(Photo credit: Samson Mow)

In the few days following the Retarget edition of the Scaling Bitcoin conference in Milan, it has been interesting to consider the feedback provided by various media outlets and other pundits who followed or attended the event. Some deplored the focus on Layer-2 solutions, others noted a refined understanding of the variables that make up the full scaling picture. A certain mining pool thought they just knew better and decided to flip the script on everyone & promote a Bitcoin implementation whose consensus rules are dubious at best. Go figure.

At this juncture in the long process of trying to help the ecosystem move forward, I wanted to share my views on some interesting developments and maybe provide some contrast to some internet-driven narratives that don’t quite fit my impressions of the weekend.

TumbleBit

TumbleBit is a privacy solution proposed by a team of Boston University academics represented at the conference by Ethan Heilman & Leen AlShenibr.

Their work follows in the long line of tumbling mechanisms that have been proposed to improve the general fungibility and privacy of Bitcoin users. They generally attempt this using mixing techniques that obfuscate the transaction graph from payer to payee and therefore remove the links between them.

Standing on the shoulders of past contributions to the field, TumbleBit innovates by introducing a novel approach that sits on top of a payment hub and is partly inspired by classic Chaumian eCash. The method presented uses RSA blinding & other crypto-magic to enable true unlinkability and therefore protect the users from the tumbler itself.

This implies that TumbleBit cannot leak information about payment paths, and it also ensures fair exchange, meaning the hub is prevented from stealing or inflating funds. Moreover, the payment channel construct comes with a significant throughput improvement given the off-chain nature of the transactions.

Payment hubs have been an innovation long waiting to bloom, and I believe introducing trustless counterparties such as TumbleBit can accelerate their adoption while improving both Bitcoin’s scalability and fungibility.

Overall it is an especially promising development in the realm of privacy-enhancing technologies and I am very encouraged to see that Ethan and his team are slowly working toward a production-ready implementation.

Schnorr signatures & Signature Aggregation

The use of Schnorr signatures in Bitcoin as a replacement for ECDSA is an idea that has been floating around for some years already. For an in-depth explanation I strongly recommend Aaron van Wirdum’s article here. Pieter Wuille’s presentation provided an update on the roadmap toward a potential implementation of these signatures into Bitcoin Core.

He began by explaining that the scheme, unlike ECDSA, has not been standardized and that there therefore remains work to be done with regard to documentation that will make it possible to properly assess the security assumptions and edge cases.

The magic of Schnorr signatures is most evident in their ability to aggregate the signatures from multiple inputs into a single one that is validated once per transaction. The scaling implications of this are obvious: aggregation allows for non-trivial savings in terms of transmission, validation & storage for every peer on the network. The chart below illustrates the historical impact a switch to Schnorr signatures would have had in terms of space savings on the blockchain.

“A 20% reduction in block size” — Pieter Wuille

While these are interesting benefits, one other promising application of Schnorr signatures is the fact that they can incentivize privacy schemes that involve multiple inputs, such as CoinJoin. Individual users could share the costs associated with larger join-transactions, which would in turn encourage others to contribute to the anonymity set.

Given that the introduction of Schnorr signatures is conditional on the roll-out and activation of SegWit on the network, its implementation is still at an early stage, but its implications in terms of “on-chain” scaling and fungibility make it worthy of everyone’s attention.
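To make the aggregation property concrete, here is an added toy example (my own illustration, not code from Pieter Wuille’s proposal or Bitcoin Core). It assumes a constructed, deliberately tiny prime-order group and deterministic nonces; every input’s signer contributes a nonce share and a partial s, and the transaction ends up with one (R, s) that verifies against the product of the public keys:

```python
import hashlib

# Constructed toy group: p = 1019 is a safe prime, q = (p - 1) / 2 = 509, and g = 4
# generates the subgroup of prime order q. Far too small for real use; it only
# exposes the aggregation algebra.
P, Q, G = 1019, 509, 4

def challenge(R: int, X: int, msg: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || X || msg), reduced into the exponent group."""
    data = R.to_bytes(4, "big") + X.to_bytes(4, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pubkey(x: int) -> int:
    return pow(G, x, P)

def nonce(x: int, msg: bytes) -> int:
    """Deterministic per-signer nonce derived from the key and message, so runs repeat."""
    data = b"nonce" + x.to_bytes(4, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def aggregate_pubkey(pubkeys) -> int:
    """Product of the keys (sum of exponents). Naive summation like this is exposed to
    rogue-key attacks; deployed designs bind each key with a per-key coefficient."""
    X = 1
    for Xi in pubkeys:
        X = X * Xi % P
    return X

def aggregate_sign(secret_keys, msg: bytes):
    """One signature for a whole transaction: every input's signer contributes
    R_i = g^k_i, and once the combined R is known, s_i = k_i + e*x_i. The sums
    (R, s) verify against the aggregated key alone."""
    ks = [nonce(x, msg) for x in secret_keys]
    R = 1
    for k in ks:
        R = R * pow(G, k, P) % P
    X = aggregate_pubkey(pubkey(x) for x in secret_keys)
    e = challenge(R, X, msg)
    s = sum(k + e * x for k, x in zip(ks, secret_keys)) % Q
    return R, s

def verify(X: int, msg: bytes, sig) -> bool:
    """A single check, g^s == R * X^e, no matter how many inputs X aggregates."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P
```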

OpenTimestamps

OpenTimestamps is an open-source proof-of-existence service proposed by Bitcoin Core developer Peter Todd and presented at the conference by Eternitywall.it developer Riccardo Casatta. Most of you might be familiar with typical notarization services that leverage the OP_RETURN field. Of course, the issue with these is that they do not necessarily scale very well: at one transaction for every timestamp or certificate, it becomes obvious very quickly that the room for notarization services using that method is severely limited.

In essence, OpenTimestamps uses Merkle trees to aggregate certificates of existence and then periodically commits them to the blockchain. Using Bitcoin as a trusted notary and public aggregating servers for redundancy and reliability, it can achieve scalable, efficient and cheap commitment of documents & records.
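The aggregation idea in miniature, as an added example written for this post (not OpenTimestamps’ own code or proof format): a constructed batch of documents is hashed into a Merkle tree, the single root is what would be committed on-chain, and each submitter keeps only the sibling path needed to verify their own document against that root.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_levels(leaves):
    """Bottom-up Merkle levels. An unpaired node is promoted unchanged rather than
    duplicated, so appending a copy of the last leaf changes the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [sha256(cur[i] + cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def merkle_proof(levels, index):
    """Sibling hashes from one leaf up to the root, each tagged with the side it
    sits on. This is the per-document receipt; only the root goes on-chain."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify_proof(leaf, proof, root) -> bool:
    """Recompute the path; True only if the leaf was in the committed batch."""
    h = leaf
    for side, sib in proof:
        h = sha256(sib + h) if side == "L" else sha256(h + sib)
    return h == root

def timestamp_batch(documents):
    """Aggregate a whole batch into one root (a single OP_RETURN commit) plus a
    receipt per document. Broadcasting the commit transaction is out of scope."""
    leaves = [sha256(d) for d in documents]
    levels = build_levels(leaves)
    root = levels[-1][0]
    return root, [(leaf, merkle_proof(levels, i)) for i, leaf in enumerate(leaves)]

if __name__ == "__main__":
    # Constructed sample batch: five documents submitted to one aggregation server.
    docs = [f"document-{i}".encode() for i in range(5)]
    root, receipts = timestamp_batch(docs)
    print(root.hex(), all(verify_proof(l, p, root) for l, p in receipts))
```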

While the aggregation process works most efficiently with centralization, it’s still essentially trustless: the worst an aggregation server can do is go offline, an inconvenience. — Peter Todd

(Chart credit: Riccardo Casatta)

As Riccardo points out in his presentation, OpenTimestamps and other proposed notarization formats, such as Chainpoint, are representative of an underlying theme I observed during the event: through standardization of best-known practices we can achieve significant scalability using the room already available to us.