1

Byteball:ADecentralizedSystemforStorageandTransferofValue

AntonChuryumovtonych@byteball.org

AbstractByteballisadecentralizedsystemthatallowstamperproofstorageofarbitrarydata,includingdatathatrepresentstransferrablevaluesuchascurrencies,propertytitles,debt,shares,etc.Storageunitsarelinkedtoeachothersuchthateachstorageunitincludesoneormorehashesofearlierstorageunits,whichservesbothtoconfirmearlierunitsandestablishtheirpartialorder.ThesetoflinksamongunitsformsaDAG(directedacyclicgraph).Thereisnosinglecentralentitythatmanagesorcoordinatesadmissionofnewunitsintothedatabase,everyoneisallowedtoaddanewunitprovidedthathesignsitandpaysafeeequaltothesizeofaddeddatainbytes.Thefeeiscollectedbyotheruserswholaterconfirmthenewlyaddedunitbyincludingitshashwithintheirownunits.Asnewunitsareadded,eachearlierunitreceivesmoreandmoreconfirmationsbylaterunitsthatincludeitshash,directlyorindirectly.

Thereisaninternalcurrencycalled‘bytes’thatisusedtopayforaddingdataintothedecentralizeddatabase.Othercurrencies(assets)canalsobefreelyissuedbyanyonetorepresentpropertyrights,debt,shares,etc.Userscansendbothbytesandothercurrenciestoeachothertopayforgoods/servicesortoexchangeonecurrencyforanother;thetransactionsthatmovethevalueareaddedtothedatabaseasstorageunits.Iftwotransactionstrytospendthesameoutput(double-spend)andthereisnopartialorderbetweenthem,bothareallowedintothedatabasebutonlytheonethatcomesearlierinthetotalorderisdeemedvalid.TotalorderisestablishedbyselectingasinglechainontheDAG(themainchain)thatisattractedtounitssignedbyknownuserscalledwitnesses.Aunitwhosehashisincludedearlieronthemainchainisdeemedearlieronthetotalorder.Userschoosethewitnessesbynamingtheuser-trustedwitnessesineverystorageunit.Witnessesarereputableuserswithreal-worldidentities,anduserswhonamethemexpectthemtonevertrytodouble-spend.Aslongasthemajorityofwitnessesbehaveasexpected,alldouble-spendattemptsaredetectedintimeandmarkedassuch.Aswitnesses-authoredunitsaccumulateafterauser’sunit,therearedeterministic(notprobabilistic)criteriawhenthetotalorderoftheuser’sunitisconsideredfinal.

Usersstoretheirfundsonaddressesthatmayrequiremorethanonesignaturetospend(multisig).Spendingmayalsorequireotherconditionstobemet,includingconditionsthatareevaluatedbylookingforspecificdatapostedtothedatabasebyotherusers(oracles).

Userscanissuenewassetsanddefinerulesthatgoverntheirtransferability.Therulescanincludespendingrestrictionssuchasarequirementforeachtransfertobecosignedbytheissueroftheasset,whichisonewayforfinancialinstitutionstocomplywithexistingregulations.Userscanalsoissueassetswhosetransfersarenotpublishedtothedatabase,andthereforenotvisibletothirdparties.Instead,theinformationaboutthetransferisexchangedprivatelybetweenusers,andonlyahashofthetransactionandaspendproof(topreventdouble-spends)arepublishedtothedatabase.

2

1. IntroductionInOrwell’s1984,theprotagonistWinstonSmithworksintheRecordsDepartmentoftheMinistryofTruthasaneditor,revisinghistoricalrecords,tomakethepastconformtotheever-changingpartylineanddeletingreferencestounpersons–peoplewhohavebeen"vaporised,"i.e.notonlykilledbythestatebutdeniedexistenceeveninhistoryormemory[1].Whatwepresenthereisdatastoragethatisnotrewritable.Itisadistributeddecentralizeddatabasewhererecordscanneitherberevisednordeletedentirely.

Bitcoin[2]wasthefirstsystemtointroducetamperproofrecordsdesignedforthespecificpurposeoftrackingtheownershipofelectroniccurrencyunitsknownasbitcoins.InBitcoin,alltransfersofthecurrencyarerepresentedastransactionsthataredigitallysignedbythecurrentownerofthecoin,transactionsarebundledintoblocks,andblocksarelinkedintoachain(blockchain)securedbyproofofwork(PoW)thatassuresthatlargecomputingresourceshavebeeninvestedintobuildingthechain.Anyattempttorewriteanythingcontainedinthechainwouldthereforerequireevenlargercomputingresourcesthanthosethathavealreadybeenexpended.

SoonafterBitcoinappeared,itbecameclearthatthiswasmorethanjustatrust-freeP2Pelectroniccurrency.Itstechnologybecameasourceofnewideasforsolvingotherproblems.Atthesametime,Bitcoin’sdeficienciesandlimitationsequallybecameclear.ByteballisdesignedtogeneralizeBitcointobecomeatamperproofstorageofanydata,notsolelytransfersofasingleelectroniccurrency,andremovesomeofthemostpressingdeficienciesthatimpedeawideradoptionandgrowthofBitcoin.

Blocks.InBitcoin,transactionsarebundledintoblocks,andblocksarelinkedintoasinglechain.Sincetheblocksarelinkedlinearly,theirspacingintimeandtheirsizeareoptimizedfornear-synchronyamongnodes,sothatthenodescanshareanewblockwitheachothermuchfasterthanittypicallytakestogenerateanewblock.Thisensuresthatnodesmostlikelyseethesameblockasthelastblock,andorphaningisminimized.AsBitcoingrows,blocksbecomeincreasinglyunwieldy.Theyareeithercappedinsize,inwhichcasethegrowthisalsocapped,ortheytaketoolongtopropagatetoallnodesofthenetwork,inwhichcasethereisgreateruncertaintyaboutwhichblockislast,andmoreresourcesarewastedonextendingchainsthatwouldlaterbeorphaned.InByteball,therearenoblocks,transactionsaretheirownblocks,andtheyneednotconnectintoasinglechain.Insteadatransactionmaybelinkedtomultipleprevioustransactions,andthewholesetoftransactionsisnotachainbutaDAG(directedacyclicgraph).DAG-baseddesignshavereceivedmuchattentionrecently[3-5].

Cost.BitcointransactionsaresecurebecauseitisprohibitivelyexpensivetoredoallthePoWincludedintheblockscreatedafterthetransaction.ButthatalsomeansthatitisnecessarytopaytobuildthelegitimatePoWthatisstrongenoughtowardoffanyattackers.ThispaymentisspentfortheelectricityrequiredtobuildthePoW.Whatisimportanttonotehere,isthatthismoneygoesoutsidetheBitcoinecosystem–toenergycompanies–meaningthatthecommunityofBitcoinholdersasawholeisbleedingcapital.InByteball,thereisnoPoW,insteadweuse

3

anotherconsensusalgorithmbasedonanoldideathatwasknownlongbeforeBitcoin.

Finality.TransactionfinalityinBitcoinisprobabilistic.Therearenostrictandsimplecriteriaforwhenyoucansaythatatransactionwillneverbereversed.Rather,youcanonlyarguethattheprobabilityofatransactionbeingreversedexponentiallydecaysasmoreblocksareadded.Whilethisconceptisperfectlycleartothoseversedinmath,itmightbeadifficultselltoanaverageJoewhoisusedtoexpectingablack-or-whitepictureinmattersofmoneyownership.Tocomplicatethingsevenfurther,transactionfinalityalsodependsonitsamount.Iftheamountissmall,youcanbereasonablysurenobodywilltrytodouble-spendagainstyou.However,iftheamountatstakeisgreaterthantheblockreward(12.5BTCatthetimeofwriting),youmightspeculatethatthepayercouldtemporarilyrenthashpowertomineanotherchainofblocksthatdoesn’tcontainthetransactionthatpaystoyou.Therefore,youhavetowaitformoreconfirmationsbeforebeingsureenoughthatahigh-valuetransactionisfinal.InByteball,therearedeterministiccriteriaforwhenatransactionisdeemedfinal,nomatterhowlargeitwas.

Exchangerate.TheBitcoinpriceisknowntobequitevolatile.Thebiggerproblemisthatthispriceisnotonlyvolatile,itisnotboundtoanything.Shareandcommoditypricesarealsoveryvolatilebuttherearefundamentalsbehindthem.Sharepriceislargelyafunctionofcompanyearnings,revenue,debt-to-capitalratio,etc.Commoditypricesdepend,amongotherfactors,oncostsofproductionwithvarioussuppliers.Forexample,iftheoilpricefallsbelowtheproductioncostsofsomesuppliersforalongtime,thesesupplierswilleventuallyshutdown,decreasingproductionandcausingthepricetogoup.Thereisanegativefeedbackloop.InBitcoin,therearenofundamentals,andnonegativefeedback.ABitcoinpriceof$500isnomorejustifiedthanapriceof$50,000or$5.IftheBitcoinpricemovesfromwhereitisnow,thismovementalonewillnotcreateanyeconomicforcesthatwouldpushthepriceback.It’sjustwild.InByteball,thebasecurrency,bytes,isusedtopayforaddingdataintotheByteballdatabase.Youpay1,000bytestoadd1Kbofdata.Itisameasureoftheutilityofthestorageinthisdatabase,andactualuserswillhavetheiropiniononwhatisareasonablepriceforthis.Ifthepriceofbyterisesabovewhatyouthinkisreasonableforyourneeds,youwillfindwaystostorelessbytes,thereforeyouneedtobuylessbytes,demanddecreases,andthepricefalls.Thisisnegativefeedback,commonforallgoods/serviceswhosedemandisdrivenbyneed,notspeculation.Besidespayinginbytes,onecanissueotherassetsandusethemasmeansofpayment.Theseassetsmightrepresent,forexample,debtexpressedinfiatcurrenciesorinnaturalunits(suchaskWhorbarrelsofoil).Thepriceofsuchassetsisnaturallyboundtotheunderlyingcurrenciesorcommodities.

Privacy.AllBitcointransactionsandbalancesofalladdressesarevisibleontheblockchain.Althoughtherearewaystoobfuscateone’stransactionsandbalances,itisnotwhatpeoplehavecometoexpectfromacurrency.Transactionsinbytes(thebasecurrency)inByteballareequallyvisible,butthereisasecondcurrency(blackbytes),whichissignificantlylesstraceable.

Compliance.Bitcoinwasdesignedasananonymouscurrencywherepeoplehaveabsolutecontrolovertheirmoney.Thatgoalwasachieved;however,itmade

4

Bitcoinincompatiblewithexistingregulations,andhenceinappropriateforuseinthefinancialindustry.InByteball,onecanissueassetswithanyrulesthatgoverntheirtransferability,fromnorestrictionsatall,likeBitcoin,toanythinglikerequiringeverytransfertobecosignedbytheissuer(e.g.thebank)orrestrictedtoalimitedsetofwhitelistedusers.

2. DatabasestructureWhenauserwantstoadddatatothedatabase,hecreatesanewstorageunitandbroadcastsittohispeers.Thestorageunitincludes(amongotherthings):

• Thedatatobestored.Aunitmayincludemorethanonedatapackagecalledamessage.Therearemanydifferenttypesofmessages,eachwithitsownstructure.Oneofthemessagetypesispayment,whichisusedtosendbytesorotherassetstopeers.

• Signature(s)ofoneormoreuserswhocreatedtheunit.Usersareidentifiedbytheiraddresses.Individualusersmay(andareencouragedto)havemultipleaddresses,likeinBitcoin.Inthesimplestcase,theaddressisderivedfromapublickey,againsimilartoBitcoin.

• Referencestooneormorepreviousunits(parents)identifiedbytheirhashes.Referencestoparentsiswhatestablishestheorder(onlypartialordersofar)

ofunitsandgeneralizestheblockchainstructure.Sincewearenotconfinedtoone-parent–one-childrelationshipsbetweenconsecutiveblocks,wedonothavetostrivefornear-synchronyandcansafelytoleratelargelatenciesandhighthroughputs:we’lljusthavemoreparentsperunitandmorechildrenperunit.Ifwegoforwardinhistoryalongparent-childlinks,we’llobservemanyforkswhenthesameunitisreferencedbymultiplelaterunits,andmanymergeswhenthesameunitreferencesmultipleearlierunits(developersarealreadyusedtoseeingthisingit).Thisstructureisknowningraphtheoryasdirectedacyclicgraph(DAG).Unitsarevertices,andparent-childlinksaretheedgesofthegraph.

Inthespecialcasewhennewunitsarriverarely,theDAGwilllookalmostlikeachain,withonlyoccasionalforksandquickmerges.

Figure1.StorageunitsconnectedintoaDAG.Arrowsarefromchildtoparent,Gisthegenesisunit.

G

5

Likeinblockchainswhereeachnewblockconfirmsallpreviousblocks(andtransactionstherein),everynewchildunitintheDAGconfirmsitsparents,allparentsofparents,parentsofparentsofparents,etc.Ifonetriestoeditaunit,hewillalsohavetochangeitshash.Inevitably,thiswouldbreakallchildunitswhoreferencethisunitbyitshashasbothsignaturesandhashesofchildrendependonparenthashes.Therefore,itisimpossibletoreviseaunitwithoutcooperatingwithallitschildrenorstealingtheirprivatekeys.Thechildren,inturn,cannotrevisetheirunitswithoutcooperatingwiththeirchildren(grandchildrenoftheoriginalunit),andsoon.Onceaunitisbroadcastintothenetwork,andotherusersstartbuildingtheirunitsontopofit(referencingitasparent),thenumberofsecondaryrevisionsrequiredtoeditthisunithencegrowslikeasnowball.That’swhywecallthisdesignByteball(oursnowflakesarebytesofdata).

Unlikeblockchainswhereissuingablockisarareeventandonlyaprivilegedcasteofusersisinpracticeengagedinthisactivity,inanewByteballunitstartsaccumulatingconfirmationsimmediatelyafteritisreleasedandconfirmationscancomefromanyone,everytimeanothernewunitisissued.Thereisnotwo-tiersystemofordinaryusersandminers.Instead,usershelpeachother:byaddinganewunititsauthoralsoconfirmsallpreviousunits.

UnlikeBitcoin,whereanattempttoreviseapasttransactionrequiresalargecomputationaleffort,anattempttoreviseapastrecordinByteballrequirescoordinationwithalargeandgrowingnumberofotherusers,mostofwhomareanonymousstrangers.Theimmutabilityofpastrecordsisthereforebasedonthesheercomplexityofcoordinatingwithsuchalargenumberofstrangers,whoaredifficulttoreach,havenointerestincooperation,andwhereeverysingleoneofthemcanvetotherevision.

Byreferencingitsparents,aunitincludestheparent.Itdoesn’tincludethefullcontentoftheparent;rather,itdependsonitsinformationthroughtheparent’shash.Inthesameway,theunitindirectlydependsonandthereforeincludestheparentsoftheparent,theirparents,andsoon,andeveryunitultimatelyincludesthegenesisunit.

Thereisaprotocolrulethataunitcannotreferenceredundantparents–thatissuchparentsthatoneparentincludesanother.Forexample,ifunitBreferencesunitA,thenunitCcannotreferencebothunitsAandBatthesametime.Aisalready,inaway,containedwithinB.Thisruleremovesunnecessarylinksthatdon’taddanynewusefulconnectivitytothegraph.

3. Nativecurrency:bytesNext,weneedtointroducesomefrictiontoprotectagainstspammingthedatabasewithuselessmessages.Thebarriertoentryshouldroughlyreflecttheutilityofstoragefortheuserandthecostofstorageforthenetwork.Thesimplestmeasureforbothoftheseisthesizeofthestorageunit.Thus,tostoreyourdataintheglobaldecentralizeddatabaseyouhavetopayafeeininternalcurrencycalledbytes,andtheamountyoupayisequaltothesizeofdatayouaregoingtostore(includingallheaders,signatures,etc).Similartopoundsterling,whichwasequaltoonepoundofsilverwhenitwasfirstintroduced,thenameofthecurrencyreflectsitsvalue.

6

Tokeeptheincentivesalignedwiththeinterestsofthenetwork,thereisoneexceptioninsizecalculationrules.Forthepurposesofcalculatingunitsize,itisassumedthattheunithasexactlytwoparents,nomattertherealnumber.Therefore,thesizeoftwohashesofparentunitsisalwaysincludedintheunitsize.Thisexceptionensuresthatuserswillnottrytoincludejustoneparentinanefforttominimizecost.Thecostisthesamenomatterhowmanyparentsareincluded.

TokeeptheDAGasnarrowaspossible,weincentivizeuserstoincludeasmanyparentsaspossible(asmentionedbefore,thisdoesnotnegativelyaffectpayablesize),andasrecentparentsaspossible,bypayingpartoftheunit’sfeestothosewhoarefirsttoincludeitasaparent.We’lldefinelaterwhatexactlyis‘first’.

Bytescanbeusednotonlyforpaymentofstoragefees(alsocalledcommissions),butalsocanbesenttootheruserstopayforgoodsorservicesorinexchangeforotherassets.Tosendapayment,theusercreatesanewunitthatincludesapaymentmessagesuchasthefollowing(fromnowon,weuseJSONtodescribedatastructures):{

inputs: [ {

unit: "hash of input unit", message_index: 2, // index of message where this utxo was created output_index: 0 // index of output where this utxo was created

}, …

], outputs: [

{ address: "RECEIVER ADDRESS", amount: 15000 // in bytes

}, …

] }

Themessagecontains:• Anarrayofoutputs:oneormoreaddressesthatreceivethebytesandthe

amountstheyreceive.• Anarrayofinputs:oneormorereferencestopreviousoutputsthatare

usedtofundthetransfer.Theseareoutputsthatweresenttotheauthoraddress(es)inthepastandarenotyetspent.

Thesumofinputsshouldbeequaltothesumofoutputspluscommissions(inputamountsarereadfrompreviousoutputsandarenotexplicitlyindicatedwhenspending).Theunitissignedwiththeauthor’sprivatekeys.

Thetotalnumberofbytesincirculationis1015,andthisnumberisconstant.Allbytesareissuedinthegenesisunit,thentransferredfromusertouser.Feesarecollectedbyotheruserswhohelptokeepthenetworkhealthy(moredetailsaboutthatlater),sotheystayincirculation.Thenumber1015wasselectedasthelargestroundintegerthatcanberepresentedinJavaScript.Amountscanonlybeonlyintegers.Largerunitsofthecurrencyarederivedbyapplyingstandardprefixes:1kilobyte(Kb)is1,000bytes,1megabyte(Mb)is1millionbytes,etc.

7

4. Double-spendsIfausertriestospendthesameoutputtwice,therearetwopossiblesituations:

1. Thereispartialorderbetweenthetwounitsthattrytospendthesameoutput,i.e.oneoftheunits(directlyorindirectly)includestheotherunit,andthereforecomesafterit.Inthiscase,itisobviousthatwecansafelyrejectthelaterunit.

2. Thereisnopartialorderbetweenthem.Inthiscase,weacceptboth.Weestablishatotalorderbetweentheunitslateron,whentheyareburieddeepenoughundernewerunits(seebelowhowwedoit).Theonethatappearsearlieronthetotalorderisdeemedvalid,whiletheotherisdeemedinvalid.

Thereisonemoreprotocolrulethatsimplifiesthedefinitionoftotalorder.Werequire,thatifthesameaddresspostsmorethanoneunit,itshouldinclude(directlyorindirectly)allitspreviousunitsineverysubsequentunit,i.e.thereshouldbepartialorderbetweenconsecutiveunitsfromthesameaddress.Inotherwords,allunitsfromthesameauthorshouldbeserial.

Ifsomeonebreaksthisruleandpoststwounitssuchthatthereisnopartialorderbetweenthem(nonserialunits),thetwounitsaretreatedlikedouble-spendseveniftheydon’ttrytospendthesameoutput.Suchnonserialsarehandledasdescribedinsituation2above.

Ifauserfollowsthisrulebutstilltriestospendthesameoutputtwice,thedouble-spendsbecomeunambiguouslyorderedandwecansafelyrejectthelateroneasinsituation1above.Thedouble-spendsthatarenotnonserialsatthesametimearehenceeasilyfilteredout.

Thisruleisinfactquitenatural.Whenausercomposesanewunit,heselectsthemostrecentotherunitsasparentsofhisunit.Byputtingthemonhisparentslist,hedeclareshispictureoftheworld,whichimpliesthathehasseentheseunits.Hehasthereforeseenallparentsofparents,parentsofparentsofparents,etcupuntilthegenesisunit.Thishugesetshouldobviouslyincludeeverythingthathehimselfhasproduced,andthereforehasseen.

Bynotincludingaunit(evenindirectly,throughparents)theuserdeniesthathehasseenit.Ifweseethatbynotincludinghisownpreviousunitauserdenies

Figure2.Double-spends.Thereisnopartialorderbetweenthem.

G

8

havingseenit,we’dsayit’sodd,somethingfishyisgoingon.Wediscouragesuchbehavior.

5. ThemainchainOurDAGisaspecialDAG.Innormaluse,peoplemostlylinktheirnewunitstoslightlylessrecentunits,meaningthattheDAGgrowsonlyinonedirection.Onecanpictureitasathickcordwithmanyinterlacedwiresinside.Thispropertysuggeststhatwecouldchooseasinglechainalongchild-parentlinkswithintheDAG,andthenrelateallunitstothischain.Alltheunitswilleitherliedirectlyonthischain,whichwe’llcallthemainchain,orbereachablefromitbyarelativelysmallnumberofhopsalongtheedgesofthegraph.It’slikeahighwaywithconnectingsideroads.

Onewaytobuildamainchainistodevelopanalgorithmthat,givenallparentsofaunit,selectsoneofthemasthe“bestparent”.Theselectionalgorithmshouldbebasedonlyonknowledgeavailabletotheunitinquestion,i.e.ondatacontainedintheunititselfandallitsancestors.Startingfromanytip(achildlessunit)oftheDAG,wethentravelbackwardsinhistoryalongthebestparentlinks.Travelingthisway,webuildamainchainandeventuallyarriveatthegenesisunit.Notethatthemainchainbuiltstartingfromaspecificunitwillneverchangeasnewunitsareadded.Thisisbecauseoneachstepwearetravelingfromchildtoparent,andanexistingunitcanneveracquirenewparents.

Ifwestartfromanothertip,we’llbuildanothermainchain.Ofnotehereisthatifthosetwomainchainseverintersectwhiletheygobackinhistory,theywillbothgoalongthesamepathaftertheintersectionpoint.Intheworstcase,themainchainswillintersectonlyingenesis.Giventhattheprocessofunitproductionisnotcoordinatedamongusers,however,onemightexpecttofindaclassofmainchainsthatdoconvergenottoofarfromthetips.

Oncewehaveamainchain(MC),wecanestablishatotalorderbetweentwoconflictingnonserialunits.Let’sfirstindextheunitsthatliedirectlyonthemainchain.Thegenesisunithasindex0,thenextMCunitthatisachildofgenesishas

Figure3.Mainchainsbuiltfromdifferentchildlessunitsintersectandthengoalongthesamepath.Ofthetwodouble-spends,theonewiththelowermainchainindex(5)wins,whiletheother(withMCI=6)isdeemedinvalid.

G 1

42

2

2

33

4

4

5

6

57

67

8

9

index1,andsoontravelingforwardalongtheMCweassignindexestounitsthatlieontheMC.ForunitsthatdonotlieontheMC,wecanfindanMCindexwherethisunitisfirstincluded(directlyorindirectly).Insuchaway,wecanassignanMCindex(MCI)toeveryunit.

Then,ofthetwononserials,theonethathasalowerMCIisconsideredtocomeearlieranddeemedvalid,whiletheotherisinvalid.IfbothnonserialshappentohavethesameMCI,thereistiebreakerrulethattheunitwiththelowerhashvalue(asrepresentedinbase64encoding)isvalid.Notethatwekeepallversionsofthedouble-spend,includingthosethateventuallylose.DagCoin[3]wasthefirstpublishedworkthatsuggestedstoringallconflictingtransactionsanddecidingwhichonetotreatasvalid.

TheMCbuiltfromaspecificunittellsuswhatthisunit’sauthorthinksabouttheorderofpastevents,i.e.hispointofviewaboutthehistory.Theorderthenimplieswhichnonserialunittoconsidervalid,asdescribedabove.Notethatbychoosingthebestparentamongallparentsofagivenunit,wearesimultaneouslymakingachoiceamongtheirMCs:theMCoftheunitinquestionwillbetheMCofitsbestparentextendedforwardbyonelink.

Recognizingthatmany(orevenall)parentunitsmightbecreatedbyanattacker,andrememberingthatthechoiceofbestparentisessentiallythechoiceamongversionsofhistory,weshouldrequirefromourbestparentselectionalgorithmthatitfavorshistoriesthatare“real”fromthepointofviewofthechildunit.Wehenceneedtodevisea“realitytest”thatouralgorithmwouldrunagainstallcandidateMCstoselecttheonethatscoresbest.

6. WitnessesLookingfora“realitytest”,observethatsomeoftheparticipantsofournetworkarenon-anonymousreputablepeopleorcompanieswhomighthavealongestablishedreputation,ortheyarebusinessesinterestedinkeepingthenetworkhealthy.We’llcallthemwitnesses.Whileitisreasonabletoexpectthemtobehavehonestly,itisalsounreasonabletototallytrustanysinglewitness.IfweknowtheByteballaddressesofseveralwitnesses,andalsoexpectthemtopostfrequentlyenough,thentomeasuretherealityofacandidateMConemighttravelalongtheMCbackintimeandcountthewitness-authoredunits(ifthesamewitnessisencounteredmorethanonce,heisnotcountedagain).Wewouldstoptravelingassoonaswehadencounteredthemajorityofwitnesses.Wewouldthenmeasurethelengthofthelongestpathonthegraphfromthepointatwhichwestoppedtothegenesis.We’llcallthislengththeleveloftheunitwherewestopped,andthewitnessedleveloftheparentwhoseMCwearetesting.ThecandidateMCthatyieldsthegreaterwitnessedlevelisconsideredmore“real”,andtheparentbearingthisMCisselectedasbestparent.Incasethereareseveralcontenderswithamaximumwitnessedlevel,wewouldselecttheparentwhoseownlevelisthelowest.Ifthetiepersists,wewouldselecttheparentwiththesmallestunithash(inbase64encoding).

ThisalgorithmallowstheselectionoftheMCthatgravitatestounitsauthoredbywitnesses,andthewitnessesareconsideredtoberepresentativeofreality.If,forexample,anattackerforksfromthehonestpartofthenetworkand

10

secretlybuildsalongchainofhisownunits(shadowchain),oneofthemcontainingadouble-spend,andlatermergeshisforkbackintothehonestDAG,thebestparentselectionalgorithmatthemergerpointwillchoosetheparentthatdrivestheMCintothehonestDAG,asthisiswherethewitnesseswereactive.Thewitnesseswerenotabletopostintotheshadowchainsimplybecausetheydidn’tseeitbeforethemerger.ThisselectionofMCreflectstheorderofeventsasseenbythewitnessesandtheuserwhoappointedthem.Aftertheattackisover,theentireshadowchainwilllandontheMCatonepoint,andthedouble-spend

containedintheshadowchainwillbedeemedinvalidbecauseitsvalidcounterpartcomesearlier,beforethemergerpoint.

Thisexampleshowswhythemajorityofwitnesseshastobetrustedtopostonlyserially.Themajorityshouldnotcolludewiththeattackerandpostonhisshadowchain.Notethatwetrustthewitnessesonlytobesignsofrealityandtonotpostnonserialunitsonanyshadowchains.Wearenotgivinganyofthemcontroloverthenetworkoranypartthereof.Evenforthissmallduty,itisuserswhoappointthewitnessesandtheycanchangetheirdecisionsatanytime.

Theideaoflookingatsomeknownentityasasignofrealityisnotnew.Ithaslongbeenknown,andsomecompanieshaveengagedinsuchactivity,thattoprovethatsomedataexistedbeforeaspecificdate,onecanhashthedataandpublishthehashinsomehard-to-modifyandwidelywitnessedmedia,likeprintednewspaper[6].WitnessesinByteballservethesamefunctionasthenewspaper.Likenewspapers,theyarewellknownandtrusted.Asfornewspaperswheretrustislimitedtotrustingthemtopublishthedatatheyaregiven,witnessesinByteballareonlytrustedtopostserially,andnotmuchmore.Likenewspapers,witnessesdon’tknowwhat’sbehindthehashestheyarewitnessingandhavefewreasonsto

Figure4.WhenanattackerrejoinshisshadowDAGintothelitDAG,hisunitslosecompetitiontobecomebestparentasthechoicefavorsthosepathsthathavemorewitnesses(markedwithw).

G w

42

2

2

33

w

4

5

6

57

w7

89

9

9999

9999

99

99

bestparent

11

care.Newspapersarehardtomodify(butpossible,andin1984theydoit),whileeverythingproducedbywitnessesisprotectedbydigitalsignatures,whichmakesanymodificationsimpossible.Forreliability,wehaveseveralwitnesses,notjustone,andforspeedandconvenience,theseareonline.

Havingdecidedonalistofwitnesses,wecanthenselectbesttheparentandthecorrespondinghistorythatbestfitsthedefinitionofrealityas“somewherewherethesewitnesseslive”.Atthesametime,theparentsthemselvesmighthavedifferentwitnesslistsandconsequentlydifferentdefinitionsofreality.Wewantthedefinitionsofreality,andhistoriesthatfollowfromthem,toconvergearoundsomethingcommon.Toachievethis,weintroducethefollowingadditionalprotocolrule.

The“near-conformityrule”:bestparentsmustbeselectedonlyamongthoseparentswhosewitnesslistdiffersfromthechild’switnesslistbynomorethanonemutation.ThisruleensuresthatwitnesslistsofneighboringunitsontheMCaresimilarenough,thereforetheirhistoriesmostlyagreewithoneanother.Theparentswhosewitnesslistdiffersby0or1mutationwillbecalledcompatible(withtheunitthatincludesthemdirectly),whiletheothersareincompatible.Incompatibleparentsarestillpermitted,buttheyhavenochanceofbecomingbestparent.Iftherearenocompatiblepotentialparentsamongchildlessunits(anattackercouldfloodthenetworkwithhisunitsthatcarryaradicallydifferentwitnesslist),oneshouldselectparentsfromolderunits.

Theabovemeansthateachunitmustlistitswitnessessothattheycanbecompared.Werequirethatthenumberofwitnessesisexactly12.Thisnumber12wasselectedbecause:

• itissufficientlylargetoprotectagainsttheoccasionalfailuresofafewwitnesses(theymightprovedishonest,orbehacked,orgoofflineforalongtime,orlosetheirprivatekeysandgoofflineforever);

• itissufficientlysmallthathumanscankeeptrackofallthewitnessestoknowwhoiswhoandchangethelistwhennecessary;

• theoneallowedmutationissufficientlysmallcomparedwiththe11unchangedwitnesses.Incaseauserthinksthatanyofthewitnesseshaslosthiscredibility,orthere

arejustbettercandidates,theusercanreplacethewitnesswithanewwitnessinhislist,bearinginmindthathiswitnesslistmaynotdifferfromthatofotherunitsbymorethanoneposition.Thismeansthatanychangescanhappenonlygradually,andageneralconsensusisrequiredforachangebiggerthanoneposition.

7. FinalityAsnewunitsarrive,eachuserkeepstrackofhiscurrentMCwhichisbuiltasifheweregoingtoissueanewunitbasedonallcurrentchildlessunits.ThecurrentMCmaybedifferentatdifferentnodesbecausetheymayseedifferentsetsofchildlessunits.WerequirethatthecurrentMCbebuiltwithoutregardofwitnesslists,i.e.theuser’sownwitnesslistdoesn’tmatterandevenincompatibleparentscanbeselectedasbestparents.Thatmeansthatiftwousershavethesamesetofchildlessunits,buthavedifferentwitnesslists,theircurrentMCswillstillbe

12

identical.ThecurrentMCwillconstantlychangeasnewunitsarrive.However,asweareabouttoshow,apartofthecurrentMCthatisoldenoughwillstayinvariant.

Weexpectwitnesses(orratherthemajoritythereof)tobehavehonestly,thereforenecessarilyincludetheirpreviousunitinthenextunitauthoredbythesamewitness.Thismeansthatwhenawitnesscomposesanewunit,onlyrecentunitsarecandidatestobechosenasparents.Wemightexpect,therefore,thatallfuturecurrentMCswillconvergenofarther(whentravelingbackintime)thanaparticularstabilitypoint.Indeed,thegenesisunitisanaturalinitialstabilitypoint.AssumewehavebuiltacurrentMCbasedonthecurrentsetofchildlessunits,andtherewassomepointonthisMCthatwaspreviouslybelievedtobestable,i.e.allfuturecurrentMCsarebelievedtoconvergeonorbeforethispoint(again,whentravelingbackintime),andthentravelalongthesameroute.Ifwecanfindawayofadvancingthispointforward(awayfromthegenesis),wecanprovebyinductionthatastabilitypointexists.

Notethatifweforgetaboutallparentsexceptthebestparent,ourDAGwillbereducedtoatreethatconsistsonlyofbestparentlinks.Obviously,allMCswillgoalongthebranchesofthistree.Wethenneedtoconsidertwocases–whenthetreedoesbranchinthecurrentstabilitypointandwhenitdoesnot–anddecideifwecanadvancethestabilitypointtothenextMCI.

First,assumethetreedoesnotbranch.Wethenneedtoconsiderthe

possibilitythatanewbranchwillstillbeaddedandsomehowsupportedbythewitnessessothatitoutgrowstheexistingbranch.Theotherpossibilityisthatthewitnessesputsomuchweightinsupportoftheexistingbranch,thattherequirementofincludingone’spreviousunitleavesthemnooptionsbutcontinuesupportingtheexistingbranch.Let’squantifythelatterpossibility.Rememberthatbestparentisselectedastheparentwiththegreatestwitnessedlevel.Let’stravelbackintimealongthecurrentMCfromthetipuntilwemeetthemajorityofwitnesses(wearereferringtowitnessesasdefinedbytheunitlyingonthecurrentstabilitypoint).Ifatleastoneofthemliesearlierthanthecurrentstabilitypoint,

Figure5.Atreecomposedofbest-parentlinks.Allbutonebranchesstopgrowingaftersomepoint.

G

13

wedonottrytoadvancethestabilitypoint,otherwiseweproceed.Inthiscase,allthesewitnessesarealready“invested”intothecurrentMC.Amongthesewitnesses,wefindtheminimumwitnessedlevelmin_wl.Whenanyofthesewitnessespostsanewunit,thisunitmighthaveparentswhoseMCleadstothecurrentMCandparentswhoseMCleadstoacompetingbranch,andtheparentwiththehighestwitnessedlevelwillbeselectedasbestparentandwilldefinethedirectionofthenextcurrentMC.Sincethewitnesshastoincludeitspreviousunit,thewitnessedleveloftheparentleadingtothecurrentMCwillbeatleastmin_wl.Thewitnessedlevelofanyparentleadingtothealternativebranchwillneverexceedthelevelofthecurrentstabilitypoint,evenifallremaining(minority)witnessesflocktothealternativebranch.Therefore,ifthecurrentMCgrowsfarenoughsothatmin_wlisgreaterthanthelevelofthecurrentstabilitypoint,themajorityofwitnesseswillhavetoincreasesupportfortheexistingcurrentMC,thealternativebranchhasthenlostallchancestowin,andwecanmovethestabilitypointforwardtothenextMCI.

Next,assumethetreedoesbranch.WeneedtofindaconditionwherethealternativebrancheswillloseanychancetooutgrowthecurrentMC.Let’sstartbydefiningmin_wlasinthepreviouscase.Amongallunitsonthealternativebranches,wethenselectthosethatincreasethewitnesslevel,i.e.theirownwitnessedlevelisgreaterthanthatofeveryparent.Amongthese,wefindthemaximumlevel.Then,evenifalltheremaining(minority)witnessesgatheronthealternativebranches,thewitnessedlevelonthealternativebrancheswillneverexceedthismaximumlevel.Therefore,ifthismaximumlevelislessthanmin_wl,gameisoverforthealternativebranches,andwecanadvancethestabilitypointalongthecurrentMC.

Thus,thereisapointonthecurrentMCbeforewhichtheMCwillneverchange(assumingthemajorityofwitnessesdon’tpostnonserialunits).ThetotalorderdefinedrelativetothisMCisthereforealsofinal.Ifwehadnonserials,ourdecisionaboutwhichoneofthemisvalid,isfinalaswell.IfanewnonserialeverappearsthatconflictswithanythingalreadyonthestableMC,thenewnonserialunitwilldefinitelybeorderedaftertheoldcounterpart,andthenewonewillbedeemedinvalid.Therefore,anypaymentmadeintheunitincludedonthestableMCisalreadyirreversible.UnlikeBitcoinwheretransactionfinalityisonlyprobabilistic,thisisdeterministictransactionfinality.

Everyuserbuildshisown(subjective)currentMCbasedontheunitsthathesees.Sincethepropagationofnewunitsisnotinstant,andtheymayarriveindifferentordertodifferentusers,theuserswillhavedifferentcurrentMCsanddifferentopinionsaboutthelaststablepointoftheMCatanygiventime.However,sincethecurrentMCisdefinedsolelybythesetofunitsknowntotheuser,incaseuserBhasn’tyetadvancedhisstabilitypointtothesameMCIasuserA,hewillinevitablydothatlater–i.e.assoonashereceivesthesameunitsasuserA,ormore.Thustheopinionsofdifferentusersaboutthestateofanygivenunitareeventuallyconsistent.

14

8. StorageofnonserialunitsWhenwedecidethataunitisanonserial,westillhavetostoreit.However,partofitsdataisreplacedwithahashofthedata.Thisruleservestwopurposes.First,toreducestorageconsumedbyaunitthatnobodypaidfor(theentirecontentofthenonserialunitisdeemedinvalid,includingitspaymentofcommissions).Second,toreducetheutilityofthenonserialtotheuserwhosentit,becausethehashreplacesallusefuldatathattheauthorwantedtostore(forfree).Thispreventsattackersfromabusingnonserialsasawaytostorelargeamountsofdataforfree.

Thehashthatisstoredinsteadofthefullcontentstillhassomeutilitytotheattacker,ashecanstoretheoriginaldatahimselfandusethehashtoprovethatthedataexisted.Butrememberthat:

1. Hestillhastopayforoneunitthatisdeemedvalid2. Iftheattackerisalreadyinternallystoringmetadatathatisnecessaryto

interpretByteballdata,hecoulddoequallywellbyjustcombiningallhisdataintoaMerkletreeandusingByteballtostoreonlyitsMerklerootforthecostofonesmallunit.

Underthisdesign,thereisthereforenoself-interestintryingtosendnonserials.Itoughttobementionedthatwecannotjustrejectnonserialsthefirsttime

weseethem.Ifwedid,anattackercouldsendhisnonserialstodifferentusersindifferentorder.Differentuserswouldthensticktotheversionstheyfirstreceivedandrejecteverythingbasedontheotherversion,sotheattackerwouldsucceedinpartitioningthenetwork.That’swhywehavetostorebothversionsandthendecideontheirorder.Evenmore,usersshouldforwardnonserialstopeersjustlikeanyotherunits,asthesoonerpeerslearnaboutthenonserialsthebetter.

Westilltrytoavoidincludingnonserialsifpossible:theparentselectionalgorithmexcludesnonserialsaslongastheyarechildless.Forthisreason,it’sdesirabletohelppeerslearnaboutnonserialsassoonaspossible.

9. BallsAfteraunitbecomesstable(i.e.itisincludedonthestablepartoftheMC)wecreateanewstructurebasedonthisunit,wecallitaball:ball: {

unit: "hash of unit", parent_balls: [array of hashes of balls based on parent units], is_nonserial: true, // this field included only if the unit is nonserial skiplist_balls: [array of earlier balls used to build skiplist]

}

Everyballincludesinformationaboutallitsancestorballs(viaparents),hencetheamountofinformationitdependsongrowslikesnowball.Wealsohaveaflagintheballthattellsusifitendedupbeinginvalid(nonserial),andwehavereferencestoolderballsthatwe’lluselatertobuildproofsforlightclients.

Wecanonlybuildaballwhenthecorrespondingunitbecomesstableandweknowforcertainwhetheritisserial.SincethecurrentMCsasviewedbydifferentusersareeventuallyconsistent,theywillallbuildexactlythesameballbasedonthesameunit.

15

10. LastballToprotecttheballs(mostimportantly,theis_nonserialflag)frommodification,werequireeachnewunittoincludeahashofthelastballthattheauthorknowsabout(whichistheballbuiltfromthelaststableunit,anditliesontheMC).Thisway,thelastballwillbeprotectedbytheauthor’ssignature.Lateron,thenewunititselfwillbe(directlyorindirectly)includedbywitnesses.

Ifsomeonewhodoesn’thavetheentireByteballdatabasewantstoknowifaparticularunitisserial,hewouldgiveusalistofwitnesseshetruststobehavehonestly,andwewouldbuildachainofrecentunitsthatincludesthemajorityofthesaidwitnesses,thenreadlastballfromtheoldestunitofthechain,anduseballstobuildahashtreethathasthelastballatthetopandincludestherequestedunitsomewherebelow.ThishashtreeissimilartoaverytallMerkletree,withadditionaldatafedinateachnode.Thetreecanbeoptimizedusingtheskiplist.

ThereferencetothelastballalsoletsusersseewhattheirpeersthinkaboutthestabilitypointoftheMCandcompareitwiththeirownvision.

Wealsorequirethatthelastballliesnosoonerthanlastballofeveryparent.ThisensuresthatthelastballeitheradvancesforwardalongtheMCorstaysinthesameposition,butneverretreats.

Tofurtherreducethedegreesoffreedomofadversaries,weaddonemorerequirement:aunit’switnesslistmustbecompatiblewiththatofeachunitthatliesonthetrailingpartoftheunit’sMCbetweenthisunitandthelastball’sunit.Thisrequirementensuresthatallchangestothewitnesslistfirstreachstabilitypointbeforetryinganotherchange.Otherwise,anattackermightinjectasignificantlymodifiedwitnesslistontotheMCandstoppostingfromtheaddressesofthenewwitnesses.Insuchinstances,thestabilitypointwouldnotbeabletoadvancepastthestretchoccupiedbytheattacker’switnesses.

Therequirementthatwitnesslistsofallcontemporaryunitsaremostlysimilarmeansthatallusershavemostlysimilarviewsaboutwhocanbetrustedtoserveaslighthousesforthecommunityatthecurrenttime.Thisissimilartobiology,whereorganismsofthesamespecieshavetohavemostlythesamegenes.Smallvarianceofthewitnesslistallowsforevolutionarychangethatstillpreservestheintegrityofthesystem.

11. WitnesslistunitItisexpectedthatmanyuserswillwanttouseexactlythesamewitnesslist.Inthiscase,tosavespace,theydon’tlisttheaddressesofall12witnesses.Rather,theygiveareferencetoanotherearlierunit,whichlistedthesewitnessesexplicitly.Thewitnesslistunitmustbestablefromthepointofviewofthereferencingunit,i.e.itmustbeincludedintothelastballunit.

12. UnitstructureThisisanexampleofaunit:{

version: '1.0', alt: '1',

16

messages: [ { app: 'payment', payload_location: 'inline', payload_hash: 'AegecfpDzh8xvdyIABdynrcP6CTd4Pt42gvRiv0Ftjg=', payload: {

inputs: [{ unit: '7yctnKyuAk5P+mFgFQDdDLza88nkceXYjsTs4e3doQA=', message_index: 0, output_index: 1

} ], outputs: [

{ address: 'DJ6LV5GPCLMGRW7ZB55IVGJRPDJPOQU6', amount: 208 }, { address: 'Z36JFFX2AH7X5JQ2V2C6AQUUOWFESKZ2', amount: 3505 }

] }

} ], authors: [ {

address: 'DJ6LV5GPCLMGRW7ZB55IVGJRPDJPOQU6', authentifiers: {

r: '3eQPIFiPVLRwBwEzxUR5thqn+zlFfLXUrzAmgemAqOk35UvDpa4h79Fd6TbPbGfb8VMiJzqdNGHCKyAjl786mw=='

} } ], parent_units: [

'B63mnJ4yNNAE+6J+L6AhQ3EY7EO1Lj7QmAM9PS8X0pg=', 'D6O1/D9L8vCMhv+8f70JecF93UoLKDp3e2+b92Yh2mI=', 'ZxqzWP6q6hDNF50Wax8HUK212lH/KSIRdW5a6T9h3DM='

], last_ball: '8S2ya9lULt5abF1Z4lIJ4x5zYY9MtEALCl+jPDLsnsw=', last_ball_unit: 'bhdxFqVUut6V3N2D6Tyt+/YD6X0W+QnC95dMcJJWdtw=', witness_list_unit: 'f252ZI2MN3xu8wFJ+LktVDGsay2Udzi/AUauE9ZaifY='

}

Here:• versionistheprotocolversionnumber.Theunitwillbeinterpreted

accordingtothisversionoftheprotocol;• altisanidentifierofalternativecurrency,we’lldiscussthislater;• messagesisanarrayofoneormoremessagesthatcontainactualdata;

o appisthetypeofmessage,e.g.‘payment’forpayments,‘text’forarbitrarytextmessages,etc;

o payload_locationsayswheretofindthemessagepayload.Itcanbe‘inline’ifthepayloadisincludedinthemessage,‘uri’ifthepayloadisavailableataninternetaddress,‘none’ifthepayloadisnotpublishedatall,isstoredand/orsharedprivately,andpayload_hashservestoproveitexistedataspecifictime;

o payload_hashisahashofthepayloadinbase64encoding;o payloadistheactualpayload(sinceitis‘inline’inthisexample).The

payloadstructureisapp-specific.Paymentsaredescribedasfollows:

17

§ inputsisanarrayofinputcoinsconsumedbythepayment.Allownersoftheinputcoinsmustbeamongthesigners(authors)oftheunit;

• unitishashoftheunitwherethecoinwasproduced.Tobespendable,theunitmustbeincludedinlast_ball_unit;

• message_indexisanindexintothemessagesarrayoftheinputunit.Itindicatesthemessagewherethecoinwasproduced;

• output_indexisanindexintotheoutputsarrayofthemessage_index’thmessageoftheinputunit.Itindicatestheoutputwherethecoinwasproduced;

§ outputsisanarrayofoutputsthatsaywhoreceivesthemoney;

• addressistheByteballaddressoftherecipient;• amountistheamounthereceives;

• authorsisanarrayoftheauthorswhocreatedandsignedthisunit.Allinputcoinsmustbelongtotheauthors;

o addressistheauthor’sByteballaddress;o authentifiersisadatastructurethatprovestheauthor’s

authenticity.MostcommonlytheseareECDSAsignatures;• parent_unitsisanarrayofhashesofparentunits.Itmustbesorted

alphabetically;• last_ballandlast_ball_unitarehashesoflastballanditsunit,respectively;• witness_list_unitishashoftheunitwhereonecanfindthewitnesslist.

Allhashesareinbase64encoding.Notethatthereisnotimestampfieldintheunitstructure.InByteball,there

arenoprotocolrulesthatrelyonclocktime.it’ssimplynotneeded,asitisenoughtorelyontheorderofeventsalone.

Timestampisstilladdedtounitswhentheyareforwardedfromnodetonode.However,thisisonlyadvisoryandusedbylightclientstoshowinwalletstheapproximatetimewhenaunitwasproduced,whichmaysignificantlydifferfromthetimeitwasreceivedaslightclientsmaygoofflineforextendedperiodsoftime.

13. CommissionsAsmentionedbefore,thecosttostoreaunitisitssizeinbytes.Thecommissionissplitintotwoparts:headerscommissionandpayloadcommission.Payloadcommissionisequaltothesizeofmessages;headerscommissionisthesizeofeverythingelse.Thetwotypesofcommissionsaredistributeddifferently.

Headerscommissiongoestooneofthefutureunitswhichtakesthepayerunitasparent.Thereceiverisselectedonlyafterboththepayerunit’sMCIandthenextMCIbecomestable.Todeterminethereceiver,wetakethosechildrenwhoseMCIisequaltoor1morethantheMCIofthepayer.ThehashesofeachofthesechildrenareconcatenatedwiththehashoftheunitlyingonthenextMCI(relativetothepayer),andthechildwiththesmallesthashvalue(inhex)winstheheaders

18

commission.ThishashingwiththenextMCunitisdesignedtointroduceunpredictability(thenextMCunitisnotknownbeforehand)andrenderuselessanyattemptstoimproveone’schancesofreceivingcommissionbyplayingwithone’sownunithash.Atthesametime,restrictingcandidatestothosewhoseMCIisnomorethan1greaterthantheMCIofthepayer,incentivizestheselectionofthemostrecentunitsasparents.ThisisusefultokeeptheDAGasnarrowaspossible.

Wepayonlytheheaderscommissionandnottheentirecommissiontothosewhoarequicktopickourunitasparent,forthefollowingreason.Ifwedidpaytheentirecommission,wewouldhaveincentivizedabusivebehavior:splitone’sdataintoseveralchunksandbuildalongchainofone’sownunitsstoringonechunkperunit.Allthecommissionspaidinapreviousunitwouldthenbeimmediatelycollectedbythesameuserinthenextunit.Aswepayonlytheheaderscommission,suchbehaviorisnotprofitablebecausetoproduceeachadditionalelementofthechainonehastospendadditionalheaderscommission–roughlythesameasoneearns.Weusetheremaining(payload)commissiontoincentivizeotherswhoseactivityisimportantforkeepingthenetworkhealthy.

Payloadcommissiongoestowitnesses.Toincentivizewitnessestopostfrequentlyenough,wesplitpayloadcommissionequallyamongallwitnesseswhoarequickenoughtopostwithin100MCindexesafterthepayingunit(thefastertheypost,thefasterthisunitbecomesstable).Ifall12witnesseshavepostedwithinthisinterval,eachreceives1/12ofthepayloadcommission.Ifonlyonewitnesshasposted,hereceivestheentirepayloadcommission.Inthespecialcasethatnowitnesshaspostedwithinthisinterval,theyallreceive1/12ofpayloadcommission.Ifthedivisionproducesafractionalnumber,itisroundedaccordingtomathematicalrules.Becauseofthisrounding,thetotalcommissionpaidouttowitnessesmaynotbeequaltothetotalpayloadcommissionreceivedfromtheunit’sauthor(s),sothetotalmoneysupplywillchangeslightlyaswell.Obviously,thedistributionhappensonlyafterMCI+100becomesstable,whereMCIistheMCIofthepayingunit.

Tospendtheearnedheaderscommissionsorwitnessingcommissions,thefollowinginputisused:inputs: [

{ type: "headers_commission", from_main_chain_index: 123, to_main_chain_index: 196

}, {

type: "witnessing", from_main_chain_index: 60, to_main_chain_index: 142

}, …

]

Suchinputssweepallheadersorwitnessingcommissionsearnedbytheauthorfromcommissionpayingunitsthatwereissuedbetweenmainchainindexesfrom_main_chain_indexandto_main_chain_index.Naturally,to_main_chain_indexmustbestable.

19

Whenaunitsignedbymorethanoneauthorearnsheaderscommission,thereissofarambiguityastohowthecommissionissplitamongtheauthors.Toremovetheambiguity,eachunitthatissignedbymorethanoneauthormustincludeadatastructurethatdescribestheproportionsofrevenuesharing:unit: {

… earned_headers_commission_recipients: [

{address: "ADDRESS1", earned_headers_commission_share: 30}, {address: "ADDRESS2", earned_headers_commission_share: 70}

], …

}

Theaddresseswhoreceivethecommissionsneedn’tbethesameastheauthoraddresses–thecommissioncanbesenttoanyaddress.Eveniftheunitissignedbyasingleauthor,itcanincludethisfieldtoredirectheaderscommissionselsewhere.

14. ConfirmationtimeConfirmationtimeisthetimefromaunitenteringthedatabasetoreachingstability.Itdependsonhowoftenthewitnessespost,sincetoreachstabilityweneedtoaccumulateenoughwitness-authoredunitsontheMCafterthenewlyaddedunit.Tominimizetheconfirmationperiod,thewitnessesshouldpostfrequentlyenough(whichtheyarealreadyincentivizedtodoviacommissiondistributionrules)butnottoofrequently.Iftwoormorewitnessesissuetheirunitsnearlysimultaneously(fasterthanittypicallytakestopropagateanewunittootherwitnesses),thismaycauseunnecessarybranchingofthetreecomposedofbest-parentlinks,whichwoulddelaystability.Forthisreason,thebestconfirmationtimesarereachedwhenthewitnessesarewellconnectedandrunonfastmachinessothattheyareabletoquicklyvalidatenewunits.Weestimatethebestconfirmationtimestobearound30seconds;thisisonlyreachableiftheflowofnewunitsislargeenoughsothatthewitnessesearnmorefromwitnessingcommissionsthantheyspendforpostingtheirownunits.

Despitetheperiodoffullconfirmationbeingratherlong,anodethattrustsitspeerstodeliverallnewunitswithoutfilteringmaybereasonablysurethatonceaunitwasincludedbyatleastonewitness,plusatypicallatencyhaselapsed(thetimeittakesanewunittotravelfrompeertopeer),theunitwillmostlikelyreachfinalityandbedeemedvalid.Evenifadouble-spendappearslater,itwillbelikelyorderedafterthisunit.

15. PartitioningriskThenetworkofByteballnodescanneverbepartitionedintotwopartsthatwouldbothcontinueoperatingwithoutnoticing.Evenintheeventofaglobalnetworkdisruptionsuchasasub-AtlanticratcuttingthecablethatconnectsEuropeandAmerica,atleastoneofthesidesofthesplitwillnoticethatithaslostthemajorityofwitnesses,meaningthatitcan’tadvancethestabilitypoint,andnobodycanspendoutputsstuckintheunstablepartoftheMC.Evenifsomeonetriestosenda

20

double-spend,itwillremainunstable(andthereforeunrecognized)untiltheconnectionisrestored.Theotherpartofthesplitwherethemajorityofwitnesseshappenstobe,willcontinueasnormal.

16. CensorshipBydesign,itisalreadyimpossibletomodifyoreraseanypastrecordsinByteball.Itisalsoquitehardtostopanyparticulartypesofdatafromenteringthedatabase.

First,thedataitselfcanbeconcealedandonlyitshashbeactuallypostedtothedatabasetoprovethatthedataexisted.Thedatamayonlyberevealedafterthehashisstoredanditsunithasbeenincludedbyotherunitssothatithasbecomeunrevisable.

Second,evenwhenthedataisopen,thedecisiontoincludeornotincludeitinthedatabaseisdelegatedtonumerousanonymoususerswhomight(andinfactareincentivizedto)takethenewunitasaparent.Someonewhotriestocensorundesirableunitswillhavetonotonlyavoidincludingthemdirectly(asparents)butalsoindirectly,throughotherunits.(ThisisdifferentfromBitcoinwhereminersorminingpoolscan,anddo,filterindividualtransactionsdirectly.Besides,Bitcoinusershavenosayinwhoistobecomeaminer.)Asthenumberofunitswhichincludethe“offending”unitsnowballs,anyattempttoavoiditwouldentailcensoringoneself.Onlythemajorityofwitnessescaneffectivelyimposeforbiddencontentrules–ifuserschoosesuchwitnesses.

17. ChoosingwitnessesRelianceonwitnessesiswhatmakesByteballrootedintherealworld.Atthesametime,itmakesithighlydependentonhumandecisions.Thehealthofthesystemdependsonusersresponsiblysettingthelistsofwitnessestheydotrust.Thisprocesscannotbesafelyautomated,forexampleifmostusersstartauto-updatingtheirwitnessliststomatchthelistsofmostrecentlyobservedunits,justtobecompatible,thiscanbeeasilyexploitedbyanattackerwhofloodsthenetworkwithhisownunitsthatgraduallychangethepredominantwitnesslisttosomethingoftheattacker’schoosing.

Whilethemaximalistrecommendationcouldbe“onlyeditwitnesslistsmanually”,whichistooburdensomeformostusers,amorepracticalapproachtowitnesslistmanagementistrackingandsomehowaveragingthewitnesslistsofafew“captainsofindustry”whoeitherhaveinterestincaringforthenetworkhealthorwhohaveearnedagoodreputationinactivitiesnotnecessarilyconnectedwithByteball.Someofthemmaybeactingwitnessesthemselves.Unlikewitnesslists,thelistsofcaptainsofindustrydon’thavetobecompatible,andfailingtoupdatethelistfrequentlyenoughdoesn’thaveanyimmediatenegativeimplicationssuchasbeingunabletofindcompatibleparentsandpostanewunit.Weexpectthatmostuserswilluseoneofarelativelysmallnumberofmostpopularwallets,andsuchwalletswillbesetupbydefaulttofollowthewitnesslistofthewalletvendor,whointurnlikelywatchesthewitnesslistsofotherprominentplayers.

21

Witnessesalsohavetheirwitnesslists,anditisrecommendedthatuserselectthosewitnesseswhotheytrusttokeeptheirwitnesslistsrepresentativeofordinaryusers’beliefs.Thisisveryimportantbecausenochangetothepredominantwitnesslistcanpasswithoutapprovalofthemajorityofthecurrentwitnesses.Itisrecommendedthatwitnessesandwould-bewitnessespubliclydeclaretheirwitnesslistpolicy(suchasfollowingandaveragingwitnesslistsofotherreputableusers),andthatusersevaluatetheirfitnessforthejobbasedonthispolicy,amongotherfactors.Anybreachofthedeclaredpolicywillbeimmediatelyvisibleandwilllikelytriggerawitnessreplacementcampaign.Thesameistrueforanunjustifiedamendmenttothepolicy.Thepolicybindsthewitnessandmakeshimfollowpublicopinion,evenwhenitturnsagainstthewitnesshimselforhisfriends.

Asmentionedbefore,ourprotocolrulesrequirethat:1. bestparentisselectedonlyamongparentswhosewitnesslisthasnomore

than1mutation;2. thereshouldbenomorethan1mutationrelativetothewitnesslistofthe

lastballunit;3. thereshouldbenomorethan1mutationrelativetothewitnesslistsofall

theunstableMCunitsuptothelastballunit;4. thestabilitypointadvancesonlywhenthecurrentwitnesses(asdefinedin

thecurrentstabilitypoint)postenoughunitsafterthecurrentstabilitypoint.

Theserulesaredesignedtoprotectagainstmaliciousandaccidentalforks.Atthesametime,theyimplythatanychangesofthepredominantwitnesslisthavetobegradual,andeachstephastobeapprovedbythemajorityofthecurrentwitnesses.Aone-positionchangehastofirstreachstabilityandrecognitionofthemajorityofoldwitnessesbeforeanotherchangecanbeundertaken.Ifthecommunitydecidesabruptlythattwowitnessesneedtobereplacedimmediately,thenafteronechangemakesitswayontotheMC,thesecondchangewillbeblockedbyrule3aboveuntilthefirstchangereachesstability.

Despitealltherecommendationsaboveitisstillpossiblethatduetothenegligenceofindustryleaders,suchwitnessesareelectedwholaterformacartelandcollectivelyblockallattemptstoreplaceanyoneoftheminanattempttokeeptheprofitstheyareearningfromwitnessingcommissions.Iftheydobehavethisway,itwillbeevidenttoeverybodybecausetheirwitnesslistswillremainunchanged,whilethewitnesslistsofmostotherindustryleaderswilldifferbyonemutation(themaximumallowedtoremaincompatible).Iftheoldwitnessesdonotgiveindespitesuchevidentpressure,theonlyrecourseofthepro-changeusersisa“revolution”–i.e.tostartanewcointhatinheritsallthebalances,useraddresses,etcfromtheoldcoinatsomepointbutstartswithanewwitnesslistandaddsaspecialprotocolruletohandlethisincompatiblechangeatthemomentoftheschism.Todistinguishfromtheoldcoin,theywouldthenassignanewvaluetothe‘alt’field(thiswhat‘alt’isfor)anduseitinallunitsissuedunderthenewcoin.Asaresult,userswillholdtwocoins(theoldalt=”1”,andthenewe.g.alt=”2”)andwillbeabletospendbothindependently.Ifthesplitwasjustified,theoldcoinwillprobablybeabandoned,butallthedataaccumulatedpriortotheschismwillbeavailableasnormalinthenewcoin.Sincetheprotocolisalmost

22

identical(exceptfortherulethathandlestheschismandthechangeofalt),itwillbeeasytoupdatesoftwareinstalledonalluserandmerchantdevices.

Ifsomeonejustwantstostartanewcointoexperimentwithanothersetofprotocolrules,hecanalsousethe‘alt’fieldtoinheriteverythingfromtheoldcoin,maketheswitchcomfortableforusers,andhavealargesetofuserswithbalancesfromdayone.

18. SkiplistSomeoftheballscontainaskiplistarraywhichenablesfasterbuildingofproofsforlightclients(seebelow).OnlythoseballsthatliedirectlyontheMC,andwhoseMCindexisdivisibleby10,haveaskiplist.TheskiplistliststhenearestpreviousMCballswhoseindexhasthesameorsmallernumberofzerosattheend.Forexample,theballatMCI190hasaskiplistthatreferencestheballatMCI180.TheballatMCI3000hasaskiplistthatreferencestheballsatMCIs2990,2900,and2000.

19. LightclientsLightclientsdonotstoretheentireByteballdatabase.Instead,theydownloadasubsetofdatatheyareinterestedin,suchasonlytransactionswhereanyoftheuser’saddressesarespendingorbeingfunded.

Lightclientsconnecttofullnodestodownloadtheunitstheyareinterestedin.Thelightclienttellsthefullnodethelistofwitnessesittrusts(notnecessarilythesamewitnessesitusestocreatenewunits)andthelistofitsownaddresses.Thefullnodesearchesforunitsthelightclientisinterestedinandconstructsaproofchainforeachunitinthefollowingway:

1. WalkbackintimealongtheMCuntilthemajorityofrequestedwitnessesaremet.CollectalltheseMCunits.

2. Fromthelastunitinthisset(whichisalsotheearliestintime),readthelastball.

3. Startingfromthislastball,walkbackintimealongtheMCuntilanyballwithaskiplistismet.Collectalltheseballs.

4. Usingtheskiplist,jumptoanearlierballreferencedfromtheskiplist.Thisballalsohasaskiplist,jumpagain.Wherethereareseveralballsinskiplistarray,alwaysjumpbythelargestdistancepossible,soweacceleratejumpingfirstby10indexes,thenby100,thenby1000,etc.

5. Ifthenextjumpbytheskiplistwouldthrowusbehindthetargetball,deceleratebyjumpingbyasmallerdistance.Ultimately,leavetheskiplistandwalkalongtheMConeindexatatimeusingjustparentlinks.

Thischainhaswitness-authoredunitsinthebeginning,makingittrustworthyfromthelightclient’spointofview.Alltheelementsofthechainarelinkedbyeitherparentunitlinks(whileaccumulatingthewitnesses),orbylastballreference,orbyparentballlinks,orbyskiplistlinks.Attheendofthechain,wehavetheunitwhoseexistencewastobeproved.

23

20. MultilateralsigningAunitcanbesignedbymultipleparties.Insuchinstances,theauthorsarrayintheunithastwoormoreelements.

Thiscanbeuseful,forexample.iftwoormorepartieswanttosignacontract(aplainolddumbcontract,notasmartone).Theywouldbothsignthesameunitthatcontainsatextmessage(app=’text’).Theydon’thavetostorethefulltextofthecontractinthepublicdatabase,andpayforit–ahashwouldsuffice(payload_location=’none’),andthepartiesthemselvescanstorethetextprivately.

Anotherapplicationofmultilateralsigningisanexchangeofassets.AssumeuserAwantstosendassetXtouserBinexchangeforassetY(thenativecurrency‘bytes’isalsoanasset–thebaseasset).Thentheywouldcomposeaunitthatcontainstwopaymentmessages:onepaymentsendsassetXfromAtoB,theotherpaymentsendsassetYfromBtoA.Theybothsignthedual-authoredunitandpublishit.Theexchangeisatomic–thatis,eitherbothpaymentsexecuteatthesametimeorbothfail.Ifoneofthepaymentsappearstobeadouble-spend,theentireunitisrenderedinvalidandtheotherpaymentisalsodeemedvoid.

Thissimpleconstructionallowsuserstoexchangeassetsdirectly,withouttrustingtheirmoneytoanycentralizedexchanges.

21. AddressesUsersareidentifiedbytheiraddresses,transactionoutputsaresenttoaddresses,and,likeinBitcoin,itisrecommendedthatusershavemultipleaddressesandavoidreusingthem.Insomecircumstances,however,reuseisnormal.Forexample,witnessesareexpectedtorepeatedlypostfromthesameaddress.

Anaddressrepresentsadefinition,whichisaBooleanexpression(remotelysimilartoBitcoinscript).Whenausersignsaunit,healsoprovidesasetofauthentifiers(usuallyECDSAsignatures)which,whenappliedtothedefinition,mustevaluateittotrueinordertoprovethatthisuserhadtherighttosignthisunit.WewritedefinitionsinJSON.Forexample,thisisthedefinitionforanaddressthatrequiresoneECDSAsignaturetosign:["sig",{"pubkey":"Ald9tkgiUZQQ1djpZgv2ez7xf1ZvYAsTLhudhvn0931w"}]

Thedefinitionindicatesthattheowneroftheaddresshasaprivatekeywhosepubliccounterpartisgiveninthedefinition(inbase64encoding),andhewillsignallunitswiththisprivatekey.Theabovedefinitionevaluatestotrueifthesignaturegiveninthecorrespondingauthentifierisvalid,orotherwisefalse.Thesignatureiscalculatedoveralldataoftheunitexcepttheauthentifiers.

Givenadefinitionobject,thecorrespondingaddressisjustahashoftheinitialdefinitionobjectplusachecksum.Thechecksumisaddedtoavoidtypingerrors.Unlikeusualchecksumdesigns,however,thechecksumbitsarenotjustappendedtotheendoftheunchecksummeddata.Rather,theyareinsertedintomultiplelocationsinsidethedata.Thisdesignmakesithardtoinsertlongstringsofillegaldatainfieldswhereanaddressisexpected.Theaddressiswritteninbase32encoding.TheabovedefinitioncorrespondstoaddressA2WWHN7755YZVMXCBLMFWRSLKSZJN3FU.

24

Whenanaddressisfunded,thesenderofthepaymentknowsandspecifiesonlytheaddress(thechecksummedhashofthedefinition)inthepaymentoutput.Thedefinitionisnotrevealedanditremainsunknowntoanyonebuttheowneruntiltheoutputisspent.

Whenausersendshisfirstunitfromanaddress,hemustrevealitsdefinition(soastomakesignatureverificationpossible)intheauthorsarray:unit: {

… authors: [ {

address: 'DJ6LV5GPCLMGRW7ZB55IVGJRPDJPOQU6', definition: [

"sig", {"pubkey":"AsnvZ3w7N1lZGJ+P+bDZU0DgOwJcGJ51bjsWpEqfqBg6"}

], authentifiers: {

r: '3eQPIFiPVLRwBwEzxUR5thqn+zlFfLXUrzAmgemAqOk35UvDpa4h79Fd6TbPbGfb8VMiJzqdNGHCKyAjl786mw=='

} } ], …

}

Iftheusersendsasecondunitfromthesameaddress,hemustomitthedefinition(itisalreadyknownonByteball).Hecansendthesecondunitonlyafterthedefinitionbecomesstable,i.e.theunitwherethedefinitionwasrevealedmustbeincludedinthelastballunitofthesecondunit.

Userscanupdatedefinitionsoftheiraddresseswhilekeepingtheoldaddress.Forexample,torotatetheprivatekeylinkedtoanaddress,theuserneedstopostaunitthatcontainsamessagesuchas:unit: {

… messages: [

… {

app: "address_definition_change", definition_chash: "I4Z7KFNIYTPHPJ5CA5OFC273JQFSZPOX"

}, …

], …

}

Here,definition_chashindicatesthechecksummedhashofthenewaddressdefinition(whichisnotrevealeduntillater),andtheunititselfmustbesignedbytheoldprivatekeys.Thenextunitfromthisaddressmust:

• includethisaddress_definition_changeunitinitslastballunit,i.e.itmustbealreadystable;

• revealthenewdefinitionintheauthorsarrayinthesamewayasforthefirstmessagefromanaddress.

25

Afterthechange,theaddressisnolongerequaltothechecksummedhashofitscurrentdefinition.Rather,itremainsequaltothechecksummedhashofitsinitialdefinition.

Thedefinitionchangeisusefuliftheuserwantstochangethekey(s)(e.g.whenmigratingtoanewdevice)whilekeepingtheoldaddress,e.g.ifthisaddressalreadyparticipatesinotherlong-liveddefinitions(seebelow).

21.1. Definitionsyntax

21.1.1. LogicaloperatorsAdefinitioncaninclude“and”conditions,forexample:["and", [

["sig", {pubkey: "one pubkey in base64"}], ["sig", {pubkey: "another pubkey in base64"}]

]]

whichisusefulwhen,inordertosigntransactions,signaturesfromtwoindependentdevicesarerequired,forexample,fromalaptopandfromasmartphone.

“Or”conditions,suchasthis:["or", [

["sig", {pubkey: "laptop pubkey"}], ["sig", {pubkey: "smartphone pubkey"}], ["sig", {pubkey: "tablet pubkey"}]

]]

areusefulwhenauserwantstousethesameaddressfromanyofhisdevices.Theconditionscanbenested:

["and", [ ["or", [

["sig", {pubkey: "laptop pubkey"}], ["sig", {pubkey: "tablet pubkey"}]

]], ["sig", {pubkey: "smartphone pubkey"}]

]]

Adefinitioncanrequireaminimumnumberofconditionstobetrueoutofalargerset,forexample,a2-of-3signature:["r of set", {

required: 2, set: [

["sig", {pubkey: "laptop pubkey"}], ["sig", {pubkey: "smartphone pubkey"}], ["sig", {pubkey: "tablet pubkey"}]

] }]

(“r”standsfor“required”)whichfeaturesboththesecurityoftwomandatorysignaturesandthereliability,sothatincaseoneofthekeysislost,theaddressisstillusableandcanbeusedtochangeitsdefinitionandreplacethelost3rdkeywithanewone.

Also,differentconditionscanbegivendifferentweight,ofwhichaminimumisrequired:

26

["weighted and", { required: 50, set: [

{weight: 40, value: ["sig", {pubkey: "CEO pubkey"}] }, {weight: 20, value: ["sig", {pubkey: "COO pubkey"}] }, {weight: 20, value: ["sig", {pubkey: "CFO pubkey"}] }, {weight: 20, value: ["sig", {pubkey: "CTO pubkey"}] }

] }]

21.1.2. DelegationtootheraddressesAnaddresscancontainreferencetoanotheraddress:["and", [

["address", "ADDRESS 1 IN BASE32"], ["address", "ADDRESS 2 IN BASE32"]

]]

whichdelegatessigningtoanotheraddressandisusefulforbuildingsharedcontroladdresses(addressescontrolledbyseveralusers).Thissyntaxgivestheuserstheflexibilitytochangedefinitionsoftheirowncomponentaddresseswhenevertheylike,withoutbotheringtheotheruser.

21.1.3. SignaturesandauthentifiersInmostcases,adefinitionwillincludeatleastonesignature(directlyorindirectly):["sig", {pubkey: "pubkey in base64"}]

Insteadofasignature,adefinitionmayrequireapreimageforahashtobeprovided:["hash",{"hash":"value of sha256 hash in base64"}]

whichcanbeusefulforcross-chainexchangealgorithms[7].Inthiscase,thehashpreimageisenteredasoneoftheauthentifiers.

ThedefaultsignaturealgorithmisECDSAoncurvesecp256k1(sameasBitcoin).Initially,itistheonlyalgorithmsupported.Ifotheralgorithmsareaddedinthefuture,algorithmidentifierwillbeusedinthecorrespondingpartofthedefinition,suchasforthequantumsecureNTRUalgorithm:["sig", {algo: "ntru", pubkey: "NTRU public key in base64"}]

Multisignaturedefinitionsallowonetosafelyexperimentwithunprovensignatureschemeswhentheyarecombinedwithmoreconventionalsignatures.

Theauthentifiersobjectinunitheaderscontainssignaturesorotherdata(suchashashpreimage)keyedbythepathoftheauthentifier-requiringsubdefinitionwithintheaddressdefinition.Forasingle-sigaddresssuchas["sig", {pubkey: "pubkey in base64"}]

thepathissimply“r”(rstandsforroot).Iftheauthentifier-requiringsubdefinitionisincludedwithinanotherdefinition(suchasand/or),thepathisextendedbyanindexintothearraywherethissubdefinitionisincluded,andpathcomponentsaredelimitedbyadot.Forexample,foraddressdefinition:["and", [

["sig", {pubkey: "one pubkey in base64"}],

27

["sig", {pubkey: "another pubkey in base64"}] ]]

thepathsare“r.0”and“r.1”.Foradeepernesteddefinition:["and", [

["or", [ ["sig", {pubkey: "laptop pubkey"}], ["sig", {pubkey: "tablet pubkey"}]

]], ["sig", {pubkey: "smartphone pubkey"}]

]]

thepathsare“r.0.0”,“r.0.1”,and“r.1”.Whenthereareoptionalsignatures,suchas2-of-3,thepathstelluswhichkeyswereactuallyused.

21.1.4. DefinitiontemplatesAdefinitioncanalsoreferenceadefinitiontemplate:["definition template", [

"hash of unit where the template was defined", {param1: "value1", param2: "value2"}

]]

Theparametersspecifyvaluesofvariablestobereplacedinthetemplate.Thetemplateneedstobesavedbefore(andasusual,bestablebeforeuse)withaspecialmessagetypeapp=’definition_template’,thetemplateitselfisinmessagepayload,andthetemplatelookslikenormaldefinitionbutmayincludereferencestovariablesinthesyntax@param1,@param2.Definitiontemplatesenablecodereuse.Theymayinturnreferenceothertemplates.

21.1.5. CosigningAsubdefinitionmayrequirethattheunitbecosignedbyanotheraddress:["cosigned by", "ANOTHER ADDRESS IN BASE32"]

21.1.6. QueryingwhetheranaddresswasusedAnotherpossiblerequirementforasubdefinition:thatanaddresswasseenasauthorinatleastoneunitincludedintothelastballunit:["seen address", "ANOTHER ADDRESS IN BASE32"]

21.1.7. DatafeedsOneveryusefulconditioncanbeusedtomakequeriesaboutdatapreviouslystoredinByteball:["in data feed", [

["ADDRESS1", "ADDRESS2", …], "data feed name", "=", "expected value"

]]

Thisconditionevaluatestotrueifthereisatleastonemessagethathas"datafeedname"equalto"expectedvalue"amongthedatafeedmessagesauthoredbythelistedaddresses"ADDRESS1","ADDRESS2",..(oracles).Datafeedisamessagetypethatlookslikethis:unit: {

28

… messages: [

… {

app: "data_feed", payload_location: "inline", payload_hash: "hash of payload", payload: {

"data feed name": "value", "another data feed name": "value2", …

} }, …

], …

}

Datafieldscanbeusedtodesigndefinitionsthatinvolveoracles.Iftwoormorepartiestrustaparticularentity(theoracle)toprovidetruedata,theycansetupasharedcontroladdressthatgivesthepartiesdifferentrightsdependingondatapostedbytheoracle(s).Forexample,thisaddressdefinitionrepresentsabinaryoption:["or", [

["and", [ ["address", "ADDRESS 1"], ["in data feed", [["EXCHANGE ADDRESS"], "EURUSD", ">", "1.1500"]]

]], ["and", [

["address", "ADDRESS 2"], ["in data feed", [["TIMESTAMPER ADDRESS"], "datetime", ">", "2016-10-01 00:00:00"]]

]] ]]

Initially,thetwopartiesfundtheaddressdefinedbythisdefinition(toremoveanytrustrequirements,theyusemultilateralsigningandsendtheirstakesinasingleunitsignedbybothparties).TheniftheEUR/USDexchangeratepublishedbytheexchangeaddresseverexceeds1.1500,thefirstpartycansweepthefunds.Ifthisdoesn’thappenbeforeOct1,2016andthetimestampingoraclepostsanylaterdate,thesecondpartycansweepallfundsstoredonthisaddress.Ifbothconditionsaretrueandtheaddressbalanceisstillnon-empty,bothpartiescantrytotakethemoneyfromitatthesametime,andthedouble-spendwillberesolvedasusual.

Thecomparisonoperatorscanbe"=","!=",">",">=","<",and"<=".Thedatafeedmessagemustcomebeforethelastballunitasusual.Toreducetherisksthatariseincaseanysingleoraclesuddenlygoesoffline,severalfeedprovideraddressescanbelisted.

Anotherexamplewouldbeacustomerwhobuysgoodsfromamerchantbuthedoesn’tquitetrustthatmerchantandwantshismoneybackincasethegoodsarenotdelivered.Thecustomerpaystoasharedaddressdefinedby:["or", [

["and", [

29

["address", "MERCHANT ADDRESS"], ["in data feed", [["FEDEX ADDRESS"], "tracking", "=", "123456"]]

]], ["and", [

["address", "BUYER ADDRESS"], ["in data feed", [["TIMESTAMPER ADDRESS"], "datetime", ">", "2016-10-01 00:00:00"]]

]] ]]

ThedefinitiondependsontheFedExoraclethatpoststrackingnumbersofallsuccessfullydeliveredshipments.Iftheshipmentisdelivered,themerchantwillbeabletounlockthemoneyusingthefirstcondition.Ifitisnotdeliveredbeforethespecifieddate,thecustomercantakehismoneyback.

ThisexampleissomewhatcrazybecauseitrequiresFedExtoposteachandeveryshipment.

21.1.8. MerkledatafeedsForamorerealisticwaytoachievethesamegoal,thereisanothersyntax:["in merkle", [

["ADDRESS1", "ADDRESS2", …], "data feed name", "hash of expected value"

]]

whichevaluatestotrueifthespecifiedhashofexpectedvalueisincludedinanyofthemerklerootspostedinthedatafeedfromaddresses"ADDRESS1","ADDRESS2",…Usingthissyntax,FedExwouldonlyperiodicallypostmerklerootsofallshipmentscompletedsincethepreviousposting.Tospendfromthisaddress,themerchantwouldhavetoprovidethemerklepaththatprovesthatthespecifiedvalueisindeedincludedinthecorrespondingmerkletree.Themerklepathissuppliedasoneoftheauthentifiers.

21.1.9. Self-inspectionAdefinitioncanalsoincludequeriesabouttheunititself.Thissubdefinition['has', {

what: 'input'|'output', asset: 'assetID in base64 or "base" for bytes', type: 'transfer'|'issue', own_funds: true, amount_at_least: 123, amount_at_most: 123, amount: 123, address: 'INPUT OR OUTPUT ADDRESS IN BASE32'

}]

evaluatestotrueiftheunithasatleastoneinputoroutput(dependingonthe‘what’field)thatpassesallthespecifiedfilters,withallfiltersbeingoptional.

Asimilarcondition‘hasone’requiresthatthereisexactlyoneinputoroutputthatpassesthefilters.

The‘has’conditioncanbeusedtoorganizeadecentralizedexchange.Previously,wediscussedtheuseofmultilateralsigningtoexchangeassets.

30

However,multilateralsigningalonedoesn’tincludeanymechanismforpricenegotiation.Assumethatauserwantstobuy1,200unitsofanotherassetforwhichheiswillingtopaynomorethan1,000bytes.Also,heisnotwillingtostayonlineallthetimewhileheiswaitingforaseller.Hewouldratherjustpostanorderatanexchangeandletitexecutewhenamatchingsellercomesalong.Hecancreatealimitorderbysending1,000bytestoanaddressdefinedbythisdefinition:["or", [

["address", "USER ADDRESS"], ["and", [

["address", "EXCHANGE ADDRESS"], ["has", {

what: "output", asset: "ID of alternative asset", amount_at_least: 1200, address: "USER ADDRESS"

}] ]]

]]

Thefirstor-alternativeletstheusertakebackhisbyteswheneverhelikes,thuscancellingtheorder.Thesecondalternativedelegatestheexchangetherighttospendthefunds,providedthatanotheroutputonthesameunitpaysatleast1,200unitsoftheotherassettotheuser’saddress.Theexchangewouldpubliclylisttheorder,asellerwouldfindit,composeaunitthatexchangesassets,andmultilaterallysignitwiththeexchange.

Onecanalsousethe‘has’conditionforcollateralizedlending.Assumeaborrowerholdssomeilliquidassetandneedssomebytes(oranotherliquidasset).Theborrowerandalendercanthenmultilaterallysignaunit.Onepartoftheunitsendsthebytesheneedstotheborrower,theotherpartoftheunitlockstheilliquidassetintoanaddressdefinedby:["or", [

["and", [ ["address", "LENDER ADDRESS"], ["in data feed", [["TIMESTAMPER ADDRESS"], "datetime", ">", "2017-06-01 00:00:00"]]

]], ["and", [

["address", "BORROWER ADDRESS"], ["has", {

what: "output", asset: "base", amount: 10000, address: "LENDER ADDRESS"

}] ]], ["and", [

["address", "LENDER ADDRESS"], ["address", "BORROWER ADDRESS"]

]] ]]

Thefirstor-alternativeallowsthelendertoseizethecollateraliftheloanisnotpaidbackintime.Thesecondalternativeallowstheborrowertotakebackthe

31

collateralifhealsomakesapaymentof10,000bytes(theagreedloansizeincludinginterest)tothelender.Thethirdalternativeallowsthepartiestoamendthetermsiftheybothagree.

Thefollowingrequirementcanalsobeincludedinasubdefinition:['has equal', {

equal_fields: ['address', 'amount'], search_criteria: [

{what: 'output', asset: 'asset1', address: 'BASE32'}, {what: 'input', asset: 'asset2', type: 'issue', own_funds: true, address: 'ANOTHERBASE32'}

] }]

Itevaluatestotrueifthereisatleastonepairofinputsoroutputsthatsatisfythesearchcriteria(thefirstelementofthepairissearchedbythefirstsetoffilters;thesecondbythesecond)andsomeoftheirfieldsareequal.

Asimilarcondition‘hasoneequal’requiresthatthereisexactlyonesuchpair.

Anothersubdefinitionmaycomparethesumofinputsoroutputsfilteredaccordingtocertaincriteriatoatargetvalueorvalues:['sum', {

filter: { what: 'input'|'output', asset: 'asset or base', type: 'transfer'|'issue', own_funds: true, address: 'ADDRESS IN BASE32'

}, at_least: 120, at_most: 130, equals: 123

}]

21.1.10. NegationAnyconditionthatdoesnotinclude“sig”,“hash”,“address”,“cosignedby”,or“inmerkle”canbenegated:["not", ["in data feed", [["NOAA ADDRESS"], "wind_speed", ">", "200"]]]

Sinceitislegaltoselectveryoldparents(thatdidn’tseethenewerdatafeedposts),oneusuallycombinesnegativeconditionssuchastheabovewiththerequirementthatthetimestampisafteracertaindate.

21.2. GeneralrequirementsAddressdefinitionmusthaveatleastone“sig”,explicitlyorimplicitly(such

asthroughan“address”).Toavoidconsumingtoomanyresourcesforvalidation,thetotalnumberof

operationsislimitedto100perdefinition,includingoperationsinreferenceddefinitionssuchas“address”and“definitiontemplate”.

Thisnumberisoneofjust9arbitraryconstantsthatwehaveinByteball,theother8being:totalnumberofwitnesses:12;maxallowedmutations:1;maxnumberofMCindexesforawitnesstogetpaid:100;numberofparentscounted

32

forheadersize:2;maxnumberofmessagesperunit:128;maxnumberofinputsoroutputspermessage:128;maxnumberofauthorsperunit:16;andtotalmoneysupply:1015.Forcomparison,Bitcoinhasatleast17constants[8],whileEthereumdefines30constantsforfeeschedulealone[9].

Notethatthedefinitionlanguagedescribedaboveisdeclarativeandconsists

entirelyofBooleanstatements,whichputsitclosertothelanguageofconventionallegalcontracts.However,intermsofitsexpressivepower,thelanguagedoesnotcomeanywhereclosetoEthereumsmartcontractslanguage.Infact,itdoesn’tevenallowforatrivial‘Helloworld’programtobewritten.Thiswasnotourgoal.TheByteballdefinitionlanguagewasnotdesignedtobecomprehensive;rather,itisdesignedtobecomprehensibletothegreatestpossiblenumberofpeople,whoarenotnecessarilyprogrammers.Itsstraightforwardsyntaxallowseveryonetointerpretandcomposesimpledefinitionswithoutthehelpofadeveloper(a“lawyer”fortheeraofsmartcontracts),andchancesofmistakesareminimized.

22. ProfilesUserscanstoretheirprofilesonByteballiftheywant.Theyuseamessagelikethis:unit: {

… messages: [

…. {

app: "profile", payload_location: "inline", payload_hash: "hash of payload", payload: {

name: "Joe Average", emails: ["joe@example.com", "joe@domain.com"], twitter: "joe"

} }, …

], …

}

Theamountofdatatheydiscloseaboutthemselves,aswellasitsveracity,isuptotheusersthemselves.Tobeassuredthatanyparticularinformationaboutauseristrue,onehastolookforattestations.

23. AttestationsAttestationsconfirmthattheuserwhoissuedtheattestation(theattestor)verifiedsomedataabouttheattesteduser(thesubject).Attestationsarestoredinmessageslikethis:unit: {

… messages: [

33

… {

app: "attestation", payload_location: "inline", payload_hash: "hash of payload", payload: {

address: "ADDRESS OF THE SUBJECT" profile: {

name: "Joe Average", emails: ["joe@example.com"]

} }

}, …

], …

}

Theinformationincludedintheattestationneednotbethesameasinuser’sself-publishedprofile.Indeed,theself-publishedprofilemightnotevenexistatall.

Thejobofattestorsissimilartothatofmoderncertificationauthoritieswhoverifythereal-worldidentitiesofsubjectsandcertifythataparticularpublickey(orByteballaddress)doesbelongtoapersonororganization.WeexpectthemtocontinuethesameactivityinByteballandchargeafeefromthosewhowanttoprovealinkbetweentheirreal-worldandByteballidentities.Witnessesandwould-bewitnesseswilllikelywanttoreceivesomeattestationstoincreasetheirtrust.Certainassettypesmayrequireattestationstotransactwiththeasset(seebelow).

Forapplicationswhereanattestationisrequiredbutthenameofthesubjectisnotimportant,itispossibletoomitthenameorotherpersonallyidentifiableinformationintheattestedprofile.Theattestedprofilemayevennotincludeanymeaningfulinformationaboutthesubjectatall,thusleavinghimanonymoustoeverybodybuttheattestor.Theattestorwillstillkeeprecordsaboutthesubjectandmaydisclosethemundercertaincircumstances,asspecifiedintheattestor’stermsorifrequiredbylaw.

24. AssetsWehavedesignedadatabasethatallowsimmutablestorageofanydata.Ofallclassesofdata,themostinterestingforstorageinacommondatabasearethosethathavesocialvalue,i.e.thedatathatisvaluableformorethanoneortwousers.Onesuchclassisassets.Assetscanbeownedbyanybodyamongalargenumberofpeople,andthepropertiesofimmutabilityandtotalorderingofeventsthatwehaveinByteballareveryimportantforestablishingthevalidityoflongchainsofownershiptransfers.AssetsinByteballcanbeissued,transferred,andexchanged,andtheybehavesimilarlytothenativecurrency‘bytes’.Theycanrepresentanythingthathasvalue,forexampledebt,shares,loyaltypoints,airtimeminutes,commodities,otherfiatorcryptocurrencies.

Todefineanewasset,thedefiningusersendsamessagelikethis:unit: {

…

34

messages: [ … {

app: "asset", payload_location: "inline", payload_hash: "hash of payload", payload: {

cap: 1000000, is_private: false, is_transferrable: true, auto_destroy: false, fixed_denominations: false, issued_by_definer_only: true, cosigned_by_definer: false, spender_name_attested: true, attestors: [

"2QLYLKHMUG237QG36Z6AWLVH4KQ4MEY6", "X5ZHWBYBF4TUYS35HU3ROVDQJC772ZMG"

] }

}, …

], …

}

Here:• capisthemaximumamountthatcanbeissued.Forcomparisonwiththe

predefinednativecurrencybytes,thebytescapis1015;• is_privateindicatesiftheassetistransferredprivatelyorpublicly(see

below).Bytesarepublic;• is_transferrableindicatesiftheassetcanbetransferredbetweenthird

partieswithoutpassingthroughthedefineroftheasset.Ifnottransferrable,thedefinermustalwaysbeeithertheonlysenderortheonlyreceiverofeverytransfer.Bytesaretransferrable;

• auto_destroyindicatesiftheassetisdestroyedwhenitissenttothedefiner.Bytesarenotauto-destroyed;

• fixed_denominationsindicatesiftheassetcanbesentinanyintegeramount(arbitraryamounts)oronlyinfixeddenominations(e.g.1,2,5,10,20,etc),whichisthecaseforpapercurrencyandcoins.Bytesareinarbitraryamounts;

• issued_by_definer_onlyindicatesiftheassetcanbeissuedbydefineronly.Forbytes,theentiremoneysupplyisissuedinthegenesisunit;

• cosigned_by_definerindicatesifeverytransfermustbecosignedbythedefineroftheasset.Thisisusefulforregulatedassets.Transfersinbytesneedn’tbecosignedbyanybody;

• spender_attestedindicatesifthespenderhastobeattestedinordertospend.Ifhehappenedtoreceivetheassetbutisnotyetattested,hehastopassattestationwithoneoftheattestorslistedunderthedefinition,inordertobeabletospend.Thisrequirementisalsousefulforregulatedassets.Bytesdonotrequireattestation;

35

• attestorsisthelistofattestoraddressesrecognizedbytheassetdefiner(onlyifspender_attestedistrue).Thelistcanbelateramendedbythedefinerbysendingan‘asset_attestors’messagethatreplacesthelistofattestors;

• denominations(notshowninthisexampleandusedonlyforfixed_denominationsassets)listsallalloweddenominationsandtotalnumberofcoinsofeachdenominationthatcanbeissued;

• transfer_conditionisadefinitionofaconditionwhentheassetisallowedtobetransferred.Thedefinitionisinthesamelanguageastheaddressdefinition,exceptthatitcannotreferenceanythingthatrequiresanauthentifier,suchas“sig”.Bydefault,therearenorestrictionsapartfromthosealreadydefinedbyotherfields;

• issue_conditionisthesameastransfer_conditionbutforissuetransactions.Therecanbenomorethan1‘asset’messageperunit.Aftertheassetis

defined,itisidentifiedbythehashoftheunitwhereitwasdefined(hencethe1assetperunitrequirement).

Atransferofanassetlookslikeatransferofbytes,thedifferencebeingthatthereisanextrafieldfortheassetID:unit: {

… messages: [

… {

app: "payment", payload_location: "inline", payload_hash: "hash of payload", payload: {

asset: "hash of unit where the asset was defined", inputs: [

{ unit: "hash of source unit", message_index: 0, output_index: 1

}, …

], outputs: [

{ address: "BENEFICIARY ADDRESS", amount: 12345

}, …

] }

}, …

], …

}

Beforeitcanbetransferred,anassetiscreatedwhenausersendsanissuetransaction.Issuetransactionshaveaslightlydifferentformatforinputs:

36

unit: { … messages: [

… {

app: "payment", payload_location: "inline", payload_hash: "hash of payload", payload: {

asset: "hash of unit where the asset was defined", inputs: [

{ type: "issue", amount: 1000000, serial_number: 1, address: "ISSUER ADDRESS" // only when multi-authored

}, …

], outputs: [

{ address: "BENEFICIARY ADDRESS", amount: 12345

}, …

] }

}, …

], …

}

Theentiresupplyofcappedarbitrary-amountsassetsmustbeissuedinasingletransaction.Inparticular,allbytesareissuedinthegenesisunit.Iftheassetiscapped,theserialnumberoftheissuemustbe1.Ifitisnotcapped,theserialnumbersofdifferentissuesbythesameaddressmustbeunique.

Anassetisdefinedonlyonceandcannotbeamendedlater,onlythelistofattestorscanbeamended.

It’suptothedefineroftheassetwhatthisassetrepresents.Ifitisissuer’sdebt,itisreasonabletoexpectthattheissuerisattestedorwaiveshisanonymitytoearnthetrustofthecreditors.

Whileendusersarefreetouseornottouseanasset,assetdefinerscanimposeanyrequirementsontransactionsinvolvingtheasset.

Bycombiningvariousassetpropertiesthedefinercandeviseassetsthatsatisfyawiderangeofrequirements,includingthosethatregulatedfinancialinstitutionshavetofollow.Forexample,byrequiringthateachtransferbecosignedbythedefiner,financialinstitutionscaneffectivelyvetoallpaymentsthatcontradictanyregulatoryorcontractualrules.Beforecosigningeachpayment,thefinancialinstitution(whoisalsothedefinerandtheissuer)wouldcheckthattheuserisindeeditsclient,thattherecipientofthefundsisalsoaclient,thatbothclientshavepassedalltheKnowYourClient(KYC)procedures,thatthefundsare

37

notarrestedbyacourtorder,aswellascarryoutanyotherchecksrequiredbytheconstantlychanginglaws,regulations,andinternalrules,includingthosethatwereintroducedaftertheassetwasdefined.

24.1. BankissuedassetsHavingthesecurityofbeingfullycompliant(andalsoassuredinthefamiliardeterministicfinalityofallfundstransfers),bankscanissueassetsthatarepeggedtonationalcurrenciesandbackedbythebank’sassets(whichareproperlyauditedandmonitoredbythecentralbanks).Thelegalnatureofanyoperationswithsuchassetsisexactlythesameaswithallotherbankmoney,andisfamiliartoeverybody.TheonlynoveltyisthatthebalancesandtransfersaretrackedinByteballdatabaseinsteadofthebank’sinternaldatabase.BeingtrackedinByteballdatabasehastwoconsequences:

• (anotsowelcomeone)alloperationsarepublic,whichisfamiliarfromBitcoinandmitigatedbyusingmultiplesemi-anonymousaddressesofwhichonlythebankknowstherealpersonsbehindtheaddresses.Anothermorerobustwaytopreserveprivacyisprivatepayments,whichwe’lldiscusslater;

• (agoodone)thebank-issuedassetcanbeexchangedforbytesorotherassetson-chain,inapeer-to-peermanner,withouthavingtotrustanythirdpartiessuchasexchanges.

ThebanksherearesimilartoRipplegateways.Intheexchangescenarioabove,onelegoftheexchangeispaymentfromone

usertoanotheruserinabank-issuedasset.Ifbothusersareclientsofthesamebank,thisprocessisstraightforward.Whenusersholdaccountsatdifferentbanks,thebanksmayfacilitatetheinterbanktransfersbyopeningcorrespondentaccountsateachother.Let’sassumeuserU1wantstotransfermoneytouserU2incircumstanceswhereuserU1holdsanaccountatbankB1anduserU2holdsanaccountatbankB2.BankB2alsoopensanaccountatB1.U1thentransfersthemoneytoB2’saccountatB1(itisaninternalbanktransferwithinB1whichiscosignedbyB1).Atthesametime,B2(whichhasjustincreaseditsassetsatB1)issuesnewmoneytoitsuserU2.Allthismustbeatomic.Allthreeparticipants:(U1,B1,andB2)mustthereforesignasingleunitthatbothtransfersB1’smoneyfromU1toB2andissuesB2’smoneytoU2.

ThenetresultisthatU1decreasedhisbalanceatB1,U2increasedhisbalanceatB2,andB2increasedhisbalanceatB1.ThebankB1willalsohaveacorrespondentaccountatB2,thebalanceofwhichwillgrowasreversepaymentsareprocessedfromusersofB2tousersofB1.Themutualobligations(B1atB2andB2atB1)canbepartiallycancelledbythebanksmutuallysigningatransactionthatsendsequalamountstotherespectiveissuer(itisconvenienttohavethemoneyauto-destroyedbysendingittotheissuer).Whatisnotcancelledcanbeperiodicallysettledthroughtraditionalinterbankpayments.Totriggerthesettlement,thebankwithapositivenetbalancesendshisbalancetotheissuerbank,andsincethereisnoreversetransferinthesametransaction,thistriggersatraditionalpaymentinfiatmoneyfromtheissuertotheholderbank.

Whentherearemanybanks,settingupdirectcorrespondentrelationswitheachpeerbankcanbecumbersome.Insuchinstances,thebanksagreeabouta

38

centralcounterpartyC(alargememberbankoranewinstitution)andpassallpaymentsexclusivelythroughthiscentralcounterpartyandsettleonlywithit.ThesametransferfromU1toU2willthenconsistof3transactions:

1. U1sendsmoneytoC’saccountatB1;2. CissuesownmoneytoB2(orCdestroysB2’smoneyitheldbyreturningit

toB2);3. B2issuesitsownmoneytoU2.

All3transactionsarebundledintoasingleunitandsignedbyU1,B1(astherequiredcosignerforallU1’stransactions),C,andB2.

24.2. Non-financialassetsOtherapplicationsthatarenotnecessarilyfinancialcanuseByteballassetsinternally.Forexample,loyaltyprogramsmayissueloyaltypointsasassetsanduseByteball’sexistinginfrastructuretoallowpeopletotransactinthesepoints,includingpeer-to-peer(ifallowedbytheprogram’srules).Thesameistrueforgamedevelopers,whocantrackgameassetsonByteball.

24.3. BondsBusinessescanissuebondsonByteball.Thelegalstructureoftheissueisthesameasforconventionalbonds,theonlydifferencebeingthatthedepositorywillnowtrackbondownershipusingByteballratherthananinternaldatabase(similartobanksabove).HavingbondsinByteballenablestheirholderstotradedirectly,withoutacentralizedexchange.WhenbankmoneyisalsoonByteball,aninstantdeliveryversuspayment(afiatpaymentinthiscontext)becomespossible,withoutcounterpartyriskandwithoutanycentralinstitution.Thetitletothebondandpaymentareexchangedsimultaneouslyasthepartiessignthesameunitthatperformsbothtransfers.

Bonds,ifliquidenough,canalsobeusedbythirdpartiesasameansofpayment.

Whenabondisissued,theissuerandtheinvestorwouldmultilaterallysignacommonunitthatsendsthenewlyissuedbondstotheinvestorandatthesametimesendsbytes(oranotherassetusedtopurchasethebonds,suchasabank-issuedfiat-peggedasset)fromtheinvestortotheborrower.Whenthebondisredeemed,theysignanothermultilateralunitthatreversestheexchange(mostlikely,atadifferentexchangerate).Thepriceofthebondpaidduringredemptionisitsfacevalue,whilethepriceitissoldforwhenissuedmustbelowerthanthefacevaluetoreflectinterest(assumingzerocouponbondforsimplicity).Duringitslifetime,thesecondarymarketpriceofthebondstaysbelowfacevalueandgraduallyapproachesit.

Inagrowingeconomywheretherearemanyprojectstofinance,bondsandotherdebtissuedonByteballtofinanceinvestmentwillbeissuedmoreoftenthantheyareredeemed.Whentheeconomyslowsdown,thetotalsupplyofallbondsshrinks,astherearefewerprojectstofinance.Thus,thetotalsupplyofbondsselfregulates,whichisimportantiftheyareactivelyusedasameansofpayment.

Iftwobusinessestransactonnet-30terms,bothbuyerandsellerhavetheoptiontosecuritizethetradecreditduringthe30-dayperiod.Forexample,thebuyercanissue30-daybondsandusethemtopaythesellerimmediately.Thesellercantheneitherwaitforthe30daystopassandredeemthebonds,orusethe

39

bondsasameansofpaymenttoitsownsuppliers.Inthiscase,itwillbethesupplierswhoredeemthebondswhentheymature.

24.4. CommoditybondsBondscanbeissuedinnaturalunits,notjustincurrencies.Forexample,a100-barrelbondentitlesitsholdertoreceive100barrelsofoilwhenthebondmatures;a1kWhbondentitlestheholdertoreceive1kWhofelectricity.Theholdermayalsochoosetoreceivethemonetaryequivalentofthe100barrelsor1kWhatthepricethatiscurrentonthematuritydate.

Suchbonds(commoditybonds)areinfactveryusefulforhedgingrisks.Consideranewoilprojectthattakesmanyyearsandlargeinvestmentbeforeitevenstartscommercialoperation.Iffinancingissoughtonlyinnationalcurrencies,theprojectmayneverbefinancedbecauseofuncertainoilpricesatthetimethenewfacilitystartssellingoil.Thecreditorshavetoconsidertheriskthatthepricewillbetoolow,andasaresulttheborrowerwillhavetodefault.Creditorswanttheriskpricedintotheinterestrate,whichmeanstheinterestratebecomestoohigh,andtheprojectneverhappens.

However,iftheprojectoperatorcouldborrowinbarrels,theriskofdefaultdrasticallydecreases.Now,theprojectwilllikelystartasplannedandwilllikelyproducetheplannedvolumeofoil.Itwillhencebeabletoproduceandrepayalltheborrowedbarrelswithinthespecifiedtime.Therearestillotherrisks,butonehugerisk–themarketrisk–isremoved.Itisremovedfromtheborrowerbutshiftedtothelenderswhonowhavetoconsiderthechancesthatoilpricesgodownandtheyreceiveless(incurrencyterms)thaninvested.Ontheotherhand,ifthepricesgoup,thelendersgetadditionalprofitfromthepricedifference(notethatbyborrowinginbarrels,theborrowerwaivesthisupsidepotential),andtherearealwaysinvestorswillingtotakeapositioninacommodity.SincethebondistradedonByteball,thelenderscaneasilysellitwhenevertheylike.Unlikeoilfutures,whosetradingisazero-sumgame,theinvestmentincommoditybondsdoesfinancetheindustry.Also,oilfuturesareashort-terminstrument,whilecommoditybondsallowonetobuyandhold,whichismoresuitabletolongterminvestors.

Thereisanothercategoryofpotentiallenders–thosewhohedgeagainsttheoppositerisk.Forexample,airlineswouldliketohedgeagainstanincreaseofoilprices,andonewaytodothatisbybuyingcommoditybondsofoilproducingcompanies,whichoneexpectstocorrelatewithoilprices.

Theaboveistrueforanycommodity,e.g.electricity,ironore,gold,othermetals,crops,etc.

Fromtheborrower’sperspective,commoditybondscanbethoughtofasawaytosellfutureproductionattoday’sprices.Forthelender,itisawaytobuyfuturesuppliesattoday’sprices.

Ifasubstantialpartoftheeconomyrunsoncommoditybonds,theleveragecycleisnaturallysmoothedoutevenwithoutgovernmentinterventionsinceduringrecessionsfallingcommoditypricesautomaticallyreducetheamountofdebt.

40

24.5. FundsForindividualusers,itmightbedifficulttotrackthehugenumberofbondsthatareavailableonthemarket.Instead,theywouldratherchoosetoinvestinfundsthatareprofessionallymanagedandholdalargediversifiedportfolioofbonds.Thefundwouldissueitsownassetthattrackstheaggregatevalueofthefund’sportfolio.Everytimeaninvestorbuysanewlyissuedassetofthefund,thefundwouldusetheproceedstobuybonds.Whenauserexits,thefundsellssomeofthebondsitheldanddestroysthefund-issuedassetsreturnedbytheuser.Thefund’sassetisnotcapped;itstotalsupplyvariesasinvestorsenterandexit.ItsvalueiseasilyauditableasallthebondsheldbythefundarevisibleonByteball.Beingmoreliquidthantheunderlyingbonds,thefund’sassethashigherchancesofbecomingameansofpayment.

24.6. SettlementsAgroupofbankscanuseassetsforinterbanksettlements.Someofthelargerbanksissuefiat-peggedassetsthatcanonlybeusedbyattestedusers,andonlygroupmemberscanbeattested.Theassetisbackedbytheissuingbank’sreserves.Whenasmallerbankwantstosettlewithanothersmallerbank,itjustsendstheasset.Thereceivingbankcanusetheassetinthesamewaytosettlewithotherbanks,orredeemitforfiatcurrencywiththeissuingbank.ThebankscanalsoexchangeUSD-peggedassetsforEUR-peggedassetsorsimilar.Allsuchtransfersandtradesaresettledimmediately,theyarefinalandirrevocable.InSWIFT,banksexchangeonlyinformationaboutpayments,whiletheactualtransferofmoneyisaseparatestep.InByteball,informationismoney.

25. PrivatepaymentsSofar,wehaveconsideredonlypaymentsthataresentintheopen,i.e.theirpayloadsareincludedinlineandvisibletoeverybody.RememberthatByteballallowsthepostingofprivatepayloads:theuserkeepsthepayloadprivate(payload_location=’none’)butpostsonlyitshashtobeabletoprovethatthepayloadexistedataspecifictime.Toapplythattopayments,thesenderofthefundsalsoneedstosendtheprivatepayloadtotherecipientviaprivatecommunicationchannels.TherecipientwouldneedtolookupthepayloadhashinByteballtoconfirmthatitexisted.However,thatisnotenoughashavingconcealedthepayloadcontentfromotherByteballnodeswealsoremovedtheirabilitytoverifythatthesameoutputisnotspenttwice.Torestorethisability,weaddanadditionalpublicfieldintotheunit.Thisfieldiscalledspendproof,anditisconstructedinsuchwaythat:

• itdependssolelyontheoutputbeingconsumed,sothatanattempttospendthesameoutputagainwillproducethesamespendproof;

• itdoesn’trevealanythingabouttheoutputbeingspent.Itiseasytoseethatthisconstructionsatisfiestheaboverequirements:spend_proof = hash({

asset: payload.asset, unit: input.unit, message_index: input.message_index, output_index: input.output_index,

41

address: src_output.address, amount: src_output.amount, blinding: src_output.blinding

})

Here,payload.assetistheIDoftheassetbeingprivatelytransferred,inputreferstotheinputthatconsumesapreviousoutputsrc_output.Privateoutputsshouldhaveanextrafieldcalledblinding,whichisjustarandomstringdesignedtomakeitimpossibletopre-imagetheconsumedoutputknowingitsspendproof(alltheotherfieldscomefromarathernarrowsetofpossiblevaluesthatcanbeiteratedthroughwithinareasonabletimeframe).

Theabovespendproofconstructionappliestotransfers.Forissues:spend_proof = hash({

asset: payload.asset, address: "ISSUER ADDRESS", serial_number: input.serial_number, // always 1 for capped assets amount: input.amount, // issue amount denomination: 1 // always 1 for arbitrary-amounts payments

})

Notethatspendproofforissuetransactiondoesnotincludeanyblindingfactor.Assuchitispossibletolearnthatacoinwasissued,buttherecipientofthecoinisstillhiddenfromthirdparties.Also,fortransfertransactions,sincethepayerknowstheblindingfactor,hecancalculatethespendproofthat’llbepublishedwhenthecoinisspent.Thismeansthathecanknowwhenthepayeespendsthecoin,buthewillnotseetherecipient(s)northenewblindingfactor(s)–andhencewillnotbeabletotrackthecoinanyfurther.

Spendproofsareaddedintotheunit:unit: {

… spend_proofs: [

{ spend_proof: "the above hash in base64", address: "SPENDING ADDRESS" // only if multi-authored

}, …

], …

}

Thus,tosendaprivatepayment,thesendingusershould:• addarandomblindingfactortoeachoutput;• notpublishthepayloadbutsendittothepayeeprivately,alongwiththe

hashoftheunitwherethispayloadcanbefound;• foreachinput,addthecorrespondingspendproofintotheunit.

Allvalidatorsshouldrejectaunitiftheyseethesamespendproofpostedfromthesameaddressagain(providedthattheaddresspostsserially,ofcourse).Thepayeeshouldcheckthat(1)thepayloadhereceivedprivatelydoeshashtopayload_hashpostedtoByteballbythepayerand(2)thespendproofsderivedfromprivatepayloadinputsmatchthoseincludedintheunit.

42

Whenauserwhoreceivedaprivatepaymentwantstospenditsoutputs,hehastoforwardtheprivatepayloadshehasreceivedtothenewpayee,sothatthenewpayeecanverifytheentirechainofownershiptransfers(thehistory)backtothepointwheretheassetwasissued.Thelengthofthehistorywillgrowwitheachtransfer.

Notethatwiththeformatofpaymentwehaveconsideredsofar,eachunitcanmergeoutputsfromseveralpreviousunitsandproduceseveralnewoutputs(mostoften,two).Eachpreviousunit,inturn,dependsonseveralevenearlierunits,andeachoutputwillbelatersplitintoseveralnewoutputs.Therefore,thenumberoffutureunitsthathaveatleastsome“blood”oftheinitialunitgrowsexponentiallywithtime.Conversely,thenumberofancestorsthatcontributetotheunit’sinputsgrowsexponentiallywiththenumberofstepsbackinhistory.Toavoidsuchrapidgrowthofhistories,weneedtolimitthedivisibilityofthecoins,andthisiswhereanassettypewithfixed_denominationspropertysettotrueprovesuseful.

26. FixeddenominationsassetsAfixeddenominationsassetexistsasasetofindivisibleunmergeablecoins,verysimilartothemintedcoinsandbanknotesthateverybodyisfamiliarwith.

Theamountofeverycoinmustbeoneofasmallsetofalloweddenominations,whichshouldbeselectedsothatitisconvenienttorepresentanypracticalamountwithmaximumaccuracyandthesmallestnumberofcoins.Mostmoderncurrencysystemshavedenominationsthatfollowa1-2-5pattern:1,2,5,10,20,50,100,200,500,etc.ThispatternisalsorecommendedforfixeddenominationassetsonByteball.

Thecoinsareinitiallygroupedintopacks,similartopacksofpaperbanknotes.Thepackscanbesplitintosmallersubpacksorindividualcoins,butnotre-merged.Thismeansthateachtransfermusthaveexactlyoneinput(becausemergingisdisallowed),andoutputamountsmustbemultiplesofthecoindenomination(becausethedenominationisthesmallestindivisibleamount).

Eachtransaction,issueortransfer,dealswithcoinsofonlyonedenomination.Itcannotissueortransfercoinsofdifferentdenominationsatthesametime(buteachstorageunitcanincludemultiplesuchtransactions).Afixeddenominationstransactionhasalmostthesameformatasatransactionwitharbitrary-amountsassets,thedifferencebeingthatonlyoneinputisallowed,theamountsmustbemultiplesofoneofthedenominations,andadenominationfieldisadded:payload: {

asset: "hash of unit where the asset was defined", denomination: 100, inputs: [ // exactly one input

{ type: "issue", amount: 1000000, serial_number: 1, // always 1 for capped assets address: "ISSUER ADDRESS" // only when multi-authored

} ],

43

outputs: [ {

address: "BENEFICIARY ADDRESS", amount: 800 // multiple of 100

}, {

address: "CHANGE ADDRESS", amount: 999200 // multiple of 100

} ]

}

Iftheassetiscapped,theentiresupplyofeachdenominationmustbeissuedwithinasingletransaction.Thus,iftheassethase.g.16denominations,it’lltake16transactionstofullyissuetheasset.Iftheassetisnotcapped,theserialnumbersofdifferentissuesofthesamedenominationbythesameaddressmustbeunique.

Ifseveralcoinsneedtobeissuedortransferred(whichisusuallythecase),thepayerincludesseveralsuchmessagesinthesameunit.Fortransfers,thecoinisidentifiedbytheunit,messageindex,andoutputindexwhereitwaspreviouslytransferredtothecurrentowner.

Forprivatepayments,thepayloadgoesseparatelyandadditionallyhidestherecipientsofalloutputsexcepttheonethatismeantforthepayee:payload: {

asset: "hash of unit where the asset was defined", denomination: 200, inputs: [{

unit: "hash of source unit", message_index: 2, output_index: 0

}], outputs: [

{ output_hash: "hash of hidden part of output that includes address and blinding factor", amount: 800

}, …

] }

Theinformationthatisopenintheoutputsallowstherecipienttoverifythatthesumofalloutputsdoesmatchtheinput.Thesingleoutputthatismeantforthepayeeisrevealedtohimasfollows:output: {

address: "BENEFICIARY ADDRESS", blinding: "some random string"

}

Thisenablesthepayeetoverifytheoutput_hashaswellasconstructthefuturespendproofwhenhedecidestospendtheoutput.

InByteball,wehaveaprivatefixeddenominationsassetblackbytesthatisdefinedbytheseproperties:{

44

cap: 2,111,100,000,000,000, is_private: true, is_transferrable: true, auto_destroy: false, fixed_denominations: true, issued_by_definer_only: true, cosigned_by_definer: false, spender_name_attested: false, denominations: [

{denomination: 1, count_coins: 10,000,000,000}, {denomination: 2, count_coins: 20,000,000,000}, {denomination: 5, count_coins: 10,000,000,000}, {denomination: 10, count_coins: 10,000,000,000}, {denomination: 20, count_coins: 20,000,000,000}, {denomination: 50, count_coins: 10,000,000,000}, {denomination: 100, count_coins: 10,000,000,000}, {denomination: 200, count_coins: 20,000,000,000}, {denomination: 500, count_coins: 10,000,000,000}, {denomination: 1000, count_coins: 10,000,000,000}, {denomination: 2000, count_coins: 20,000,000,000}, {denomination: 5000, count_coins: 10,000,000,000}, {denomination: 10000, count_coins: 10,000,000,000}, {denomination: 20000, count_coins: 20,000,000,000}, {denomination: 50000, count_coins: 10,000,000,000}, {denomination: 100000, count_coins: 10,000,000,000}

] }

Notethatwehavedoublethenumberof2-denominationcoinsbecauseweneedthemmoreoften.Forexampleweneedtwo2sforamounts4(2+2)and9(5+2+2).

Spendproofsfortransfersandissuesofprivateindivisible(fixeddenominations)assetsareexactlythesameasforarbitrary-amountsassets,exceptthatforissuesthedenominationisnotnecessarily1.

Unlikedivisiblepayments,eachfixeddenominationcoinisnevermergedwithothercoins.Thereforewhenthecoinistransferredprivately,itshistorygrowslinearlywithtimeratherthanexponentially,andremainsmanageable(giventhatcomputingresourcessuchasstorage,bandwidth,andCPUpowercontinuegrowingexponentiallyfortheforeseeablefuture).

Asthehistorygrows,sodoestheexposureofprivatepayloadstothirdpartieswhoarefutureownersofthesamecoin.Asdiscussedpreviously,thegrowthisratherslow,andthevalueofprivatepayloadstoadversariesarguablydecreaseswithtime.However,oneshouldrememberthatlargemerchantsandexchangeswhosendandreceivemanypaymentseverydaywillprobablyaccumulateverylarge(butstillfragmented)histories.Oneshouldhencestillavoidaddressreuse,evenforprivatepayments.

Notethatinsomecasesthirdpartiescaninferimportantinformationevenfromprivatepayments.Forexample,aftermostpacksarealreadysplitintoindividualcoins,whenausersendsalargenumberofprivatepaymentmessagesinthesameunit,anobservermightarguethattheuserissendingcoinsofmaximumdenominationbecausetosendanamountthatissignificantlylargerthanthemaximumdenomination,onewouldprobablysendmultiplemaximumdenominationcoins.Fromthis,theobservermightinfertheapproximateamountofthetransfer(butnothingmore).Toavoidleakingsuchinformation,itis

45

recommendedtospreadlargeamountsacrossmultipleaddressesandtosendtheminseparateunits.

Thespendproofapproachthatwehavechosenisnottheonlyonepossible.Toprovetotherecipientthatthemoneyhereceiveshasnotbeenspentbefore,thepayercouldjustsendhimalltheprivatepayloadseversentfromhisaddress.Thepayeecouldthencheckeachoneandverifythattherearenodouble-spends.Wechosenottogothiswaybecauseitinvolvesunnecessaryprivacyleakageandaddscomplexitytothelightclientcode.Instead,wechosetosomewhatincreasespaceusagebutmaketheverificationsimpler.

27. TextsOnecanstorearbitrarytextsusing‘text’messagetype:unit: {

… messages: [

… {

app: "text", payload_location: "inline", payload_hash: "hash of payload", payload: "any text"

}, …

], …

}

Theinterpretationofthetextisuptotheauthorandhisintendedaudience;Byteballnodesdon’tvalidateitexcepttocheckthatitisastring.Onecouldusethismessagetype,forexample,tosendinerasabletweets.Thepayloadmaybeprivate,anditcanbeuseful,forexample,forstoringhashesofusers’intellectualpropertyorforstoringhashesofcontracttextsthatonlyafewpartiesneedtoknow.

28. ArbitrarystructureddataOnecanstorearbitrarystructureddatausing‘data’messagetype:unit: {

… messages: [

… {

app: "data", payload_location: "inline", payload_hash: "hash of payload", payload: {

key: "value", another_key: {

subkey: "other value", another_subkey: 232

}

46

} }, …

], …

}

Theinterpretationofthisdataisuptotheauthorandhispartnersthatneedtoseethedata,Byteballnodesdon’tvalidateitexcepttocheckthatitisanobject.Forexample,thismessagetypecanbeusedtopostEthereumcodeforthesubsetofnodeswhounderstandit,butrememberthattheycannotrejecttheunitevenifthecodeisinvalidbyEthereumrules.

Like‘payment’and‘text’,‘data’messagescanbeprivate,inwhichcaseonlyitshashisstored.ContinuingourEthereumexample,Ethereumcontractscanberunprivatelyifthecorrespondingspendproofsarealsodevisedwherenecessary.

29. VotingAnyonecansetupapollbysendingamessagewithapp=’poll’:unit: {

… messages: [

… {

app: "poll", payload_location: "inline", payload_hash: "hash of payload", payload: {

question: "Should the United Kingdom remain a member of the European Union or leave the European Union?", choices: ["Leave", "Remain"]

} }, …

], …

}

Tocastvotes,userssend‘vote’messages:unit: {

… messages: [

… {

app: "vote", payload_location: "inline", payload_hash: "hash of payload", payload: {

unit: "hash of the unit where the poll was defined", choice: "Leave"

} }, …

47

], …

}

Determiningwhichvotesqualifyisuptotheorganizerofthepoll.Byteballdoesn’tenforceanythingexceptthestipulationthatthechoicesarewithintheallowedset.Forexample,theorganizermightacceptonlyvotesfromattestedusersorvotesfromapredeterminedwhitelistofusers.Unqualifiedvoteswouldhencestillberecorded,butshouldbeexcludedbytheorganizerwhenhecountsthevotes.

Weightingthevotesandinterpretingresultsisalsouptotheorganizerofthepoll.Ifusersvotebytheirbalances,oneshouldrememberthattheycanmovethebalancetoanotheraddressandvoteagain.Suchvotesshouldbehandledproperly.

30. PrivatemessagingForprivatepaymentstowork,usersneedawaytosecurelydeliverprivatepayloadstoeachother.Users,orrathertheirdevices,alsoneedtocommunicatetoassemblesignaturesformulti-sigaddresses.

Sincewecannotexpectuserdevicestobeconstantlyonlineandeasilyreachable(mostofthemwillbebehindNAT),weneedastore-and-forwardintermediarythatisalwaysonline,easilyreachable,andabletotemporarilystoreanydataaddressedtoauserdevice.

InByteball,suchanintermediaryiscalledthehub,anditsoperationissimilartoemail.AhubisaByteballnodethatadditionallyoffersaserviceofstoringandforwardingprivatemessagestoconnecteddevices.Therecanbemanyhubs.Eachdevicethatrunsawalletcodesubscribestoahubofitschoice,andcanbereachedviathishub(thehomehub).Thechoiceofhomehubcanbechangedatanytime.Eachdevicehasapermanentprivatekeythatisuniquetothedevice.Thehashofthecorrespondingpublickey(moreprecisely,thehashofthesingle-sigdefinitionbasedonthispublickey)iscalledthedeviceaddress,anditiswritteninbase32likethepaymentaddresses.Thefulldeviceaddress,includingitscurrenthub,canbewrittenasDEVICEADDRESSINBASE32@hubdomainname.com.Ifthedevicemovestoanotherhub,thepartofitsfulladdressbefore@staysthesame.Unlikeemail,thenamecannotbealready“taken”.

Everydeviceconnectstoitshomehubusingwebsockets.Thehubsendsthenewmessagestothedeviceandthedevicestaysconnectedtothehub,sothatifanewmessagearriveswhilethedeviceisconnectedthenewmessageisdeliveredimmediately.Thehubdoesn’tkeepcopiesofthemessagesthatweresuccessfullyacceptedbythedevice.TheconnectiontothehubisTLSencrypted.

Whenadevicewantstosendsomethingtoanotherdevice,itconnectstotherecipient’shubandsendsthemessage.Unlikeemail,thereisnorelay–thesenderconnectsdirectlytotherecipient’shub.Allcommunicationbetweendevicesisend-to-endencryptedanddigitallysignedsothateventhehub(whoistheonlymaninthemiddle)cannotseeormodifyit.WeuseECDSAforsigningandECDH+AESforencryption.

Beforeexchangingencryptedmessagesthedevicesmustbepaired,i.e.learneachother’spublickey.Thiscanhappeninvariousways,e.g.byscanningaQR

48

codethatencodesthepublickeyandhubdomainnameofoneofthedevices,bysendingthisinformationoveremail,orbyclickingabyteball://linkonasecurewebsite.

Forforwardsecurity,everydevicegeneratesatemporaryprivatekeyanduploadsthecorrespondingpublickeytoitshomehub.Afterwards,thedevicerotatesthekeyfromtimetotimebutkeepsacopyofthepreviouskeyincasesomeonesentamessagetothepreviouskeywhilethehubwasreplacingit.Thehubkeepsonlyoneversionofthetemporarypublickeypersubscribeddevice.Thesendingdevicefollowsthesestepstosendamessage:

1. connectstotherecipient’shub;2. receivesthecurrenttemporarypublickeyoftherecipientfromthehub;3. generatesitsownone-timeephemeralkeypair;4. derivesECDHsharedsecretfromtherecipient’stemporarypublickeyand

ownephemeralprivatekey;5. AES-encryptsthemessageusingthissharedsecret;6. addsitsownephemeralpublickey;7. signsthepackagewithitsownpermanentkey;and8. sendsittothehub.Therecipientdeviceverifiesthesignature,derivesECDHsecretusingthe

peer’sephemeralpublickeyandowntemporaryprivatekey,anddecryptsthemessage.

Ifthesendingdevicefailstoconnecttotherecipient’shub,itencryptsthemessagetotherecipient’spermanentkey(thisencryptionisnotforwardsecuresinceitusesapermanentkey)andstorestheencryptedmessagelocallyforfutureretries.Thepurposeofthisencryptionistoavoidhavingunencryptedmessageslyingaround.Afterconnectiontotherecipient’shubsucceeds,thedevicesendsthisencryptedmessage,thusencryptingitagain(thistime,withforwardsecurity),sothemessageisdouble-encrypted.Notethatthisisnotbecausesingleencryptionisinsufficient,butbecausewedon’twanttostoreunencryptedcontentforanindefinitetimewhiletheconnectionsareretried.

Notethatthecommunicationisamongdevices,notusers.Usersmay(andarerecommendedto)holdseveraldevices,suchasalaptop,asmartphone,andatablet,andsetupmultisigaddresseswithredundancy(suchas2-of-3)thatdependonkeysstoredonmultipledevices.Whenauserneedstosignatransaction,heinitiatesitononeofhisdevices.Thisdevicethensendsthepartiallysignedtransactiontotheotherdevicesusingprivatemessages,collectsallthesignatures,andpublishesthetransaction.Theprivatekeysstoredoneachdeviceshouldneverleavethatdevice.Whentheuserreplacesoneofhisdevicesina2-of-3address,hejustusestheother2devicestochangetheaddressdefinitionandreplacethekeyoftheolddevicewiththekeyofanewdevice.

Theprivatemessagescanalsobeusedforencryptedtextingbetweendevices.Thesemessagesarestrictlypeer-to-peer,nevergointotheByteballdatabase,andcanbesafelydiscardedaftertheyareread.

Whenuserspayinblackbytesorotherprivateassets,theyhavetosendprivatepayloadsandabsolutelyneeddevicesthatcancommunicate.Theyneedtoknoweachother’sdeviceaddressesbeforetheyevenlearneachother’spaymentaddresses.Oncetheirdeviceshaveestablishedcommunication,thepayeecan

49

sendhispaymentaddresstothepayerviachatmessage.Suchapaymentscenarioalsomakesiteasytogenerateauniquepaymentaddressforeveryincomingpayment.Amerchantcanrunachatbotthatcommunicateswithusersviatextmessages.Whentheuserisreadytopaythebotgeneratesanewpaymentaddressandsendsittotheuserinachatmessage.

31. ConclusionWehaveproposedasystemfordecentralizedimmutablestorageofarbitrarydata,includingdataofsocialvaluesuchasmoney.Everynewunitofdataimplicitlyconfirmstheexistenceofallpreviousunits.Revisionofpastrecordssimilartothatin1984becomesimpossible,aseverynewunitalsoimplicitlyprotectsallpreviousunitsfrommodificationandremoval.Thereisaninternalcurrencythatisusedtopayforinclusionofdatainthedecentralizeddatabase.Thepaymentisequaltothesizeofthedatatobestored,andotherthanthispaymenttherearenorestrictionsonaccesstothedatabase.Otherassetscanalsobeissuedandtheirownershipcanbetrackedonthedatabase.Whentrackingpaymentsintheinternalcurrencyandotherassets,double-spendsareresolvedbychoosingtheversionofhistorythatwaswitnessedbyknownreputableusers.Settlementfinalityisdeterministic.Assetscanbeissuedwithanyrulesthatgoverntheirtransferability,allowingregulatedinstitutionstoissueassetsthatmeetregulatoryrequirements.Atthesametime,transferscanbehiddenfromthirdpartiesbysendingtheircontentprivately,directlyfrompayertopayee,andpublishingspendproofstoensurethateachcoinisspentonlyonce.

References1. QuotedfromWikipediahttps://en.wikipedia.org/wiki/Nineteen_Eighty-

Four.2. SatoshiNakamoto.Bitcoin:APeer-to-PeerElectronicCashSystem,

https://bitcoin.org/bitcoin.pdf,2008.3. SergioDemianLerner.DagCoin,

https://bitslog.files.wordpress.com/2015/09/dagcoin-v41.pdf,2015.4. SergueiPopov.TheTangle,http://iotatoken.com/IOTA_Whitepaper.pdf,

2016.5. TomHolden.Transaction-DirectedAcyclicGraphs,

https://bitcointalk.org/index.php?topic=1504649.0,2016.6. Linkedtimestamping,https://en.wikipedia.org/wiki/Linked_timestamping.7. Atomiccross-chaintrading,https://en.bitcoin.it/wiki/Atomic_cross-

chain_trading.8. https://github.com/bitcoin/bitcoin9. GavinWood.Ethereum:ASecureDecentralisedGeneralisedTransaction

Ledger,http://gavwood.com/Paper.pdf.