Fungibility is the only property of sound money that is missing from Bitcoin & Litecoin. Now that the scaling debate is behind us, the next battleground will be on fungibility and privacy.
I am now focused on making Litecoin more fungible by adding Confidential Transactions. 🚀
— Charlie Lee [LTC⚡] (@SatoshiLite) January 28, 2019
Lee recognizes that neither Litecoin nor Bitcoin yet fulfill all the properties of sound money. The main deficiency right now is a lack of fungibility, meaning that all coins are not yet interchangeable. The lack of fungibility and lack of privacy are one and the same, you cannot have one without the other. Here’s why.
Right now, due to the transparency of Litecoin, you can track coins along the blockchain. This lack of privacy means that if your coins were previously held by someone involved in illegal activity, then exchanges and merchants could treat your coins as inferior to cleaner ones, such as coinbase coins, which are those that are freshly created from the mining process. The very fact that your coins and their history are not kept private means they can be separated and are not interchangeable.
To solve this, Lee has suggested a variety of improvements that should at least somewhat solve this issue. Currently, suggestions range from Confidential Transactions (CTs) and Bulletproofs to MimbleWimble and Extension Blocks. It is likely that the final proposal will include a mixture of these features.
We are going to take a look at these different upgrades and their implications. Litecoin has a history of introducing upgrades before Bitcoin, as they did with SegWit in 2017. If the team can succeed in these efforts, then it could pave the way for similar improvements to Bitcoin.
Confidential Transactions (CTs) were initially a proposal for Bitcoin led by Adam Back, Gregory Maxwell, Pieter Wuille, and Andrew Poelstra. CTs are a form of range proof, a cryptographic method to prevent double-spending. They are able to hide both the amount and type of asset. Consequentially, one party cannot see how many coins the other has and onlookers cannot decipher the size of transactions.
In normal Litecoin transactions, all output and input values are publicly visible. As a result, it is simple to verify transactions by ensuring that the total value of inputs and outputs are equal to zero. CTs, however, hide all these values while ensuring that all other nodes can verify that the balance of outputs and inputs equals zero.
The Limitations of CTs
Unfortunately, transaction sizes in confidential transactions are significantly larger than normal ones. On their own, they stand at 3.8-5.4 KB. This is in comparison to just 300-400 bytes in a normal Litecoin transaction. As a result, both Litecoin and Bitcoin would experience a significant reduction in their throughput capacity and likely witness a large rise in fees.
What’s more, while transaction amounts are hidden, sender and receiver addresses are still visible. Ultimately, CTs demand a very large trade-off in scalability with only limited improvements to fungibility and privacy.
Bulletproofs to the Rescue
Fortunately, though, these issues can be accommodated by other changes.
Bulletproofs are a proposal to perform much more efficient range proofs. They can compress the size of CTs and thus limit the scalability limitations that CTs alone impose. Bulletproofs reduce the initial CT size of 3.8-5.4 KB down to approximately 700 bytes. Monero recently upgraded to Bulletproofs. In this regard, Litecoin would benefit from using a tested technology.
MimbleWimble is a design proposal that has been bouncing around for several years. When initially released by its anonymous creator, it challenged many of the existing assumptions around blockchain design. MimbleWimble is not just an upgrade you can stick onto Litecoin, however. It is actually an alternative to the Litecoin design itself and requires additional structures.
The Cryptographic Building Blocks
Interestingly, MimbleWimble uses a similar design to that of CTs. Both MimbleWimble and CTs derive their privacy abilities from the use of Pedersen Schemes and blinding factors.
A Pedersen Commitment Scheme is a cryptographic algorithm. Such schemes allow you to guarantee some information, such as transaction amounts, while hiding it from all other parties. The commitment ensures that you cannot change the information at a later date. The only way the information can be revealed is through disclosure of a blinding factor, which is a random sequence of numbers.
With normal CTs, the sender creates this blinding factor. In MimbleWimble, the receiver creates the factor. This factor actually serves as proof of coins.
Similarly to how CTs allow for the sum of all inputs and outputs to be proven to be equal, MimbleWimble does all this through a multisignature. In the current iteration of Litecoin, the keys for each input sign transactions. However, in MimbleWimble something akin to a multisignature key functions as a mass public key for all those involved in a transaction. This is formed by subtracting the total value of all the input keys from the total value of all the output keys.
This means that we can validate a large bunch of transactions collectively via this multisignature, similar to how CoinJoin works.
Scaling this up to a MimbleWimble block, we end up with a block consisting of just a series of inputs, outputs, and multisignatures. These multisignatures are all that you need to verify transactions. This alternative model removes the need for new nodes to download all the transaction data on the current Litecoin blockchain.
Limiting the Costs of Privacy
The result of all this is that we have massively increased privacy without enduring a large increase in the size of transactions and blocks. We can hide the number of coins in a transaction as well as making it very hard to track the sender and receiver.
What makes MimbleWimble so exciting is that it has solved the usual trade-off that we see between privacy and fungibility versus scalability. For instance, both Monero and ZCash, when used for their privacy purposes, have the trade-off of extremely large transactions and high fees. Until now, no blockchain project has been able to achieve strong privacy and fungibility without causing a major reduction in throughput. MimbleWimble, though, could be the first solution for this dilemma. In reality, this means we can now have fungible and private cryptocurrency that is ready for mass use.
One downside of this alternative design is that Litecoin scripting will not work with MimbleWimble due to the removal of signatures from individual inputs. Poelstra has stated that while this does limit many smart contract capabilities, there are ways around this by using timelock transactions, multisignature, and unidirectional payment channels. Nonetheless, it seems some trade-offs will have to be made.
Bulletproofs Strike Again
It turns out that Bulletproofs’ benefits extend beyond just those pertaining to CTs.
Bulletproofs can actually help the scripting limitations in MimbleWimble. Poelstra has demonstrated that you can bypass scripting entirely and perform certain smart contracts through a combination of bulletproofs and something called Scriptless Scripts. Scriptless Scripts use Schnorr Signatures, a more compact alternative to the current ECDSA signature scheme. These hide the information of the scripts or smart contracts.
The result of all this is that we can increase the privacy of atomic swaps and any payment channel function. Scriptless Scripts previously relied on incomplete cryptography called sigma protocols, which were not ready for use. Bulletproofs are now unlocking the full potential of these scripts. As a result, we could see some impressive and anonymized smart contract features on MimbleWimble after all thanks to Bulletproofs.
By stacking the different proposals that we have discussed so far, we are starting to gain impressive fungibility, privacy, scalability and smart contract features under one roof with far fewer trade-offs than virtually every other blockchain project seen to date. It is no wonder that the Litecoin team is so excited about the potential.
Not So Easy
The main problem with MimbleWimble is that we cannot just add it to Litecoin.
MimbleWimble is not a replacement to certain parts of the Litecoin blockchain, but rather a different architecture altogether. In fact, the only way to move forward is through either a sidechain or something called extension blocks.
Extension blocks have been around since 2013 and were an alternative Bitcoin scaling proposal to SegWit and block size increases. They are essentially additional blocks that run alongside the already existing blocks that we will call foundation blocks. Importantly, unlike foundation blocks, which are linked linearly back to each other all the way to the genesis block, foundation blocks are only linked to their parallel foundation block.
This means that you can bolt on features like MimbleWimble parallel to the original Litecoin blockchain.
The main limitation of extension blocks is that they are not backward compatible. Old nodes that do not upgrade to a softfork that introduces extension blocks would not be able to see these extension blocks. As a result, they would be severely limited in interacting with any features that would be supported on the extension blocks. In Litecoin’s case, much of the upgrades would be living on these extension blocks. In theory, there could be a major separation between old and updated nodes.
The final upgrade that might be coming to Litecoin in 2019 is Taproot. This is a Maxwell invention that, along with its brother Graftroot, is set to obfuscate regular transactions from multisig transactions. This will blur the lines between layer one and layer two transactions. Consequently, it will be impossible to differentiate between transactions on the Litecoin blockchain and those on the Lightning Network. As a result, if I pay you over the Lightning Network or execute a smart contract, the activity will be indistinguishable from me paying you with a basic Litecoin transaction.
Just like Scriptless Scripts, these upgrades are dependent on Schnorr Signatures. To this end, many Bitcoin developers are working on Bitcoin Improvement Proposals (BIPs) that combine Schnorr and Taproot.
Taproot actually builds on another upgrade called MAST (Merkelized Abstract Syntax Trees) that introduces space efficient smart contracts via scripts back into Litecoin. These smart contracts had previously been blocked because of their excessive size and the fear that they would clog up the network.
Unfortunately, MAST leaves smart contracts vulnerable because it does not sufficiently obscure them to look the same as regular blockchain transactions. Taproot solves this.
Of course, Taproot and MAST will not be compatible in any of the MimbleWimble extension blocks, since MimbleWimble cannot support scripting. Instead, these upgrades will be limited to Litecoin foundation blocks.
Despite all these breakthroughs, we are still left with the threat of quantum computing.
CTs and MimbleWimble use Pedersen Commitments in their range proofs to encrypt transaction values while preventing double-spending. Unfortunately, they are not quantum-resistant. If broken, they would allow for an infinite amount of new coins to be mined, undermining Litecoin’s inflation controls.
However, the development team has partnered with the Beam project to help integrate Switch Commitments into a MimbleWimble implementation via extension blocks on Litecoin. Switch Commitments are essentially a safety mechanism that can protect against quantum advances that threaten Pedersen Commitments.
Optional vs. Mandatory Privacy
It is unclear at this stage how many of these upgrades will be optional or mandatory. Both options are compatible with a softfork, fortunately.
An optional LIP would allow users who wanted to stay visible to do so and may mitigate some increases in fees and reductions in throughput resulting from the changes. Though, the problem with this is that unless a critical mass of users opts into these features, those who do use them can be targeted by onlookers and nefarious parties. Furthermore, if there exists a private part of the blockchain, i.e. the extension blocks, and a public part, i.e. the foundation blocks, it is possible that users could leak metadata while moving between. Onlookers could then use this data to help identify users. This is a common criticism of Zcash’s model where there is a combination of public and shielded transactions.
Balancing this dichotomy is no easy task. It may well be the most challenging question for the development team to address.
Layers of Privacy
Aside from all of these blockchain level upgrades, layer two solutions, such as Lightning Network, will provide Litecoin with further fungibility and privacy improvements.
The Lightning Network uses onion routing, the same technology used for the Tor Network. This means that nodes can only see the connection preceding and following it.
Regardless, layer two solutions are not substitutions for deficiencies on the blockchain.
Andreas Antonopoulos has made famous the idea of ossification in the Bitcoin ecosystem. It refers to the observation that it is increasingly difficult to add new protocol upgrades to the base layer. As Bitcoin’s network, ecosystem, and market capitalization grow, reaching consensus for changes to privacy and scalability is proving harder and harder. This challenge applies equally to Litecoin.
As such, it is important to prioritize those features most needed at the blockchain layer. Fungibility and privacy are surely such features.
If fungibility is only addressed at layer two, it will never be solved. At some point, either funds or contracts need to be settled on-chain. By failing to secure the privacy of the blockchain itself, we will find ourselves failing to ever properly patch this deficiency.
A Constructive Ecosystem
Fortunately, we can integrate all the aforementioned upgrades into Litecoin with a softfork.
As such, it should be relatively easy to integrate whatever combination the development team put forward as a Litecoin Improvement Proposal (LIP).
Ultimately whatever upgrades Litecoin makes this year, they will, of course, be standing on the shoulders of others. Developers from the Bitcoin ecosystem such as Poelstra and Maxwell, to the many anonymous contributors to MimbleWimble, as well as the teams at Beam and Grin will all deserve much credit.
Nevertheless, Litecoin is once again proving that it is at the forefront of implementing cutting-edge blockchain improvements. Should the development team pull off a successful upgrade from this wide variety of proposals, they will have fulfilled the final property of sound money missing from Litecoin and Bitcoin: fungibility. And with it, privacy.
Thank you to Charlie Lee for reviewing an earlier draft of this article.
Read original article at coincentral.com.
Author: Ben Whittle