Found at Scaling Bitcoin in Milan. On October 8th and 9th the Bitcoin-World met in Milan to listen to presentations about scalability and discuss in workshops. We report in several articles about the event. The first piece is about a surprising issue – fungibility – and its eye-opening correlation to scalability.

Time was a scarce resource at the Scaling Bitcoin workshop. Shortly after the south-wing of the Politecnico di Milano was opened at saturday morning, everybody got his document, his free T-Shirt, took place in the auditorium, started his laptop – and the presentations began.

Thanks to kanzure’s transcripts most of the presentations can be read online. On the youtube-channel of the coordinators you can also listen to them. On this blog I write about some interesting parts and the overall feeling of this intensive Bitcoin-weekend in Milan, beginning with an eye-opening session on saturday morning.

Adam Back and Matt Corallo startet the workshop with an issue that seemed to be surprising and somehow out of place: fungibility. It’s not that it is not important – it is – but, please: why is it presented on Scaling Bitcoin? And not just with one presentation, but with a whole session of four?

We’ll learn the reason.

„Without fungibility Bitcoin becomes basically an IOU of blacklist-providers“

Fungibility means that one coin is like every other coin. Like mycels of a fungus. Since the blockchain documents every transaction, it can happen – and already happens – that coins are tagged. Someone marks them as extortionist-coins, as drug-coin, hacker-coin, bomb-constructor-coin, and you see fungibility lost. Coins are no longer the same, and you can never be sure that the coin you receive really is a „clean“ Bitcoin and has no trails of terrorism, drugs or extortions in its history.

„Everyone needs fungibility,“ Adam Back told the audience, „or nobody has it.“ Fungibility is or is not. There is no middle-space. If it is broken, the CEO of Blockstream said, than the new reality is: „No permission, no Bitcoin.“ Permissionless is, Adam Back says grinningly, „a nice feature.“

Everybody knows what he means: Permissionless is the most important and most beautiful feature bitcoin can give the world. There is nobody you have to ask to use Bitcoin. Without fungibility Bitcoin becomes nothing more than „an IOU of blacklist-providers“.

Hand in Hand

Fungibility and scalability are – and here the circles closes – in some relation with each other. Some kind of commons sense often expressed in the last month is that scaling hurts fungibility in general. To remain private a chain and its amount of users have to be small.

A „nice recognition“ of the workshop – in fact an eye-opener – was, that this is wrong. Completely wrong.

In fact „better scaling is better fungibility“, like Matt Corallo tells. The „BlueMatt“ with his blue hair did show, how well the debated solutions for the fungibility-problem do scale:

Lightning : scales perfectly, since it is a – THE – scaling solution

: scales perfectly, since it is a – THE – scaling solution Coinjoin : Mixing inputs scales well too, as several transactions are melted into one transaction

: Mixing inputs scales well too, as several transactions are melted into one transaction TumbleBit however does scale badly when used as a mixer. It doubles transactions

however does scale badly when used as a mixer. It doubles transactions Ring-Signatures , like Monero uses, scale bad too, because transactions are bigger

, like Monero uses, scale bad too, because transactions are bigger MimbleWimble, a crazy new way to compose onchain transaction proofs, does scale very well

Basically and in tendency scalability is good for fungibiliy, explains Matt Corallo. Just for the reason that it is easier to hide in a bigger amount of transactions. Depending on the instrument that is used to enhance fungibility, it and scalability can – and should – go hand in hand.

After the overview by Matt Corallo the audience enjoyed presentations about Joinmarket, TumbleBit and MimbleWimble .

A Smart Contract for better privacy

JoinMarket was presented by Adlai Chandrasekhar. He painted a gloomy picture of privacy on the blockchain. „Your government will know, how many Bitcoin you have.“ Sure, you can try to mix and wash and obscure it, „but you have to go long ways to hide your Bitcoin,“ and if you use a mixer, you risk your coins to be tainted as dirty.

One possible solution is JoinMarket. This is an implementation of CoinJoin, a concept to mix different transaction’s inputs into one transaction so that blockchain-spies can’t tell how inputs and outputs are connected. JoinMarkets builds a market for this: I offer, to mix your inputs with mine, and you give me a tiny fee for it. „Joinmarket is a Smart Contracts solution“, as Chandrasekhar puts it.

Principally JoinMarket does scale well. If two people melt inputs, transactions become smaller and cheaper. Since CoinJoin does not only improve privacy, but also lowers fees and generates income, it could be THE incentive for users to use blockchain-space more efficient.

It could. In theory. In reality JoinMarket is not as private, as most people wish. As Chandrasekhar explains, you need to get through five or ten loops of CoinJoin to achieve real privacy. „Basically we are bloating the blockchain.“

So no. JoinMarket may need scalability to work properly, but in term of Scaling Bitcoin it is more of an obstacle than something helpful. How about other solutions?

MimbleWimble, some magic new block architecture

Ethan Heilmann and Leen Al-Shenibr from the University of Boston presented TumbleBit. The difference between TumbleBit and CoinJoin is easily told:

CoinJoin means, you and I huddle together our inputs to make it harder to follow transaction history

TumbleBit however means that you give me your inputs and I take mine and build the transaction you want to send. TumbleBit works like a mixer, with the difference, that thanks to smart cryptographic moves the mixer doesn’t know whose transaction it sends.

Since I already wrote a lengthy article about TumbleBit, I don’t want to write about it a second time. Instead I just mention that TumbleBit can be used as a mixer – and thus scales badly – and as a payment-channel – which scales well.

Now let’s jump to MimbleWimble, this strange, crazy and fascinating reconstruction of how the blockchain proofs the validity of a transaction.

MimbleWimble was presented by Andrew Poelstra. Poelstra is, once again, from Blockstream. MimbleWimbe was not developed by Poelstra, but by an anonymous developer, who on august 2th left a link on bitcointalk under the pseudonym Jon Elton Jedusor that leads to a Tor-hosted Whitepaper called MimbleWimble. The crazy title is, like the pseudonym, taken from Harry Potter.

MimbleWimble promises complete anonymity and better scaling. It implements Confidential Transactions and CoinJoin, thus hiding the amount of transactions and their history, while it reconstructs the blockchain in a way this stealthy transactions don’t need more but less space. Andrew Poelstra and his collegue Bryan Bishop looked over the paper and became fascinated as they realized that the descripted cryptographie could work.

How can it work? I’m really not the one to explain. I didn’t even read the whitepaper. You should read it, if you really want to know. I just can tell what I learned at Andrew’s presentation: A full node only needs to verify a minimum of information – that transactions can’t be changed afterwards, and that the set of unspent outputs is equal to the monetary base of the blockchain. That’s all. Verifying the history of each coin, transaction by transaction, like Bitcoin full nodes do, is more like a bonus-service for spy agencies. It is not necessary for digital money to work.

MimbleWimble reduces the data a node verifies. It deploys some cryptographic magic, cuts off the scripts, replaces amounts by blind proofs, I think relying on the difference between input and output, and mixes the inputs, so you maybe have no transactions left but just inputs and outputs. But I’m not sure on this.

The result is, as Andrew tells, nearly complete anonymity and better scalability. The proof is working and MimbleWimble kills two bird with one stone. According to Andrew Poelstra it may be possible to introduce MimbleWimble as a softfork or sidechain. If this works, it might be a very promising approach.

And with this presentation the first block of Scaling Bitcoin was over. An extremely inspiring morning ended.