Multisig in Bitcoin has historically involved having multiple signatures added to a transaction input. With the addition of Schnorr signatures to Bitcoin, this is no longer the case. Thanks to the linearity of the Schnorr scheme, we can combine partial signatures from multiple parties into a single...

If you're having a difficult time wrapping your head around Schnorr signatures, you're not alone. In this post, I make an attempt at explaining Schnorr signatures at a level that I myself appreciate, and hopefully, you'll find it valuable too.

What's Schnorr?

Schnorr is a new signature scheme in...

There’s more than one way to skin a cat. This is certainly true for Bitcoin double spends. I will explain what I call "the 1,000 Lego sets attack" in this article. It’s a way a miner could perform a double spend attack that I haven't given much thought until now. But first, I’ll explain what...

During the last few weeks, a lot of discussion has been going on about Bitcoin's energy consumption and how it relates to the fiat system's energy consumption. I've read a few articles about it and some are really good. I added some links at the end of this post.

Most of them come to the conclusio...

I've been very silent on this blog lately. Sorry about that! The reason is that I'm working hard on a new book, Grokking Bitcoin. The book will be published by Manning Publications during spring 2018.

This book is a very technical book, intended primarily for technically interested people that...

This is a follow-up post on my series on sidechains. I recommend reading SPV proofs and reorg proofs in sidechains and Compact SPV proofs in order to understand this post. But if you're already familiar with sidechains, just go ahead!

There is a risk that miners collude to steal sidechained co...

This is a follow-up on my SPV proofs and compact SPV proofs posts. While SPV proofs are interesting and the only way to move funds from one chain to another, moving funds takes time. Typically it would take on the order of days to complete a transfer between chains. Atomic swaps, as described in...

My last blog post was about sidechains and how SPV proofs and reorg proofs were the key ingredients for transferring funds from one chain to another. In this post I will talk about "compact SPV proofs". As usual, I'm writing to educate myself, and it's my hope that it'll be useful for others too....

I've been reading the sidechains paper, and I find it really fascinating. There are a few things that I had a hard time understanding in this paper, and the Internet fell short on explaining. Therefore I'm writing this blog post to educate myself and hopefully others, as well as to validate my und...

I've been looking at weak blocks and I'm trying to sort out the good and the bad about it.

How it works

Weak blocks are blocks that do not appear in the blockchain, only in the p2p network. Miners produce these blocks with reduced difficulty, for example 1/20 of the strong block target difficu...

In this post I'll try to explain some design choices for BIP 120, Proof of Payment, and also comment on some critique against it.

Basically a Proof of Payment looks exactly like a Bitcoin transaction:

Proof of Payment datastructure

Note how Pop(T) is indistinguishable from a Bitcoin transaction. If it would be broadcast on...

In recent months, I've been pretty confused over all the different flavors of Replace By Fee (RBF). There's RBF, FSS-RBF, RBF scorched earth, opt-in RBF and possibly heaps of other variants. This blog post aims at bringing clarity (to me) about what all this means and what's actually being implemented into B...

Last week I attended Scaling Bitcoin in Hong Kong. I will try to summarize my main takeaways from that.

Segregated witness

The talk that caused most buzz was Pieter Wuille on segregated witness. This is a really interesting idea that's actually implemented (sort of) into bitcoin core. It's m...

I'm attending Scaling Bitcoin in Hong Kong to present my and Rusty Russell's work on IBLT and Weak Blocks. We'll start on the 7th at 12:15 local time, or 04:00 UTC. Schedule here.

My part of the talk will cover IBLT specific statistical analyses, most of which can be found on this blog....

Mycelium has implemented Proof of Payment (BIP120 and BIP121), and I'm really glad they did. It's one of the most popular wallets out there. Plus, I implemented most of it. I'd like to show you how smooth the user experience can be when PoP is used poperly! If you would like to play with this, p...

I have written two BIPs (Bitcoin Improvement Proposals), BIP120 and BIP121, that specify how a wallet can prove that it has made a payment. This blog post takes a stab at explaining this process.

If you want to play with this, install Mycelium on Android and go to my demo site and try it ou...

<< Part IV | This is Part V of a multi-part series on Bitcoin block propagation with IBLT.

Rusty Russell has dumped mempool data from 4 different nodes around the globe. It covers a week's worth of data. The purpose of the dumps was to get an idea on how similar the mempools are. The effectiven...

<< Part III | This is Part IV of a multi-part series on Bitcoin block propagation with IBLT. | Part V >>

Failure probability will increase when we squeeze more differences into the IBLT. Basically, I want to answer the following question:

How will failure probability increase when difference...

<< Part II | This is Part III of a multi-part series on Bitcoin block propagation with IBLT. | Part IV >>

I want to get an idea of how failure probability, the probability that decoding of the IBLT fails, depends on cellCount. So the question is

How fast does failure probability drop when the IB...

<< Part I | This is Part II of a multi-part series on Bitcoin block propagation with IBLT. | Part III >>

In part I of this IBLT series, Bitcoin block propagation with IBLT, Part I: infographic, I used 3 hash functions and a value size of 64 bytes. Where did I get those numbers from?

Well, I...

This is Part I of a multi-part series on Bitcoin block propagation with IBLT. | Part II >>

Skip boring text and go straight to infographic!

In late 2014 I started looking into IBLT (Invertible Bloom Lookup Tables) applied to Bitcoin block propagation, after reading a GitHub gist written by Gavin...