2023 Feb 20
Dang, I forgot February is only 28 days, March is so soon!
Realized soft fork activations temporarily risk network splits and double spends. When there is a fairly even split between those rejecting blocks based on the new rules and those who haven’t soft forked, competing chains will last longer and people will be more easily subjected to double spends. When the vast majority of the network is switched over, then even if old nodes are accepting no-longer-valid blocks, they will still find the right chain, as the majority of the hashpower will be growing a single chain.
- The users ultimately decide what is valid bitcoin, but miners are needed to grow the work of a single chain, which is particularly important during a soft fork activation.
Taproot is cool! It introduced a standard for schnorr signatures on secp256k1 which has several benefits over ECDSA and also unlocks new abilities! It allows for outputs to commit to script hashes with multiple branching paths, but spend from any path by only providing the necessary data for that path, obfuscating not only whether an output was to a script at all, but also the construction obfuscates whether a payment is to a multisig or a single public key.
The construction is as follows (as summarized on the mailing list proposal): C = A + B where C is the aggregated public key of public keys A and B, P = R + H(C || S)G where G is a base point, R is a random point (rG), S is the script, and P is the point that is paid to, appended to a version signaling Taproot.
Two parties can sign (apparently all you have to do is add H(C || S) to one secret key to be able to sign for P = A + B + H(C || S)G??), or one person can sign for their path as long as S is provided and the conditions of S are met.
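To check the key-path question above, here is an added example (mine, not from the mailing list or any Bitcoin library) that works through the note’s simplified construction C = A + B, P = C + H(C || S)G with toy secrets on secp256k1. It uses plain SHA-256 for H and constructed values for the secrets and script; BIP 341 uses a tagged hash and a Merkle root instead, so this is the idea, not the consensus encoding.

```python
import hashlib

# secp256k1: y^2 = x^3 + 7 over F_p, generator G of prime order N
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # P + (-P) = infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result = None
    while k:
        if k & 1: result = ec_add(result, pt)
        pt = ec_add(pt, pt); k >>= 1
    return result

def ser(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def tweak(C, script):
    """t = H(C || S) mod N, the scalar in P = C + H(C||S)G (plain SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(ser(C) + script).digest(), "big") % N

def taproot_output(C, script):
    return ec_add(C, ec_mul(tweak(C, script), G))

def main():
    a, b = 12345, 67890                  # constructed toy secrets, not real keys
    script = b"<constructed script S>"
    A, B = ec_mul(a, G), ec_mul(b, G)
    C = ec_add(A, B)                     # aggregated key C = A + B
    P = taproot_output(C, script)        # output key P = C + H(C||S)G
    # key path: the secret (a + b + t) mod N alone controls P, no script shown
    key_path_ok = ec_mul((a + b + tweak(C, script)) % N, G) == P
    # script path: reveal C and S; a verifier recomputes P and compares
    script_path_ok = taproot_output(C, script) == P
    wrong_script_ok = taproot_output(C, b"other script") == P
    return key_path_ok, script_path_ok, wrong_script_ok
```

Revealing C and S does not expose the key-path secret, and an unrelated script fails the recomputation, which is why an unspent P looks like any single public key.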
Learned segwit v0 only had people sign for spending an input, but segwit v1 enforced signing an input plus the outputs.
The full taproot upgrade is split amongst three BIPs, 340, 341 (segwit v1), and 342.
There are many things in the future that will come from taproot. Cross input signature aggregation could aggregate many signatures into one, making coinjoin spending cheaper than a normal transaction. More advanced signing protocols - musig for multi-signatures (n-of-n), and frost for threshold signatures (t-of-n). Batch validation (validate many signatures at once, doesn’t matter which signature is invalid, just want to know if all are valid or not, perfect for Bitcoin).
Definitely a lot more to be said but these are my notes for now.
It’s interesting, I remember when I was still fairly new to Bitcoin I heard Taproot “introduced smart contracts to Bitcoin.” Hilarious.
All of the discrete log schemes based on finite cyclic groups of the set of integers modulo a large prime p I learned in CS 407 require p to be 2048 bits! In practice, a group of points over an elliptic curve with a 256-bit set size q provides similar security as AES-128. I still have to learn more, but apparently certain properties of elliptic curves allow all the same discrete log constructions to work on these groups, and elliptic curve groups are what are used in practice on the internet today! After learning about all these constructions in CS 407 I was curious as to why Bitcoin used elliptic curve cryptography, but this all makes sense now! (Beginning of chapter 15 in the Boneh-Shoup textbook)
I think for a while now I’ve struggled with not knowing enough about the future of Bitcoin to be certain in my decision to work on it (or really, pursue a career in it). And a lot of my effort has been spent on trying to learn more in the hopes of gaining insight to be more confident in my decision. But I realize, you don’t have to know absolutely everything about something to want to work on it. I of course don’t know everything. I sometimes realize I haven’t realized very important aspects of Bitcoin. But that doesn’t mean I shouldn’t work on it. I find it really interesting, and it’s solving real problems. That’s compelling enough for me to want to work on it.
Possibly even more importantly, I think no one should feel that it’s required to personally believe in the success of Bitcoin to work on it. I think it makes sense to work on it if you’re interested in helping it move forward. If anything, I want to get away from growing a stronger personal belief in Bitcoin, and just be along for the ride, searching for truth along the way.
Meanwhile, it’s important to still form beliefs and it’s great to come to informed beliefs. I really think a fixed supply of money makes a lot of sense. I also think it makes a lot of sense that no single authority should be able to print money at will. I think it’s important for the ability to use bitcoin non-custodially to be accessible for as many people as possible. For many of these things, I don’t think we must do Bitcoin (there are probably mixed solutions that could make progress in many of the directions Bitcoin tackles), but Bitcoin does a lot of these things very well.
I think Bitcoin is really interesting. I don’t think it will solve everything, but the things it does solve it seems to do quite well. I will continue to update my beliefs on surrounding topics. I want to be along for the ride. That’s why I want to work on Bitcoin.
I’m continuing to think about energy and Bitcoin. The more available it becomes to mine Bitcoin with excess energy produced, the more market forces will push towards the price of energy being essentially pegged to Bitcoin. My thinking: say you are an energy production company and it’s very easy to start using excess energy to mine Bitcoin. You might sell energy at some rate, but with the opportunity to mine Bitcoin, it raises that price to be at least the opportunity cost of not mining.
At the same time, nuclear fusion might make energy super abundant anyway, so that would make energy super cheap anyway. I guess this would still bid up the required energy needed to mine profitably, if everyone is able to amass tons of energy.
Also separately interesting, Bitcoin mining also pushes towards more effective energy production, because energy producers compete with each other to produce more energy to mine.
secp256k1 is $y^2 = x^3 + 7$. Never knew the actual equation. Can even simply visualize it on desmos.
Read on stake and consensus. My biggest takeaway from the train of thought this provoked: in Proof of Work, as long as you are able to access some relatively random selection of nodes, you have really high assurances that you will be able to find the source of truth, and it is really difficult to produce a competing source of truth. In Proof of Stake, it isn’t costly to produce another source of truth, so there may be many competing histories. When coming online, to find the right one, you have to rely on some sort of trusted group to decide what the right chain is.
Proof of stake can probably “work” but as Poelstra says, it’s a different trust model. I’m honestly not certain on how this difference in trust model would play out over the long term and in the face of more adversaries. Nowadays, I feel like proof of work has so many benefits of being pegged with energy, and it’s tighter in terms of decentralization.
And in general it just feels like how can you have distributed consensus on an ordering, without the notion of time?
Links on node discovery that are relevant here: bitcoin wiki, saylor academy
ChaCha20 is Rust’s default Rng?? Cipher and RNG?