A high-level tableau of the factors driving progress in cryptoeconomic systems -- consensus, scalability, identity, oracles, privacy, smart contracts, and governance.
Note to readers: This text was originally written in 2017. Some parts remain obviously true, others have evolved considerably, and some were not quite there. The retrospective reading is still of interest -- hence the publication.
Bitcoin as a system is much more than a slow, suboptimal shared ledger. It is a decentralised system at global scale syncing its state every 10 minutes. A feat and a marvel of our time.
Since its inception in 2009, other systems have emerged -- open or closed, permissioned or not, centralised or decentralised, more or less censorship resistant. Key computer science and game theory concepts are being applied to these systems which, coupled with decentralised and institutional economics, will bring about new structures that will compete, and sometimes win, against current centralised systems, firms, organisations, and institutions.
It is only the beginning, and I found it useful to review the various high-level factors which, combined, will unfold into a truly global scaled-out network of decentralised cryptoeconomic systems.
Reasons to read this and to provide feedback:
Let's go.
Quantum resistance, homomorphic encryption, zero knowledge proofs
Most systems rely on mathematical problems, such as the discrete logarithm problem, that may be broken by quantum computing.[1] Elliptic Curve Cryptography (ECC), as used today, will need to be upgraded[2] to new quantum-resistant algorithms.
The second aspect showing promise in applied cryptography is the use of homomorphic properties to enable more privacy. Mimblewimble[3], for instance, uses Pedersen commitments (which are additively homomorphic) alongside Schnorr signatures[4] -- the latter now part of a Bitcoin BIP.[5] Fully homomorphic encryption is progressing significantly[6] and will offer opportunities to improve the privacy of transactions and contracts, and the fungibility of coins.
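To make the additive homomorphism concrete, here is an added toy example (not code from the article, nor from Mimblewimble itself): Pedersen commitments C = v*G + r*H on a deliberately tiny curve, and the Mimblewimble-style check that a transaction's outputs minus inputs leave only a multiple of H (the kernel excess), which is what lets a verifier confirm the hidden values balance. The curve size and the generator labels are constructed for illustration and are not secure.

```python
# Toy Pedersen commitments on a small elliptic curve, to show the additive
# homomorphism that Mimblewimble relies on to check that a transaction balances.
# Constructed demo parameters: NOT secure, the field is far too small to hide values.
import hashlib

P = (1 << 61) - 1   # Mersenne prime; P % 4 == 3 so a square root is a single pow()
B = 7               # curve y^2 = x^3 + 7 over GF(P) (secp256k1 shape, toy size)


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # P + (-P) = infinity
        return None
    if p1 == p2:                           # doubling (curve coefficient a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication; negative k uses the negated point."""
    if k < 0:
        k, pt = -k, point_neg(pt)
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def hash_to_point(label):
    """Nothing-up-my-sleeve point: hash a label to x, take the first valid y."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + B) % P
        if pow(rhs, (P - 1) // 2, P) == 1:          # rhs is a quadratic residue
            return (x, pow(rhs, (P + 1) // 4, P))
        x = (x + 1) % P


G = hash_to_point(b"pedersen-demo-G")   # value generator (constructed label)
H = hash_to_point(b"pedersen-demo-H")   # blinding generator, log_G(H) unknown to all


def commit(value, blind):
    """C = value*G + blind*H: hides value behind blind, binds the committer to value."""
    return point_add(point_mul(value, G), point_mul(blind, H))


def balances(inputs, outputs, kernel_excess):
    """Mimblewimble-style check: sum(outputs) - sum(inputs) must equal the kernel
    excess, a multiple of H alone, which means the hidden values cancel to zero."""
    total = None
    for c in outputs:
        total = point_add(total, c)
    for c in inputs:
        total = point_add(total, point_neg(c))
    return total == kernel_excess
```

Because the values cancel inside the group, the verifier never learns 10, 7 or 3; it only checks that the excess is a pure H-multiple, and in Mimblewimble a signature under that excess proves the sender knows the blinding difference.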
One of the key advances in cryptography is related to Computational Integrity research.[7] In the short term, open blockchains will support zero knowledge proof (ZKP) protocols. These protocols let a party prove a statement to third parties without revealing the underlying private information. This is a mind-boggling concept -- significant implementation hurdles remain -- but it is a key aspect of progress in the upcoming years.
Welcome my son, welcome to the machine
One of the key components of decentralisation is decentralised consensus technology. It has to resist multiple types of attacks and let the "network" decide the "truth": a valid state (change) of the global machine. It must converge to finality[8] within a given timeframe -- i.e. not "hesitate" too long between two or multiple "digital realities." No one should be able to enforce "truth"; hence the necessity of a crowd, a level of decentralisation at which any single party would have a hard time beating or cheating the multitude.
Currently, Bitcoin consensus works with Proof of Work. It has proven its security and faces two main criticisms: one, it consumes a vast amount of electricity to run the mining farms; two, miners might form a cartel, capturing the governance (the evolution of Bitcoin) from other players (users, devs) to maximise their present and future profit. In Bitcoin, miners have power (pun intended) because they made the capital expenditure and they protect their investment (mining farms). For example, they would want to see a correlation between their reward (in bitcoin creation or in transaction fees) and the number and value of transactions. They would want to deter more miners from coming in, and the way to do this is to increase hash power, leading to mining pools or cartels that capture the rent (this has the positive effect of increasing the security of Bitcoin). At the same time, users would want miners to process more transactions faster at minimal (marginally zero) cost.
As a result, alternative consensus methods are explored and deployed at smaller or private scale. To date, the question of whether alternative consensus protocols can withstand attack in open "trustless" networks has no definitive answer. Proof of Stake (PoS), which seems to be the most likely candidate, is widely criticised. This is why the deployment of Casper[9], the new Proof of Stake protocol for Ethereum, was so critical. Tezos[10] has also deployed a delegated PoS as its preferred consensus mechanism and provides governance mechanisms to manage the evolving interests of stakeholders.
Consensus protocols are at the heart of cryptoeconomic systems. They operate mechanisms where all participants are incentivised to act and collaborate for what "the governance" has agreed is the "common good," and where non-collaborative behaviour is punished.[11] This is why the whole discussion about governance[12] is necessary, as this problem relates to the tragedy of the commons.[13]
The key innovation in these cryptoeconomic systems is the use of game theory combined with cryptology to design games/systems that maintain a (decentralised) equilibrium and resist attacks, from the inside or the outside of the system. This is a topic on which much progress is expected as more research is performed. Currently, there are not many simulation tools available to model and simulate such games.
The Bitcoin wars have raged on this very topic; Ethereum was overloaded in June 2017 by a few ICOs and some CryptoKitties. As usage grows, including for petty transactions, blocks are filled and many transactions may remain unconfirmed for a long time. Some users actually flooded the network to make the point. This issue led Bitcoin to a "near fork experience" after the SegWit 2x proposal "locked in" and Bitcoin Cash (BCH) was forked.
A variety of techniques -- such as pegged sidechains[14], state channels[15], or sharding[16] -- are likely to bring scalability. This comes at a price: it may fragment resistance (a given sidechain can be compromised and still settle on the main chain). Sharding creates limits[17] for smart contract execution (across shards) and needs some mechanism to maintain coherence.
"Metachains" or parachains may federate multiple blockchains providing transaction settlement, netting, and "world" confirmation of blockchain-to-blockchain (or DAG[18], or anything) transactions. In this regard, the Polkadot project[19], headed by Dr Gavin Wood (Web3 Foundation), or Cosmos[20], from Tendermint, have paved the way for blockchains of blockchains. Plasma[21], supported by Joseph Poon and Vitalik Buterin, transposes a Lightning Network[22]-like approach to smart contracts, enabling high-throughput validation of smart contract states without requiring continuous validation on the main Ethereum blockchain. Raiden[23] is also a payment channel for Ethereum, with high potential throughput and fast confirmation, derived from the Lightning Network protocol.
Self-sovereign identity is a human right, right?
One of the favourite books of the "crypto" community is The Sovereign Individual by James Dale Davidson and Lord William Rees-Mogg. This connects directly with The Road to Serfdom by Friedrich Hayek and the strong historical current of liberalism, where liberty prevails over equality. The whole discussion on self-sovereign identity takes place in a context where individuals challenge and distrust public and private institutions.
The notion of self-sovereign identity is well described by Christopher Allen[24] and Joe Andrieu.[25] For the sake of simplification, it means that individuals manage their identities and the related attributes attached to them. They can decide what identity attributes they share with whom, and for how long.
Decentralised cryptoeconomic systems need to deal with identity, and not just authentication, if they are to be connected to the "fiat" world: the world of institutions. These institutions -- enforcing property laws, access to courts of justice, and liabilities of parties involved in exchanges of goods and services -- are based on proof of identities. These institutions may have flaws, limited efficiency, and may sometimes be corrupted, but it will be difficult to scale cryptoeconomic systems at a global level without establishing direct links with them. The difficulty is to avoid projecting current institutional arrangements onto the new decentralised systems; it would likely end up delivering only marginal benefits and lead to centralisation. That is one of the phenomena that may limit the value of "private blockchains" by (centralised) firms or by cartels of actors.
Reciprocally, institutions will (have to) adapt to the new paradigm of decentralised and self-sovereign identity. Centralised identity systems defeat the very purpose of decentralised systems, which is to avoid takeover and manipulation of information by any central entity. One step further is to affirm that identity is a human right. Another step would be to affirm that any legal entity should exist and be referenced at global level and be the verifiable outcome of a governed organisation of individuals through an open constitution. These entities can now be created and governed on decentralised systems, where rules of engagement, responsibilities, decisions and rewards of managers, directors, and shareholders would be auditable.
It is possible to derive a public and open decentralised registry (Entity Naming System) of legal entities at global level from the current LEI system.[26] This would help reduce transaction costs (onboarding costs; counterparty risks; AML/KYC red tape) for businesses.
A contrario, the negation of identity in transactions defeats the notions of property, responsibility, and liability. Some decentralised systems will still operate on their own and may remain "just experiments," forming a layer open to anyone with a connection and censorship resistant. The two worlds will coexist and cooperate.
Bottom line: Expect global decentralised identity systems to emerge, and current centralised authentication systems (Certificate Authorities, Public PKIs, DNS, Directories) to be challenged. This trend is only being accelerated by regulations on privacy such as GDPR, and by policies enacted to fight terrorism and money laundering. Identities and attributes will help improve the governance of delegations, entitlements, signing, and access control in firms and between firms.
Who's Zed? Zed's dead, baby. Zed's dead. -- Pulp Fiction
Oracles are real-life "trusted" facts that need to be attested and verified before being used as triggers for events in the systems. Cryptoeconomic systems and their action rules or "smart contracts" operate from signed transactions. There is a strong necessity to connect the real world -- i.e. represent trusted facts into these systems -- that may otherwise be corrupted.
As long as actions in the cryptoeconomic sphere cannot be taken from verified facts, or worse, can be taken from unverified facts, these systems will be exposed to "fake news" attacks, causing flash failures, which may become "the truth" once validated through consensus, requiring hard or soft forking, etc.
Therefore, oracles -- signed contracts certifying the occurrence of physical "real life" events -- are critical to the wide adoption of blockchain and smart contract technologies. This is again connected to identity and liability. And this is one of the most important applications needed to connect trusted objects to cryptoeconomic systems.
Who is going to verify facts in a decentralised manner? Will we need to reinvent third parties in order to reach a level of certitude about the reality of a fact? What would be the incentive mechanism to have fact verifiers tell the truth and put a measurable level of diligence in their verification?
One of the technologies used for capturing real-world data is hardware secure enclaves, such as those used by Ledger, Intel SGX for Sawtooth Lake, or ARM TrustZone on smartphones. Those secure enclaves should be audited to avoid known pitfalls.[27]
Privacy is required by many protocols of exchange and used to protect properties. It is also one of the key attributes to enable true fungibility of tokens (i.e. it is not possible to identify former owners and previous usage of tokens). There will be no mainstream take-off without privacy, fungibility, and censorship protection.
The current state of cryptoeconomic systems offers various levels of privacy, but most public ones expose transactions and script or contract code (and it is necessary to trust the system). This is one reason why private blockchains or distributed ledgers have been created -- to expose code/scripts and transactions only to those entitled (back to the identity discussion). These settings defeat both the decentralisation and the censorship-resistant nature of these systems. They become a shared registry, bringing marginally more cooperation than in centralised existing systems. They are vulnerable to collusion attacks by subsets of authorised validating authorities.
Very significant progress in the specialised field of Computational Integrity has been achieved, leading to the development of "zero knowledge proofs." This provides a way for a "prover" to compute a proof that can be verified by a verifier without disclosing more information than what is in the proof. For example, the verifier can check that the prover has enough money to pay for a good, without knowing how much is owned by the owner or where the coins came from. This is opening a new area of fast-paced innovations which will be implemented in cryptoeconomic systems.
The first implementation of zk-SNARK[28] (zero knowledge -- succinct non-interactive argument of knowledge) occurred in Zcash, launched on 28 October 2016. Ethereum announced support for zk-SNARK in Metropolis/Byzantium. Tezos included zk-STARK in their roadmap. zk-SNARK offers a level of protection with one caveat: the certainty that the central private key has been destroyed, alongside all elements that would enable its reconstruction.[29] The existence of this trusted setup introduces a doubt which, applied to self-interested agents who would control the trusted setup ceremony, has been a showstopper. This is why the development of zk-STARK (T stands for Transparent), as described by Dr Eli Ben-Sasson[30], is a significant advance, as it provides a way to avoid a non-transparent trusted setup ceremony.
This progress will cause a lot of debate since it can provide a way to obfuscate transactions on a public cryptoeconomic system. How do you allow surveillance, regulation, investigations in these systems? Or do you?
Code is Law? Not yet, still wet.
The notion of smart contracts was described by Nick Szabo[31] back in 1996. It has led enthusiasts to inflated expectations: implemented in a cryptographic ledger, it could be used to execute the terms of contracts, bringing down the transaction cost of executing the contract. It echoed the famous quote from Lawrence Lessig: "code is law."[32] Real life proved this preposterous. Lawyers explain why. Smart contracts are scripts that run in a cryptographic environment, providing proofs of execution on terms that have been signed by parties. They are nowhere near a legal contract, currently lacking many of its attributes. So far, there is no system of dispute management, no accountability enforcement, and no legally sound framework to attach (property of) assets to a given coin that may be enforced by jurisdictions. Nevertheless, this situation is evolving quickly and this is one of the most fundamental aspects of progress that will disseminate the technology in many areas of law, regulations, and institutions.
The emergence of smart contracts -- simple scripts with Bitcoin, or more sophisticated code with Ethereum, Symbiont, Rootstock (on BTC) -- has made the blockchain and distributed ledger technology more generative. However, any failure or exploit in the execution of these scripts causes more than a mere "blue screen of death"; it can be exploited right away to drain millions of coins. No need to re-explain the mishaps of The DAO or the repeated multisig wallet bug in Parity.
As a result, serious progress is going to happen to harden the infrastructure code and the audit of scripts, very much like what is done with software in mission-critical applications (aerospace, public transport, etc.). To this end, new languages -- such as Michelson for Tezos[33] -- and tools are emerging, and formal verification of code will become the norm. It will be key to use more strongly typed languages, such as Rust versus C++, as in Parity. Yet, much currently deployed code in C++ (wallets) or untested Solidity smart contracts deployed quickly through ICOs may cause serious damage (back to the liability discussion).
See also: the intersection of Ricardian and smart contracts.[34]
While many private blockchain efforts have focused on the ledger itself and on the utility of a shared, somewhat decentralised, append-only database, an essential paradigm has emerged on public blockchains: tokens.
Unfortunately, this has been known by the general public as a way to "invest" in a decentralised application or platform through the now (in)famous Initial Coin Offerings (ICOs). This paradigm has been used to fund valid startups, but many of these ICOs are scams or promises from deluded people. This ICO mania -- reaching 1.2 bn$ in the first half of 2017 alone[35] (update: 4 bn$ as of Dec 2017) -- was an excess that would deflate violently in 2018.
But tokens have a more profound interest and might be a huge opportunity to reshape key economic and institutional processes such as property rights, allowance of usage, voting, or sophisticated algorithmic exchange of value "systems to systems." This is a domain to be explored beyond the heated debates around ICOs.
Tokens are a new kind of programmable private currency, used to transfer utility within a community of "players with skin in the game," while creating a way to transfer value from inside or outside of the system. Ultimately, tokens are managed through rules and are used to create equilibria that will sustain the long-term development of the system. They are a technical vehicle of transferable utility[36], which is so important for defining equilibria in game theory through the Vickrey-Clarke-Groves mechanism[37] -- an essential setting for having truthfulness as a dominant strategy and a socially optimal outcome.
Therein is the tragedy. Each man is locked into a system that compels him to increase his herd without limit -- in a world that is limited. Ruin is the destination towards which all men run, each pursuing his own best interest in a society that believes in the freedom of the common. -- Garrett Hardin, 1968
Beyond the mere exchange of coins, decentralised cryptoeconomic systems show a rare property: decentralisation. In 1968, Garrett Hardin published a famous article in Science.[38] It argued that if you want to regulate the use of a common resource (a scarce resource in open access, shared by a community, whose exhaustion you want to avoid), you must choose between public or private control -- e.g. having a central authority regulate the access to and use of the common resource through coercion and rules.
It became accepted as a dominant institutional arrangement that a community would need to centralise the governance associated with the usage of common and scarce resources. At the same time, in political economy, many examples of governance and institutional failures demonstrated that centralised governance was inherently subject to attacks and flaws, and led to capture attempts by coalitions at the expense of the community. Delegated centralisation led to principal-agent[39] failures, and therefore institutions were created to control and regulate these agents. In open markets, regulators had to create coordination bodies to regulate and control each other, and to detect attempts by colluding parties to "capture" regulators. This has led to an inflation of regulation, a burden for society.
In 1990, Elinor Ostrom's seminal work Governing the Commons[40] demonstrated that decentralised, centuries-old human communities have managed to design institutional settings that could function and find equilibrium without centralisation, and that these institutional arrangements presented a common set of principles.
A very summarised description of these principles:
Ostrom's work is part of New Institutional Economics[41], a very influential and somewhat heterodox school of economics challenging the neoclassical mainstream, where you'll find four Nobel laureates -- Ronald Coase, Oliver Williamson, Douglass North, and Elinor Ostrom.
The art of association then becomes, as I said above, the mother science; everyone studies it and applies it. -- Alexis de Tocqueville, Democracy in America
There is a strong possibility that the organisation of large groups of humans through decentralised cryptoeconomic systems, based initially on incentives and deriving from self-interested dominant strategies, might result in the emergence of new organisations -- creating a new kind of firms, unions, or governments that will compete with established and centralised institutions.
Ronald Coase's insight in The Nature of the Firm[42] was that firms exist because they lower the transaction costs of coordinating through markets. If cryptoeconomic systems can dramatically lower those transaction costs -- through self-executing contracts, trustless settlement, decentralised identity, and transparent governance -- then the boundary of the firm shifts. Some of its functions may be represented in a "state machine" as a "nexus of contracts,"[43] putting the Ricardian and smart aspects of these contracts right in the system, thereby offering opportunities to optimise delegation and the very structure of the firm.
As a result, corporations may take a few levels of bureaucracy out of their current organisation and shrink internal audits and controls. The question is no longer whether decentralised institutions will emerge, but what the equilibrium between old and new structures will look like.
Shor, P. "Algorithms for quantum computation." Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 1994. Wikipedia
Proos, J. & Zalka, C. "Shor's discrete logarithm quantum algorithm for elliptic curves." arXiv, 2003. arXiv:quant-ph/0301141
Maxwell, G. "The power of Schnorr." Bitcoin Magazine, 2016. Article
Ben-Sasson, E. et al. "Computational Integrity." ePrint, 2016. PDF
Buterin, V. "On settlement finality." Ethereum Blog, 2016. Article
Zamfir, V. "The History of Casper -- Part 1." Medium, 2017. Article
Buterin, V. "Minimal slashing conditions." Medium, 2017. Article
Hardin, G. "The Tragedy of the Commons." Science 162, no. 3859 (1968): 1243--1248. Wikipedia
Back, A. et al. "Enabling Blockchain Innovations with Pegged Sidechains." Blockstream, 2014. PDF
"Sharding the Blockchain." Scaling Bitcoin, 2016. Transcript
Wood, G. "Polkadot: Vision for a Heterogeneous Multi-Chain Framework." Web3 Foundation, 2016. PDF
Kwon, J. & Buchman, E. "Cosmos Whitepaper." Tendermint, 2016. cosmos.network
Poon, J. & Buterin, V. "Plasma: Scalable Autonomous Smart Contracts." 2017. PDF
Poon, J. & Dryja, T. "The Bitcoin Lightning Network." 2016. lightning.network
Raiden Network. raiden.network
Allen, C. "The Path to Self-Sovereign Identity." Life With Alacrity, 2016. Article
Andrieu, J. "A Technology-Free Definition of Self-Sovereign Identity." Rebooting the Web of Trust, 2016. PDF
GLEIF. "Introducing the Legal Entity Identifier." gleif.org
Schneier, B. "Using Intel's SGX." Schneier on Security, 2017. Article
Tezos. "Michelson: the Language of Smart Contracts in Tezos." PDF
Grigg, I. "The Intersection of Ricardian and Smart Contracts." iang.org
Hardin, G. "The Tragedy of the Commons." Science 162, no. 3859 (1968): 1243--1248. Full text
Ostrom, E. Governing the Commons: The Evolution of Institutions for Collective Action. Cambridge University Press, 1990. PDF
Coase, R. "The Nature of the Firm." Economica 4, no. 16 (1937): 386--405.
Jensen, M. & Meckling, W. "Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure." Journal of Financial Economics 3, no. 4 (1976): 305--360.