Anyswap - A completely decentralized swap exchange that supports all your coins
Hello crypto enthusiasts, After the recent run up of DEFI products and massive price movements, I’ve come across an innovative product with tremendous upside potential. If you have used Uniswap in the past, and are bound to only swapping Ethereum with Ethereum based tokens, a pressing problem arises... ‘How come I can’t use my Bitcoin, XRP, Litecoin, etc. to make the swap? Why do I have to trade into Ether, to gain access to these tokens?’ Enter Anyswap... Anyswap Anyswap is the first completely decentralized swap exchange that will allow you to use any coin or tokens (ECDSA and EdDSA as signature algorithms - 98% of all blockchains) with one another. No third party risk. The ANY token issued is a governance token, which will allow voting rights for holders to choose which coins will be listed next. No ICO, no fundraising, no airdrop, no premine. Get ’em while they’re hot. Mark your calendar... July 20th 2020, ANY token will be available for purchase. Join their telegram group for more info Anyswap TG Thanks for listening. And to the mooooon 🚀🚀🚀
[Tenant - NY] Qualifying for rent based on Bitcoin assets
I was an early adopter of Bitcoin and my small initial investment has luckily appreciated to the point where I no longer need to work. I'm trying to move to a high-end rental property owned by a mom & pop landlord with a few properties around town. Of course because of the price tag, especially during the current environment, they're very strict about making sure potential tenants are able to afford the rent. No problem there. My crypto holdings could easily cover the lease for several decades.

Normally I suppose it's quite rare for rental tenants to have large asset holdings. So, already this is kind of an unusual situation, as they're more geared for verifying income. But the good news is they do have a procedure for qualifying tenants based on assets. I'm not sure if they've used it before... But anyway it requires that tenants have 40 times the monthly rent in liquid assets. No problem, I've got *way* more than that.

They say all they require is seeing three months of financial statements. Uhh... The whole point of Bitcoin is that it isn't centralized inside a financial institution. I tried to explain, over the phone to the nice older lady landlord, how the blockchain works, and the basics of public-private encryption. I explained how it's actually very easy to prove ownership of my Bitcoin holdings. All I have to do is give her the address of my holdings, and prove ownership by signing a message with the corresponding ECDSA private keys. At that point all she has to do is check the latest mined block to verify that it contains enough BTC to satisfy her requirements. I don't see what the problem is here. Unlike sending copies of bank statements, which could easily be forged, this method is *far* more reliable and is literally cryptographically secure. She's acting like I'm some sort of lunatic, when she implicitly trusts the same crypto algorithms 100 times a day in her online banking, shopping and messages.

Anyway, has anyone else been in this position? Either from the tenant or landlord side? I understand cryptocurrency is new technology, but by now surely people must realize Bitcoin isn't some made up fairy dust. I could just move on to a different property, but feel like I'd end up hitting the same wall. Any suggestions for proving to landlords that I'm quite far from a financial risk?
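The proof-of-control flow the poster describes (sign a message with the key behind an address, then have the other side verify the signature and check that the public key matches the address) worked through as an added Python example; this is not code from the post. It implements secp256k1 ECDSA directly with no third-party library, uses a constructed address encoding (truncated SHA-256 of the compressed public key) in place of Bitcoin's real Base58Check P2PKH format, and a simplified HMAC-based deterministic nonce rather than RFC 6979; the demo key and challenge text are constructed. Looking up the address's balance on the chain is outside the block.

```python
import hashlib
import hmac

# secp256k1 domain parameters: the curve Bitcoin uses for ECDSA.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def message_hash(msg: bytes) -> int:
    """Hash the challenge under a constructed domain-separation prefix so a signed
    proof-of-control message can never be mistaken for a transaction digest.
    (Bitcoin's real signed-message format uses a different prefix and encoding.)"""
    digest = hashlib.sha256(b"ownership-proof-v1:" + msg).digest()
    return int.from_bytes(digest, "big") % N


def sign(priv: int, msg: bytes):
    """ECDSA signature with a deterministic nonce k = HMAC(priv, z) mod N.
    Simplified stand-in for RFC 6979; a repeated or biased nonce would leak the key."""
    z = message_hash(msg)
    k = int.from_bytes(hmac.new(priv.to_bytes(32, "big"), z.to_bytes(32, "big"),
                                hashlib.sha256).digest(), "big") % N
    if k == 0:
        raise ValueError("degenerate nonce; choose another challenge")
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; choose another challenge")
    if s > N // 2:  # low-s normalisation, the canonical form Bitcoin nodes accept
        s = N - s
    return (r, s)


def verify(pub, msg: bytes, sig) -> bool:
    """Standard ECDSA verification: (u1*G + u2*pub).x == r (mod N)."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = message_hash(msg)
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def address_of(pub) -> str:
    """Constructed address stand-in: truncated SHA-256 of the compressed public key.
    Real P2PKH adds RIPEMD-160 and Base58Check; the shape of the check is the same."""
    prefix = b"\x02" if pub[1] % 2 == 0 else b"\x03"
    return hashlib.sha256(prefix + pub[0].to_bytes(32, "big")).digest()[:20].hex()


def verify_ownership_claim(claimed_address: str, pub, challenge: bytes, sig) -> bool:
    """Verifier side (the landlord): the revealed public key must hash to the claimed
    address AND the signature over the verifier-chosen challenge must verify under it.
    The private key is never revealed; the address balance still needs a chain lookup."""
    return address_of(pub) == claimed_address and verify(pub, challenge, sig)


def demo():
    # Constructed demo key: never derive a real key from a short string like this.
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    pub = scalar_mult(priv, G)
    addr = address_of(pub)
    # The verifier picks the challenge and includes something fresh (date, property)
    # so that a signature produced for someone else cannot be replayed as a new proof.
    challenge = b"Proof of control for rental application, unit 4B, 2020-07-20"
    sig = sign(priv, challenge)
    return {
        "address": addr,
        "genuine": verify_ownership_claim(addr, pub, challenge, sig),
        "tampered": verify_ownership_claim(addr, pub, challenge + b" plus extra", sig),
    }


if __name__ == "__main__":
    print(demo())
```

The two-part check matters: a valid signature alone only proves control of *some* key, so the verifier must also confirm that the presented public key is the one behind the address whose balance is being claimed, and must choose the challenge text itself to rule out replay of an old signature.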
tBTC is a trustlessly Bitcoin-backed ERC-20 token. The goal of the project is to provide a stronger 2-way peg than federated sidechains like Liquid, expanding use cases possible via today’s Bitcoin network, while bringing superior money to other chains. This repo contains the Solidity smart contracts and specification.
tbtc.js provides JS bindings to the tBTC system. The tBTC system is a bonded, multi-federated peg made up of many deposits backed by single-use BTC wallets to enable their value’s corresponding usage on the Ethereum chain, primarily through the minting of a TBTC ERC20 token whose supply is guaranteed to be backed by at least 1 BTC per TBTC in circulation.
2020-04-01

tBTC incorporates novel design features that carry important implications for users. This piece explains four of these: TDT receipts, multiple lot sizes, Keep's random beacon, and threshold signatures.

TBTC Deposit Token (TDT)

The TBTC Deposit Token (TDT) is a non-fungible token that is minted when a user requests a deposit. A TDT is a non-fungible ERC-721 token that serves as a counterpart to TBTC. It represents a claim to a deposit's underlying UTXO on the Bitcoin blockchain. TBTC deposits can be locked or unlocked. A locked deposit can only be redeemed by the deposit owner with the corresponding TDT. Each TDT is unique to the deposit that mints it and carries the exclusive right for up to a 6 month term to redeem the deposit.
also this paragraph addresses creating wallets with the created tokens
Random Beacon for Signer Selection

The Keep network requires a trusted source of randomness to select tBTC signers. This takes the form of a BLS Threshold Relay. When a request comes in to create a signing group, the tBTC system uses a random seed from a secure decentralized random beacon to randomly select signing group members from the eligible pool of signers. These signers coordinate a distributed key generation protocol that results in a public ECDSA key for the group, which is used to produce a wallet address that is then published to the host chain. This completes the signer selection phase.
my take away from this is that by using side chains that are trustless, not federated like liquid bitcoin sidechains sold by blockstream. it uses NFT erc-721 tokens as representation of the bitcoin UTXO from the bitcoin blockchain, store it in a wallet and mint it into tBTC. given this is all smart contracts generating wallets and minting the tBTC, it does away with the need of a centralised party to provide the funds of BTC to create a wrapped erc20 version on ethereum and so should be trustless. perhaps erc20 token trading is the way to go forward. just requires wrapping of existing tokens. this looks promising for DeXs and DeFi if it happens. also opens the possibility of multicollateral Dai (MCD) using tBTC in addition to eth and BAT. though personally i think btc should not be used in MCD. any thoughts on this? or if my understanding is off. thanks edit: got some more info from px403
I talked to James a bit about tBTC in Osaka, so I have a vague idea of how it works, so I might be able to explain it in a somewhat coherent way. Basically, the magic here is they reimplemented Bitcoin's SPV as an Ethereum smart contract, effectively letting them query the current state of the Bitcoin network, including validity of payments, directly in contract. Using this, they built an auction system where people can at any time claim ETH by paying BTC, or claim BTC by paying ETH. By design the spread is wide, so this isn't actually intended to be a high volume exchange, but what you do get is a pretty good price oracle. From the price oracle, I think they were doing some Maker style CDPs or something, where people could lock up their BTC on the Bitcoin network to redeem tBTC, and any of the locked BTC could be reclaimed by burning tBTC or something. Sorry it's not a complete picture of what's going on, but I think that's the general gist of what they're doing.
*These questions are sourced directly from Telegram*

Q: How do I shutdown my Chaosnet Darknode?
A: Please follow these directions: https://docs.renproject.io/chaosnet/chaosnet-darknode/untitled-3

Q: Can I run a Chaosnet Darknode and Mainnet Darknode at the same time (on the same computer)?
A: No, if you want to do that you’ll have to run them on separate computers.

Q: You mentioned DCEP in your latest piece and "12 App Ideas", but it's going to run on a centralized private network. The Bank of England also just released a report on how they're thinking about their CBDC and DLT/centralization, and stress that a DLT could add resilience, but there's also no reason a currency couldn't be more centralized. The Block reported that other central banks (like the EU and Singapore) are considering third-party chains like Corda. Can you comment on which CBDC designs may or may not be compatible with RZL? You previously said "RZL sMPC provides ECDSA signatures because that’s what is used by Ethereum, Bitcoin, etc. Whatever solution they come up with, will be the solution that RZL has to be upgraded to use (the whole point of RenVM is not to tell other chains how to do things, and still provide interop; this means waiting on them to define their solution and then working with that)." So, what does centralization mean for RZL, and how can we think about compatibility between these designs on the technical side?
A: The topic of centralisation in interoperability comes down to the compounding effect of using multiple networks. Put another way “you’re only as decentralised as your most centralised component”. While there are nuances to this, the core idea rings true. RenVM can be used to interoperate many different kinds of chains; anything using ECDSA, or naturally supporting lively threshold signatures, is a candidate to be included in RenVM. However, a centralised currency that has been bridged to a decentralised chain is not decentralised. The centralised entity that controls the currency might say “nothing transferred to/from this other chain will be honoured”. That’s a risk that you take with centralised currencies (take a look at the T&Cs for USDC for example). The benefit of RenVM in these instances is to become a standard. Short-term, RenVM brings interoperability to some core chains. Medium-term, it expands that to other more interesting chains based on community demands. Long-term, it becomes the standard for how to implement interop. For example: you create a new chain and don’t worry about interop explicitly because you know RenVM will have your back. For centralised currencies this is still advantageous, because the issuing entity only has to manage one chain (theirs) but can still get their currency onto other chains/ecosystems. From a technical perspective, the Darknodes just have to be willing to adopt the chain/currency.

Q: dApps will have their own risk tolerances for centralized assets. Eg USDC was a bigger deal for MakerDAO than Uniswap. If CBDC liquidity were suddenly bridgeable, some dApps would be more eager to adopt it than others - even despite the risks - because they provide native liquidity and can be used to store/hedge in it without cashing it out. My question is more technical as it relates to RenVM as the "Universal Stablecoin Converter". You sound convinced that RenVM can bridge Libra, DCEP, maybe other CBDCs in the future, but I'm skeptical how RenVM works with account-based currencies. (1) Are we even sure of DCEP's underlying design and whether it or other CBDCs even plan to use digital signatures? And (2) wouldn't RenVM need a KYC-approved account to even get an address on these chains? It seems like DCEP would have to go through a Chinese Circle, who would just issue an ERC20.
A: As far as underlying blockchain technology goes (eg the maths of it) I don’t see there being any issues. Until we know more about whether or not KYCd addresses are required (and if they are, how they work), then I can’t specifically comment on that. However, it is more than possible not to require RenVM to be KYCd (just like you can’t “KYC Ethereum”) and instead move that requirement to addresses on the host blockchain (eg KYC Ethereum addresses for receiving the cross-chain asset). Whether this happens or not would ultimately be up to whether the issuer wanted interoperability to be possible.

Q: In that scenario, how would RenVM even receive the funds to be transferred to the KYC'd Ethereum address? For Alice to send DCEP to Bob's KYC'd Ethereum address, RenVM would need a DCEP address of its own, no?
A: Again, this is impossible to say for certain without knowing the implementation of the origin chain. You could whitelist known RenVM scripts (by looking at their form, like RenVM itself does on Bitcoin). But most likely, these systems will have some level of smart contract capabilities and this allows very flexible control. You can just whitelist the smart contract address that RenVM watches for cross-chain events. In origin chains with smart contracts, the smart contract holds the funds (and the keys the smart contract uses to authorise spends are handled as business logic). So there isn’t really a “RenVM public address” in the same sense that there is in Bitcoin.

Q: The disbonding period for Darknodes seems long, what happens if there is a bug?
A: It’s actually good for the network to have a long disbonding period in the face of a bug. If people were able to panic sell, then not only would the bug cause potential security issues, but so too would a mass exodus of Darknodes from the network. Having time to fix the bug means that Darknodes may as well stick around and continue securing the network as best they can. Because their REN is at stake (as you put it) they’re incentivised to take any of the recommended actions and update their nodes as necessary. This is also why it’s critical for the Greycore to exist in the early days of the network and why we are rolling out SubZero the way that we are. If such a bug becomes apparent (more likely in the early days than the later days), then the Greycore has a chance to react to it (the specifics of which would of course depend on the specifics of the bug). This becomes harder and slower as the network becomes more decentralised over time.

Q: Not mcap, but the price of bonded Ren. Furthermore, the price will be determined by how much in fees darknodes have collected. BTW, loongy could you unveil based on what profits ratio/apr the price will be calculated?
A: This is up to the Darknodes to governance softly. This means there isn’t a need for an explicit oracle. Darknodes assess L vs R individually and vote to increase fees to drive L down and drive R up. L is driven down by continue fees, whereas R is driven up by minting/burning fees.

Q: How do you think renvm would perform on a day like today when even cexs are stretched. Would the system be able to keep up?
A: This will really depend on the number of shards that RenVM is operating. Shards operate in parallel so more shards = more processing power.

Q: The main limiting factor is the speed of the underlying chain, rather than RenVM?
A: That’s generally the case. Bitcoin peaks at about 7 TPS so as long as we are faster than this, any extra TPS is “wasted”. And you actually don’t want to be faster than you have to be. This lets you drop hardware requirements, and lower the cost of running a Darknode. This has two nice effects: (a) being an operator generates more profit because costs are lower, and (b) it’s more accessible to more people because it’s a little cheaper to get started (albeit this is minor).

Q: Just getting caught up on governance, but what about: unbonded REN = 1 vote, bonded REN = (1 vote + time_served). That'd be > decentralization of Darknodes alone, an added incentive to be registered, and counter exchanges wielding too much control.
A: You could also have different decaying rates. For example, assuming that REN holders have to vote by “backing” the vote of Darknodes: Let X be the amount of REN used to vote, backed behind a Darknode and bonded for T time. Let Y be the amount of time a Darknode has been active for. Voting power of the Darknode could = Sqrt(Y) * Log(X + T). Log(1,000,000,000) = ~21 so if you had every REN bonded behind you, your voting power would only be 21x the voting power of other nodes. This would force whales to either run Darknodes for a while and contribute actively to the ecosystem (or lock up their REN for an extended period for additional voting power), and would force exchanges to spread their voting out over many different nodes (giving power back to those running nodes). Obviously the exchange could just run lots of Darknodes, but they would have to do this over a long period of time (not feasible, because people need to be able to withdraw their REN).

Q: Like having superdelegates, i.e, nodes trusted by the community with higher voting power? Maybe like council nodes
A: Well, this is essentially what the Greycore is. Darknodes that have been voted in by the community to act as a secondary signature on everything. (And, interestingly enough, you could vote out all members to remove the core entirely.)

Q: Think the expensive ren is a security feature as well. So, doubt this would impact security potentially? I don’t know. I wouldn’t vote to cut my earnings by 40% for example lol
A: It can lead to centralisation over time though. If 100K REN becomes prohibitively expensive, then you will only see people running Darknodes that can afford a large upfront capital investment. In the mid/long-term this can have adverse effects on the trust in the system. It’s important that people “external” to the system (non-Darknodes) can get themselves into the system. Allowing non-Darknodes to have some governance (even if it’s not overall things) would be critical to this.

Q: That darknode option sounds very interesting although it could get more centralized as the price of 100k Ren rises. For instance dark nodes may not want to vote to lower the threshold from 100k to 50k once Ren gets too expensive.
A: A great point. And one of the reasons it would be ideal to be able to alter those parameters without just the Darknodes voting. Otherwise, you definitely risk long-term centralisation.

Q: BTC is deposited into a native BTC address, but who controls this address (where/how is this address’s private key stored)?
A: This is precisely the magic behind RenVM. RenVM uses an MPC algorithm to generate the controlling private key. No one ever sees this private key, and no one can sign things with it without consensus from everyone else.
*These questions are sourced directly from Telegram*

Q: Are all the projects listed in the Ren Alliance, the final set of members?
A: No, please do keep in mind this is just our first round of partners, some larger orgs require a bit more DD (i.e. our audit). We’ll release the final set of members when Mainnet goes live.

Q: How do projects join the Ren Alliance?
A: It’s simple, just fill out this application. It takes about five minutes, and all you need is your company’s logo files and your preferred area(s) of involvement. Joining the Alliance requires no binding commitments, only a desire to help bring cross-chain assets to DeFi.

Q: For example let's say there is a crypto index which contains 1 BTC and 1 ZEC. I have 1 BTC and 1 ZEC and I would like to “mint” this index token with RenVM. Will something like this be possible in the future?
A: This is already possible today. RenVM allows you to mint renBTC and renZEC (and renBCH) on Ethereum. The result is an ERC20 like any other with the addition that when you burn it, you get real BTC and ZEC back. Another nice feature is that you can directly call smart contracts when minting. This is not possible in any other system, and results in a very clean and simple user experience. People can make a BTC transaction followed by a ZEC transaction and with no other blockchain actions end up with their BTC and ZEC in your example system (your example system would have functions for accepting BTC and ZEC and when receiving both, it would output some kind of index token; exactly how it functions is up to how you want to implement your contract!)

Q: What blockchains does RenVM support?
A: RenVM can support any ECDSA based blockchain but we'll be starting with BTC, ZEC, and BCH. More info here: https://github.com/renproject/ren/wiki/Supported-Blockchains

Q: Another concern is chain rollback. In the case of MakerDAO getting hacked (unlikely, but not impossible), the Ethereum network could rollback just like with the DAO. (Unlikely, but not impossible). But what if the attacker already has deposited the hacked funds into RenVM and gotten a private coin?
A: A roll-back would still revert that state. Privacy on-chain != no state tracking something (just in a way that doesn’t reveal information). So reverts don’t really matter in that sense. They do matter in a broader sense: you have renBTC and you burn it for BTC, then Ethereum rolls back to when you had renBTC still. This is something the Ethereum community has to consider very carefully these days if they were to ever do such a revert. This is an ultimately unavoidable truth RE interoperability; you are compounding risks of the chains you are using. In general, this is why it’s always safer to keep your BTC on Bitcoin unless there is a specific reason you need it on Ethereum at any given point in time.

Q: If BTC can be transferred with zero confirmation how many transactions can RenVM handle?
A: RenVM’s throughput isn’t affected by conf-less transactions. This is a service provided by L2 technology (like the 0Conf team, who are building exactly this!). This doesn’t affect RenVM directly, but it does have the pleasant impact that users won’t notice network congestion if it happens.

Q: Can you explain the over-collateralization security dynamic between tBTC and RenVM? Does this play into Maker using RenVM vs. tBTC to collateralize their CDPs?
A1: It’s not the over collateralization that’s the problem. It’s that to get $X BTC they need 1.5x $X ETH locked up in their protocol. What about other places that give better ETH returns? What about the fact that ETH doesn’t go up in price just because tBTC is used? With REN, we are actually over collateralized (so they’re wrong that they are more secure in this regard). The big difference: BTC flowing through REN increases the value of the REN collateral, increasing the security, increasing the capacity of BTC that can flow through the system. It’s a positive feedback loop for capacity and security that simply doesn’t exist if you don’t use an isolated token.
A2: Maker wants to use BTC to collateralise Dai, because it diversifies risk and expands the possible Dai supply (by expanding possible collateral). If you use tBTC, then tBTC is collateralised by ETH so you actually become less efficient at minting Dai, and you don’t diversify risk because tBTC gets liquidated by ETH price movements. You don’t want your network secured by collateral that has speculative value that is not correlated with the usage of the network. That makes things unstable. If RenVM is being used, the value of REN increases, and the more RenVM can be used (and Darknodes get the positive upside of their bond increasing in value). This means by pumping lots of BTC into RenVM, you gain more capacity to pump more BTC into RenVM. This creates a positive feedback loop for the returns earned by Darknodes, the value of their bond, and overall capacity/security of the network. Compare to tBTC: you are waiting for ETH to go up in value. Its value, which does not correlate with the amount of BTC in the system, limits the AUM that the system can hold. You’re hoping it will go up independently of the usage of your network and if it doesn’t you’re out of luck. Network growth does not drive the ability for the network to grow. You are also competing with the returns on ETH that other ecosystems allow you to get (why bond ETH in tBTC if you can get better returns on that ETH in other places; lending it or staking it in Eth2.0). (Btw: we’re doing research to get our collateralisation of REN to 150%. It’s already possible, and could be done today, but we are just seeing if we can make it safer/livelier than the current best-in-class algorithms.)

Q: How do we define the value of L and R if we don't use oracle price feed?
A: It will be decided by the Darknodes. The best mechanism of doing this is still being decided upon. However, it won’t simply be taken from the current market price / third-party oracles as those are vulnerable to manipulation. Ultimately, the only valuation that matters is the Darknodes’ (because they’re the ones being potentially bribed).

Q: In my opinion, RenVM (and tBTC) adoption bottleneck: 300% collateral ratio » this ratio is important for security and decentralization » to sustain this ratio we need significant fees to be imposed on renBTC holders » example: if there was 100m$ renBTC total supply then we need 300m$ ren locked in darknodes » if 3-5% fees paid for those 300m$ then we need to extract 9-15 million fees from the 100m renBTC » that equals 9-15% annual fees » of course it will be lower with the minting and burning fees but I don't think it will cover half of the total needed fees » the result with the current design is that there is still too much economic friction IMO.
A: The key thing to keep in mind is velocity. Not just TVL. Let’s take Kyber as an example: they have $4.9M AUM. But, they did $3.7M in trades in the last 24 hours. Over the year, that’s 275x their AUM. So, if RenVM is holding $100M AUM, and achieves a volume multiplier of 200x then it gets $1M p/a in holding fees but $40M in minting/burning fees. This is all assuming the minimum fee as well (it rises as TVL approaches the limit). So RenVM would need a $300M market cap on $41M in revenue. That’s 13% p/a, assuming we don’t make the move to only 150% collateral. If we do move to that, then it’s almost 33% p/a. RenVM is by far and away the best UX for instantly swapping BTC on DEXs (with no gas, and no confirmations). All of the interfaces we’re building and the tools we’re providing give people that native experience. This is precisely because high TVL is not what yields good returns and increases cap for the protocol. Even systems like MakerDAO/Compound have people moving BTC in/out. Their AUM is by no means static. People are constantly opening/closing/liquidating positions and all of this would create velocity through RenVM.

Q: How was ETHDenver?
A: ETHDenver was great, and very productive, confirmed a lot of our thoughts on what needs to be done but also gave us a good amount of exposure, so overall it was a positive for the team and RenVM.
*These questions are sourced directly from Telegram Q: When you say RenVM is Trustless, Permissionless, and Decentralized, what does that actually mean? A: Trustless = RenVM is a virtual machine (a network of nodes, that do computations), this means if you ask RenVM to trade an asset via smart contract logic, it will. No trusted intermediary that holds assets or that you need to rely on. Because RenVM is a decentralized network and computes verified information in a secure environment, no single party can prevent users from sending funds in, withdrawing deposited funds, or computing information needed for updating outside ledgers. RenVM is an agnostic and autonomous virtual broker that holds your digital assets as they move between blockchains. Permissionless = RenVM is an open protocol; meaning anyone can use RenVM and any project can build with RenVM. You don't need anyone's permission, just plug RenVM into your dApp and you have interoperability. Decentralized = The nodes that power RenVM ( Darknodes) are scattered throughout the world. RenVM has a peak capacity of up to 10,000 Darknodes (due to REN’s token economics). Realistically, there will probably be 100 - 500 Darknodes run in the initial Mainnet phases, ample decentralized nonetheless. Q: Okay, so how can you prove this? A: The publication of our audit results will help prove the trustlessness piece; permissionless and decentralized can be proven today. Permissionless = https://github.com/renproject/ren-js Decentralized = https://chaosnet.renproject.io/ Q: How does Ren sMPC work? Sharmir's secret sharing? TSS? A: There is some confusion here that keeps arising so I will do my best to clarify.TL;DR: *SSS is just data. It’s what you do with the data that matters. RenVM uses sMPC on SSS to create TSS for ECDSA keys.*SSS and TSS aren’t fundamental different things. It’s kind of like asking: do you use numbers, or equations? Equations often (but not always) use numbers or at some point involve numbers. 
SSS by itself is just a way of representing secret data (like numbers). sMPC is how to generate and work with that data (like equations). One of the things you can do with that work is produce a form of TSS (this is what RenVM does). However, TSS is slightly different because it can also be done *without* SSS and sMPC. For example, BLS signatures don’t use SSS or sMPC but they are still a form of TSS. So, we say that RenVM uses SSS+sMPC because this is more specific than just saying TSS (and you can also do more with SSS+sMPC than just TSS). Specifically, all viable forms of turning ECDSA (a scheme that isn’t naturally threshold based) into a TSS needs SSS+sMPC. People often get confused about RenVM and claim “SSS can’t be used to sign transactions without making the private key whole again”. That’s a strange statement and shows a fundamental misunderstanding about what SSS is. To come back to our analogy, it’s like saying “numbers can’t be used to write a book”. That’s kind of true in a direct sense, but there are plenty of ways to encode a book as numbers and then it’s up to how you interpret (how you *use*) those numbers. This is exactly how this text I’m writing is appearing on your screen right now. SSS is just secret data. It doesn’t make sense to say that SSS *functions*. RenVM is what does the functioning. RenVM *uses* the SSSs to represent private keys. But these are generated and used and destroyed as part of sMPC. The keys are never whole at any point. Q: Thanks for the explanation. Based on my understanding of SSS, a trusted dealer does need to briefly put the key together. Is this not the case? A: Remember, SSS is just the representation of a secret. How you get from the secret to its representation is something else. There are many ways to do it. The simplest way is to have a “dealer” that knows the secret and gives out the shares. But, there are other ways. For example: we all act as dealers, and all give each other shares of our individual secret. 
If there are N of us, we now each have N shares (one from every person). Then we all individually add up the shares that we have. We now each have a share of a “global” secret that no one actually knows. We know this global secret is the sum of everyone’s individual secrets, but unless you know every individual’s secret you cannot know the global secret (even though you have all just collectively generates shares for it). This is an example of an sMPC generation of a random number with collusion resistance against all-but-one adversaries. Q: If you borrow Ren, you can profit from the opposite Ren gain. That means you could profit from breaking the network and from falling Ren price (because breaking the network, would cause Ren price to drop) (lower amount to be repaid, when the bond gets slashed) A: Yes, this is why it’s important there has a large number of Darknodes before moving to full decentralisation (large borrowing becomes harder). We’re exploring a few other options too, that should help prevent these kinds of issues. Q: What are RenVM’s Security and Liveliness parameters? A: These are discussed in detail in our Wiki, please check it out here: https://github.com/renproject/ren/wiki/Safety-and-Liveliness#analysis Q: What are the next blockchain under consideration for RenVM? A: These can be found here: https://github.com/renproject/ren/wiki/Supported-Blockchains Q: I've just read that Aztec is going to be live this month and currently tests txs with third parties. Are you going to participate in early access or you just more focused on bringing Ren to Subzero stage? A: At this stage, our entire focus is on Mainnet SubZero. But, we will definitely be following up on integrating with AZTEC once everything is out and stable. Q: So how does RenVM compare to tBTC, Thorchain, WBTC, etc..? A: An easy way to think about it is..RenVM’s functionality is a combination of tBTC (+ WBTC by extension), and Thorchain’s (proposed) capabilities... All wrapped into one. 
Just depends on what the end-user application wants to do with it.

Q1: What are the core technical/security differences between RenVM and tBTC?

A1: The algorithm used by tBTC faults if even one node goes offline at the wrong moment (and the whole “keep” of nodes can be penalised for this). RenVM can survive 1/3rd going offline at any point at any time. Advantage for tBTC is that collusion is harder, disadvantage is obviously availability and permissionlessness is lower.

tBTC can only mint/burn lots of 1 BTC and requires an on-Ethereum SPV relay for Bitcoin headers (and for any other chain it adds). No real advantage trade-off IMO.

tBTC has a liquidation mechanism that means nodes can have their bond liquidated because of the ETH/BTC price ratio. Advantage means users can get 1 BTC worth of ETH. Disadvantage is it means tBTC is kind of a synthetic: needs a price feed, needs liquid markets for liquidation, users must accept exposure to ETH even if they only hold tBTC, nodes must stay collateralized or lose lots of ETH. RenVM doesn’t have this, and instead uses fees to prevent becoming under-collateralized. This requires a mature market, and assumes Darknodes will value their REN bonds fairly (based on revenue, not necessarily what they can sell it for at current (potentially manipulated) market value). That can be an advantage or disadvantage depending on how you feel.

tBTC focuses more on the idea of a tokenized version of BTC that feels like an ERC20 to the user (and is). RenVM focuses more on letting the user interact with DeFi and use real BTC and real Bitcoin transactions to do so (still an ERC20 under the hood, but the UX is more fluid and integrated). Advantage of tBTC is that it’s probably easier to understand and that might mean better overall experience, disadvantage really comes back to that 1 BTC limit and the need for a more clunky minting/burning experience that might mean worse overall experience. Too early to tell, different projects taking different bets.
tBTC supports BTC (I think they have ZEC these days too). RenVM supports BTC, BCH, and ZEC (docs discuss Matic, XRP, and LTC).

Q2: These are my assumed differences between tBTC and RenVM, are they correct? Some key comparisons:
- Both are vulnerable to oracle attacks
- REN federation failure results in loss or theft of all funds
- tBTC failures tend to result in frothy markets, but holders of tBTC are made whole
- REN quorum rotation is new crypto, and relies on honest deletion of old key shares
- tBTC rotates micro-quorums regularly without relying on honest deletion
- tBTC relies on an SPV relay
- REN relies on federation honesty to fill the relay's purpose
- Both are brittle to deep reorgs, so expanding to weaker chains like ZEC is not clearly a good idea
- REN may see total system failure as the result of a deep reorg, as it changes federation incentives significantly
- tBTC may accidentally punish some honest micro-federations as the result of a deep reorg
- REN generally has much more interaction between incentive models, as everything is mixed into the same pot.
- tBTC is a large collection of small incentive models, while REN is a single complex incentive model

A2: To correct some points: The oracle situation is different with RenVM, because the fee model is what determines the value of REN with respect to the cross-chain asset. This asset is what is used to pay the fee, so no external pricing is needed for it (because you only care about the ratio between REN and the cross-chain asset). RenVM does rotate quorums regularly, in fact more regularly than in tBTC (although there are micro-quorums, each deposit doesn’t get rotated as far as I know and sticks around for up to 6 months). This rotation involves rotations of the keys too, so it does not rely on honest deletion of key shares. Federated views of blockchains are easier to expand to support deep re-orgs (just get the nodes to wait for more blocks for that chain).
SPV requires longer proofs, which begin to scale more poorly. Not sure what you mean by “one big pot”, but there are multiple quorums so the failure of one is isolated from the failures of others. For example, if there are 10 shards supporting BTC and one of them fails, then this is equivalent to a sudden 10% fee being applied. Harsh, yes, but not total failure of the whole system (and doesn’t affect other assets). It would be interesting to see what RenVM would look like with lots more shards that are smaller. Failure becomes much more isolated and affects the overall network less. Further, the amount of tBTC you can mint is dependent on people who are long ETH and prefer locking it up in Keep for earning a smallish fee instead of putting it in Compound or leveraging with dydx. tBTC is competing for liquidity while RenVM isn't.

Q: If I understand correctly, RenVM (sMPC) can get up to a 50% security threshold, can you tell me more?

A: The best you can theoretically do with sMPC is 50-67% of the total value of REN used to bond Darknodes (RenVM will eventually work up to 50% and won’t go for 67% because we care about liveliness just as much as safety). As an example, if there’s $1M of REN currently locked up in bonded Darknodes you could have up to $500K of tokens shifted through RenVM at any one specific moment. You could do more than that in daily volume, but at any one moment this is the limit. Beyond this limit, you can still remain secure but you cannot assume that players are going to be acting to maximize their profit. Under this limit, a colluding group of adversaries has no incentive to subvert safety/liveliness properties because the cost to attack roughly outweighs the gain. Beyond this limit, you need to assume that players are behaving out of commitment to the network (not necessarily a bad assumption, but definitely weaker than the maximizing profits assumption).

Q: Why is using ETH as collateral for RenVM a bad idea?
A: Using ETH as collateral in this kind of system (like having to deposit say 20 ETH for a bond) would not make any sense because the collateral value would then fluctuate independently of what kind of value RenVM is providing. The REN token on the other hand directly correlates with the usage of RenVM which makes bonding with REN much more appropriate. DAI as a bond would not work as well because then you can't limit attackers with enough funds to launch as many darknodes as they want until they can attack the network. REN is limited in supply and therefore makes it harder to get enough of it without the price shooting up (making it much more expensive to attack as they would lose their bonds as well). A major advantage of Ren's specific usage of sMPC is that security can be regulated economically. All value (that's being interopped at least) passing through RenVM has explicit value. The network can self-regulate to ensure an attack is never worth it.

Q: Given the fee model proposal/ceiling, might there be a liquidity issue with renBTC? More demand than possible supply?

A: I don’t think so. As renBTC is minted, the fees being earned by Darknodes go up, and therefore the value of REN goes up. Imagine that the demand is so great that the amount of renBTC is pushing close to 100% of the limit. This is a very loud and clear message to the Darknodes that they’re going to be earning good fees and that demand is high. Almost by definition, this means REN is worth more. Profits of the Darknodes, and therefore security of the network, are based solely on the use of the network (this is what you want because your network does not make or break on things outside the system's control). In a system like tBTC there are liquidity issues because you need to convince ETH holders to bond ETH and this is an external problem. Maybe ETH is pumping irrespective of tBTC use and people begin leaving tBTC to sell their ETH.
Or, that ETH is dumping, and so tBTC nodes are either liquidated or all their profits are eaten by the fact that they have to be long on ETH (and tBTC holders cannot get their BTC back in this case). Feels real bad man.

Q: I’m still wondering which asset people will choose: tbtc or renBTC? I’m assuming the fact that all tbtc is backed by eth + btc might make some people more comfortable with it.

A: Maybe :) personally I’d rather know that my renBTC can always be turned back into BTC, and that my transactions will always go through. I also think there are many BTC holders that would rather not have to “believe in ETH” as an externality just to maximize use of their BTC.

Q: How does the liquidation mechanism work? Can any party, including non-nodes, act as liquidators? There needs to be a price feed for liquidation and to determine the minting fee - where does this price feed come from?

A: RenVM does not have a liquidation mechanism.

Q: I don’t understand how the price feeds for minting fees make sense. You are saying that the inputs for the fee curve depend on the amount of fees derived by the system. This is circular in a sense?

A: By evaluating the REN based on the income you can get from bonding it and working. The only thing that drives REN value is the fact that REN can be bonded to allow work to be done to earn revenue. So any price feed (however you define it) is eventually rooted in the fees earned.

Q: Who’s doing RenVM’s Security Audit?

A: ChainSecurity | https://chainsecurity.com/

Q: Can you explain RenVM’s proposed fee model?

A: The proposed fee model can be found here: https://github.com/renproject/ren/wiki/Safety-and-Liveliness#fees

Q: Can you explain in more detail the difference between "execution" and "powering P2P Network"? I think that these functions are somehow overlapping? Can you define in more detail what is "execution" and "powering P2P Network"?
You also said that at later stages semi-core might still exist "as a secondary signature on everything (this can mathematically only increase security, because the fully decentralised signature is still needed)". What power will this secondary signature have?

A: By execution we specifically mean signing things with the secret ECDSA keys. The P2P network is how every node communicates with every other node. The semi-core doesn’t have any “special powers”. If it stays, it would literally just be a second signature required (as opposed to the one signature required right now). This cannot affect safety, because the first signature is still required. Any attack you wanted to do would still have to succeed against the “normal” part of the network. This can affect liveliness, because the semi-core could decide not to sign. However, the semi-core follows the same rules as normal shards. The signature is tolerant to 1/3rd for both safety/liveliness. So, 1/3rd+ would have to decide to not sign. Members of the semi-core would be there under governance from the rest of our ecosystem. The idea is that members would be chosen for their external value. We’ve discussed in-depth the idea of L<3. But, if RenVM is used in MakerDAO, Compound, dYdX, Kyber, etc. it would be desirable to capture the value of these ecosystems too, not just the value of REN bonded. The semi-core as a second signature is a way to do this. Imagine if the members were from those projects, because those projects want to help secure renBTC, because it’s used in their ecosystems. There is a very strong incentive for them to behave honestly. To attack RenVM you first have to attack the Darknodes “as per usual” (the current design), and then somehow convince 1/3rd of these projects to act dishonestly and collapse their own ecosystems and their own reputations. This is a very difficult thing to do. Worth reminding: the draft for this proposal isn’t finished.
It would be great for everyone to give us their thoughts on GitHub when it is proposed, so we can keep a persistent record.

Q: Which method or equation is used to calculate REN value based on fees? I'm interested in how REN value is calculated as well, to maintain the L < 3 ratio?

A: We haven’t finalized this yet. But, at this stage, the plan is to have a smart contract that is controlled by the Darknodes. We want to wait to see how SubZero and Zero go before committing to a specific formulation, as this will give us a chance to bootstrap the network and field inputs from the Darknode owners after the earnings they can make have become more apparent.
Technical: Upcoming Improvements to Lightning Network
Price? Who gives a shit about price when Lightning Network development is a lot more interesting????? One thing about LN is that because there's no need for consensus before implementing things, figuring out the status of things is quite a bit more difficult than on Bitcoin. On one hand it lets larger groups of people work on improving LN faster without having to coordinate so much. On the other hand it leads to some fragmentation of the LN space, with compatibility problems occasionally coming up. The below is just a smattering sample of LN stuff I personally find interesting. There's a bunch of other stuff, like splice and dual-funding, that I won't cover --- post is long enough as-is, and besides, some of the below aren't as well-known. Anyway.....
Decker-Russell-Osuntokun
Yeah the exciting new Lightning Network channel update protocol!
Solves "toxic waste" problem. In the current Poon-Dryja update protocol, old state ("waste") is dangerous ("toxic") because if your old state is acquired by your most hated enemy, they can use that old state to publish a stale unilateral close transaction, which your counterparty must treat as a theft attempt and punish you, causing you to lose funds. With Decker-Russell-Osuntokun old state is not revoked, but is instead gainsaid by later state: instead of actively punishing old state, it simply replaces the old state with a later state.
Allows multiple participants in the update protocol. This can be used as the update protocol for a channel factory with 3 or more participants, for example (channels are not practical for multiple participants since the loss of any one participant makes the channel completely unusable; it's more sensible to have a multiple-participant factory that splits up into 2-participant channels). Poon-Dryja only supports two participants. Another update protocol, Decker-Wattenhofer, also supports multiple participants, but requires much larger locktimes in case of a unilateral close (measurable in weeks, whereas Poon-Dryja and Decker-Russell-Osuntokun can be measured in hours or days).
It uses nLockTime in a very clever way.
No, it does not solve the "watchtower needed" problem. Decker-Russell-Osuntokun still requires watchtowers if you're planning to be offline for a long time.
What might be confused is that it was initially thought that watchtowers under Decker-Russell-Osuntokun could be made more efficient by having the channel participant update a single "slot" in the watchtower, rather than having to consume one "slot" per update in Poon-Dryja. However, the existence of the "poisoned blob" attack by ZmnSCPxj means that having a replaceable "slot" is risky if the other participant of the channel can spoof you. And the safest way to prevent spoofing somebody is to identify that somebody --- but now that means the watchtower can surveil the activities of somebody it has identified, losing privacy.
Requires base layer change --- SIGHASH_NOINPUT / SIGHASH_ANYPREVOUT. This is still being worked out and may potentially not reach Bitcoin anytime soon.
Determining costs of routes is somewhat harder, and may complicate routefinding algorithms. In particular: every channel today has a "CLTV Delta", a number of blocks by which the total maximum delay of the payment is increased. This maximum delay is the maximum amount of time by which an outgoing payment can be locked, and needs to be reduced for UX purposes. Decker-Russell-Osuntokun will also add a "CSV minimum", a number of blocks, which must be smaller than the delay of an HTLC going through the channel. Current routefinding algos are good at minimizing a summed-up cost (like the "CLTV Delta") so the "CSV minimum" may require discovering / developing new routefinding algos.
Due to the "CSV minimum" above, existing nodes that don't understand Decker-Russell-Osuntokun cannot reliably route over Decker-Russell-Osuntokun channels, as they might not impose this minimum properly.
Multipart payments / AMP
Splitting up large payments into smaller parts!
There are at least three variants of multipart payments: Original, Base, and High.
Original is the original AMP proposed by Lightning Labs. It sacrifices proof-of-payment in order to allow each path to have a different payment hash. This is done by having the payer use a derivation scheme to generate each part's payment preimage from a seed, then splitting the seed (using secret sharing) across the parts. The receiver can only reconstruct the seed if all parts reach it.
Base simply uses the same payment hash for all routes. This retains proof-of-payment (i.e. an invoice is undeniably signed by the receiver, including a payment hash in the invoice; public knowledge of the payment preimage is proof that the receiver has in fact received money, and any third party can be convinced of this by being shown the signed invoice and the preimage). The receiver could just take one part of the payment and then claim to be underpaid by the payer and then deny service, but claiming any one part is enough to publish the payment preimage, creating a proof-of-payment: so the receiver can provably be made liable, even if it took just one part, thus the incentive of the receiver is to only take in the payment once all parts have arrived to it.
High requires elliptic curve points / scalars. It combines both Original and Base, retaining proof-of-payment (sacrificed by Original) and ensuring cryptographically-secure waiting for all parts (rather than the merely economically-incentivized waiting of Base). This is done by using the elliptic curve homomorphism (addition of scalars corresponds to addition of points) to add together the payer-provided preimage (really a scalar) of Original with the payee-provided preimage (really a scalar) of Base.
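The seed-derivation idea behind Original above, as an added example (this is not the AMP proposal's actual derivation or share format, nor code from Lightning Labs): the payer derives one preimage per part from a root seed and hashes each to get a distinct payment hash, then splits the seed with a simple n-of-n XOR sharing (my assumption for the sharing scheme) so the receiver can only recover any preimage once every part has arrived. The seed and indices are constructed values.

```python
import hashlib
import secrets


def sha256(b):
    return hashlib.sha256(b).digest()


def xor_all(blocks):
    """XOR a list of 32-byte blocks together (identity for an empty list)."""
    out = bytes(32)
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out


def xor_split(seed, n):
    """n-of-n XOR secret sharing: n-1 random shares, the last one fixes the XOR
    so that xor_all(shares) == seed. Missing any one share reveals nothing."""
    shares = [secrets.token_bytes(32) for _ in range(n - 1)]
    shares.append(xor_all([seed] + shares))
    return shares


def child_preimage(seed, index):
    """Per-part preimage derived from the root seed (example derivation)."""
    return sha256(seed + index.to_bytes(4, "big"))


def payer_build_parts(seed, n):
    """What the payer sends along each path: (index, payment_hash, seed_share).
    Every part carries a different payment hash."""
    shares = xor_split(seed, n)
    return [(i, sha256(child_preimage(seed, i)), shares[i]) for i in range(n)]


def receiver_settle(parts, expected_n):
    """Receiver side: until all expected_n parts (and their seed shares) are
    present the seed, and therefore every preimage, is unknown. Returns the
    preimages in part order, or None while parts are still missing."""
    if len({i for i, _, _ in parts}) < expected_n:
        return None
    seed = xor_all([share for _, _, share in parts])
    preimages = []
    for i, payment_hash, _ in sorted(parts):
        pre = child_preimage(seed, i)
        if sha256(pre) != payment_hash:
            raise ValueError("part %d: derived preimage does not match its hash" % i)
        preimages.append(pre)
    return preimages
```

The proof-of-payment loss the text mentions is visible in the code: the payer knows the seed, so it can compute every `child_preimage` itself, and a revealed preimage therefore proves nothing to a third party about whether the receiver was paid.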
Better expected reliability. Channels are limited by capacity. By splitting up into many smaller payments, you can fit into more channels and be more likely to successfully reach the payee.
Capacity on multiple of your channels can be used to pay. Currently if you have 0.05BTC on one channel and 0.05BTC on another channel, you can't pay 0.06BTC without first rebalancing your channels (and paying fees for the rebalance first, whether the payment succeeds or not). With multipart you can now combine the capacities of multiple of your channels, and only pay fees for combining them if the payment pushes through.
Wumbo payments (oversized payments) come "for free" without having to be explicitly supported by the nodes of the network: you just split up wumbo payments into parts smaller than the wumbo limit.
Multipart will have higher fees. Part of the feerate of each channel is a flat-rate fee. Going through multiple paths means paying more of this flat-rate fee.
It's not clear how to split up payments. Heuristics for payment splitting have to be derived and developed and tested.
Payment points / scalars
Using the magic of elliptic curve homomorphism for fun and Lightning Network profits! Basically, currently on Lightning an invoice has a payment hash, and the receiver reveals a payment preimage which, when inputted to SHA256, returns the given payment hash. Instead of using payment hashes and preimages, just replace them with payment points and scalars. An invoice will now contain a payment point, and the receiver reveals a payment scalar (private key) which, when multiplied with the standard generator point G on secp256k1, returns the given payment point. This is basically Scriptless Script usage on Lightning, instead of HTLCs we have Scriptless Script Pointlocked Timelocked Contracts (PTLCs).
Enables a shit-ton of improvements: payment decorrelation, stuckless payments, noncustodial escrow over Lightning (the Hodl Hodl Lightning escrow is custodial, read the fine print), High multipart.
It's the same coolness that makes Schnorr Signatures cool. ECDSA, despite being based on elliptic curves, is not cool because the hash-the-nonce operation needed to prevent it from infringing Schnorr's fatherfucking patent also prevents ECDSA from using the cool elliptic curve homomorphism of addition over scalars.
Requires Schnorr on Bitcoin layer.
Actually, we can work with 2p-ECDSA without waiting for Schnorr. We get back the nice elliptic curve homomorphism by passing the ECDSA nonce through another cryptosystem, Paillier. This gets us the ability to do Scriptless Script. I think it has only 80-bits security because of going through Paillier though.
Basically the conundrum is: we could implement 2p-ECDSA now, hope we never have to test the 80-bit security anytime soon, then switch to Schnorr with 128-bit security later (which means reimplementing a bunch of things, because the calculations are different and the data that needs to be exchanged between channel participants is very different between the 2p-ECDSA and Schnorr). Reimplementing is painful and is more dev work. If we don't implement with 2p-ECDSA now, though, we will be delaying all the nice elliptic curve goodness (stuckless, noncustodial escrow, payment decorrelation) until Bitcoin gets Schnorr.
Elliptic curve discrete log problem is theoretically quantum-vulnerable. If we can't find a quantum-resistant homomorphic construction, we'll have to give up the advantages (payment decorrelation, stuckless payments, noncustodial escrow over Lightning) we got from using elliptic curve points and go back to boring old hashes.
Ensuring that payers cannot access data or other digital goods without proof of having paid the provider. In a nutshell: the payment preimage used as a proof-of-payment is the decryption key of the data. The provider gives the encrypted data, and issues an invoice. The buyer of the data then has to pay over Lightning in order to learn the decryption key, with the decryption key being the payment preimage.
Enables data providers to sell data. This could be sensors, livestreams, blogs, articles, whatever.
There's no scheme to determine if the data provider is providing actually-useful data. The data-provider could just stream https://random.org for example. This is a potentially-impossible problem. Even if the data-provider provides a "sample" of the data, and is able to derive some proof that the sample is indeed a true snippet of the encrypted data, the rest of the data outside of the sample might just be random junk.
Stuckless payments
No more payments getting stuck somewhere in the Lightning network without knowing whether the payee will ever get paid! (That's actually a bit of an overclaim: payments can still get stuck, but what "stuckless" really enables is that we can now safely run another parallel payment attempt until any one of the payment attempts gets through.) Basically, by using the ability to add points together, the payer can enforce that the payee can only claim the funds if it knows two pieces of information:
The payment scalar corresponding to the payment point in the invoice signed by the payee.
An "acknowledgment" scalar provided by the payer to the payee via another communication path.
This allows the payer to make multiple payment attempts in parallel, unlike the current situation where we must wait for an attempt to fail before trying another route. The payer only needs to ensure it generates different acknowledgment scalars for each payment attempt. Then, if at least one of the payment attempts reaches the payee, the payee can then acquire the acknowledgment scalar from the payer. Then the payee can acquire the payment. If the payee attempts to acquire multiple acknowledgment scalars for the same payment, the payer just gives out one and then tells the payee "LOL don't try to scam me", so the payee can only acquire a single acknowledgment scalar, meaning it can only claim a payment once; it can't claim multiple parallel payments.
Can safely run multiple parallel payment attempts as long as you have the funds to do so.
Needs payment point + scalar.
Non-custodial escrow over Lightning
The "acknowledgment" scalar used in stuckless can be reused here. The acknowledgment scalar is derived as an ECDH shared secret between the payer and the escrow service. On arrival of payment to the payee, the payee queries the escrow to determine if the acknowledgment point is from a scalar that the escrow can derive using ECDH with the payer, plus a hash of the contract terms of the trade (for example, to transfer some goods in exchange for Lightning payment). Once the payee gets confirmation from the escrow that the acknowledgment scalar is known by the escrow, the payee performs the trade, then asks the payer to provide the acknowledgment scalar once the trade completes. If the payer refuses to give the acknowledgment scalar even though the payee has given over the goods to be traded, then the payee contacts the escrow again, reveals the contract terms text, and requests to be paid. If the escrow finds in favor of the payee (i.e. it determines the goods have arrived at the payer as per the contract text) then it gives the acknowledgment scalar to the payee.
True non-custodial escrow: the escrow service never holds any funds.
Needs payment point + scalar.
Payment decorrelation
Because elliptic curve points can be added (unlike hashes), for every forwarding node we can add a "blinding" point / scalar. This prevents multiple forwarding nodes from discovering that they have been on the same payment route. This is unlike the current payment hash + preimage, where the same hash is used along the route. In fact, the acknowledgment scalar we use in stuckless and escrow can simply be the sum of each blinding scalar used at each forwarding node.
Privacy! Multiple forwarding nodes cannot coordinate to try to uncover the payer and payee of each payment.
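A worked version of the point-based constructions from the payment points, stuckless and decorrelation sections above, added here as an example (it is not code from the post, from any Lightning implementation, or from the PTLC proposals): pure-Python secp256k1 arithmetic, a payee payment point in place of a payment hash, one blinding scalar per forwarding hop so every hop sees a different lock point, the acknowledgment scalar as the sum of those blinders, and the claim unwinding back to the payer. The blinder values are constructed, and the add-one-blinder-per-hop-on-forward / subtract-on-claim bookkeeping is one consistent way to arrange the route and is an assumption of this example.

```python
import secrets

# secp256k1 parameters (field prime, group order, generator)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def scalar_mul(k, pt=G):
    """Double-and-add; k is reduced modulo the group order."""
    result, k = None, k % N
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def payee_invoice():
    """Payee picks the payment scalar s and puts the payment point S = s*G in
    the invoice (the PTLC analogue of payment preimage and payment hash)."""
    s = secrets.randbelow(N - 1) + 1
    return s, scalar_mul(s)


def hop_lock_points(payment_point, hop_blinders):
    """Lock point each forwarding hop receives: hop i gets S + (b_1+...+b_i)*G,
    so no two hops see the same point (decorrelation). The last entry is the
    point the payee receives."""
    points, acc = [], payment_point
    for b in hop_blinders:
        acc = point_add(acc, scalar_mul(b))
        points.append(acc)
    return points


def payer_lock_point(payment_point, hop_blinders):
    """Final lock point S + ack*G, where the acknowledgment scalar ack is the
    sum of all blinders. The payer hands ack to the payee out of band for the
    one attempt it wants to succeed (stuckless), never for two attempts."""
    ack = sum(hop_blinders) % N
    return point_add(payment_point, scalar_mul(ack)), ack


def payee_can_claim(lock_point, payment_scalar, ack_scalar):
    """The payee can settle only if s + ack is the discrete log of the lock
    point it received; without ack a parallel attempt cannot be claimed."""
    return scalar_mul((payment_scalar + ack_scalar) % N) == lock_point


def unwind_claim(claim_scalar, hop_blinders):
    """Settlement back toward the payer: each hop receives a scalar from
    downstream, subtracts its own blinder and reveals the result upstream.
    Returns (scalar received by each hop, hop 1 first; scalar the payer
    recovers), the latter being s, the payer's proof of payment."""
    received, cur = [], claim_scalar
    for b in reversed(hop_blinders):
        received.append(cur)
        cur = (cur - b) % N
    return received[::-1], cur
```

Each intermediate hop can check that the scalar it receives is the discrete log of its own incoming lock point, so a hop cannot be made to reveal a scalar that does not settle its upstream PTLC, while no hop learns s itself.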
Price and Libra posts are shit boring, so let's focus on a technical topic for a change. Let me start by presenting a few of the upcoming Bitcoin consensus changes. (as these are consensus changes and not P2P changes it does not include erlay or dandelion) Let's hope the community strongly supports these upcoming updates!
Schnorr signatures
The sexy new signing algo.
We have a simpler proof of the security of Schnorr than the current ECDSA: a general heuristic is that a simpler proof is better since simpler proofs have less complexity for vulnerabilities to hide in. In practice most cryptographers would consider these roughly equivalent in security.
Linear signatures. This lets you do some operations on signatures which include making it possible for an n-of-n signing group to construct a single pubkey and signature, as well as providing secret communications channels (i.e. you provide the difference between two scalars privately, then create a signature using one scalar and publish it, which reveals the other scalar, letting you communicate this scalar while providing a signature that validates a transaction).
As a completely new signing scheme we can optimize signatures and public keys a little more than the existing ECDSA Bitcoin signatures, to help reduce resource usage. For instance a SECP256K1 point requires 257 bits to store, which is typically stored as one byte for the "extra" 1 bit and 32 bytes as the remaining 256 bits, but this extra bit is really the "sign" of the point (positive or negative) and we can enforce certain restrictions like "always use positive points", and a scalar which produces a negative point can be "negated" to produce a positive point, letting us cut out one entire byte from precious onchain space.
The Schnorr patent strongly discouraged development of Schnorr signatures. For this reason there are still details that haven't been hammered out. The bip-schnorr proposal by Pieter hammers down some details, but there are still some concerns about multisignature and more complex usages below that are still being investigated.
MuSig
A provably-secure way for a group of n participants to form an aggregate pubkey and signature. Creating their group pubkey does not require their coordination other than getting individual pubkeys from each participant, but creating their signature does require all participants to be online near-simultaneously.
Provably-secure. We already knew from Schnorr's work that Schnorr signatures allow multiparticipant signing, but his original proposal was actually insecure (this is part of the disadvantage caused by Schnorr patenting the signature scheme, nobody bothered to correct his multiparticipant signing procedure because why give free work for him?).
We can create a group pubkey without telling the group we made such; we only need to get their individual pubkeys. This can be useful in some protocols, e.g. escrow protocols where we elect a group of n-of-n participants as a possible escrow signer; we create this group pubkey from the published pubkeys of the escrow services, but only reveal to them that this group pubkey involves them later in case of dispute (signing requires everyone's cooperation); if the trade has no dispute at all then the escrow group never needs to learn that the group pubkey included them or that the trade was potentially an escrow trade.
Creates just a single signature and pubkey, greatly reducing the space needed onchain for n-of-n groups.
No actual change in consensus needed, other than supporting Schnorr signatures as a consensus signing scheme.
Only n-of-n; m-of-n requires verifiable secret sharing in addition to MuSig. In particular, for m-of-n we require that the participants also cooperate while generating the group pubkey (unlike the n-of-n case where we can just get published pubkeys, the m-of-n case requires that we perform some cooperative calculation to generate the private key shares for each participant).
Unlike separate-signatures-and-pubkeys multisig (i.e. what current OP_CHECKMULTISIG does), a participant cannot simply send a signature it generates by itself and then go offline, in no specific order. Instead, participants have to cooperatively generate a temporary signing nonce and then generate the signature. This is what forces all participants to be online at the time of generating the signature. This can be mitigated somewhat since you can pass around partial signatures, so once you have gotten the agreed-upon nonce and then created your partial signature, you can then go offline. This might not be a particularly big disadvantage but existing protocols might require an extra message turnaround in order to handle the multiple-rounds nature of MuSig.
Taproot
Hiding a Bitcoin SCRIPT inside a pubkey, letting you sign with the pubkey without revealing the SCRIPT, or reveal the SCRIPT without signing with the pubkey.
You can show a SCRIPT and ignore the pubkey, or sign with the pubkey and ignore (and never reveal) the SCRIPT. This can be simulated somewhat with current Bitcoin by using a separate transaction that pays from a pubkey (or m-of-n or n-of-n multisig) to a SCRIPT, which you only publish if you want to take the SCRIPT path, but Taproot optimizes this by letting you dispense with that separate transaction. Some protocols that want to have some privacy (CoinSwap in particular) will need to have some way to hide the SCRIPT path and just use a pubkey (or m-of-n or n-of-n) in the "best case", and Taproot allows the "worst case" SCRIPT path to be somewhat more optimized if we need to take that branch.
The exact proposed mechanism in bip-taproot by Pieter allows another version number to be embedded. So not only do we have current 16 available SegWit versions (v0 already in use, v1 is intended to be taken for Taproot, v2->15 are for future expansion) we also extend SegWit v1 to have 256 "script versions" too, only one of which will be used for MAST (see below). A new "script version" can completely drop the current stack-based SCRIPT language and replace it with a completely new language, for example.
As a new SegWit version we can change the rules of the SCRIPT language to clean up some infelicities of the existing SCRIPT. For example, instead of OP_NOP operations we have OP_SUCCESS operations in the Taproot SCRIPT. When a softfork changes an OP_NOP to a different opcode, it can only either fail the SCRIPT or do nothing to the stack. When a softfork changes an OP_SUCCESS to a different opcode, it can do anything, including put new items on the stack, rearrange the stack, and so on.
It uses the pay-to-contract construction, which lets a UTXO commit to a message (in Taproot's case, the SCRIPT) without using any space beyond the pubkey it pays to. However, other schemes might also want to use pay-to-contract (for the same reason: a message commitment at no cost beyond the pubkey), so care must be taken to ensure that such schemes do not conflict with Taproot itself.
Having a "SCRIPT only" UTXO (i.e. one which cannot be spent with a simple signature, but only via some more complex SCRIPT) requires a "nothing up my sleeve" (NUMS) point, i.e. a pubkey generated in such a way that nobody, including us, can learn the corresponding privkey. This is already doable, but it means we actually have to use a NUMS point whenever we want a UTXO that can only be spent via a particular SCRIPT.
Encode each possible branch of a Bitcoin contract separately, and only require revelation of the exact branch taken, without revealing any of the other branches. One of the Taproot script versions will be used to denote a MAST construction. If the contract has only one branch then MAST does not add more overhead.
Privacy; branches not taken are not revealed, potentially hiding the possible participation of some entity with known pubkey if that entity ends up not signing for that branch.
Can be used to emulate m-of-n while using only n-of-n MuSigs (remember, n-of-n MuSig can be set up by knowing only the pubkeys of all participants, but m-of-n requires that the participants split up an n-of-n MuSig key into m shares, and each participant has to remember its own share (which can be difficult for hardware wallets to safely do)). To emulate m-of-n, you just get every subgroup of m participants, create an m-of-m MuSig pubkey for each subgroup, then make multiple OP_CHECKSIG scripts, each of which you treat as a "separate branch" in the MAST (you probably want to use a NUMS point as the Taproot pubkey that hides the MAST scripts, or select which sub-group of m is the most likely to be online later and put that as the Taproot pubkey). You need to have m participants online at signing time. This has the side effect of not revealing participants who didn't sign.
Requires O(log n) data to be revealed for n branches. This mildly leaks some information: if you see q hashes in the MAST proof, then (for a balanced tree) the number of branches is between 2^(q-1) and 2^q. This can be twisted around to make unbalanced MAST trees, but unbalanced MAST trees imply that some branches are more likely than others (you'd put the more likely branches in the leaves nearer the root, so less data revealed == more likely), which again is a mild information leak. It might not be a particularly bad information leak in practice, but for example Graftroot (which is not yet proposed) achieves O(1) data revelation for n branches, leaking nothing at all about the number of other branches or the probability of the revealed branch.
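As an added illustration (not part of the original post, and not a consensus-exact implementation), here is a toy MAST in Python that does the m-of-n emulation described above: one leaf per m-subset of signers, a Merkle root over the leaves, a proof for the branch actually taken, and the bound an observer can place on the number of branches from the proof length. The TapLeaf/TapBranch tagged-hash structure mirrors bip-taproot, but the leaf version, the script bytes (a placeholder string standing in for the MuSig key of the subgroup followed by OP_CHECKSIG) and the length prefix are simplified assumptions.

```python
import hashlib
from itertools import combinations
from typing import List, Tuple

LEAF_VERSION = 0xC0  # assumption: placeholder for the MAST "script version" of the leaf


def tagged_hash(tag: str, data: bytes) -> bytes:
    # SHA256(SHA256(tag) || SHA256(tag) || data), domain-separating leaves from branches
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def leaf_hash(script: bytes) -> bytes:
    # TapLeaf-style commitment: leaf version || length-prefixed script (scripts < 256 bytes here)
    return tagged_hash("TapLeaf", bytes([LEAF_VERSION]) + len(script).to_bytes(1, "big") + script)


def branch_hash(a: bytes, b: bytes) -> bytes:
    # children are sorted, so the verifier does not need to know left/right
    lo, hi = sorted((a, b))
    return tagged_hash("TapBranch", lo + hi)


def build_mast(scripts: List[bytes]) -> Tuple[bytes, List[List[bytes]]]:
    """Return (merkle_root, proofs); proofs[i] is the sibling path for scripts[i]."""
    level = [leaf_hash(s) for s in scripts]
    proofs: List[List[bytes]] = [[] for _ in scripts]
    owners = [[i] for i in range(len(scripts))]   # which leaves sit under each node
    while len(level) > 1:
        next_level, next_owners = [], []
        for j in range(0, len(level), 2):
            if j + 1 == len(level):                # odd node out: promote it unchanged
                next_level.append(level[j])
                next_owners.append(owners[j])
                continue
            for i in owners[j]:
                proofs[i].append(level[j + 1])
            for i in owners[j + 1]:
                proofs[i].append(level[j])
            next_level.append(branch_hash(level[j], level[j + 1]))
            next_owners.append(owners[j] + owners[j + 1])
        level, owners = next_level, next_owners
    return level[0], proofs


def verify_branch(root: bytes, script: bytes, proof: List[bytes]) -> bool:
    # the spender reveals only this script and its sibling hashes, never the other branches
    h = leaf_hash(script)
    for sibling in proof:
        h = branch_hash(h, sibling)
    return h == root


def mofn_leaves(pubkeys: List[bytes], m: int) -> List[bytes]:
    # one branch per m-subset; "MUSIG(...)" is a placeholder for that subgroup's m-of-m MuSig key
    return [b"MUSIG(" + b",".join(sorted(sub)) + b") OP_CHECKSIG"
            for sub in combinations(pubkeys, m)]


def branch_count_bounds(proof_len: int) -> Tuple[int, int]:
    # for a balanced tree, q revealed hashes means 2^(q-1) < leaves <= 2^q
    if proof_len == 0:
        return (1, 1)
    return (2 ** (proof_len - 1) + 1, 2 ** proof_len)


if __name__ == "__main__":
    pks = [b"A", b"B", b"C", b"D"]                # constructed placeholder pubkeys
    leaves = mofn_leaves(pks, 2)                  # every 2-of-4 subgroup: 6 branches
    root, proofs = build_mast(leaves)
    assert all(verify_branch(root, s, p) for s, p in zip(leaves, proofs))
    print(len(leaves), [len(p) for p in proofs])  # 6 [3, 3, 3, 3, 2, 2]
    print(branch_count_bounds(len(proofs[0])))    # (5, 8)
```

With six leaves the tree is not a power of two, so the two promoted leaves get a shorter proof than the others; an observer who sees a 2-hash proof and assumes a balanced tree would conclude "3 or 4 branches" and be wrong. That is exactly the unbalanced-tree leak the post mentions: proof length says something about how the tree was laid out, and hence which branches the author expected to be taken.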
In this post, I will prove that the two main arguments against the new CHECKDATASIG (CDS) op-codes are invalid. And I will prove that two common arguments for CDS are invalid as well. The proof requires only one assumption (which I believe will be true if we continue to reactivate old op-codes and increase the limits on script and transaction sizes [something that seems to have universal support]):

ASSUMPTION 1. It is possible to emulate CDS with a big long raw script.
Why are the arguments against CDS invalid?
Easy. Let's analyse the two arguments I hear most often against CDS:
ARG #1. CDS can be used for illegal gambling.
This is not a valid reason to oppose CDS because it is a red herring. By Assumption 1, the functionality of CDS can be emulated with a big long raw script. CDS would not then affect what is or is not possible in terms of illegal gambling.
ARG #2. CDS is a subsidy that changes the economic incentives of bitcoin.
The reasoning here is that being able to accomplish in a single op-code, what instead would require a big long raw script, makes transactions that use the new op-code unfairly cheap. We can shoot this argument down from three directions:
(A) Miners can charge any fee they want.
It is true that today miners typically charge transaction fees based on the number of bytes required to express the transaction, and it is also true that a transaction with CDS could be expressed with fewer bytes than the same transaction constructed with a big long raw script. But these two facts don't matter, because every miner is free to charge any fee he wants for including a transaction in his block. If a miner wants to charge more for transactions with CDS he can (e.g., maybe the miner believes such transactions cost him more CPU cycles and so he wants to be compensated with higher fees). Similarly, if a miner wants to discount the big long raw scripts used to emulate CDS he could do that too (e.g., maybe a group of miners have built efficient ways to propagate and process these huge scripts and now want to give a discount to encourage their use). The important point is that the existence of CDS does not impede the free market's ability to set efficient prices for transactions in any way.
(B) Larger raw transactions do not imply increased orphaning risk.
Some people might argue that my discussion above was flawed because it didn't account for orphaning risk due to the larger transaction size when using a big long raw script compared to a single op-code. But transaction size is not what drives orphaning risk. What drives orphaning risk is the amount of information (entropy) that must be communicated to reconcile the list of transactions in the next block. If the raw-script version of CDS were popular enough to matter, then transactions containing it could be compressed as ....CDS'(signature, message, public-key).... where CDS' is a code* that means "reconstruct this big long script operation that implements CDS." Thus there is little if any fundamental difference in terms of orphaning risk (or bandwidth) between using a big long script or a single discrete op code.
(C) More op-codes does not imply more CPU cycles.
Firstly, all op-codes are not equal. OP_1ADD (adding 1 to the input) requires vastly fewer CPU cycles than OP_CHECKSIG (checking an ECDSA signature). Secondly, if CDS were popular enough to matter, then whatever "optimized" version could be created for the discrete CDS op-codes could also be used for the big long version emulating it in raw script. If this is not obvious, realize that all that matters is that the output of both functions (the discrete op-code and the big long script version) must be identical for all inputs, which means that it does NOT matter how the computations are done internally by the miner.
Why are (some of) the arguments for CDS invalid?
Let's go through two of the arguments:
ARG #3. It makes new useful bitcoin transactions possible (e.g., forfeit transactions).
If Assumption 1 holds, then this is false, because CDS can be emulated with a big long raw script. Nothing that isn't possible becomes possible.
ARG #4. It is more efficient to do things with a single op-code than a big long script.
This is basically Argument #2 in reverse. Argument #2 was that CDS would be too efficient and change the incentives of bitcoin. I then showed how, at least at the fundamental level, there is little difference in efficiency in terms of orphaning risk, bandwidth or CPU cycles. For the same reason that Argument #2 is invalid, Argument #4 is invalid as well. (That said, I think a weaker argument could be made that a good scripting language allows one to do the things he wants to do in the simplest and most intuitive ways and so if CDS is indeed useful then I think it makes sense to implement in compact form, but IMO this is really more of an aesthetics thing than something fundamental.) It's interesting that both sides make the same main points, yet argue in the opposite directions. Argument #1 and #3 can both be simplified to "CDS permits new functionality." This is transformed into an argument against CDS by extending it with "...and something bad becomes possible that wasn't possible before and so we shouldn't do it." Conversely, it is transformed to an argument for CDS by extending it with "...and something good becomes possible that was not possible before and so we should do it." But if Assumption 1 holds, then "CDS permits new functionality" is false and both arguments are invalid. Similarly, Arguments #2 and #4 can both be simplified to "CDS is more efficient than using a big long raw script to do the same thing." This is transformed into an argument against CDS by tacking on the speculation that "...which is a subsidy for certain transactions which will throw off the delicate balance of incentives in bitcoin!!1!." It is transformed into an argument for CDS because "... heck, who doesn't want to make bitcoin more efficient!"
What do I think?
If I were the emperor of bitcoin I would probably include CDS because people are already excited to use it, the work is already done to implement it, and the plan to roll it out appears to have strong community support. The work to emulate CDS with a big long raw script is not done. Moving forward, I think Andrew Stone's (thezerg1) approach outlined here is an excellent way to make incremental improvements to Bitcoin's scripting language. In fact, after writing this essay, I think I've sort of just expressed Andrew's idea in a different form.

* You might call it an "opcode", teehee.
The first iteration of the block reward scheme was announced in the previous weekly update. An immediate concern raised by the community was that the emission was too aggressive in the initial year and that rewards dropped off fast beyond the 5 year mark. Taking Bitcoin's emission as an example, the emission curve has been updated to target 2% emission after 10 years.

![Updated emission curve](https://miro.medium.com/max/2384/1*gqBLvJOl2G4n3IHW1rViKg.png)

The block reward is given by the following recurrence equation:

g(n+2) = ((R - (g(n+1) + g(n))) / x) / y

which evaluates to:

![Block reward equation](https://miro.medium.com/max/1624/1*ttpsRd7HUs2-7hvDGO6elg.png)

where:

R = Reserve
x = 6 (arbitrary emission factor)
y = blocks per year = (seconds per day / seconds per block) * days per year = (86400 / 5) * 365.2425

The final curve thus has a Day 0 emission of 25%, Year 1 emission of 20% and Year 10 emission of 2%.
The original plan for BEPSwap (prior to the Yggdrasil liquidity breakthrough) was to have it as a separate mainnet before launching the real THORChain in 2020 with cross-chain support. Now THORChain has built-in cross-chain support and a clear roadmap to 99 nodes. This means the mainnet launch will have public, community-run nodes from the start. The community has been fielding many questions about how to run a node and the mechanics of doing so. Since the THORChain team will not be running any nodes, it is necessary to have a full rehearsal with the community at launch. As such, the plan is for a public ChaosNet on 03 January 2020. ChaosNet will have the following key differences:

* Minimum bond of 100k RUNE.
* Maximum of 12 nodes.
* Churn cycle of 1 day.
* Maximum stake amount of 600k RUNE total.
* 2.7m RUNE Protocol Reserve to emit Bond and Stake rewards.
* Hard-coded Ragnarök at 6 weeks.

Any member who wishes to join ChaosNet to get accustomed to running a node can do so, and will receive block rewards roughly equivalent to mainnet (25%). They will be setting up nodes, churning in, servicing the network and earning rewards. The system will hold up to 600k RUNE, at which point it will refund any additional staked amount. The community can stake small amounts of real assets, prepare arbitrage bots, set up Telegram alert bots and more. In short, it is a public rehearsal with the entire community across all facets (nodes, stakers, traders) so that everyone will have access to the same information and not unfairly benefit when the real mainnet launches. Additionally, the system will be hard-coded to perform a Ragnarök 6 weeks later, which will refund all the remaining reserve as well as bonded and staked assets. This will go a long way in reassuring the community that the system can tolerate all levels of risk, including black-swan events, and that funds are safe at all times.
A new feature will be launched that allows users to perform internal arbitrage. This is an asymmetrical withdrawal to RUNE, immediately followed by an asymmetrical stake of that RUNE in another pool. A trader may want to do this instead of transactional arbitrage in order to exploit price differences between two pools in the fastest way possible. Instead of an outgoing transaction being processed, followed by another incoming transaction, RUNE balances and stakeUnits are swapped internally, completing inside of a few seconds.
Fee-based Transaction Prioritisation
Currently there is no prioritisation of the order of transactions; all transactions are simply processed in order of time received. In moments of high demand on network resources (such as when there are large arbitrage opportunities and users are racing to exploit them), transactions will queue in the mempool. If the system cannot respond fast enough, then the reason for the high demand (the large arbitrage opportunity) will persist. The solution is to remove the reason for the high demand in the first place, which is the large arbitrage opportunity, while at the same time collecting the maximum revenue for the system. As such, in the checkTx method (which can triage the mempool), transactions will be sorted and ordered by the value of the fee of the swap transaction. Assuming rational actors, the following transactions will then be prioritised over all others:

* A transaction from an impatient swapper who is willing to pay a large fee.
* A transaction from a trader who is able to arbitrage out a price discrepancy (and still make a gain).

This means the system can collect as much income as possible (good for the stakers) while prioritising transactions that can arbitrage out large price discrepancies quickly. Swaps from transient swappers will then experience a market price that accurately matches the reference price at all times.
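The triage described above, written out as an added example (this is not THORNode code): a mempool that orders pending swaps by fee, highest first, with arrival order as the tie-break, shown next to the first-come-first-served ordering it replaces. Fee units, the function names and the sample arrivals are assumptions.

```python
import heapq
from itertools import count
from typing import List, Tuple

Arrival = Tuple[str, int]   # (tx_id, swap fee paid to the pool, in base units)


class SwapMempool:
    """Orders pending swaps by fee, highest first; equal fees keep arrival order."""

    def __init__(self) -> None:
        self._heap: List[Tuple[int, int, str]] = []
        self._seq = count()     # monotonic arrival counter, used as the tie-break

    def check_tx(self, tx_id: str, fee: int) -> None:
        # checkTx-style admission: reject a malformed fee, then rank by fee.
        # heapq is a min-heap, so the fee is negated to pop the largest first.
        if fee < 0:
            raise ValueError("swap fee must be non-negative")
        heapq.heappush(self._heap, (-fee, next(self._seq), tx_id))

    def next_for_block(self, n: int) -> List[str]:
        # hand the n best-paying swaps to the block, FIFO among equal fees
        out: List[str] = []
        while self._heap and len(out) < n:
            out.append(heapq.heappop(self._heap)[2])
        return out


def fifo(arrivals: List[Arrival], n: int) -> List[str]:
    # current behaviour: order of time received
    return [tx_id for tx_id, _ in arrivals[:n]]


def triage(arrivals: List[Arrival], n: int) -> List[str]:
    # proposed behaviour: the arbitrageur and the impatient swapper jump the queue
    mp = SwapMempool()
    for tx_id, fee in arrivals:
        mp.check_tx(tx_id, fee)
    return mp.next_for_block(n)


if __name__ == "__main__":
    # constructed arrivals, in time-received order
    arrivals = [("swap-1", 10), ("swap-2", 10), ("arb-bot", 500), ("impatient", 120), ("swap-3", 5)]
    print(fifo(arrivals, 3))    # ['swap-1', 'swap-2', 'arb-bot']
    print(triage(arrivals, 3))  # ['arb-bot', 'impatient', 'swap-1']
```

The arbitrage bot, which is willing to pay the most because it captures the price discrepancy, is processed first and removes the cause of the congestion; the small swaps are not dropped, only deferred, and among equal fees nobody can be starved by a later arrival.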
The team are working on 4 parallel streams of effort. Cross-chain infrastructure has now been merged into a single repo called “THORNode”. * THORChain * Midgard Public API * Threshold Signature Scheme implementation * Front-end Integration for BEPSwap
Best General RenVM Questions | September 2019

*These questions are sourced directly from Telegram.

Q: Given the RenVM Mainnet Roll-out Plan, what are the differences between how Darknodes participate in the P2P Network, Consensus, and Execution within RenVM?

A: An outline of each component and its role in the RenVM system is given below:

P2P Network: The peer-to-peer network is used for two core purposes: peer discovery, and message saturation. Peer discovery allows Darknodes to learn about other active Darknodes in their shard, and in the network at large. Message saturation ensures that all messages sent around the network are seen by everyone.

Consensus: The consensus engine is used to reach a strict ordering of transactions that go through RenVM. This ensures that the Darknodes powering RenVM are able to agree on what actions to take, and when.

Execution: The execution engine is used to run secure multiparty computations. This is how actions in RenVM are ultimately taken. These actions involve generating private keys, signing interoperability transactions, and, in the future, running general-purpose application logic. And all of this in secret.

Q: How do I shut down my current Darknode(s)?

A: Follow this instruction set explicitly and you won't have any issues: https://renproject.zendesk.com/hc/en-us/articles/360020365234-How-to-Fully-Deregister-a-Darknode

Q: Is running a Darknode on Chaosnet useful for the team?

A: Yes, by running a Chaosnet Darknode you are inherently helping us test. One of the core purposes of Chaosnet is to test the real-world incentives of RenVM. Running (and continuing to run) a Chaosnet Darknode says something about the incentives at play: they're enough to get people running Darknodes. And this helps us! In fact, by not running a Chaosnet Darknode you're also inherently helping us test. It's telling us there's something not quite right with the incentives.

Q: And what's the incentive for someone to collude and attack the network during Chaosnet?

A: The ability to steal real BTC/ZEC/BCH, the want to help us test the network, the want to betray their fellow colluders and take their REN bonds, and of course, some (wo)men just want to watch the world burn.

Q: All of this de-registering and re-registering for mainnet is a bit annoying; is it necessary?

A: We do certainly understand the point, as it's been discussed at length, but registration for the RenVM Mainnet is a necessary component (applying automatic updates for current Darknodes to run RenVM is not technically feasible). This announcement is very much an administrative piece to ensure our community has plenty of time and notice to proceed at the speed they prefer. Chaosnet is designed for testing and those willing to actively experiment, but it is certainly not mandatory, and there is no pressure on the general community to be active during this period. In summary, those who prefer to be less active should de-register their current Darknode(s) and wait patiently for activation at the release of Mainnet SubZero; no other action is needed.

Q: Is RenVM secure against quantum computing?

A: The core of RZL sMPC is theoretically secure. This means that no amount of compute power can break it (making it post-Q safe). There are some parts of it that are not (zkSNARKs and some hashes that aren't known to be post-Q safe or not), but these are easy to replace (with zkSTARKs and some post-Q-safe hashes). RZL sMPC provides ECDSA signatures because that's what is used by Ethereum, Bitcoin, etc. Whatever solution they come up with will be the solution that RZL has to be upgraded to use (the whole point of RenVM is not to tell other chains how to do things, and still provide interop; this means waiting on them to define their solution and then working with that). In short, if a QC can steal funds from RenVM, it's because it can steal funds from any Ethereum/Bitcoin/etc. private key.

Q: If I don't deregister my Darknode by RenVM Mainnet, will I lose my 100K REN?

A: The REN bond is safe forever. You can deregister your Darknode from the legacy Mainnet whenever. We recommend doing it now, because it can take three days, and once Chaosnet rolls around that's where our support focus will be.

Q: When shifting in funds, say a user doesn't have ETH funds and this call fails: const newSigResult = await ethSig.submitToEthereum(web3.currentProvider). What is the best way for that user to pick up where they left off if they leave the web page to get some ETH, and then come back? Should the app generate a new shift-in object, override the params and gateway address objects, re-submit to RenVM, and then make the above call again? Assume the transaction info such as the original params and gateway address are stored in local storage, so those will be available when the user comes back.

A: This is the approach we take. We store the RenVM tx in local storage and then, when the user comes back, we can construct the Ethereum tx and hand it to them for signing again. You can construct the RenVM tx locally and store it before asking the user to send their BTC to the gateway, to protect against unexpected shutdowns. This way, you can recover from them leaving the app at any point in the process without loss of funds. (This also allows you to resend the RenVM tx in the event that the first send fails for any reason.)

Q 1: Could you elaborate on the proportionality of (a) the total value of bonded REN and (b) the total value of assets under RenVM control? Does RenVM require (b) <= (a) at all times? RenVM would need an oracle to determine the USD value of both (a) and (b).

A 1: The oraclisation is done by the Darknodes. Each of them assesses what they determine the value of (a) and (b) to be, and if 2/3rds of them independently decide (b) can be increased, then the network will be able to go ahead with the computation. We do require (b) < (a) but have not determined the exact ratio. Because Darknodes are randomly sampled (and constantly reshuffled) from the entire group, this value can consider the entire amount of REN bonded (not just the REN bonded by one shard).

Q 2: There's potentially an incentive-misalignment issue here: Darknodes would want to bypass the (b) < (a) limit in order to continue to process more txs and collect fees.

A 2: True, but there's also a natural incentive for Darknodes to want to keep the network secure. A hack would likely cause their REN to drop dramatically in price, and their REN will be locked for 2-3 months after deregistration. This is also true of users. They should be wary of keeping assets locked up when it nears the secure threshold. This can be encouraged by scaling down the burning fees/raising minting fees to encourage the movement of funds "in the right direction".

Q: Quick question: right now, a developer can choose to wait for 0 confirmations before minting zBTC on Ethereum when shifting in real BTC. Will the RenVM network require a minimum number of Bitcoin confirmations, or is that always up to the application developer? If it's up to the developer, what if the developer chooses 0 confirmations, mints zBTC, and then double-spends on the Bitcoin network, invalidating that original Bitcoin transaction? Shouldn't that invalidate the zBTC that was already minted from the original 0-conf transaction?

A: The developer cannot choose. RenVM will wait for the appropriate number of confirmations. On Testnet, this number is currently set to zero because it makes testing easier. On Mainnet, there will be systems for people to take on the "confirmation risk" and provide float. Devs can also set it up so that people can deposit ahead of time. We are also exploring Lightning and similar concepts.

Q: I've noticed an increase in txs made through RenVM. How are the tests going? Have you met any unexpected obstacles?

A: We've encountered a few issues with nodes when they are rebooted/crash (we are constantly rebooting/crashing them to make sure the network continues to operate as expected under those circumstances). But we have fixes in the works for all these issues, and it hasn't prevented us from being able to add new features (BCash and SegWit support has recently hit Devnet and will be arriving on Testnet soon).

Q1: If home chain = destination chain, then RenVM is effectively a mixing service?

A1: It can be used that way, definitely. But it has to have a few more privacy features enabled; shifting alone won't do.

Q2: RenVM mints Aztec notes, for example?

A2: Yep, that's the plan; we need to wait until the Ignition ceremony before this can be done. It's one of the next features in our pipeline though! BTC would "appear" on Ethereum with no known owner. And, if you wait an amount of time between getting the authorisation from RenVM and using the signature, then it would be impossible to trace it back to the request that went to RenVM.

Q: When I go to the Command Center, the page doesn't load?

A: One has to be on the Kovan Testnet (on Metamask). To do this, select the top middle button on your Metamask tab and click Kovan Test Network (purple circle). If you'd like to see it in action, submit a trade on our Testnet Dex Demo (https://renproject.github.io/renvm-demo/) and see it proceed through RenVM via the Hyperdrive tab: https://dcc-testnet.republicprotocol.com/hyperdrive

Q: Mixicles & RenVM: It seems like Mixicles could be used to preserve privacy features for on- and off-chain settlements in a blockchain-agnostic way. Wouldn't this be seen as a threat, as smart contracts could now replace a darkpool while maintaining the element of anonymity?

A: Mixicles (and all other ZK on-chain stuff we've seen) gives you privacy on the chain. So you can prove things have been done right (one of the things we like about public blockchains), without exposing any information about the thing (an issue with public blockchains). But the prover still has access to the information. This rules it out for many kinds of private apps. RenVM gives you absolute privacy. You can do things with data, and prove things about data, without anyone anywhere ever knowing anything about the data. This is much more general.

Q: Can't people just fork RenVM?

A: What ultimately prevents forks is the network effect. All projects that want to take decentralization seriously need to open-source their implementations. Almost by definition, a decentralized network is nothing but its community of people willing to work together; this is the very essence of "trust no-one except for the majority". If you refuse to open-source, you don't have a community, you have hostages. Building up momentum and creating a large network and community is incredibly valuable and not something that can be forked. Bitcoin is still Bitcoin, despite the large number of forks that have been created, and most of the time forks don't overtake or outpace the original because there is too much inertia in the original community. There are other, less philosophical, benefits too. Open-source code means you can get more feedback, people can help fix bugs and identify potential security issues, anyone can validate the implementation, and people can build their own implementations (resulting in highly desirable "N-versioning", which prevents a single bug compromising all nodes).

https://renproject.zendesk.com/hc/en-us/articles/360001180915-General-RenVM-Questions-September-2019
Hey /Bitcoin, I don't know the code behind Bitcoin, however I was just wondering about all the Bitcoin that were lost back when they were worth like a few pounds. Will they ever be regenerated? Or have they been lost forever? Is the system coded to realise there are quite a few missing and release a few more into the system to make up the 21 million available? Because in my opinion that is a bit of a waste, as I bet you millions of coins have been lost or deleted.
Bitcoin Cash Hard Fork 15 May 2019 | Know Everything About Upcoming BCH Fork
The price of Bitcoin Cash (BCH) surged dramatically once the news of the upcoming Bitcoin Cash fork came out. BCH broke over 300 USD, an increase of 13%, as the news of the Schnorr upgrade spread across the internet and the crypto space. Schnorr signatures were originally proposed for Bitcoin by Pieter Wuille, the Blockstream co-founder. The Bitcoin Cash community has voted for the Schnorr upgrade, unlike its criticism of past proposals such as Lightning, Segregated Witness (SegWit) and other technologies. The Bitcoin Cash hard fork is scheduled for May 15, 2019. Before that, a testnet has already been launched, which will help developers test before the official launch. You can track the BCH hard fork time here, where you can find the Bitcoin Cash hard fork countdown. Alyssa Hertig of CoinDesk tweeted that this change is going to be phenomenal, and is widely supported by community members:
Let us understand what difference the Schnorr upgrade would make to the 2019 BCH fork:
Cryptographically, to prove that you own bitcoin and to send funds to others, you "sign" a transaction with a private key. As of now this uses the Elliptic Curve Digital Signature Algorithm (ECDSA), which offers no batching or aggregation and so limits scalability and privacy. Schnorr signatures can be verified in batches: checking many signatures together is faster than verifying each one separately, which improves scalability. They can also be aggregated: the signatures (and public keys) of multiple signers, for example the inputs of a multi-signature transaction, can be combined into a single signature, which saves space and hides how many parties signed, giving a degree of privacy. Read More - https://coinswitch.co/news/bitcoin-cash-hard-fork-15-may-2019-know-everything-about-upcoming-bch-fork
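The batch verification the article refers to, as an added example (this is not code from the article nor from any Bitcoin Cash client): a minimal Schnorr signature over secp256k1 in pure Python with single and batch verification. The encoding choices here (full (x, y) public keys, a plain SHA-256 challenge, deterministic nonce from the key and message) are assumptions for illustration and deliberately not BCH's or BIP340's wire format; never use this for real funds. The batch check shows the algebraic identity and the random weighting that stops a forger from cancelling one bad signature against another; the actual speedup in a real verifier comes from computing the combined sum with one multi-scalar multiplication, which this example does not implement.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# secp256k1 parameters
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]   # None is the point at infinity


def point_add(A: Point, B: Point) -> Point:
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def point_mul(k: int, A: Point) -> Point:
    R: Point = None
    k %= N_ORD
    while k:                                          # double-and-add
        if k & 1:
            R = point_add(R, A)
        A = point_add(A, A)
        k >>= 1
    return R


def i2b(x: int) -> bytes:
    return x.to_bytes(32, "big")


def hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N_ORD


def challenge(R: Point, P: Point, msg: bytes) -> int:
    # e = H(R || P || m); binding the public key into the hash is what makes aggregation safe
    return hash_int(i2b(R[0]), i2b(R[1]), i2b(P[0]), i2b(P[1]), msg)


def keygen(seed: Optional[bytes] = None) -> Tuple[int, Point]:
    # seed is only for reproducible test fixtures; real keys come from secrets
    d = hash_int(seed) if seed is not None else secrets.randbelow(N_ORD - 1) + 1
    return d, point_mul(d, G)


def sign(d: int, msg: bytes) -> Tuple[Point, int]:
    k = hash_int(i2b(d), msg)                         # deterministic nonce, RFC 6979 style
    R = point_mul(k, G)
    e = challenge(R, point_mul(d, G), msg)
    return R, (k + e * d) % N_ORD                     # signature is (R, s)


def verify(P: Point, msg: bytes, sig: Tuple[Point, int]) -> bool:
    R, s = sig
    if R is None or not 0 < s < N_ORD:
        return False
    return point_mul(s, G) == point_add(R, point_mul(challenge(R, P, msg), P))


def batch_verify(items: List[Tuple[Point, bytes, Tuple[Point, int]]]) -> bool:
    """Check all (P, msg, sig) at once: (sum a_i s_i) G == sum a_i R_i + sum a_i e_i P_i."""
    if not items:
        return True
    lhs_scalar, rhs = 0, None
    for P, msg, (R, s) in items:
        if R is None or not 0 < s < N_ORD:
            return False
        a = secrets.randbelow(N_ORD - 1) + 1          # fresh random weight per signature
        lhs_scalar = (lhs_scalar + a * s) % N_ORD
        rhs = point_add(rhs, point_mul(a, R))
        rhs = point_add(rhs, point_mul(a * challenge(R, P, msg) % N_ORD, P))
    return point_mul(lhs_scalar, G) == rhs


def demo() -> Tuple[bool, bool, bool]:
    # constructed keys and messages; the seeds are test fixtures, not real keys
    signers = [keygen(b"alice"), keygen(b"bob"), keygen(b"carol")]
    msgs = [b"tx-input-%d" % i for i in range(3)]
    items = [(P, m, sign(d, m)) for (d, P), m in zip(signers, msgs)]
    single_ok = all(verify(P, m, sig) for P, m, sig in items)
    batch_ok = batch_verify(items)
    P0, _, sig0 = items[0]                            # reuse a valid signature on a different message
    tampered_rejected = not batch_verify([(P0, b"forged", sig0)] + items[1:])
    return single_ok, batch_ok, tampered_rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Without the random weights a_i, an attacker who controls two of the signatures in the batch could pick (R, s) values whose errors cancel in the sum, so the batch would pass while neither signature verifies alone; with independent weights the cancellation succeeds with probability about 1/n.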
Peer-to-peer smart derivatives for any asset over any network!
Taurus0x Overview Distributed off-chain / on-chain protocol powering smart derivatives from end to end, for any asset over any network. Background of Taurus0x Remember around September 2017 when the world lost its cool over Bitcoin prices? It was nearly an ideological war for many. It occurred to me to create an app for people to bid on Bitcoin prices, and I would connect that app to a smart contract to execute bids on the blockchain. It took me a long couple of weeks to figure out how many licenses I would need to acquire to run such a business in the United States. It became evident that market making is a huge undertaking and is better off decentralized in an open-standard protocol to generate liquidity. The protocol needed to be fully decentralized as a primary requirement. Why? Because I believe in the philosophy of decentralization and creating fair market makers, governed by a public community. It is the right thing to do in order to create equal opportunity for consumers without centralized control and special privileges. It comes as no surprise to anyone at this point that the vast majority of "ICOs" were empty promises. Real-life utility was and is a necessity for any viable project. Transitioning from a centralized world to a tokenized and decentralized one cannot be abrupt. The protocol needed to support both worlds and allow for a free-market outcome as far as adoption. Scalability-wise, and as of today, Ethereum could not handle a real-time full DEX that could compete with advanced and well-known centralized exchanges. And quite frankly, maybe it's not meant to. This is when the off-chain thinking started, especially after witnessing a couple of the most successful projects adopting this approach, like Lightning and 0x Project. The trade-off was the complexity of handling cryptographic communications without the help of the blockchain. I had met my co-founder Brett Hayes at the time. I would need another 3 or 4 articles to explain Brett for you.
To the substance. What is asymmetric cryptography? Asymmetric cryptography is a form of cryptography that uses public and private key pairs. Each public key comes with an associated, unique private key. The usual shorthand is that data "encrypted" with the private key can only be "decrypted" with the matching public key, and vice versa. Strictly, a digital signature is its own operation rather than encryption: the signer uses the private key to produce a signature over (a hash of) the data, and anyone holding the public key (which is no secret) can verify that signature without being able to produce one. If you verify a signed "hello" against my public key and it checks out, you are positive that this "hello" came from me. This is what we call a digital signature. The figure below is from the Taurus0x whitepaper and describes the chosen digital signature algorithm (ECDSA).

https://preview.redd.it/n8kavgofbm211.png?width=1000&format=png&auto=webp&s=289695a17cd413b68105b249d615b82bae1fe1dc

What are Smart Derivatives? Well, what are derivatives in the first place? In the financial world, a derivative is a contract between two or more parties based upon an asset. Its price is determined by fluctuations in the underlying asset. The most common underlying assets include stocks, bonds, commodities, currencies, interest rates and market indexes. Futures contracts, forward contracts, options, swaps, cryptocurrency prices and warrants are common derivatives. Smart Derivatives are smart contracts that behave like financial derivatives. They possess enough information and funds to allow for execution with guaranteed and trusted outcomes. What is Taurus0x? Taurus0x is a distributed off-chain / on-chain protocol powering smart derivatives from end to end. Taurus0x is both asset- and network-agnostic. The philosophy is to also become blockchain-agnostic as more blockchains come to life. Distributed = fully decentralized set of smart contracts and libraries. Off-chain = ad-hoc protocol not limited to a blockchain. On-chain = trusted outcome without intermediaries. Asset-agnostic = supports any asset, not limited to cryptocurrency.
Network-agnostic = contracts can be transmitted over any network (email, text, twitter, facebook, pen and paper, etc.)

Who can use Taurus0x?

Taurus0x protocol is ultimately built to serve end consumers who trade derivative contracts. Participants may engage in peer-to-peer derivative contracts among each other without the need for a house in the middle.

The Taurus0x team and advisory realize that the migration from a centralized world to a decentralized one cannot be abrupt, specifically in FinTech. Taurus0x is built to support existing business models as well as C2C peer-to-peer. Exchanges that want to take on the derivative market may use an open-source protocol without worrying about building a full backend to handle contract engagement and settlement. Taurus0x exchanges would simply connect participants to each other, using matching algorithms.

Taurus0x intends to standardize derivative trading in an open way. Having more exchanges using the protocol allows for creating public and permissioned pools to generate compounded liquidity of contracts. This helps smaller exchanges by lowering the entry-to-market barrier.

How does Taurus0x work?

The process is simple and straightforward. Implementation details are masked by the protocol, making it very easy to build on top. The first 2 steps represent off-chain contract agreement, while 3 and 4 solidify and execute the contract on-chain.

1- Create

A producer creates a contract from any client using Taurus0x protocol, whether from an app, a website or a browser extension. The producer specifies a condition that is expected to happen sometime in the future. For example, I (the producer) might create a binary contract with the following condition:

Apple stock > $200 by July 1, 2018 with a premium of 10 TOKENs (any ERC20 token)

The contract will be automatically signed with my private key, which confirms that I created it. I can then share it (a long hexadecimal text) with anyone over any network I choose.
2- Sign

When the consumer receives the signed contract, they will be able to load it via any client using Taurus0x. If the consumer disagrees with the producer on the specified condition, they will go ahead and sign the contract with their private key. Back to our example above, the consumer would think that Apple stock will remain under $200 by July 1, 2018. Now that we have collected both signatures, the contract is ready to get published on the blockchain.

3- Publish

Anyone who possesses the MultiSig contract and its 2 signatures can go ahead and publish it to the Ethereum blockchain. That would most likely be either the producer, the consumer or a party like an exchange in the middle hosting off-chain orders. As soon as the contract is published, the Taurus0x proxy (an open-source smart contract) will pull the necessary funds from participating wallets into the newly created Smart Derivative. The funds will live in the derivative contract until successful execution.

4- Execute

If at any point before the contract expiration date the specified condition becomes true (i.e. Apple stock > $200), the producer can go ahead and execute the derivative contract. The contract will calculate the outcome and transfer funds accordingly. In this binary derivative example, the producer will receive 20 TOKENs in their wallet upon executing the contract. If the expiration date comes and the producer has never successfully executed the contract, the consumer may execute it themselves and collect the 20 TOKENs.

This figure from the Taurus0x whitepaper depicts the process:

https://preview.redd.it/vr2y9b8ibm211.png?width=1250&format=png&auto=webp&s=1b7a8144fe2a41116a4f64d7418d3dacb4f42fc5

Summary

Taurus0x is a highly versatile and modular protocol built using Ethereum-based smart contracts and wrapper JS libraries to bootstrap developer adoption.
While Smart Derivatives are the first application of Taurus0x, it is worth noting that the protocol is not limited to cryptocurrencies or even derivatives for that matter. It is an ad-hoc and scalable contract management solution meant to guarantee trusted outcomes in the future based on conditions specified today. The semi off-chain nature of the protocol helps remediate Ethereum’s scalability limitations and makes it a viable product. Finally, the plan for Taurus0x is to be governed by a Decentralized Autonomous Organization or DAO as outlined in the roadmap on https://taurus0x.com. This is an area of research and development as of today. Decentralization does not fulfill its purpose if governance remains centralized, therefore it is without compromise that Taurus0x follows a decentralized governance structure.
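The signature mechanics the post sketches (sign with a private key, check with the public key) and the producer-sign / consumer-countersign flow of steps 1 and 2, as an added worked example. This is not Taurus0x code: it is a textbook ECDSA over secp256k1 (the curve Ethereum uses) written for this page, and the contract encoding, the field names and the producer_create / consumer_sign / ready_to_publish functions are assumptions made for the example, not the protocol's own API.

```python
"""Added example, not Taurus0x code: textbook ECDSA over secp256k1 driving the
producer-sign / consumer-countersign flow described in the post.  The contract
encoding, field names and the three flow functions are assumptions made for
this example, not the protocol's own API."""
import hashlib
import secrets

# secp256k1 domain parameters (the curve used by Ethereum and Bitcoin).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:      # p1 == -p2
        return None
    if p1 == p2:                              # tangent slope for doubling
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                     # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mul(k, point):
    """Double-and-add; variable-time, so for teaching only, never for real keys."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def keygen():
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mul(priv, G)


def sign(priv, msg):
    """ECDSA signature (r, s).  A fresh, secret nonce k per signature is essential:
    reusing k across two messages exposes the private key."""
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mul(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s:
            return r, s


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = hash_to_int(msg), pow(s, -1, N)
    point = point_add(scalar_mul(z * w % N, G), scalar_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


# --- Off-chain contract flow (constructed encoding: the terms string is signed as-is) ---
def producer_create(producer_priv, terms):
    """Step 1 (Create): the producer signs the contract terms."""
    return {"terms": terms, "producer_sig": sign(producer_priv, terms.encode())}


def consumer_sign(consumer_priv, producer_pub, contract):
    """Step 2 (Sign): verify the producer's signature first, then countersign the
    exact same bytes, so both parties are bound to identical terms."""
    body = contract["terms"].encode()
    if not verify(producer_pub, body, contract["producer_sig"]):
        raise ValueError("producer signature invalid; refusing to countersign")
    return {**contract, "consumer_sig": sign(consumer_priv, body)}


def ready_to_publish(producer_pub, consumer_pub, contract):
    """Step 3 precondition: whoever publishes (or the on-chain proxy) must see two
    valid signatures over the same terms before any funds move."""
    body = contract["terms"].encode()
    return (verify(producer_pub, body, contract["producer_sig"])
            and verify(consumer_pub, body, contract.get("consumer_sig", (0, 0))))


if __name__ == "__main__":
    p_priv, p_pub = keygen()
    c_priv, c_pub = keygen()
    contract = consumer_sign(c_priv, p_pub, producer_create(
        p_priv, "AAPL > 200 USD by 2018-07-01; premium 10 TOKEN"))
    print("ready:", ready_to_publish(p_pub, c_pub, contract))
```

Two design points matter for a protocol like this one. Both parties must sign exactly the same bytes, which is why a real implementation fixes a canonical encoding of the contract and includes a domain separator (chain id, protocol version, proxy address) in what is hashed, so a signature over one contract cannot be presented as agreement to a different one. And the proxy contract must re-verify both signatures on-chain itself rather than trust whoever publishes; the ready_to_publish check here is that precondition in off-chain form.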
Why I have decided to invest in Quantum Resistant Ledger (QRL) now
The topic of quantum resistance is a complex topic, at least for me. When QRL came up a month or so ago, I recall moving on fast. Today it came up again, and as a result, I decided to stop and spend time on the official website (theqrl.org), and figure out if this is a project I want and should invest in.

What is The QRL: “The QRL is a cryptocurrency ledger which is designed from the outset to be resistant to both classical and quantum computing attack. It uses a different system of cryptography to bitcoin (and all other altcoins) known as hash-based digital signatures which are quantum-resistant. The ledger will be the first to experiment with quantum-resistant signatures whilst providing an ultra secure backup store of value in the event of a sudden advance in quantum computing. The initial aim of the chain is to offer a low volume of ultra secure transactions in the first iteration with guaranteed longevity.”

More about QRL here: http://cryptopotato.com/qrl-taking-quantum-computers/

These facts convinced me today to invest:

1 - One of the key points I look for when evaluating a potential investment is timing, and it seems in that regard, my reacquaintance with QRL today is incredibly well timed. Next month, or early October, QRL’s mainnet goes live with its Genesis block. The actual blockchain goes live! Kaushal Kumar Singh, one of the core developers on the team, confirmed the following in their Slack channel: “The first hardcoded block created into the blockchain is the Genesis block. This block includes the list of stake validators for the first epoch. Mainnet is expected to be on September/October. Currently, it will be released with ephemeral messaging feature. As ephemeral messaging is in the roadmap for the month of October. Rest of the features such as VPN, VoIP would be planned between the year 2018 to 2019. The exact month would be released once the mainnet is live with ephemeral messaging”.

2 - Dr Peter Waterland, the founder and core developer of the project, explained to me the differences between the quantum resistance offered by QRL, NEO and Ethereum’s upcoming Metropolis.

NEO: “There are different candidate post-quantum signature schemes in existence. Hash-based signatures have minimal security requirements and XMSS which is used in the QRL is PQ-crypto recommended. Lattice-based crypto is another type of signature which is thought to be Quantum resistant (indeed we will be using it for our Ephemeral messaging layer). Our resident post-quantum cryptographer doesn't feel lattice-based crypto is mature enough to secure accounts/addresses. The bottom line is that currently NEO doesn't contain lattice-based addresses and what they are saying is they may add such address types in the future.”

ETH Metropolis: “ETH has quantum-safe address types on their roadmap. Whether they appear in metropolis is anyone’s guess. Quantum-safe signatures are massive and so high volume blockchains like ethereum would immediately choke if they moved towards them.”

If it does appear, is there still an advantage to QRL over it?

“Yes. Firstly, we are using hash-based signatures, which only rely upon the cryptographic hash algorithm. In contrast, lattice-based signatures may in the future be broken. Secondly, once a fully error corrected QC emerges it will not matter if you have some addresses protected in QC-safe addresses. Prices of all tokens not completely secure will move to zero. If 5% of ETH is in unprotected standard ECDSA addresses with exposed public keys, then when a QC computer emerges those coins can be trivially stolen. Now if the other 95% of ETH are safely stored away in QC addresses then everyone might be feeling very safe.. But actually 5% is more than enough to crash the price to cents. The only true protection is 100% security of all ledger addresses.

So the QRL is taking the view that we are making our ledger completely 100% secure and are choosing the most robust signature scheme and hashing algorithm possible. This isn’t something major chains will want to do because it basically increases block sizes massively. So we get roadmaps and possible QC-safe address options.. We are being proactive and building something irrefutably secure from genesis block.”

3 - Market cap is at a small $29 mil (!!) with the token trading at around 55-60 cents $. Truly undervalued, with massive potential of gains in the short to medium run. QRL is an ERC-20 token for now until the blockchain launches, when one will be able to swap the tokens to new ones. I expect very nice gains with the launch of the blockchain next month or early October. I believe if the media catch up, things could get very interesting!

Trading on Bittrex:
https://bittrex.com/Market/Index?MarketName=eth-QRL
https://bittrex.com/Market/Index?MarketName=btc-QRL
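What the quoted points mean in practice, that hash-based signatures "only rely upon the cryptographic hash algorithm" and that "quantum-safe signatures are massive", as an added example. This is not QRL code: QRL uses XMSS, which arranges many one-time keys under a Merkle tree; the block below is the far simpler Lamport one-time signature, the building block such schemes start from, written for this page. The function names and the sample message are constructed for the example.

```python
"""Added example, not QRL code: a Lamport one-time signature built only from
SHA-256.  QRL's XMSS arranges many such one-time keys under a Merkle tree; this
minimal scheme shows the two properties discussed in the post, that security
rests on the hash function alone and that signatures are large.  Names and the
sample message are constructed for the example."""
import hashlib
import secrets

BITS = 256  # one secret pair per bit of a SHA-256 digest


def H(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the hash of every secret, in the same layout."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return {"sk": sk, "used": False}, pk


def digest_bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(key, msg):
    """Reveal, for each digest bit, the secret that matches the bit.  Every extra
    message signed reveals more secrets, so the key is marked spent after one use."""
    if key["used"]:
        raise RuntimeError("one-time key already used; never sign twice")
    key["used"] = True
    digest = H(msg)
    return [key["sk"][i][digest_bit(digest, i)] for i in range(BITS)]


def verify(pk, msg, sig):
    """Hash each revealed secret and compare it with the public-key entry
    selected by the corresponding digest bit.  Nothing but SHA-256 is involved."""
    if len(sig) != BITS:
        return False
    digest = H(msg)
    return all(H(sig[i]) == pk[i][digest_bit(digest, i)] for i in range(BITS))


def sizes():
    """Bytes a chain would carry per signature, against the 64-byte ECDSA
    signature it would replace."""
    return {"lamport_sig": BITS * 32, "lamport_pk": BITS * 2 * 32, "ecdsa_sig": 64}


def demo():
    """Run the full cycle and report the checks a verifier cares about."""
    key, pk = keygen()
    msg = b"constructed message: transfer 1 QRL"       # constructed sample input
    sig = sign(key, msg)
    try:
        sign(key, b"a second message")
        second_use_refused = False
    except RuntimeError:
        second_use_refused = True
    return {
        "valid": verify(pk, msg, sig),
        "tampered_rejected": not verify(pk, msg + b"!", sig),
        "second_use_refused": second_use_refused,
        "sig_bytes": sum(len(s) for s in sig),
    }


if __name__ == "__main__":
    print(demo())
```

The size figures are the point of the "choke" remark: a single Lamport signature is 8192 bytes against 64 for ECDSA, and the public key is twice that again, which is the cost a chain accepts when it wants its security to rest on nothing more than the preimage resistance of a hash function. The "used" flag is the other non-negotiable: a one-time key signs once, and statefulness (tracking which keys have been spent) is what XMSS-style schemes add on top of this primitive.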
Cryptographic Security of ECDSA in Bitcoin

P vs. NP
• If you solve P vs. NP: 1 M$.
• Nobel prize, Abel prize in mathematics: roughly 1 M$.
• Break bitcoin ECC: about 4 BILLION $.

How to Steal Bitcoins: New attacks [Courtois et al. October 2014]

Rumors will spread regarding the current insecurity of the network. The price will fluctuate, but will stabilize. Seven days later, the same announcement is made, publishing the 6 block header branch. This time the market will react before the attack is even made. Bitcoin price will certainly decrease, even if afterwards the attack is unsuccessful.

Ripple (XRP) Price 2020. The current price of Ripple (XRP) fluctuates around $0,191963; the total market capitalization is $8,313,502,329, which makes XRP the third most popular digital currency as of December 2019.

ECDSA In Bitcoin

Digital signatures are considered the foundation of online sovereignty. The advent of public-key cryptography in 1976 paved the way for the creation of a global communications tool – the Internet, and a completely new form of money – Bitcoin.

[Figure 1.1: Market Price of Bitcoin in USD from 2012-2014]

1.1 Motivation and Goal

Because of the popularity of Bitcoin, one of its main building blocks, Elliptic Curve Digital Signature Algorithm (ECDSA) is hotly discussed as well. Since Bitcoin is decentralized, trans-
Bitcoin resistance - Current Bitcoin Price [May 18th 2020]
I will address this question in this video. Also we will look at the realistic bitcoin price prediction by the end of 2020 and beyond.

BREAKING: BITCOIN IS ABOUT TO DO SOMETHING IT HASN'T DONE SINCE $381 (btc price news today 2020 ta)

Bitcoin has traditionally used ECDSA signatures over the secp256k1 curve for authenticating transactions. These are standardized, but have a number of downsi...

Bitcoin will crash 75% soon in 2020 before the 2021 BTC bull run can begin! price targets, TA & NYSE

Bitcoin The Price Is RIGHT! June 2020 Price Prediction & News Analysis

Bitcoin WHEN REFUND SIR?!