summaryrefslogtreecommitdiff
path: root/d3/379cac2851d8e0f403616b6f104281515fdf69
blob: dd47438504939aea990339bc35e263e91bb7e2d2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
Return-Path: <zaki@manian.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 38C56279
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 20 Jun 2016 16:21:54 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-qk0-f177.google.com (mail-qk0-f177.google.com
	[209.85.220.177])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id DFC2E1CD
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 20 Jun 2016 16:21:49 +0000 (UTC)
Received: by mail-qk0-f177.google.com with SMTP id a186so168625900qkf.0
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 20 Jun 2016 09:21:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=manian-org.20150623.gappssmtp.com; s=20150623;
	h=mime-version:references:in-reply-to:from:date:message-id:subject:to; 
	bh=NkLtpkPZoiNqXWFKypf+0WdwEb6lsauIfTCJJh4wypM=;
	b=xlR7f8vVXdQnR2ws8hXo//NZ+PNWYkQzttcCn6iZZAQzHc7WzbGg3mE84/TdWDk+xs
	jPqxMAeYCflp5tlUaTTlPdiCalDKAZsgXlZvFybNWPhYKs/8RMPov1nSaQu0/lsKSrMV
	FwgQuajjgUO3XnTgG6nNlIX2d7LtkILAusJXL5qPI5NSyqMLxd9COqWqzIQTmUwa8NHo
	zmi2GYusduW8/lZgUB9ppRT3c+PoxiZZ5/lt+8F7wtiJJLUyJqiM2DYkUW9BprQNgQl+
	Tz1iuDSp4oZoJAbrQ2DivaViH/CHpzzklcUaA+z4V11lvk7Aveigo57FBd1qBRqQUtHU
	odtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:references:in-reply-to:from:date
	:message-id:subject:to;
	bh=NkLtpkPZoiNqXWFKypf+0WdwEb6lsauIfTCJJh4wypM=;
	b=i7ZoHv2p0Gnh9dr0XyFdLDRwQdIYUaQKjuRbktjvHuDGZeYPbfkFHQoMIvNRVI24rq
	LP8irTmvUKzXSl7Ths8ZVJcCvQ6pIdEiRqjo/vXygpY15gwtFxnMm3SFw+I+d4b2TVTi
	hgVcPD6ktlZDISCb419Xwu49QFR+bbqhWj7N04+ytS/tg8J8jfo/i/GpYAQnfvB+w3xi
	J3wFZZkBikfa3+oHUU/9WSa/WprH88z97bKB4RKt1hHKF9rRske90NvqEMiA/NP960h4
	+YF7zHaDXAWAeBFCa/X+lYNT956IdKbb6styPJt+c/zua8SRrPV5MBd6HD4NK1b3+bGw
	N0jg==
X-Gm-Message-State: ALyK8tL1Y5FJMHTikmu7llgbhMZ1JVOtjZIshcoLlWCoV6QypAj763jskSqYIwt/XF5LLaBjovz/GwFnaOYWQA==
X-Received: by 10.55.104.213 with SMTP id d204mr23020765qkc.208.1466439708852; 
	Mon, 20 Jun 2016 09:21:48 -0700 (PDT)
MIME-Version: 1.0
References: <20160620085649.GA29964@fedora-21-dvm> <5767EEFE.7060103@dyne.org>
In-Reply-To: <5767EEFE.7060103@dyne.org>
From: "zaki@manian.org" <zaki@manian.org>
Date: Mon, 20 Jun 2016 16:21:39 +0000
Message-ID: <CAJQ8TmBw3PdCYv=fsyiXMTNO_sHZEj__n0Rsra6id+ORxQworA@mail.gmail.com>
To: Police Terror <PoliceTerror@dyne.org>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary=94eb2c055adaee59a80535b81968
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Mon, 20 Jun 2016 16:22:33 +0000
Subject: Re: [bitcoin-dev] Building Blocks of the State Machine Approach to
	Consensus
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2016 16:21:54 -0000

--94eb2c055adaee59a80535b81968
Content-Type: text/plain; charset=UTF-8

Hi Peter,

I didn't entirely understand the process of transaction linearization.

What I see is a potential process where when the miner assembles the block,
he strips all but one sigscript per tx. The selection of which  sigscript
is retained is determined by the random oracle.  Is this is primary benefit
you are suggesting?

It appears to me that blocks still need to contain a list of full TX Input
and Tx Outputs with your approach. Some of the description seems to
indicate that there are opportunities to elide further data but it's
unclear to me how.

On Mon, Jun 20, 2016 at 7:14 AM Police Terror via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Bitcoin could embed a lisp interpreter such as Scheme, reverse engineer
> the current protocol into lisp (inside C++), run this alternative engine
> alongside the current one as an option for some years (only for fine
> tuning) then eventually fade this lisp written validation code instead
> of the current one.
>
> Scheme is small and minimal, and embeds easily in C++. This could be a
> better option than the libconsensus library - validation in a functional
> scripting language.
>
> That doesn't mean people can't program the validation code in other
> languages (maybe they'd want to optimize), but this code would be the
> standard.
>
> It's really good how you are thinking deeply how Bitcoin can be used,
> and the implications of everything. Also there's a lot of magical utopic
> thinking in Ethereum, which is transhumanist nonsense that is life
> denying. Bitcoin really speaks to me because it is real and a great tool
> following the UNIX principle.
>
> I wouldn't be so quick to deride good engineering over systematic
> provable systems for all domains. Bitcoin being written in C++ is not a
> defect. It's actually a strong language for what it does. Especially
> when used correctly (which is not often and takes years to master).
>
> With the seals idea- am I understand this correctly?: Every transaction
> has a number (essentially the index starting from 0 upwards) depending
> on where it is in the blockchain.
>
> Then there is an array (probably an on disk array mapping transaction
> indexes to hashes). Each hash entry in the array must be unique (the
> hashes) otherwise the transaction will be denied. This is a great idea
> to solve transaction hash collisions and simple to implement.
>
> Probabilistic validation is a good idea, although the real difficulty
> now seems to be writing and indexing all the blockchain data for
> lookups. And validation is disabled for most of the blocks. Pruning is
> only a stop gap measure (which loses data) that doesn't solve the issue
> of continually growing resource consumption. Hardware and implementation
> can only mitigate this so much. If only there was a way to simplify the
> underlying protocol to make it more resource efficient...
>
> Peter Todd via bitcoin-dev:
> > In light of Ethereum's recent problems with its imperative,
> account-based,
> > programming model, I thought I'd do a quick writeup outlining the
> building
> > blocks of the state-machine approach to so-called "smart contract"
> systems, an
> > extension of Bitcoin's own design that I personally have been developing
> for a
> > number of years now as my Proofchains/Dex research work.
> >
> >
> > # Deterministic Code / Deterministic Expressions
> >
> > We need to be able to run code on different computers and get identical
> > results; without this consensus is impossible and we might as well just
> use a
> > central authoritative database. Traditional languages and surrounding
> > frameworks make determinism difficult to achieve, as they tend to be
> filled
> > with undefined and underspecified behavior, ranging from signed integer
> > overflow in C/C++ to non-deterministic behavior in databases. While some
> > successful systems like Bitcoin are based on such languages, their
> success is
> > attributable to heroic efforts by their developers.
> >
> > Deterministic expression systems such as Bitcoin's scripting system and
> the
> > author's Dex project improve on this by allowing expressions to be
> precisely
> > specified by hash digest, and executed against an environment with
> > deterministic results. In the case of Bitcoin's script, the expression
> is a
> > Forth-like stack-based program; in Dex the expression takes the form of a
> > lambda calculus expression.
> >
> >
> > ## Proofs
> >
> > So far the most common use for deterministic expressions is to specify
> > conditions upon which funds can be spent, as seen in Bitcoin
> (particularly
> > P2SH, and the upcoming Segwit). But we can generalize their use to
> precisely
> > defining consensus protocols in terms of state machines, with each state
> > defined in terms of a deterministic expression that must return true for
> the
> > state to have been reached. The data that causes a given expression to
> return
> > true is then a "proof", and that proof can be passed from one party to
> another
> > to prove desired states in the system have been reached.
> >
> > An important implication of this model is that we need deterministic, and
> > efficient, serialization of proof data.
> >
> >
> > ## Pruning
> >
> > Often the evaluation of an expression against a proof doesn't require
> all all
> > data in the proof. For example, to prove to a lite client that a given
> block
> > contains a transaction, we only need the merkle path from the
> transaction to
> > the block header. Systems like Proofchains and Dex generalize this
> process -
> > called "pruning" - with built-in support to both keep track of what data
> is
> > accessed by what operations, as well as support in their underlying
> > serialization schemes for unneeded data to be elided and replaced by the
> hash
> > digest of the pruned data.
> >
> >
> > # Transactions
> >
> > A common type of state machine is the transaction. A transaction history
> is a
> > directed acyclic graph of transactions, with one or more genesis
> transactions
> > having no inputs (ancestors), and one or more outputs, and zero or more
> > non-genesis transactions with one or more inputs, and zero or more
> outputs. The
> > edges of the graph connect inputs to outputs, with every input connected
> to
> > exactly one output. Outputs with an associated input are known as spent
> > outputs; outputs with out an associated input are unspent.
> >
> > Outputs have conditions attached to them (e.g. a pubkey for which a valid
> > signature must be produced), and may also be associated with other
> values such
> > as "# of coins". We consider a transaction valid if we have a set of
> proofs,
> > one per input, that satisfy the conditions associated with each output.
> > Secondly, validity may also require additional constraints to be true,
> such as
> > requiring the coins spent to be >= the coins created on the outputs.
> Input
> > proofs also must uniquely commit to the transaction itself to be secure
> - if
> > they don't the proofs can be reused in a replay attack.
> >
> > A non-genesis transaction is valid if:
> >
> > 1. Any protocol-specific rules such as coins spent >= coins output are
> >    followed.
> >
> > 2. For every input a valid proof exists.
> >
> > 3. Every input transaction is itself valid.
> >
> > A practical implementation of the above for value-transfer systems like
> Bitcoin
> > could use two merkle-sum trees, one for the inputs, and one for the
> outputs,
> > with inputs simply committing to the previous transaction's txid and
> output #
> > (outpoint), and outputs committing to a scriptPubKey and output amount.
> > Witnesses can be provided separately, and would sign a signature
> committing to
> > the transaction or optionally, a subset of of inputs and/or outputs (with
> > merkle trees we can easily avoid the exponential signature validation
> problems
> > bitcoin currently has).
> >
> > As so long as all genesis transactions are unique, and our hash function
> is
> > secure, all transaction outputs can be uniquely identified (prior to
> BIP34 the
> > Bitcoin protocol actually failed at this!).
> >
> >
> > ## Proof Distribution
> >
> > How does Alice convince Bob that she has done a transaction that puts the
> > system into the state that Bob wanted? The obvious answer is she gives
> Bob data
> > proving that the system is now in the desired state; in a transactional
> system
> > that proof is some or all of the transaction history. Systems like
> Bitcoin
> > provide a generic flood-fill messaging layer where all participants have
> the
> > opportunity to get a copy of all proofs in the system, however we can
> also
> > implement more fine grained solutions based on peer-to-peer message
> passing -
> > one could imagine Alice proving to Bob that she transferred title to her
> house
> > to him by giving him a series of proofs, not unlike the same way that
> property
> > title transfer can be demonstrated by providing the buyer with a series
> of deed
> > documents (though note the double-spend problem!).
> >
> >
> > # Uniqueness and Single-Use Seals
> >
> > In addition to knowing that a given transaction history is valid, we
> also want
> > to know if it's unique. By that we mean that every spent output in the
> > transaction history is associated with exactly one input, and no other
> valid
> > spends exist; we want to ensure no output has been double-spent.
> >
> > Bitcoin (and pretty much every other cryptocurrency like it) achieves
> this goal
> > by defining a method of achieving consensus over the set of all (valid)
> > transactions, and then defining that consensus as valid if and only if no
> > output is spent more than once.
> >
> > A more general approach is to introduce the idea of a cryptographic
> Single-Use
> > Seal, analogous to the tamper-evidence single-use seals commonly used for
> > protecting goods during shipment and storage. Each individual seals is
> > associated with a globally unique identifier, and has two states, open
> and
> > closed. A secure seal can be closed exactly once, producing a proof that
> the
> > seal was closed.
> >
> > All practical single-use seals will be associated with some kind of
> condition,
> > such as a pubkey, or deterministic expression, that needs to be
> satisfied for
> > the seal to be closed. Secondly, the contents of the proof will be able
> to
> > commit to new data, such as the transaction spending the output
> associated with
> > the seal.
> >
> > Additionally some implementations of single-use seals may be able to also
> > generate a proof that a seal was _not_ closed as of a certain
> > time/block-height/etc.
> >
> >
> > ## Implementations
> >
> > ### Transactional Blockchains
> >
> > A transaction output on a system like Bitcoin can be used as a
> single-use seal.
> > In this implementation, the outpoint (txid:vout #) is the seal's
> identifier,
> > the authorization mechanism is the scriptPubKey of the output, and the
> proof
> > is the transaction spending the output. The proof can commit to
> additional
> > data as needed in a variety of ways, such as an OP_RETURN output, or
> > unspendable output.
> >
> > This implementation approach is resistant to miner censorship if the
> seal's
> > identifier isn't made public, and the protocol (optionally) allows for
> the
> > proof transaction to commit to the sealed contents with unspendable
> outputs;
> > unspendable outputs can't be distinguished from transactions that move
> funds.
> >
> >
> > ### Unbounded Oracles
> >
> > A trusted oracle P can maintain a set of closed seals, and produce signed
> > messages attesting to the fact that a seal was closed. Specifically, the
> seal
> > is identified by the tuple (P, q), with q being the per-seal
> authorization
> > expression that must be satisfied for the seal to be closed. The first
> time the
> > oracle is given a valid signature for the seal, it adds that signature
> and seal
> > ID to its closed seal set, and makes available a signed message
> attesting to
> > the fact that the seal has been closed. The proof is that message (and
> > possibly the signature, or a second message signed by it).
> >
> > The oracle can publish the set of all closed seals for
> transparency/auditing
> > purposes. A good way to do this is to make a merkelized key:value set,
> with the
> > seal identifiers as keys, and the value being the proofs, and in turn
> create a
> > signed certificate transparency log of that set over time. Merkle-paths
> from
> > this log can also serve as the closed seal proof, and for that matter, as
> > proof of the fact that a seal has not been closed.
> >
> >
> > ### Bounded Oracles
> >
> > The above has the problem of unbounded storage requirements as the
> closed seal
> > set grows without bound. We can fix that problem by requiring users of
> the
> > oracle to allocate seals in advance, analogous to the UTXO set in
> Bitcoin.
> >
> > To allocate a seal the user provides the oracle P with the authorization
> > expression q. The oracle then generates a nonce n and adds (q,n) to the
> set of
> > unclosed seals, and tells the user that nonce. The seal is then uniquely
> > identified by (P, q, n)
> >
> > To close a seal, the user provides the oracle with a valid signature
> over (P,
> > q, n). If the open seal set contains that seal, the seal is removed from
> the
> > set and the oracle provides the user with a signed message attesting to
> the
> > valid close.
> >
> > A practical implementation would be to have the oracle publish a
> transparency
> > log, with each entry in the log committing to the set of all open seals
> with a
> > merkle set, as well as any seals closed during that entry. Again, merkle
> paths
> > for this log can serve as proofs to the open or closed state of a seal.
> >
> > Note how with (U)TXO commitments, Bitcoin itself is a bounded oracle
> > implementation that can produce compact proofs.
> >
> >
> > ### Group Seals
> >
> > Multiple seals can be combined into one, by having the open seal commit
> to a
> > set of sub-seals, and then closing the seal over a second set of closed
> seal
> > proofs. Seals that didn't need to be closed can be closed over a special
> > re-delegation message, re-delegating the seal to a new open seal.
> >
> > Since the closed sub-seal proof can additionally include a proof of
> > authorization, we have a protcol where the entity with authorization to
> close
> > the master seal has the ability to DoS attack sub-seals owners, but not
> the
> > ability to fraudulently close the seals over contents of their choosing.
> This
> > may be useful in cases where actions on the master seal is expensive -
> such as
> > seals implemented on top of decentralized blockchains - by amortising
> the cost
> > over all sub-seals.
> >
> >
> > ## Atomicity
> >
> > Often protocols will require multiple seals to be closed for a
> transaction to
> > be valid. If a single entity controls all seals, this is no problem: the
> > transaction simply isn't valid until the last seal is closed.
> >
> > However if multiple parties control the seals, a party could attack
> another
> > party by failing to go through with the transaction, after another party
> has
> > closed their seal, leaving the victim with an invalid transaction that
> they
> > can't reverse.
> >
> > We have a few options to resolve this problem:
> >
> > ### Use a single oracle
> >
> > The oracle can additionally guarantee that a seal will be closed iff
> some other
> > set of seals are also closed; seals implemented with Bitcoin can provide
> this
> > guarantee. If the parties to a transaction aren't already all on the same
> > oracle, they can add an additional transaction reassigning their outputs
> to a
> > common oracle.
> >
> > Equally, a temporary consensus between multiple mutually trusting
> oracles can
> > be created with a consensus protocol they share; this option doesn't
> need to
> > change the proof verification implementation.
> >
> >
> > ### Two-phase Timeouts
> >
> > If a proof to the fact that a seal is open can be generated, even under
> > adversarial conditions, we can make the seal protocol allow a close to be
> > undone after a timeout if evidence can be provided that the other
> seal(s) were
> > not also closed (in the specified way).
> >
> > Depending on the implementation - especially in decentralized systems -
> the
> > next time the seal is closed, the proof it has been closed may in turn
> provide
> > proof that a previous close was in fact invalid.
> >
> >
> > # Proof-of-Publication and Proof-of-Non-Publication
> >
> > Often we need to be able to prove that a specified audience was able to
> receive
> > a specific message. For example, the author's PayPub protocol[^paypub],
> > Todd/Taaki's timelock encryption protocol[^timelock], Zero-Knowledge
> Contingent
> > Payments[^zkcp], and Lightning, among others work by requiring a secret
> key to
> > be published publicly in the Bitcoin blockchain as a condition of
> collecting a
> > payment. At a much smaller scale - in terms of audience - in certain
> FinTech
> > applications for regulated environments a transaction may be considered
> invalid
> > unless it was provably published to a regulatory agency.  Another
> example is
> > Certificate Transparency, where we consider a SSL certificate to be
> invalid
> > unless it has been provably published to a transparency log maintained
> by a
> > third-party.
> >
> > Secondly, many proof-of-publication schemes also can prove that a
> message was
> > _not_ published to a specific audience. With this type of proof
> single-use
> > seals can be implemented, by having the proof consist of proof that a
> specified
> > message was not published between the time the seal was created, and the
> time
> > it was closed (a proof-of-publication of the message).
> >
> > ## Implementations
> >
> > ### Decentralized Blockchains
> >
> > Here the audience is all participants in the system. However miner
> censorship
> > can be a problem, and compact proofs of non-publication aren't yet
> available
> > (requires (U)TXO commitments).
> >
> > The authors treechains proposal is a particularly generic and scalable
> > implementation, with the ability to make trade offs between the size of
> > audience (security) and publication cost.
> >
> > ### Centralized Public Logs
> >
> > Certificate Transparency works this way, with trusted (but auditable)
> logs run
> > by well known parties acting as the publication medium, who promise to
> allow
> > anyone to obtain copies of the logs.
> >
> > The logs themselves may be indexed in a variety of ways; CT simply
> indexes logs
> > by time, however more efficient schemes are possible by having the
> operator
> > commit to a key:value mapping of "topics", to allow publication (and
> > non-publication) proofs to be created for specified topics or topic
> prefixes.
> >
> > Auditing the logs is done by verifying that queries to the state of the
> log
> > return the same state at the same time for different requesters.
> >
> > ### Receipt Oracles
> >
> > Finally publication can be proven by a receipt proof by the oracle,
> attesting
> > to the fact that the oracle has successfully received the message. This
> is
> > particularly appropriate in cases where the required audience is the
> oracle
> > itself, as in the FinTech regulator case.
> >
> >
> > # Validity Oracles
> >
> > As transaction histories grow longer, they may become impractical to
> move from
> > one party to another. Validity oracles can solve this problem by
> attesting to
> > the validity of transactions, allowing history prior to the attested
> > transactions to be discarded.
> >
> > A particularly generic validity oracle can be created using deterministic
> > expressions systems. The user gives the oracle an expression, and the
> oracle
> > returns a signed message attesting to the validity of the expression.
> > Optionally, the expression may be incomplete, with parts of the
> expression
> > replaced by previously generated attestations. For example, an
> expression that
> > returns true if a transaction is valid could in turn depend on the
> previous
> > transaction also being valid - a recursive call of itself - and that
> recursive
> > call can be proven with a prior attestation.
> >
> > ## Implementations
> >
> > ### Proof-of-Work Decentralized Consensus
> >
> > Miners in decentralized consensus systems act as a type of validity
> oracle, in
> > that the economic incentives in the system are (supposed to be) designed
> to
> > encourage only the mining of valid blocks; a user who trusts the
> majority of
> > hashing power can trust that any transaction with a valid merkle path to
> a
> > block header in the most-work chain is valid. Existing decentralized
> consensus
> > systems like Bitcoin and Ethereum conflate the roles of validity oracle
> and
> > single-use seal/anti-replay oracle, however in principle that need not
> be true.
> >
> >
> > ### Trusted Oracles
> >
> > As the name suggests. Remote-attestation-capable trusted hardware is a
> > particularly powerful implementation - a conspiracy theory is that the
> reason
> > why essentially zero secure true remote attestation implementations
> exist is
> > because they'd immediately make untraceable digital currency systems
> easy to
> > implement (Finney's RPOW[^rpow] is a rare counter-example).
> >
> > Note how a single-use seal oracle that supports a generic deterministic
> > expressions scheme for seal authorization can be easily extended to
> provide a
> > validity oracle service as well. The auditing mechanisms for a
> single-use seal
> > oracle can also be applied to validity oracles.
> >
> >
> > # Fraud Proofs
> >
> > Protocols specified with deterministic expressions can easily generate
> "fraud
> > proofs", showing that claimed states/proof in the system are actually
> invalid.
> > Additionally many protocols can be specified with expressions of
> k*log2(n)
> > depth, allowing these fraud proofs to be compact.
> >
> > A simple example is proving fraud in merkle-sum tree, where the validity
> > expression would be something like:
> >
> >     (defun valid? (node)
> >         (or (== node.type leaf)
> >             (and (== node.sum (+ node.left.sum node.right.sum))
> >                  (and (valid? node.left)
> >                       (valid? node.right)))))
> >
> > To prove the above expression evaluates to true, we'll need the entire
> contents
> > of the tree. However, to prove that it evaluates to false, we only need a
> > subset of the tree as proving an and expression evaluates to false only
> > requires one side, and requires log2(n) data. Secondly, with pruning, the
> > deterministic expressions evaluator can automatically keep track of
> exactly
> > what data was needed to prove that result, and prune all other data when
> > serializing the proof.
> >
> >
> > ## Validity Challenges
> >
> > However how do you guarantee it will be possible to prove fraud in the
> first
> > place? If pruning is allowed, you may simply not have access to the data
> > proving fraud - an especially severe problem in transactional systems
> where a
> > single fraudulent transaction can counterfeit arbitrary amounts of value
> out of
> > thin air.
> >
> > A possible approach is the validity challenge: a subset of proof data,
> with
> > part of the data marked as "potentially fraudulent". The challenge can be
> > satisfied by providing the marked data and showing that the proof in
> question
> > is in fact valid; if the challenge is unmet participants in the system
> can
> > choose to take action, such as refusing to accept additional
> transactions.
> >
> > Of course, this raises a whole host of so-far unsolved issues, such as
> DoS
> > attacks and lost data.
> >
> >
> > # Probabilistic Validation
> >
> > Protocols that can tolerate some fraud can make use of probabilistic
> > verification techniques to prove that the percentage of undetected fraud
> within
> > the system is less than a certain amount, with a specified probability.
> >
> > A common way to do this is the Fiat-Shamir transform, which repeatedly
> samples
> > a data structure deterministically, using the data's own hash digest as
> a seed
> > for a PRNG. Let's apply this technique to our merkle-sum tree example.
> We'll
> > first need a recursive function to check a sample, weighted by value:
> >
> >     (defun prefix-valid? (node nonce)
> >         (or (== node.type leaf)
> >             (and (and (== node.sum (+ node.left.sum node.right.sum))
> >                       (> 0 node.sum)) ; mod by 0 is invalid, just like
> division by zero
> >                                       ; also could guarantee this with a
> type system
> >                  (and (if (< node.left.sum (mod nonce node.sum))
> >                           (prefix-valid? node.right (hash nonce))
> >                           (prefix-valid? node.left (hash nonce)))))))
> >
> > Now we can combine multiple invocations of the above, in this case 256
> > invocations:
> >
> >     (defun prob-valid? (node)
> >         (and (and (and .... (prefix-valid? node (digest (cons (digest
> node) 0)))
> >              (and (and ....
> >                             (prefix-valid? node (digest (cons (digest
> node) 255)))
> >
> > As an exercise for a reader: generalize the above with a macro, or a
> suitable
> > types/generics system.
> >
> > If we assume our attacker can grind up to 128 bits, that leaves us with
> 128
> > random samples that they can't control. If the (value weighted)
> probability of
> > a given node is fraudulent q, then the chance of the attacker getting
> away with
> > fraud is (1-q)^128 - for q=5% that works out to 0.1%
> >
> > (Note that the above analysis isn't particularly well done - do a better
> > analysis before implementing this in production!)
> >
> >
> > ## Random Beacons and Transaction History Linearization
> >
> > The Fiat-Shamir transform requires a significant number of samples to
> defeat
> > grinding attacks; if we have a random beacon available we can
> significantly
> > reduce the size of our probabilistic proofs. PoW blockchains can
> themselves act
> > as random beacons, as it is provably expensive for miners to manipulate
> the
> > hash digests of blocks they produce - to do so requires discarding
> otherwise
> > valid blocks.
> >
> > An example where this capability is essential is the author's transaction
> > history linearization technique. In value transfer systems such as
> Bitcoin, the
> > history of any given coin grows quasi-exponentially as coins are mixed
> across
> > the entire economy. We can linearize the growth of history proofs by
> redefining
> > coin validity to be probabilistic.
> >
> > Suppose we have a transaction with n inputs. Of those inputs, the total
> value
> > of real inputs is p, and the total claimed value of fake inputs is q. The
> > transaction commits to all inputs in a merkle sum tree, and we define the
> > transaction as valid if a randomly chosen input - weighted by value - can
> > itself be proven valid. Finally, we assume that creating a genuine input
> is a
> > irrevocable action which irrevocable commits to the set of all inputs,
> real and
> > fake.
> >
> > If all inputs are real, 100% of the time the transaction will be valid;
> if all
> > inputs are fake, 100% of the time the transaction will be invalid. In
> the case
> > where some inputs are real and some are fake the probability that the
> fraud
> > will be detected is:
> >
> >     q / (q + p)
> >
> > The expected value of the fake inputs is then the sum of the potential
> upside -
> > the fraud goes detected - and the potential downside - the fraud is
> detected
> > and the real inputs are destroyed:
> >
> >     E = q(1 - q/(q + p)) - p(q/(q + p)
> >       = q(p/(q + p)) - p(q/(q + p)
> >       = (q - q)(p/(q + p))
> >       = 0
> >
> > Thus so long as the random beacon is truly unpredictable, there's no
> economic
> > advantage to creating fake inputs, and it is sufficient for validity to
> only
> > require one input to be proven, giving us O(n) scaling for transaction
> history
> > proofs.
> >
> >
> > ### Inflationary O(1) History Proofs
> >
> > We can further improve our transaction history proof scalability by
> taking
> > advantage of inflation. We do this by occasionally allowing a
> transaction proof
> > to be considered valid without validating _any_ of the inputs; every
> time a
> > transaction is allowed without proving any inputs the size of the
> transaction
> > history proof is reset. Of course, this can be a source of inflation, but
> > provided the probability of this happening can be limited we can limit
> the
> > maximum rate of inflation to the chosen value.
> >
> > For example, in Bitcoin as of writing every block inflates the currency
> supply
> > by 25BTC, and contains a maximum of 1MB of transaction data,
> 0.025BTC/KB. If we
> > check the prior input proof with probability p, then the expected value
> of a
> > transaction claiming to spend x BTC is:
> >
> >     E = x(1-p)
> >
> > We can rewrite that in terms of the block reward per-byte R, and the
> transaction size l:
> >
> >     lR = x(1-p)
> >
> > And solving for p:
> >
> >     p = 1 - lR/x
> >
> > For example, for a 1KB transaction proof claiming to spending 10BTC we
> can omit
> > checking the input 0.25% of the time without allowing more monetary
> inflation
> > than the block reward already does. Secondly, this means that after n
> > transactions, the probability that proof shortening will _not_ happen is
> p^n,
> > which reaches 1% after 1840 transactions.
> >
> > In a system like Bitcoin where miners are expected to validate, a
> transaction
> > proof could consist of just a single merkle path showing that a
> single-use seal
> > was closed in some kind of TXO commitment - probably under 10KB of data.
> That
> > gives us a history proof less than 18.4MB in size, 99% of the time, and
> less
> > than 9.2MB in size 90% of the time.
> >
> > An interesting outcome of thing kind of design is that we can
> institutionalize
> > inflation fraud: the entire block reward can be replaced by miners
> rolling the
> > dice, attempting to create valid "fake" transactions. However, such a
> pure
> > implementation would put a floor on the lowest transaction fee possible,
> so
> > better to allow both transaction fee and subsidy collection at the same
> time.
> >
> >
> > # References
> >
> > [^paypub] https://github.com/unsystem/paypub
> > [^timelock] https://github.com/petertodd/timelock
> > [^zkcp]
> https://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-announcement/
> > [^rpow] https://cryptome.org/rpow.htm
> >
> >
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--94eb2c055adaee59a80535b81968
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Peter,<br><br>I didn&#39;t entirely understand the proc=
ess of transaction linearization.<br><br>What I see is a potential process =
where when the miner assembles the block, he strips all but one sigscript p=
er tx. The selection of which =C2=A0sigscript is retained is determined by =
the random oracle.=C2=A0 Is this is primary benefit you are suggesting?=C2=
=A0<br><br>It appears to me that blocks still need to contain a list of ful=
l TX Input and Tx Outputs with your approach. Some of the description seems=
 to indicate that there are opportunities to elide further data but it&#39;=
s unclear to me how.</div><br><div class=3D"gmail_quote"><div dir=3D"ltr">O=
n Mon, Jun 20, 2016 at 7:14 AM Police Terror via bitcoin-dev &lt;<a href=3D=
"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfound=
ation.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Bitcoin =
could embed a lisp interpreter such as Scheme, reverse engineer<br>
the current protocol into lisp (inside C++), run this alternative engine<br=
>
alongside the current one as an option for some years (only for fine<br>
tuning) then eventually fade this lisp written validation code instead<br>
of the current one.<br>
<br>
Scheme is small and minimal, and embeds easily in C++. This could be a<br>
better option than the libconsensus library - validation in a functional<br=
>
scripting language.<br>
<br>
That doesn&#39;t mean people can&#39;t program the validation code in other=
<br>
languages (maybe they&#39;d want to optimize), but this code would be the<b=
r>
standard.<br>
<br>
It&#39;s really good how you are thinking deeply how Bitcoin can be used,<b=
r>
and the implications of everything. Also there&#39;s a lot of magical utopi=
c<br>
thinking in Ethereum, which is transhumanist nonsense that is life<br>
denying. Bitcoin really speaks to me because it is real and a great tool<br=
>
following the UNIX principle.<br>
<br>
I wouldn&#39;t be so quick to deride good engineering over systematic<br>
provable systems for all domains. Bitcoin being written in C++ is not a<br>
defect. It&#39;s actually a strong language for what it does. Especially<br=
>
when used correctly (which is not often and takes years to master).<br>
<br>
With the seals idea- am I understand this correctly?: Every transaction<br>
has a number (essentially the index starting from 0 upwards) depending<br>
on where it is in the blockchain.<br>
<br>
Then there is an array (probably an on disk array mapping transaction<br>
indexes to hashes). Each hash entry in the array must be unique (the<br>
hashes) otherwise the transaction will be denied. This is a great idea<br>
to solve transaction hash collisions and simple to implement.<br>
<br>
Probabilistic validation is a good idea, although the real difficulty<br>
now seems to be writing and indexing all the blockchain data for<br>
lookups. And validation is disabled for most of the blocks. Pruning is<br>
only a stop gap measure (which loses data) that doesn&#39;t solve the issue=
<br>
of continually growing resource consumption. Hardware and implementation<br=
>
can only mitigate this so much. If only there was a way to simplify the<br>
underlying protocol to make it more resource efficient...<br>
<br>
Peter Todd via bitcoin-dev:<br>
&gt; In light of Ethereum&#39;s recent problems with its imperative, accoun=
t-based,<br>
&gt; programming model, I thought I&#39;d do a quick writeup outlining the =
building<br>
&gt; blocks of the state-machine approach to so-called &quot;smart contract=
&quot; systems, an<br>
&gt; extension of Bitcoin&#39;s own design that I personally have been deve=
loping for a<br>
&gt; number of years now as my Proofchains/Dex research work.<br>
&gt;<br>
&gt;<br>
&gt; # Deterministic Code / Deterministic Expressions<br>
&gt;<br>
&gt; We need to be able to run code on different computers and get identica=
l<br>
&gt; results; without this consensus is impossible and we might as well jus=
t use a<br>
&gt; central authoritative database. Traditional languages and surrounding<=
br>
&gt; frameworks make determinism difficult to achieve, as they tend to be f=
illed<br>
&gt; with undefined and underspecified behavior, ranging from signed intege=
r<br>
&gt; overflow in C/C++ to non-deterministic behavior in databases. While so=
me<br>
&gt; successful systems like Bitcoin are based on such languages, their suc=
cess is<br>
&gt; attributable to heroic efforts by their developers.<br>
&gt;<br>
&gt; Deterministic expression systems such as Bitcoin&#39;s scripting syste=
m and the<br>
&gt; author&#39;s Dex project improve on this by allowing expressions to be=
 precisely<br>
&gt; specified by hash digest, and executed against an environment with<br>
&gt; deterministic results. In the case of Bitcoin&#39;s script, the expres=
sion is a<br>
&gt; Forth-like stack-based program; in Dex the expression takes the form o=
f a<br>
&gt; lambda calculus expression.<br>
&gt;<br>
&gt;<br>
&gt; ## Proofs<br>
&gt;<br>
&gt; So far the most common use for deterministic expressions is to specify=
<br>
&gt; conditions upon which funds can be spent, as seen in Bitcoin (particul=
arly<br>
&gt; P2SH, and the upcoming Segwit). But we can generalize their use to pre=
cisely<br>
&gt; defining consensus protocols in terms of state machines, with each sta=
te<br>
&gt; defined in terms of a deterministic expression that must return true f=
or the<br>
&gt; state to have been reached. The data that causes a given expression to=
 return<br>
&gt; true is then a &quot;proof&quot;, and that proof can be passed from on=
e party to another<br>
&gt; to prove desired states in the system have been reached.<br>
&gt;<br>
&gt; An important implication of this model is that we need deterministic, =
and<br>
&gt; efficient, serialization of proof data.<br>
&gt;<br>
&gt;<br>
&gt; ## Pruning<br>
&gt;<br>
&gt; Often the evaluation of an expression against a proof doesn&#39;t requ=
ire all all<br>
&gt; data in the proof. For example, to prove to a lite client that a given=
 block<br>
&gt; contains a transaction, we only need the merkle path from the transact=
ion to<br>
&gt; the block header. Systems like Proofchains and Dex generalize this pro=
cess -<br>
&gt; called &quot;pruning&quot; - with built-in support to both keep track =
of what data is<br>
&gt; accessed by what operations, as well as support in their underlying<br=
>
&gt; serialization schemes for unneeded data to be elided and replaced by t=
he hash<br>
&gt; digest of the pruned data.<br>
&gt;<br>
&gt;<br>
&gt; # Transactions<br>
&gt;<br>
&gt; A common type of state machine is the transaction. A transaction histo=
ry is a<br>
&gt; directed acyclic graph of transactions, with one or more genesis trans=
actions<br>
&gt; having no inputs (ancestors), and one or more outputs, and zero or mor=
e<br>
&gt; non-genesis transactions with one or more inputs, and zero or more out=
puts. The<br>
&gt; edges of the graph connect inputs to outputs, with every input connect=
ed to<br>
&gt; exactly one output. Outputs with an associated input are known as spen=
t<br>
&gt; outputs; outputs with out an associated input are unspent.<br>
&gt;<br>
&gt; Outputs have conditions attached to them (e.g. a pubkey for which a va=
lid<br>
&gt; signature must be produced), and may also be associated with other val=
ues such<br>
&gt; as &quot;# of coins&quot;. We consider a transaction valid if we have =
a set of proofs,<br>
&gt; one per input, that satisfy the conditions associated with each output=
.<br>
&gt; Secondly, validity may also require additional constraints to be true,=
 such as<br>
&gt; requiring the coins spent to be &gt;=3D the coins created on the outpu=
ts. Input<br>
&gt; proofs also must uniquely commit to the transaction itself to be secur=
e - if<br>
&gt; they don&#39;t the proofs can be reused in a replay attack.<br>
&gt;<br>
&gt; A non-genesis transaction is valid if:<br>
&gt;<br>
&gt; 1. Any protocol-specific rules such as coins spent &gt;=3D coins outpu=
t are<br>
&gt;=C2=A0 =C2=A0 followed.<br>
&gt;<br>
&gt; 2. For every input a valid proof exists.<br>
&gt;<br>
&gt; 3. Every input transaction is itself valid.<br>
&gt;<br>
&gt; A practical implementation of the above for value-transfer systems lik=
e Bitcoin<br>
&gt; could use two merkle-sum trees, one for the inputs, and one for the ou=
tputs,<br>
&gt; with inputs simply committing to the previous transaction&#39;s txid a=
nd output #<br>
&gt; (outpoint), and outputs committing to a scriptPubKey and output amount=
.<br>
&gt; Witnesses can be provided separately, and would sign a signature commi=
tting to<br>
&gt; the transaction or optionally, a subset of of inputs and/or outputs (w=
ith<br>
&gt; merkle trees we can easily avoid the exponential signature validation =
problems<br>
&gt; bitcoin currently has).<br>
&gt;<br>
&gt; As so long as all genesis transactions are unique, and our hash functi=
on is<br>
&gt; secure, all transaction outputs can be uniquely identified (prior to B=
IP34 the<br>
&gt; Bitcoin protocol actually failed at this!).<br>
&gt;<br>
&gt;<br>
&gt; ## Proof Distribution<br>
&gt;<br>
&gt; How does Alice convince Bob that she has done a transaction that puts =
the<br>
&gt; system into the state that Bob wanted? The obvious answer is she gives=
 Bob data<br>
&gt; proving that the system is now in the desired state; in a transactiona=
l system<br>
&gt; that proof is some or all of the transaction history. Systems like Bit=
coin<br>
&gt; provide a generic flood-fill messaging layer where all participants ha=
ve the<br>
&gt; opportunity to get a copy of all proofs in the system, however we can =
also<br>
&gt; implement more fine grained solutions based on peer-to-peer message pa=
ssing -<br>
&gt; one could imagine Alice proving to Bob that she transferred title to h=
er house<br>
&gt; to him by giving him a series of proofs, not unlike the same way that =
property<br>
&gt; title transfer can be demonstrated by providing the buyer with a serie=
s of deed<br>
&gt; documents (though note the double-spend problem!).<br>
&gt;<br>
&gt;<br>
&gt; # Uniqueness and Single-Use Seals<br>
&gt;<br>
&gt; In addition to knowing that a given transaction history is valid, we a=
lso want<br>
&gt; to know if it&#39;s unique. By that we mean that every spent output in=
 the<br>
&gt; transaction history is associated with exactly one input, and no other=
 valid<br>
&gt; spends exist; we want to ensure no output has been double-spent.<br>
&gt;<br>
&gt; Bitcoin (and pretty much every other cryptocurrency like it) achieves =
this goal<br>
&gt; by defining a method of achieving consensus over the set of all (valid=
)<br>
&gt; transactions, and then defining that consensus as valid if and only if=
 no<br>
&gt; output is spent more than once.<br>
&gt;<br>
&gt; A more general approach is to introduce the idea of a cryptographic Si=
ngle-Use<br>
&gt; Seal, analogous to the tamper-evidence single-use seals commonly used =
for<br>
&gt; protecting goods during shipment and storage. Each individual seals is=
<br>
&gt; associated with a globally unique identifier, and has two states, open=
 and<br>
&gt; closed. A secure seal can be closed exactly once, producing a proof th=
at the<br>
&gt; seal was closed.<br>
&gt;<br>
&gt; All practical single-use seals will be associated with some kind of co=
ndition,<br>
&gt; such as a pubkey, or deterministic expression, that needs to be satisf=
ied for<br>
&gt; the seal to be closed. Secondly, the contents of the proof will be abl=
e to<br>
&gt; commit to new data, such as the transaction spending the output associ=
ated with<br>
&gt; the seal.<br>
&gt;<br>
&gt; Additionally some implementations of single-use seals may be able to a=
lso<br>
&gt; generate a proof that a seal was _not_ closed as of a certain<br>
&gt; time/block-height/etc.<br>
&gt;<br>
&gt;<br>
&gt; ## Implementations<br>
&gt;<br>
&gt; ### Transactional Blockchains<br>
&gt;<br>
&gt; A transaction output on a system like Bitcoin can be used as a single-=
use seal.<br>
&gt; In this implementation, the outpoint (txid:vout #) is the seal&#39;s i=
dentifier,<br>
&gt; the authorization mechanism is the scriptPubKey of the output, and the=
 proof<br>
&gt; is the transaction spending the output. The proof can commit to additi=
onal<br>
&gt; data as needed in a variety of ways, such as an OP_RETURN output, or<b=
r>
&gt; unspendable output.<br>
&gt;<br>
&gt; This implementation approach is resistant to miner censorship if the s=
eal&#39;s<br>
&gt; identifier isn&#39;t made public, and the protocol (optionally) allows=
 for the<br>
&gt; proof transaction to commit to the sealed contents with unspendable ou=
tputs;<br>
&gt; unspendable outputs can&#39;t be distinguished from transactions that =
move funds.<br>
&gt;<br>
&gt;<br>
&gt; ### Unbounded Oracles<br>
&gt;<br>
&gt; A trusted oracle P can maintain a set of closed seals, and produce sig=
ned<br>
&gt; messages attesting to the fact that a seal was closed. Specifically, t=
he seal<br>
&gt; is identified by the tuple (P, q), with q being the per-seal authoriza=
tion<br>
&gt; expression that must be satisfied for the seal to be closed. The first=
 time the<br>
&gt; oracle is given a valid signature for the seal, it adds that signature=
 and seal<br>
&gt; ID to its closed seal set, and makes available a signed message attest=
ing to<br>
&gt; the fact that the seal has been closed. The proof is that message (and=
<br>
&gt; possibly the signature, or a second message signed by it).<br>
&gt;<br>
&gt; The oracle can publish the set of all closed seals for transparency/au=
diting<br>
&gt; purposes. A good way to do this is to make a merkelized key:value set,=
 with the<br>
&gt; seal identifiers as keys, and the value being the proofs, and in turn =
create a<br>
&gt; signed certificate transparency log of that set over time. Merkle-path=
s from<br>
&gt; this log can also serve as the closed seal proof, and for that matter,=
 as<br>
&gt; proof of the fact that a seal has not been closed.<br>
&gt;<br>
&gt;<br>
&gt; ### Bounded Oracles<br>
&gt;<br>
&gt; The above has the problem of unbounded storage requirements as the clo=
sed seal<br>
&gt; set grows without bound. We can fix that problem by requiring users of=
 the<br>
&gt; oracle to allocate seals in advance, analogous to the UTXO set in Bitc=
oin.<br>
&gt;<br>
&gt; To allocate a seal the user provides the oracle P with the authorizati=
on<br>
&gt; expression q. The oracle then generates a nonce n and adds (q,n) to th=
e set of<br>
&gt; unclosed seals, and tells the user that nonce. The seal is then unique=
ly<br>
&gt; identified by (P, q, n)<br>
&gt;<br>
&gt; To close a seal, the user provides the oracle with a valid signature o=
ver (P,<br>
&gt; q, n). If the open seal set contains that seal, the seal is removed fr=
om the<br>
&gt; set and the oracle provides the user with a signed message attesting t=
o the<br>
&gt; valid close.<br>
&gt;<br>
&gt; A practical implementation would be to have the oracle publish a trans=
parency<br>
&gt; log, with each entry in the log committing to the set of all open seal=
s with a<br>
&gt; merkle set, as well as any seals closed during that entry. Again, merk=
le paths<br>
&gt; for this log can serve as proofs to the open or closed state of a seal=
.<br>
&gt;<br>
&gt; Note how with (U)TXO commitments, Bitcoin itself is a bounded oracle<b=
r>
&gt; implementation that can produce compact proofs.<br>
&gt;<br>
&gt;<br>
&gt; ### Group Seals<br>
&gt;<br>
&gt; Multiple seals can be combined into one, by having the open seal commi=
t to a<br>
&gt; set of sub-seals, and then closing the seal over a second set of close=
d seal<br>
&gt; proofs. Seals that didn&#39;t need to be closed can be closed over a s=
pecial<br>
&gt; re-delegation message, re-delegating the seal to a new open seal.<br>
&gt;<br>
&gt; Since the closed sub-seal proof can additionally include a proof of<br=
>
&gt; authorization, we have a protcol where the entity with authorization t=
o close<br>
&gt; the master seal has the ability to DoS attack sub-seals owners, but no=
t the<br>
&gt; ability to fraudulently close the seals over contents of their choosin=
g. This<br>
&gt; may be useful in cases where actions on the master seal is expensive -=
 such as<br>
&gt; seals implemented on top of decentralized blockchains - by amortising =
the cost<br>
&gt; over all sub-seals.<br>
&gt;<br>
&gt;<br>
&gt; ## Atomicity<br>
&gt;<br>
&gt; Often protocols will require multiple seals to be closed for a transac=
tion to<br>
&gt; be valid. If a single entity controls all seals, this is no problem: t=
he<br>
&gt; transaction simply isn&#39;t valid until the last seal is closed.<br>
&gt;<br>
&gt; However if multiple parties control the seals, a party could attack an=
other<br>
&gt; party by failing to go through with the transaction, after another par=
ty has<br>
&gt; closed their seal, leaving the victim with an invalid transaction that=
 they<br>
&gt; can&#39;t reverse.<br>
&gt;<br>
&gt; We have a few options to resolve this problem:<br>
&gt;<br>
&gt; ### Use a single oracle<br>
&gt;<br>
&gt; The oracle can additionally guarantee that a seal will be closed iff s=
ome other<br>
&gt; set of seals are also closed; seals implemented with Bitcoin can provi=
de this<br>
&gt; guarantee. If the parties to a transaction aren&#39;t already all on t=
he same<br>
&gt; oracle, they can add an additional transaction reassigning their outpu=
ts to a<br>
&gt; common oracle.<br>
&gt;<br>
&gt; Equally, a temporary consensus between multiple mutually trusting orac=
les can<br>
&gt; be created with a consensus protocol they share; this option doesn&#39=
;t need to<br>
&gt; change the proof verification implementation.<br>
&gt;<br>
&gt;<br>
&gt; ### Two-phase Timeouts<br>
&gt;<br>
&gt; If a proof to the fact that a seal is open can be generated, even unde=
r<br>
&gt; adversarial conditions, we can make the seal protocol allow a close to=
 be<br>
&gt; undone after a timeout if evidence can be provided that the other seal=
(s) were<br>
&gt; not also closed (in the specified way).<br>
&gt;<br>
&gt; Depending on the implementation - especially in decentralized systems =
- the<br>
&gt; next time the seal is closed, the proof it has been closed may in turn=
 provide<br>
&gt; proof that a previous close was in fact invalid.<br>
&gt;<br>
&gt;<br>
&gt; # Proof-of-Publication and Proof-of-Non-Publication<br>
&gt;<br>
&gt; Often we need to be able to prove that a specified audience was able t=
o receive<br>
&gt; a specific message. For example, the author&#39;s PayPub protocol[^pay=
pub],<br>
&gt; Todd/Taaki&#39;s timelock encryption protocol[^timelock], Zero-Knowled=
ge Contingent<br>
&gt; Payments[^zkcp], and Lightning, among others work by requiring a secre=
t key to<br>
&gt; be published publicly in the Bitcoin blockchain as a condition of coll=
ecting a<br>
&gt; payment. At a much smaller scale - in terms of audience - in certain F=
inTech<br>
&gt; applications for regulated environments a transaction may be considere=
d invalid<br>
&gt; unless it was provably published to a regulatory agency.=C2=A0 Another=
 example is<br>
&gt; Certificate Transparency, where we consider a SSL certificate to be in=
valid<br>
&gt; unless it has been provably published to a transparency log maintained=
 by a<br>
&gt; third-party.<br>
&gt;<br>
&gt; Secondly, many proof-of-publication schemes also can prove that a mess=
age was<br>
&gt; _not_ published to a specific audience. With this type of proof single=
-use<br>
&gt; seals can be implemented, by having the proof consist of proof that a =
specified<br>
&gt; message was not published between the time the seal was created, and t=
he time<br>
&gt; it was closed (a proof-of-publication of the message).<br>
&gt;<br>
&gt; ## Implementations<br>
&gt;<br>
&gt; ### Decentralized Blockchains<br>
&gt;<br>
&gt; Here the audience is all participants in the system. However miner cen=
sorship<br>
&gt; can be a problem, and compact proofs of non-publication aren&#39;t yet=
 available<br>
&gt; (requires (U)TXO commitments).<br>
&gt;<br>
&gt; The authors treechains proposal is a particularly generic and scalable=
<br>
&gt; implementation, with the ability to make trade offs between the size o=
f<br>
&gt; audience (security) and publication cost.<br>
&gt;<br>
&gt; ### Centralized Public Logs<br>
&gt;<br>
&gt; Certificate Transparency works this way, with trusted (but auditable) =
logs run<br>
&gt; by well known parties acting as the publication medium, who promise to=
 allow<br>
&gt; anyone to obtain copies of the logs.<br>
&gt;<br>
&gt; The logs themselves may be indexed in a variety of ways; CT simply ind=
exes logs<br>
&gt; by time, however more efficient schemes are possible by having the ope=
rator<br>
&gt; commit to a key:value mapping of &quot;topics&quot;, to allow publicat=
ion (and<br>
&gt; non-publication) proofs to be created for specified topics or topic pr=
efixes.<br>
&gt;<br>
&gt; Auditing the logs is done by verifying that queries to the state of th=
e log<br>
&gt; return the same state at the same time for different requesters.<br>
&gt;<br>
&gt; ### Receipt Oracles<br>
&gt;<br>
&gt; Finally publication can be proven by a receipt proof by the oracle, at=
testing<br>
&gt; to the fact that the oracle has successfully received the message. Thi=
s is<br>
&gt; particularly appropriate in cases where the required audience is the o=
racle<br>
&gt; itself, as in the FinTech regulator case.<br>
&gt;<br>
&gt;<br>
&gt; # Validity Oracles<br>
&gt;<br>
&gt; As transaction histories grow longer, they may become impractical to m=
ove from<br>
&gt; one party to another. Validity oracles can solve this problem by attes=
ting to<br>
&gt; the validity of transactions, allowing history prior to the attested<b=
r>
&gt; transactions to be discarded.<br>
&gt;<br>
&gt; A particularly generic validity oracle can be created using determinis=
tic<br>
&gt; expressions systems. The user gives the oracle an expression, and the =
oracle<br>
&gt; returns a signed message attesting to the validity of the expression.<=
br>
&gt; Optionally, the expression may be incomplete, with parts of the expres=
sion<br>
&gt; replaced by previously generated attestations. For example, an express=
ion that<br>
&gt; returns true if a transaction is valid could in turn depend on the pre=
vious<br>
&gt; transaction also being valid - a recursive call of itself - and that r=
ecursive<br>
&gt; call can be proven with a prior attestation.<br>
&gt;<br>
&gt; ## Implementations<br>
&gt;<br>
&gt; ### Proof-of-Work Decentralized Consensus<br>
&gt;<br>
&gt; Miners in decentralized consensus systems act as a type of validity or=
acle, in<br>
&gt; that the economic incentives in the system are (supposed to be) design=
ed to<br>
&gt; encourage only the mining of valid blocks; a user who trusts the major=
ity of<br>
&gt; hashing power can trust that any transaction with a valid merkle path =
to a<br>
&gt; block header in the most-work chain is valid. Existing decentralized c=
onsensus<br>
&gt; systems like Bitcoin and Ethereum conflate the roles of validity oracl=
e and<br>
&gt; single-use seal/anti-replay oracle, however in principle that need not=
 be true.<br>
&gt;<br>
&gt;<br>
&gt; ### Trusted Oracles<br>
&gt;<br>
&gt; As the name suggests. Remote-attestation-capable trusted hardware is a=
<br>
&gt; particularly powerful implementation - a conspiracy theory is that the=
 reason<br>
&gt; why essentially zero secure true remote attestation implementations ex=
ist is<br>
&gt; because they&#39;d immediately make untraceable digital currency syste=
ms easy to<br>
&gt; implement (Finney&#39;s RPOW[^rpow] is a rare counter-example).<br>
&gt;<br>
&gt; Note how a single-use seal oracle that supports a generic deterministi=
c<br>
&gt; expressions scheme for seal authorization can be easily extended to pr=
ovide a<br>
&gt; validity oracle service as well. The auditing mechanisms for a single-=
use seal<br>
&gt; oracle can also be applied to validity oracles.<br>
&gt;<br>
&gt;<br>
&gt; # Fraud Proofs<br>
&gt;<br>
&gt; Protocols specified with deterministic expressions can easily generate=
 &quot;fraud<br>
&gt; proofs&quot;, showing that claimed states/proof in the system are actu=
ally invalid.<br>
&gt; Additionally many protocols can be specified with expressions of k*log=
2(n)<br>
&gt; depth, allowing these fraud proofs to be compact.<br>
&gt;<br>
&gt; A simple example is proving fraud in merkle-sum tree, where the validi=
ty<br>
&gt; expression would be something like:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0(defun valid? (node)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(or (=3D=3D node.type leaf)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(and (=3D=3D node.sum (=
+ node.left.sum node.right.sum))<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (and (va=
lid? node.left)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0(valid? node.right)))))<br>
&gt;<br>
&gt; To prove the above expression evaluates to true, we&#39;ll need the en=
tire contents<br>
&gt; of the tree. However, to prove that it evaluates to false, we only nee=
d a<br>
&gt; subset of the tree as proving an and expression evaluates to false onl=
y<br>
&gt; requires one side, and requires log2(n) data. Secondly, with pruning, =
the<br>
&gt; deterministic expressions evaluator can automatically keep track of ex=
actly<br>
&gt; what data was needed to prove that result, and prune all other data wh=
en<br>
&gt; serializing the proof.<br>
&gt;<br>
&gt;<br>
&gt; ## Validity Challenges<br>
&gt;<br>
&gt; However how do you guarantee it will be possible to prove fraud in the=
 first<br>
&gt; place? If pruning is allowed, you may simply not have access to the da=
ta<br>
&gt; proving fraud - an especially severe problem in transactional systems =
where a<br>
&gt; single fraudulent transaction can counterfeit arbitrary amounts of val=
ue out of<br>
&gt; thin air.<br>
&gt;<br>
&gt; A possible approach is the validity challenge: a subset of proof data,=
 with<br>
&gt; part of the data marked as &quot;potentially fraudulent&quot;. The cha=
llenge can be<br>
&gt; satisfied by providing the marked data and showing that the proof in q=
uestion<br>
&gt; is in fact valid; if the challenge is unmet participants in the system=
 can<br>
&gt; choose to take action, such as refusing to accept additional transacti=
ons.<br>
&gt;<br>
&gt; Of course, this raises a whole host of so-far unsolved issues, such as=
 DoS<br>
&gt; attacks and lost data.<br>
&gt;<br>
&gt;<br>
&gt; # Probabilistic Validation<br>
&gt;<br>
&gt; Protocols that can tolerate some fraud can make use of probabilistic<b=
r>
&gt; verification techniques to prove that the percentage of undetected fra=
ud within<br>
&gt; the system is less than a certain amount, with a specified probability=
.<br>
&gt;<br>
&gt; A common way to do this is the Fiat-Shamir transform, which repeatedly=
 samples<br>
&gt; a data structure deterministically, using the data&#39;s own hash dige=
st as a seed<br>
&gt; for a PRNG. Let&#39;s apply this technique to our merkle-sum tree exam=
ple. We&#39;ll<br>
&gt; first need a recursive function to check a sample, weighted by value:<=
br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0(defun prefix-valid? (node nonce)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(or (=3D=3D node.type leaf)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(and (and (=3D=3D node.=
sum (+ node.left.sum node.right.sum))<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0(&gt; 0 node.sum)) ; mod by 0 is invalid, just like division b=
y zero<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0; also=
 could guarantee this with a type system<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (and (if=
 (&lt; node.left.sum (mod nonce node.sum))<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0(prefix-valid? node.right (hash nonce))<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0(prefix-valid? node.left (hash nonce)))))))<br>
&gt;<br>
&gt; Now we can combine multiple invocations of the above, in this case 256=
<br>
&gt; invocations:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0(defun prob-valid? (node)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(and (and (and .... (prefix-valid? no=
de (digest (cons (digest node) 0)))<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 (and (and ....<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(prefix-valid? node (digest (cons (digest=
 node) 255)))<br>
&gt;<br>
&gt; As an exercise for a reader: generalize the above with a macro, or a s=
uitable<br>
&gt; types/generics system.<br>
&gt;<br>
&gt; If we assume our attacker can grind up to 128 bits, that leaves us wit=
h 128<br>
&gt; random samples that they can&#39;t control. If the (value weighted) pr=
obability of<br>
&gt; a given node is fraudulent q, then the chance of the attacker getting =
away with<br>
&gt; fraud is (1-q)^128 - for q=3D5% that works out to 0.1%<br>
&gt;<br>
&gt; (Note that the above analysis isn&#39;t particularly well done - do a =
better<br>
&gt; analysis before implementing this in production!)<br>
&gt;<br>
&gt;<br>
&gt; ## Random Beacons and Transaction History Linearization<br>
&gt;<br>
&gt; The Fiat-Shamir transform requires a significant number of samples to =
defeat<br>
&gt; grinding attacks; if we have a random beacon available we can signific=
antly<br>
&gt; reduce the size of our probabilistic proofs. PoW blockchains can thems=
elves act<br>
&gt; as random beacons, as it is provably expensive for miners to manipulat=
e the<br>
&gt; hash digests of blocks they produce - to do so requires discarding oth=
erwise<br>
&gt; valid blocks.<br>
&gt;<br>
&gt; An example where this capability is essential is the author&#39;s tran=
saction<br>
&gt; history linearization technique. In value transfer systems such as Bit=
coin, the<br>
&gt; history of any given coin grows quasi-exponentially as coins are mixed=
 across<br>
&gt; the entire economy. We can linearize the growth of history proofs by r=
edefining<br>
&gt; coin validity to be probabilistic.<br>
&gt;<br>
&gt; Suppose we have a transaction with n inputs. Of those inputs, the tota=
l value<br>
&gt; of real inputs is p, and the total claimed value of fake inputs is q. =
The<br>
&gt; transaction commits to all inputs in a merkle sum tree, and we define =
the<br>
&gt; transaction as valid if a randomly chosen input - weighted by value - =
can<br>
&gt; itself be proven valid. Finally, we assume that creating a genuine inp=
ut is a<br>
&gt; irrevocable action which irrevocable commits to the set of all inputs,=
 real and<br>
&gt; fake.<br>
&gt;<br>
&gt; If all inputs are real, 100% of the time the transaction will be valid=
; if all<br>
&gt; inputs are fake, 100% of the time the transaction will be invalid. In =
the case<br>
&gt; where some inputs are real and some are fake the probability that the =
fraud<br>
&gt; will be detected is:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0q / (q + p)<br>
&gt;<br>
&gt; The expected value of the fake inputs is then the sum of the potential=
 upside -<br>
&gt; the fraud goes detected - and the potential downside - the fraud is de=
tected<br>
&gt; and the real inputs are destroyed:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0E =3D q(1 - q/(q + p)) - p(q/(q + p)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0=3D q(p/(q + p)) - p(q/(q + p)<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0=3D (q - q)(p/(q + p))<br>
&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0=3D 0<br>
&gt;<br>
&gt; Thus so long as the random beacon is truly unpredictable, there&#39;s =
no economic<br>
&gt; advantage to creating fake inputs, and it is sufficient for validity t=
o only<br>
&gt; require one input to be proven, giving us O(n) scaling for transaction=
 history<br>
&gt; proofs.<br>
&gt;<br>
&gt;<br>
&gt; ### Inflationary O(1) History Proofs<br>
&gt;<br>
&gt; We can further improve our transaction history proof scalability by ta=
king<br>
&gt; advantage of inflation. We do this by occasionally allowing a transact=
ion proof<br>
&gt; to be considered valid without validating _any_ of the inputs; every t=
ime a<br>
&gt; transaction is allowed without proving any inputs the size of the tran=
saction<br>
&gt; history proof is reset. Of course, this can be a source of inflation, =
but<br>
&gt; provided the probability of this happening can be limited we can limit=
 the<br>
&gt; maximum rate of inflation to the chosen value.<br>
&gt;<br>
&gt; For example, in Bitcoin as of writing every block inflates the currenc=
y supply<br>
&gt; by 25BTC, and contains a maximum of 1MB of transaction data, 0.025BTC/=
KB. If we<br>
&gt; check the prior input proof with probability p, then the expected valu=
e of a<br>
&gt; transaction claiming to spend x BTC is:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0E =3D x(1-p)<br>
&gt;<br>
&gt; We can rewrite that in terms of the block reward per-byte R, and the t=
ransaction size l:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0lR =3D x(1-p)<br>
&gt;<br>
&gt; And solving for p:<br>
&gt;<br>
&gt;=C2=A0 =C2=A0 =C2=A0p =3D 1 - lR/x<br>
&gt;<br>
&gt; For example, for a 1KB transaction proof claiming to spending 10BTC we=
 can omit<br>
&gt; checking the input 0.25% of the time without allowing more monetary in=
flation<br>
&gt; than the block reward already does. Secondly, this means that after n<=
br>
&gt; transactions, the probability that proof shortening will _not_ happen =
is p^n,<br>
&gt; which reaches 1% after 1840 transactions.<br>
&gt;<br>
&gt; In a system like Bitcoin where miners are expected to validate, a tran=
saction<br>
&gt; proof could consist of just a single merkle path showing that a single=
-use seal<br>
&gt; was closed in some kind of TXO commitment - probably under 10KB of dat=
a. That<br>
&gt; gives us a history proof less than 18.4MB in size, 99% of the time, an=
d less<br>
&gt; than 9.2MB in size 90% of the time.<br>
&gt;<br>
&gt; An interesting outcome of thing kind of design is that we can institut=
ionalize<br>
&gt; inflation fraud: the entire block reward can be replaced by miners rol=
ling the<br>
&gt; dice, attempting to create valid &quot;fake&quot; transactions. Howeve=
r, such a pure<br>
&gt; implementation would put a floor on the lowest transaction fee possibl=
e, so<br>
&gt; better to allow both transaction fee and subsidy collection at the sam=
e time.<br>
&gt;<br>
&gt;<br>
&gt; # References<br>
&gt;<br>
&gt; [^paypub] <a href=3D"https://github.com/unsystem/paypub" rel=3D"norefe=
rrer" target=3D"_blank">https://github.com/unsystem/paypub</a><br>
&gt; [^timelock] <a href=3D"https://github.com/petertodd/timelock" rel=3D"n=
oreferrer" target=3D"_blank">https://github.com/petertodd/timelock</a><br>
&gt; [^zkcp] <a href=3D"https://bitcoincore.org/en/2016/02/26/zero-knowledg=
e-contingent-payments-announcement/" rel=3D"noreferrer" target=3D"_blank">h=
ttps://bitcoincore.org/en/2016/02/26/zero-knowledge-contingent-payments-ann=
ouncement/</a><br>
&gt; [^rpow] <a href=3D"https://cryptome.org/rpow.htm" rel=3D"noreferrer" t=
arget=3D"_blank">https://cryptome.org/rpow.htm</a><br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; bitcoin-dev mailing list<br>
&gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bl=
ank">bitcoin-dev@lists.linuxfoundation.org</a><br>
&gt; <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org=
/mailman/listinfo/bitcoin-dev</a><br>
&gt;<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--94eb2c055adaee59a80535b81968--