Pettycoin: Losing Tiny Amounts of Bitcoin At Scale!

Rusty Russell

Contents

Bitcoin Basics

An Adjunct Network

Problems
  With some solutions

Status

Bitcoin Basics

Transactions:
  Take N inputs and provide M outputs

Broadcast in a peer-to-peer network

Create your private key and away you go!

Blocks:
  Bundle up transactions

Really hard to generate!
  Difficulty changes to keep it down to ~10 minutes

Bitcoin Block

Bitcoin Blockchain

If more than one chain, longest wins
  Presumably represents majority view

Transactions are checked against previous:
  Inputs must not have already been used.

Value of inputs must be >= outputs

https://en.bitcoin.it/wiki/Scalability
  To handle 10k tps, need ~ 40Mb/second

100,000 TPS?

Is there a way to create a useful network without everyone knowing everything?
  What if we trade robustness for scalability?

What if we throw out the baby and the bathwater?

An Adjunct, Not An Altcoin!

Use real bitcoins

Mirrors bitcoin addresses

Send bitcoin to gateway, it injects onto pettycoin network (minus support fee)

Send pettycoins to gateway, it injects onto bitcoin network (minus transaction fee)

A transaction network, not a store of value!

Shrinking The Chain

13GB download!
  Unfair, should be a few hundred MB

Reduce Transaction Size

Each input:
  Signed to prove you can spend (ECDSA: 64 bytes)

Identifies previous transaction (SHA256: 32 bytes)

Each output:
  Identify destination (ECDSA: 33 bytes)

Specifies amount (1-9 bytes)

Bitcoin inputs and outputs are actually scripts...

Only allow one signature for all inputs
  i.e. one input address.

Limit to 4 inputs

Only allow one output (implying change)
=> 132 + 34N bytes

Reduce Chain Length?

Transactions only valid for ~1 month (10080 blocks)?

A transaction network, not a store of value!

Shard the Network

Use upper 12 bits of address
  Both input(s) and output address

So a transaction appears on up to 5 of 4096 shards

You can monitor a single network shard to find out what's happening for a given address
  But you actually have to be on two, so it's all connected

Shard the Block

Order transactions by (output address) shard within block
  Transactions with an input address on that shard will be scattered throughout block

Block in Batches

We divide block into batches of 4096 transactions

Merkle Tree

Pettycoin Block

Partial Knowledge

If I send you a batch of transactions, you can prove it is in the block

If I send you a single transaction and 12 hashes you can also prove it is in the block.
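
The 12-hash inclusion check described above, as an added example (not code from the talk or from the pettycoin repository). It assumes SHA-256 with leaf/interior prefix bytes, a full 4096-transaction batch of constructed data, and a batch root the receiver already trusts; pettycoin's real hash and serialization are not given in the slides.

```python
import hashlib

BATCH = 4096          # transactions per batch (from the slides)
DEPTH = 12            # log2(4096): sibling hashes in a single-transaction proof

# Assumption: SHA-256 with distinct leaf/interior prefixes, so an interior
# node can never be passed off as a transaction. Pettycoin's real hashing
# and serialization are not specified in the slides.
def leaf_hash(tx: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + tx).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_levels(txs):
    """All tree levels for one full batch: leaf hashes first, root last."""
    if len(txs) != BATCH:
        raise ValueError("example handles full batches only")
    levels = [[leaf_hash(tx) for tx in txs]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([node_hash(prev[i], prev[i + 1])
                       for i in range(0, len(prev), 2)])
    return levels

def make_proof(levels, index):
    """Sender side: the sibling hash at each level on the path to the root."""
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])
        index >>= 1
    return proof

def verify_proof(tx, index, proof, batch_root):
    """Receiver side: needs only tx, its position, 12 hashes and the root."""
    if len(proof) != DEPTH or not 0 <= index < BATCH:
        return False          # fixed depth: reject short or padded proofs
    node = leaf_hash(tx)
    for sibling in proof:
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index >>= 1
    return node == batch_root

def sample_batch():
    """Constructed stand-in transactions, not real pettycoin data."""
    return [b"constructed-tx-%04d" % i for i in range(BATCH)]

if __name__ == "__main__":
    txs = sample_batch()
    levels = merkle_levels(txs)
    proof = make_proof(levels, 1234)
    print(len(proof), verify_proof(txs[1234], 1234, proof, levels[-1][0]))
```

The verifier binds the transaction to its position as well as to the root: the same 12 hashes presented with a different index or a different transaction do not verify.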

What Clients Need To Know

The block chain (of headers)
  About 1 new block every 10 minutes

74 bytes + ~44 per batch of 4096 transactions

650 kbytes for 100,000 TPS
  Around 8kbits

Sending A Transaction

Send me your transaction

Also send me transactions whose outputs you use
  And a 12-hash merkle proof for each one

And the same for each transaction they use...

If average transaction has 2.1 inputs
  After a coin has been spent 10 times, 1700 transactions

Each transaction is 200 bytes

Each proof is 264 bytes
  788k to send you a transaction!

After 1M, you have to send back to gateway.
  A transaction network, not a store of value!

TODO: Sending A Transaction

Longer time inside pettycoin:
  Gateway reinject?

Larger transactions?

Less bits in merkle proof?

Incomplete proofs?

What Miners Need To Know

Double spends are illegal in the chain
  If you can prove it, network will reject block

Thus, miners need to check transaction inputs
  Or trust the network to filter them!

=> Miners need complete knowledge of chain

TODO: What Miners Need To Know

Optimization of block transmission based on known transactions

Problems With Partial Knowledge

Double Spend Detection

Ensuring Honest Miners

Mining Rewards

Trusting Gateways

Double Spend Detection

Easy to prove if you spot a duplicate in a block:
  Send complaint packet with both proofs

Network will reject that block

Mostly bitcoin network doesn't wait for transactions to enter blocks for small amounts
  Listen for 5 seconds to see if double spend

Can we do better?
  Karame, Ghassan, Elli Androulaki, and Srdjan Capkun. "Two Bitcoins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin." IACR Cryptology ePrint Archive 2012 (2012): 248.

TODO: Double Spend Detection

Rewards for reporting double spend?
  Can't be taken from actual double spend
    No one would ever allow that to happen.

Would penalize recipient of first spend.

Hard to prove who found the double spend
  Trust the majority to be honest?

Require a small PoW?

Need to inject double spends to provide incentive... (but not enough to cheat!)

Ensuring Honest Miners

Hide a batch from the network!
  Later, miner reveals it to double spend.

Will invalidate a future block.

Prove you know last 10 blocks' transactions...
  Prepend your address to each previous transaction

TODO: Ensuring Honest Miners

10 blocks back insufficient?

Forgiveness if double spend old enough?
  Restrict number of transactions in a block?

Restrict amount transferred in any one transaction.

Mining Rewards

In bitcoin, miner gets 50/25/12.5...
  Plus leftover from transactions in block (transaction fees)

We can't mint bitcoins

Without full knowledge, can't use transaction fees

If we offered flat fee, why bother collecting transactions?

TODO: Mining Rewards

Statistical rewards!
  claim transaction:
    A valid transaction which was in your block

Proof that it was

A recent gateway injection transaction (last 20 blocks?)

Reward amount depends on difference between hash of that transaction xor of hash of next 100 blocks
  More similar the better

Encourages more transactions.

Miners also include a double spend report in their claim?
  Would be worth 1% of reward to claimant

An honor system...

Tax the future to pay for the present?
  e.g. after 4 years, pay 50% of rewards back to first two years' blocks.

Needs smoothing of course, but it'll never be fair

Trusting Gateways

The gateway is holding your bitcoin!
  You can monitor it, but you have to trust.

Will only relay small amounts.

A good reason for limiting history.

I don't want your money!

A transaction network, not a store of value!

TODO: Trusting Gateways

Independent gateways with multisig transactions?

Clients could differentiate pettycoins by source gateway?
  Think harder!

Bootstrap

Testnet

Full knowledge

Gateway returns old funds

An Example Application

Tip 0.1c to every webpage you visit?
  Tip on way out (or delay!) so you can cancel it!

Status

Domain name registered!

Block generation code works.

Nodes talk to each other.

World's worst CPU miner mostly works.

Gateway transactions can be injected.

Normal transactions not yet handled.

Bitcoin gateway not written

Pettycoin explorer not written

HTTP transaction receive not written.

FAQ

What if the pettycoin binary has a flaw?
  YOU WILL LOSE YOUR MONEY

What if pettycoin protocol has a flaw?
  YOU WILL LOSE YOUR MONEY

What if the gateways are hacked?
  YOU WILL LOSE YOUR MONEY

What if lawyers/governments/MIB shut it down?
  YOU WILL LOSE YOUR MONEY

What if someone threatens your family?
  YOU WILL LOSE YOUR MONEY

Disclaimer

This is not a spec!

Almost-working incomplete code at:
  https://github.com/rustyrussell/pettycoin