CLASS ZZ: AN INTEROPERABLE BLOCKCHAIN FOR MASS...

CLASS ZZ: AN INTEROPERABLE BLOCKCHAIN FOR MASS ADOPTION

NICOLAS BOURBAKI

[email protected]

ABSTRACT. We present the initial design for a mass adoptable and interoperable block chain called Class ZZ.We identify three road blocks preventing us from reaching mass adoption of blockchain technology: interoper-ability, fairness, and the lack of an economic model (hence price volatility). We also identify 5G communicationnetwork and quantum computing as the two major technological advances in the coming decade.

Class ZZ will leverage on the 5G network to simultaneously achieve security, high throughput and decentral-ization. We invented the capsule protocol that will allow instant verification of payments. Quantum computingis a threat to all blockchain projects that rely on elliptic curve cryptography. By leveraging on the interoperabil-ity aspects of the Class ZZ network, we will provide a post-quantum address system not only for ourselves, butalso help every mainstream blockchain such as Bitcoin, Ethereum etc., to make the post quantum transition.

CONTENTS

1. Introduction 31.1. Background 31.2. Token issuance 42. Basics 53. The importance of decentralization and the impossible triangle 64. Communication model 75. Capsule exchange 96. Secure channel communication 117. Economics of Proof of Work 127.1. Background 127.2. Mining economics 127.3. Security economics 148. Interoperability 159. Staking 169.1. NUMS address 169.2. Registration 1810. Community exchange 1910.1. Inbound exchange 1910.2. Outbound exchange 20Date: May 20th, 2020.

1

Class ZZ: An interoperable blockchain for mass adoption Version 1.3

10.3. Asset management 2210.4. Listing process 2311. ASIC resistance 2311.1. Background 2311.2. Data-growth regime 2512. Digital signature extension 2613. Post-quantum cryptography 2713.1. Misconceptions of quantum supremacy 2813.2. Types of post quantum algorithms 2813.3. Class ZZ 2914. Future directions 1References 1


1. INTRODUCTION

1.1. Background. With the development of distributed systems, the invention ofblockchain technology has caught widespread attention. It has broad applicationprospects in many fields such as finance, cloud computing, storage and charity.The special consensus mechanism and data structure of the blockchain makes itimmutable, sequential, permissionless and decentralized. These characteristicsform the cornerstone of the application of blockchains.

The initial design of a cryptocurrency was made public by [1]. Two decadeslater in 2008, Satoshi Nakamoto introduced bitcoin [6], where a blockchain wasused as a public ledger. The basic unit of a blockchain is a block, and each blockcontain a header and a bit of data (e.g. transactions). The blocks are connected toeach other by a hash, and a pointer referencing to the hash of the previous block,forming an abstract chain structure. Through this structure, different transactionsare linked together in an order. The consensus mechanism protects the uniquenessof this order and solves the double-spend attack in a permissionless environment.

A decade later, bitcoin and other cryptocurrency technologies still find them-selves having a long way to go before gaining any mainstream traction. We haveidentified the following road blocks,

(1) Difficult to use. These include, low transaction throughput, high confirma-tion times, lack of interoperability. User may also have security concerns,such as difficulty in securely managing private key for an amateur.

(2) Fairness. Almost all cryptocurrency projects these days would pre-mine alarge proportion of the network’s tokens, and distribute them to the foundersand early investors. This process is extremely unfair for the later comers,and therefore making the project unattractive for mass adoption.

(3) Price volatility. The basic law of economics dictate that the price of anythingis determined by supply and demand. Whether you are an early miner ofbitcoin, or a founder / early institutional investor of an ICO, chances areyou were able to obtain tokens at near-zero-cost. Regardless what awesomefunctionalities the token may undertake in the future, existence of near-zero-cost tokens means extremely high price volatility is built in.

Our solutions to issues 1) and 2) will be covered in sections 2 – 7 of this whitepaper. Our approach to issue 3) will be covered in sections 8 – 10. Section 11 willbriefly describe our approach to ASIC resistance mining. Sections 12 and 13 will


introduce our proposition for the blockchain community to transition to the postquantum world.

CZZ is designed to become a medium of exchange and a storage of value.There’s actually no dichotomy between the two, where the former usually impliesthe latter. The capsule protocol and the secure communication channel (see section4, 5) will provide a basic infrastructure for decentralized e-commerce conductedon the CZZ network, where goods and services must be transacted using CZZ. Thepathway toward this future starts by solving the three roadblock aforementioned.

1.2. Token issuance. We list some basic facts about the CZZ token:(1) Consensus: Proof of Work(2) Mining algorithm: Bora Bora(3) Block interval: 30s(4) Max block size: 8m(5) Min mining difficulty: 1 mh/s(6) Initial block reward: 1000 CZZ(7) Of the 1000 CZZ, 800 goes to the miner, 190 goes to the community ex-

change pool (see section ), and 10 goes to the community reward pool (seesection ).

(8) Reward decay: Let t be the block height. For t ∈ [106(n − 1) + 1, 106n),Reward(t) = max

(b1000n c, 1

)The CZZ network will produce approximately 1 million blocks a year. The

supply of CZZ token will undergo a logarithmic growth for the first 100 years,eventually decaying to 1 CZZ per block from the 501st year onward. Total supplyof CZZ is theoretically infinite, but it grows at a ever slower pace.

Here’s the quantity of CZZ in total supply,Year CZZ supply (billions)10 2.92720 3.54030 3.98350 4.479100 5.142500 6.569


2. BASICS

First, we briefly describe the basics, much of which will be similar to the stan-dard setup of [6].

Definition 1. LetH be a collision resistant hash function[8]. Let B = (B0,B1,B2, ...)be a collection of objects. We call B a chain and Bi a block, if for each i > 0, Bi

contains the following,(1) Parent hash: h−1, so that

Bi(h−1) = Bi−1(h).

(2) Block hash: h = H(h−1, r, η) is the hash value of the block.(3) Difficulty: D , adaptively updated according total network hash power H

and time stamp t.(4) Random nonce: η, computed by proof of work node so that

H(h−1, r, η) <1

D.

(5) Time: t, time stamp of the block.(6) Transaction message: m, list of transactions included in the block.(7) Transaction root: r, hash root of the Merkle tree of the transaction list.(8) UTXO root: Ψ, Hash root of the UTXO set after verifying all transactions

in this block.We call B0 the genesis block whose parent hash is pre-determined, and thus do

not require to satisfy the relation Bi(h−1) = Bi−1(h).

In later sections where we analyze the security economics of a block chain net-work, we reserve H to denote the total hash power of a network and h (or hi ) todenote the hash power of a node i . For this reason, we have chosen H to denotethe collision resistant hash function and h to denote the actual hash value of eachblock.

Transactions of CZZ will largely follow the UTXO framework of bitcoin [6].

Definition 2. A transaction is a message containing the following data(1) Name: Output of a collision resistant hash function for unique transaction

ID(2) Input: List of previous transactions, digitally signed, whose output will be

used to pay for this transaction. The previous transactions listed here iscalled the reference of this transaction.


(3) Output: Beneficiaries of this transaction.With the condition that, each output can only be referenced once as the input of

another transaction.

Anyone can add additional blocks to the blockchain provided that they havechecked all transactions included in the block are valid, and they have found an η(by trial and error) such that H(h−1, r, η) < 1

D . In order to speed up validation,each node will keep a list of unspent transaction outputs, or the UTXO set. TheMerkle root of the UTXO snapshot, after executing all transactions of a block, willbe stored in that block.

A slight departure from the original bitcoin design of [6] is that, instead of re-quiring an ECDSA signature for every line of input, we only require one line ofEC Schnorr signature [10] for the whole input list to guarantee the same level ofsecurity. The upshot is that we can expect a decrease in bytes per transaction byabout 25% - 33%.

3. THE IMPORTANCE OF DECENTRALIZATION AND THE IMPOSSIBLETRIANGLE

The bull market of 2017 have demonstrated that neither bitcoin nor ethereumis able to handle high volumes of transactions, as they should, if mass adoptionoccurs. Transactions per second (tps) will need to improve by at least 100x beforethey can handle day to day transaction volume. Some contenders proposed toadopt other consensus mechanisms, such as delegated proof of stake (DPoS) -most notably with EOS and TRON. They do attain a higher tps figure, only atthe expense of decentralization and security. Other projects such as the lighteningnetwork, while it would improve transaction rate of the bitcoins through otherforms of centralization, it does little to enhance the bitcoin main net.

The daunting task of simultaneously achieving security, decentralization andefficiency for a public chain is called the “impossible triangle”. Meaning, you canobtain any 2/3 of the qualities, but never all three at the same time. Moreover, iteven seemed fashionable to suggest that decentralization is the least important ofthe three qualities. In this section, we present an argument to counter this assertion.

If we take a step back and ask what is the fundamental value add with blockchaintechnology? We might get two diverging opinions. One camp would argue thatthe blockchain technology is revolutionary and it would forever change the world,


while the other camp would argue that blockchain technology is just incremental,merely being yet another data structure. We think that both camps are correct.

If we view blockchain as just a distributed ledger, then this technology is in-cremental. It will have book keeping applications in large enterprises, but itwill not fundamentally change how the enterprise would operate. The part aboutblockchain that is revolutionary is the “trust machine” aspect of a permissionlesspublic chain. In fact, we can do better than trust, we prefer “proof” over “trust”.

Why is trust important you may ask? If you look at traditional financial institu-tions, the credibility of an entity is determined by the merits of that entity. Entitiesdeemed as “credit-worthy”, such as governments and large corporations, receivecredit at a much lower interest rate than small businesses and individuals. Some-times certain assets must be set aside as collaterals in order to obtain a line ofcredit (e.g. in purchasing of a property). Under the rules of the old universe, howis it possible for an pseudonym like “Satoshi Nakamoto”, that nobody knows theidentity of, been able to pull off a project like bitcoin with an astronomical marketcap? The answer is simple, a new dimension of credibility was found when peo-ple trusted proof of work, as opposed to the credibility of some individual or someinstitution.

With this in mind, we see that it is decentralization and the permissionless natureof blockchains that is truly revolutionary. You may as well start a company and runyour business like an enterprise, if you are willing to give away decentralizationfor sake of higher tps.

4. COMMUNICATION MODEL

In this white paper, we will examine another dimension - a node communicationmodel, that could potentially achieve 100x in tps, without sacrificing any decen-tralization whatsoever. In fact, the CZZ blockchain will be more decentralized andmore secure than any public chain running to date, including bitcoin and ethereum.

A “blockchain network” is a collection of nodes agreeing to update their chainaccording a predetermined consensus. The state which a chain exist locally at eachnode is called a view. A network is said to be “permissionless” if anyone can joinand leave at any time. Upon joining a network, there are no central authority to saywhich node is preferred over another. Since each node only see their local view,due to network delays, the views between nodes may be different for the most


recent blocks. Hence, the network in general will be at an asynchronous state,consistency only happens before the last Λ blocks, where Λ is a natural number.

Definition 3. Let view(chain(t), i)) denote the view of chain at time t, from nodei . We say a network is “consistent” if there exist λ > 0, independent of t, suchthat view(chain(t − λ), i) is a constant function with respect to i .

Definition 4. Let TX(t, j) be valid transactions presented to an honest node j attime t. We say a network has “liveness” if there exist ω > 0, independent of t,such that TX(t, i) ⊆ view(chain(t + ω), i) for all honest nodes i .

The aforementioned security requirements must be guaranteed with overwhelm-ing probability. Let (Ω,F ,P) be a probability space. Let S = S(D,H ,ω) be aF-measurable random variable to represent the time between each block update.It is written as a function of mining difficulty D , total network hash power H andω ∈ Ω. Note that the ω term drops out [12], whenever we integrate S over an aF-measurable set with respect to the probability measure P.

To guarantee consistency, we require that for any ε > 0, there exists D largeenough so that

P(S(D,H) < λ) < ε.

Since D is required to be large to guarantee consistency, we see a widespreadmisconception that, high mining difficulty in proof of work has led to the slowtps and long confirmation times. Blocks are generally difficult to mine, becausewe need mining as a kill-time mechanism so various nodes around the world cansynchronize their block sequences, thus achieving consistency.

Indeed the conundrum faced by all main net projects today is that they can-not scale up performance without sacrificing security or decentralization of somesorts. However, with the development of new radio frequencies and massiveMIMO and beamforming, especially the emergence of 5G mobile networks, wecan expect a quantum leap in the direction of high bandwith and low latency.For 5G networks, ITU-R have defined three main types of usage scenario: En-hanced Mobile Broadband (eMBB), Ultra Reliable Low Latency Communications(URLLC), and Massive Machine Type Communications (mMTC). 5G networksachieve much higher data rates than current cable internet, and 100 times fasterthan 4G LTE, up to 10 gigabits per second (Gbits/s). In addition, the network la-tency will be much lower, below 1 millisecond (ms), compared with 30 - 70 msfor 4G. In this scenario, the blockchain of next generation with high throughputand low latency, without sacrificing any decentralization could be proposed.


Take bitcoin for example, it takes 10 minutes to produce a block, and each blockcontain at most 6000 transactions, giving 10 tps. Under the data rate of 5G mobilenetwork, we can safely make block size 8mb, and block interval 30s to achievea throughput of 1600 tps. This is comparable to the VISA whose average rate is2000 tps, and it’s achieved without introducing any of the centralizing scheanani-gans like master nodes or Byzantine committee.

Another issue we have to address is confirmation time. Take Bitcoin for exam-ple, finality happens after 7 blocks. Since each block takes 10 minutes to create,confirmation time theoretically can take more than an hour. If a user wants tobuy a cup of coffee, that transaction may take up to an hour to confirm. Thisbrings us to our second big idea, edge computing. We’ve created a protocol whereif the transaction happened between two pruned nodes, the payer and the payeecan co-validate each other and get instant confirmation before the transaction ap-pear in any block. This was not possible in the previous networks, because it wasvery difficult to have nodes with any verification capabilities running on mobiledevices.

5. CAPSULE EXCHANGE

In this section, we describe what is a pruned node, and how can they validateeach other through a process called “capsule exchange”.

With the bandwidth enhancement of 5G mobile network, it becomes possiblefor mobile devices to constantly receive and update blocks. Assuming each blockis 8mb, and every mobile stores the 20 latest blocks, this will only take 160 mb ofdisk space, which is less than the size of most mobile games. Blocks before that,they only need to store the hash root.

Definition 5. A pruned node is a digital device where it is(1) receiving and updating the latest blocks(2) storing the last 20 blocks(3) storing the Merkle root of every historical block

Each pruned node can use their hash root to validate every block in the blockchain,thereby making every user a guardian of chain integrity. We could potentially havemillions of pruned nodes, as opposed to thousands in bitcoin and ethereum, andless than 100 for EOS and TRON. This alone makes CZZ magnitudes safer than


almost all existing blockchain projects, where end clients usually only runs on alight wallet (or store coins in an exchange) maintained by a full node in a central-ized manner.

Suppose Alice and Bob are pruned nodes, and Alice want to send Bob 20 CZZ,we call this transaction TX . The two important part Bob need to verify are:

(1) The authenticity of the EC Schnorr signature, this part is easy.(2) The TX inputs have not been previously spent, this part is hard.Traditionally in the bitcoin setting, if Bob is not a mining node, he won’t have

enough information to verify if TX is valid. Therefore, he will have to rely onother miners to verify TX , package in a block and wait for block finality.

Miracle happens when a transaction take place between two pruned nodes. Inaddition to TX , Alice can send Bob the Merkle branch of her transaction inputs ofthe UTXO tree from a recent block (acquired from a full node). Then,

(1) Assuming current block height is t, Bob can verify that Alice’s transactioninputs are in fact unspent up to a recent block Bt−u.

(2) Assuming u is small, Bob will have stored all of the blocks Bt−u+1, ...,Bt .Hence, he can locally check if TX ’s input have been spent up to block heightt.

(3) Check mempool for any transactions with the same referenced input. mempoolis typically only a few megabytes big.

Having inspected the validity of TX , Bob has the option to sign off acknowl-edging the transaction recipient’s honor, which we call a “capsule”, before sub-mitting to mempool. Hence, Alice and Bob get almost instant confirmation of TXwith each other, which will be extremely useful for frequent transactions of smallamounts.

The advantage of using capsules is that, should there be two transactions refer-encing to the same input in mempool, miners are directed to accept the capsulewith recipient’s signature. This will mitigate the possibility of a double spend at-tack by Alice - she can instantiate multiple TX ’s with other users, all of which arevalid up to block Bt . The first recipient who acknowledges will get preferentialtreatment by PoW nodes. We acknowledge there is still the risk of two capsulesarriving very close to one another, rendering the transaction invalid. Hence, it isadvised that for large transactions, the payer should still wait for confirmation onthe block chain.


Algorithm 1: Capsule generation process

1 Alice send 10 CZZ to Bob2 Alice’s action:3 Send TX = TX .inputlist,TX .outputlist4 branchlist = ∅5 foreach input ∈ inputlist do6 branchlist.append(UTXOtree.branch(input))7 Send branchlist.8 Send t − u. (block height of the UTXO used for branchlist)9 Bob’s action:

10 Upon receiving TX and branchlist from Alice,11 foreach input ∈ inputlist do12 (Hash calculation)13 Verify(input) ∈ UTXO at height t − u.14 for θ = t − u, ..., t do15 (Block propagation)16 Verify(input) 6∈ Bθ.17 Verify(input) 6∈ mempool.18 Sign and broadcast capsule, or reject transaction.

6. SECURE CHANNEL COMMUNICATION

In the previously section, we described how if Alice could send Bob the Merklebranch of UTXO’s, then Bob can establish by himself the validity of Alice’s trans-action input up to a certain block height. We skimmed over how this communica-tion could be made. Since the Merkle branch could be quite big, relative to trans-action data, broadcasting it using the gossip protocol could generate unnecessarycongestion. Therefore, the ability to establish a secure communication channelbetween pruned nodes is central to the success of capsule protocol.

The idea are based on [3],

(1) Alice broadcast her communication parameters1, encrypted using Bob’s pub-lic key.

1Such as IP, port, endpoint etc.


(2) Upon receiving this message, Bob can decrypt it and start p2p session withAlice, where Alice will send Bob the main body of Merkle branches (or anyother large file transfer).

(3) All other participants of the blockchain will be unable to decrypt, so Alicestill maintain her privacy to the public.

This will save a huge amount of network traffic in the capsule generation pro-cess. At the same time, it would allow future developers to create decentralizedchat programs, and other decentralized services.

7. ECONOMICS OF PROOF OF WORK

7.1. Background. In this section we present a detailed analysis between the eco-nomic model of miners, and the security they provide to the network. Under cer-tain regularity assumptions on participant’s behavior, this will explain how certainmechanisms in current blockchain projects are systematically contributing to in-creased volatility in market prices. We acknowledge that the underlying assump-tion we make may not reflect what happens in the real world, and we hope that oureffort will stimulate future research interest in this direction.

7.2. Mining economics. First, let’s analyze the potential revenue stream minersreceive from the mining a blockchain. Let B = (B0,B1, ...) be a blockchain, as perDefinition 1. We call B λ-asynchronous if the function view(chain(t−λ), i) (as perDefinition 3) is constant with respect to i . Suppose that B produces 1 block everyτ seconds, where the parameter τ is pre-determined so that B has consistency andliveness.

In a world where there are n PoW nodes, contributing to a total compute powerof H hashes per second, mining difficulty D is then adaptively set (according toa pre-determined update formula) so that 1 block is expected mined in τ seconds.Hence, we have

D ∝ τH

and for any fixed η,

P(H(h−1, r, η) <

1

D

)∝ 1

τH.


Suppose that R tokens are awarded to the successful miner for each block, andeach token has a subjective value of s dollars to the miner. Moreover, when consid-ered over all mining community, the subjective value becomes a random variableS , with a probability density function fS(s), expected value µS , variance σ2S . Ifthe token is listed on the exchange, then we can expect µS to be very close to thecurrent traded price, and σ2S have a somewhat similar value to the price volatilityon the market.

A miner will also bare the following costs: sunk cost (sc), being the depreciationof mining equipment spread over its useful life T ; and operating cost over a timeinterval of length t, denoted by oc(t) (e.g. electricity cost). Suppose a machinecosting sc that produces h hashes per second. Over a period of T seconds, thatmachine will likely to mine Th

Hτ blocks, receiving rThHτ tokens, worth srTh

Hτ to theminer.

A parameter that’s particularly important to the mining community is the periodθ such that srθh

Hτ > sc +oc(θ). This is the period it takes to recover the sunk cost ofthe miner. All tokens earned after this point, less electricity bills, are consideredto be net profit for this mining venture. Because there are multiple competingprojects to mine these days, the θ value of each chain is typically a constant plusrisk premium.

Next, we axiomtize the behavior of rational miners.

Axiom 1. Rational miners will exhibit the following behavior,(1) He will start mining over the period of length T (T is typically the useful

life of a miner), if he predict srThHτ > sc + oc(T ).

(2) He will continue mining on existing machines over the period of t (t istypically a small increment of time), if srth

Hτ > oc(t).(3) He will stop mining if srth

Hτ < oc(t).

Assume overwhelmingly that the majority of miners exhibit the above behavior,we are ready to state our first main theorem.

Theorem 1. (Fundamental Theorem of Mining Economics)Suppose that token price is fixed at $s over a time period of lenght t, and that

cost per hash is also fixed2. If a blockchain B releases a total of R(t) tokens, thecost of aggregate hash power sustaining the network, in equilibrium, will equal to$sR(t).

2i.e. no substantial improvement in mining equipment


Proof. See appendix. Equilibrium easy to establish.

Corollary 1. Assume no significant improvement in mining equipment, unit hash• If the token price s appreciate by a factor of λ, the aggregate hashpower of

the underlying blockchain will also increase by λ.• There exists Λ > 0, such that if the token price s depreciate by a factor ofλ < Λ, the aggregate hashpower of the underlying blockchain will see nochange.• If the token price s depreciate by more than Λ, then at least one miner have

reached shutdown point, and aggregate hashpower will thus decrease.

7.3. Security economics. It is well known from [6] that a blockchain is vulner-able to 51% attacks. This happens when a malicious party controls 51% of thehashpower in a blockchain. Therefore, a good way to measure the security of ablockchain is by the cost to carry out such an attack.

Definition 6. We call a blockchain is “economically S-secure” if it cost $S tocontrol 51% of the hash power.

Next, we analyze the life cycle of PoW miners. Under normal circumstances,miners typically have a useful life of about 2 - 3 years, before they get supersededby more efficient equipment. In special circumstances when there’s a significantreduction in mining reward, whether it’s due to a significant drop in token value,or a scheduled reduction in mining reward, existing miners might go idle. This isbecause mining revenue have now fallen below operating cost. In such circum-stances, miners can be sold extremely cheap in second hand markets. Hence, idleminers are a security bomb before they go obsolete.

Theorem 2. Let α < 0, onsider a PoW blockchain where the token reward halvesover a fixed period. Further suppose that the token value follows a jump diffusionprocess St , such that for any finite T , E (|St |) < ∞). Then, for arbitrarily smallε > 0 and δ > 0, there exist a finite Tω such that the blockchain B is less thanδ-secure before Tω with probability at least 1− ε.

Proof. See appendix. Rough idea, the adversary will attempt to hoard idle minersas mining reward diminishes. The proportion of idle miners

Corollary 2. Bitcoin must double its price once every 4 years to maintain the samelevel of economic security.


In light of theorem 2, the mining reward of CZZ will be proportional to 1t , when

block height is between [1000000(t−1)+1, 1000000t]. Summing over all blocks,we find that this harmonic series sums to infinity. Roughly speaking, the first 3years will feel very similar to exponential decay, while after 5 years it would feellike constant reward. Since the total supply of CZZ is infinite, the variance in costof acquisition among CZZ holders will be very low in the long run. Hopefully,this will bring about stability in the market price.

8. INTEROPERABILITY

In the previous sections, we have laid the ground work for a blockchain networkwhere

• Achieves high transaction performance without compromising any decen-tralization, therefore solving the “impossible triangle problem”.• Instant finality between payer and payee achieved via the capsule protocol.• Secure communication network that enables decentralized commerce.

We have also explained that the value of a token will necessarily be volatile if,through whatever mechanism (premined or otherwise etc), the network containsa supply of near-zero-cost tokens. CZZ has introduced a counter measure to thisproblem by insisting that

• There are ZERO CZZ tokens premined, all CZZ tokens are created throughproof of work.• CZZ has introduced a minimum mining difficulty, so that no CZZ tokens

can be mined at near-zero-cost, particularly toward the beginning.

The aforementioned mechanism can be summed up as “supply side measures”of CZZ. From this section onward, we will start to focus on demand side measures.Through a staking process by beacon nodes, the CZZ token will act as a mediumof exchange between various other crypto currencies. Each time the exchange isused, a certain amount of CZZ tokens will be “burned”, taking them permanentlyout of circulation, and the remaining CZZ token would theoretically increase invalue. This point being that this mechanism provide a clear correlation betweenthe business volume conducted on the Class ZZ network, and the fundamentalvalue of the underlying CZZ token.


Moreover, we would like the whole process to be completely decentralized.Currently, this is transacted through centralized exchanges, which in our opin-ion remain to be the weakest link in the crypto market. Centralized exchangesare subject to hacking and fraud, they are at risk of being shutdown by centralauthorities.

The reason why we need centralized exchanges are as follows. Suppose Alicewould like to exchange 10000 USDT for 1 BTC. She need to find a counter partyBob, who is willing to accept such a deal. Moreover, the exchange require bothAlice and Bob to conduct a transaction, and they may not necessarily trust oneanother. Therefore, the key problem we need to solve is find a protocol so thatAlice can complete her acquisition of 1 BTC without having to trust a counterparty (Bob, or an centralized exchange).

Let UVW and XYZ be hypothetical tokens of another blockchain, we break upthe problem in two parts:

(1) Exchange of XYZ to CZZ in a decentralized manner(2) Exchange of CZZ to XYZ (or UVW) in a decentralized manner

The following sections will describe how the above is achieved through a stakingprocess of beacon nodes.

9. STAKING

9.1. NUMS address. Let XYZ be a blockchain network whose public key arepoints on the elliptic curve Secp256k1. The equation of this curve is given byy 2 = x3 + 7 over the finite field of Zp, where p = 2256− 232− 29− 28− 27− 26−24−1. Points on this curve are tuples of (x , y) where x , y are 64-digit hexadecimalnumbers. Public and private keys are obtained from the x coordinate of a point onthe curve.

Definition 7. Let addr(A,XYZ ) denote the address on blockchain network XYZcorresponding to the public key A.


Definition 8. We use Ai to denote the 64-digit hexadecimal number i . For example,

A0 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

A1 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000001

A2 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000002

A3 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000003

Definition 9. Let transXYZ (Θ → Γ, a) denote the transaction on XYZ networksent from Θ to Γ, for the amount of a tokens of XYZ , where Θ and Γ are validaddresses of XYZ . The quantity a may be abbreviated in future reference whenit’s clearly not necessary.

Definition 10. Let A0,A1, ...,Ak be public keys, their corresponding private keyis provably unknown to everybody, except a probability of (k + 1)2−256. This isknown as the NUMS (nothing up my sleeves) principle. Let i be a small integer(e.g. i < 100), we call addresses addr(Ai , .) “NUMS address”.

Assets under a NUMS address can be considered as a public good, because nosingle individual would have access to the private key. Assets can be moved outof a NUMS address under a predetermined special written consensus. They are asfollows,

(1) addr(A0,CZZ ) is the incinerator, PoW miners will never process any trans-actions coming out of this address.

(2) addr(A1,CZZ ) is the community exchange pool. Miners will form a specialconsensus to send CZZ tokens out of this address ONLY when conditionslisted in section have been met.

(3) addr(A2,CZZ ) is the community reward pool. Miners will form a specialconsensus to send CZZ tokens out of this address ONLY when conditionslisted in section have been met.

(4) addr(A10,CZZ ) to addr(A99,CZZ ) are addresses of beacon nodes. Minerwill form special consensus to send CZZ tokens out of this address in accor-dance to the rules and regulations described in section .

(5) To move CZZ tokens in all other addresses, the only acceptable consensusis through verification of the ECDSA signature.

The following theorem provide the basis of our cross chain protocol.

Theorem 3. If ABC and XYZ are two blockchain networks based on the sameelliptic curve digital signature scheme (e.g. both uses Secp256k1), then if (φ,ψ)


are public-private key pairs on one blockchain, the pairing relationship continueto hold on the other.

Corollary 3. If a person is able to conduct the transaction

transABC (Θ→ ., .),

then she is also able to conduct the transcation

transXYZ (Θ→ ., .).

Therefore, any assets sent to addr(Θ,XYZ ) is assumed to be under the sameownership as the person who made the transaction transABC (Θ→ ., .). This formsthe basis of our cross chain exchange.

9.2. Registration. A beacon node is an address whose public key is between A10

and A99. They will act as liquidity providers for the Class ZZ network. In anideal decentralized world we should not have an upper limit on the total numberof beacon nodes. However, as stated in theorem 3, the probability of somebodyrandomly knowing the private key to a beacon node is given by n2−256, wheren is the total number of beacon nodes. To maintain a robust level of blockchainintegrity, we must put an upper limit to n, which is currently set to 90.

To register for a beacon node, one must make the following transaction:

transCZZ (addr(θ,CZZ )→ addr(Ai ,CZZ ), a).

Here, θ is the public key of the user’s own address, i ∈ [10, 99] and a is a positivemultiple of 1,000,000. This transaction will be a permanent record in establish-ing the correspondence between the beacon address addr(Ai , Secp256k1) and theuser’s own address addr(θ, Secp256k1) across all blockchains (such as, bitcoin,ethereum etc) that uses the same elliptic curve. We call (θ,Ai) a “beacon pair”.

Therefore, any transaction on an alien blockchain (e.g. bitcoin) that involves theaddress addr(θ, Secp256k1), the PoW miners of the Class ZZ network would auto-matically execute the predetermined consensus on addr(Ai , Secp256k1) regardingthe alien network transaction. Hence, the addresses addr(Ai , Secp256k1) can bethought of as “beacons of light” that connects various blockchains in a otherwisedark universe.

The amount of CZZ tokens need to be staked correspond to the volume of trans-actions a beacon node is undertaking. Beacon nodes are encouraged to engage inprofit seeking activities, such as charging a commission and earning community


reward. They must also honor their obligation or they will be punished through areduction of their staking.

The beacon node can also increase their staking by a′ by making

transCZZ (addr(θ,CZZ )→ addr(Ai ,CZZ ), a′).

Transactions from any other address to addr(Ai ,CZZ ) will be rejected by miners,once the public key correspondence is established. The beacon node can alsosubmit an application to decrease or terminate their staking, and their decreasedstake will be sent back via

transCZZ (addr(Ai ,CZZ )→ addr(θ,CZZ )

(and only this address) via miner consensus.

10. COMMUNITY EXCHANGE

In this section, we will describe the interoperable cross chain protocols thatenable the Class ZZ network to function as a decentralized exchange. Since theexchange is operated and governed solely by the decentralized community, wewill call it the “community exchange”.

The community exchanged is structured in two parts,(1) Facilitate the exchange from XYZ to CZZ, which we call “inbound ex-

change”.(2) Facilitate the exchange from CZZ to UVW, which we call “outbound ex-

change”.where XYZ and UVW are tokens from alien blockchains.

10.1. Inbound exchange. Let XYZ be another blockchain based on the ellipticcurve Secp256k1. Suppose Alice would like to exchange m quantity of XYZ forn quantity of CZZ. She can initiate an inbound exchange by making the followingtransaction:

trans(addr(φ,XYZ )→ addr(ξ,XYZ ))

on the XYZ network, where(1) φ is Alice’s public key, which is identical on both CZZ and XYZ.(2) There exists integer i ∈ [10, 99], such that (ξ,Ai) is a beacon pair on the

Class ZZ network.


If the transaction is old enough to have reached finality on XYZ (e.g. if XYZwas the bitcoin network, finality would mean after 7 blocks), the sender can applyfor an inbound exchange by broadcasting

• The block height of the trans(addr(φ,XYZ )→ addr(ξ,XYZ )).• The transaction hash of trans(addr(φ,XYZ )→ addr(ξ,XYZ )).

Upon hearing this broadcast, the PoW nodes on CZZ will validate the following,

(1) Check that trans(addr(φ,XYZ ) → addr(ξ,XYZ )) does in fact exist, andhave reached finality as per standards set out by XYZ.

(2) Check that trans(addr(φ,XYZ )→ addr(ξ,XYZ )) have not been previouslyprocessed in order to avoid double exchange.

If her transaction on XYZ is confirmed to be valid, PoW miners will create an“inbound transaction” trans(addr(A1,CZZ ) → addr(φ,CZZ )), this transactionwill be validated by every other node, and a consensus can be formed amongstminers without requiring any digital signatures. Miners would also issue Alicea receipt so she could later on conduct an outbound transaction with the samebeacon node within a certain time frame.

By corollary 3, the owner of addr(φ,CZZ ) and the person who signed off thetransaction trans(addr(φ,XYZ )→ addr(ξ,XYZ )) can be assumed being the sameperson. The security of the Class ZZ network will remain intact as long as thesecurity of alien network shall remain intact.

Therefore, by simply making a transaction on the XYZ network, and broadcast-ing back the finalized network hash, Alice was able to receive her exchanged CZZwithout anyone else operating on anything.

10.2. Outbound exchange. Let’s suppose Alice now would like to change herCZZ tokens to UVW, thereby completing her exchange of XYZ tokens to UVWtokens. Alice would proceed with the following protocol.

(1) Alice would send n CZZ tokens to the incinerator address A0 = addr(0,CZZ ),and broadcast.

(2) Alice would indicate which beacon node she would like to conduct her out-bound transaction with using her outbound certificate, and what crypto assetshe would like to receive.

(3) The beacon node must send her the indicated crypto asset on the alienblockchain, and publish the block height and transaction hash back to theClass ZZ block chain.


Algorithm 2: Community exchange

1 Registration2 Establish (ξ,Ai) as a beacon pair.3 transCZZ (addr(ξ,CZZ )→ addr(Ai ,CZZ ), a).4

5 Inbound exchange6 while EffectiveStake > b do7 Alice: trans(addr(φ,XYZ )→ addr(ξ,XYZ ), b)8 Alice: Publish alien transaction hash9 Miners: Verify alien transaction hash

10 Miners: trans(addr(A1,CZZ , β)→ addr(φ,CZZ ))11 Miners: Issue a receipt to Alice for her inbound exchange of β CZZ

tokens.12 Note: The exchange rate β/b is a pre-published quantity.13 Net effect:14 Alice: Sent alien tokens and received CZZ15 Beacon node: Received alien token from Alice16 Exchange pool addr(A1,CZZ ): Sent CZZ token to Alice17

18 Outbound exchange19 while γ > β do20 Alice: trans(addr(φ,CZZ )→ addr(0,CZZ ), γ)21 Miners: Verify the above transaction and include it in block h on CZZ.22 Beacon node:23 while BlockHeight < h + 3000 do24 trans(addr(ξ,XYZ )→ addr(φ,XYZ ), c)25 Broadcast transaction hash to Class ZZ network26 Miners:27 if No valid alien txhash before BlockHeight < h + 3000 then28 Penalty: trans(addr(Ai ,CZZ )→ addr(0,CZZ ), γ)29 Compensation: trans(addr(Ai ,CZZ )→ addr(φ,CZZ ), γ)

30 Note: The exchange rate γ/c is a pre-published quantity.31 Net effect:32 Alice: Sent CZZ tokens to the incinerator and alien tokens.33 Beacon node: Sent alien tokens to Alice.


(4) If the above is not performed within 3000 block height (around 1 day), thenthe beacon node will be penalized as follows• An amount of n CZZ is removed from the staking address and sent to

the incinerator: transCZZ (addr(Ai ,CZZ )→ addr(0,CZZ )• An amount of n CZZ is removed from the staking address and to com-

pensate for Alice’s loss: transCZZ (addr(Ai ,CZZ )→ addr(φ,CZZ )(5) If beacon node does indeed complete the outbound transaction, it would also

receive a community reward: transCZZ (addr(A2,CZZ )→ addr(Ai ,CZZ ).Because there are no pre-mining on the Class ZZ network, all CZZ tokens are

obtained at a significant cost to everyone, whether its through mining or purchase.Therefore, the prospect of losing CZZ tokens would be a strong deterrence forbeacon nodes to uphold their obligations.

10.3. Asset management. After establishing a beacon node through staking, theClass ZZ network have effectively provided the owner a “deposit taking right” ofassets from alien blockchains. The expectation is that the owner must uphold theirobligation during the phase of outbound exchange. Particularly, the beacon nodeis expected to hold on to their alien assets until an outbound exchange order arises,or if the customer’s inbound receipt had expired.

The community is incentivized to deploy surveillance bots to monitor for mis-management of alien blockchain assets. Specifically,

(1) Every beacon node may list up to 4 whitelist addresses for each type ofalien asset. They may freely transact between the whitelist addresses, butthe whitelist addresses cannot participate in inbound exchange.

(2) Only transactions involving outbound exchange are allowed when sendingfund out of whitelist addresses.

When an illegal transaction is discovered, anyone can broadcast the tx hashback to the Class ZZ network, and the beacon node will be punished accordingly.Specifically, if b units of XYZ was mismanaged, and suppose β/b is the prevail-ing exchange rate, then β units of CZZ will be rewarded to the whistle blower,and a further β units of CZZ will be sent to the incinerator. In summary, thesetransactions will be executed:

transCZZ (addr(ξ,CZZ )→ addr(0,CZZ ), β)

transCZZ (addr(ξ,CZZ )→ addr(ζ,CZZ )

where addr(ζ,CZZ ) is the address of the whistle blower.


The net effect will be,(1) Beacon node lose 2β units of CZZ(2) Whistle blower gain β units of CZZ(3) β units of CZZ goes in the incinerator.

10.4. Listing process. The initial batch of assets supported by the communityexchange are• CZZ• BTC• USDT(Omni)• LTC• BCH• BSV• DOGE

It is expected that around when Ethereum is completing the Eth 2.0 upgrade,Class ZZ network would have the capability to support ETH and all ERC20 tokens.The community exchange will support,• ETH• USDT (ERC20)

The decision to list other ERC 20 tokens will be up to weighted communityvoting. Owners of beacon nodes are allowed to participate and the weight ofvoting is proportional to the amount of CZZ staked. Projects that receive strictlymore than 67% of the weighted vote will be listed.

11. ASIC RESISTANCE

11.1. Background. One of CZZ’s main supply side economic policies is that wetry to eliminate all near-zero-cost tokens in the system. One such possibility comefrom the advantage in ASIC mining (particularly the early days). Therefore, theCZZ mining algorithm aims to be ASIC resistant, or at least have ASICs unfeasi-bly expensive to make. In this section, we demonstrate how that can be achieved.

Previous attempts at coming up with ASIC resistant hash functions have gener-ally been futile [insert citation]. Two mechanisms that people came up with are,introduction of

(1) Memory hard functions, and


Algorithm 3: Ordinary mining algorithm

1 Build block header from: h−1, r2 Initialize: mined = false3 while mined == false do4 v = concat(h−1, r, η)5 h = H(v)6 η = η + 17 if h < 1/D then8 mined = true9 broadcast block

(2) Bandwidth hard functions.Their common observation is that the common Sha256d ASIC is just a hard

coded hash calculator, incapable of any memory storage nor does it offer any databandwidth. Hence, by introducing a function with one of these components, anyarchitect based on the SHA256d ASIC will be deemed useless.

However, in the advent of lucrative financial incentives, it turned out that througha myriad of innovation by ASIC manufacturers have completely crushed theseobstacles. The Bitmain E3 miner for example, placed a ring of DDR3 SDRAMchips around the actual ASIC. This enabled the table lookup step in EThash to beexecuted with significant efficiency over the GPU. Had Ethereum not gone PoS,the next generation of DDR chips will render Ethash’s ASIC resistance completelyuseless.

We ask the question, is there a fundamental mechanism that we can leverageupon, to make our hash mechanism ASIC resistant over time? A straightforwardapproach is simply change your hash in regular block intervals. This was preciselywhat Monero did in order to fend off the onslaught of Bitmain X3. There are twodownsides with Monero’s approach,

(1) Rules of mining feels incomplete, with human intervention at regular inter-vals.

(2) Monero core team (or whoever with significant sway on the vote) can neverprove that they have in fact pre-manufactured an ASIC to mine the new hash.

Another approach is to have a set of pre-determined hash functions and ran-domly recombine between them, and this was more or less what Dash and Raven


Algorithm 4: Bora Bora mining algorithm

1 Running hash2 Build block header from: h−1, r3 Pick any g ∈ GL20484 So V = Z2048

2 and ρV (g) ∈ End(Z20482 ,Z2048

2 )5 Initialize: mined = false6 while mined == false do7 tmpv = concat(h−1, r, η)8 v = concat(tmpv , ..., tmpv)9 (so v ∈ V )

10 h = H(ρ(g16) ∗ ... ∗ ρ(g3) ∗ (ρ(g2) ∗ (ρ(g1) ∗ v1 + v2) + v3)... + v16)11 (Note, ρV (g) ∗ v ∈ V , andH can be applied to any element in V )12 η = η + 113 if h < 1/D then14 mined = true15 broadcast block

tried to do. However, Dash was recombining from a set of 11 different hashes,which makes it possible for ASIC manufacturers to simply exhaust all options -which was exactly how Bitmain D3 was built.

11.2. Data-growth regime. We came up with the following for our ASIC resis-tance,

(1) There exist a large pool of potential mining algorithms that is unfeasible tohard code each of them to an ASIC chip.

(2) The mining algorithm relies on a memory or bandwidth bottleneck that willbe very expensive for ASIC production.

(3) The hurdle put forward for ASIC resistance (such as memory hardness orbandwidth hardness) must grow with respect to technological development.

In the following subsections, we describe in detail

(1) How to generate a large space of collision resistant hash functions(2) How to generate new hash with increasing memory and bandwidth compli-

cation.


11.2.1. Generating hash space. Classically, mining algorithms would loop throughthe nonce η and repeatedly compute h = H(v(η)), until h < 1/D . Let G be a largegroup (e.g. GL2048), and ρV : G → End(V ,V ) be a homomorphism from G to theendomorphism group of V , we call ρ the representation of G . That is, for everyg ∈ G , ρV (g) is a linear map from V to V . Since the hash function H can beapplied to any element in V , we can compute instead, the modified hash function,H(ρV (g) ∗ v(η)).

We can make the above algorithm more complicated by randomly generating16 such group elements g1, ..., g16 and 16 vectors v1, ..., v16 on 22048. Rather thanlooping throughH(ρV (g) ∗ v), we compute instead

H(ρ(g16) ∗ ... ∗ ρ(g3) ∗ (ρ(g2) ∗ (ρ(g1) ∗ v1 + v2) + v3)... + v16).

Computing this hash is both memory hard and bandwidth hard, as the above ma-trix multiplications must be repeatedly performed for every iteration of the hashcomputation.

Moreover, every time we change a group element g to g ′, we get a completelydifferent hash algorithm, whereH(ρV (g)∗v(η)) is replaced withH(ρV (g ′)∗v(η)).SinceH is assumed to be collision resistant, we have a one-to-one correspondencebetween a hash algorithm and a group element. With this in mind, we can makethe matrix arbitrarily big to catch up to technological innovation.

Leveraging on the above results, CZZ plan to double the dataset size once every12 months. For ASICs to be competitive in computing Bora Bora, SRAM will bea key component. Periodically doubling the dataset size would imply that ASICmanufacturers are forced to use the most advanced SRAM, thereby rendering anyASICs prohibitively expensive.

12. DIGITAL SIGNATURE EXTENSION

One limitation of the community exchange described in section 10 is the in-ability to interoperate with blockchains whose digital signature is not based onthe elliptic curve Secp256k1. Prominent examples include, Libra (Curve25519),DC/EP (SM2), EOS (Secp256r1), Monero (Ed25519). Therefore, it’s in the inter-est of the Class ZZ community, for our network be able to interoperate with theseother blockchains.

On the other hand, there is no reason why PoW miners on the Class ZZ networkcannot verify more than one type of digital signature. Recall that with bitcoin, to


get from public key to the bitcoin address, it was simply a repeated compositionof the functions ripemd160 and sha256d. We could easily create a new hash, by arepeated composition with a phase translation. Class ZZ addresses generated bypoints of other elliptic curves can be indexed by such transition, providing minerswith enough cryptographic data to verify their relationship.

Specifically, we will use the following phase translation parameters. Let q be alarge prime,

Curve Phase translationSecp256k1 0Curve25519 sha256d(seed1)

SM2 sha256d(seed2)Secp256r1 sha256d(seed3)Ed25519 sha256d(seed4)

The exact values of seed1 to seed4 is yet to be determined. This would allow thedigital signatures of CZZ addresses to span over multiple elliptic curves.

Next, we briefly illustrate how the community exchange works over multipleelliptic curves. We would essentially inherit the same staking and exchange rulesas described in section 9 and 10. The only difference is, we would allocate anextra 90 NUMS address for each elliptic curve.

Curve NUMS AddressSecp256k1 addr(i ,CZZ )99i=10

Curve25519 addr(i ,CZZ )199i=110

SM2 addr(i ,CZZ )299i=210

Secp256r1 addr(i ,CZZ )399i=310

Ed25519 addr(i ,CZZ )499i=410

This would allow us to extend the community exchange to essentially cover allknown crypto assets today.

13. POST-QUANTUM CRYPTOGRAPHY

It is well known from the algorithm by Peter Shor[11] that both prime num-ber factorization and discrete logarithm can be solved in polynomial time using aquantum computer. Therefore, cryptographic protocols like ECC or RSA, whose


security rely on the difficulty in solving such problems, are no longer safe[9].Other quantum algorithms such as [4], would offer significant computation advan-tage on the hash function.

On the other hand, we are also in process toward developing industrial stan-dards for post-quantum cryptographic scheme [7]. It is expected that by 2030,post quantum encryption would replace RSA and ECC in the most basic layer ofencryption protocols. Therefore, it is imperative for the blockchain community tostart planning for such a transition.

In this section, we will briefly talk about the outstanding issues for post quantumencryption, and particularly, how these issue may impact the blockchain commu-nity.

13.1. Misconceptions of quantum supremacy. People often equivocate quan-tum computers as simply “massively parallel” classical computers. Since a quan-tum bit can occupy both 0 and 1 simultaneously, a n-bit quantum computer can bein 2n states at the same time, hence able to compute NP-complete problems ex-tremely fast. Unfortunately this is a misconception, as measuring a quantum statewould destroy all information of the quantum system that was not measured.

Success of the Shor’s algorithm was particularly “misleading” because only 1solution was required in the final output, and the issue of quantum state annihi-lation was quietly suppressed. If the underlying problem had multiple solutions,each time we measure the computer’s quantum state, it would only output onecandidate solution x , with probability proportional to the wave function amplitudeax . In the special case of factoring, the one solution was all that you needed.

Let BQP be the class of problems solvable in polynomial time by a quantumcomputer. It has been shown in [2] that NP 6⊂ BQP. Particularly, they showed thatany quantum algorithm that searches an unordered database of N items for a singlelabeled item, must query the database O(

√N) times. If we interpret the space of

2n possible assignments to a Boolean formula ϕ as a database, and the satisfyingassignments of ϕ as labeled items, then the result of [2] would imply that anyquantum algorithm need at least O(2N/2) steps to find a satisfying assignment,with high probability. Hence, there is no “brute force” quantum algorithm to solveNP-complete problems in polynomial time.

13.2. Types of post quantum algorithms. Post quantum cryptography is thestudy of crypto systems running on classical computers that are secure against


a quantum adversary. NIST has already start a process to establish industry stan-dards of such systems, and is currently reviewing the second round of submissions.It is not the intent of this project to conduct any original research in the field of postquantum cryptography. Rather, the Class ZZ community will be assessing whichof the published post quantum algorithm is best suited for blockchain applications.

There are five different approaches, to date

• Lattice based• Multivariate based• Hash based• Code based• Supersingular isogeny

We won’t go through the technical details of each one, and we refer the reader to[7] for more information. What we will instead focus on are current outstandingissues and how their impact on blockchain applications.

In the UTXO setting, a transaction would typically consist of

• Input: 1 address• Output: several addresses• Digital signature

If the size of each transaction is big, the number of transactions we can fit ina block would become severely limited. In some cases where public key size areclose to 1 mb, you can only fit 1 transaction per bitcoin block, rendering bitcoin tpsto the order of 10 minutes per transaction. Since the address length is correlatedto the size of public key, and there is an inverse correlation between the public keyand signature size, it is difficult to simultaneously get the two to be in reasonablesize.

On the other hand, with the advances in communication technology such as 5G,it is possible that our network speed could be 100x faster than what’s currentlyavailable today. Perhaps this would allow us to make some compromises on thekey / signature size, and simply settle for larger blocks in the future.

Supersingular isogenies is one example where both key and signature size aresmaller than their peers, and it has advantages in providing forward secrecy. How-ever it suffers from the drawback of long computation time. This issue may beovercome in the future by ever advancing specialized hardware such as [5].

13.3. Class ZZ. Our approach to post quantum encryption are as follows,


• 2020 - 2025: Observation phase. The Class ZZ community will be activelyengaged with the post quantum research. A post quantum test net may bedeveloped during this period.• 2026 - 2028: Class ZZ will hard fork to a version with digital signature

extension (see section 12) of a post quantum scheme. There will a smoothtransition period of CZZ going from ECC based encryption to post quantumencryption.• 2028 - 2030: Leveraging on the cross chain interoperability, Class ZZ net-

work will provide post quantum address extension to traditional blockchainssuch as bitcoin. As the quantum threat become ever close to reality, we hopeto provide the bridge for the entire blockchain community to transition topost quantum blockchain.

Signature NUMS Address... ...

Post quantum algo 1 addr(i ,CZZ )599i=510

Post quantum algo 2 addr(i ,CZZ )699i=610

... ...

14. FUTURE DIRECTIONS

We are open to suggestions and recommendations on how this could be im-proved.

REFERENCES

[1] Anonymous. How to make a mint: The cryptography of anonymous electronic cash. URLhttps://groups.csail.mit.edu/mac/classes/6.805/articles/money/nsamint/nsamint.htma, 1996.

[2] B. G. V. U. Bennett C, Bernstein E. Strengths and weaknesses of quantum computing. In htts://arxiv.org/abs/quant-ph/9701001.

[3] K. D. Ford B, Srisuresh P. Peer-to-peer communication across network address translators. 2015.[4] L. Grover. A fast quantum mechanical algorithm for database search. In Proc. 28th Ann ACM Symposium on Theory of

Computing, pp 212 - 219.[5] M.-K. M. Koziel B, Azarderakhsh R. Fast hardware architectures for supersingular isogeny diffie-hellman key exchange on

fpga. https://eprint.iacr.org/2016/1044.pdf, 2016.[6] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. URL http://bitcoin.org/bitcoin.pdf, 2008.[7] NIST. Post quantum cryptography - round 2 submissions. In https://csrc.nist.gov/projects/post-quantum-cryptography/round-

2-submissions.[8] R. Pass. Lecture 21: Collision-resistant hash functions and general digital signature scheme. In

https://www.cs.cornell.edu/courses/cs6830/2009fa/scribes/lecture21.pdf. Cornell university COMS 6830.[9] Z. C. Proos J. Shor’s discrete logarithm quantum algorithm for elliptic curves. In https://arxiv.org/abs/quant-ph/0301141.

[10] C. P. Schnorr. Efficient identification and signatures of smart cards. In Proceedings of CRYPTO ’89, 1989.[11] P. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In Proc 35th IEEE Symposium on Founda-

tions of Computer Science, pp 124 - 134.[12] T. Tao. An introduction to measure theory. In Providence, R.I.: American Mathematical Society. ISBN 9780821869192, 2011.

CLASS ZZ: AN INTEROPERABLE BLOCKCHAIN FOR MASS...

Documents

Transcript of CLASS ZZ: AN INTEROPERABLE BLOCKCHAIN FOR MASS...