Pettycoin
Losing Tiny Amounts of Bitcoin At Scale!
Rusty Russell
Contents
Bitcoin Basics
An Adjunct Network
Problems
    With some solutions
Status
Bitcoin Basics
Transactions:
    Take N inputs and provide M outputs
    Broadcast in a peer-to-peer network
    Create your private key and away you go!
Blocks:
    Bundle up transactions
    Really hard to generate!
        Difficulty changes to keep it down to ~10 minutes
Bitcoin Block
Bitcoin Blockchain
If more than one chain, longest wins
    Presumably represents majority view
Transactions are checked against previous:
    Inputs must not have already been used.
    Value of inputs must be >= outputs
https://en.bitcoin.it/wiki/Scalability
To handle 10k tps, need ~ 40Mb/second
100,000 TPS?
Is there a way to create a useful network without everyone knowing everything?
    What if we trade robustness for scalability?
What if we throw out the baby and the bathwater?
An Adjunct, Not An Altcoin!
Use real bitcoins
Mirrors bitcoin addresses
Send bitcoin to gateway, it injects onto pettycoin network (minus support fee)
Send pettycoins to gateway, it injects onto bitcoin network (minus transaction fee)
A transaction network, not a store of value!
Shrinking The Chain
13GB download!
    Unfair, should be a few hundred MB
Reduce Transaction Size
Each input:
    Signed to prove you can spend (ECDSA: 64 bytes)
    Identifies previous transaction (SHA256: 32 bytes)
Each output:
    Identify destination (ECDSA: 33 bytes)
    Specifies amount (1-9 bytes)
Bitcoin inputs and outputs are actually scripts...
Only allow one signature for all inputs
    i.e. one input address.
Limit to 4 inputs
Only allow one output (implying change)
=> 132 + 34N bytes
Reduce Chain Length?
Transactions only valid for ~1 month (10080 blocks)?
A transaction network, not a store of value!
Shard the Network
Use upper 12 bits of address
    Both input(s) and output address
So a transaction appears on up to 5 of 4096 shards
You can monitor a single network shard to find out what's happening for a given address
    But you actually have to be on two, so it's all connected
Shard the Block
Order transactions by (output address) shard within block
    Transactions with an input address on that shard will be scattered throughout block
Block in Batches
We divide block into batches of 4096 transactions
Merkle Tree
Pettycoin Block
Partial Knowledge
If I send you a batch of transactions, you can prove it is in the block
If I send you a single transaction and 12 hashes you can also prove it is in the block.
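The 12-hash check described above, as an added example (not code from the talk or the pettycoin repository). It assumes SHA-256 with leaf/node prefixes and a constructed batch of sample transactions; the slides do not specify pettycoin's actual hash function or encoding.

```python
import hashlib

BATCH = 4096  # transactions per batch, as on the slide (2**12 leaves)

def h(data: bytes) -> bytes:
    # Assumption: plain SHA-256; the slides do not say how nodes are hashed.
    return hashlib.sha256(data).digest()

def merkle_levels(txs):
    """Return every level of the tree, leaves first, root last."""
    # Distinct leaf/node prefixes stop an inner node being passed off as a leaf.
    level = [h(b"leaf:" + tx) for tx in txs]
    levels = [level]
    while len(level) > 1:
        level = [h(b"node:" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def make_proof(levels, index):
    """Collect the sibling hash at each level: 12 hashes for 4096 leaves."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index >>= 1
    return proof

def verify(tx, index, proof, root):
    """Recompute the root from one transaction, its position and its siblings."""
    if len(proof) != BATCH.bit_length() - 1 or not 0 <= index < BATCH:
        return False
    node = h(b"leaf:" + tx)
    for sibling in proof:
        # The low bit of the index says whether we are the right or left child.
        pair = sibling + node if index & 1 else node + sibling
        node = h(b"node:" + pair)
        index >>= 1
    return node == root

# Constructed sample batch (not real pettycoin transactions).
TXS = [b"constructed-tx-%d" % i for i in range(BATCH)]
LEVELS = merkle_levels(TXS)
ROOT = LEVELS[-1][0]
PROOF = make_proof(LEVELS, 1234)

if __name__ == "__main__":
    print(len(PROOF), verify(TXS[1234], 1234, PROOF, ROOT))  # genuine transaction
    print(verify(b"forged-tx", 1234, PROOF, ROOT))           # substituted transaction
```

The verifier needs only the batch root from the block header, the transaction, its position and the 12 siblings; it never sees the other 4095 transactions.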
What Clients Need To Know
The block chain (of headers)
    About 1 new block every 10 minutes
    74 bytes + ~44 per batch of 4096 transactions
    650 kbytes for 100,000 TPS
        Around 8kbits
Sending A Transaction
Send me your transaction
Also send me transactions whose outputs you use
    And a 12-hash merkle proof for each one
    And the same for each transaction they use...
If average transaction has 2.1 inputs
    After a coin has been spent 10 times, 1700 transactions
    Each transaction is 200 bytes
    Each proof is 264 bytes
        788k to send you a transaction!
After 1M, you have to send back to gateway.
    A transaction network, not a store of value!
TODO: Sending A Transaction
Longer time inside pettycoin:
    Gateway reinject?
    Larger transactions?
    Less bits in merkle proof?
    Incomplete proofs?
What Miners Need To Know
Double spends are illegal in the chain
    If you can prove it, network will reject block
Thus, miners need to check transaction inputs
    Or trust the network to filter them!
=> Miners need complete knowledge of chain
TODO: What Miners Need To Know
Optimization of block transmission based on known transactions
Problems With Partial Knowledge
Double Spend Detection
Ensuring Honest Miners
Mining Rewards
Trusting Gateways
Double Spend Detection
Easy to prove if you spot a duplicate in a block:
    Send complaint packet with both proofs
    Network will reject that block
Mostly bitcoin network doesn't wait for transactions to enter blocks for small amounts
    Listen for 5 seconds to see if double spend
Can we do better?
    Karame, Ghassan, Elli Androulaki, and Srdjan Capkun. "Two Bitcoins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin." IACR Cryptology ePrint Archive 2012 (2012): 248.
TODO: Double Spend Detection
Rewards for reporting double spend?
    Can't be taken from actual double spend
        No one would ever allow that to happen.
        Would penalize recipient of first spend.
    Hard to prove who found the double spend
        Trust the majority to be honest?
        Require a small PoW?
Need to inject double spends to provide incentive... (but not enough to cheat!)
Ensuring Honest Miners
Hide a batch from the network!
    Later, miner reveals it to double spend.
    Will invalidate a future block.
Prove you know last 10 blocks' transactions...
    Prepend your address to each previous transaction
TODO: Ensuring Honest Miners
10 blocks back insufficient?
Forgiveness if double spend old enough?
    Restrict number of transactions in a block?
    Restrict amount transferred in any one transaction.
Mining Rewards
In bitcoin, miner gets 50/25/12.5...
    Plus leftover from transactions in block (transaction fees)
We can't mint bitcoins
Without full knowledge, can't use transaction fees
If we offered flat fee, why bother collecting transactions?
TODO: Mining Rewards
Statistical rewards!
    claim transaction:
        A valid transaction which was in your block
        Proof that it was
        A recent gateway injection transaction (last 20 blocks?)
    Reward amount depends on difference between hash of that transaction xor of hash of next 100 blocks
        More similar the better
    Encourages more transactions.
Miners also include a double spend report in their claim?
    Would be worth 1% of reward to claimant
An honor system...
Tax the future to pay for the present?
    e.g. after 4 years, pay 50% of rewards back to first two years' blocks.
Needs smoothing of course, but it'll never be fair
Trusting Gateways
The gateway is holding your bitcoin!
    You can monitor it, but you have to trust.
    Will only relay small amounts.
    A good reason for limiting history.
I don't want your money!
A transaction network, not a store of value!
TODO: Trusting Gateways
Independent gateways with multisig transactions?
Clients could differentiate pettycoins by source gateway?
    Think harder!
Bootstrap
Testnet
Full knowledge
Gateway returns old funds
An Example Application
Tip 0.1c to every webpage you visit?
    Tip on way out (or delay!) so you can cancel it!
Status
Domain name registered!
Block generation code works.
Nodes talk to each other.
World's worst CPU miner mostly works.
Gateway transactions can be injected.
Normal transactions not yet handled.
Bitcoin gateway not written
Pettycoin explorer not written
HTTP transaction receive not written.
FAQ
What if the pettycoin binary has a flaw?
    YOU WILL LOSE YOUR MONEY
What if pettycoin protocol has a flaw?
    YOU WILL LOSE YOUR MONEY
What if the gateways are hacked?
    YOU WILL LOSE YOUR MONEY
What if lawyers/governments/MIB shut it down?
    YOU WILL LOSE YOUR MONEY
What if someone threatens your family?
    YOU WILL LOSE YOUR MONEY
Disclaimer
This is not a spec!
Almost-working incomplete code at: https://github.com/rustyrussell/pettycoin