Notes – Electronic Coins
By Craig Warmke
Download the Paper here
P.7
An analogy may help. Suppose you deposit $1 from your friend and $1 from your sibling in your previously empty savings account. Asking which bitcoin in A4 came from A1 and which came from A2 is like asking which of the two dollars came from your friend and which came from your sibling. The question falsely presupposes that digital dollars carry this information on the bank’s ledger. Similarly,
the Chain Definition falsely presupposes that there are individual bitcoins that carry individuating features on the bitcoin ledger.Just as there is no fact of the matter about the source of any individual digital dollar in your account,there is no fact of the matter about the source of any individual bitcoin in A4. In both cases, we have quantities without individuals.
P. 8
Mixing is important not only because it falsifies the Chain Definition. It also enhances bitcoin fungibility.The features that distinguish quantities of bitcoin from each other pre-mixing get smearedacross the quantities of bitcoin post-mixing. Now, in the Stages above, mixing occurs over a seriesof transactions. But it also frequently occurs within single transactions. The CoinJoin method developed by Gregory Maxwell [2013] has been advertised as enhancing privacy because it blurs the
connection between users and their addresses. In such a transaction,multiple users combine amounts of unspent bitcoin and split them into chunks having the same amount back to themselves across
new addresses. According toMaxwell, this blurring between user and address “is what makes Coin-Join possible.” CoinJoin enhances privacy precisely because it enhances fungibility by smearing the sources of transaction inputs across all the mixed outputs.
Within CoinJoins and other multi-output transactions, inputs do not pair up explicitly with outputs as if to say “Input 2 is the source of bitcoin in Output 3.” Although every input claims one or more previous transaction outputs as its source of bitcoin, outputs do not similarly claim inputs within transactions as their source of bitcoin. Hence, we could track bitcoin from a particular input through a particular output only if amounts of bitcoin themselves had traceable identifiers. But not a single satoshi has such a traceable identifier. So we cannot track a single satoshi in a well-constructed CoinJoin transaction froman input address to an output address. Coinjoins increase the fungibility of bitcoin because it smears the transaction history of each input across every output. But this smearing is a general feature of mixing and can also occur over a series of non-CoinJoin transactions, as we witnessed in Stages 1 through 3.
The Chain Definition fails because it falsely presupposes that the bitcoin ledger marks bitcoins as individuals. But without individual bitcoins, we don’t have entire transaction histories either. What could a bitcoin’s entire transaction history be except for the path that a specific bitcoin takes through a series of transactions? In general, a history of an individual piggy-backs ontologically on that individual. No individual, no history. So if there are no individual bitcoins, there are no entire transaction histories either. Consequently, the Chain Definition faces double jeopardy. The Chain Definition falsely presupposes that the bitcoin ledger marks bitcoins as individuals and also identifies bitcoins with transaction histories that fail to exist precisely because the ledger does not mark bitcoins as individuals.
P. 9
a system that tracks the identities of individual units faces a trade-off between scalability and divisibility. Satoshi avoided this trade-off altogether by adopting a ledger of the kind described by Wei Dai [1998] that tracks primitive quantities instead of individual units with identities. So the Chain Definition ultimately obscures one of Satoshi’s smarter engineering decisions.
P. 10
The distinction between instrument and quantity also holds for bitcoin. But if the blockchain represents quantities of bitcoin, what are the signifying financial instruments? The financial instruments are unspent transaction outputs or UTXOs. UTXOs are transaction outputs that remain unspent. They are like physical checks that have yet to be signed and deposited. Unsurprisingly, quantities of bitcoin and UTXOs differ in important ways. Whereas each UTXO has an identifier in the form of its index number and the ID of the transaction in which it appears, no quantity of bitcoin has such an identifier. Furthermore, while spending a UTXO “destroys” it, its total quantity of bitcoin persists in one or more quantities signified by one or more new UTXOs.
With the distinction between signifying instrument and signified quantity now in hand, we may begin to diagnose the Chain Definition. Given bitcoin’s prehistory, we might expect Satoshi’s definition of electronic coins to concern digitized instruments, like Chaum’s notes and Finney’s RPOW tokens. Then we could diagnose the Chain Definition with substituting the original reference to the coins, the digitized instruments we call UTXOs, with a reference to individual bitcoins. Since, as I’ve argued, the blockchain does not represent bitcoins as individuals, and since digitized instruments differ from the quantities they signify, we would expect such a substitution to fail. If only things were so simple.
In my view, ‘unspent transaction output’ is often ambiguous between the chunk of code that signifies a quantity of unspent bitcoin and the signified quantity itself. Let’s reserve ‘UTXO’ for the chunk of code. And let’s call the signified quantity of bitcoin an unspent quantity. As I previously mentioned, spending a UTXO destroys it. One spends and destroys a UTXO by providing the appropriate digital signature in another transaction’s input. So UTXOs don’t persist through a chain of digital signatures. A chains of digital signatures coincides with a trail of destroyed UTXOs. Though UTXOs don’t persist through a series of transactions, quantities of bitcoin sometimes do.
Like pouring a cup’s contents into another without spilling, early bitcoin users could often transfer a UTXO’s entire unspent quantity without spending any of it in a transaction fee. Feeless transactions occur rarely now, so a UTXO’s unspent quantity is now typically a flash in the pan. Even so, each UTXO represents an unspent quantity which has at least vacuously persisted through a chain of at least one digital signature. So, with some success, we can model a UTXO’s particular quantity of unspent bitcoin with the chain of digital signatures that has preserved that quantity back to the transaction in which it resulted by combining smaller quantities, by splitting a bigger quantity, or by serving as a mining reward. Consequently, charitably interpreting Satoshi leads us to the conclusion that the electronic coins in Satoshi’s definition are probably best understood as unspent quantities of bitcoin—not the UTXOs which contingently and often temporarily signify them.
P.11
the Chain Definition has begun to spread like an interdisciplinary wildfire. Like many wildfires, the Definition’s influence has been both destructive but understandable.
Steve Miller
Stay up to date on his research by subscribing to his newsletter.
The CFA designation is globally recognized and attests to a charterholder’s success in a rigorous and comprehensive study program in the field of investment management and research analysis.
CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.