs, Georgios Konstantopoulos, accepts donations to sponsor their work.
Note that there is also a Rust alternative to web3.js, rust-web3.

Interesting Things

News

Blog Posts

Papers

Projects

Podcasts and Videos


Read more: https://rustinblockchain.org/newsletters/2020-08-05-are-we-smart-contract-yet/
submitted by Aimeedeer to rust [link] [comments]

What is Blockchain Technology?

What is Blockchain Technology?
The original article appeared here: https://www.securities.io/what-is-blockchain-technology/
Its been almost ten years since Satoshi Nakamoto first introduced Blockchain technology to the world in his 2008 Bitcoin Whitepaper. Since that time, these revolutionary networks have gained popularity in both the corporate and governmental sectors. This growth is easily explained when you consider that blockchain technology provides the world with some unique advantages that were previously unimaginable. Consequently, today, you can find blockchain technology in nearly every sector of the global economy.

What is Blockchain Technology?

A blockchain is a network of computers that share a distributed ledger across all network participants (nodes). This strategy is far different than say, fiat currencies that originate from a centralized authority figure. Importantly, this ledger keeps an unbroken chain of transactions since the birth of the network. This “chain” of transactions grows larger as new “blocks” of transactions are approved and added to it.
Bitcoin Whitepaper
In order to approve new transactions, each node works together with others to validate new blocks. Additionally, the nodes also validate the current state of the entire blockchain. In order for a new block of transactions to be added to the blockchain, they must receive approval from 51% of the network’s nodes. Nodes are also referred to as miners. In this manner, blockchain networks are decentralized networks that provide unmatched security to the world of digital assets.

Security via Decentralization

Decentralization is an important aspect of blockchain technology because it makes these revolutionary ledgers immutable and unalterable. In fact, since there is no centralized attack vector, hacking a blockchain is nearly impossible. The larger the blockchain network, the more secure the data on it remains.
For example, let’s look at the world’s largest blockchain, Bitcoin. Currently, the Bitcoin blockchain has over 10,000 active nodes located across the globe. This distribution means that in order for an attacker to alter even just one tiny piece of information on the blockchain, they would need to successfully hack 5,000+ computers at once.
While this task may not be impossible for the quantum computers of the future, it’s so unprofitable that it makes no sense to even attempt such a monumental task. Additionally, on top of successfully hacking 5000+ computers at once, an attacker would also need a supercomputer to recalculate the new blockchain transactions in time to introduce them into the network. It would literally be more affordable to create a new cryptocurrency from scratch.

Consensus Mechanisms

One of the reasons why blockchain networks are so secure is the integration of consensus mechanisms. Consensus mechanisms are cryptographic protocols that leverage the participants of a blockchain network in securing its data. In the case of Bitcoin, the Proof-of-Work (PoW) consensus mechanism is used.

Proof-of-Work (PoW)

The Proof-of-Work consensus mechanism was revolutionary to the world of cryptography when it was first introduced years prior by Adam Back in his Hashcash whitepaper. In the concept, Back describes the integration of a mathematical equation to the network’s security protocols. In this way, every computer can show “proof” of their work securing the network.

Miner Rewards

It’s important to understand that nodes receive a reward for their mining efforts. These rewards adjust automatically depending on the network’s difficulty and value. In the case of Bitcoin, miners originally received 50 Bitcoin for their efforts. Today, this seems like fortune, but back in 2009, Bitcoin was only worth pennies. As the value of the token rises and the network goes, the mining rewards shrink. Today, Bitcoin miners receive 6.5 BTC if they add the next block to the chain.

SHA-256

Notably, every node validates and secures the blockchain, but only one gets to add the next block of transactions to the network. To determine who the next miner is that gets to add this block, every computer competes in a mathematical race to figure out the PoW equation. In the case of Bitcoin, the equation is known as SHA-256. Importantly, the first SHA algorithm dates back to Hashcash. This early version of the equation was known as SHA-1.
Notably, the SHA-256 equation is so difficult that it’s easier and more efficient for your computer to just make random guesses rather than attempting to figure out the equation directly. The answer to the equation must begin with a predetermined amount of 0s. In the Bitcoin blockchain, the equation’s answer must start with four zeros. However, if the network’s congestion rises, so does the difficulty of these equations. This difficulty adjusts by the addition of another zero at the beginning of the required SHA-256 answer.
Similarly to traditional commodities such as gold, there are costs that are associated with the creation and introduction of these digital assets into the market. These random guesses utilize intense computational power. This power equates to real-world costs such as electricity bills. Studies have shown that securing the Bitcoin network can use more electricity than required by entire countries. Luckily, over 80% of Bitcoin’s power consumption comes from renewable sources such as solar or hydroelectric. This cost of mining also adds measurable value to each Bitcoin.

Miners

As Bitcoin began to gain in profitability, its network’s computing power expanded significantly. In the beginning, nodes, also known as miners, could mine for Bitcoin using nothing more than your home PC. Eventually, miners realized that graphic cards were far better at the repetitive guessing required to figure out the SHA-256 algorithm. This led to a computational race in the market.

ASIC

Eventually, large blockchain firms such as Bitmain introduced Application Specific Integrated Circuit (ASIC) miners into the equation. These purpose-built miners were thousands of times more efficient at guessing the SHA-256 algorithm than the GPUs and CPUs before them. Consequently, their introduction created a scenario in which the average miner now needed to invest thousands in mining equipment to stay relevant.

Mining Pools

Luckily, some creative minds in the field began to think of ways to level the playing field out again. They developed “mining pools.” A mining pool is a network of miners that all share computational power for the common goal of mining blockchain transactions. Importantly, mining pool participants receive a percentage of the reward based on their contributions to the network’s overall hash (computational power).
Importantly, over the last three years, there has been a push to move away from power-hungry consensus mechanisms such as PoW. This desire to secure blockchains in a more efficient manner has led to the development of some truly unique consensus mechanisms in the sector.

Proof-of-Stake (PoS)

The Proof-of-Stake mechanism does away with the difficult mathematical algorithms and instead utilizes a more psychological approach to securing the network. In a PoS blockchain, users don’t need to compete mathematically to add the next block to the blockchain. Instead, PoS users “stake” their coins via network wallets to secure the network. The way staking works is simple.
Keeping a certain amount of coins in your wallet allows you to participate in transaction validations. The more coins you stake, the more likely the chances are you get to add the next block of transactions to the network. In most PoS systems, a miner from those with the most tokens staked at the time receives the chance to add the blocks.
The advantages of a PoS consensus mechanism are immediately evident. For one, you don’t need to pour tons of resources into your network to keep it safe. Additionally, since nodes are chosen based on their amount of staked coins, there is never a scenario in which a node gains anything from validating incorrect transactions. Basically, a hacker would have to fully invest in the cryptocurrency prior to attacking the network. In this way, PoS systems create a huge deterrent to attackers.

The Future of Blockchain Technology

Blockchain technology has come a long way from its early days as a means to secure cryptocurrency networks. Today, blockchain technology has numerous uses across every type of industry imaginable. Specifically, blockchain programs have impacted the logistical, financial, and data security sectors in a major way.

Blockchain Technology Logistics

Blockchain logistical systems are more efficient and cost-effective to operate than traditional paper-based models. In fact, the immutable and unalterable nature of blockchain tech makes it ideally suited to logistical tasks. Soon, you may be able to ascertain much more information regarding the creation and delivery of your products thanks to these new-age systems emerging.

Fundraising

Blockchain technology has also altered the way in which businesses raise funds. In a traditional corporate crowdfunding strategy such as an IPO, companies must balance between cost-effectiveness and participation. The inability to process smaller transactions meant that for the longest time, companies had to turn away potential investors. Nowadays, blockchain technology enables businesses to easily automate these procedures via smart contracts.

Smart Contracts

Smart Contracts feature preprogrammed protocols that execute when they receive a certain amount of cryptocurrency sent to their address. These contracts live on the blockchain and enable remarkable functionality. For example, in the case of fundraising, a smart contract can automate processes such as the approval of investors and the distribution of funds.

Blockchain Technology Today

You can expect to see further expansion of the blockchain sector in the coming months as more governments and institutions explore its benefits. For now, the blockchain revolution is well underway.
submitted by BlockDotCo to u/BlockDotCo [link] [comments]

Erik Voorhees on Twitter: Can we take a moment to reflect on the fact that the Bitcoin protocol STILL hasn't been hacked? One of the greatest comp sci accomplishments

Erik Voorhees on Twitter: Can we take a moment to reflect on the fact that the Bitcoin protocol STILL hasn't been hacked? One of the greatest comp sci accomplishments submitted by dvno1 to Bitcoin [link] [comments]

How exactly is Neo quantum computer proof?

I know the whitepaper claims Neo will be able to withstand quantum computational attacks, but I don't see how any blockchain would be able to prevent a quantum computer from deciphering peoples' private keys through fast paced trial and error.
Any insight on this would be much appreciated as I believe it is an important yet rarely discussed factor of Neo's brilliance.
submitted by rederr0r3 to NEO [link] [comments]

Which cryptocurrencies have the potential for quantum resistance?

The title. I've read about quantum resistant cryptocurrencies like QRL, IOTA and NEO(?), but what about other cryptocurrencies? Do public blockchain cryptos like BTC, ETH, etc. have the potential for being updated into being quantum resistant. What about cryptos like XRP and XLM? How difficult is this to achieve in practice?
submitted by ParanoidPurchaser to CryptoCurrencies [link] [comments]

Threshold Signature Explained— Bringing Exciting Applications with TSS

Threshold Signature Explained— Bringing Exciting Applications with TSS
— A deep dive into threshold signature without mathematics by ARPA’s cryptographer Dr. Alex Su

https://preview.redd.it/cp0wib2mk0q41.png?width=757&format=png&auto=webp&s=d42056f42fb16041bc512f10f10fed56a16dc279
Threshold signature is a distributed multi-party signature protocol that includes distributed key generation, signature, and verification algorithms.
In recent years, with the rapid development of blockchain technology, signature algorithms have gained widespread attention in both academic research and real-world applications. Its properties like security, practicability, scalability, and decentralization of signature are pored through.
Due to the fact that blockchain and signature are closely connected, the development of signature algorithms and the introduction of new signature paradigms will directly affect the characteristics and efficiency of blockchain networks.
In addition, institutional and personal account key management requirements stimulated by distributed ledgers have also spawned many wallet applications, and this change has also affected traditional enterprises. No matter in the blockchain or traditional financial institutions, the threshold signature scheme can bring security and privacy improvement in various scenarios. As an emerging technology, threshold signatures are still under academic research and discussions, among which there are unverified security risks and practical problems.
This article will start from the technical rationale and discuss about cryptography and blockchain. Then we will compare multi-party computation and threshold signature before discussing the pros and cons of different paradigms of signature. In the end, there will be a list of use cases of threshold signature. So that, the reader may quickly learn about the threshold signature.
I. Cryptography in Daily Life
Before introducing threshold signatures, let’s get a general understanding of cryptography. How does cryptography protect digital information? How to create an identity in the digital world? At the very beginning, people want secure storage and transmission. After one creates a key, he can use symmetric encryption to store secrets. If two people have the same key, they can achieve secure transmission between them. Like, the king encrypts a command and the general decrypts it with the corresponding key.
But when two people do not have a safe channel to use, how can they create a shared key? So, the key exchange protocol came into being. Analogously, if the king issues an order to all the people in the digital world, how can everyone proves that the sentence originated from the king? As such, the digital signature protocol was invented. Both protocols are based on public key cryptography, or asymmetric cryptographic algorithms.


“Tiger Rune” is a troop deployment tool used by ancient emperor’s, made of bronze or gold tokens in the shape of a tiger, split in half, half of which is given to the general and the other half is saved by the emperor. Only when two tiger amulets are combined and used at the same time, will the amulet holder get the right to dispatch troops.
Symmetric and asymmetric encryption constitute the main components of modern cryptography. They both have three fixed parts: key generation, encryption, and decryption. Here, we focus on digital signature protocols. The key generation process generates a pair of associated keys: the public key and the private key. The public key is open to everyone, and the private key represents the identity and is only revealed to the owner. Whoever owns the private key has the identity represented by the key. The encryption algorithm, or signature algorithm, takes the private key as input and generate a signature on a piece of information. The decryption algorithm, or signature verification algorithm, uses public keys to verify the validity of the signature and the correctness of the information.
II. Signature in the Blockchain
Looking back on blockchain, it uses consensus algorithm to construct distributed books, and signature provides identity information for blockchain. All the transaction information on the blockchain is identified by the signature of the transaction initiator. The blockchain can verify the signature according to specific rules to check the transaction validity, all thanks to the immutability and verifiability of the signature.
For cryptography, the blockchain is more than using signature protocol, or that the consensus algorithm based on Proof-of-Work uses a hash function. Blockchain builds an infrastructure layer of consensus and transaction through. On top of that, the novel cryptographic protocols such as secure multi-party computation, zero-knowledge proof, homomorphic encryption thrives. For example, secure multi-party computation, which is naturally adapted to distributed networks, can build secure data transfer and machine learning platforms on the blockchain. The special nature of zero-knowledge proof provides feasibility for verifiable anonymous transactions. The combination of these cutting-edge cryptographic protocols and blockchain technology will drive the development of the digital world in the next decade, leading to secure data sharing, privacy protection, or more applications now unimaginable.
III. Secure Multi-party Computation and Threshold Signature
After introducing how digital signature protocol affects our lives, and how to help the blockchain build identities and record transactions, we will mention secure multi-party computation (MPC), from where we can see how threshold signatures achieve decentralization. For more about MPC, please refer to our previous posts which detailed the technical background and application scenarios.
MPC, by definition, is a secure computation that several participants jointly execute. Security here means that, in one computation, all participants provide their own private input, and can obtain results from the calculation. It is not possible to get any private information entered by other parties. In 1982, when Prof. Yao proposed the concept of MPC, he gave an example called the “Millionaires Problem” — two millionaires who want to know who is richer than the other without telling the true amount of assets. Specifically, the secure multiparty computation would care about the following properties:
  • Privacy: Any participant cannot obtain any private input of other participants, except for information that can be inferred from the computation results.
  • Correctness and verifiability: The computation should ensure correct execution, and the legitimacy and correctness of this process should be verifiable by participants or third parties.
  • Fairness or robustness: All parties involved in the calculation, if not agreed in advance, should be able to obtain the computation results at the same time or cannot obtain the results.
Supposing we use secure multi-party computation to make a digital signature in a general sense, we will proceed as follows:
  • Key generation phase: all future participants will be involved together to do two things: 1) each involved party generates a secret private key; 2) The public key is calculated according to the sequence of private keys.
  • Signature phase: Participants joining in a certain signature use their own private keys as private inputs, and the information to be signed as a public input to perform a joint signature operation to obtain a signature. In this process, the privacy of secure multi-party computing ensures the security of private keys. The correctness and robustness guarantee the unforgeability of the signature and everyone can all get signatures.
  • Verification phase: Use the public key corresponding to the transaction to verify the signature as traditional algorithm. There is no “secret input” during the verification, this means that the verification can be performed without multi-party computation, which will become an advantage of multi-party computation type distributed signature.
The signature protocol constructed on the idea of ​​secure multiparty computing is the threshold signature. It should be noted that we have omitted some details, because secure multiparty computing is actually a collective name for a type of cryptographic protocol. For different security assumptions and threshold settings, there are different construction methods. Therefore, the threshold signatures of different settings will also have distinctive properties, this article will not explain each setting, but the comparative result with other signature schemes will be introduced in the next section.
IV. Single Signature, Multi-Signature and Threshold Signature
Besides the threshold signature, what other methods can we choose?
Bitcoin at the beginning, uses single signature which allocates each account with one private key. The message signed by this key is considered legitimate. Later, in order to avoid single point of failure, or introduce account management by multiple people, Bitcoin provides a multi-signature function. Multi-signature can be simply understood as each account owner signs successively and post all signatures to the chain. Then signatures are verified in order on the chain. When certain conditions are met, the transaction is legitimate. This method achieves a multiple private keys control purpose.
So, what’s the difference between multi-signature and threshold signature?
Several constraints of multi-signature are:
  1. The access structure is not flexible. If an account’s access structure is given, that is, which private keys can complete a legal signature, this structure cannot be adjusted at a later stage. For example, a participant withdraws, or a new involved party needs to change the access structure. If you must change, you need to complete the initial setup process again, which will change the public key and account address as well.
  2. Less efficiency. The first is that the verification on chain consumes power of all nodes, and therefore requires a processing fee. The verification of multiple signatures is equivalent to multiple single signatures. The second is performance. The verification obviously takes more time.
  3. Requirements of smart contract support and algorithm adaptation that varies from chain to chain. Because multi-sig is not naturally supported. Due to the possible vulnerabilities in smart contracts, this support is considered risky.
  4. No anonymity, this is not able to be trivially called disadvantage or advantage, because anonymity is required for specific conditions. Anonymity here means that multi-signature directly exposes all participating signers of the transaction.
Correspondingly, the threshold signature has the following features:
  1. The access structure is flexible. Through an additional multi-party computation, the existing private key sequence can be expanded to assign private keys to new participants. This process will not expose the old and newly generated private key, nor will it change the public key and account address.
  2. It provides more efficiency. For the chain, the signature generated by the threshold signature is not different from a single signature, which means the following improvements : a) The verification is the same as the single signature, and needs no additional fee; b ) the information of the signer is invisible, because for other nodes, the information is decrypted with the same public key; c) No smart contract on chain is needed to provide additional support.
In addition to the above discussion, there is a distributed signature scheme supported by Shamir secret sharing. Secret sharing algorithm has a long history which is used to slice information storage and perform error correction information. From the underlying algorithm of secure computation to the error correction of the disc. This technology has always played an important role, but the main problem is that when used in a signature protocol, Shamir secret sharing needs to recover the master private key.
As for multiple signatures or threshold signature, the master private key has never been reconstructed, even if it is in memory or cache. this short-term reconstruction is not tolerable for vital accounts.
V. Limitations
Just like other secure multi-party computation protocols, the introduction of other participants makes security model different with traditional point-to-point encrypted transmission. The problem of conspiracy and malicious participants were not taken into account in algorithms before. The behavior of physical entities cannot be restricted, and perpetrators are introduced into participating groups.
Therefore, multi-party cryptographic protocols cannot obtain the security strength as before. Effort is needed to develop threshold signature applications, integrate existing infrastructure, and test the true strength of threshold signature scheme.
VI. Scenarios
1. Key Management
The use of threshold signature in key management system can achieve a more flexible administration, such as ARPA’s enterprise key management API. One can use the access structure to design authorization pattern for users with different priorities. In addition, for the entry of new entities, the threshold signature can quickly refresh the key. This operation can also be performed periodically to level up the difficulty of hacking multiple private keys at the same time. Finally, for the verifier, the threshold signature is not different from the traditional signature, so it is compatible with old equipments and reduces the update cost. ARPA enterprise key management modules already support Elliptic Curve Digital Signature Scheme secp256k1 and ed25519 parameters. In the future, it will be compatible with more parameters.

https://preview.redd.it/c27zuuhdl0q41.png?width=757&format=png&auto=webp&s=26d46e871dadbbd4e3bea74d840e0198dec8eb1c
2. Crypto Wallet
Wallets based on threshold signature are more secure because the private key doesn’t need to be rebuilt. Also, without all signatures posted publicly, anonymity can be achieved. Compared to the multi-signature, threshold signature needs less transaction fees. Similar to key management applications, the administration of digital asset accounts can also be more flexible. Furthermore, threshold signature wallet can support various blockchains that do not natively support multi-signature, which reduces the risk of smart contracts bugs.

Conclusion

This article describes why people need the threshold signature, and what inspiring properties it may bring. One can see that threshold signature has higher security, more flexible control, more efficient verification process. In fact, different signature technologies have different application scenarios, such as aggregate signatures not mentioned in the article, and BLS-based multi-signature. At the same time, readers are also welcomed to read more about secure multi-party computation. Secure computation is the holy grail of cryptographic protocols. It can accomplish much more than the application of threshold signatures. In the near future, secure computation will solve more specific application questions in the digital world.

About Author

Dr. Alex Su works for ARPA as the cryptography researcher. He got his Bachelor’s degree in Electronic Engineering and Ph.D. in Cryptography from Tsinghua University. Dr. Su’s research interests include multi-party computation and post-quantum cryptography implementation and acceleration.

About ARPA

ARPA is committed to providing secure data transfer solutions based on cryptographic operations for businesses and individuals.
The ARPA secure multi-party computing network can be used as a protocol layer to implement privacy computing capabilities for public chains, and it enables developers to build efficient, secure, and data-protected business applications on private smart contracts. Enterprise and personal data can, therefore, be analyzed securely on the ARPA computing network without fear of exposing the data to any third party.
ARPA’s multi-party computing technology supports secure data markets, precision marketing, credit score calculations, and even the safe realization of personal data.
ARPA’s core team is international, with PhDs in cryptography from Tsinghua University, experienced systems engineers from Google, Uber, Amazon, Huawei and Mitsubishi, blockchain experts from the University of Tokyo, AIG, and the World Bank. We also have hired data scientists from CircleUp, as well as financial and data professionals from Fosun and Fidelity Investments.
For more information about ARPA, or to join our team, please contact us at [email protected].
Learn about ARPA’s recent official news:
Telegram (English): https://t.me/arpa_community
Telegram (Việt Nam): https://t.me/ARPAVietnam
Telegram (Russian): https://t.me/arpa_community_ru
Telegram (Indonesian): https://t.me/Arpa_Indonesia
Telegram (Thai): https://t.me/Arpa_Thai
Telegram (Philippines):https://t.me/ARPA_Philippines
Telegram (Turkish): https://t.me/Arpa_Turkey
Korean Chats: https://open.kakao.com/o/giExbhmb (Kakao) & https://t.me/arpakoreanofficial (Telegram, new)
Medium: https://medium.com/@arpa
Twitter: u/arpaofficial
Reddit: https://www.reddit.com/arpachain/
Facebook: https://www.facebook.com/ARPA-317434982266680/54
submitted by arpaofficial to u/arpaofficial [link] [comments]

I thought Quantum was not a big threat to bitcoin?

I thought Quantum was not a big threat to bitcoin? submitted by arganam to btc [link] [comments]

Subreddit Stats: CryptoTechnology top posts from 2017-12-23 to 2020-01-20 15:51 PDT

Period: 758.36 days
Submissions Comments
Total 956 13660
Rate (per day) 1.26 18.01
Unique Redditors 584 3144
Combined Score 21553 44566

Top Submitters' Top Submissions

  1. 1166 points, 43 submissions: Neophyte-
    1. "Do you need a Blockchain?" - this paper is fantastic, everyone should read this before evaluating a coin and if requires a block chain to solve a solution the coin is promising to solve. (136 points, 41 comments)
    2. Do any of you foresee a crypto being widely adopted as a general purpose payment coin? nano, btc, btccash etc (take your pick). I think it won't happen for reasons in this post. What do you think? (59 points, 54 comments)
    3. Noticed the huge rise of EOS lately what does it have over NEO and ethereum and to a lesser extent Cardano? I tried researching it, but wasn't sold. (54 points, 55 comments)
    4. Hard Problems in Cryptocurrency: Five Years Later ~Vitalik (46 points, 1 comment)
    5. I had a Q&A with Bruno head architect / CEO of oyster, thought you guys might like it. (45 points, 2 comments)
    6. A good article that explains in simple terms how Eth2 works, how it will be rolled out and migrated from eth1 (42 points, 4 comments)
    7. DAI the stablecoin can now be transferred GAS free (article explaining how it works via new MCD DAI contract). This holds alot of promise for the so called "Web3" (40 points, 8 comments)
    8. Veriblock is consuming 27% of bitcoins block space - what does this mean for bitcoins future? (39 points, 16 comments)
    9. Vitalik: Alternative proposal for early eth1 <-> eth2 merge (38 points, 3 comments)
    10. Is launching a PoW permissionless blockchain still possible today? or would it be too susceptible to a 51% attack? (37 points, 37 comments)
  2. 578 points, 16 submissions: crypto_ha
    1. Why is Ripple considered a cryptocurrency (by many)? (109 points, 63 comments)
    2. So reportedly there are serious vulnerabilities found in EOS’ code. And it seems like those are more than just random software bugs. (97 points, 29 comments)
    3. Guide: How to get started with Blockchain development? (60 points, 6 comments)
    4. A newly found vulnerability in Nano's Android wallet (44 points, 12 comments)
    5. The history and state of Ethereum's Casper research - Vitalik Buterin (39 points, 4 comments)
    6. What is the difference between Sidechain vs Child Chain vs Off Chain? (39 points, 12 comments)
    7. EOS mainnet is official live (finally), but... (36 points, 24 comments)
    8. Bitcoin's "doomsday" economics - Bank of International Settlements (34 points, 23 comments)
    9. How Wall Street’s embrace could undermine Bitcoin (30 points, 9 comments)
    10. Ethereum ERC 1497: DApp Dispute Evidence Standard (24 points, 0 comments)
  3. 513 points, 20 submissions: ndha1995
    1. Ethereum Classic is currently being 51% attacked (103 points, 31 comments)
    2. Why are there so many garbage posts the past 24 hours? (58 points, 10 comments)
    3. Google Unveils 72-Qubit Quantum Processor With Low Error Rates (48 points, 24 comments)
    4. IOTA's Network-Bound PoW consensus, is it feasible? (42 points, 13 comments)
    5. The Challenges of Investigating Cryptocurrencies and Blockchain Related Crime (29 points, 7 comments)
    6. Deep dive into zk-STARKs with Vitalik Buterin's blog posts (26 points, 3 comments)
    7. Tether discussion thread (26 points, 21 comments)
    8. Vitalik Buterin Proposes a Consensus Algorithm That Requires Only 1% to Be Honest (24 points, 8 comments)
    9. Can somebody compare Qtum vs. NEO, technology-wise? (E.g. PoS vs. PoW; smart contract protocols...) (21 points, 15 comments)
    10. Introduction to Non Fungible Tokens (NFTs) (21 points, 9 comments)
  4. 377 points, 16 submissions: turtleflax
    1. Around 13% of DASH's privateSends are traceable to their origin (69 points, 3 comments)
    2. "Big Bang" attack could leverage Monero's dynamic blocksize to bloat the blockchain to 30TB in only 36 hours (52 points, 3 comments)
    3. The case for the obsolescence of Proof of Work and why 2018 will be the year of Proof of Stake (41 points, 29 comments)
    4. Monero vs PIVX: The First Scheduled Privacy Coin Debate Thread on /CryptoCurrency (38 points, 12 comments)
    5. Introducing the Privacy Coin Matrix, a cross-team collaboration comparing 20 privacy coins in 100 categories (26 points, 25 comments)
    6. Do permissioned blockchains have any merits? (25 points, 23 comments)
    7. The State of Hashing Algorithms — The Why, The How, and The Future (21 points, 4 comments)
    8. How Zerocoin Works in 5 Minutes (19 points, 5 comments)
    9. Errors made by Satoshi (17 points, 8 comments)
    10. How Much Privacy is Enough? Threats, Scaling, and Trade-offs in Blockchain Privacy Protocols - Ian Miers (Cornell Tech, Zerocoin, Zerocash) (17 points, 4 comments)
  5. 321 points, 6 submissions: Qwahzi
    1. Technical comparison of LIGHTNING vs TANGLE vs HASHGRAPH vs NANO (133 points, 37 comments)
    2. Addressing Nano's weaknesses (bandwidth usage and disk IO). Nano voting traffic to be reduced by 99.9% by implementing vote by hash, lazy bootstrapping, and reduced vote rebroadcasting (x-post CryptoCurrency) (78 points, 8 comments)
    3. Emergent centralization due to economies of scale (PoW vs DPoS) – Colin LeMahieu (52 points, 37 comments)
    4. Nano community member developing a distributed "mining" service to pay people to do PoW for third-parties (e.g. exchanges, light wallet services, etc) (32 points, 20 comments)
    5. What do you think about OpenCAP, the cryptocurrency alias protocol that mirrors traditional email addresses? (15 points, 12 comments)
    6. Bitcoin would be a calamity, not an economy (11 points, 52 comments)
  6. 256 points, 4 submissions: rockyrainy
    1. Bitcoin Gold hit by Double Spend Attack (51% attack). The Attacker reversed 22 blocks. (179 points, 102 comments)
    2. ZK-starks white paper published (44 points, 16 comments)
    3. [Q] How does a network reach consensus on what time it is? (21 points, 17 comments)
    4. Stateless (no history) Cryptocurrency via snapshots? (12 points, 7 comments)
  7. 244 points, 3 submissions: HSPremier
    1. From a technical standpoint: Why does every blockchain projects need their own coins? (181 points, 50 comments)
    2. What is Reddit's obsession with REQ? (61 points, 43 comments)
    3. What is the technological difference between a privacy coin and a privacy coin platform? Won't a privacy coin platform be more superior than a privacy coin? (2 points, 3 comments)
  8. 234 points, 2 submissions: Realness100
    1. A Guided Reading of Bitcoin’s Original White Paper (202 points, 10 comments)
    2. A Guided Reading of Ethereum's Original White Paper! (32 points, 5 comments)
  9. 185 points, 4 submissions: tracyspacygo
    1. My brief observation of most common Consensus Algorithms (159 points, 49 comments)
    2. What are the main Trends/Challenges for Bitcoin and whole crytpocurrencies industry? (12 points, 33 comments)
    3. Guideline for Newbies: Trying out Bitcoin transactions with TESTNET (7 points, 1 comment)
    4. Most advanced Cryptocurrencies Comparison Table (7 points, 8 comments)
  10. 177 points, 9 submissions: benmdi
    1. What's the best argument against cryptotechnology? I.e. Steelman the cryptocurrency skeptic (43 points, 42 comments)
    2. Would there be interest from this community in crypto resources aimed at developers? If so, what topics? (29 points, 14 comments)
    3. Has the window for bootstrapping a new PoW coin closed? (24 points, 57 comments)
    4. What can we, as a community, learn from the rise & acquisition of GitHub (23 points, 8 comments)
    5. 🍱 Rollup Roundup: Understanding Ethereum's Emerging Layer 2 (19 points, 1 comment)
    6. Video Tutorial: Introducing An Experience Dev To Smart Contract Coding (17 points, 3 comments)
    7. Do we need a blockchain to be decentralized? What questions would you ask a self described fan of decentralization, but blockchain skeptic? (11 points, 19 comments)
    8. ETH Block Rewards And Second Order Effects On Hardware Availability (7 points, 8 comments)
    9. Which Of The Big Tech Companies Is Most Likely To Bring Crypto Mainstream? Here's Why I Think It's Apple (4 points, 7 comments)
  11. 175 points, 9 submissions: galan77
    1. Is the Lightning Network a massive threat to the blockchain? (49 points, 66 comments)
    2. TPS of Lightning Network vs. Sharding, which one does better? (28 points, 7 comments)
    3. Are there any major downsides to sharding? (21 points, 33 comments)
    4. What's the difference between trustlessness and permissionlessness (19 points, 7 comments)
    5. Which consensus algorithm is the best, PoW, PoS, PoAuthority, PoAsset? (18 points, 57 comments)
    6. How can XRP reach 50,000 TPS when they have no sharding and every node has to validate every single transaction. (15 points, 14 comments)
    7. A few questions about the Lightning Network (14 points, 6 comments)
    8. Pascalcoin can do 72,000 tps apparently. Is this legit? The new Nano? (8 points, 39 comments)
    9. How does Ripple's (XRB's) consensus algorithm Proof of Correctness work, are there any downsides? (3 points, 23 comments)
  12. 175 points, 1 submission: ilielezi
    1. Why white papers in crypto world are so unprofessional? (175 points, 88 comments)
  13. 165 points, 6 submissions: CryptoMaximalist
    1. Facebook's Libra (48 points, 55 comments)
    2. “Fake Stake” attacks on some Proof-of-Stake cryptocurrencies responsibly disclosed by researchers from the Decentralized Systems Lab at UIUC (31 points, 9 comments)
    3. Quantum Computing and the Cryptography in Crypto (27 points, 14 comments)
    4. PING and REJECT attacks on ZCash (Patch available) | Stanford Applied Crypto Group (22 points, 1 comment)
    5. Introduction to Cryptography: Part 1 - Jinglan Wang (19 points, 1 comment)
    6. New site howmanyconfs.com shows the amount of time and confirmations of Proof of Work coins to match 6 confirmations on Bitcoin (18 points, 11 comments)
  14. 163 points, 10 submissions: GainsLean
    1. Videos For Developers Who Want To Learn Blockchain In A Practical Way (36 points, 17 comments)
    2. What Do You Want To Learn? (32 points, 20 comments)
    3. Get Involved With The Smart Contract Coding Challenge (25 points, 4 comments)
    4. Solution To $10K Art Prize (25 points, 3 comments)
    5. Blockchain Course Outline Has Been Released - Feedback warranted (22 points, 12 comments)
    6. Introduction To Distributed Systems And Consensus Protocols (9 points, 2 comments)
    7. Are there any closed source crypto wallets? (4 points, 19 comments)
    8. Are there any successful proof of identity projects? (4 points, 8 comments)
    9. SPV Wallets Vs API Wallets (4 points, 1 comment)
    10. 12 Popular Consensus Algorithms - Explained (2 points, 0 comments)
  15. 163 points, 7 submissions: QRCollector
    1. Part 5. I'm writing a series about blockchain tech and possible future security risks. This is the fifth part of the series talking about an advanced vulnerability of BTC. (43 points, 43 comments)
    2. I'm writing a series about blockchain tech and possible future security risks. This is the third part of the series introducing Quantum resistant blockchains. (36 points, 4 comments)
    3. Part 4B. I’m writing a series about blockchain tech and possible future security risks. This is the fourth part of the series explaining the special quality of going quantum resistant from genesis block. (25 points, 21 comments)
    4. Part 6. (Last part) I'm writing a series about blockchain tech and possible future security risks. Failing shortcuts in an attempt to accomplish Quantum Resistance (24 points, 38 comments)
    5. I'm writing a series about blockchain tech and possible future security risks. This is the first part of the series introducing the basic concept of blockchain and what makes it reliable. (23 points, 10 comments)
    6. I'm writing a series about blockchain tech and possible future security risks. This is the fourth part of the series explaining the special quality of going quantum resistant from genesis block. (7 points, 1 comment)
    7. Part 2. I'm writing a series about blockchain tech and possible future security risks. This is the second part of the series: An accessible description of hashing and signature schemes. (5 points, 0 comments)
  16. 162 points, 3 submissions: FashionistaGuru
    1. How do we change the culture around cryptocurrency? (118 points, 54 comments)
    2. Which cryptos have the best new user experience? (30 points, 34 comments)
    3. Why does Apple prevent many crypto apps from entering the App Store? (14 points, 8 comments)
  17. 157 points, 7 submissions: SamsungGalaxyPlayer
    1. Breaking Monero Episodes 1-3: Introduction, Ring Signatures, 0-Decoy and Chain Reactions (45 points, 1 comment)
    2. "No, dPoW Isn't a Perfect Solution" (35 points, 48 comments)
    3. Breaking Mimblewimble’s Privacy Model - Dragonfly Research (27 points, 10 comments)
    4. Breaking Monero (and Zcash) Episodes 7-9: Remote Nodes, Timing Attacks, Poisoned Outputs (EAE Attack) (21 points, 2 comments)
    5. "Attacker Collection of IP Metadata" (18 points, 10 comments)
    6. "Tracing Transactions Across Cryptocurrency Ledgers" Using Shapeshift and Changelly (6 points, 4 comments)
    7. Breaking Monero Episodes 4-6: Chain Splits (Key Image Attack), Input Selection Algorithm, Unusual Ringsize (5 points, 2 comments)
  18. 147 points, 1 submission: shunsaitakahashi
    1. Proof-of-Approval: Stake Based, 1 Block Finality & History Attack Defense (147 points, 4 comments)
  19. 146 points, 6 submissions: themoderndayhercules
    1. "The selfish mining fallacy" explained and debunked (60 points, 8 comments)
    2. A Discussion of Stable coins and Decentralized Oracles (35 points, 8 comments)
    3. A Selfish Mining Double Spending attack Simulator (25 points, 2 comments)
    4. Why reputation systems don't work (15 points, 12 comments)
    5. A better incentivization for Swarm (6 points, 0 comments)
    6. When Mises met Szabo - A Discussion of the value of Bitcoin (5 points, 16 comments)
  20. 143 points, 7 submissions: KomodoWorld
    1. Komodo Platform's core developer and founder jl777 has started his own blog on Medium. The blog is aimed for senior developers who want to learn about blockchain. (46 points, 15 comments)
    2. Delayed Proof of Work (dPoW) security explained (36 points, 46 comments)
    3. Proof-of-Gameplay (19 points, 3 comments)
    4. Good guide for getting started with the Custom Consensus tech for Komodo-based blockchains (17 points, 0 comments)
    5. Cross-chain migration of coins with Crypto Conditions - by smk762 (12 points, 0 comments)
    6. A step-by-step example of working with a Crypto Conditions based Oracle - by smk762 (10 points, 0 comments)
    7. Changing consensus rules on the fly with Crypto Conditions (3 points, 0 comments)
  21. 141 points, 8 submissions: Stormy1997
    1. What technical/business advantages does a private blockchain have over a SQL server? (49 points, 79 comments)
    2. Is sharding to scale bad? (24 points, 28 comments)
    3. How would one create a fiat gateway theoretically? (19 points, 19 comments)
    4. Looking for Stellar smart contract/side chain code examples (16 points, 1 comment)
    5. Question - Securing personal information on a centralized server with user-owned keys (13 points, 3 comments)
    6. How do blockchains/smart contracts communicate with oracles? (10 points, 4 comments)
    7. Bandwidth scaling for TPS (8 points, 2 comments)
    8. Best method to transmit detailed data between two parties via existing platforms (2 points, 1 comment)
  22. 141 points, 3 submissions: seventyfiver
    1. Why does Ethereum use Solidity while other ecosystems like NEO stick with popular ones like Java and C#? (94 points, 26 comments)
    2. Chainlink's initial Go implementation went live this morning. Has anyone reviewed the code and can comment on it's quality? (40 points, 3 comments)
    3. What are some great books on cryptoeconomics or blockchain technology? (7 points, 4 comments)
  23. 134 points, 6 submissions: johnny_milkshakes
    1. Sub dedicated to DAG based coins (42 points, 8 comments)
    2. Thoughts on this? (28 points, 38 comments)
    3. This is very interesting (24 points, 19 comments)
    4. Educational presentation by Clara Shikhelman (18 points, 0 comments)
    5. Ethics question. (12 points, 40 comments)
    6. How to scale on chain? (10 points, 30 comments)
  24. 127 points, 4 submissions: sukitrebek
    1. What are you currently obsessed with, and why? (58 points, 150 comments)
    2. Crypto-based social network without a cryptocurrency. (42 points, 23 comments)
    3. How does underlying architecture affect what kinds of applications are possible? (17 points, 3 comments)
    4. Holochain vs. Radix DLT (10 points, 11 comments)
  25. 126 points, 1 submission: RufusTheFirefly
    1. Everytime I try to investigate the technology behind Cardano(Ada), I come across the words "scientific" and "peer-reviewed" over and over but almost no actual details. Can someone fill how this coin actually works and where they are in development? (126 points, 49 comments)
  26. 112 points, 1 submission: rocksolid77
    1. Can we have a real debate about the Bitcoin scaling issue? (112 points, 89 comments)
  27. 110 points, 4 submissions: kelluk
    1. What one can learn from browsing 30 million Ethereum addresses (72 points, 21 comments)
    2. I wanted to categorize all coins/tokens, and this is my proposal (23 points, 33 comments)
    3. Should whitepapers be understood by ordinary people? (10 points, 41 comments)
    4. Querying the Ethereum blockchain: how to & what to? (5 points, 5 comments)
  28. 107 points, 1 submission: NewDietTrend
    1. Outside of currency and voting, blockchain is awful and shouldnt be used. Can anyone explain where blockchain is worth the cost? (107 points, 166 comments)
  29. 105 points, 1 submission: insette
    1. /CryptoTech PSA: there are broadly TWO TYPES of Decentralized Exchanges. Which type are you investing in? (105 points, 55 comments)
  30. 103 points, 3 submissions: dtheme
    1. How to accept crypto payments for digital downloads if you are a small business? Solutions, e-commerce sites are lacking (46 points, 38 comments)
    2. How many 24 letter seeds and "Bitcoin" keys can there be? (34 points, 24 comments)
    3. Is there any reason why the big tech companies are not getting into crypto? (23 points, 36 comments)
  31. 103 points, 3 submissions: dvnielng
    1. Why do so many of these businesses need a token? (Unsure) (61 points, 86 comments)
    2. DAPPS - Only coins that have intrinsic value? Ethereum , Neo? (31 points, 10 comments)
    3. How could blockchain work for expensive purchases/escrow? (11 points, 2 comments)
  32. 101 points, 1 submission: kickso
    1. Is NANO everything it says it is? (101 points, 96 comments)
  33. 98 points, 3 submissions: heart_mind_body
    1. How can we breathe some life into this sub? (56 points, 22 comments)
    2. Can anyone give an example for a technology that provides a "public permissioned blockchain"? (28 points, 16 comments)
    3. Can we do a discussion on ICON and "clusters of private chains connected to a public chain" ? (14 points, 13 comments)
  34. 97 points, 8 submissions: kelraku
    1. Thoughts on Mimblewimble? (23 points, 13 comments)
    2. Has anyone looked at the lelantus protocol? (18 points, 6 comments)
    3. How much control do developers have over the coins (18 points, 6 comments)
    4. Lesser known protocols? (11 points, 17 comments)
    5. Zerocoin and Blockchain Analysis (9 points, 5 comments)
    6. Zerocoin vs Cryptonote (7 points, 14 comments)
    7. Lightning network privacy (6 points, 13 comments)
    8. Integrity of the DAG (5 points, 17 comments)
  35. 96 points, 6 submissions: blockstasy
    1. How to Get to One Million Devs (32 points, 12 comments)
    2. The Decade in Blockchain — 2010 to 2020 in Review (27 points, 4 comments)
    3. Ethereum by the Numbers – The Year of 2019 (26 points, 9 comments)
    4. Knowledge Drop: Mining and the role it plays with the Ethereum blockchain (5 points, 0 comments)
    5. A great article that explains Ethereum’s Muir Glacier Update (4 points, 0 comments)
    6. Youtube Silences Crypto Community (2 points, 6 comments)
  36. 93 points, 3 submissions: OneOverNever
    1. Which is the last WHITE PAPER you've read that's truly impacted you? (77 points, 81 comments)
    2. [CMV] Bitcoin's intrinsic technological value. (14 points, 29 comments)
    3. What are some weak points that still hold XVG back from becoming a top player in crypto? (Technically speaking, not marketing and etc.) (2 points, 19 comments)
  37. 93 points, 3 submissions: ryano-ark
    1. (ARK) ACES Completes Integration of ARK Channels for Two-way Transfers for Easy ICOs When Paired With ARK Deployer (Push-Button-Blockchains) (57 points, 5 comments)
    2. (ARK) ACES Releases Fast (Ansible) Deployments for all ACES Applications. (23 points, 4 comments)
    3. A Future of Cryptocurrencies and Blockchains (13 points, 3 comments)
  38. 92 points, 2 submissions: BobUltra
    1. Our blockchains are all centralized! (51 points, 34 comments)
    2. List of qualities needed to dethrone Bitcoin. (41 points, 43 comments)
  39. 90 points, 1 submission: refreshx2
    1. CMV: It doesn't make sense for (crypto)companies to create coins linked to their tech (90 points, 18 comments)
  40. 89 points, 1 submission: perceptron01
    1. What does Nano do better than Steem? (89 points, 55 comments)
  41. 87 points, 1 submission: Shuk
    1. How does one begin to develop an employable skill in blockchain development? (87 points, 25 comments)
  42. 87 points, 1 submission: conorohiggins
    1. I spent three weeks researching and writing a huge guide to stablecoins. Enjoy! (87 points, 36 comments)
  43. 86 points, 1 submission: Bacon_Hero
    1. ELI5: Why did it take so long for blockchain technology to be created? (86 points, 66 comments)
  44. 85 points, 3 submissions: theFoot58
    1. If crypto now is like 'the Internet' of the past, where are we? (65 points, 53 comments)
    2. If the Internet had its Genesis Block, what would it be? (14 points, 9 comments)
    3. Coin grouping - ruby and CryptoCompare API (6 points, 1 comment)
  45. 85 points, 1 submission: youngm2
    1. Which decentralised exchange has the most promise for 2018? (85 points, 89 comments)
  46. 84 points, 4 submissions: bLbGoldeN
    1. On Mass Adoption of Cryptocurrencies (28 points, 68 comments)
    2. Join the Bloom team for our first tech AMA tomorrow (Tuesday, March 13th) at 7 PM GMT! (23 points, 2 comments)
    3. Join the Decred team for an AMA - Friday, June 1st from 19:00 to 22:00 UTC (17 points, 10 comments)
    4. Join the district0x team for an AMA Monday, April 2nd at 5:00 PM (GMT) (16 points, 0 comments)
  47. 82 points, 2 submissions: SubsequentDownfall
    1. Has a 51% attack ever been witnessed? (45 points, 46 comments)
    2. Is a DAG coin like RaiBlocks able to be private like Monero? (37 points, 40 comments)
  48. 82 points, 2 submissions: guidre
    1. Tron and other source Code (42 points, 24 comments)
    2. Why Will companies adopt blockchain, the user interface is complex and i'm not sure that many companies want all their internal dealings made public. (40 points, 19 comments)
  49. 81 points, 4 submissions: solar128
    1. New Atomic Swap Tools Released (35 points, 4 comments)
    2. Using Blockchain to make a censorship-resistant Reddit (28 points, 14 comments)
    3. Best security practices for addressing Spectre & Meltdown (13 points, 0 comments)
    4. Influence of on-chain governance weighted by wealth - good or bad? (5 points, 2 comments)
  50. 81 points, 2 submissions: Blockchainsapiens
    1. Blockchain study finds 0.00% success rate and vendors don't call back when asked for evidence (47 points, 30 comments)
    2. The elephant in the room: would the public ever use a volatile currency over a stable currency? (34 points, 45 comments)
  51. 81 points, 1 submission: Mycryptopedia
    1. Understanding the Tech Behind RaiBlocks (81 points, 7 comments)
  52. 81 points, 1 submission: davidvanbeveren
    1. Article thoroughly analysing / comparing IOTA and RaiBlocks (x-post /CryptoCurrency) (81 points, 10 comments)
  53. 77 points, 4 submissions: DeleteMyOldAccount
    1. HD Wallets Explained: What they are, and how to make them coin agnostic (28 points, 11 comments)
    2. Bitcoin Cash May 15th fork (23 points, 22 comments)
    3. So you want to build a Bitcoin HD wallet? Part 1 (23 points, 3 comments)
    4. Applications of Blockchain in Supply Chain (3 points, 9 comments)
  54. 76 points, 3 submissions: kryptofinger
    1. Why would anyone bother using any DPOS coins for dapps like Eos over normal systems like AWS? (44 points, 104 comments)
    2. Could a state backed privacy coin work? (22 points, 32 comments)
    3. Thoughts on Elastos? (10 points, 8 comments)
  55. 76 points, 1 submission: francohab
    1. 55% of the Nano representative nodes are "official representatives", presumably held by developers. How big of an issue is that? (76 points, 46 comments)
  56. 75 points, 2 submissions: MerkleChainsaw
    1. The biggest challenge for cryptocurrencies and how to mitigate it (73 points, 37 comments)
    2. Short and long term design tradeoffs in crypto (2 points, 2 comments)
  57. 75 points, 1 submission: jatsignwork
    1. Raiblocks & Spam (75 points, 60 comments)
  58. 74 points, 1 submission: behindtext
    1. Hello, this is Jake Yocom-Piatt. Ask me anything about Decred! (74 points, 49 comments)
  59. 73 points, 2 submissions: TexasRadical83
    1. Why use a new "currency" at all? (40 points, 48 comments)
    2. Why are big price increases for crypto a good thing? (33 points, 41 comments)

Top Commenters

  1. Neophyte- (1649 points, 746 comments)
  2. ndha1995 (583 points, 98 comments)
  3. turtleflax (406 points, 116 comments)
  4. senzheng (326 points, 193 comments)
  5. holomntn (294 points, 40 comments)
  6. manly_ (286 points, 43 comments)
  7. signos_de_admiracion (250 points, 18 comments)
  8. fgiveme (231 points, 77 comments)
  9. crypto_kang (222 points, 45 comments)
  10. jatsignwork (220 points, 37 comments)
  11. GainsLean (218 points, 76 comments)
  12. benthecarman (211 points, 48 comments)
  13. rockyrainy (200 points, 39 comments)
  14. hungryforitalianfood (197 points, 58 comments)
  15. rocksolid77 (190 points, 20 comments)
  16. bannercoin (189 points, 11 comments)
  17. insette (181 points, 47 comments)
  18. DiogenicOrder (175 points, 41 comments)
  19. islanavarino (173 points, 51 comments)
  20. behindtext (172 points, 14 comments)
  21. takitus (171 points, 25 comments)
  22. sukitrebek (170 points, 42 comments)
  23. UnknownEssence (170 points, 31 comments)
  24. crypto_ha (170 points, 26 comments)
  25. AlexCoventry (167 points, 17 comments)
  26. DragonWhsiperer (165 points, 38 comments)
  27. stop-making-accounts (164 points, 57 comments)
  28. KnifeOfPi2 (157 points, 13 comments)
  29. Edgegasm (156 points, 42 comments)
  30. ippond (152 points, 15 comments)
  31. dontlikecomputers (151 points, 61 comments)
  32. QRCollector (150 points, 46 comments)
  33. alexrecuenco (145 points, 18 comments)
  34. BobUltra (144 points, 88 comments)
  35. SpamCamel (135 points, 22 comments)
  36. InterdisciplinaryHum (133 points, 107 comments)
  37. theglitteringone (132 points, 10 comments)
  38. ChocolateSunrise (128 points, 23 comments)
  39. PM_ME_UR_QUINES (125 points, 4 comments)
  40. narwhale111 (122 points, 15 comments)
  41. pepe_le_shoe (121 points, 47 comments)
  42. Darius510 (119 points, 39 comments)
  43. glen-hodl (118 points, 21 comments)
  44. HOG_ZADDY (117 points, 23 comments)
  45. coranos2 (116 points, 44 comments)
  46. etherenvoy (116 points, 15 comments)
  47. johnny_milkshakes (115 points, 55 comments)
  48. galan77 (115 points, 52 comments)
  49. hybridsole (113 points, 40 comments)
  50. funciton (113 points, 8 comments)
  51. Mr0ldy (110 points, 24 comments)
  52. Corm (109 points, 42 comments)
  53. cryptoscopia (109 points, 7 comments)
  54. ReportFromHell (106 points, 39 comments)
  55. broscientologist (105 points, 26 comments)
  56. straytjacquet (104 points, 28 comments)
  57. Quadling (101 points, 24 comments)
  58. BlockEnthusiast (101 points, 17 comments)
  59. thats_not_montana (99 points, 37 comments)
  60. TheRealMotherOfOP (98 points, 27 comments)
  61. yarauuta (96 points, 11 comments)
  62. pegasuspect93 (96 points, 1 comment)
  63. andrew_bao (93 points, 40 comments)
  64. samdotla (93 points, 6 comments)
  65. melodious_punk (91 points, 34 comments)
  66. Mquantum (91 points, 31 comments)
  67. TJ_Hooker15 (91 points, 27 comments)
  68. NoFaptain99 (91 points, 3 comments)
  69. ilielezi (87 points, 10 comments)
  70. Raapop (87 points, 2 comments)
  71. Allways_Wrong (86 points, 36 comments)
  72. bLbGoldeN (86 points, 19 comments)
  73. ResIpsaLoquiturrr (86 points, 15 comments)
  74. kabelman93 (85 points, 29 comments)
  75. no_pants_gamer (84 points, 9 comments)
  76. AnkurTechracers (83 points, 16 comments)
  77. ric2b (83 points, 11 comments)
  78. Big_Goose (83 points, 10 comments)
  79. Lifeistooshor1 (82 points, 21 comments)
  80. vornth (82 points, 11 comments)
  81. Sargos (81 points, 25 comments)
  82. refreshx2 (81 points, 16 comments)
  83. Qwahzi (78 points, 27 comments)
  84. StupidRandomGuy (77 points, 35 comments)
  85. WikiTextBot (77 points, 24 comments)
  86. SnootyEuropean (77 points, 5 comments)
  87. cryptogainz (76 points, 14 comments)
  88. frequentlywrong (76 points, 4 comments)
  89. the_defiant (76 points, 4 comments)
  90. BrangdonJ (75 points, 28 comments)
  91. hendrik_v (75 points, 7 comments)
  92. solar128 (74 points, 18 comments)
  93. foobazzler (74 points, 8 comments)
  94. ginger_beer_m (73 points, 35 comments)
  95. kAhmij (73 points, 25 comments)
  96. DeleteMyOldAccount (73 points, 20 comments)
  97. sn0wr4in (73 points, 9 comments)
  98. Dyslectic_Sabreur (72 points, 5 comments)
  99. X7spyWqcRY (71 points, 8 comments)
  100. Krapser (70 points, 5 comments)

Top Submissions

  1. A Guided Reading of Bitcoin’s Original White Paper by Realness100 (202 points, 10 comments)
  2. From a technical standpoint: Why does every blockchain projects need their own coins? by HSPremier (181 points, 50 comments)
  3. Bitcoin Gold hit by Double Spend Attack (51% attack). The Attacker reversed 22 blocks. by rockyrainy (179 points, 102 comments)
  4. Why white papers in crypto world are so unprofessional? by ilielezi (175 points, 88 comments)
  5. My brief observation of most common Consensus Algorithms by tracyspacygo (159 points, 49 comments)
  6. Proof-of-Approval: Stake Based, 1 Block Finality & History Attack Defense by shunsaitakahashi (147 points, 4 comments)
  7. "Do you need a Blockchain?" - this paper is fantastic, everyone should read this before evaluating a coin and if requires a block chain to solve a solution the coin is promising to solve. by Neophyte- (136 points, 41 comments)
  8. Technical comparison of LIGHTNING vs TANGLE vs HASHGRAPH vs NANO by Qwahzi (133 points, 37 comments)
  9. Everytime I try to investigate the technology behind Cardano(Ada), I come across the words "scientific" and "peer-reviewed" over and over but almost no actual details. Can someone fill how this coin actually works and where they are in development? by RufusTheFirefly (126 points, 49 comments)
  10. How do we change the culture around cryptocurrency? by FashionistaGuru (118 points, 54 comments)

Top Comments

  1. 160 points: holomntn's comment in ELI5: Why did it take so long for blockchain technology to be created?
  2. 121 points: KnifeOfPi2's comment in How do we change the culture around cryptocurrency?
  3. 105 points: theglitteringone's comment in Outside of currency and voting, blockchain is awful and shouldnt be used. Can anyone explain where blockchain is worth the cost?
  4. 102 points: benthecarman's comment in If crypto now is like 'the Internet' of the past, where are we?
  5. 96 points: pegasuspect93's comment in If crypto now is like 'the Internet' of the past, where are we?
  6. 95 points: bannercoin's comment in Realistically, why would anybody expect the startup crypto platforms to beat out the corporate giants who are developing their own Blockchain as a Service (BaaS) solutions? Ex. IBM, SAP, JP Morgan...
  7. 83 points: AlexCoventry's comment in Ethereum private key with all zeroes leads to an account with 5000$ on it
  8. 82 points: deleted's comment in Is blockchain really useful ?
  9. 81 points: signos_de_admiracion's comment in Why white papers in crypto world are so unprofessional?
  10. 78 points: NoFaptain99's comment in Why do so many of these businesses need a token? (Unsure)
Generated with BBoe's Subreddit Stats
submitted by subreddit_stats to subreddit_stats [link] [comments]

Bitcoin Q&A Migrating To Post Quantum Cryptography ... Bitcoin Price Falls on Panic over Quantum Computers, Bakkt Failure, & Miner Exodus aantonop - YouTube Litecoin Wallet (Electrum) einfach erklärt (Beginner/Einsteigertutorial) SLP84 Stepan Snigirev - Quantum Computing Threat to Bitcoin and Next Generation Bitcoin Hardware Wa

What size of a quantum computer can break bitcoin? How big does this quantum computer bitcoin killer need to be? Microsoft Research has shown fewer qubits are needed for computing elliptic curve discrete logarithms – as few as about 2500 for a standard 256-bit key than 2048-bit RSA, which needs 4000. However, these are perfect, “logical ... In a chapter of the Modern CTO podcast, Ripple’s CTO, David Schwartz, expressed concerns about the development of quantum computers. Ripple’s CTO believes this technology is a threat to the security of Bitcoin, XRP, and cryptocurrencies.This is primarily because the consensus algorithms behind cryptocurrencies rely on conventional cryptography, as Schwartz stated: Bitcoin’s security relies on the computational difficulty of the public-private key cryptography function (ECDSA), which becomes computationally feasible to solve with quantum computing capabilities. More specifically, it is vulnerable to a modified Schor’s algorithm (which normally makes integer factorization much easier) for solving discrete logarithm problems. Signatures in Bitcoin. In many ways, this is the traditional cryptography in Bitcoin. We ask the question, “How do we know that Alice was authorized to transfer 100 Bitcoins to Bob,” and anyone who has used public-key cryptography knows the answer is, “Alice signs the transaction with her private key and publishes this signature for the Bitcoin network to verify with her public key.” This is a condition sufficient to solve those hard problems and break most public-key cryptography systems currently used. No classical computer could run such algorithm, so there’s currently not one computer which could hack your Bitcoin wallet. Quantum computers, instead, are immensely more powerful than the classical ones. Instead of ...

[index] [40608] [22983] [7170] [38189] [13528] [43280] [4327] [24475] [49092] [12900]

Bitcoin Q&A Migrating To Post Quantum Cryptography ...

Eine einfache, Schritt für Schritt Erklärung zum Erstellen eines Electrum Litecoin Wallets und zum Empfangen und Versenden von Litecoins mit diesem. Ich erkläre Punkt für Punkt die wichtigsten ... PODCAST: Quantum Computing 2019: With innovations being made consistently in the quantum computing environment, the same questions continue to come up. Will quantum computers break bitcoin? WIll ... We’ll stop supporting this browser soon. For the best experience please update your browser. Keywords/phrases: Quantum cryptography, quantum cryptoanalysis, quantum computing. Bitcoin uses SHA-256. In cryptography there is a 20-30 year lifecycle for ... Stepan Snigirev, Quantum Physicist and CTO of CryptoAdvance joins me in this episode to talk about the Quantum threat to Bitcoin, and we also talk about Bitcoin Hardware Wallets. This interview ...

#