Scaling Bitcoin to One Billion Users, Part I

The most important comparative properties of cryptocurrencies are decentralization, scalability, confidentiality, stability, usability, security.  But scalability is always in conflict with the rest of the properties. To scale higher, some blockchains sacrifice security, usability or privacy. For example, Bitcoin sacrifices some security because it lacks stateful smart-contracts, so users cannot set daily withdrawal limits or use covenants. Ethereum sacrifices privacy, because reusing destination accounts (in CALL payments) costs less than creating new accounts, incentivizing the former over the later. The Meltdown vulnerability, which affects CPUs, or the CRIME vulnerability, which affected the TLS protocol, are catastrophic examples of the difficulty of having both secure/private and maximally efficient systems in hardware and software.

When I designed QixCoin, the first Turing-complete cryptocurrency, I decided to create a blockchain than could be turned private, usable and efficient and let the free market decide the value of each feature with respect to its cost. Each feature would be priced according to the resources it consumed. This is the same stance later followed by Ethereum and by the RSK Bitcoin sidechain. Some niche cryptocurrencies adopt an opposed stance, subsidizing one feature, such as complete confidentiality, to conquer a niche market. But at the same time these cryptocurrencies are pricing out users who do not need that feature. As an example, the cost of a private zCash transaction is only a fraction higher than a zCash transparent transaction, but it consumes much more resources. But the cryptocurrency killer app is still to be discovered, so niche cryptocurrencies only fragment the market and reduce the network effect.

In last year Ethereum advanced one step in privacy by implementing elliptic curve and paring operations as native contracts. You can now implement a contract that enables private token transfers. But in order to use this contract, you still need to pay the transaction fees from a standard transparent account, which gets linked to your private transaction, so privacy is still limited. To enable the use of truly private tokens, you need enable the use of the same private tokens to pay for transaction fees. With the advent of account abstraction (in case of Ethereum) and SigVerCode (in case of RSK), the receiver can pay for the fees, so selective private transactions can be accomplished.  This sounds great, but when we take into account the costs of private transactions (in terms of gas consumption), we realize that private transactions cannot scale to all the transaction volume.

Luckily most of the transactions we daily do, like shopping or having meals, do not need to be private. For a billion of unbanked people in the world, what matters most is transaction cost, and selective privacy can be an option.

The Cost of Privacy

Private transactions are costly, both in terms of blockchain space and CPU consumption. Several different methods to achieve transaction privacy have been invented, Chaumian, zk-SNARKs based such as zCash, Ring Signatures based, such as Monero, Pedersen commitments based, such as MimbleWimble, universal re-encryption based, such as Appecoin. Each cryptographic construction has different resource requirements. In general, private transactions take around 1-10 millisecond to verify, so 100 tps can be achieved. The current technological bottleneck is not CPU consumption, but block size and blockchain growth rate. Private transactions tend to be about 2-8 Kbytes in size. There are three components of a standard payment transaction that need to be hidden: transaction source, destination and transaction amount. Hiding transaction source and destination is easy by using Ring signatures and Stealth Addresses. The harder part seems to be hiding the amount. Three problems arise when trying to hide the amount: first, it requires “range proofs” to allow to privately combine and split amounts. Second, the range proofs proposed are based on perfect-hiding, computationally-binding commitments, and not the reverse. This means that with sufficiently computational power (e.g. large quantum computers) an attacker can create coins from thin air. Third, range proofs consume large space. For comparison, a range proof may take 2-8 KBytes while a transparent transaction in RSK can be made as short as 10 bytes, using signature aggregation. Therefore, privacy is about 100 times more costly than transparency. Because of the homomorphic properties, both Pedersen and Appecoin commitments do not require range proofs to add two private values, so we may think we can reduce the cost when we’re adding value to a private savings account. The bad news is that to pay exact values, or to pay for the transaction fees, change is required, and splitting the change requires range proofs. Generally a transaction would need to split a hidden amount into a hidden payment, a hidden change, and an open transaction fee amount. Therefore there is no way to avoid the need to verify range-proofs, even for mostly additive accounts, as savings accounts are. A workaround is to use fixed denominations (e.g. powers of two), and pay with a list of coins. This solves the range proof problem, but it multiplies the number of  private coins a user sends and receive. A full private payment of 64-bits value would require the use of 64 private coins (some of them of zero value), and therefore the space consumed still stays around 4 KByte per transaction.

One method that can hopefully reduce the cost of private transactions is to create a zk-SNARK based system where many zk-SNARK verifications are aggregated by the end of the month with a mega zk-SNARK proof produced by the last miner, and the individual zk-SNARK proofs are afterward removed from the blockchain. These are proofs of proofs. More hope comes from the recent discovery of zk-STARKs. By using zk-STARTKs it is theoretically possible for a miner to create a proof that a certain blockchain state was correctly reached by compressing the validation of the blockchain of all blocks prior to the one being proven, into a single succinct proof.  If zk-STARKs that becomes practically possible, then the size of the blockchain won’t matter anymore, as the historic data won’t be needed anymore, and we’ll have a free pass for scalability and privacy.

So even if difficulties in reducing privacy overhead seem a bit depressing, cryptography is evolving fast, and new methods will be developed that will hopefully decrease the cost of privacy. For example,  a new resource optimized proof system that provides short and practically efficient range proofs called BulletProof was recently invented.

The Future

In 5-10 years one billion people will be using a blockchain along with an instant, global, and massive off-chain payment network. The one which win will be the one offering the cheapest payment cost, even without privacy. That’s how the market has worked for Google or Facebook for personal information gathering. People are willing to give personal information for cheaper or free services. But that doesn’t mean all users are forced to: the same blockchain can support on-chain and an off-chain payment network that offers fully private payments. The off-chain private-oriented payment layer will be multi-hop routed or use Bolt technology, or any other privacy-preserving technology yet to be invented, while the cheap payment layer will be more hub-and-spoke. If we can reach a billion cryptocurrency users, it just needs some small percentage of users to be willing to have some privacy for a private system to be bootstrapped, with a large enough anonymity set, and for the network effect to form.  I envision that each person with a smartphone will manage some semi-private payment channels and one private payment channel. Both private and transparent channels will be tied to a savings account (hopefully private, with the advent of more efficient cryptography).


It is highly probable that a decentralized financial system develops in the following years to serve one billion unbanked users. Bitcoin and the lightning network have the advantage. However, because of the limitation of on-chain volume, Bitcoin alone cannot serve one billion people, not even with an off-chain payment network. I estimate Bitcoin (the blockchain) can serve 10 million active users, at most. RSK, the first working Bitcoin sidechain, is specially well positioned to become the platform of choice for several reasons. First, Bitcoin has the most network effect, security and market cap, so it seems natural that people will prefer to use Bitcoin rather other cryptocurrencies. Second, RSK’s community core values are aligned with financial inclusion. Third, RSK allows selective privacy. Fourth, RSK is adding innovative technology for scalability. Several unique protocols will soon to be deployed for RSK, such as LTCP (Lumino Transaction Compression Protocol) and DSTCP (Double-Signed Transaction Compression Protocol). These protocols are targeted to reduce on-chain transaction costs to a minimum, freeing more space for payment channel top-ups and settlements.

Regarding the currency, I’m not sure if the billion unbanked people will be transacting in Bitcoin, in foreign or in local fiat-denominated tokens. I suppose the later. But even when transacting tokens, still people may be using Bitcoin under the hood to pay for transaction fees.  And if Bitcoin gets more stable in the forthcoming years, then maybe Bitcoin becomes the preferred unit of account.


, , ,

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: