
RE: Scaling, Decentralization, Security of Distributed Ledgers

in #cryptocurrency · 5 years ago (edited)

This augments my blog’s analysis of transaction volume compression and/or sharding proposals (QuarkChain, OmniLedger and Elastico were analysed in the blog).

Chainspace

Facebook has hired 4 of the researchers who published the Chainspace sharding research (and acquired their Chainspace company).

Chainspace employs Byzantine agreement where the Sybil attack isn’t prevented by proof-of-stake (PoS) driven voting but instead each contract creator has to be trusted to select enough honest nodes for the shards it will run on. Thus it’s not a secure chain and is subject to repudiation. This is extremely vulnerable to the nothing-at-stake attack, because there’s no single-point-of-truth objectivity. The consensus aspect of this published research is trash. It also exemplifies that Facebook isn’t likely close to doing anything useful with permissionless, decentralized ledgers. Maybe Facebook wants it for a permissioned distributed ledger system instead. The paper’s smart contract conceptualization appears to be decent, so perhaps that’s the focus of the acquisition. The §IX. Comparisons With Related Work section of the paper is interesting because it discusses OmniLedger, Elastico and other sharding proposals.

P.S. Elastico’s research paper is entitled A Secure Sharding Protocol For Open Blockchains just in case anyone is searching for that title on this blog page.

MimbleWimble (implemented in Grin and Beam)

Grin is a new proof-of-work (PoW) altcoin that implements MimbleWimble (MW) and John Tromp’s ASIC-resistant Cuckoo cycle PoW. My initial cursory analysis of MW was circa 2016–2017 (as I began the toxic 6 months of tuberculosis antibiotics).

MW achieves blockchain pruning and anonymity of the multisig signers somewhat analogous to Schnorr signatures. The advantage over Schnorr is that it doesn’t require coordination of the signers— a new signer of a transaction can hide the past signers without coordinating with them. This enables the blockchain pruning of securely discarding lineal inputs and outputs. This actually also reduces the validation cost of the blockchain, since this consolidation can be done by the miner before committing the consolidated transaction(s) to a block.

Tangential Note: One might posit MW to be unbounded off-chain scaling by presuming any party can consolidate an unbounded number of zero-transaction-fee off-chain transactions’ lineage into a single transaction submitted on-chain to a block. But MW only achieves massive pruning and not compression for on-chain transactions. Only the on-chain consolidated transaction is charged a fee. But the posited unbounded off-chain transaction volume scaling is useless because it can’t prevent ephemeral off-chain double-spending. Fortunately MW doesn’t have unbounded on-chain transaction scaling, because that would otherwise destroy the transaction fee market and destroy the security of mining as the minted block reward is reduced by the declining minted reward value emission schedule. MW is a pruning technology, but not a transaction scaling technology.

Disadvantages of MW:

  • Unlike Monero’s stealth addresses which the payer can sign autonomously even if the receiver is offline, MW transactions require interaction between the payer and payee because there are no public addresses.

  • Privacy/anonymity is dependent on P2P relay mixnets (analogous to Tor or I2P), which are inherently known to suffer many varieties of deanonymizing attacks (c.f. also) and generally are admitted to be honeypots. Inventing/creating another relay mixnet won’t solve their insoluble, inherent vulnerabilities. Even the MW paper admits this problem:

    though it is unclear how to design a safe peer-to-peer network capable of exploiting this ability

    Note Monero has this same attack vulnerability. I posit it’s possible to entirely remove this anonymity vulnerability with a Zcash-like design.

  • Privacy/anonymity and security are in tension with the declining tail reward (as a % of money supply) with analogous vulnerabilities that I outlined for Monero. In a dubious attempt to address this 50+% attack aspect, MW/Grin makes the minted mining reward constant— effectively a declining reward as the money supply inexorably grows. The money supply grows more slowly over time, so the decline decelerates into a small tail reward and thus a dubious level of security (such as against rented hashrate attacks and the Cuckoo cycle may be vulnerable to botnets while it’s ASIC resistant). Note this posited insecurity is a problem perhaps a decade or two from launch when the constant minted reward has become a small tail reward value.

  • Although the CoinJoin mixing for the privacy/anonymity is made non-interactive, the mix set isn’t under offline autonomous control of the transaction signer, unlike Monero’s ring signatures which are offline autonomous.

  • No Turing-complete smart contracts possible, but there’s a way to achieve HTLCs. EDIT: modified because Andrew Poelstra refuted in his later work, his earlier statement from the video I cited.

  • Doesn’t have low-latency confirmation.

  • Pruning isn’t transaction volume scaling nor does Grin/MW have improved transaction confirmation latency. Monero’s adaptive block size algorithm doesn’t require a hardfork to in theory confirm up to 100X more transactions-per-second (TPS) than Grin, yet isn’t transaction scaling either.

Advantages:

  • Massive pruning means that it will require much less time to download and validate the entire blockchain history since its inception. Some people who are fanatical about unnecessary redundant security do not want to trust any set of full nodes (aka a web-of-trust) and thus want to be able to always validate the entire blockchain themselves.

Tangentially I posit that I know how to achieve transaction scaling and the massive pruning for self-validating the entire chain in PoS. Objective discernment of the longest chain isn’t ever possible in any PoS system other than via a “statistically objective” web-of-trust. Even a SPV client in PoW can objectively self-validate the longest-chain without any reliance on trust, unless of course the SPV client is isolated from the global network indefinitely (unlike in PoS when even ephemeral isolation from the real-time global network replaces objectivity about the longest chain with reliance on trust). So MW has a unique feature for that one facet of less bloat for self-validating the longest chain, but I find this to be of low value relative to scaling and low-latency transactions for a transactional system. I will correct @dinofelis’s erroneous statement:

If you are willing to download the latest Core software […] If these entities or similar entities tell you that a recent consensus was X, you’ve not been losing your trustlessness, you didn’t have it from the start.

PoW’s relevant advantage is that the longest chain can be objectively triangulated without any trust.

For the reserve asset HODL system, I doubt $millionaires will prefer to trust their net worth in MW because it doesn’t hash the public keys for protection against quantum computing as Bitcoin does (c.f. also my follow-up rebuttal to @dinofelis¹). They can afford to download and validate the entire Bitcoin blockchain even with its relative bloat compared to MW. The power-law distribution of wealth dictates that those who can’t afford to do so, do not matter to Bitcoin (and they’ll get kicked off-chain by high transaction fees eventually). Bitcoin likely already has insurmountable network effects in terms of being the de facto unit-of-account reserve asset. Anonymity is in tension with the declining block reward and the posited fact that PoW becomes entirely centralized at the end game. Some claim that stronger anonymity features will be a disadvantage in terms of regulatory acceptance in some nation-states— a risk the wealthy would avoid.

So it appears that MW is stuck in the middle of being not the best at any of the major market categories:

  • secure store-of-value
  • anonymity/privacy
  • scaling

MW is clearly the leader only for those who want both massively pruned (i.e. validation scaling)+privacy. Although Monero’s anonymity may be superior (and anonymity doesn’t exist for Monero nor Grin if they’re surreptitiously 51% controlled by an oligarchy for the reasons I explained for Monero as linked above where the miners pay the transaction fees to themselves and spam all the mixnets…only the Zcash-like technology has reliably anonymous, intractably large mix nets), perhaps MW provides a weak form of privacy enhancement. Yet that remains to be proven (and I’m very skeptical for reasons I already enumerated). And I speculate (with some confidence since I’m working on it) that eventually MW will only be the leader for the narrow combination of objective discernment of longest chain combined with inferior privacy.

Although Grin doesn’t have Bitcoin’s token supply hardcap (21 million), the debasement rate will decrease asymptotically as a percentage of the token supply over time— which is effectively similar to a hardcap and also the inexorable minted reward offers some protection against the researched incentives incompatibility of PoW.


¹ Let’s continue the refutations of @dinofelis. He wrote recently:

It is obvious that the spam limit is a joke. In fact, it makes spam worse. The excuse was that if a fool mined a single block of 10 GB full of nonsense, the blockchain would be spammed to an incredible size in no time. That was clearly wrong, because in order for that block to be incorporated into the chain, other miners would have to agree with it. There's no reason why honest miners would mine on top of a crazy block. In other words, implicitly, there would be a gross maximum size set by miners and that would grow dynamically […] By putting a hard limit on block size, you actually increase drastically the effect of spam, as we saw. Once the block is full of spam, transactions are hindered. This is an efficient DDOS of bitcoin. If the blocks are elastic, you can spam a lot, that will increase the size to some point, but transactions can go through unhampered, and you'd have to spam like crazy in order to have an efficient DDOS. Hard limits make DDOSsing of bitcoin in fact much easier.

Discord (even if just at the minute margins) of the maximum block size accepted at any given time would AFAICT break the immutability Nash Equilibrium that gives Bitcoin its reliable store-of-value, because it opens the interpretation of the protocol to disagreement that doesn’t have a Schelling point. Orphan rate would increase due to ambiguity and miners would not be able to triangulate from the competing forks of different de facto protocols which block size limit is the de facto economic majority. There would likely be destructive orphaning wars (not so unlike the Scalepocalypse forkathon ongoing) between mining oligarchies trying to leverage this ambiguity via the anonymity of mining to wreck each other. In short, the security model of Bitcoin would be trashed. Please don’t be overconfident in your pronouncements w.r.t. the design of a complex economically driven, game theoretic system.

Perhaps @dinofelis is starting to realize why I posited that Bitcoin was created for the end game to usher in a de facto world currency that would incentivize the creation of a world government legal framework and potentially eventually evolve into the 666 control system:

But let us now think of something else. Let us now think of bitcoin being legally accepted everywhere, and is legally framed, and recognized as a form of legal tender. Let us also suppose that you get legal permits to be a bitcoin miner. Given the huge amounts of energy that go into bitcoin mining, it is not a “do it in your basement” kind of activity, and you cannot do that underground. We're talking about industrial installations, and these can very well be legally framed. You might even get preferential electricity prices on the condition that you are registered. Nothing tells you that this legal frame may include a clause that puts you in a legal difficulty if ever your mining contributes to forbidden transactions. As such, as a miner, you better connect to a mining pool that respects those engagements. You can set up a contract, and the mining pool engages in only using your hash rate if it doesn't approve transactions given by an international committee (say, linked to Interpol or the likes). Your mining pool is now legally bound to not include such transactions, and not mine on top of blocks that do include such a transaction. But if you respect that, you're not only legally OK, you even have advantages like cheap power. You pay taxes on your benefits, and you can enjoy your rich life of a miner in all legality. If there is enough international collaboration over this, a majority of hash rate can fall in the hands of such legalized mining pools. If they reject a transaction, they have a good legal reason to do so. If the 4 or 5 most important mining pools are legalized that way, they will also be very attractive for industrial miners (they have contractually to do so).
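The MimbleWimble section above leans on two properties: commitments that sum to zero so a miner can cut through (prune) an intermediate output before a block is committed, and the observation in the Tangential Note that such off-chain aggregation cannot by itself stop a double-spend. The following is an added illustration of that algebra, not code from the original post nor from Grin or Beam. It replaces the elliptic curve used by real MW implementations with a multiplicative group modulo the prime 2**61-1 (exponents reduced mod 2**61-2) so it runs on the standard library alone; the group, bases, values and blinding factors are all constructed for the demo and offer no real security.

```python
"""Toy MimbleWimble-style Pedersen commitments, kernels and cut-through.

Added example, not the post's or Grin's code. Group and bases are toy
choices (assumption): a multiplicative group mod a prime instead of a curve.
"""
import hashlib
import secrets

P = 2**61 - 1            # toy modulus (a known prime); exponents live mod P-1
ORDER = P - 1
G = 2                    # base carrying the coin value (toy choice)
# second base for the blinding factor, derived by hashing so log_G(H) is unknown
H = int.from_bytes(hashlib.sha256(b"toy-MW-second-base").digest(), "big") % P


def commit(value, blind):
    """Pedersen commitment C = G^value * H^blind; products add the exponents."""
    return pow(G, value, P) * pow(H, blind, P) % P


def _challenge(*parts):
    data = b"".join(x.to_bytes(16, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER


def build_tx(inputs, outputs, fee):
    """inputs/outputs are lists of (value, blind). The single kernel commits to
    the blinding 'excess' and carries a Schnorr signature over base H, which
    proves the excess has no G (value) component, i.e. the tx creates no coins."""
    if sum(v for v, _ in inputs) != sum(v for v, _ in outputs) + fee:
        raise ValueError("values do not balance")
    r_excess = (sum(b for _, b in outputs) - sum(b for _, b in inputs)) % ORDER
    excess = pow(H, r_excess, P)
    k = secrets.randbelow(ORDER - 1) + 1          # signature nonce
    R = pow(H, k, P)
    e = _challenge(R, excess, fee)
    s = (k + e * r_excess) % ORDER
    return {
        "inputs": [commit(v, b) for v, b in inputs],
        "outputs": [commit(v, b) for v, b in outputs],
        "kernels": [(excess, fee, R, s)],
    }


def verify_tx(tx):
    """Check every kernel signature and that prod(outputs) * G^fees == prod(inputs) * prod(excess)."""
    lhs = pow(G, sum(k[1] for k in tx["kernels"]), P)
    for c in tx["outputs"]:
        lhs = lhs * c % P
    rhs = 1
    for c in tx["inputs"]:
        rhs = rhs * c % P
    for excess, fee, R, s in tx["kernels"]:
        if pow(H, s, P) != R * pow(excess, _challenge(R, excess, fee), P) % P:
            return False
        rhs = rhs * excess % P
    return lhs == rhs


def cut_through(tx_a, tx_b):
    """Merge two transactions. An output of tx_a that tx_b spends vanishes from
    both sides (the pruning MW relies on); all kernels are kept."""
    internal = set(tx_a["outputs"]) & set(tx_b["inputs"])
    return {
        "inputs": tx_a["inputs"] + [c for c in tx_b["inputs"] if c not in internal],
        "outputs": [c for c in tx_a["outputs"] if c not in internal] + tx_b["outputs"],
        "kernels": tx_a["kernels"] + tx_b["kernels"],
    }


def apply_to_utxo(utxo, tx):
    """The chain's view: every input must be an unspent, distinct output.
    This set check, not the commitment algebra, is what catches a double spend."""
    ins = tx["inputs"]
    if not verify_tx(tx) or len(set(ins)) != len(ins) or not set(ins) <= utxo:
        return False
    utxo.difference_update(ins)
    utxo.update(tx["outputs"])
    return True


def demo():
    # constructed values; blinds are fixed only so the run is reproducible
    coinbase = (100, 11)
    utxo = {commit(*coinbase)}
    alice_out, change = (60, 22), (39, 33)               # fee 1
    tx_a = build_tx([coinbase], [alice_out, change], fee=1)
    tx_b = build_tx([alice_out], [(59, 44)], fee=1)      # spends tx_a's output
    tx_c = build_tx([alice_out], [(59, 55)], fee=1)      # conflicting double spend
    merged = cut_through(tx_a, tx_b)                     # alice_out pruned away
    double = cut_through(merged, tx_c)
    return {
        "a_valid": verify_tx(tx_a),
        "merged_valid": verify_tx(merged),
        "merged_outputs": len(merged["outputs"]),        # 2: change + Bob's output
        "double_balances": verify_tx(double),            # algebra still balances
        "merged_applies": apply_to_utxo(set(utxo), merged),
        "double_applies": apply_to_utxo(set(utxo), double),  # rejected by UTXO set
    }


if __name__ == "__main__":
    print(demo())
```

The point worth noticing in `demo()` is that the aggregate containing the conflicting spend still balances and its kernels still verify; only the UTXO-set check in `apply_to_utxo` rejects it, because the pruned output it spends never existed on chain. That is why off-chain consolidation does not yield an off-chain double-spend defence, while on-chain cut-through still shrinks what a full node must store.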
