Are off-chain transactions necessary to keep Bitcoin unbroken?

[nameface]

Is this statement correct:

"The limit of the blocksize is 1MB, transactions are fixed at 7/sec, so off-chain transactions are good because you can process transactions instantly without worrying about the fee, and they will still appear on the Bitcoin blockchain at a later point."

Or are these transactions kepy off the chain forever!?

Even if offchain transactions work, won't we still have a huge problem if the amount of transactions per second increases significantly? How do these transactions ever get on the blockchain? Is it just supposed to work like a Bitcoin version of ACH?

[1715563040]

1715563040

[1715563040]

1715563040

[1715563040]

1715563040

[1715563040]

1715563040

[1715563040]

1715563040

[DeathAndTaxes]

The transaction limit is CURRENTLY limited to 7tps.  This can be raised with a hard fork.  I don't want to trivialize it (as some do) but I find it hard to believe this limit will last forever.  I mean imagine if in 1970s someone had said CPU will never break the 1Ghz barrier or 1TB of storage will never exist, or nobody will need more than 640KB of RAM.  It would seem logical in the short term but almost idiotic in the long term.

Eventually the 7tps "limit" will constrain future growth of Bitcoin and as such there will be increased pressure by stakeholders (users, bitcoin related companies, developers, miners, merchants, etc) to raise the limit.  While miners don't want to see unlimited tx volume (as that means no fee pricing power) they also don't want to see Bitcoin die.  With ASICs they can't simply switch to LTC so they have a very vested interest in ensuring Bitcoin adapts.

My guess is either Bitcoin dies out or the limit is eventually raised.  Either way that means the 7tps is a non-issue.  We will solve it or Bitcoin will by default ( 0 tps < 7 tps).

As for how can off chain tx work.  Currently you can pay someone on MtGox or someone on coinbase with off chain tx.  Either entity simply updates a ledger.  If Mtgox (clients) have a combined sum of 1,000,000 BTC and you transfer 1 BTC from your account to another MtGox account holder then MtGox clients still have a combined sum of 1,000,000 BTC.  There is no need to EVER record a block chain tx.

However today this is limited to a single entity.  It only works if you and your receiver are both on MtGox.  However look forward a couple years and say you have a MtGox account and someone else has a coinbase tx.  In theory MtGox and Coinbase could extend reciprocal lines of credit so MtGox notifies coinbase and coinbase instantly reflects your new balance.  Once a day MtGox and coinbase "settle" the books with a single blockchain tx.  Just to be clear this does NOT currently exist but it could.  Eventually a network of these entities could exist.  In someways this resembles a banking network with one SIGNIFICANT difference.  Today you can't be your own fiat bank (well at least not with any reasonable cost) but you can choose to be your own Bitcoin bank.  All you need the ability to run a full node and willingness to put all tx on the blockchain.

Disclaimer:  hopefully that made sense.  I broke open a bottle of port, LBV 2005 so while the above made sense I can't guarantee it will make sense to anyone else.

[🏰 TradeFortress 🏰]

If Bitcoin is still used in X years of time and the size ceiling is being hit, the block size limit will be increased. Imagine if SMTP had a 4 KB email limit which was fine decades ago, but completely silly today.

The question is not raising it too much so that mining power doesn't become even more centralized, and getting everyone to migrate.

[nameface]

I mean imagine if in 1970s someone had said...

I bet some jackass was saying that 

If Mtgox (clients) have a combined sum of 1,000,000 BTC and you transfer 1 BTC from your account to another MtGox account holder then MtGox clients still have a combined sum of 1,000,000 BTC.  There is no need to EVER record a block chain tx.

Ok I'm putting it together. If they take in 1k BTC in the form of 1k centralized clientside transactions, then they can add a single 1k BTC transaction to the blockchain, and all of the transaction data is owned by the third party, and does not appear on the blockchain. I think that's a terrible application of Bitcoin tbh.

Disclaimer:  hopefully that made sense.  I broke open a bottle of port, LBV 2005 so while the above made sense I can't guarantee it will make sense to anyone else.

“To alcohol! The cause of... and solution to... all of life's problems”
― Matt Groening

[Peter Todd]

FWIW I gave a talk at the Bitcoin conference talking about how off-chain systems can be audited, as well as how to setup systems where operators of them are punished for fraud and other losses: http://www.youtube.com/watch?v=4d3LA8KpdMQ

[jdbtracker]

why would we want to police off-chain transactions?
In fact why is it necessary to have off chain transactions?
If the ECDSA encryption is the most compact available is there a way to further decrease the transaction size or make multiple input transactions more efficient? I think I saw a 20kb transaction once... that is a lot of inputs.

we could make it so that all off chain transactions are handled in a mini-blockchain that is later integrated into the network for validity... it would be necessary, but then again... I can just send the private key of a recently made wallet over bitmessage with no cost and still lots of security.

[nameface]

FWIW I gave a talk at the Bitcoin conference talking about how off-chain systems can be audited, as well as how to setup systems where operators of them are punished for fraud and other losses: http://www.youtube.com/watch?v=4d3LA8KpdMQ

Very nice presentation Mr.Todd. I guess the debates will be forever ongoing... Thanks for helping me get more plugged in.
BTW I'm quoting something cool you said in an article that will be published on LetsTalkBitcoin.com soon after they relaunch their website.

[nameface]

we could make it so that all off chain transactions are handled in a mini-blockchain that is later integrated into the network for validity... it would be necessary, but then again... I can just send the private key of a recently made wallet over bitmessage with no cost and still lots of security.

Wouldn't the recipient lack the assurance that you would not spend the coins first?

[gmaxwell]

Global blockchains have bad scalability. It turns out computers are @#$@# fast these days, so bad can take you pretty far.  But fundamentally having to communicate your transactions _with the whole world_  puts upper bounds on the kinds of stuff you can do and how cheap you can do it for. If nothing else, the speed of light putts upper bounds on what you can do which can never be resolved even with infinite bandwidth and infinitely fast computers and infinite storage.

Bitcoin transactions are laudably small (though we'll see how laudably small they are in the future with cryptographic upgrades), indeed. But you know whats smaller than 100 bytes (about the minimum size of a transaction)?  Zero bytes. Zero bytes are infinitely smaller than 100 bytes.  Zero bytes is the amount of data you need to communicate globally for a transaction in a series which can be collapsed externally. Zero is the risk to your privacy of a transaction which is not known to the outside world. Zero is the power of third party agents to censor activity they cannot prove exists. Not all transactions can be made to have zero global impact, but some can, and so some should be.

Off-chain transactions exist today and they will always exist. The only question is how good they are, how well they integrate and interop, and how much we use them. A decentralized global block chain is a tremendous and useful thing, but its strengths necessarily imply some weaknesses.  By using multiple solutions we can have the best of all of them. Not accepting and embracing off-chain solutions means that the one which do exist will be less secure, more centralized, and less interoperable but they will still be widely used.

If you try to force Bitcoin to be good at things it is fundamentally not good at you risk making it bad at everything. You risk introducing centralization which would make Bitcoin worthless to the world. Good engineering solutions tend to be middle of the road compromises, not trying to force one tool onto all cases.

[EmperorBob]

FWIW I gave a talk at the Bitcoin conference talking about how off-chain systems can be audited, as well as how to setup systems where operators of them are punished for fraud and other losses: http://www.youtube.com/watch?v=4d3LA8KpdMQ

Some neat ideas there, but I don't think it really solves the fundamental trust problem:
- A third party who can sign transactions on your behalf can seize your funds.
- If you can't spend without a third party's participation, they can freeze your funds.

That's always true. You can't get around it. Trusted computing/hardware just changes who the third party(ies) is/are to some extent. And just because I know that a service is running a specific piece of code doesn't mean I've audited that code against key leakage and other backdoors disguised as bugs.

Fraud proofs only work against someone who wants to target specific users out of their entire base. It won't work against what we've already seen happening with off-chain services, which is wholesale service shutdown and funds seizure.

Fidelity bonds just increase the cost of setting up a trusted service, but any fraudulent wallet service is already going to be a long con, just to maximize the amount it rakes in. The bonds will realistically always be a tiny fraction of total deposits, and so they don't really change the incentive structure.

I think the popularity of blockchain.info relative to other web wallets demonstrate that, at least to the early adopters, funds that cannot be stolen or frozen are a desired quality.

[gmaxwell]

The bonds will realistically always be a tiny fraction of total deposits, and so they don't really change the incentive structure.

I think Petertodd actually had proposed that they actually be equal to the sum of deposits, and have this enforced in software.  Though it's far from clear to me that this is necessary to go that far, esp if the funds are controlled by an N-of-M multisig.

I think a point you're missing here is parties that have a degree of trust are already ubiquitous in the Bitcoin ecosystem, even where they could be trivially avoided— e.g. no one does in-chain escrow, instead they deposit funds to trusted escrow.  ... And also that the overwhelming bulk of transactions are small, the economic impact of a long con talking your daily lunch money for the next month isn't that substantial.  I don't think anyone suggests that offchain systems are a complete replacement for Bitcoin transactions.

[Anon136]

no matter what adaptations we make to bitcoin in the future small transactions will have to be handled off chain and i really dont think there is anything wrong with that at all. one just hopes that ordinary people will always be able to afford to purchase space on the blockchain for larger transactions.

it is also possible that great decentralized (albeit less decentralized than the block chain) trust free (mostly) solutions can be built ontop of the existing infrastructure that can use the blockchain for clearing. see posts about ot federated chaum banks. if these sorts of services come into existence and really work well than perhaps bitcoin could stay at 7tps for ever and this would never negatively impact any of us in any significant way.

[gmaxwell]

it is also possible that great decentralized (albeit less decentralized than the block chain) trust free (mostly) solutions can be built ontop of the existing infrastructure that can use the blockchain for clearing. see posts about ot federated chaum banks. if these sorts of services come into existence and really work well than perhaps bitcoin could stay at 7tps for ever and this would never negatively impact any of us in any significant way.

See also: CoinWitness for an idea how many kinds of external system to be bound into Bitcoin in a more zero-trust way.

One interesting challenge is— given all these super snazzy external systems (which will exist whether we like them or not!) what will keep demand for blockchain space up high enough that transaction fees are great enough to actually support adequate POW security?

[edmundedgar]

FWIW I gave a talk at the Bitcoin conference talking about how off-chain systems can be audited, as well as how to setup systems where operators of them are punished for fraud and other losses: http://www.youtube.com/watch?v=4d3LA8KpdMQ

Some neat ideas there, but I don't think it really solves the fundamental trust problem:
- A third party who can sign transactions on your behalf can seize your funds.
- If you can't spend without a third party's participation, they can freeze your funds.

That's always true. You can't get around it. Trusted computing/hardware just changes who the third party(ies) is/are to some extent. And just because I know that a service is running a specific piece of code doesn't mean I've audited that code against key leakage and other backdoors disguised as bugs.

Fraud proofs only work against someone who wants to target specific users out of their entire base. It won't work against what we've already seen happening with off-chain services, which is wholesale service shutdown and funds seizure.

Fidelity bonds just increase the cost of setting up a trusted service, but any fraudulent wallet service is already going to be a long con, just to maximize the amount it rakes in. The bonds will realistically always be a tiny fraction of total deposits, and so they don't really change the incentive structure.

I think the popularity of blockchain.info relative to other web wallets demonstrate that, at least to the early adopters, funds that cannot be stolen or frozen are a desired quality.

Also, the problems with intermediary-based systems that Satoshi mentions in the whitepaper aren't just, or even mainly, about not trusting the intermediary. The really big issue - and the reason why payments on the internet still suck - is that the intermediary can be regulated and/or litigated against. Hence:
 

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.

http://bitcoin.org/bitcoin.pdf

[gmaxwell]

Also, the problems with intermediary-based systems that Satoshi mentions in the whitepaper aren't just, or even mainly, about not trusting the intermediary. The really big issue - and the reason why payments on the internet still suck - is that the intermediary can be regulated and/or litigated against. Hence:

Off-chain by itself doesn't automatically mean an intermediary or an intermediary with any specific coercion exposure (e.g. it may some quorum system reachable via anonymity networks, or something else entirely).

Though you also have to be careful what you're comparing alternatives to: To the best of my knowledge most Bitcoin (the payment network) users use a webwallet service which doesn't even have SPV security, they use centralized exchanges, they have only about 3500 public listening full nodes in total which meet the DNS seeds standards for good performance/availability, and a majority of hashing power is under the control of approximately three to four people.  Bitcoin decentralization will never be cheaper than it is today, and yet it's arguably not an ideal of decentralization even now, so the trust gap to even trust-based off chain systems may be sadly smaller than you assume— especially if your comparison point is a world where most transactions are on chain and thus the cost of running a full node is much higher.

[Dabs]

Some existing off-chain transactions now:

1. All bitcoin exchanges: mtgox, bitstamp, btc-e, etc.
2. Some gambling websites that allow transfer of coins to other gamblers, chips, tokens, etc. (poker, dice, casinos, etc.)
3. Some online web based wallets: inputs, blockchain?, etc.
4. Investments on bitcoin securities exchanges: bitfunder, btc.co, etc.
5. Shared wallets.
6. TOR hosted hidden services: Silk Road? (I've never used it but I'm guessing you can create accounts that store bitcoins?)

Just to give you an idea.

Also, bitcoin mining, while large percentages are among 3 or 4 big players, there are thousands of little people running USB mini miners, and thousands more running GPU rigs until today. It's as decentralized as it gets.

[gmaxwell]

Also, bitcoin mining, while large percentages are among 3 or 4 big players, there are thousands of little people running USB mini miners, and thousands more running GPU rigs until today. It's as decentralized as it gets.

Practically none of those parties are miners from the perspective of the Bitcoin system: They're people selling computing power to big far away miners in exchange for Bitcoin. They don't participate in the consensus, they don't validate blocks, they don't select transactions. They are miners in a similar sense that AMD is a miner, although they do have the ability to pick which of several masters they serve, they only do so relatively slowly.

[DeathAndTaxes]

Practically none of those parties are miners from the perspective of the Bitcoin system: They're people selling computing power to big far away miners in exchange for Bitcoin. They don't participate in the consensus, they don't validate blocks, they don't select transactions. They are miners in a similar sense that AMD is a miner, although they do have the ability to pick which of several masters they serve, they only do so relatively slowly.

I think this is an important distinction.  While the term miner is casually used if you are a worker for a traditional mining pool you really are a contracted provider of computing power, nothing more.  You provide x units of computing power and in return the pool provides you a contracted reward (based on pools reward method). 

Using the term "miner" to refer to both those creating the coinbase tx (and rest of block structure) and those who merely attempt to find a solution to that problem is vague at best.  This may have implications beyond just network security.  FinCEN's guidance on miners (as illogical as it may be) puts a distinction on the entity "creating" currency units.  A legal argument could be made that Satoshi created all the currency units and miners (true miners, pools, solominers, p2pool members) are merely being rewarded them for block completion.  However even if that argument fails it would seem that pool workers wouldn't be creating currency units regardless.

[jgarzik]

Using the term "miner" to refer to both those creating the coinbase tx (and rest of block structure) and those who merely attempt to find a solution to that problem is vague at best.  This may have implications beyond just network security.  FinCEN's guidance on miners (as illogical as it may be) puts a distinction on the entity "creating" currency units.  A legal argument could be made that Satoshi created all the currency units and miners (true miners, pools, solominers, p2pool members) are merely being rewarded them for block completion.  However even if that argument fails it would seem that pool workers wouldn't be creating currency units regardless.

+1   this will become relevant in the future.

Two years ago, I speculated on the legal ramificiations of running a mining pool -- that is, being the one who selects the coinbase payouts, and in turn, transmits a bunch of bitcoins to a bunch of others.  Solo miners have one level of risk (coinbase payouts), and mining pools have an additional level of risk (coinbase payouts + miner payouts).

I wouldn't be surprised if mining pools in the US required KYC/AML verification.

The best argument can be made for the end-of-line miners.  They do not control the coinbase nor payouts, and the best case may be made for them as providing a computing service, in exchange for bitcoins.

[Anon136]

it is also possible that great decentralized (albeit less decentralized than the block chain) trust free (mostly) solutions can be built ontop of the existing infrastructure that can use the blockchain for clearing. see posts about ot federated chaum banks. if these sorts of services come into existence and really work well than perhaps bitcoin could stay at 7tps for ever and this would never negatively impact any of us in any significant way.

See also: CoinWitness for an idea how many kinds of external system to be bound into Bitcoin in a more zero-trust way.

One interesting challenge is— given all these super snazzy external systems (which will exist whether we like them or not!) what will keep demand for blockchain space up high enough that transaction fees are great enough to actually support adequate POW security?

mind = blown

[Peter Todd]

However today this is limited to a single entity.  It only works if you and your receiver are both on MtGox.  However look forward a couple years and say you have a MtGox account and someone else has a coinbase tx.  In theory MtGox and Coinbase could extend reciprocal lines of credit so MtGox notifies coinbase and coinbase instantly reflects your new balance.  Once a day MtGox and coinbase "settle" the books with a single blockchain tx.  Just to be clear this does NOT currently exist but it could.  Eventually a network of these entities could exist.  In someways this resembles a banking network with one SIGNIFICANT difference.  Today you can't be your own fiat bank (well at least not with any reasonable cost) but you can choose to be your own Bitcoin bank.  All you need the ability to run a full node and willingness to put all tx on the blockchain.

Don't forget that because Bitcoin is based on cryptography, you can audit that Bitcoin bank and prove they, for instance, hold funds they claim they do, whereas in the real world you just can't get absolute, mathematical proof.

inputs.io, for example, have told me they are planning on implementing proof-of-ownership soon. Essentially that means they will prove to their customers that the funds held by them on their behalf really are backed 100% by coins on the blockchain. Of course, that doesn't stop them from taking the funds, but it means if they do they will be quickly caught. In the future mechanisms can be implemented like fidelity bonds and trusted hardware that make even stealing the money unprofitable - much like Bitcoin itself is designed so that miners have economic incentives to "mine honestly"

FWIW I keep a few BTC worth of "day-to-day" spending money at inputs.io, as well as easywallet, even without any auditing. To me the privacy is worth the risk of the funds getting stolen. (I lost about $100 worth at instawallet)

[n8rwJeTt8TrrLKPa55eU]

One interesting challenge is— given all these super snazzy external systems (which will exist whether we like them or not!) what will keep demand for blockchain space up high enough that transaction fees are great enough to actually support adequate POW security?

mind = blown

Yet more evidence that Satoshi comes from the future and the 1MB hard limit might actually be an optimal number

And circa 2040 we'll all be proactively soliciting gambling services to please use the blockchain as a notification mechanism.

[justusranvier]

Yet more evidence that Satoshi comes from the future and the 1MB hard limit might actually be an optimal number

So why did he start it out at 16 MB?

[Peter Todd]

Yet more evidence that Satoshi comes from the future and the 1MB hard limit might actually be an optimal number

So why did he start it out at 16 MB?

32MiB, and the way that limit was implemented suggests it was an accident that it even existed and he hadn't thought through the implications at the time.

Rule of thumb: believe it or not, Satoshi was just a smart guy like you or I, he was far from infallible.

[n8rwJeTt8TrrLKPa55eU]

Yet more evidence that Satoshi comes from the future and the 1MB hard limit might actually be an optimal number

So why did he start it out at 16 MB?

He wanted to give future generations something to argue about on Bitcointalk, and figured some archeological blocksize ambiguity was just the ticket.  And if you record his whitepaper onto vinyl and play it backwards, it's also revealed that he planted the Tecaxic-Calixtlahuaca head in Toluca.

[astutiumRob]

Some existing off-chain transactions now

Internal accounting systems, irrespective of the currency, have no need to be on the blockchain anyway.
If 'size' is a worry, then the ability to merge addresses within the same wallet, and to discard addresses and more importantly have a point-in-time-balance would solve the chainsize issue and download time.

[Dabs]

Some existing off-chain transactions now

Internal accounting systems, irrespective of the currency, have no need to be on the blockchain anyway.
If 'size' is a worry, then the ability to merge addresses within the same wallet, and to discard addresses and more importantly have a point-in-time-balance would solve the chainsize issue and download time.

I suggested something like that last year. Apparently, that idea has been around and discussed several times. Bitcoin doesn't work that way, and I get it now. Merging addresses means sending all your coins (gathering all unspent outputs) and sending it all to another address or into one specific address.

Not many people are going to do that. And you can't ask them to. They will do it on their own, but they don't need to for amounts larger than 1 bitcoin-day.

[sidazhang]

However today this is limited to a single entity.  It only works if you and your receiver are both on MtGox.  However look forward a couple years and say you have a MtGox account and someone else has a coinbase tx.  In theory MtGox and Coinbase could extend reciprocal lines of credit so MtGox notifies coinbase and coinbase instantly reflects your new balance.  Once a day MtGox and coinbase "settle" the books with a single blockchain tx.  Just to be clear this does NOT currently exist but it could.  Eventually a network of these entities could exist.  In someways this resembles a banking network with one SIGNIFICANT difference.  Today you can't be your own fiat bank (well at least not with any reasonable cost) but you can choose to be your own Bitcoin bank.  All you need the ability to run a full node and willingness to put all tx on the blockchain.

Don't forget that because Bitcoin is based on cryptography, you can audit that Bitcoin bank and prove they, for instance, hold funds they claim they do, whereas in the real world you just can't get absolute, mathematical proof.

inputs.io, for example, have told me they are planning on implementing proof-of-ownership soon. Essentially that means they will prove to their customers that the funds held by them on their behalf really are backed 100% by coins on the blockchain. Of course, that doesn't stop them from taking the funds, but it means if they do they will be quickly caught. In the future mechanisms can be implemented like fidelity bonds and trusted hardware that make even stealing the money unprofitable - much like Bitcoin itself is designed so that miners have economic incentives to "mine honestly"

FWIW I keep a few BTC worth of "day-to-day" spending money at inputs.io, as well as easywallet, even without any auditing. To me the privacy is worth the risk of the funds getting stolen. (I lost about $100 worth at instawallet)

Peter, how does this proof of ownership work. Does it require the wallet to disclose all the addresses that they own so that people can check?