What if one bitcoin isn’t like the others? That’s what Pete Rizzo, my editor at CoinDesk, asked in his coverage of the Scaling Bitcoin event held in Milan. And it’s an important question to ask because if one bitcoin is not like the others, Bitcoin is as good as dead.

The fungibility of Bitcoin has always been discussed as one of its prime merits for good reason. As the definition says, “[fungibility] is the property of a good or a commodity whose individual units are capable of mutual substitution. That is, it is the property of essences or goods which are capable of being substituted in place of one another.”

Fungibility is a core attribute of any successful currency. The $20 that I handed the bartender yesterday has the same value as the $20 I’ll hand the guy charging me for lunch tomorrow. If it doesn’t, the $20 bill and, truthfully, all United States currency would lose its place as a safe currency.

Gold is one of the most talked about fungible commodities on the planet. If you take one kilogram of gold, melt it down, and then make a new one kilogram brick of gold, both will be worth exactly the same amount.

Yet, the fungibility of Bitcoin is at risk because, in increasing instances, one bitcoin does not equal another.

At Scaling Bitcoin, Adam Back, CEO of Blockstream, said:

“Some of the exchanges and hosted wallets are using tracing services and up to four hops deep away from you, if something is associated with Silk Road, they will freeze your account.”

He summed it up perfectly by saying: “Other people’s actions, which have got nothing to do with you and you have essentially, potentially no connection with, four hops is a very long way away.”

And while I hate to admit it, I understand why some of these exchanges and hosted wallets are using these tracing services. Companies like Coinbase and Circle are forced to deal with the regulation of the countries they work in. And since Bitcoin is a public ledger that allows you to trace every move of a coin, these companies are concerned about regulators coming after them for allowing money that was, at one point, associated with drugs to flow through their services.
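How a hop-limited tracing rule like the one Back describes can reach an unrelated user, as an added example that is not from the original essay or from any tracing service. The ledger, the transaction names and the `frozen` policy function are constructed assumptions; only the four-hop limit comes from the quote above.

```python
from collections import deque

# Constructed sample ledger: each transaction lists the transactions whose
# outputs it spends. "flagged" stands in for a coin a tracing service has tagged.
SPENDS = {
    "flagged": [],
    "salary": [],                        # clean coin with no tagged history
    "tx_a": ["flagged"],
    "tx_b": ["tx_a"],
    "tx_c": ["tx_b", "salary"],          # tagged coin merged with a clean one
    "alice_deposit": ["tx_c"],           # 4 hops from the tagged coin
    "bob_deposit": ["alice_deposit"],    # 5 hops
    "carol_deposit": ["salary"],         # no path from the tagged coin
}

def hop_distances(spends, sources):
    """Breadth-first search forward along spends: minimum hops from any source."""
    children = {}
    for tx, parents in spends.items():
        for parent in parents:
            children.setdefault(parent, []).append(tx)
    dist = {s: 0 for s in sources}
    queue = deque(sources)
    while queue:
        tx = queue.popleft()
        for child in children.get(tx, []):
            if child not in dist:        # first visit is the shortest path
                dist[child] = dist[tx] + 1
                queue.append(child)
    return dist

def frozen(spends, sources, deposit, max_hops=4):
    """Assumed policy: freeze any deposit within max_hops of a tagged coin."""
    hops = hop_distances(spends, sources).get(deposit)
    return hops is not None and hops <= max_hops

for name in ("alice_deposit", "bob_deposit", "carol_deposit"):
    print(name, frozen(SPENDS, ["flagged"], name))
```

Alice never dealt with the tagged coin's original owner, and part of her deposit traces back to the clean `salary` coin, yet the rule treats her coin differently from Carol's.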

Nevertheless, this sets a dangerous precedent for those that believe in Bitcoin’s potential. If the average user cannot trust that the bitcoin they hold is going to be spendable, they are far less likely to trust in bitcoin as a whole. If I don’t trust that the $20 is going to be universally accepted, regardless of which $20 bill it is, why would I trust the U.S. dollar?

Balancing Fungibility & Scaling

There are quite a few other altcoins that have taken fungibility and privacy very seriously. One, for example, is Monero, which uses what’s known as a ring signature. A ring signature is:

“A type of digital signature that can be performed by any member of a group of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular group of people.”

What makes ring signatures appealing is that “it should be computationally infeasible to determine which of the group members’ keys was used to produce the signature.”

In other words, if ten of us are sending a transaction, only one of our signatures is needed to actually sign that series of transactions. And because only one signature is used, it’s essentially impossible for anyone to know whose signature it is.

Unfortunately, ring signatures don’t exactly scale all that well. According to Greg Maxwell, a co-founder of Blockstream and a Core developer, “I mostly don’t think of the ring signature stuff as a high contender because of its adverse impact on scaling (it adds a perpetually growing spent coin accumulator, and makes the utxo set perpetually growing).”

In other words, as the UTXO set continues to grow, it reduces the number of transactions that can fit into a block.

Look at the above image from Bitcoin.org. In transaction 0, there is an output-0 and output-1. These are then included in TX1 and TX2. The bigger these outputs are, the bigger those transactions will appear, thus reducing the number of transactions in a block.

Therefore, it can be problematic to balance fungibility with scalability. For improved privacy, we may have to suffer with reduced transactability.

Or maybe not …

Schnorr Signatures: Improving Fungibility & Scale

A Schnorr signature is an incredibly innovative approach to managing signatures that could make it possible to achieve both scale and fungibility all at the same time.

Consider the above image about transaction propagation with all of the inputs in a new bitcoin transaction. Assume there are five total inputs. What a Schnorr signature, otherwise known as signature aggregation, does is essentially create a single signature to represent all of these signatures. Therefore, the five separate signatures become a single one.

How does this help with scale?

Well, when you go from five signatures to one, you can pack more into the block. Signatures are a big part of the size of a transaction; therefore, when you can reduce the total number, you’re in a good position.

Aaron van Wirdum, in his in-depth explanation about Schnorr, offered the following math to explain the benefits of Schnorr signatures:

“If aggregated Schnorr signatures reduce the total size of witness data, say from 1 megabyte to .5 megabyte, this .5 megabyte would then be discounted to 0.125 megabyte, leaving room for up to 0.875 megabyte in the original block.”

The benefit is simple: Segregated Witness already increased capacity, but when coupled with Schnorr signatures, the capacity becomes even greater.

But what about fungibility?

Remember, the reason that these exchanges and hosted wallets are able to ban people is how easy it is to trace the transaction. If you remove the ease of tracing, banning people becomes that much harder.

Greg Maxwell, again, has an answer for this. By utilizing CoinJoin, multiple people pool their transactions together and make a joint payment. Thus, being able to connect an input and an output becomes virtually impossible.

Combine that with Schnorr signatures and you have multiple inputs from multiple people that then only have a single signature that is available to be analyzed.

What’s nice about this particular implementation is that there is an economic incentive to adopt Schnorr signatures & CoinJoin. By combining signatures into one new signature, it would reduce the transaction fee for everyone.

Thus, it becomes cheaper to send a bitcoin transaction, fungibility is greatly improved, and more transactions are packed into every block.

Maxwell is hoping that Schnorr will be implemented into Bitcoin by next year, but there are numerous factors that could interfere with this rollout.

Voldemort to the Rescue?

I only presented one of the options that I find particularly appealing. One thing left unanswered about the Schnorr signature & CoinJoin mixture is how to create a user experience that does this automatically. I use a Ledger Nano Wallet; therefore, for me to truly gain from this, those developers would have to implement these capabilities into their software.

Fortunately, there is a lot of work being done about fungibility with a wide variety of different proposals. While many might not work, there are still others that will gain steam.

One proposal that has had a lot of discussion is called Mimblewimble. This effectively takes Schnorr signatures and combines them with a technology called Confidential Transactions.

A confidential transaction essentially makes it possible for only the sender and recipient to see how much was transferred. The problem is that confidential transactions require proofs on every output; these proofs carry weight, so this could result in block bloat.

But by aggregating these confidential transaction signatures into one new signature, we effectively get a very lean, very private transaction. Ultimately, this creates exactly what we’re looking for: great fungibility and the ability to add more transactions to the blockchain.

Here’s the problem that, perhaps, even Voldemort can’t get past. Mimblewimble requires a change to the scripting languages that Bitcoin currently uses and the only currently known way around that is a hard fork. While my opinion on hard forks is not black and white, the current landscape, especially with the failed Ethereum hard fork, doesn’t seem to support using a hard fork.

Fungibility Needs Work

If Bitcoin is to succeed and last for years to come, people need to believe that the bitcoin they receive is equal to any other bitcoin. Otherwise, they’re not likely to use it.

I am confident that a solution will be found. While I am particularly bullish on the mix of Schnorr signatures and CoinJoin, it’s not the only option. There are certainly others that will be proposed going forward.

While we’re not there yet, we will be there soon. And it will make Bitcoin even stronger.
