Preethi Kasireddy has covered this ground before. We should first learn from her wisdom before we set out again:

I’ve come to realize that the term “trustless” is ambiguous, confusing, and most importantly, inaccurate. (Blockchains) distribute trust (by using economics to) incentivize actors to cooperate with the rules defined by the protocol.

This post will demonstrate that decentralized apps also use incentives and rules to produce cooperation such that everyone is benefited. Trusting the rules doesn’t mean we blindly trust the individual actors.

The next time someone asks me, “Is your app trustless?”

I will likely be tempted to ask them, “can you please be more specific?” Unfortunately I’m not presented with this question but more commonly the accusation, “why isn’t your app trustless?” To which I’m tempted to respond, “why isn’t your question accurate?” I’m not trying to be rude but you don’t walk into a factory and tell the owner, “gee this is a really nice factory you have here, why isn’t it workerless?”

Myths such as the workerless factory, the paperless office or the cashless society have been with us for more than a decade and we’ve yet to see them manifest themselves in any absolute way at scale. We have factories with greater automation, offices with greener policies and societies that rely more on digital transactions. We do not yet have absolute demonstrations of the ideal. This is because implementation exists to varying degrees and rarely in absolute terms. A term is poorly defined if it means different things to different people and trustless is one of these words. A perfectly trustless app does not exist. Every decentralized app is on a spectrum of trust where complete trustlessness for all threat models is an ideal. No one has yet achieved it; anyone who would tell you otherwise is lying to you.

I’ve had a few contacts since my prior blog post make this type of suggestion. At first my reaction was that some non-technical people may not understand this concept. But someone who I believed was technical asked me the following question,

Colleague, “Do you have any intention of creating a trustless version of the app?”

To which I responded, “Where a sci-fi AI approves policyholders and awards claims or something like that? You’re kidding, right?”

He clarified by saying, “No. What I meant was, have you ever considered removing your reliance on the secretary?”

I took a deep breath and I considered that there are a few potential reasons why he asked me that question:

I didn’t do a good job of explaining TandaPay’s checks and balances in the blog post.

He didn’t bother to read what I wrote very carefully.

This concept is too new for someone to create an accurate mental model of how it operates after a single read through.

When people try to oversimplify something the nuance is lost.

After our conversation I realized that this same dialogue had come up several times with other individuals. “Trustless” has apparently become a common buzzword. As soon as someone sees some feature they think is “centralized” they may be quick to assume that trust is required by the participants. This would be similar to a foreigner making the assumption that, because the President’s signature is required in the US for any bill to become a law, the President is the de facto dictator of America. Many Americans would balk at such an erroneous oversimplification. Yet, these are the same people who have been quick to come to the conclusion that if any app utilizes a central coordinator it must not be “trustless.”

Oversimplification = Bad

The Where’s Waldo approach to solving Pythagoras theorem :)

Incentive architecture can be complex. If we are serious about making an honest attempt at understanding the role a central coordinator might play, we should take into consideration some guiding principles. The goal of this blog post is to help my reader realize:

1. Asking if an app is trustless is like asking for the marriage status of the color blue. It makes absolutely no sense without some specific context. The right context is, “who is holding my money?”

2. Relying on humans to hold other people’s money is bad. Good architecture should remove this unnecessary liability.

3. Use of a central coordinator does not necessarily require that parties trust anyone. If the coordinator is never in custody of participants’ funds see #2.

This post will not mention the secretary or the role of the secretary. I’ve written over 10,000 words on this and repeating myself isn’t going to help anyone. Instead I’m going to approach the problem from a completely different direction.

Forget that there is a central coordinator called the secretary, instead “follow the money.” Do you see a third party custodian of other people’s money in the architecture? If so, there might be good reason to believe that participants are required to trust this custodian. If you don’t see one then policyholders should be in direct custody of their funds. Whose authorization is required to transfer a policyholder’s premium to the claimants? Is it the secretary’s or the individual policyholders’? If authorization of payments allows for direct transfer of funds, then this makes a strong case that the system has no third party custodians.

If you’ve never tried to imagine how a payment system might work without relying on banks then this might be completely new. In which case I will try and keep my explanation simple even though the illustrations are complex. Don’t try to understand the illustrations if they don’t immediately seem familiar to you. Rather, I hope you can “trust” that my explanation of the illustrations is an accurate simplification that doesn’t misrepresent how these systems actually work. If you can trust my explanation then I think we can both reach the same conclusion together.

What really requires trust: the banking network

Part 1 — Understanding the chain of custody for fiat

The only takeaway from the above picture is that contractual agreements allow third parties to hold our funds. Besides an insurance policy which is a contract that sets out specific guarantees in return for the payment of a premium, there are contracts that allow money to move:

From you to your bank

From your bank to any other bank

Other than the cash we may have in our wallet, we almost never hold funds directly. People in modern societies have decided to entrust nearly all of their wealth with third parties. What allows us to entrust our funds with third parties is a guarantee that we will get these funds back. This guarantee is known as a contract. This contract is enforced by our legal system. The rulings of our courts are enforced by the DOJ and various local police departments entrusted with the practical enforcement of the law.

In sum total we refer to this system as the rule of law. In countries where the rule of law is weak you cannot easily trust third party custodians. This is because without a system to enforce contractual agreements there is no guarantee that your property will be returned to you. Corrupt courts or law enforcement weaken the rule of law and the ability for individuals to reliably own property.

Funny story, man walks into a bank with a junk check and attempts to cash it. Bank gives man $95,093.35 💲cha-ching💲. Man then converts this to a cashier’s check before the bank realizes their mistake. This was an error on the part of the bank, but it caused many to wonder if the money was actually his.

The check that resulted in Patrick Combs writing Man 1 Bank 0

It’s stories like these that make you wonder how easy it is to commit actual check fraud just by having someone else’s valid account and routing numbers on the bottom of a false check. The reality is that 15 years ago the knowledge of anyone's account and routing number was all you needed in many cases to commit real check fraud. Since there was (almost) no technology protecting people from fraud this created the need for banks to carry insurance against fraudulent payments. More contracts in other words. Banks also needed to be tightly integrated into the legal system to pursue lawful enforcement of these contracts and to track down and capture offenders.

Banking networks which have enabled every form of non-cash payment until 2010 depend entirely on human institutions. These human institutions enforce contracts and these contracts provide guarantees. But this type of payment system is incredibly expensive to protect because historically it has been so vulnerable to fraud. Regulations are put in place for all financial operators who use the banking network regardless of who they are. Regulatory compliance is also very expensive. If we can simply avoid using traditional payment networks then we can circumvent billions of dollars of regulatory overhead.

What we will see in the next section is that it is the power of an unforgeable signature which eliminates fraud from our cryptocurrency payment networks. So rather than relying on man-made contracts enforced by human institutions, there is another option. We can opt for digital contracts enforced by cryptography. This technological route offers the following benefits:

Cheaper to enforce

Safer for participants

Faster resolution of problems

Part 2 — Understanding the chain of custody for digital property

As I said previously:

Individual lock box architecture allows for custody to remain in the possession of the policyholder.

These next two graphics are a bit complicated (chain of custody for digital property). The point is not to understand the graphics. The point is to use the graphics to see the big picture. The big picture you should take away from all four graphics is:

With the banking network we have man-made contracts enforced by human institutions.

With the blockchain network we have digital contracts using digital signatures and global records enforced by technology.

If that is all you want to understand you can just skip over these two complicated graphics right now. Also I highly recommend you read Preethi Kasireddy’s article as her graphics are simpler and more concise in their explanation of blockchain. The complicated part is trying to understand two aspects of how custody for digital property works:

Understanding the implications of blockchain payment technology.

What relevant meaning does the technology have for how we transact?

Understanding the mechanism of blockchain payment technology.

How does the technology actually work?

To understand the implications of blockchain technology for how TandaPay functions we need to ask these questions:

What is a digital signature?

Why is a digital signature important?

How does it remove the need for human institutions to enforce man-made contracts?

To understand the mechanism of how blockchain technology enables the payments that TandaPay uses we should ask these questions:

Where does the ability to produce a digital signature come from?

Where are the private keys stored? Can they be stolen?

How do I know I can trust the blockchain to record my transactions?

Once you have an answer to these six questions you will be able to determine for yourself if policyholders have direct custody of their funds. If you carefully study these two graphics and the graphic in my last blog post: TandaPay Escrow Layer, then you can conclude for yourself that there are no third-party custodians.

Policyholders are in direct control of their funds until they authorize payment to an approved claimant. That’s all we ever cared to discover by looking at these infographics and if you can see that then my job is done!
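An added sketch, not TandaPay’s code, of what direct custody means mechanically: a lock box releases funds only on a payment order signed by the policyholder’s key, so a coordinator who holds a different key cannot move the money. Lamport one-time signatures built from SHA-256 stand in here for the elliptic-curve signatures real blockchains use; `LockBox`, `release` and the party names are hypothetical.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def digest_bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit; a key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    pairs = zip(sig, digest_bits(msg))
    return len(sig) == 256 and all(h(s) == pk[i][b] for i, (s, b) in enumerate(pairs))

class LockBox:
    """Hypothetical escrow holding one policyholder's premium."""
    def __init__(self, holder_pk, balance: int):
        self.holder_pk, self.balance, self.spent = holder_pk, balance, False

    def release(self, claimant: str, amount: int, sig) -> bool:
        order = f"pay {amount} to {claimant}".encode()
        if self.spent or amount > self.balance or not verify(self.holder_pk, order, sig):
            return False  # not authorized by the policyholder's key
        self.balance -= amount
        self.spent = True  # one-time key: refuse any replay of the order
        return True

def demo():
    holder_sk, holder_pk = keygen()   # constructed policyholder key pair
    secretary_sk, _ = keygen()        # constructed coordinator key pair
    box = LockBox(holder_pk, 100)
    order = b"pay 40 to claimant-A"
    holder_sig = sign(holder_sk, order)
    return {
        "secretary_signed": box.release("claimant-A", 40, sign(secretary_sk, order)),
        "redirected": box.release("claimant-B", 40, holder_sig),
        "holder_signed": box.release("claimant-A", 40, holder_sig),
        "replayed": box.release("claimant-A", 40, holder_sig),
        "balance": box.balance,
    }
```

Only the order signed by the policyholder for the named claimant and amount moves funds; the coordinator’s signature, a redirected payee and a replay are all refused.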

This post is already quite long. Cryptographic signature systems and blockchain technologies are far too complex to be embodied in a single authoritative post. Just by googling you can find more expert and well written articles than this one. I will come back to update this post with additional information if I feel it is relevant. For now, simply knowing the right questions to ask is half of the struggle when it comes to understanding the technology.