Byteball: A Decentralized System for Storage and Transfer of Value

Anton Churyumov
tonych@byteball.org

Abstract

Byteball is a decentralized system that allows tamper proof storage of arbitrary data, including data that represents transferrable value such as currencies, property titles, debt, shares, etc. Storage units are linked to each other such that each storage unit includes one or more hashes of earlier storage units, which serves both to confirm earlier units and establish their partial order. The set of links among units forms a DAG (directed acyclic graph). There is no single central entity that manages or coordinates admission of new units into the database, everyone is allowed to add a new unit provided that he signs it and pays a fee equal to the size of added data in bytes. The fee is collected by other users who later confirm the newly added unit by including its hash within their own units. As new units are added, each earlier unit receives more and more confirmations by later units that include its hash, directly or indirectly.

There is an internal currency called ‘bytes’ that is used to pay for adding data into the decentralized database. Other currencies (assets) can also be freely issued by anyone to represent property rights, debt, shares, etc. Users can send both bytes and other currencies to each other to pay for goods/services or to exchange one currency for another; the transactions that move the value are added to the database as storage units. If two transactions try to spend the same output (double-spend) and there is no partial order between them, both are allowed into the database but only the one that comes earlier in the total order is deemed valid. Total order is established by selecting a single chain on the DAG (the main chain) that is attracted to units signed by known users called witnesses. A unit whose hash is included earlier on the main chain is deemed earlier on the total order. Users choose the witnesses by naming the user-trusted witnesses in every storage unit. Witnesses are reputable users with real-world identities, and users who name them expect them to never try to double-spend. As long as the majority of witnesses behave as expected, all double-spend attempts are detected in time and marked as such. As witnesses-authored units accumulate after a user’s unit, there are deterministic (not probabilistic) criteria when the total order of the user’s unit is considered final.

Users store their funds on addresses that may require more than one signature to spend (multisig). Spending may also require other conditions to be met, including conditions that are evaluated by looking for specific data posted to the database by other users (oracles).

Users can issue new assets and define rules that govern their transferability. The rules can include spending restrictions such as a requirement for each transfer to be cosigned by the issuer of the asset, which is one way for financial institutions to comply with existing regulations. Users can also issue assets whose transfers are not published to the database, and therefore not visible to third parties. Instead, the information about the transfer is exchanged privately between users, and only a hash of the transaction and a spend proof (to prevent double-spends) are published to the database.


1. Introduction

In Orwell’s 1984, the protagonist Winston Smith works in the Records Department of the Ministry of Truth as an editor, revising historical records, to make the past conform to the ever-changing party line and deleting references to unpersons – people who have been "vaporised," i.e. not only killed by the state but denied existence even in history or memory [1]. What we present here is data storage that is not rewritable. It is a distributed decentralized database where records can neither be revised nor deleted entirely.

Bitcoin [2] was the first system to introduce tamper proof records designed for the specific purpose of tracking the ownership of electronic currency units known as bitcoins. In Bitcoin, all transfers of the currency are represented as transactions that are digitally signed by the current owner of the coin, transactions are bundled into blocks, and blocks are linked into a chain (blockchain) secured by proof of work (PoW) that assures that large computing resources have been invested into building the chain. Any attempt to rewrite anything contained in the chain would therefore require even larger computing resources than those that have already been expended.

Soon after Bitcoin appeared, it became clear that this was more than just a trust-free P2P electronic currency. Its technology became a source of new ideas for solving other problems. At the same time, Bitcoin’s deficiencies and limitations equally became clear. Byteball is designed to generalize Bitcoin to become a tamper proof storage of any data, not solely transfers of a single electronic currency, and remove some of the most pressing deficiencies that impede a wider adoption and growth of Bitcoin.

Blocks. In Bitcoin, transactions are bundled into blocks, and blocks are linked into a single chain. Since the blocks are linked linearly, their spacing in time and their size are optimized for near-synchrony among nodes, so that the nodes can share a new block with each other much faster than it typically takes to generate a new block. This ensures that nodes most likely see the same block as the last block, and orphaning is minimized. As Bitcoin grows, blocks become increasingly unwieldy. They are either capped in size, in which case the growth is also capped, or they take too long to propagate to all nodes of the network, in which case there is greater uncertainty about which block is last, and more resources are wasted on extending chains that would later be orphaned. In Byteball, there are no blocks, transactions are their own blocks, and they need not connect into a single chain. Instead a transaction may be linked to multiple previous transactions, and the whole set of transactions is not a chain but a DAG (directed acyclic graph). DAG-based designs have received much attention recently [3-5].

Cost. Bitcoin transactions are secure because it is prohibitively expensive to redo all the PoW included in the blocks created after the transaction. But that also means that it is necessary to pay to build the legitimate PoW that is strong enough to ward off any attackers. This payment is spent for the electricity required to build the PoW. What is important to note here, is that this money goes outside the Bitcoin ecosystem – to energy companies – meaning that the community of Bitcoin holders as a whole is bleeding capital. In Byteball, there is no PoW, instead we use another consensus algorithm based on an old idea that was known long before Bitcoin.

Finality. Transaction finality in Bitcoin is probabilistic. There are no strict and simple criteria for when you can say that a transaction will never be reversed. Rather, you can only argue that the probability of a transaction being reversed exponentially decays as more blocks are added. While this concept is perfectly clear to those versed in math, it might be a difficult sell to an average Joe who is used to expecting a black-or-white picture in matters of money ownership. To complicate things even further, transaction finality also depends on its amount. If the amount is small, you can be reasonably sure nobody will try to double-spend against you. However, if the amount at stake is greater than the block reward (12.5 BTC at the time of writing), you might speculate that the payer could temporarily rent hashpower to mine another chain of blocks that doesn’t contain the transaction that pays to you. Therefore, you have to wait for more confirmations before being sure enough that a high-value transaction is final. In Byteball, there are deterministic criteria for when a transaction is deemed final, no matter how large it was.

Exchange rate. The Bitcoin price is known to be quite volatile. The bigger problem is that this price is not only volatile, it is not bound to anything. Share and commodity prices are also very volatile but there are fundamentals behind them. Share price is largely a function of company earnings, revenue, debt-to-capital ratio, etc. Commodity prices depend, among other factors, on costs of production with various suppliers. For example, if the oil price falls below the production costs of some suppliers for a long time, these suppliers will eventually shut down, decreasing production and causing the price to go up. There is a negative feedback loop. In Bitcoin, there are no fundamentals, and no negative feedback. A Bitcoin price of $500 is no more justified than a price of $50,000 or $5. If the Bitcoin price moves from where it is now, this movement alone will not create any economic forces that would push the price back. It’s just wild. In Byteball, the base currency, bytes, is used to pay for adding data into the Byteball database. You pay 1,000 bytes to add 1 Kb of data. It is a measure of the utility of the storage in this database, and actual users will have their opinion on what is a reasonable price for this. If the price of a byte rises above what you think is reasonable for your needs, you will find ways to store fewer bytes, therefore you need to buy fewer bytes, demand decreases, and the price falls. This is negative feedback, common for all goods/services whose demand is driven by need, not speculation. Besides paying in bytes, one can issue other assets and use them as means of payment. These assets might represent, for example, debt expressed in fiat currencies or in natural units (such as kWh or barrels of oil). The price of such assets is naturally bound to the underlying currencies or commodities.

Privacy. All Bitcoin transactions and balances of all addresses are visible on the blockchain. Although there are ways to obfuscate one’s transactions and balances, it is not what people have come to expect from a currency. Transactions in bytes (the base currency) in Byteball are equally visible, but there is a second currency (blackbytes), which is significantly less traceable.

Compliance. Bitcoin was designed as an anonymous currency where people have absolute control over their money. That goal was achieved; however, it made Bitcoin incompatible with existing regulations, and hence inappropriate for use in the financial industry. In Byteball, one can issue assets with any rules that govern their transferability, from no restrictions at all, like Bitcoin, to anything like requiring every transfer to be cosigned by the issuer (e.g. the bank) or restricted to a limited set of whitelisted users.

2. Database structure

When a user wants to add data to the database, he creates a new storage unit and broadcasts it to his peers. The storage unit includes (among other things):

• The data to be stored. A unit may include more than one data package called a message. There are many different types of messages, each with its own structure. One of the message types is payment, which is used to send bytes or other assets to peers.

• Signature(s) of one or more users who created the unit. Users are identified by their addresses. Individual users may (and are encouraged to) have multiple addresses, like in Bitcoin. In the simplest case, the address is derived from a public key, again similar to Bitcoin.

• References to one or more previous units (parents) identified by their hashes.

References to parents is what establishes the order (only partial order so far) of units and generalizes the blockchain structure. Since we are not confined to one-parent–one-child relationships between consecutive blocks, we do not have to strive for near-synchrony and can safely tolerate large latencies and high throughputs: we’ll just have more parents per unit and more children per unit. If we go forward in history along parent-child links, we’ll observe many forks when the same unit is referenced by multiple later units, and many merges when the same unit references multiple earlier units (developers are already used to seeing this in git). This structure is known in graph theory as directed acyclic graph (DAG). Units are vertices, and parent-child links are the edges of the graph.

In the special case when new units arrive rarely, the DAG will look almost like a chain, with only occasional forks and quick merges.

Figure 1. Storage units connected into a DAG. Arrows are from child to parent, G is the genesis unit.


Like in blockchains where each new block confirms all previous blocks (and transactions therein), every new child unit in the DAG confirms its parents, all parents of parents, parents of parents of parents, etc. If one tries to edit a unit, he will also have to change its hash. Inevitably, this would break all child units who reference this unit by its hash as both signatures and hashes of children depend on parent hashes. Therefore, it is impossible to revise a unit without cooperating with all its children or stealing their private keys. The children, in turn, cannot revise their units without cooperating with their children (grandchildren of the original unit), and so on. Once a unit is broadcast into the network, and other users start building their units on top of it (referencing it as parent), the number of secondary revisions required to edit this unit hence grows like a snowball. That’s why we call this design Byteball (our snowflakes are bytes of data).

Unlike blockchains where issuing a block is a rare event and only a privileged caste of users is in practice engaged in this activity, a new Byteball unit starts accumulating confirmations immediately after it is released and confirmations can come from anyone, every time another new unit is issued. There is no two-tier system of ordinary users and miners. Instead, users help each other: by adding a new unit its author also confirms all previous units.

Unlike Bitcoin, where an attempt to revise a past transaction requires a large computational effort, an attempt to revise a past record in Byteball requires coordination with a large and growing number of other users, most of whom are anonymous strangers. The immutability of past records is therefore based on the sheer complexity of coordinating with such a large number of strangers, who are difficult to reach, have no interest in cooperation, and where every single one of them can veto the revision.

By referencing its parents, a unit includes the parent. It doesn’t include the full content of the parent; rather, it depends on its information through the parent’s hash. In the same way, the unit indirectly depends on and therefore includes the parents of the parent, their parents, and so on, and every unit ultimately includes the genesis unit.

There is a protocol rule that a unit cannot reference redundant parents – that is, parents such that one parent includes another. For example, if unit B references unit A, then unit C cannot reference both units A and B at the same time. A is already, in a way, contained within B. This rule removes unnecessary links that don’t add any new useful connectivity to the graph.

3. Native currency: bytes

Next, we need to introduce some friction to protect against spamming the database with useless messages. The barrier to entry should roughly reflect the utility of storage for the user and the cost of storage for the network. The simplest measure for both of these is the size of the storage unit. Thus, to store your data in the global decentralized database you have to pay a fee in internal currency called bytes, and the amount you pay is equal to the size of data you are going to store (including all headers, signatures, etc). Similar to pound sterling, which was equal to one pound of silver when it was first introduced, the name of the currency reflects its value.

To keep the incentives aligned with the interests of the network, there is one exception in size calculation rules. For the purposes of calculating unit size, it is assumed that the unit has exactly two parents, no matter the real number. Therefore, the size of two hashes of parent units is always included in the unit size. This exception ensures that users will not try to include just one parent in an effort to minimize cost. The cost is the same no matter how many parents are included.

To keep the DAG as narrow as possible, we incentivize users to include as many parents as possible (as mentioned before, this does not negatively affect payable size), and as recent parents as possible, by paying part of the unit’s fees to those who are first to include it as a parent. We’ll define later what exactly is ‘first’.

Bytes can be used not only for payment of storage fees (also called commissions), but also can be sent to other users to pay for goods or services or in exchange for other assets. To send a payment, the user creates a new unit that includes a payment message such as the following (from now on, we use JSON to describe data structures):

    {
        inputs: [
            {
                unit: "hash of input unit",
                message_index: 2, // index of message where this utxo was created
                output_index: 0 // index of output where this utxo was created
            },
            …
        ],
        outputs: [
            {
                address: "RECEIVER ADDRESS",
                amount: 15000 // in bytes
            },
            …
        ]
    }

The message contains:

• An array of outputs: one or more addresses that receive the bytes and the amounts they receive.

• An array of inputs: one or more references to previous outputs that are used to fund the transfer. These are outputs that were sent to the author address(es) in the past and are not yet spent.

The sum of inputs should be equal to the sum of outputs plus commissions (input amounts are read from previous outputs and are not explicitly indicated when spending). The unit is signed with the author’s private keys.

The total number of bytes in circulation is 10^15, and this number is constant. All bytes are issued in the genesis unit, then transferred from user to user. Fees are collected by other users who help to keep the network healthy (more details about that later), so they stay in circulation. The number 10^15 was selected as the largest round integer that can be represented in JavaScript. Amounts can only be integers. Larger units of the currency are derived by applying standard prefixes: 1 kilobyte (Kb) is 1,000 bytes, 1 megabyte (Mb) is 1 million bytes, etc.


4. Double-spends

If a user tries to spend the same output twice, there are two possible situations:

1. There is partial order between the two units that try to spend the same output, i.e. one of the units (directly or indirectly) includes the other unit, and therefore comes after it. In this case, it is obvious that we can safely reject the later unit.

2. There is no partial order between them. In this case, we accept both. We establish a total order between the units later on, when they are buried deep enough under newer units (see below how we do it). The one that appears earlier on the total order is deemed valid, while the other is deemed invalid.

There is one more protocol rule that simplifies the definition of total order. We require that if the same address posts more than one unit, it should include (directly or indirectly) all its previous units in every subsequent unit, i.e. there should be partial order between consecutive units from the same address. In other words, all units from the same author should be serial.

If someone breaks this rule and posts two units such that there is no partial order between them (nonserial units), the two units are treated like double-spends even if they don’t try to spend the same output. Such nonserials are handled as described in situation 2 above.

If a user follows this rule but still tries to spend the same output twice, the double-spends become unambiguously ordered and we can safely reject the later one as in situation 1 above. The double-spends that are not nonserials at the same time are hence easily filtered out.

This rule is in fact quite natural. When a user composes a new unit, he selects the most recent other units as parents of his unit. By putting them on his parents list, he declares his picture of the world, which implies that he has seen these units. He has therefore seen all parents of parents, parents of parents of parents, etc up until the genesis unit. This huge set should obviously include everything that he himself has produced, and therefore has seen.

By not including a unit (even indirectly, through parents) the user denies that he has seen it. If we see that by not including his own previous unit a user denies having seen it, we’d say it’s odd, something fishy is going on. We discourage such behavior.

Figure 2. Double-spends. There is no partial order between them.
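The inclusion relation behind the redundant-parents rule of section 2 and the two double-spend situations of this section can be checked mechanically. The JavaScript below is an added example, not code from the paper or the Byteball project; the unit ids, author names and the small DAG are constructed, and each unit is assumed to have a single author.

```javascript
// Constructed sample DAG (not real Byteball data). A unit id stands in for the
// unit hash; each unit is assumed to have a single author.
const units = new Map();
function addUnit(id, author, parents, spends = []) {
  units.set(id, { id, author, parents, spends });
}

// True if `later` includes `earlier` directly or indirectly, i.e. `earlier`
// is reachable from `later` along child-to-parent links.
function includes(later, earlier) {
  const stack = [...units.get(later).parents];
  const seen = new Set();
  while (stack.length) {
    const id = stack.pop();
    if (id === earlier) return true;
    if (seen.has(id)) continue;
    seen.add(id);
    stack.push(...units.get(id).parents);
  }
  return false;
}

// Section 2 rule: a parent is redundant if another listed parent includes it.
function redundantParents(parents) {
  return parents.filter(p => parents.some(q => q !== p && includes(q, p)));
}

// Section 4: classify every pair of units posted by the same author.
function findConflicts() {
  const list = [...units.values()];
  const found = [];
  for (let i = 0; i < list.length; i++) {
    for (let j = i + 1; j < list.length; j++) {
      const a = list[i], b = list[j];
      if (a.author !== b.author) continue;
      const sameOutput = a.spends.some(s => b.spends.includes(s));
      const aLater = includes(a.id, b.id), bLater = includes(b.id, a.id);
      if (!aLater && !bLater) {
        // Situation 2: nonserial units, both accepted, total order decides later.
        found.push({ kind: 'nonserial', units: [a.id, b.id], sameOutput });
      } else if (sameOutput) {
        // Situation 1: ordered double-spend, the later unit is rejected.
        found.push({ kind: 'ordered', keep: aLater ? b.id : a.id, reject: aLater ? a.id : b.id });
      }
    }
  }
  return found;
}

addUnit('G', 'genesis', []);
addUnit('A1', 'alice', ['G'], ['G:0:0']);
addUnit('B1', 'bob', ['G']);
addUnit('A2', 'alice', ['A1', 'B1'], ['G:0:0']);   // serial, but re-spends G:0:0
addUnit('C1', 'carol', ['G'], ['G:0:1']);
addUnit('C2', 'carol', ['B1'], ['G:0:1']);         // does not include C1
addUnit('D1', 'dave', ['A1']);
addUnit('D2', 'dave', ['B1'], ['G:0:2']);          // nonserial without a shared output

const conflicts = findConflicts();
console.log(redundantParents(['A1', 'G']), conflicts);
```

The nonserial pairs are only flagged here; choosing the valid one requires the total order built in the following sections.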

5. The main chain

Our DAG is a special DAG. In normal use, people mostly link their new units to slightly less recent units, meaning that the DAG grows only in one direction. One can picture it as a thick cord with many interlaced wires inside. This property suggests that we could choose a single chain along child-parent links within the DAG, and then relate all units to this chain. All the units will either lie directly on this chain, which we’ll call the main chain, or be reachable from it by a relatively small number of hops along the edges of the graph. It’s like a highway with connecting side roads.

One way to build a main chain is to develop an algorithm that, given all parents of a unit, selects one of them as the “best parent”. The selection algorithm should be based only on knowledge available to the unit in question, i.e. on data contained in the unit itself and all its ancestors. Starting from any tip (a childless unit) of the DAG, we then travel backwards in history along the best parent links. Traveling this way, we build a main chain and eventually arrive at the genesis unit. Note that the main chain built starting from a specific unit will never change as new units are added. This is because on each step we are traveling from child to parent, and an existing unit can never acquire new parents.

If we start from another tip, we’ll build another main chain. Of note here is that if those two main chains ever intersect while they go back in history, they will both go along the same path after the intersection point. In the worst case, the main chains will intersect only in genesis. Given that the process of unit production is not coordinated among users, however, one might expect to find a class of main chains that do converge not too far from the tips.

Once we have a main chain (MC), we can establish a total order between two conflicting nonserial units. Let’s first index the units that lie directly on the main chain. The genesis unit has index 0, the next MC unit that is a child of genesis has index 1, and so on; traveling forward along the MC we assign indexes to units that lie on the MC. For units that do not lie on the MC, we can find an MC index where this unit is first included (directly or indirectly). In such a way, we can assign an MC index (MCI) to every unit.

Figure 3. Main chains built from different childless units intersect and then go along the same path. Of the two double-spends, the one with the lower main chain index (5) wins, while the other (with MCI=6) is deemed invalid.

Then, of the two nonserials, the one that has a lower MCI is considered to come earlier and deemed valid, while the other is invalid. If both nonserials happen to have the same MCI, there is a tiebreaker rule that the unit with the lower hash value (as represented in base64 encoding) is valid. Note that we keep all versions of the double-spend, including those that eventually lose. DagCoin [3] was the first published work that suggested storing all conflicting transactions and deciding which one to treat as valid.

The MC built from a specific unit tells us what this unit’s author thinks about the order of past events, i.e. his point of view about the history. The order then implies which nonserial unit to consider valid, as described above. Note that by choosing the best parent among all parents of a given unit, we are simultaneously making a choice among their MCs: the MC of the unit in question will be the MC of its best parent extended forward by one link.

Recognizing that many (or even all) parent units might be created by an attacker, and remembering that the choice of best parent is essentially the choice among versions of history, we should require from our best parent selection algorithm that it favors histories that are “real” from the point of view of the child unit. We hence need to devise a “reality test” that our algorithm would run against all candidate MCs to select the one that scores best.

6. Witnesses

Looking for a “reality test”, observe that some of the participants of our network are non-anonymous reputable people or companies who might have a long established reputation, or they are businesses interested in keeping the network healthy. We’ll call them witnesses. While it is reasonable to expect them to behave honestly, it is also unreasonable to totally trust any single witness. If we know the Byteball addresses of several witnesses, and also expect them to post frequently enough, then to measure the reality of a candidate MC one might travel along the MC back in time and count the witness-authored units (if the same witness is encountered more than once, he is not counted again). We would stop traveling as soon as we had encountered the majority of witnesses. We would then measure the length of the longest path on the graph from the point at which we stopped to the genesis. We’ll call this length the level of the unit where we stopped, and the witnessed level of the parent whose MC we are testing. The candidate MC that yields the greater witnessed level is considered more “real”, and the parent bearing this MC is selected as best parent. In case there are several contenders with a maximum witnessed level, we would select the parent whose own level is the lowest. If the tie persists, we would select the parent with the smallest unit hash (in base64 encoding).

This algorithm allows the selection of the MC that gravitates to units authored by witnesses, and the witnesses are considered to be representative of reality. If, for example, an attacker forks from the honest part of the network and secretly builds a long chain of his own units (shadow chain), one of them containing a double-spend, and later merges his fork back into the honest DAG, the best parent selection algorithm at the merger point will choose the parent that drives the MC into the honest DAG, as this is where the witnesses were active. The witnesses were not able to post into the shadow chain simply because they didn’t see it before the merger. This selection of MC reflects the order of events as seen by the witnesses and the user who appointed them. After the attack is over, the entire shadow chain will land on the MC at one point, and the double-spend contained in the shadow chain will be deemed invalid because its valid counterpart comes earlier, before the merger point.

This example shows why the majority of witnesses has to be trusted to post only serially. The majority should not collude with the attacker and post on his shadow chain. Note that we trust the witnesses only to be signs of reality and to not post nonserial units on any shadow chains. We are not giving any of them control over the network or any part thereof. Even for this small duty, it is users who appoint the witnesses and they can change their decisions at any time.
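The best-parent selection by witnessed level, the MC indexing and the shadow-chain outcome described above can be traced in code. This JavaScript is an added example, not code from the paper or the Byteball project; it assumes a reduced witness list of three addresses shared by every unit, unit ids in place of hashes, and a constructed DAG.

```javascript
// Constructed scenario (not real Byteball data). Assumptions: a reduced witness
// list of 3 addresses shared by every unit (the paper requires 12), unit ids
// standing in for hashes, and units added parents-first.
const WITNESSES = ['W1', 'W2', 'W3'];
const MAJORITY = Math.floor(WITNESSES.length / 2) + 1;
const units = new Map();

// Walk back along the unit's own MC (best-parent links), counting distinct
// witnesses; the level of the unit where the majority is reached is the
// witnessed level. Reaching genesis first yields level 0 (assumption).
function witnessedLevel(unit) {
  const seen = new Set();
  for (let u = unit; ; u = units.get(u.bestParent)) {
    if (WITNESSES.includes(u.author)) seen.add(u.author);
    if (seen.size >= MAJORITY || u.bestParent === null) return u.level;
  }
}

// Greatest witnessed level, then lowest own level, then smallest id (hash).
function pickBestParent(parents) {
  const ranked = parents.map(id => units.get(id)).sort((a, b) =>
    b.witnessedLevel - a.witnessedLevel || a.level - b.level || (a.id < b.id ? -1 : 1));
  return ranked[0].id;
}

function addUnit(id, author, parents, spends = []) {
  const unit = { id, author, parents, spends, level: 0, bestParent: null };
  if (parents.length) {
    // level = length of the longest path to genesis
    unit.level = 1 + Math.max(...parents.map(p => units.get(p).level));
    unit.bestParent = pickBestParent(parents);
  }
  unit.witnessedLevel = witnessedLevel(unit);
  units.set(id, unit);
}

// Main chain seen from `tip`, listed genesis first.
function mainChain(tip) {
  const mc = [];
  for (let id = tip; id !== null; id = units.get(id).bestParent) mc.push(id);
  return mc.reverse();
}

// MCI of a unit = index of the first MC unit that includes it.
function assignMci(mc) {
  const mci = new Map();
  mc.forEach((mcUnit, index) => {
    const stack = [mcUnit];
    while (stack.length) {
      const id = stack.pop();
      if (mci.has(id)) continue;
      mci.set(id, index);
      stack.push(...units.get(id).parents);
    }
  });
  return mci;
}

// Of two nonserial units the lower MCI is valid; equal MCIs fall back to the lower id.
function validOf(a, b, mci) {
  return [a, b].sort((x, y) => mci.get(x) - mci.get(y) || (x < y ? -1 : 1))[0];
}

addUnit('G', 'genesis', []);
addUnit('pay', 'attacker', ['G'], ['G:0:0']);       // payment shown to the recipient
addUnit('h1', 'W1', ['pay']);
addUnit('h2', 'W2', ['h1']);
addUnit('h3', 'W3', ['h2']);
addUnit('h4', 'W1', ['h3']);
addUnit('s1', 'attacker', ['G'], ['G:0:0']);        // double-spend on the shadow chain
for (let i = 2; i <= 6; i++) addUnit('s' + i, 'attacker', ['s' + (i - 1)]);
addUnit('merge', 'attacker', ['h4', 's6']);         // shadow chain rejoins the DAG

const mc = mainChain('merge');
const mci = assignMci(mc);
const winner = validOf('pay', 's1', mci);
console.log(mc.join(' <- '), '| valid spend:', winner);
```

The shadow chain is longer than the honest branch (level 6 against 5), yet it carries no witness units, so its witnessed level stays at 0 and the whole chain receives the MCI of the merge unit.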

The idea of looking at some known entity as a sign of reality is not new. It has long been known, and some companies have engaged in such activity, that to prove that some data existed before a specific date, one can hash the data and publish the hash in some hard-to-modify and widely witnessed media, like printed newspaper [6]. Witnesses in Byteball serve the same function as the newspaper. Like newspapers, they are well known and trusted. As for newspapers where trust is limited to trusting them to publish the data they are given, witnesses in Byteball are only trusted to post serially, and not much more. Like newspapers, witnesses don’t know what’s behind the hashes they are witnessing and have few reasons to care. Newspapers are hard to modify (but possible, and in 1984 they do it), while everything produced by witnesses is protected by digital signatures, which makes any modifications impossible. For reliability, we have several witnesses, not just one, and for speed and convenience, these are online.

Figure 4. When an attacker rejoins his shadow DAG into the lit DAG, his units lose competition to become best parent as the choice favors those paths that have more witnesses (marked with w).

Having decided on a list of witnesses, we can then select the best parent and the corresponding history that best fits the definition of reality as “somewhere where these witnesses live”. At the same time, the parents themselves might have different witness lists and consequently different definitions of reality. We want the definitions of reality, and histories that follow from them, to converge around something common. To achieve this, we introduce the following additional protocol rule.

The “near-conformity rule”: best parents must be selected only among those parents whose witness list differs from the child’s witness list by no more than one mutation. This rule ensures that witness lists of neighboring units on the MC are similar enough, therefore their histories mostly agree with one another. The parents whose witness list differs by 0 or 1 mutation will be called compatible (with the unit that includes them directly), while the others are incompatible. Incompatible parents are still permitted, but they have no chance of becoming best parent. If there are no compatible potential parents among childless units (an attacker could flood the network with his units that carry a radically different witness list), one should select parents from older units.

The above means that each unit must list its witnesses so that they can be compared. We require that the number of witnesses is exactly 12. This number 12 was selected because:

• it is sufficiently large to protect against the occasional failures of a few witnesses (they might prove dishonest, or be hacked, or go offline for a long time, or lose their private keys and go offline forever);

• it is sufficiently small that humans can keep track of all the witnesses to know who is who and change the list when necessary;

• the one allowed mutation is sufficiently small compared with the 11 unchanged witnesses.

In case a user thinks that any of the witnesses has lost his credibility, or there are just better candidates, the user can replace the witness with a new witness in his list, bearing in mind that his witness list may not differ from that of other units by more than one position. This means that any changes can happen only gradually, and a general consensus is required for a change bigger than one position.
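One way to check the near-conformity rule, as an added JavaScript example (not code from the paper or the Byteball project). Witness lists are compared as sets, which is an assumption, and the addresses, unit objects and helper names are constructed for illustration.

```javascript
const WITNESS_COUNT = 12; // each unit must list exactly 12 witnesses

function checkWitnessList(list) {
  if (list.length !== WITNESS_COUNT || new Set(list).size !== WITNESS_COUNT) {
    throw new Error('witness list must hold exactly 12 distinct addresses');
  }
}

// Mutations between two lists = witnesses of `a` that are absent from `b`.
// Assumption: lists are compared as sets, so ordering is ignored.
function mutations(a, b) {
  checkWitnessList(a);
  checkWitnessList(b);
  const inB = new Set(b);
  return a.filter(w => !inB.has(w)).length;
}

// Compatible parents differ from the child by 0 or 1 mutation.
function isCompatible(childList, parentList) {
  return mutations(childList, parentList) <= 1;
}

// Units eligible to become best parent: compatible childless units (tips),
// or, if a flood of foreign witness lists leaves none, compatible older units.
function bestParentCandidates(childList, tips, olderUnits) {
  const ok = u => isCompatible(childList, u.witnesses);
  const fromTips = tips.filter(ok);
  if (fromTips.length) return { source: 'tips', ids: fromTips.map(u => u.id) };
  return { source: 'older', ids: olderUnits.filter(ok).map(u => u.id) };
}

// Constructed witness lists.
const base = Array.from({ length: 12 }, (_, i) => 'W' + (i + 1));     // W1..W12
const oneSwap = [...base.slice(0, 11), 'X1'];                         // W12 -> X1
const twoSwaps = [...base.slice(0, 10), 'X1', 'X2'];                  // W11 -> X2 as well
const foreign = Array.from({ length: 12 }, (_, i) => 'F' + (i + 1));  // shares no witness

const older = [{ id: 'old1', witnesses: base }, { id: 'old2', witnesses: twoSwaps }];
const normalTips = [{ id: 'tip1', witnesses: oneSwap }, { id: 'tip2', witnesses: foreign }];
const floodedTips = [{ id: 'f1', witnesses: foreign }, { id: 'f2', witnesses: foreign }];

const normal = bestParentCandidates(base, normalTips, older);
const flooded = bestParentCandidates(base, floodedTips, older);
console.log(mutations(base, oneSwap), mutations(base, twoSwaps), normal, flooded);
```

The lists base, oneSwap and twoSwaps are pairwise one mutation apart along the chain but two apart end to end, which is the gradual change the rule permits.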

7. Finality

As new units arrive, each user keeps track of his current MC which is built as if he were going to issue a new unit based on all current childless units. The current MC may be different at different nodes because they may see different sets of childless units. We require that the current MC be built without regard to witness lists, i.e. the user’s own witness list doesn’t matter and even incompatible parents can be selected as best parents. That means that if two users have the same set of childless units, but have different witness lists, their current MCs will still be identical. The current MC will constantly change as new units arrive. However, as we are about to show, a part of the current MC that is old enough will stay invariant.

Weexpectwitnesses(orratherthemajoritythereof)tobehavehonestly,thereforenecessarilyincludetheirpreviousunitinthenextunitauthoredbythesamewitness.Thismeansthatwhenawitnesscomposesanewunit,onlyrecentunitsarecandidatestobechosenasparents.Wemightexpect,therefore,thatallfuturecurrentMCswillconvergenofarther(whentravelingbackintime)thanaparticularstabilitypoint.Indeed,thegenesisunitisanaturalinitialstabilitypoint.AssumewehavebuiltacurrentMCbasedonthecurrentsetofchildlessunits,andtherewassomepointonthisMCthatwaspreviouslybelievedtobestable,i.e.allfuturecurrentMCsarebelievedtoconvergeonorbeforethispoint(again,whentravelingbackintime),andthentravelalongthesameroute.Ifwecanfindawayofadvancingthispointforward(awayfromthegenesis),wecanprovebyinductionthatastabilitypointexists.

Notethatifweforgetaboutallparentsexceptthebestparent,ourDAGwillbereducedtoatreethatconsistsonlyofbestparentlinks.Obviously,allMCswillgoalongthebranchesofthistree.Wethenneedtoconsidertwocases–whenthetreedoesbranchinthecurrentstabilitypointandwhenitdoesnot–anddecideifwecanadvancethestabilitypointtothenextMCI.

First, assume the tree does not branch. We then need to consider the possibility that a new branch will still be added and somehow supported by the witnesses so that it outgrows the existing branch. The other possibility is that the witnesses put so much weight in support of the existing branch, that the requirement of including one’s previous unit leaves them no options but continue supporting the existing branch. Let’s quantify the latter possibility. Remember that best parent is selected as the parent with the greatest witnessed level. Let’s travel back in time along the current MC from the tip until we meet the majority of witnesses (we are referring to witnesses as defined by the unit lying on the current stability point). If at least one of them lies earlier than the current stability point, we do not try to advance the stability point, otherwise we proceed. In this case, all these witnesses are already “invested” into the current MC. Among these witnesses, we find the minimum witnessed level min_wl. When any of these witnesses posts a new unit, this unit might have parents whose MC leads to the current MC and parents whose MC leads to a competing branch, and the parent with the highest witnessed level will be selected as best parent and will define the direction of the next current MC. Since the witness has to include its previous unit, the witnessed level of the parent leading to the current MC will be at least min_wl. The witnessed level of any parent leading to the alternative branch will never exceed the level of the current stability point, even if all remaining (minority) witnesses flock to the alternative branch. Therefore, if the current MC grows far enough so that min_wl is greater than the level of the current stability point, the majority of witnesses will have to increase support for the existing current MC, the alternative branch has then lost all chances to win, and we can move the stability point forward to the next MCI.

Figure 5. A tree composed of best-parent links. All but one branches stop growing after some point.

Next, assume the tree does branch. We need to find a condition where the alternative branches will lose any chance to outgrow the current MC. Let’s start by defining min_wl as in the previous case. Among all units on the alternative branches, we then select those that increase the witness level, i.e. their own witnessed level is greater than that of every parent. Among these, we find the maximum level. Then, even if all the remaining (minority) witnesses gather on the alternative branches, the witnessed level on the alternative branches will never exceed this maximum level. Therefore, if this maximum level is less than min_wl, game is over for the alternative branches, and we can advance the stability point along the current MC.

Thus, there is a point on the current MC before which the MC will never change (assuming the majority of witnesses don’t post nonserial units). The total order defined relative to this MC is therefore also final. If we had nonserials, our decision about which one of them is valid, is final as well. If a new nonserial ever appears that conflicts with anything already on the stable MC, the new nonserial unit will definitely be ordered after the old counterpart, and the new one will be deemed invalid. Therefore, any payment made in the unit included on the stable MC is already irreversible. Unlike Bitcoin where transaction finality is only probabilistic, this is deterministic transaction finality.

Every user builds his own (subjective) current MC based on the units that he sees. Since the propagation of new units is not instant, and they may arrive in different order to different users, the users will have different current MCs and different opinions about the last stable point of the MC at any given time. However, since the current MC is defined solely by the set of units known to the user, in case user B hasn’t yet advanced his stability point to the same MCI as user A, he will inevitably do that later – i.e. as soon as he receives the same units as user A, or more. Thus the opinions of different users about the state of any given unit are eventually consistent.

8. Storage of nonserial units

When we decide that a unit is a nonserial, we still have to store it. However, part of its data is replaced with a hash of the data. This rule serves two purposes. First, to reduce storage consumed by a unit that nobody paid for (the entire content of the nonserial unit is deemed invalid, including its payment of commissions). Second, to reduce the utility of the nonserial to the user who sent it, because the hash replaces all useful data that the author wanted to store (for free). This prevents attackers from abusing nonserials as a way to store large amounts of data for free.

The hash that is stored instead of the full content still has some utility to the attacker, as he can store the original data himself and use the hash to prove that the data existed. But remember that:

1. He still has to pay for one unit that is deemed valid

2. If the attacker is already internally storing metadata that is necessary to interpret Byteball data, he could do equally well by just combining all his data into a Merkle tree and using Byteball to store only its Merkle root for the cost of one small unit.

Under this design, there is therefore no self-interest in trying to send nonserials.

It ought to be mentioned that we cannot just reject nonserials the first time we see them. If we did, an attacker could send his nonserials to different users in different order. Different users would then stick to the versions they first received and reject everything based on the other version, so the attacker would succeed in partitioning the network. That’s why we have to store both versions and then decide on their order. Even more, users should forward nonserials to peers just like any other units, as the sooner peers learn about the nonserials the better.

We still try to avoid including nonserials if possible: the parent selection algorithm excludes nonserials as long as they are childless. For this reason, it’s desirable to help peers learn about nonserials as soon as possible.

9. Balls

After a unit becomes stable (i.e. it is included on the stable part of the MC) we create a new structure based on this unit, we call it a ball:

    ball: {
        unit: "hash of unit",
        parent_balls: [array of hashes of balls based on parent units],
        is_nonserial: true, // this field included only if the unit is nonserial
        skiplist_balls: [array of earlier balls used to build skiplist]
    }

Every ball includes information about all its ancestor balls (via parents), hence the amount of information it depends on grows like snowball. We also have a flag in the ball that tells us if it ended up being invalid (nonserial), and we have references to older balls that we’ll use later to build proofs for light clients.

We can only build a ball when the corresponding unit becomes stable and we know for certain whether it is serial. Since the current MCs as viewed by different users are eventually consistent, they will all build exactly the same ball based on the same unit.

10. Last ball

To protect the balls (most importantly, the is_nonserial flag) from modification, we require each new unit to include a hash of the last ball that the author knows about (which is the ball built from the last stable unit, and it lies on the MC). This way, the last ball will be protected by the author’s signature. Later on, the new unit itself will be (directly or indirectly) included by witnesses.

If someone who doesn’t have the entire Byteball database wants to know if a particular unit is serial, he would give us a list of witnesses he trusts to behave honestly, and we would build a chain of recent units that includes the majority of the said witnesses, then read last ball from the oldest unit of the chain, and use balls to build a hash tree that has the last ball at the top and includes the requested unit somewhere below. This hash tree is similar to a very tall Merkle tree, with additional data fed in at each node. The tree can be optimized using the skiplist.

The reference to the last ball also lets users see what their peers think about the stability point of the MC and compare it with their own vision.

We also require that the last ball lies no sooner than last ball of every parent. This ensures that the last ball either advances forward along the MC or stays in the same position, but never retreats.

To further reduce the degrees of freedom of adversaries, we add one more requirement: a unit’s witness list must be compatible with that of each unit that lies on the trailing part of the unit’s MC between this unit and the last ball’s unit. This requirement ensures that all changes to the witness list first reach stability point before trying another change. Otherwise, an attacker might inject a significantly modified witness list onto the MC and stop posting from the addresses of the new witnesses. In such instances, the stability point would not be able to advance past the stretch occupied by the attacker’s witnesses.

The requirement that witness lists of all contemporary units are mostly similar means that all users have mostly similar views about who can be trusted to serve as lighthouses for the community at the current time. This is similar to biology, where organisms of the same species have to have mostly the same genes. Small variance of the witness list allows for evolutionary change that still preserves the integrity of the system.

11. Witness list unit

It is expected that many users will want to use exactly the same witness list. In this case, to save space, they don’t list the addresses of all 12 witnesses. Rather, they give a reference to another earlier unit, which listed these witnesses explicitly. The witness list unit must be stable from the point of view of the referencing unit, i.e. it must be included into the last ball unit.

12. Unit structure

This is an example of a unit:

    {
        version: '1.0',
        alt: '1',
        messages: [ {
            app: 'payment',
            payload_location: 'inline',
            payload_hash: 'AegecfpDzh8xvdyIABdynrcP6CTd4Pt42gvRiv0Ftjg=',
            payload: {
                inputs: [ {
                    unit: '7yctnKyuAk5P+mFgFQDdDLza88nkceXYjsTs4e3doQA=',
                    message_index: 0,
                    output_index: 1
                } ],
                outputs: [
                    { address: 'DJ6LV5GPCLMGRW7ZB55IVGJRPDJPOQU6', amount: 208 },
                    { address: 'Z36JFFX2AH7X5JQ2V2C6AQUUOWFESKZ2', amount: 3505 }
                ]
            }
        } ],
        authors: [ {
            address: 'DJ6LV5GPCLMGRW7ZB55IVGJRPDJPOQU6',
            authentifiers: {
                r: '3eQPIFiPVLRwBwEzxUR5thqn+zlFfLXUrzAmgemAqOk35UvDpa4h79Fd6TbPbGfb8VMiJzqdNGHCKyAjl786mw=='
            }
        } ],
        parent_units: [
            'B63mnJ4yNNAE+6J+L6AhQ3EY7EO1Lj7QmAM9PS8X0pg=',
            'D6O1/D9L8vCMhv+8f70JecF93UoLKDp3e2+b92Yh2mI=',
            'ZxqzWP6q6hDNF50Wax8HUK212lH/KSIRdW5a6T9h3DM='
        ],
        last_ball: '8S2ya9lULt5abF1Z4lIJ4x5zYY9MtEALCl+jPDLsnsw=',
        last_ball_unit: 'bhdxFqVUut6V3N2D6Tyt+/YD6X0W+QnC95dMcJJWdtw=',
        witness_list_unit: 'f252ZI2MN3xu8wFJ+LktVDGsay2Udzi/AUauE9ZaifY='
    }

Here:

• version is the protocol version number. The unit will be interpreted according to this version of the protocol;
• alt is an identifier of alternative currency, we’ll discuss this later;
• messages is an array of one or more messages that contain actual data;
    o app is the type of message, e.g. ‘payment’ for payments, ‘text’ for arbitrary text messages, etc;
    o payload_location says where to find the message payload. It can be ‘inline’ if the payload is included in the message, ‘uri’ if the payload is available at an internet address, ‘none’ if the payload is not published at all, is stored and/or shared privately, and payload_hash serves to prove it existed at a specific time;
    o payload_hash is a hash of the payload in base64 encoding;
    o payload is the actual payload (since it is ‘inline’ in this example). The payload structure is app-specific. Payments are described as follows:
        § inputs is an array of input coins consumed by the payment. All owners of the input coins must be among the signers (authors) of the unit;
            • unit is hash of the unit where the coin was produced. To be spendable, the unit must be included in last_ball_unit;
            • message_index is an index into the messages array of the input unit. It indicates the message where the coin was produced;
            • output_index is an index into the outputs array of the message_index’th message of the input unit. It indicates the output where the coin was produced;
        § outputs is an array of outputs that say who receives the money;
            • address is the Byteball address of the recipient;
            • amount is the amount he receives;
• authors is an array of the authors who created and signed this unit. All input coins must belong to the authors;
    o address is the author’s Byteball address;
    o authentifiers is a data structure that proves the author’s authenticity. Most commonly these are ECDSA signatures;
• parent_units is an array of hashes of parent units. It must be sorted alphabetically;
• last_ball and last_ball_unit are hashes of last ball and its unit, respectively;
• witness_list_unit is hash of the unit where one can find the witness list.

All hashes are in base64 encoding.

Note that there is no timestamp field in the unit structure. In Byteball, there are no protocol rules that rely on clock time. It’s simply not needed, as it is enough to rely on the order of events alone.

Timestamp is still added to units when they are forwarded from node to node. However, this is only advisory and used by light clients to show in wallets the approximate time when a unit was produced, which may significantly differ from the time it was received as light clients may go offline for extended periods of time.

13. Commissions

As mentioned before, the cost to store a unit is its size in bytes. The commission is split into two parts: headers commission and payload commission. Payload commission is equal to the size of messages; headers commission is the size of everything else. The two types of commissions are distributed differently.

Headers commission goes to one of the future units which takes the payer unit as parent. The receiver is selected only after both the payer unit’s MCI and the next MCI become stable. To determine the receiver, we take those children whose MCI is equal to or 1 more than the MCI of the payer. The hashes of each of these children are concatenated with the hash of the unit lying on the next MCI (relative to the payer), and the child with the smallest hash value (in hex) wins the headers commission. This hashing with the next MC unit is designed to introduce unpredictability (the next MC unit is not known beforehand) and render useless any attempts to improve one’s chances of receiving commission by playing with one’s own unit hash. At the same time, restricting candidates to those whose MCI is no more than 1 greater than the MCI of the payer, incentivizes the selection of the most recent units as parents. This is useful to keep the DAG as narrow as possible.

We pay only the headers commission and not the entire commission to those who are quick to pick our unit as parent, for the following reason. If we did pay the entire commission, we would have incentivized abusive behavior: split one’s data into several chunks and build a long chain of one’s own units storing one chunk per unit. All the commissions paid in a previous unit would then be immediately collected by the same user in the next unit. As we pay only the headers commission, such behavior is not profitable because to produce each additional element of the chain one has to spend additional headers commission – roughly the same as one earns. We use the remaining (payload) commission to incentivize others whose activity is important for keeping the network healthy.

Payload commission goes to witnesses. To incentivize witnesses to post frequently enough, we split payload commission equally among all witnesses who are quick enough to post within 100 MC indexes after the paying unit (the faster they post, the faster this unit becomes stable). If all 12 witnesses have posted within this interval, each receives 1/12 of the payload commission. If only one witness has posted, he receives the entire payload commission. In the special case that no witness has posted within this interval, they all receive 1/12 of payload commission. If the division produces a fractional number, it is rounded according to mathematical rules. Because of this rounding, the total commission paid out to witnesses may not be equal to the total payload commission received from the unit’s author(s), so the total money supply will change slightly as well. Obviously, the distribution happens only after MCI+100 becomes stable, where MCI is the MCI of the paying unit.
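The two distribution rules above, as an added JavaScript example that is not taken from the Byteball code base. It assumes the lottery value is SHA-256 over the concatenated hashes (the text does not name the hash function), that "within 100 MC indexes" means payer MCI < post MCI <= payer MCI + 100, and that Math.round stands in for "mathematical rules"; unit names and addresses are constructed.

```javascript
const crypto = require('crypto');

// Assumption: SHA-256 over (child unit hash + next MC unit hash), in hex.
function lotteryHash(childUnit, nextMcUnit) {
  return crypto.createHash('sha256').update(childUnit + nextMcUnit, 'utf8').digest('hex');
}

// Headers commission: only children whose MCI is the payer's MCI or one more
// take part; the smallest lottery hash wins. Returns null if nobody qualifies.
function headersCommissionWinner(payerMci, children, nextMcUnit) {
  const candidates = children.filter((c) => c.mci === payerMci || c.mci === payerMci + 1);
  let winner = null;
  for (const c of candidates) {
    const hash = lotteryHash(c.unit, nextMcUnit);
    // Equal-length lowercase hex strings compare correctly as plain strings.
    if (winner === null || hash < winner.hash) winner = { unit: c.unit, hash };
  }
  return winner;
}

// Payload commission: split equally among the paying unit's witnesses that
// posted quickly enough; if none did, all 12 share it.
function splitPayloadCommission(payloadCommission, payerMci, witnesses, witnessPosts) {
  const quick = witnesses.filter((w) =>
    witnessPosts.some((p) => p.address === w && p.mci > payerMci && p.mci <= payerMci + 100));
  const recipients = quick.length > 0 ? quick : witnesses;
  const share = Math.round(payloadCommission / recipients.length);
  const paidOut = share * recipients.length;
  // supplyChange is the rounding drift the text mentions: bytes created (+) or lost (-).
  return { recipients, share, paidOut, supplyChange: paidOut - payloadCommission };
}

// Constructed sample data.
const WITNESSES = Array.from({ length: 12 }, (_, i) => 'WITNESS' + (i + 1));
const postsBy = (n, mci) => WITNESSES.slice(0, n).map((address) => ({ address, mci }));

function demo() {
  const children = [
    { unit: 'childA', mci: 500 },
    { unit: 'childB', mci: 501 },
    { unit: 'childLate', mci: 502 }, // too late: never a candidate
  ];
  return {
    winner: headersCommissionWinner(500, children, 'nextMcUnit'),
    allTwelve: splitPayloadCommission(1000, 500, WITNESSES, postsBy(12, 550)),
    sevenQuick: splitPayloadCommission(1000, 500, WITNESSES, postsBy(7, 600)),
    nobodyQuick: splitPayloadCommission(1000, 500, WITNESSES, postsBy(12, 601)),
  };
}
```

With a payload commission of 1000 bytes, twelve recipients are paid 996 in total and seven recipients 1001, which is the slight change in money supply described above.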

To spend the earned headers commissions or witnessing commissions, the following input is used:

    inputs: [
        {
            type: "headers_commission",
            from_main_chain_index: 123,
            to_main_chain_index: 196
        },
        {
            type: "witnessing",
            from_main_chain_index: 60,
            to_main_chain_index: 142
        },
        …
    ]

Such inputs sweep all headers or witnessing commissions earned by the author from commission paying units that were issued between main chain indexes from_main_chain_index and to_main_chain_index. Naturally, to_main_chain_index must be stable.

When a unit signed by more than one author earns headers commission, there is so far ambiguity as to how the commission is split among the authors. To remove the ambiguity, each unit that is signed by more than one author must include a data structure that describes the proportions of revenue sharing:

    unit: {
        …
        earned_headers_commission_recipients: [
            {address: "ADDRESS1", earned_headers_commission_share: 30},
            {address: "ADDRESS2", earned_headers_commission_share: 70}
        ],
        …
    }

The addresses who receive the commissions needn’t be the same as the author addresses – the commission can be sent to any address. Even if the unit is signed by a single author, it can include this field to redirect headers commissions elsewhere.

14. Confirmation time

Confirmation time is the time from a unit entering the database to reaching stability. It depends on how often the witnesses post, since to reach stability we need to accumulate enough witness-authored units on the MC after the newly added unit. To minimize the confirmation period, the witnesses should post frequently enough (which they are already incentivized to do via commission distribution rules) but not too frequently. If two or more witnesses issue their units nearly simultaneously (faster than it typically takes to propagate a new unit to other witnesses), this may cause unnecessary branching of the tree composed of best-parent links, which would delay stability. For this reason, the best confirmation times are reached when the witnesses are well connected and run on fast machines so that they are able to quickly validate new units. We estimate the best confirmation times to be around 30 seconds; this is only reachable if the flow of new units is large enough so that the witnesses earn more from witnessing commissions than they spend for posting their own units.

Despite the period of full confirmation being rather long, a node that trusts its peers to deliver all new units without filtering may be reasonably sure that once a unit was included by at least one witness, plus a typical latency has elapsed (the time it takes a new unit to travel from peer to peer), the unit will most likely reach finality and be deemed valid. Even if a double-spend appears later, it will be likely ordered after this unit.

15. Partitioning risk

The network of Byteball nodes can never be partitioned into two parts that would both continue operating without noticing. Even in the event of a global network disruption such as a sub-Atlantic rat cutting the cable that connects Europe and America, at least one of the sides of the split will notice that it has lost the majority of witnesses, meaning that it can’t advance the stability point, and nobody can spend outputs stuck in the unstable part of the MC. Even if someone tries to send a double-spend, it will remain unstable (and therefore unrecognized) until the connection is restored. The other part of the split where the majority of witnesses happens to be, will continue as normal.

16. Censorship

By design, it is already impossible to modify or erase any past records in Byteball. It is also quite hard to stop any particular types of data from entering the database.

First, the data itself can be concealed and only its hash be actually posted to the database to prove that the data existed. The data may only be revealed after the hash is stored and its unit has been included by other units so that it has become unrevisable.

Second, even when the data is open, the decision to include or not include it in the database is delegated to numerous anonymous users who might (and in fact are incentivized to) take the new unit as a parent. Someone who tries to censor undesirable units will have to not only avoid including them directly (as parents) but also indirectly, through other units. (This is different from Bitcoin where miners or mining pools can, and do, filter individual transactions directly. Besides, Bitcoin users have no say in who is to become a miner.) As the number of units which include the “offending” unit snowballs, any attempt to avoid it would entail censoring oneself. Only the majority of witnesses can effectively impose forbidden content rules – if users choose such witnesses.

17. Choosing witnesses

Reliance on witnesses is what makes Byteball rooted in the real world. At the same time, it makes it highly dependent on human decisions. The health of the system depends on users responsibly setting the lists of witnesses they do trust. This process cannot be safely automated, for example if most users start auto-updating their witness lists to match the lists of most recently observed units, just to be compatible, this can be easily exploited by an attacker who floods the network with his own units that gradually change the predominant witness list to something of the attacker’s choosing.

While the maximalist recommendation could be “only edit witness lists manually”, which is too burdensome for most users, a more practical approach to witness list management is tracking and somehow averaging the witness lists of a few “captains of industry” who either have interest in caring for the network health or who have earned a good reputation in activities not necessarily connected with Byteball. Some of them may be acting witnesses themselves. Unlike witness lists, the lists of captains of industry don’t have to be compatible, and failing to update the list frequently enough doesn’t have any immediate negative implications such as being unable to find compatible parents and post a new unit. We expect that most users will use one of a relatively small number of most popular wallets, and such wallets will be set up by default to follow the witness list of the wallet vendor, who in turn likely watches the witness lists of other prominent players.

Witnesses also have their witness lists, and it is recommended that users elect those witnesses who they trust to keep their witness lists representative of ordinary users’ beliefs. This is very important because no change to the predominant witness list can pass without approval of the majority of the current witnesses. It is recommended that witnesses and would-be witnesses publicly declare their witness list policy (such as following and averaging witness lists of other reputable users), and that users evaluate their fitness for the job based on this policy, among other factors. Any breach of the declared policy will be immediately visible and will likely trigger a witness replacement campaign. The same is true for an unjustified amendment to the policy. The policy binds the witness and makes him follow public opinion, even when it turns against the witness himself or his friends.

As mentioned before, our protocol rules require that:

1. best parent is selected only among parents whose witness list has no more than 1 mutation;

2. there should be no more than 1 mutation relative to the witness list of the last ball unit;

3. there should be no more than 1 mutation relative to the witness lists of all the unstable MC units up to the last ball unit;

4. the stability point advances only when the current witnesses (as defined in the current stability point) post enough units after the current stability point.

These rules are designed to protect against malicious and accidental forks. At the same time, they imply that any changes of the predominant witness list have to be gradual, and each step has to be approved by the majority of the current witnesses. A one-position change has to first reach stability and recognition of the majority of old witnesses before another change can be undertaken. If the community decides abruptly that two witnesses need to be replaced immediately, then after one change makes its way onto the MC, the second change will be blocked by rule 3 above until the first change reaches stability.
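The compatibility check behind the near-conformity rule and rules 1 to 3 above, as an added JavaScript example that is not taken from the Byteball code base. Witness addresses W01..W14 and A01..A12, the unit ids and all function names are constructed for illustration, and a "mutation" is counted as one replaced address with list order ignored.

```javascript
const WITNESS_COUNT = 12;

// Number of addresses in list b that are absent from list a.
function countMutations(a, b) {
  for (const list of [a, b]) {
    if (list.length !== WITNESS_COUNT || new Set(list).size !== WITNESS_COUNT) {
      throw new Error('a witness list must hold exactly 12 distinct addresses');
    }
  }
  const inA = new Set(a);
  return b.filter((w) => !inA.has(w)).length;
}

// Compatible means 0 or 1 mutation.
function isCompatible(a, b) {
  return countMutations(a, b) <= 1;
}

// Rule 1: incompatible parents may be referenced but never become best parent.
function bestParentCandidates(childWitnesses, parents) {
  return parents.filter((p) => isCompatible(childWitnesses, p.witnesses));
}

// Rules 2 and 3: compare a new unit's list with the last ball unit and with
// every unstable MC unit between the new unit and the last ball unit.
function checkWitnessList(newWitnesses, lastBallUnit, unstableMcUnits) {
  const violations = [];
  const check = (rule, unit) => {
    const mutations = countMutations(unit.witnesses, newWitnesses);
    if (mutations > 1) violations.push({ rule, unit: unit.id, mutations });
  };
  check(2, lastBallUnit);
  unstableMcUnits.forEach((u) => check(3, u));
  return violations;
}

// Constructed lists: BASE is the old list, STEP1 replaces W12 with W13,
// STEP2 additionally replaces W11 with W14.
const label = (prefix) => (_, i) => prefix + String(i + 1).padStart(2, '0');
const BASE = Array.from({ length: 12 }, label('W'));
const STEP1 = BASE.slice(0, 11).concat('W13');
const STEP2 = BASE.slice(0, 10).concat('W13', 'W14');
const FLOOD = Array.from({ length: 12 }, label('A')); // radically different list

// The "two abrupt replacements" case from the text, before and after the
// first change reaches stability.
function scenario() {
  const oldUnit = { id: 'mc-old', witnesses: BASE };
  const firstChange = { id: 'mc-first-change', witnesses: STEP1 };
  return {
    candidates: bestParentCandidates(STEP1, [
      { id: 'p-base', witnesses: BASE },
      { id: 'p-step1', witnesses: STEP1 },
      { id: 'p-flood', witnesses: FLOOD },
    ]).map((p) => p.id),
    whileFirstChangeUnstable: checkWitnessList(
      STEP2, { id: 'last-ball-old', witnesses: BASE }, [oldUnit, firstChange]),
    afterFirstChangeStable: checkWitnessList(
      STEP2, { id: 'last-ball-new', witnesses: STEP1 }, [firstChange]),
  };
}
```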

Despite all the recommendations above it is still possible that due to the negligence of industry leaders, such witnesses are elected who later form a cartel and collectively block all attempts to replace any one of them in an attempt to keep the profits they are earning from witnessing commissions. If they do behave this way, it will be evident to everybody because their witness lists will remain unchanged, while the witness lists of most other industry leaders will differ by one mutation (the maximum allowed to remain compatible). If the old witnesses do not give in despite such evident pressure, the only recourse of the pro-change users is a “revolution” – i.e. to start a new coin that inherits all the balances, user addresses, etc from the old coin at some point but starts with a new witness list and adds a special protocol rule to handle this incompatible change at the moment of the schism. To distinguish from the old coin, they would then assign a new value to the ‘alt’ field (this is what ‘alt’ is for) and use it in all units issued under the new coin. As a result, users will hold two coins (the old alt="1", and the new e.g. alt="2") and will be able to spend both independently. If the split was justified, the old coin will probably be abandoned, but all the data accumulated prior to the schism will be available as normal in the new coin. Since the protocol is almost identical (except for the rule that handles the schism and the change of alt), it will be easy to update software installed on all user and merchant devices.

If someone just wants to start a new coin to experiment with another set of protocol rules, he can also use the ‘alt’ field to inherit everything from the old coin, make the switch comfortable for users, and have a large set of users with balances from day one.

18. Skiplist

Some of the balls contain a skiplist array which enables faster building of proofs for light clients (see below). Only those balls that lie directly on the MC, and whose MC index is divisible by 10, have a skiplist. The skiplist lists the nearest previous MC balls whose index has the same or smaller number of zeros at the end. For example, the ball at MCI 190 has a skiplist that references the ball at MCI 180. The ball at MCI 3000 has a skiplist that references the balls at MCIs 2990, 2900, and 2000.

19. Light clients

Light clients do not store the entire Byteball database. Instead, they download a subset of data they are interested in, such as only transactions where any of the user’s addresses are spending or being funded.

Light clients connect to full nodes to download the units they are interested in. The light client tells the full node the list of witnesses it trusts (not necessarily the same witnesses it uses to create new units) and the list of its own addresses. The full node searches for units the light client is interested in and constructs a proof chain for each unit in the following way:

1. Walk back in time along the MC until the majority of requested witnesses are met. Collect all these MC units.

2. From the last unit in this set (which is also the earliest in time), read the last ball.

3. Starting from this last ball, walk back in time along the MC until any ball with a skiplist is met. Collect all these balls.

4. Using the skiplist, jump to an earlier ball referenced from the skiplist. This ball also has a skiplist, jump again. Where there are several balls in skiplist array, always jump by the largest distance possible, so we accelerate jumping first by 10 indexes, then by 100, then by 1000, etc.

5. If the next jump by the skiplist would throw us behind the target ball, decelerate by jumping by a smaller distance. Ultimately, leave the skiplist and walk along the MC one index at a time using just parent links.

This chain has witness-authored units in the beginning, making it trustworthy from the light client’s point of view. All the elements of the chain are linked by either parent unit links (while accumulating the witnesses), or by last ball reference, or by parent ball links, or by skiplist links. At the end of the chain, we have the unit whose existence was to be proved.
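The skiplist rule of section 18 and steps 3 to 5 of the proof chain, as an added JavaScript example that is not taken from the Byteball code base. It works on MC indexes only, assumes the target ball lies on the MC, and leaves out the witness-accumulation part (steps 1 and 2) and the ball hashes that a real proof carries; function names are constructed.

```javascript
// MC indexes referenced by the skiplist of the ball at `mci`, nearest first.
// Balls whose index is not divisible by 10 have no skiplist.
function skiplistMcis(mci) {
  const mcis = [];
  for (let step = 10; mci > 0 && mci % step === 0; step *= 10) {
    mcis.push(mci - step);
  }
  return mcis;
}

// Full-node side: list the MC indexes visited from the last ball down to the
// target, always taking the largest skiplist jump that does not overshoot.
function buildProofPath(lastBallMci, targetMci) {
  if (!Number.isInteger(lastBallMci) || !Number.isInteger(targetMci) ||
      targetMci < 0 || targetMci > lastBallMci) {
    throw new RangeError('target must lie on the MC at or before the last ball');
  }
  const path = [{ mci: lastBallMci, via: 'last_ball' }];
  let mci = lastBallMci;
  while (mci > targetMci) {
    // Entries are sorted nearest first, so the last usable one is the longest jump.
    const usable = skiplistMcis(mci).filter((m) => m >= targetMci);
    if (usable.length > 0) {
      mci = usable[usable.length - 1];
      path.push({ mci, via: 'skiplist' });
    } else {
      mci -= 1; // no skiplist here, or every jump would overshoot: parent link
      path.push({ mci, via: 'parent' });
    }
  }
  return path;
}

// Light-client side: accept the path only if it starts at the last ball, ends
// at the target, and every hop is a link the protocol actually provides.
function verifyProofPath(path, lastBallMci, targetMci) {
  if (path.length === 0 || path[0].mci !== lastBallMci) return false;
  if (path[path.length - 1].mci !== targetMci) return false;
  for (let i = 1; i < path.length; i++) {
    const from = path[i - 1].mci;
    const to = path[i].mci;
    const linked = path[i].via === 'skiplist' ? skiplistMcis(from).includes(to)
      : path[i].via === 'parent' ? to === from - 1
      : false;
    if (!linked) return false;
  }
  return true;
}
```

For a last ball at MCI 3417 and a target at MCI 1234 the path has 33 elements, against 2184 when walking parent links only.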

20. Multilateral signing

A unit can be signed by multiple parties. In such instances, the authors array in the unit has two or more elements.

This can be useful, for example, if two or more parties want to sign a contract (a plain old dumb contract, not a smart one). They would both sign the same unit that contains a text message (app='text'). They don’t have to store the full text of the contract in the public database, and pay for it – a hash would suffice (payload_location='none'), and the parties themselves can store the text privately.

Another application of multilateral signing is an exchange of assets. Assume user A wants to send asset X to user B in exchange for asset Y (the native currency ‘bytes’ is also an asset – the base asset). Then they would compose a unit that contains two payment messages: one payment sends asset X from A to B, the other payment sends asset Y from B to A. They both sign the dual-authored unit and publish it. The exchange is atomic – that is, either both payments execute at the same time or both fail. If one of the payments appears to be a double-spend, the entire unit is rendered invalid and the other payment is also deemed void.

This simple construction allows users to exchange assets directly, without trusting their money to any centralized exchanges.

21. Addresses

Users are identified by their addresses, transaction outputs are sent to addresses, and, like in Bitcoin, it is recommended that users have multiple addresses and avoid reusing them. In some circumstances, however, reuse is normal. For example, witnesses are expected to repeatedly post from the same address.

An address represents a definition, which is a Boolean expression (remotely similar to Bitcoin script). When a user signs a unit, he also provides a set of authentifiers (usually ECDSA signatures) which, when applied to the definition, must evaluate it to true in order to prove that this user had the right to sign this unit. We write definitions in JSON. For example, this is the definition for an address that requires one ECDSA signature to sign:

    ["sig",{"pubkey":"Ald9tkgiUZQQ1djpZgv2ez7xf1ZvYAsTLhudhvn0931w"}]

The definition indicates that the owner of the address has a private key whose public counterpart is given in the definition (in base64 encoding), and he will sign all units with this private key. The above definition evaluates to true if the signature given in the corresponding authentifier is valid, or otherwise false. The signature is calculated over all data of the unit except the authentifiers.

Given a definition object, the corresponding address is just a hash of the initial definition object plus a checksum. The checksum is added to avoid typing errors. Unlike usual checksum designs, however, the checksum bits are not just appended to the end of the unchecksummed data. Rather, they are inserted into multiple locations inside the data. This design makes it hard to insert long strings of illegal data in fields where an address is expected. The address is written in base32 encoding. The above definition corresponds to address A2WWHN7755YZVMXCBLMFWRSLKSZJN3FU.

When an address is funded, the sender of the payment knows and specifies only the address (the checksummed hash of the definition) in the payment output. The definition is not revealed and it remains unknown to anyone but the owner until the output is spent.

When a user sends his first unit from an address, he must reveal its definition (so as to make signature verification possible) in the authors array:

    unit: {
        …
        authors: [ {
            address: 'DJ6LV5GPCLMGRW7ZB55IVGJRPDJPOQU6',
            definition: [
                "sig", {"pubkey":"AsnvZ3w7N1lZGJ+P+bDZU0DgOwJcGJ51bjsWpEqfqBg6"}
            ],
            authentifiers: {
                r: '3eQPIFiPVLRwBwEzxUR5thqn+zlFfLXUrzAmgemAqOk35UvDpa4h79Fd6TbPbGfb8VMiJzqdNGHCKyAjl786mw=='
            }
        } ],
        …
    }

If the user sends a second unit from the same address, he must omit the definition (it is already known on Byteball). He can send the second unit only after the definition becomes stable, i.e. the unit where the definition was revealed must be included in the last ball unit of the second unit.

Users can update definitions of their addresses while keeping the old address. For example, to rotate the private key linked to an address, the user needs to post a unit that contains a message such as:

    unit: {
        …
        messages: [
            …
            {
                app: "address_definition_change",
                definition_chash: "I4Z7KFNIYTPHPJ5CA5OFC273JQFSZPOX"
            },
            …
        ],
        …
    }

Here, definition_chash indicates the checksummed hash of the new address definition (which is not revealed until later), and the unit itself must be signed by the old private keys. The next unit from this address must:

• include this address_definition_change unit in its last ball unit, i.e. it must be already stable;

• reveal the new definition in the authors array in the same way as for the first message from an address.

After the change, the address is no longer equal to the checksummed hash of its current definition. Rather, it remains equal to the checksummed hash of its initial definition.

The definition change is useful if the user wants to change the key(s) (e.g. when migrating to a new device) while keeping the old address, e.g. if this address already participates in other long-lived definitions (see below).

21.1. Definition syntax

21.1.1. Logical operators

A definition can include “and” conditions, for example:

    ["and", [
        ["sig", {pubkey: "one pubkey in base64"}],
        ["sig", {pubkey: "another pubkey in base64"}]
    ]]

which is useful when, in order to sign transactions, signatures from two independent devices are required, for example, from a laptop and from a smartphone.

“Or” conditions, such as this:

    ["or", [
        ["sig", {pubkey: "laptop pubkey"}],
        ["sig", {pubkey: "smartphone pubkey"}],
        ["sig", {pubkey: "tablet pubkey"}]
    ]]

are useful when a user wants to use the same address from any of his devices. The conditions can be nested:

    ["and", [
        ["or", [
            ["sig", {pubkey: "laptop pubkey"}],
            ["sig", {pubkey: "tablet pubkey"}]
        ]],
        ["sig", {pubkey: "smartphone pubkey"}]
    ]]

A definition can require a minimum number of conditions to be true out of a larger set, for example, a 2-of-3 signature:

    ["r of set", {
        required: 2,
        set: [
            ["sig", {pubkey: "laptop pubkey"}],
            ["sig", {pubkey: "smartphone pubkey"}],
            ["sig", {pubkey: "tablet pubkey"}]
        ]
    }]

(“r” stands for “required”) which features both the security of two mandatory signatures and the reliability, so that in case one of the keys is lost, the address is still usable and can be used to change its definition and replace the lost 3rd key with a new one.

Also, different conditions can be given different weight, of which a minimum is required:

    ["weighted and", {
        required: 50,
        set: [
            {weight: 40, value: ["sig", {pubkey: "CEO pubkey"}] },
            {weight: 20, value: ["sig", {pubkey: "COO pubkey"}] },
            {weight: 20, value: ["sig", {pubkey: "CFO pubkey"}] },
            {weight: 20, value: ["sig", {pubkey: "CTO pubkey"}] }
        ]
    }]

21.1.2. Delegation to other addresses

An address can contain a reference to another address:

    ["and", [
        ["address", "ADDRESS 1 IN BASE32"],
        ["address", "ADDRESS 2 IN BASE32"]
    ]]

which delegates signing to another address and is useful for building shared control addresses (addresses controlled by several users). This syntax gives the users the flexibility to change definitions of their own component addresses whenever they like, without bothering the other user.

21.1.3. Signatures and authentifiers

In most cases, a definition will include at least one signature (directly or indirectly):

    ["sig", {pubkey: "pubkey in base64"}]

Instead of a signature, a definition may require a preimage for a hash to be provided:

    ["hash", {"hash": "value of sha256 hash in base64"}]

which can be useful for cross-chain exchange algorithms [7]. In this case, the hash preimage is entered as one of the authentifiers.

The default signature algorithm is ECDSA on curve secp256k1 (same as Bitcoin). Initially, it is the only algorithm supported. If other algorithms are added in the future, an algorithm identifier will be used in the corresponding part of the definition, such as for the quantum secure NTRU algorithm:

    ["sig", {algo: "ntru", pubkey: "NTRU public key in base64"}]

Multisignature definitions allow one to safely experiment with unproven signature schemes when they are combined with more conventional signatures.

The authentifiers object in unit headers contains signatures or other data (such as hash preimage) keyed by the path of the authentifier-requiring subdefinition within the address definition. For a single-sig address such as

    ["sig", {pubkey: "pubkey in base64"}]

the path is simply “r” (r stands for root). If the authentifier-requiring subdefinition is included within another definition (such as and/or), the path is extended by an index into the array where this subdefinition is included, and path components are delimited by a dot. For example, for address definition:

    ["and", [
        ["sig", {pubkey: "one pubkey in base64"}],
        ["sig", {pubkey: "another pubkey in base64"}]
    ]]

the paths are “r.0” and “r.1”. For a deeper nested definition:

    ["and", [
        ["or", [
            ["sig", {pubkey: "laptop pubkey"}],
            ["sig", {pubkey: "tablet pubkey"}]
        ]],
        ["sig", {pubkey: "smartphone pubkey"}]
    ]]

the paths are “r.0.0”, “r.0.1”, and “r.1”. When there are optional signatures, such as 2-of-3, the paths tell us which keys were actually used.
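The path rules above, as an added example that is not part of the original paper or of Byteball's own code: a small Node.js evaluator that walks a definition, looks up each authentifier by its path, and enforces the 100-operation limit from section 21.2. It assumes pubkeys are base64 compressed secp256k1 points and signatures are base64 64-byte r||s values over the SHA-256 of the signed bytes; the keys, the unit bytes and all function names are constructed for the illustration.

```javascript
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require('crypto');

const MAX_OPS = 100; // per-definition operation limit stated in section 21.2
// DER header that wraps a 33-byte compressed secp256k1 point as a SubjectPublicKeyInfo.
const SPKI_PREFIX = Buffer.from('3036301006072a8648ce3d020106052b8104000a032200', 'hex');

const sha256b64 = (data) => createHash('sha256').update(data).digest('base64');

// ASSUMPTION: pubkey is a base64 compressed point; the signature is base64 r||s
// computed over SHA-256 of the signed bytes.
function checkSig(pubkeyB64, sigB64, signedBytes) {
  try {
    const der = Buffer.concat([SPKI_PREFIX, Buffer.from(pubkeyB64, 'base64')]);
    const key = createPublicKey({ key: der, format: 'der', type: 'spki' });
    return verify('sha256', signedBytes, { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(sigB64, 'base64'));
  } catch (err) {
    return false; // malformed key or signature: treat as an invalid authentifier
  }
}

// Remember which paths carried a valid authentifier.
function record(ctx, path, ok) {
  if (ok) ctx.usedPaths.push(path);
  return ok;
}

// The root path is "r"; each nesting level appends ".<index in the enclosing array>".
function evalNode(node, path, ctx) {
  if (++ctx.ops > MAX_OPS) throw new Error('definition exceeds ' + MAX_OPS + ' operations');
  const [op, args] = node;
  const own = Object.prototype.hasOwnProperty.call(ctx.authentifiers, path);
  const auth = own && typeof ctx.authentifiers[path] === 'string' ? ctx.authentifiers[path] : null;
  // All children are evaluated (no short-circuit) so usedPaths lists every valid authentifier.
  const kids = (list) => list.map((child, i) => evalNode(child, path + '.' + i, ctx));
  switch (op) {
    case 'sig':
      return record(ctx, path, auth !== null && checkSig(args.pubkey, auth, ctx.signedBytes));
    case 'hash':
      return record(ctx, path, auth !== null && sha256b64(auth) === args.hash);
    case 'and':
      return kids(args).every(Boolean);
    case 'or':
      return kids(args).some(Boolean);
    case 'r of set':
      return kids(args.set).filter(Boolean).length >= args.required;
    case 'weighted and': {
      const passed = kids(args.set.map((member) => member.value));
      const weight = args.set.reduce((total, member, i) => total + (passed[i] ? member.weight : 0), 0);
      return weight >= args.required;
    }
    default:
      throw new Error('unsupported operator: ' + op);
  }
}

function evaluate(definition, authentifiers, signedBytes) {
  const ctx = { ops: 0, usedPaths: [], authentifiers, signedBytes };
  const ok = evalNode(definition, 'r', ctx);
  return { ok, usedPaths: ctx.usedPaths, ops: ctx.ops };
}

// Constructed key pair for the demo, exposing the pubkey in the assumed encoding.
function makeKey() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const point = publicKey.export({ type: 'spki', format: 'der' }).subarray(-65); // 0x04 || X || Y
  const compressed = Buffer.concat([Buffer.from([2 + (point[64] & 1)]), point.subarray(1, 33)]);
  return {
    pubkey: compressed.toString('base64'),
    sign: (bytes) => sign('sha256', bytes, { key: privateKey, dsaEncoding: 'ieee-p1363' }).toString('base64'),
  };
}

function demo() {
  const unitBytes = Buffer.from('constructed unit data, authentifiers excluded');
  const [laptop, phone, tablet] = [makeKey(), makeKey(), makeKey()];
  const twoOfThree = ['r of set', { required: 2, set: [
    ['sig', { pubkey: laptop.pubkey }],
    ['sig', { pubkey: phone.pubkey }],
    ['sig', { pubkey: tablet.pubkey }],
  ] }];
  const laptopSig = laptop.sign(unitBytes);
  const tabletSig = tablet.sign(unitBytes);
  return {
    twoValid: evaluate(twoOfThree, { 'r.0': laptopSig, 'r.2': tabletSig }, unitBytes),
    oneValid: evaluate(twoOfThree, { 'r.0': laptopSig }, unitBytes),
    // The tablet's signature filed under the smartphone's path does not verify.
    wrongPath: evaluate(twoOfThree, { 'r.0': laptopSig, 'r.1': tabletSig }, unitBytes),
  };
}
```

The `usedPaths` list in the result is what tells an observer which of the optional keys actually signed.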

21.1.4. Definition templates

A definition can also reference a definition template:

    ["definition template", [
        "hash of unit where the template was defined",
        {param1: "value1", param2: "value2"}
    ]]

The parameters specify values of variables to be replaced in the template. The template needs to be saved before (and as usual, be stable before use) with a special message type app=’definition_template’, the template itself is in message payload, and the template looks like a normal definition but may include references to variables in the syntax @param1, @param2. Definition templates enable code reuse. They may in turn reference other templates.

21.1.5. Cosigning

A subdefinition may require that the unit be cosigned by another address:

    ["cosigned by", "ANOTHER ADDRESS IN BASE32"]

21.1.6. Querying whether an address was used

Another possible requirement for a subdefinition: that an address was seen as author in at least one unit included into the last ball unit:

    ["seen address", "ANOTHER ADDRESS IN BASE32"]

21.1.7. Data feeds

One very useful condition can be used to make queries about data previously stored in Byteball:

    ["in data feed", [
        ["ADDRESS1", "ADDRESS2", …], "data feed name", "=", "expected value"
    ]]

This condition evaluates to true if there is at least one message that has "data feed name" equal to "expected value" among the data feed messages authored by the listed addresses "ADDRESS1", "ADDRESS2", .. (oracles). Data feed is a message type that looks like this:

    unit: {
        …
        messages: [
            …
            {
                app: "data_feed",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    "data feed name": "value",
                    "another data feed name": "value2",
                    …
                }
            },
            …
        ],
        …
    }

Data feeds can be used to design definitions that involve oracles. If two or more parties trust a particular entity (the oracle) to provide true data, they can set up a shared control address that gives the parties different rights depending on data posted by the oracle(s). For example, this address definition represents a binary option:

    ["or", [
        ["and", [
            ["address", "ADDRESS 1"],
            ["in data feed", [["EXCHANGE ADDRESS"], "EURUSD", ">", "1.1500"]]
        ]],
        ["and", [
            ["address", "ADDRESS 2"],
            ["in data feed", [["TIMESTAMPER ADDRESS"], "datetime", ">", "2016-10-01 00:00:00"]]
        ]]
    ]]

Initially, the two parties fund the address defined by this definition (to remove any trust requirements, they use multilateral signing and send their stakes in a single unit signed by both parties). Then if the EUR/USD exchange rate published by the exchange address ever exceeds 1.1500, the first party can sweep the funds. If this doesn’t happen before Oct 1, 2016 and the timestamping oracle posts any later date, the second party can sweep all funds stored on this address. If both conditions are true and the address balance is still non-empty, both parties can try to take the money from it at the same time, and the double-spend will be resolved as usual.

The comparison operators can be "=", "!=", ">", ">=", "<", and "<=". The data feed message must come before the last ball unit as usual. To reduce the risks that arise in case any single oracle suddenly goes offline, several feed provider addresses can be listed.

Another example would be a customer who buys goods from a merchant but he doesn’t quite trust that merchant and wants his money back in case the goods are not delivered. The customer pays to a shared address defined by:

    ["or", [
        ["and", [
            ["address", "MERCHANT ADDRESS"],
            ["in data feed", [["FEDEX ADDRESS"], "tracking", "=", "123456"]]
        ]],
        ["and", [
            ["address", "BUYER ADDRESS"],
            ["in data feed", [["TIMESTAMPER ADDRESS"], "datetime", ">", "2016-10-01 00:00:00"]]
        ]]
    ]]

The definition depends on the FedEx oracle that posts tracking numbers of all successfully delivered shipments. If the shipment is delivered, the merchant will be able to unlock the money using the first condition. If it is not delivered before the specified date, the customer can take his money back.

This example is somewhat crazy because it requires FedEx to post each and every shipment.

21.1.8. Merkle data feeds

For a more realistic way to achieve the same goal, there is another syntax:

    ["in merkle", [
        ["ADDRESS1", "ADDRESS2", …], "data feed name", "hash of expected value"
    ]]

which evaluates to true if the specified hash of expected value is included in any of the merkle roots posted in the data feed from addresses "ADDRESS1", "ADDRESS2", … Using this syntax, FedEx would only periodically post merkle roots of all shipments completed since the previous posting. To spend from this address, the merchant would have to provide the merkle path that proves that the specified value is indeed included in the corresponding merkle tree. The merkle path is supplied as one of the authentifiers.
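How the merchant's merkle path could be checked, as an added example that is not from the paper or Byteball's own code. The tree layout (SHA-256 in base64, pairs concatenated, an unpaired node hashed with itself), the proof shape, the 32-sibling bound and the tracking numbers are assumptions made for the illustration; the paper does not specify them.

```javascript
const { createHash } = require('crypto');

const h = (text) => createHash('sha256').update(text, 'utf8').digest('base64');

// ASSUMED tree layout: leaves are h(value); a parent is h(left + right);
// a node without a right sibling is paired with itself.
// This toy layout has no leaf/inner-node domain separation.
function buildLevels(values) {
  if (values.length === 0) throw new Error('cannot build a tree with no values');
  const levels = [values.map(h)];
  while (levels[levels.length - 1].length > 1) {
    const below = levels[levels.length - 1];
    const above = [];
    for (let i = 0; i < below.length; i += 2) {
      above.push(h(below[i] + (below[i + 1] ?? below[i])));
    }
    levels.push(above);
  }
  return levels;
}

const merkleRoot = (values) => buildLevels(values).pop()[0];

// Built by whoever holds the full list of values: the sibling hashes on the
// way from leaf `index` up to the root.
function merkleProof(values, index) {
  if (!Number.isInteger(index) || index < 0 || index >= values.length) {
    throw new Error('leaf index out of range');
  }
  const levels = buildLevels(values);
  const siblings = [];
  let i = index;
  for (const level of levels.slice(0, -1)) {
    siblings.push(level[i ^ 1] ?? level[i]);
    i >>= 1;
  }
  return { index, siblings };
}

// Validator side: recompute the root from the leaf hash and the supplied path.
function rootFromProof(leafHash, proof) {
  let node = leafHash;
  let i = proof.index;
  for (const sibling of proof.siblings) {
    node = i & 1 ? h(sibling + node) : h(node + sibling);
    i >>= 1;
  }
  return node;
}

// ["in merkle", [oracles, feedName, expectedHash]]; the proof comes from the authentifiers,
// so it is untrusted input and its size is bounded before any hashing is done.
function inMerkle([oracles, feedName, expectedHash], proof, stablePosts) {
  if (!proof || !Number.isInteger(proof.index) || !Array.isArray(proof.siblings)) return false;
  if (proof.siblings.length > 32 || proof.siblings.some((s) => typeof s !== 'string')) return false;
  const root = rootFromProof(expectedHash, proof);
  return stablePosts.some((post) => oracles.includes(post.author) && post.payload[feedName] === root);
}

function demo() {
  const delivered = ['123452', '123453', '123454', '123455', '123456']; // constructed tracking numbers
  const stablePosts = [
    { author: 'FEDEX ADDRESS', payload: { tracking: merkleRoot(delivered) } },
    { author: 'SOMEONE ELSE', payload: { tracking: merkleRoot(['999999']) } },
  ];
  const condition = [['FEDEX ADDRESS'], 'tracking', h('123456')];
  const proof = merkleProof(delivered, delivered.indexOf('123456'));
  return {
    delivered: inMerkle(condition, proof, stablePosts),
    // A root posted by an address that is not a listed oracle must not count.
    rootFromStranger: inMerkle([['FEDEX ADDRESS'], 'tracking', h('999999')], { index: 0, siblings: [] }, stablePosts),
    tamperedPath: inMerkle(condition, { index: proof.index, siblings: proof.siblings.slice().reverse() }, stablePosts),
  };
}
```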

21.1.9. Self-inspection

A definition can also include queries about the unit itself. This subdefinition

    ['has', {
        what: 'input'|'output',
        asset: 'assetID in base64 or "base" for bytes',
        type: 'transfer'|'issue',
        own_funds: true,
        amount_at_least: 123,
        amount_at_most: 123,
        amount: 123,
        address: 'INPUT OR OUTPUT ADDRESS IN BASE32'
    }]

evaluates to true if the unit has at least one input or output (depending on the ‘what’ field) that passes all the specified filters, with all filters being optional.

A similar condition ‘has one’ requires that there is exactly one input or output that passes the filters.

The ‘has’ condition can be used to organize a decentralized exchange. Previously, we discussed the use of multilateral signing to exchange assets. However, multilateral signing alone doesn’t include any mechanism for price negotiation. Assume that a user wants to buy 1,200 units of another asset for which he is willing to pay no more than 1,000 bytes. Also, he is not willing to stay online all the time while he is waiting for a seller. He would rather just post an order at an exchange and let it execute when a matching seller comes along. He can create a limit order by sending 1,000 bytes to an address defined by this definition:

    ["or", [
        ["address", "USER ADDRESS"],
        ["and", [
            ["address", "EXCHANGE ADDRESS"],
            ["has", {
                what: "output",
                asset: "ID of alternative asset",
                amount_at_least: 1200,
                address: "USER ADDRESS"
            }]
        ]]
    ]]

The first or-alternative lets the user take back his bytes whenever he likes, thus cancelling the order. The second alternative delegates the exchange the right to spend the funds, provided that another output on the same unit pays at least 1,200 units of the other asset to the user’s address. The exchange would publicly list the order, a seller would find it, compose a unit that exchanges assets, and multilaterally sign it with the exchange.

One can also use the ‘has’ condition for collateralized lending. Assume a borrower holds some illiquid asset and needs some bytes (or another liquid asset). The borrower and a lender can then multilaterally sign a unit. One part of the unit sends the bytes he needs to the borrower, the other part of the unit locks the illiquid asset into an address defined by:

    ["or", [
        ["and", [
            ["address", "LENDER ADDRESS"],
            ["in data feed", [["TIMESTAMPER ADDRESS"], "datetime", ">", "2017-06-01 00:00:00"]]
        ]],
        ["and", [
            ["address", "BORROWER ADDRESS"],
            ["has", {
                what: "output",
                asset: "base",
                amount: 10000,
                address: "LENDER ADDRESS"
            }]
        ]],
        ["and", [
            ["address", "LENDER ADDRESS"],
            ["address", "BORROWER ADDRESS"]
        ]]
    ]]

The first or-alternative allows the lender to seize the collateral if the loan is not paid back in time. The second alternative allows the borrower to take back the collateral if he also makes a payment of 10,000 bytes (the agreed loan size including interest) to the lender. The third alternative allows the parties to amend the terms if they both agree.

The following requirement can also be included in a subdefinition:

    ['has equal', {
        equal_fields: ['address', 'amount'],
        search_criteria: [
            {what: 'output', asset: 'asset1', address: 'BASE32'},
            {what: 'input', asset: 'asset2', type: 'issue', own_funds: true, address: 'ANOTHERBASE32'}
        ]
    }]

It evaluates to true if there is at least one pair of inputs or outputs that satisfy the search criteria (the first element of the pair is searched by the first set of filters; the second by the second) and some of their fields are equal.

A similar condition ‘has one equal’ requires that there is exactly one such pair.

Another subdefinition may compare the sum of inputs or outputs filtered according to certain criteria to a target value or values:

    ['sum', {
        filter: {
            what: 'input'|'output',
            asset: 'asset or base',
            type: 'transfer'|'issue',
            own_funds: true,
            address: 'ADDRESS IN BASE32'
        },
        at_least: 120,
        at_most: 130,
        equals: 123
    }]
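The ‘has’, ‘has one’ and ‘sum’ filters applied to the limit-order scenario above, as an added example that is not from the paper or Byteball's own code. The units are constructed (fees ignored), inputs are assumed to be already resolved to the address and amount of the outputs they spend, the own_funds filter is left out, and the asset ID, order address and seller address are placeholders.

```javascript
const FILTER_KEYS = ['what', 'asset', 'type', 'address', 'amount', 'amount_at_least', 'amount_at_most'];
const ASSET = 'ASSET ID (placeholder)';

// Flatten all payment messages of a unit into one list of inputs and outputs.
// ASSUMPTION: each input already carries the address and amount of the output it spends.
function entries(unit) {
  const list = [];
  for (const message of unit.messages) {
    if (message.app !== 'payment') continue;
    const asset = message.payload.asset || 'base'; // payments in bytes carry no asset field
    for (const input of message.payload.inputs) {
      list.push({ what: 'input', asset, type: input.type || 'transfer', address: input.address, amount: input.amount });
    }
    for (const output of message.payload.outputs) {
      list.push({ what: 'output', asset, address: output.address, amount: output.amount });
    }
  }
  return list;
}

// Every filter is optional; an entry passes when all filters that are present match.
function passes(entry, filter) {
  const exact = ['what', 'asset', 'type', 'address', 'amount'];
  if (exact.some((key) => key in filter && entry[key] !== filter[key])) return false;
  if ('amount_at_least' in filter && !(entry.amount >= filter.amount_at_least)) return false;
  if ('amount_at_most' in filter && !(entry.amount <= filter.amount_at_most)) return false;
  return true;
}

function matching(unit, filter) {
  for (const key of Object.keys(filter)) {
    // Fail closed: a filter this example does not implement (own_funds included) is an error,
    // never a silently ignored condition.
    if (!FILTER_KEYS.includes(key)) throw new Error('unsupported filter: ' + key);
  }
  return entries(unit).filter((entry) => passes(entry, filter));
}

const has = (unit, filter) => matching(unit, filter).length >= 1;
const hasOne = (unit, filter) => matching(unit, filter).length === 1;

function sum(unit, { filter, at_least, at_most, equals }) {
  const total = matching(unit, filter).reduce((acc, entry) => acc + entry.amount, 0);
  return (at_least === undefined || total >= at_least) &&
         (at_most === undefined || total <= at_most) &&
         (equals === undefined || total === equals);
}

// The 'has' subcondition of the limit order, and a looser filter for use with 'sum'.
const ORDER_FILTER = { what: 'output', asset: ASSET, amount_at_least: 1200, address: 'USER ADDRESS' };
const USER_RECEIPTS = { what: 'output', asset: ASSET, address: 'USER ADDRESS' };

// Constructed exchange unit: the order's 1,000 bytes go to the seller, and the seller
// pays the user in the other asset, split into the given output amounts.
function exchangeUnit(assetAmounts) {
  const total = assetAmounts.reduce((acc, amount) => acc + amount, 0);
  return { messages: [
    { app: 'payment', payload: {
      inputs: [{ address: 'ORDER ADDRESS', amount: 1000 }],
      outputs: [{ address: 'SELLER ADDRESS', amount: 1000 }] } },
    { app: 'payment', payload: {
      asset: ASSET,
      inputs: [{ address: 'SELLER ADDRESS', amount: total }],
      outputs: assetAmounts.map((amount) => ({ address: 'USER ADDRESS', amount })) } },
  ] };
}
```

Note that `has` tests each output on its own: a unit paying the user 600 + 600 fails the order's `amount_at_least: 1200` filter, while a `sum` over the same outputs reaches 1,200.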

21.1.10. Negation

Any condition that does not include “sig”, “hash”, “address”, “cosigned by”, or “in merkle” can be negated:

    ["not", ["in data feed", [["NOAA ADDRESS"], "wind_speed", ">", "200"]]]

Since it is legal to select very old parents (that didn’t see the newer data feed posts), one usually combines negative conditions such as the above with the requirement that the timestamp is after a certain date.
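The data feed conditions of section 21.1.7 and the stale-parent caveat above, as an added example that is not from the paper or Byteball's own code. It assumes a constructed list of oracle posts tagged with the main chain index (mci) at which they became stable, models “address” as simple membership in the set of signers, and compares values numerically when both sides parse as numbers and as strings otherwise; the paper does not define the comparison rule.

```javascript
// Operators that may not appear under "not" (section 21.1.10).
const NOT_NEGATABLE = ['sig', 'hash', 'address', 'cosigned by', 'in merkle'];

function compare(actual, operator, expected) {
  const a = Number(actual), b = Number(expected);
  const numeric = !Number.isNaN(a) && !Number.isNaN(b); // ASSUMED comparison rule
  const [x, y] = numeric ? [a, b] : [String(actual), String(expected)];
  switch (operator) {
    case '=': return x === y;
    case '!=': return x !== y;
    case '>': return x > y;
    case '>=': return x >= y;
    case '<': return x < y;
    case '<=': return x <= y;
    default: throw new Error('unknown comparison operator: ' + operator);
  }
}

// True when the definition uses any of the listed operators, at any depth.
function mentions(def, ops) {
  const [op, args] = def;
  if (ops.includes(op)) return true;
  if (op === 'and' || op === 'or') return args.some((d) => mentions(d, ops));
  return op === 'not' && mentions(args, ops);
}

// ctx.signers: addresses whose own definitions were satisfied for this unit (simplification).
// ctx.lastBallMci: only posts that were stable at or before the unit's last ball are visible.
function evaluate(def, ctx) {
  const [op, args] = def;
  switch (op) {
    case 'and': return args.every((d) => evaluate(d, ctx));
    case 'or': return args.some((d) => evaluate(d, ctx));
    case 'address': return ctx.signers.includes(args);
    case 'not':
      if (mentions(args, NOT_NEGATABLE)) throw new Error('this condition cannot be negated');
      return !evaluate(args, ctx);
    case 'in data feed': {
      const [oracles, name, operator, expected] = args;
      return ctx.posts.some((post) =>
        post.mci <= ctx.lastBallMci && oracles.includes(post.author) &&
        Object.prototype.hasOwnProperty.call(post.payload, name) &&
        compare(post.payload[name], operator, expected));
    }
    default: throw new Error('unsupported operator: ' + op);
  }
}

// Constructed stable history of data feed posts.
const POSTS = [
  { mci: 10, author: 'EXCHANGE ADDRESS', payload: { EURUSD: '1.1420' } },
  { mci: 20, author: 'EXCHANGE ADDRESS', payload: { EURUSD: '1.1512' } },
  { mci: 30, author: 'TIMESTAMPER ADDRESS', payload: { datetime: '2016-10-02 00:00:00' } },
  { mci: 40, author: 'NOAA ADDRESS', payload: { wind_speed: '210' } },
  { mci: 50, author: 'TIMESTAMPER ADDRESS', payload: { datetime: '2016-11-02 00:00:00' } },
];

// The binary option from section 21.1.7.
const BINARY_OPTION = ['or', [
  ['and', [['address', 'ADDRESS 1'],
           ['in data feed', [['EXCHANGE ADDRESS'], 'EURUSD', '>', '1.1500']]]],
  ['and', [['address', 'ADDRESS 2'],
           ['in data feed', [['TIMESTAMPER ADDRESS'], 'datetime', '>', '2016-10-01 00:00:00']]]],
]];

// The negated condition alone, and combined with a "not before this date" requirement.
const NO_STORM = ['not', ['in data feed', [['NOAA ADDRESS'], 'wind_speed', '>', '200']]];
const NO_STORM_AFTER_NOV = ['and', [
  NO_STORM,
  ['in data feed', [['TIMESTAMPER ADDRESS'], 'datetime', '>', '2016-11-01 00:00:00']],
]];

function canSpend(definition, signer, lastBallMci) {
  return evaluate(definition, { signers: [signer], lastBallMci, posts: POSTS });
}
```

With a last ball at mci 35, `NO_STORM` alone is satisfied even though the oracle's post exists at mci 40; `NO_STORM_AFTER_NOV` is not, because the timestamp it requires only becomes visible with a last ball that also sees the storm post.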

21.2. General requirements

Address definition must have at least one “sig”, explicitly or implicitly (such as through an “address”).

To avoid consuming too many resources for validation, the total number of operations is limited to 100 per definition, including operations in referenced definitions such as “address” and “definition template”.

This number is one of just 9 arbitrary constants that we have in Byteball, the other 8 being: total number of witnesses: 12; max allowed mutations: 1; max number of MC indexes for a witness to get paid: 100; number of parents counted for header size: 2; max number of messages per unit: 128; max number of inputs or outputs per message: 128; max number of authors per unit: 16; and total money supply: 10^15. For comparison, Bitcoin has at least 17 constants [8], while Ethereum defines 30 constants for fee schedule alone [9].

Note that the definition language described above is declarative and consists entirely of Boolean statements, which puts it closer to the language of conventional legal contracts. However, in terms of its expressive power, the language does not come anywhere close to Ethereum smart contracts language. In fact, it doesn’t even allow for a trivial ‘Hello world’ program to be written. This was not our goal. The Byteball definition language was not designed to be comprehensive; rather, it is designed to be comprehensible to the greatest possible number of people, who are not necessarily programmers. Its straightforward syntax allows everyone to interpret and compose simple definitions without the help of a developer (a “lawyer” for the era of smart contracts), and chances of mistakes are minimized.

22. Profiles

Users can store their profiles on Byteball if they want. They use a message like this:

    unit: {
        …
        messages: [
            …
            {
                app: "profile",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    name: "Joe Average",
                    emails: ["[email protected]", "[email protected]"],
                    twitter: "joe"
                }
            },
            …
        ],
        …
    }

The amount of data they disclose about themselves, as well as its veracity, is up to the users themselves. To be assured that any particular information about a user is true, one has to look for attestations.

23. Attestations

Attestations confirm that the user who issued the attestation (the attestor) verified some data about the attested user (the subject). Attestations are stored in messages like this:

    unit: {
        …
        messages: [
            …
            {
                app: "attestation",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    address: "ADDRESS OF THE SUBJECT",
                    profile: {
                        name: "Joe Average",
                        emails: ["[email protected]"]
                    }
                }
            },
            …
        ],
        …
    }

The information included in the attestation need not be the same as in the user’s self-published profile. Indeed, the self-published profile might not even exist at all.

The job of attestors is similar to that of modern certification authorities who verify the real-world identities of subjects and certify that a particular public key (or Byteball address) does belong to a person or organization. We expect them to continue the same activity in Byteball and charge a fee from those who want to prove a link between their real-world and Byteball identities. Witnesses and would-be witnesses will likely want to receive some attestations to increase their trust. Certain asset types may require attestations to transact with the asset (see below).

For applications where an attestation is required but the name of the subject is not important, it is possible to omit the name or other personally identifiable information in the attested profile. The attested profile may even not include any meaningful information about the subject at all, thus leaving him anonymous to everybody but the attestor. The attestor will still keep records about the subject and may disclose them under certain circumstances, as specified in the attestor’s terms or if required by law.

24. Assets

We have designed a database that allows immutable storage of any data. Of all classes of data, the most interesting for storage in a common database are those that have social value, i.e. the data that is valuable for more than one or two users. One such class is assets. Assets can be owned by anybody among a large number of people, and the properties of immutability and total ordering of events that we have in Byteball are very important for establishing the validity of long chains of ownership transfers. Assets in Byteball can be issued, transferred, and exchanged, and they behave similarly to the native currency ‘bytes’. They can represent anything that has value, for example debt, shares, loyalty points, airtime minutes, commodities, other fiat or cryptocurrencies.

To define a new asset, the defining user sends a message like this:

    unit: {
        messages: [
            …
            {
                app: "asset",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    cap: 1000000,
                    is_private: false,
                    is_transferrable: true,
                    auto_destroy: false,
                    fixed_denominations: false,
                    issued_by_definer_only: true,
                    cosigned_by_definer: false,
                    spender_name_attested: true,
                    attestors: [
                        "2QLYLKHMUG237QG36Z6AWLVH4KQ4MEY6",
                        "X5ZHWBYBF4TUYS35HU3ROVDQJC772ZMG"
                    ]
                }
            },
            …
        ],
        …
    }

Here:

• cap is the maximum amount that can be issued. For comparison with the predefined native currency bytes, the bytes cap is 10^15;

• is_private indicates if the asset is transferred privately or publicly (see below). Bytes are public;

• is_transferrable indicates if the asset can be transferred between third parties without passing through the definer of the asset. If not transferrable, the definer must always be either the only sender or the only receiver of every transfer. Bytes are transferrable;

• auto_destroy indicates if the asset is destroyed when it is sent to the definer. Bytes are not auto-destroyed;

• fixed_denominations indicates if the asset can be sent in any integer amount (arbitrary amounts) or only in fixed denominations (e.g. 1, 2, 5, 10, 20, etc), which is the case for paper currency and coins. Bytes are in arbitrary amounts;

• issued_by_definer_only indicates if the asset can be issued by definer only. For bytes, the entire money supply is issued in the genesis unit;

• cosigned_by_definer indicates if every transfer must be cosigned by the definer of the asset. This is useful for regulated assets. Transfers in bytes needn’t be cosigned by anybody;

• spender_attested indicates if the spender has to be attested in order to spend. If he happened to receive the asset but is not yet attested, he has to pass attestation with one of the attestors listed under the definition, in order to be able to spend. This requirement is also useful for regulated assets. Bytes do not require attestation;

• attestors is the list of attestor addresses recognized by the asset definer (only if spender_attested is true). The list can be later amended by the definer by sending an ‘asset_attestors’ message that replaces the list of attestors;

• denominations (not shown in this example and used only for fixed_denominations assets) lists all allowed denominations and total number of coins of each denomination that can be issued;

• transfer_condition is a definition of a condition when the asset is allowed to be transferred. The definition is in the same language as the address definition, except that it cannot reference anything that requires an authentifier, such as “sig”. By default, there are no restrictions apart from those already defined by other fields;

• issue_condition is the same as transfer_condition but for issue transactions.

There can be no more than 1 ‘asset’ message per unit. After the asset is defined, it is identified by the hash of the unit where it was defined (hence the 1 asset per unit requirement).

A transfer of an asset looks like a transfer of bytes, the difference being that there is an extra field for the asset ID:

    unit: {
        …
        messages: [
            …
            {
                app: "payment",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    asset: "hash of unit where the asset was defined",
                    inputs: [
                        {
                            unit: "hash of source unit",
                            message_index: 0,
                            output_index: 1
                        },
                        …
                    ],
                    outputs: [
                        {
                            address: "BENEFICIARY ADDRESS",
                            amount: 12345
                        },
                        …
                    ]
                }
            },
            …
        ],
        …
    }

Before it can be transferred, an asset is created when a user sends an issue transaction. Issue transactions have a slightly different format for inputs:

    unit: {
        …
        messages: [
            …
            {
                app: "payment",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    asset: "hash of unit where the asset was defined",
                    inputs: [
                        {
                            type: "issue",
                            amount: 1000000,
                            serial_number: 1,
                            address: "ISSUER ADDRESS" // only when multi-authored
                        },
                        …
                    ],
                    outputs: [
                        {
                            address: "BENEFICIARY ADDRESS",
                            amount: 12345
                        },
                        …
                    ]
                }
            },
            …
        ],
        …
    }

The entire supply of capped arbitrary-amounts assets must be issued in a single transaction. In particular, all bytes are issued in the genesis unit. If the asset is capped, the serial number of the issue must be 1. If it is not capped, the serial numbers of different issues by the same address must be unique.

An asset is defined only once and cannot be amended later, only the list of attestors can be amended.

It’s up to the definer of the asset what this asset represents. If it is issuer’s debt, it is reasonable to expect that the issuer is attested or waives his anonymity to earn the trust of the creditors.

While end users are free to use or not to use an asset, asset definers can impose any requirements on transactions involving the asset.

By combining various asset properties the definer can devise assets that satisfy a wide range of requirements, including those that regulated financial institutions have to follow. For example, by requiring that each transfer be cosigned by the definer, financial institutions can effectively veto all payments that contradict any regulatory or contractual rules. Before cosigning each payment, the financial institution (who is also the definer and the issuer) would check that the user is indeed its client, that the recipient of the funds is also a client, that both clients have passed all the Know Your Client (KYC) procedures, that the funds are not arrested by a court order, as well as carry out any other checks required by the constantly changing laws, regulations, and internal rules, including those that were introduced after the asset was defined.

24.1. Bank issued assets

Having the security of being fully compliant (and also assured in the familiar deterministic finality of all funds transfers), banks can issue assets that are pegged to national currencies and backed by the bank’s assets (which are properly audited and monitored by the central banks). The legal nature of any operations with such assets is exactly the same as with all other bank money, and is familiar to everybody. The only novelty is that the balances and transfers are tracked in Byteball database instead of the bank’s internal database. Being tracked in Byteball database has two consequences:

• (a not so welcome one) all operations are public, which is familiar from Bitcoin and mitigated by using multiple semi-anonymous addresses of which only the bank knows the real persons behind the addresses. Another more robust way to preserve privacy is private payments, which we’ll discuss later;

• (a good one) the bank-issued asset can be exchanged for bytes or other assets on-chain, in a peer-to-peer manner, without having to trust any third parties such as exchanges.

The banks here are similar to Ripple gateways.

In the exchange scenario above, one leg of the exchange is payment from one user to another user in a bank-issued asset. If both users are clients of the same bank, this process is straightforward. When users hold accounts at different banks, the banks may facilitate the interbank transfers by opening correspondent accounts at each other. Let’s assume user U1 wants to transfer money to user U2 in circumstances where user U1 holds an account at bank B1 and user U2 holds an account at bank B2. Bank B2 also opens an account at B1. U1 then transfers the money to B2’s account at B1 (it is an internal bank transfer within B1 which is cosigned by B1). At the same time, B2 (which has just increased its assets at B1) issues new money to its user U2. All this must be atomic. All three participants: (U1, B1, and B2) must therefore sign a single unit that both transfers B1’s money from U1 to B2 and issues B2’s money to U2.

The net result is that U1 decreased his balance at B1, U2 increased his balance at B2, and B2 increased his balance at B1. The bank B1 will also have a correspondent account at B2, the balance of which will grow as reverse payments are processed from users of B2 to users of B1. The mutual obligations (B1 at B2 and B2 at B1) can be partially cancelled by the banks mutually signing a transaction that sends equal amounts to the respective issuer (it is convenient to have the money auto-destroyed by sending it to the issuer). What is not cancelled can be periodically settled through traditional interbank payments. To trigger the settlement, the bank with a positive net balance sends his balance to the issuer bank, and since there is no reverse transfer in the same transaction, this triggers a traditional payment in fiat money from the issuer to the holder bank.

When there are many banks, setting up direct correspondent relations with each peer bank can be cumbersome. In such instances, the banks agree about a central counterparty C (a large member bank or a new institution) and pass all payments exclusively through this central counterparty and settle only with it. The same transfer from U1 to U2 will then consist of 3 transactions:

1. U1 sends money to C’s account at B1;

2. C issues own money to B2 (or C destroys B2’s money it held by returning it to B2);

3. B2 issues its own money to U2.

All 3 transactions are bundled into a single unit and signed by U1, B1 (as the required cosigner for all U1’s transactions), C, and B2.

24.2. Non-financial assets

Other applications that are not necessarily financial can use Byteball assets internally. For example, loyalty programs may issue loyalty points as assets and use Byteball’s existing infrastructure to allow people to transact in these points, including peer-to-peer (if allowed by the program’s rules). The same is true for game developers, who can track game assets on Byteball.

24.3. Bonds

Businesses can issue bonds on Byteball. The legal structure of the issue is the same as for conventional bonds, the only difference being that the depository will now track bond ownership using Byteball rather than an internal database (similar to banks above). Having bonds in Byteball enables their holders to trade directly, without a centralized exchange. When bank money is also on Byteball, an instant delivery versus payment (a fiat payment in this context) becomes possible, without counterparty risk and without any central institution. The title to the bond and payment are exchanged simultaneously as the parties sign the same unit that performs both transfers.

Bonds, if liquid enough, can also be used by third parties as a means of payment.

When a bond is issued, the issuer and the investor would multilaterally sign a common unit that sends the newly issued bonds to the investor and at the same time sends bytes (or another asset used to purchase the bonds, such as a bank-issued fiat-pegged asset) from the investor to the borrower. When the bond is redeemed, they sign another multilateral unit that reverses the exchange (most likely, at a different exchange rate). The price of the bond paid during redemption is its face value, while the price it is sold for when issued must be lower than the face value to reflect interest (assuming zero coupon bond for simplicity). During its lifetime, the secondary market price of the bond stays below face value and gradually approaches it.

In a growing economy where there are many projects to finance, bonds and other debt issued on Byteball to finance investment will be issued more often than they are redeemed. When the economy slows down, the total supply of all bonds shrinks, as there are fewer projects to finance. Thus, the total supply of bonds self-regulates, which is important if they are actively used as a means of payment.

If two businesses transact on net-30 terms, both buyer and seller have the option to securitize the trade credit during the 30-day period. For example, the buyer can issue 30-day bonds and use them to pay the seller immediately. The seller can then either wait for the 30 days to pass and redeem the bonds, or use the bonds as a means of payment to its own suppliers. In this case, it will be the suppliers who redeem the bonds when they mature.

24.4. Commodity bonds

Bonds can be issued in natural units, not just in currencies. For example, a 100-barrel bond entitles its holder to receive 100 barrels of oil when the bond matures; a 1 kWh bond entitles the holder to receive 1 kWh of electricity. The holder may also choose to receive the monetary equivalent of the 100 barrels or 1 kWh at the price that is current on the maturity date.

Such bonds (commodity bonds) are in fact very useful for hedging risks. Consider a new oil project that takes many years and large investment before it even starts commercial operation. If financing is sought only in national currencies, the project may never be financed because of uncertain oil prices at the time the new facility starts selling oil. The creditors have to consider the risk that the price will be too low, and as a result the borrower will have to default. Creditors want the risk priced into the interest rate, which means the interest rate becomes too high, and the project never happens.

However, if the project operator could borrow in barrels, the risk of default drastically decreases. Now, the project will likely start as planned and will likely produce the planned volume of oil. It will hence be able to produce and repay all the borrowed barrels within the specified time. There are still other risks, but one huge risk – the market risk – is removed. It is removed from the borrower but shifted to the lenders who now have to consider the chances that oil prices go down and they receive less (in currency terms) than invested. On the other hand, if the prices go up, the lenders get additional profit from the price difference (note that by borrowing in barrels, the borrower waives this upside potential), and there are always investors willing to take a position in a commodity. Since the bond is traded on Byteball, the lenders can easily sell it whenever they like. Unlike oil futures, whose trading is a zero-sum game, the investment in commodity bonds does finance the industry. Also, oil futures are a short-term instrument, while commodity bonds allow one to buy and hold, which is more suitable to long term investors.

There is another category of potential lenders – those who hedge against the opposite risk. For example, airlines would like to hedge against an increase of oil prices, and one way to do that is by buying commodity bonds of oil producing companies, which one expects to correlate with oil prices.

The above is true for any commodity, e.g. electricity, iron ore, gold, other metals, crops, etc.

From the borrower’s perspective, commodity bonds can be thought of as a way to sell future production at today’s prices. For the lender, it is a way to buy future supplies at today’s prices.

If a substantial part of the economy runs on commodity bonds, the leverage cycle is naturally smoothed out even without government intervention since during recessions falling commodity prices automatically reduce the amount of debt.


24.5. Funds

For individual users, it might be difficult to track the huge number of bonds that are available on the market. Instead, they would rather choose to invest in funds that are professionally managed and hold a large diversified portfolio of bonds. The fund would issue its own asset that tracks the aggregate value of the fund’s portfolio. Every time an investor buys a newly issued asset of the fund, the fund would use the proceeds to buy bonds. When a user exits, the fund sells some of the bonds it held and destroys the fund-issued assets returned by the user. The fund’s asset is not capped; its total supply varies as investors enter and exit. Its value is easily auditable as all the bonds held by the fund are visible on Byteball. Being more liquid than the underlying bonds, the fund’s asset has higher chances of becoming a means of payment.

24.6. Settlements

A group of banks can use assets for interbank settlements. Some of the larger banks issue fiat-pegged assets that can only be used by attested users, and only group members can be attested. The asset is backed by the issuing bank’s reserves. When a smaller bank wants to settle with another smaller bank, it just sends the asset. The receiving bank can use the asset in the same way to settle with other banks, or redeem it for fiat currency with the issuing bank. The banks can also exchange USD-pegged assets for EUR-pegged assets or similar. All such transfers and trades are settled immediately, they are final and irrevocable. In SWIFT, banks exchange only information about payments, while the actual transfer of money is a separate step. In Byteball, information is money.

25. Private payments

So far, we have considered only payments that are sent in the open, i.e. their payloads are included inline and visible to everybody. Remember that Byteball allows the posting of private payloads: the user keeps the payload private (payload_location=’none’) but posts only its hash to be able to prove that the payload existed at a specific time. To apply that to payments, the sender of the funds also needs to send the private payload to the recipient via private communication channels. The recipient would need to look up the payload hash in Byteball to confirm that it existed. However, that is not enough as having concealed the payload content from other Byteball nodes we also removed their ability to verify that the same output is not spent twice. To restore this ability, we add an additional public field into the unit. This field is called spend proof, and it is constructed in such a way that:

• it depends solely on the output being consumed, so that an attempt to spend the same output again will produce the same spend proof;
• it doesn’t reveal anything about the output being spent.

It is easy to see that this construction satisfies the above requirements:

    spend_proof = hash({
        asset: payload.asset,
        unit: input.unit,
        message_index: input.message_index,
        output_index: input.output_index,
        address: src_output.address,
        amount: src_output.amount,
        blinding: src_output.blinding
    })

Here, payload.asset is the ID of the asset being privately transferred, input refers to the input that consumes a previous output src_output. Private outputs should have an extra field called blinding, which is just a random string designed to make it impossible to pre-image the consumed output knowing its spend proof (all the other fields come from a rather narrow set of possible values that can be iterated through within a reasonable time frame).

The above spend proof construction applies to transfers. For issues:

    spend_proof = hash({
        asset: payload.asset,
        address: "ISSUER ADDRESS",
        serial_number: input.serial_number, // always 1 for capped assets
        amount: input.amount, // issue amount
        denomination: 1 // always 1 for arbitrary-amounts payments
    })

Note that the spend proof for an issue transaction does not include any blinding factor. As such it is possible to learn that a coin was issued, but the recipient of the coin is still hidden from third parties. Also, for transfer transactions, since the payer knows the blinding factor, he can calculate the spend proof that’ll be published when the coin is spent. This means that he can know when the payee spends the coin, but he will not see the recipient(s) nor the new blinding factor(s) – and hence will not be able to track the coin any further.

Spend proofs are added into the unit:

    unit: {
        …
        spend_proofs: [
            {
                spend_proof: "the above hash in base64",
                address: "SPENDING ADDRESS" // only if multi-authored
            },
            …
        ],
        …
    }

Thus, to send a private payment, the sending user should:

• add a random blinding factor to each output;
• not publish the payload but send it to the payee privately, along with the hash of the unit where this payload can be found;
• for each input, add the corresponding spend proof into the unit.

All validators should reject a unit if they see the same spend proof posted from the same address again (provided that the address posts serially, of course). The payee should check that (1) the payload he received privately does hash to payload_hash posted to Byteball by the payer and (2) the spend proofs derived from private payload inputs match those included in the unit.
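The validator and payee checks described above, as an added sketch that is not code from the white paper or the Byteball project. It assumes that hash is SHA-256 over a key-sorted JSON encoding with base64 output, that the unit has a single author held in a hypothetical author_address field, and that all values are constructed placeholders.

```javascript
const crypto = require('crypto');

// Assumption: the page writes only hash({...}); this sketch hashes a
// key-sorted JSON encoding with SHA-256 and returns base64.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v !== null && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}
const hash = (obj) =>
  crypto.createHash('sha256').update(canonical(obj)).digest('base64');

// Transfer spend proof built from the seven fields listed on the page.
function transferSpendProof(asset, input, srcOutput) {
  return hash({
    asset,
    unit: input.unit, message_index: input.message_index, output_index: input.output_index,
    address: srcOutput.address, amount: srcOutput.amount, blinding: srcOutput.blinding,
  });
}

// Sender: keep the payload private, publish only its hash and the proofs.
// author_address is a hypothetical field; a single author is assumed.
function buildPrivateUnit(authorAddress, payload, srcOutputs) {
  return {
    author_address: authorAddress,
    messages: [{ app: 'payment', payload_location: 'none', payload_hash: hash(payload) }],
    spend_proofs: payload.inputs.map((input, i) => ({
      spend_proof: transferSpendProof(payload.asset, input, srcOutputs[i]),
    })),
  };
}

// Validator: reject a unit that repeats a spend proof from the same address.
class SpendProofIndex {
  constructor() { this.seen = new Set(); }
  accept(unit) {
    const keys = unit.spend_proofs.map(
      (p) => (p.address || unit.author_address) + '|' + p.spend_proof);
    if (new Set(keys).size !== keys.length) return false; // repeated inside the unit
    if (keys.some((k) => this.seen.has(k))) return false; // seen in an earlier unit
    keys.forEach((k) => this.seen.add(k));
    return true;
  }
}

// Payee: checks (1) and (2) from the paragraph above.
function payeeCheck(unit, payload, srcOutputs) {
  if (unit.messages[0].payload_hash !== hash(payload)) return 'payload_hash mismatch';
  const published = new Set(unit.spend_proofs.map((p) => p.spend_proof));
  const missing = payload.inputs.findIndex((input, i) =>
    !published.has(transferSpendProof(payload.asset, input, srcOutputs[i])));
  return missing === -1 ? 'ok' : 'spend proof missing for input ' + missing;
}

// Constructed sample data (placeholders, not real units or addresses).
const blind = () => crypto.randomBytes(12).toString('base64');
const src = { address: 'PAYER_ADDRESS', amount: 1000, blinding: blind() };
const input = { unit: 'SOURCE_UNIT_HASH', message_index: 0, output_index: 1 };
const payloadTo = (payee) => ({
  asset: 'ASSET_ID', inputs: [input],
  outputs: [{ address: payee, amount: 1000, blinding: blind() }],
});
const payloadA = payloadTo('PAYEE_A');
const payloadB = payloadTo('PAYEE_B'); // second attempt to spend the same output
const unitA = buildPrivateUnit('PAYER_ADDRESS', payloadA, [src]);
const unitB = buildPrivateUnit('PAYER_ADDRESS', payloadB, [src]);
const index = new SpendProofIndex();
console.log('accepted:', index.accept(unitA), index.accept(unitB), '| payee:', payeeCheck(unitA, payloadA, [src]));
```

The two units carry different payload hashes but the same spend proof, which is all a validator needs to refuse the second one without seeing either payload.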


When a user who received a private payment wants to spend its outputs, he has to forward the private payloads he has received to the new payee, so that the new payee can verify the entire chain of ownership transfers (the history) back to the point where the asset was issued. The length of the history will grow with each transfer.

Note that with the format of payment we have considered so far, each unit can merge outputs from several previous units and produce several new outputs (most often, two). Each previous unit, in turn, depends on several even earlier units, and each output will be later split into several new outputs. Therefore, the number of future units that have at least some “blood” of the initial unit grows exponentially with time. Conversely, the number of ancestors that contribute to the unit’s inputs grows exponentially with the number of steps back in history. To avoid such rapid growth of histories, we need to limit the divisibility of the coins, and this is where an asset type with fixed_denominations property set to true proves useful.

26. Fixed denominations assets

A fixed denominations asset exists as a set of indivisible unmergeable coins, very similar to the minted coins and banknotes that everybody is familiar with.

The amount of every coin must be one of a small set of allowed denominations, which should be selected so that it is convenient to represent any practical amount with maximum accuracy and the smallest number of coins. Most modern currency systems have denominations that follow a 1-2-5 pattern: 1, 2, 5, 10, 20, 50, 100, 200, 500, etc. This pattern is also recommended for fixed denomination assets on Byteball.

The coins are initially grouped into packs, similar to packs of paper banknotes. The packs can be split into smaller subpacks or individual coins, but not re-merged. This means that each transfer must have exactly one input (because merging is disallowed), and output amounts must be multiples of the coin denomination (because the denomination is the smallest indivisible amount).

Each transaction, issue or transfer, deals with coins of only one denomination. It cannot issue or transfer coins of different denominations at the same time (but each storage unit can include multiple such transactions). A fixed denominations transaction has almost the same format as a transaction with arbitrary-amounts assets, the difference being that only one input is allowed, the amounts must be multiples of one of the denominations, and a denomination field is added:

    payload: {
        asset: "hash of unit where the asset was defined",
        denomination: 100,
        inputs: [ // exactly one input
            {
                type: "issue",
                amount: 1000000,
                serial_number: 1, // always 1 for capped assets
                address: "ISSUER ADDRESS" // only when multi-authored
            }
        ],
        outputs: [
            {
                address: "BENEFICIARY ADDRESS",
                amount: 800 // multiple of 100
            },
            {
                address: "CHANGE ADDRESS",
                amount: 999200 // multiple of 100
            }
        ]
    }

If the asset is capped, the entire supply of each denomination must be issued within a single transaction. Thus, if the asset has e.g. 16 denominations, it’ll take 16 transactions to fully issue the asset. If the asset is not capped, the serial numbers of different issues of the same denomination by the same address must be unique.

If several coins need to be issued or transferred (which is usually the case), the payer includes several such messages in the same unit. For transfers, the coin is identified by the unit, message index, and output index where it was previously transferred to the current owner.

For private payments, the payload goes separately and additionally hides the recipients of all outputs except the one that is meant for the payee:

    payload: {
        asset: "hash of unit where the asset was defined",
        denomination: 200,
        inputs: [{
            unit: "hash of source unit",
            message_index: 2,
            output_index: 0
        }],
        outputs: [
            {
                output_hash: "hash of hidden part of output that includes address and blinding factor",
                amount: 800
            },
            …
        ]
    }

The information that is open in the outputs allows the recipient to verify that the sum of all outputs does match the input. The single output that is meant for the payee is revealed to him as follows:

    output: {
        address: "BENEFICIARY ADDRESS",
        blinding: "some random string"
    }

This enables the payee to verify the output_hash as well as construct the future spend proof when he decides to spend the output.

In Byteball, we have a private fixed denominations asset blackbytes that is defined by these properties:

    {
        cap: 2,111,100,000,000,000,
        is_private: true,
        is_transferrable: true,
        auto_destroy: false,
        fixed_denominations: true,
        issued_by_definer_only: true,
        cosigned_by_definer: false,
        spender_name_attested: false,
        denominations: [
            {denomination: 1, count_coins: 10,000,000,000},
            {denomination: 2, count_coins: 20,000,000,000},
            {denomination: 5, count_coins: 10,000,000,000},
            {denomination: 10, count_coins: 10,000,000,000},
            {denomination: 20, count_coins: 20,000,000,000},
            {denomination: 50, count_coins: 10,000,000,000},
            {denomination: 100, count_coins: 10,000,000,000},
            {denomination: 200, count_coins: 20,000,000,000},
            {denomination: 500, count_coins: 10,000,000,000},
            {denomination: 1000, count_coins: 10,000,000,000},
            {denomination: 2000, count_coins: 20,000,000,000},
            {denomination: 5000, count_coins: 10,000,000,000},
            {denomination: 10000, count_coins: 10,000,000,000},
            {denomination: 20000, count_coins: 20,000,000,000},
            {denomination: 50000, count_coins: 10,000,000,000},
            {denomination: 100000, count_coins: 10,000,000,000}
        ]
    }

Note that we have double the number of 2-denomination coins because we need them more often. For example we need two 2s for amounts 4 (2+2) and 9 (5+2+2).
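An added example (not from the white paper or the Byteball code base) that applies the rules of this section: a greedy split of an amount into 1-2-5 coins, the checks on one fixed denominations message, and the payee's match of his revealed output against output_hash. The function names, the SHA-256 over JSON encoding behind output_hash and the sample values are assumptions.

```javascript
const crypto = require('crypto');

// The 16 denominations of the blackbytes definition quoted above.
const DENOMINATIONS = [1, 2, 5, 10, 20, 50, 100, 200, 500, 1000, 2000, 5000,
  10000, 20000, 50000, 100000];

// Greedy split of an amount into coins, largest denomination first.
function coinsFor(amount) {
  if (!Number.isInteger(amount) || amount <= 0) throw new RangeError('invalid amount');
  const coins = [];
  for (const d of [...DENOMINATIONS].reverse()) {
    while (amount >= d) { coins.push(d); amount -= d; }
  }
  return coins;
}

// Rules stated on the page for one fixed denominations message. For a
// transfer, sourceAmount is the amount of the single output being consumed.
function validateMessage(payload, sourceAmount) {
  const errors = [];
  const d = payload.denomination;
  if (!DENOMINATIONS.includes(d)) errors.push('denomination not allowed');
  if (!Array.isArray(payload.inputs) || payload.inputs.length !== 1) {
    return errors.concat('exactly one input required');
  }
  const input = payload.inputs[0];
  const inputAmount = input.type === 'issue' ? input.amount : sourceAmount;
  let total = 0;
  payload.outputs.forEach((o, i) => {
    if (!Number.isInteger(o.amount) || o.amount <= 0 || o.amount % d !== 0) {
      errors.push('output ' + i + ' is not a positive multiple of ' + d);
    }
    total += o.amount;
  });
  if (total !== inputAmount) errors.push('outputs do not sum to the input amount');
  return errors;
}

// Assumption: output_hash is base64 SHA-256 over JSON of the hidden part.
const outputHash = ({ address, blinding }) => crypto.createHash('sha256')
  .update(JSON.stringify({ address, blinding })).digest('base64');

// Payee: index of the output that the revealed {address, blinding} opens.
function findMyOutput(payload, revealed) {
  return payload.outputs.findIndex((o) => o.output_hash === outputHash(revealed));
}

// Constructed samples. The issue payload repeats the example on the page.
const issue = {
  asset: 'ASSET_ID', denomination: 100,
  inputs: [{ type: 'issue', amount: 1000000, serial_number: 1 }],
  outputs: [{ address: 'BENEFICIARY ADDRESS', amount: 800 },
    { address: 'CHANGE ADDRESS', amount: 999200 }],
};
const revealed = { address: 'BENEFICIARY ADDRESS', blinding: 'constructed-blinding' };
const privateTransfer = {
  asset: 'ASSET_ID', denomination: 200,
  inputs: [{ unit: 'SOURCE_UNIT_HASH', message_index: 2, output_index: 0 }],
  outputs: [{ output_hash: outputHash({ address: 'CHANGE ADDRESS', blinding: 'other' }), amount: 1200 },
    { output_hash: outputHash(revealed), amount: 800 }],
};
const merged = { ...privateTransfer, inputs: [privateTransfer.inputs[0], privateTransfer.inputs[0]] };

console.log(coinsFor(9), validateMessage(issue), validateMessage(privateTransfer, 2000),
  findMyOutput(privateTransfer, revealed), validateMessage(merged, 2000));
```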

Spend proofs for transfers and issues of private indivisible (fixed denominations) assets are exactly the same as for arbitrary-amounts assets, except that for issues the denomination is not necessarily 1.

Unlike divisible payments, each fixed denomination coin is never merged with other coins. Therefore when the coin is transferred privately, its history grows linearly with time rather than exponentially, and remains manageable (given that computing resources such as storage, bandwidth, and CPU power continue growing exponentially for the foreseeable future).

As the history grows, so does the exposure of private payloads to third parties who are future owners of the same coin. As discussed previously, the growth is rather slow, and the value of private payloads to adversaries arguably decreases with time. However, one should remember that large merchants and exchanges who send and receive many payments every day will probably accumulate very large (but still fragmented) histories. One should hence still avoid address reuse, even for private payments.

Note that in some cases third parties can infer important information even from private payments. For example, after most packs are already split into individual coins, when a user sends a large number of private payment messages in the same unit, an observer might argue that the user is sending coins of maximum denomination because to send an amount that is significantly larger than the maximum denomination, one would probably send multiple maximum denomination coins. From this, the observer might infer the approximate amount of the transfer (but nothing more). To avoid leaking such information, it is recommended to spread large amounts across multiple addresses and to send them in separate units.

The spend proof approach that we have chosen is not the only one possible. To prove to the recipient that the money he receives has not been spent before, the payer could just send him all the private payloads ever sent from his address. The payee could then check each one and verify that there are no double-spends. We chose not to go this way because it involves unnecessary privacy leakage and adds complexity to the light client code. Instead, we chose to somewhat increase space usage but make the verification simpler.

27. Texts

One can store arbitrary texts using ‘text’ message type:

    unit: {
        …
        messages: [
            …
            {
                app: "text",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: "any text"
            },
            …
        ],
        …
    }

The interpretation of the text is up to the author and his intended audience; Byteball nodes don’t validate it except to check that it is a string. One could use this message type, for example, to send inerasable tweets. The payload may be private, and it can be useful, for example, for storing hashes of users’ intellectual property or for storing hashes of contract texts that only a few parties need to know.

28. Arbitrary structured data

One can store arbitrary structured data using ‘data’ message type:

    unit: {
        …
        messages: [
            …
            {
                app: "data",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    key: "value",
                    another_key: {
                        subkey: "other value",
                        another_subkey: 232
                    }
                }
            },
            …
        ],
        …
    }

The interpretation of this data is up to the author and his partners that need to see the data; Byteball nodes don’t validate it except to check that it is an object. For example, this message type can be used to post Ethereum code for the subset of nodes who understand it, but remember that they cannot reject the unit even if the code is invalid by Ethereum rules.

Like ‘payment’ and ‘text’, ‘data’ messages can be private, in which case only its hash is stored. Continuing our Ethereum example, Ethereum contracts can be run privately if the corresponding spend proofs are also devised where necessary.

29. Voting

Anyone can set up a poll by sending a message with app=’poll’:

    unit: {
        …
        messages: [
            …
            {
                app: "poll",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    question: "Should the United Kingdom remain a member of the European Union or leave the European Union?",
                    choices: ["Leave", "Remain"]
                }
            },
            …
        ],
        …
    }

To cast votes, users send ‘vote’ messages:

    unit: {
        …
        messages: [
            …
            {
                app: "vote",
                payload_location: "inline",
                payload_hash: "hash of payload",
                payload: {
                    unit: "hash of the unit where the poll was defined",
                    choice: "Leave"
                }
            },
            …
        ],
        …
    }

Determining which votes qualify is up to the organizer of the poll. Byteball doesn’t enforce anything except the stipulation that the choices are within the allowed set. For example, the organizer might accept only votes from attested users or votes from a predetermined whitelist of users. Unqualified votes would hence still be recorded, but should be excluded by the organizer when he counts the votes.

Weighting the votes and interpreting results is also up to the organizer of the poll. If users vote by their balances, one should remember that they can move the balance to another address and vote again. Such votes should be handled properly.
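One way an organizer could count recorded votes, added here as an illustration and not taken from the white paper or Byteball code. The policy is an assumption: the first vote per address counts, and balance-weighted votes use balances from a snapshot fixed by the organizer, so that funds moved to another address afterwards add no weight.

```javascript
// Organizer-side count over recorded votes, taken in ledger order.
// Assumed policy: first vote per address counts; with snapshotBalances the
// weight is the address balance at a snapshot fixed by the organizer.
function tally(poll, votes, rules) {
  const counts = Object.fromEntries(poll.choices.map((c) => [c, 0]));
  const excluded = [];
  const voted = new Set();
  for (const v of votes) {
    let reason = null;
    if (v.payload.unit !== poll.unit) reason = 'different poll';
    else if (!poll.choices.includes(v.payload.choice)) reason = 'choice not in poll';
    else if (rules.whitelist && !rules.whitelist.has(v.address)) reason = 'not qualified';
    else if (voted.has(v.address)) reason = 'address already voted';
    if (reason) { excluded.push({ address: v.address, reason }); continue; }
    voted.add(v.address);
    counts[v.payload.choice] += rules.snapshotBalances
      ? (rules.snapshotBalances[v.address] || 0) : 1;
  }
  return { counts, excluded };
}

// Constructed data: ADDR_A votes, moves its 500 to ADDR_A2 after the
// snapshot and votes again from there; ADDR_B votes twice.
const poll = { unit: 'POLL_UNIT', choices: ['Leave', 'Remain'] };
const vote = (address, choice) => ({ address, payload: { unit: poll.unit, choice } });
const votes = [vote('ADDR_A', 'Remain'), vote('ADDR_A2', 'Remain'),
  vote('ADDR_B', 'Leave'), vote('ADDR_B', 'Remain')];
const snapshotBalances = { ADDR_A: 500, ADDR_B: 300 }; // ADDR_A2 held nothing yet

const byBalance = tally(poll, votes, { snapshotBalances });
const byWhitelist = tally(poll, votes, { whitelist: new Set(['ADDR_A', 'ADDR_B']) });
console.log(byBalance.counts, byWhitelist.counts, byWhitelist.excluded);
```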

30. Private messaging

For private payments to work, users need a way to securely deliver private payloads to each other. Users, or rather their devices, also need to communicate to assemble signatures for multi-sig addresses.

Since we cannot expect user devices to be constantly online and easily reachable (most of them will be behind NAT), we need a store-and-forward intermediary that is always online, easily reachable, and able to temporarily store any data addressed to a user device.

In Byteball, such an intermediary is called the hub, and its operation is similar to email. A hub is a Byteball node that additionally offers a service of storing and forwarding private messages to connected devices. There can be many hubs. Each device that runs a wallet code subscribes to a hub of its choice, and can be reached via this hub (the home hub). The choice of home hub can be changed at any time. Each device has a permanent private key that is unique to the device. The hash of the corresponding public key (more precisely, the hash of the single-sig definition based on this public key) is called the device address, and it is written in base32 like the payment addresses. The full device address, including its current hub, can be written as DEVICEADDRESSINBASE32@hubdomainname.com. If the device moves to another hub, [email protected], the name cannot be already “taken”.

Every device connects to its home hub using websockets. The hub sends the new messages to the device and the device stays connected to the hub, so that if a new message arrives while the device is connected the new message is delivered immediately. The hub doesn’t keep copies of the messages that were successfully accepted by the device. The connection to the hub is TLS encrypted.

When a device wants to send something to another device, it connects to the recipient’s hub and sends the message. Unlike email, there is no relay – the sender connects directly to the recipient’s hub. All communication between devices is end-to-end encrypted and digitally signed so that even the hub (who is the only man in the middle) cannot see or modify it. We use ECDSA for signing and ECDH+AES for encryption.

Before exchanging encrypted messages the devices must be paired, i.e. learn each other’s public key. This can happen in various ways, e.g. by scanning a QR code that encodes the public key and hub domain name of one of the devices, by sending this information over email, or by clicking a byteball:// link on a secure website.

For forward security, every device generates a temporary private key and uploads the corresponding public key to its home hub. Afterwards, the device rotates the key from time to time but keeps a copy of the previous key in case someone sent a message to the previous key while the hub was replacing it. The hub keeps only one version of the temporary public key per subscribed device. The sending device follows these steps to send a message:

1. connects to the recipient’s hub;
2. receives the current temporary public key of the recipient from the hub;
3. generates its own one-time ephemeral key pair;
4. derives ECDH shared secret from the recipient’s temporary public key and own ephemeral private key;
5. AES-encrypts the message using this shared secret;
6. adds its own ephemeral public key;
7. signs the package with its own permanent key; and
8. sends it to the hub.

The recipient device verifies the signature, derives ECDH secret using the peer’s ephemeral public key and own temporary private key, and decrypts the message.
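Steps 3 to 7 and the recipient's side, as an added Node.js sketch that is not Byteball's own code. The curve (P-256), the use of SHA-256 over the ECDH secret as an AES-256-GCM key, and the package field names are assumptions; the page names only ECDSA and ECDH+AES.

```javascript
const crypto = require('crypto');

// Assumptions: curve P-256, SHA-256 of the ECDH secret as the AES-256-GCM
// key, JSON field names. The page specifies only ECDSA and ECDH+AES.
const newKeyPair = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const b64 = (buf) => buf.toString('base64');
const unb64 = (s) => Buffer.from(s, 'base64');

function aesKey(privateKey, publicKey) {
  const secret = crypto.diffieHellman({ privateKey, publicKey });
  return crypto.createHash('sha256').update(secret).digest();
}

// Sender, steps 3-7. recipientTempPub is what the hub returned in step 2.
function sealMessage(text, senderPermanentPriv, recipientTempPub) {
  const ephemeral = newKeyPair();                                 // step 3
  const key = aesKey(ephemeral.privateKey, recipientTempPub);     // step 4
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);   // step 5
  const ciphertext = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const pkg = {
    ephemeral_pubkey: b64(ephemeral.publicKey.export({ type: 'spki', format: 'der' })), // step 6
    iv: b64(iv),
    ciphertext: b64(ciphertext),
    tag: b64(cipher.getAuthTag()),
  };
  const signature = crypto.sign('sha256', Buffer.from(JSON.stringify(pkg)), senderPermanentPriv); // step 7
  return { pkg, signature: b64(signature) };
}

// Recipient: verify first, then try the current and the previous temp key.
function openMessage(msg, senderPermanentPub, tempPrivateKeys) {
  const signed = Buffer.from(JSON.stringify(msg.pkg));
  if (!crypto.verify('sha256', signed, senderPermanentPub, unb64(msg.signature))) {
    throw new Error('bad signature');
  }
  const peer = crypto.createPublicKey({ key: unb64(msg.pkg.ephemeral_pubkey), type: 'spki', format: 'der' });
  for (const priv of tempPrivateKeys) {
    try {
      const d = crypto.createDecipheriv('aes-256-gcm', aesKey(priv, peer), unb64(msg.pkg.iv));
      d.setAuthTag(unb64(msg.pkg.tag));
      return Buffer.concat([d.update(unb64(msg.pkg.ciphertext)), d.final()]).toString('utf8');
    } catch (e) { /* not this temporary key, try the next one */ }
  }
  throw new Error('no temporary key decrypts this message');
}

// Constructed walk-through: Bob rotates his temporary key while a message
// sealed to the old one is still in flight.
const alice = newKeyPair(); // Alice's permanent device key
const bobOld = newKeyPair(); // Bob's previous temporary key
const bobNew = newKeyPair(); // Bob's current temporary key
const msg = sealMessage('private payload for Bob', alice.privateKey, bobOld.publicKey);
console.log(openMessage(msg, alice.publicKey, [bobNew.privateKey, bobOld.privateKey]));
```

Once Bob discards the old temporary private key, the same package can no longer be opened, which is the forward security property the rotation is for.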

If the sending device fails to connect to the recipient’s hub, it encrypts the message to the recipient’s permanent key (this encryption is not forward secure since it uses a permanent key) and stores the encrypted message locally for future retries. The purpose of this encryption is to avoid having unencrypted messages lying around. After connection to the recipient’s hub succeeds, the device sends this encrypted message, thus encrypting it again (this time, with forward security), so the message is double-encrypted. Note that this is not because single encryption is insufficient, but because we don’t want to store unencrypted content for an indefinite time while the connections are retried.

Note that the communication is among devices, not users. Users may (and are recommended to) hold several devices, such as a laptop, a smartphone, and a tablet, and set up multisig addresses with redundancy (such as 2-of-3) that depend on keys stored on multiple devices. When a user needs to sign a transaction, he initiates it on one of his devices. This device then sends the partially signed transaction to the other devices using private messages, collects all the signatures, and publishes the transaction. The private keys stored on each device should never leave that device. When the user replaces one of his devices in a 2-of-3 address, he just uses the other 2 devices to change the address definition and replace the key of the old device with the key of a new device.

The private messages can also be used for encrypted texting between devices. These messages are strictly peer-to-peer, never go into the Byteball database, and can be safely discarded after they are read.

When users pay in blackbytes or other private assets, they have to send private payloads and absolutely need devices that can communicate. They need to know each other’s device addresses before they even learn each other’s payment addresses. Once their devices have established communication, the payee can send his payment address to the payer via chat message. Such a payment scenario also makes it easy to generate a unique payment address for every incoming payment. A merchant can run a chat bot that communicates with users via text messages. When the user is ready to pay the bot generates a new payment address and sends it to the user in a chat message.

31. Conclusion

We have proposed a system for decentralized immutable storage of arbitrary data, including data of social value such as money. Every new unit of data implicitly confirms the existence of all previous units. Revision of past records similar to that in 1984 becomes impossible, as every new unit also implicitly protects all previous units from modification and removal. There is an internal currency that is used to pay for inclusion of data in the decentralized database. The payment is equal to the size of the data to be stored, and other than this payment there are no restrictions on access to the database. Other assets can also be issued and their ownership can be tracked on the database. When tracking payments in the internal currency and other assets, double-spends are resolved by choosing the version of history that was witnessed by known reputable users. Settlement finality is deterministic. Assets can be issued with any rules that govern their transferability, allowing regulated institutions to issue assets that meet regulatory requirements. At the same time, transfers can be hidden from third parties by sending their content privately, directly from payer to payee, and publishing spend proofs to ensure that each coin is spent only once.

References

1. Quoted from Wikipedia https://en.wikipedia.org/wiki/Nineteen_Eighty-Four.
2. Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System, https://bitcoin.org/bitcoin.pdf, 2008.
3. Sergio Demian Lerner. DagCoin, https://bitslog.files.wordpress.com/2015/09/dagcoin-v41.pdf, 2015.
4. Serguei Popov. The Tangle, http://iotatoken.com/IOTA_Whitepaper.pdf, 2016.
5. Tom Holden. Transaction-Directed Acyclic Graphs, https://bitcointalk.org/index.php?topic=1504649.0, 2016.
6. Linked timestamping, https://en.wikipedia.org/wiki/Linked_timestamping.
7. Atomic cross-chain trading, https://en.bitcoin.it/wiki/Atomic_cross-chain_trading.
8. https://github.com/bitcoin/bitcoin
9. Gavin Wood. Ethereum: A Secure Decentralised Generalised Transaction Ledger, http://gavwood.com/Paper.pdf.