This is Kristen O'Brien, Managing Editor at NFX, and this is the founder list. Audible versions of essays from technology's most important leaders selected by the founder community. The Ethereum white paper. This introductory paper was originally published in 2013 by Vitalik Buterin, the founder of Ethereum, before the project's launch in 2015. It's worth noting that Ethereum like many community driven open source software projects has evolved since its initial inception.
While several years old, we maintained this paper because it continues to serve as a useful reference and an accurate representation of Ethereum and its vision. Red by NFX. A next generation smart contract and decentralized application platform. Satoshi Nakamoto's development of Bitcoin in 2009 has often been hailed as a radical development in money and Currier.
Being the first example of a digital asset, which simultaneously has no backing or intrinsic value and no centralized issuer or controller. However, another arguably more important part of the Bitcoin experiment is the underlying blockchain technology as a tool of distributed consensus and attention is rapidly starting to shift to this other aspect of Bitcoin.
Commonly cited alternative applications of blockchain technology include using on blockchain digital assets represent custom currencies and financial instruments, colored coins, the ownership of an underlying physical device, smart property, non fungible assets such as domain names, namecoin, as well as more complex applications involving having digital assets being directly controlled by a piece of code implementing arbitrary rules, smart
contracts, or even blockchain based decentralized autonomous organizations, DAOs. What Ethereum intends to provide is a blockchain with a built in fully fledged Turing Pete programming language that can be used to create contracts that can be used to encode arbitrary state transaction functions. Allowing users to create any of the systems previously mentioned, as well as many others that we've not yet imagined simply by writing up the logic in a few lines of code.
Introduction of Bitcoin and existing concepts. History. The concept of decentralized digital currency as well as alternative applications like property registries has been around for decades. The anonymous e cash protocols of the 19 eighties and the 19 nineties mostly reliant on a cryptographic primitive known as Chomi and Blinding provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of the reliance on a centralized intermediary.
In 1998, Wei Dice B Money became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus. But the proposal was scant on details as to how decentralized consensus could actually be implemented.
In 2005, Hal Flint introduced a concept of reusable proofs of work, a system which uses ideas from B Money together with Adam Bag's computationally difficult hash cash puzzles, to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a back end.
In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins known as proof of work. The mechanism behind proof of work was a breakthrough in the space because it simultaneously solved 2 problems.
First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. 2nd, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus while simultaneously preventing civil attacks.
It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular Flint, with an economic Currier, the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called proof of stake, calculating the weight of a node is being proportional to its currency holding and not computational resources.
The discussion of the relative merits of the 2 approaches is beyond the scope of this paper, but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency. Bitcoin as a state transition system.
From a technical standpoint, the ledger of a cryptocurrency such as Bitcoin can be thought of as a state transition system, where there is a state consisting of the ownership status of all existing bitcoins, an estate transition function that takes a state and a transaction and outputs a new state, which is the result. In a standard banking system, for example, The state is a balance sheet.
A transaction is a request to move x dollars from a to b, and the state transition function reduces the value in a's account by x Beller. And increases the value in b's account by the same amount. If a's account has less than x dollars in the first place, the state transition function returns an error. The state in Bitcoin is the collection of all coins, technically unspent transaction outputs or UTXO that have been mined and not yet spent.
With each UTXO having a denomination and an owner, defined by a 20 byte address, which is essentially a cryptographic public key. A transaction contains 1 or more Pete, with each input containing a reference to an existing UTXO and a cryptographic signature produced by the private key associated with the owner's address. And 1 or more outputs with each output containing a new UTXO to be added to the state. Mining.
If we had access to a trustworthy centralized service, this system would be trivial to implement. It could simply be coded exactly as described. Using a centralized server's hard drive to keep track of the state. However, with Bitcoin, we are trying to build a decentralized currency system. So we will need to combine the state transition system with a consensus system in order to ensure that everyone agrees on the order of transactions.
Bitcoin's decentralized consensus process requires nodes in the network to continuously attempt to produce packages of transactions called blocks. The network is intended to produce roughly one block every 10 minutes with each block containing a time stamp, a nonce, a reference to IE hash of the previous block, a list of all the transactions that have taken place since the previous block.
Over time, this creates a persistent ever growing block chain that constantly updates to represent the latest state of the Bitcoin ledger. Essentially, each transaction in the block must provide a valid state transition from what was the canonical state before the transaction was executed to some new state. Note that this state is not encoded in the block in any way.
It is purely an abstraction to be remembered by the validating node and can only be securely computed state and sequentially applying every transaction in every block. Merkel trees. An important scalability feature of coin is that the block is stored in a multilevel data structure.
The hash of a block is actually only the hash of the block header a roughly 200 byte piece of data that contains the time stamp, nonce, previous block hash, and the root hash of a data structure called the Merkel tree. Storing all transactions in the block.
A Merkel tree is a type of binary tree composed of a set of nodes with a large number of leaf nodes at the bottom of the tree containing the underlying data, a set of intermediate nodes where each node is the hash of its 2 children, and finally a single root node. Also formed from the hash of its 2 children, representing the top of the tree.
The purpose of the Merkel tree is to allow the data in a block to be delivered piecemeal, A node can download only the header of a block from one source, the small part of the tree relevant to them from another source and still be assured that all the data is correct. The reason why this works is that hashes propagate upward. If a malicious user attempts to swap in a fake transaction into the bottom of a Merkel tree, this change will cause a change in the note above.
And then a change in the note above that, finally changing the root of the tree and therefore the hash of the block. Causing the protocol to register as a completely different block, almost certainly with an invalid proof of work. The Merkel Tree protocol is arguably essential to long term sustainability. A full node in the Bitcoin network, one that stores and processes the entirety of every block, takes up about 15 gigabytes of disk space in the Bitcoin network as of April 2014.
And is growing by over a gigabyte per month. Currently, this is viable for some desktop computers and not phones. And later on in the future, only businesses and hobbyists will be able to participate. A protocol known as simplified payment verification SPV allows for another class of nodes to exist called Pete nodes, which download the block headers, verify the proof of work on the block headers, and then download only the branches associated with transactions that are relevant to them.
This allows light nodes to determine with a strong guarantee of security what the status of any Bitcoin transaction and their current balance is while downloading only a very small portion of the entire blockchain. Alternative blockchain applications. The idea of taking the underlying blockchain idea and applying it to other concepts also has a long history. In 1998, Nick Zabo came out with concept of secure property titles with owner authority.
A document describing how, quote, new advances in replicated database technology, unquote, will allow for a blockchain based system for storing a registry of who owns what land. Creating an elaborate framework, including concepts such as homesteading, adverse possession, and Georgian Land Tax. However, there was unfortunately no effective replicated database system available at the time, and so the protocol was never implemented in practice.
After 2009, however, once Bitcoin's decentralized consensus was developed, a number of alternative applications rapidly began to emerge. Namecoin. Created in 2010, namecoin is best described as a decentralized name registration database. In decentralized protocols like tore, Bitcoin, and bit message, there needs to be some way of identifying accounts so that other people can interact with them. But in all existing solutions, the only kind of identifier available is a pseudo random hash.
Ideally, one would like to be able to have an account with a name like George. However, the problem is that if one person can create an account named George, then someone else can use the same process to register George for themselves as well as impersonate them. The only solution is a first to file paradigm where the first register succeeds and the second fails.
A problem perfectly suited for the Bitcoin consensus protocol James coin is the oldest and most successful implementation of a name registration system using such an idea. Colored coins. The purpose of colored coins is to serve as a protocol to allow people to create their own digital Currier, or in the important trivial case of a currency with one unit, digital tokens on the Bitcoin blockchain.
In the colored coins protocol, one issues a new currency by publicly assigning a color to a specific Bitcoin UTXO. And the protocol recursively defines the color of other UTXO to be the same as the color of inputs that the transaction creating them spent. This allows users to maintain wallets containing only UTXO of a specific color and send them around much like regular Bitcoins, backtracking through the blockchain to determine the color of any UTXO that they receive. Medi coins.
The idea behind a Medi coin is to have a protocol that lives on top of Bitcoin, using Bitcoin transactions to store meta coin transactions, but having a different state transition function. This provides an easy mechanism for creating an arbitrary crypto currency protocol, potentially with advanced features that cannot be implemented inside of Bitcoin itself, but with a very low development cost since the complexities of mining and networking are already handled by the Bitcoin protocol.
Medicorns have been used to implement some classes of financial contracts, name registration, and decentralized exchange. Thus, in general, there are 2 approaches toward building a consensus protocol, building an independent network, and building a protocol on top of Bitcoin. The former approach, while recently successful in the case of applications like Namecoin, is difficult to implement. Each individual implementation needs to bootstrap an independent blockchain.
Well as building and testing all of the necessary state transition and networking code. Additionally, we predict that the set of applications for decentralized consensus technology will follow-up power law distribution where the vast majority of applications will be too small to warrant their own blockchain. And we note that there exists large classes of decentralized applications particularly DAOs that need to interact with each other.
The Bitcoin based approach on the other hand has the flaw that it does not inherit the simplified payment verification features of Bitcoin. SPV works for Bitcoin because it can use blockchain depth as a proxy for validity. At some point, once the ancestors of a transaction go far enough back, It is safe to say that they were legitimately part of the state.
Blockchain based Pete protocols on the other hand cannot force the blockchain not to include transactions that are not valid within context of their own protocols. Hence, a fully secure SPV Pete protocol implementation would need to backward scan all the way to the beginning of the Bitcoin block chain to determine whether or not certain transactions are valid. Currently, all light implementations of Bitcoin based meta protocols rely on a trusted server to provide the data.
Arguably a high suboptimal result, especially when one of the primary purposes of cryptocurrency is to eliminate the need for trust. Scripting. Even without any extensions, the Bitcoin protocol actually does facilitate a weak version of a concept of smart contracts. UTXO and Bitcoin can be owned not just by a public key, but also by a more complicated script expressed in a simple stack based programming language.
In this paradigm, a transaction spending that UTXO must provide data that satisfies the script. Indeed, even the basic public key ownership mechanism is implemented via a script. The script takes an elliptic Currier signature as input verifies against the transaction and the address that owns the UTXO and returns 1 if the verification is successful and 0 otherwise. Other more complicated scripts exist for various additional use cases.
For example, one can construct a script that requires signatures from 2 out of a given 3 private keys to validate multi sig, a setup useful for corporate accounts, secure savings accounts, and some merchant escrow situations. Scripts can also be used to pay bounties for solutions to problems.
And one can even construct a script that says something like this Bitcoin UTXO is yours if you can provide an SPV proof that you sent a Dogecoin transaction of this denomination to me, essentially allowing decentralized cross cryptocurrency exchange. However, the scripting language as implemented in Bitcoin has several important limitations. Black of Turing completeness.
That is to say while there is a large subset of computation that the Bitcoin scripting language supports, it does not nearly support everything. The main category that is missing is loops. This is done to avoid infinite loops during transaction verification. Theoretically, it is a surmountable obstacle for script programmers Since any loop can be simulated by simply repeating the underlying code many times with an if statement, but it does lead to scripts that are very space inefficient.
For example, implementing an alternative elliptic Currier signature algorithm would likely require 256 repeated multiplication rounds all individually included in the code. Value blindness. There's no way for UTXO script to provide fine grain control over the amount that can be withdrawn.
For example, one powerful use case of an Oracle contract would be a hedging contract where a and b put in $1000 worth of BTC and after 30 days, the script sends $1000 worth of BTC to a and the rest to b. This would require an oracle to determine the value of Pete BTC in US dollars. But even then, is a massive improvement in terms of trust and infrastructure requirement over the fully centralized solutions that are available now.
However, because UTXO are all or nothing, the only way to achieve this is through the very inefficient hack of having many UTXO of varying denominations and having o pick which UTXO to send to a and which to b. Lack of state. A UTXO can either be spent or unspent. There's no opportunity for multi stage contracts or scripts which keep any other internal state beyond that.
This makes it hard to make multi stage options contracts decentralized exchange offers, or 2 stage cryptographic commitment protocols necessary for secure computational bounties. It also means that UTXO can only be used to build simple, one off contracts and not more complex stateful contracts such as decentralized organizations and makes Pete protocols difficult to implement. Binary state combined with value blindness also mean that another important application withdrawal limits is impossible.
Blockchain blindness. UTXO are blind to blockchain data, such as the nonce, the timestamp, and previous block hash. This severely limits applications in gambling and several other categories by depriving the scripting language of a potentially valuable source of randomness. Thus, we see 3 approaches to building advanced applications on top of cryptocurrency, building a new blockchain, using scripting on top of Bitcoin, and building a Pete protocol on top of Bitcoin.
Building a new blockchain allows for unlimited freedom in building a feature set but at the cost of development time, bootstrapping effort, and security. Using scripting is easy to implement and standardize, but is very limited in its capabilities. And Pete protocols while easy suffer from faults and scalability.
With Ethereum, we intend to build an alternative framework that provides even larger gains in ease of development, as well as even stronger light client properties, while at the same time allowing applications to share an economic environment and blockchain security.
Ethereum. The intent of Ethereum is to create an alternative protocol for building decentralized applications, providing a different set of trade offs that we believe will be very useful for a large class of decentralized applications. With particular emphasis on situations where rapid development time, security for small and rarely used applications and the ability of different applications to very efficiently interact are important.
Ethereum does this by building what is essentially the ultimate abstract foundational layer, A blockchain with a built in Turing Pete programming language, allowing anyone to write small contracts and decentralized applications where they can create their own arbitrary rules for ownership, transaction formats, and state transition functions. A bare bones version of James coin can be written in two lines of code and other protocols like currencies and reputation systems can be built in under 20.
Smart contracts, cryptographic boxes that contain value and only unlock if certain conditions are Pete, can also be built on top of the platform with vastly more power than that offered by Bitcoin scripting because of the added powers of Turing completeness, value awareness, block chain awareness, and state. Philosophy. The design behind Ethereum is intended to follow the following principles. One, simplicity.
The Ethereum protocol should be as simple as possible, even at the cost of some data storage or time and efficiency. An average programmer should ideally be able to follow and implement the entire specification so as to fully realize the unprecedented democratizing potential that cryptocurrency brings and further the vision of Ethereum as a protocol that is open to all. Any optimization which adds complexity should not be included unless that optimization provides very substantial benefit.
2, universality. A fundamental part of Ethereum's design flaw fee is that Ethereum does not have features. Instead, Ethereum provides an internal turn complete scripting language. Which a programmer can use to construct any smart contract or transaction type that can be mathematically defined. Wanna invent your own financial derivative? With Ethereum, you can. Wanna make your own Currier? Set it up as an Ethereum contract. Wanna set up a full James or Skynet?
You may need to have a few 1000 interlocking contracts and be sure to feed them generously to do but nothing is stopping you with Ethereum at your fingertips. 3, modularity. The parts of the Ethereum protocol should be designed to be as modular and separable as possible. Over the course of development, our goal is to create a program where if one was to make a small protocol modification in one place, the application stack would continue to function without any further modification.
Innovations such as efashion, modify Patricia trees, and RLP should be and are implemented as separate feature complete libraries. This is so that even though they are using Ethereum, even if Ethereum does not require certain features, such features are still usable in other protocols as well. Ethereum development should be maximally done so as to benefit the entire cryptocurrency ecosystem, not just itself. 4, agility.
Details of the Ethereum protocol are not set in stone, although we will be extremely judicious about making modifications to high level contracts Morgan instance, with a sharding roadmap abstracting execution with only data availability enshrined in consensus, computational tests later on in the development process may lead us to discover that certain modifications, example, to the protocol architecture or the Ethereum virtual machine, EVM, will substantially improve scalability or security.
If any such opportunities are found, we will exploit them. 5, non discrimination and non censorship. The protocol should not attempt to actively restrict or prevent specific categories of usage. All regulatory mechanisms in the protocol should be designed to directly regulate the harm and not attempt to oppose specific undesirable applications.
A programmer can even run an infinite loop script on top of Ethereum for as long as they're willing to keep paying the per computational step transaction fee. Ethereum accounts. In Ethereum, the state is made up of objects called accounts, with each account having a 20 byte address and state transitions being direct transfers of value and information between accounts. An Ethereum account contains 4 fields.
The knots, a counter used to make sure each transaction can only be processed once, the account's current ether balance the account's contract code if present, and the account's storage empty by default. Ether is the main internal crypto fuel of Ethereum, as used to pay transaction fees. In general, there are 2 types of accounts, externally owned accounts controlled by private keys and contract accounts. Controlled by their contract code.
An externally owned account has no code and 1 can send messages from an externally owned account by creating and signing a transaction. In a contract account, every time the contract account receives a message, it's code activates, allowing it to read and write to internal storage and send other messages or create contracts in turn. Note that contracts in Ethereum should not be seen as something that should be fulfilled or complied with.
Rather, they're more like autonomous agents that live inside of the Ethereum execution environment. Always executing a specific piece of code when poked by a message or transaction and having direct control over their own ether balance and their own key value store to keep track of persistent variables. Messages and transactions. The term transaction is used in Ethereum to refer to the signed data package that stores a message to be sent from an externally owned account.
Transactions contain the recipient of the message, a signature identifying the sender, the amount of ether to transfer from the sender to the recipient, an optional data field, a start gas value, representing the maximum number of computational steps the transaction execution is allowed to take and a gas price value. Representing the fee the sender pays per computational step. The first three are standard fields expected in any cryptocurrency.
The data field has no function by default, but the virtual machine has an opcode which a contract can use to access the data. As an example use case, if a contract is functioning as an on blockchain domain registration service, then it may wish to interpret the data being passed to it as containing 2 fields. The first field being a domain to register and the second field being the IP address to register at 2.
The contract would read values from the message data and appropriately place them in storage. These start gas and gas price fields are crucial for Ethereum's anti denial of service model. In order to prevent accidental or hostile infinite loops or other computational wastage in code, each transaction is required to set a limit to how many computational steps of code execution it can use. The fundamental unit of computation is gas.
Usually, a computational step costs one gas, but some operations cost higher amounts of gas because they're more computationally expensive or increase the amount of data that must be stored as part of the state. There's also a fee of 5 gas for every Pete in the transaction data. The intent of the Pete system is to require an attacker to pay proportionately for every resource that they consume, including computation, bandwidth, and storage.
Hence, any transaction that leads to the network consuming a greater amount of any of these resources must have a gas fee roughly proportional to the increment. Messages. Contracts have the ability to send messages to other contracts. Messages are virtual objects that are never serialized and exist only in the Ethereum execution environment. A message contains the sender of the message implicit.
The recipient of the message the amount of ether to transfer alongside the message, an optional data field, and a start gas value. Essentially, a message is like a transaction, except it is produced by a contract and not an external actor. A message is produced when a contract currently executing code executes the call opcode. Which produces and executes a message. Like a transaction, a message leads to the recipient account running its code.
Thus, contracts can have relationships with other contracts in exactly the same way that external actors can. Note that the gas allowance assigned by a transaction or contract applies to the total gas consumed by that transaction and all sub executions. Applications. In general, there are 3 types of applications on top of Ethereum. The first category is financial applications, providing users with more powerful ways of managing and entering into contracts using their money.
This includes sub currencies, financial derivatives, hedging contracts, savings wallets, wills, and, ultimately, even some classes of full scale employment contracts. The second category is semi financial applications where money is involved, but there is also a heavy non monetary sign to what is being done. Perfect example is self enforcing bounties for solutions to computational problems.
Finally, there are applications such as online voting and decentralized governance that are not financial at all. Tokens systems.
On blockchain token systems have many applications ranging from sub currencies representing assets such as USD or gold, company stocks, individual tokens, representing smart property, secure, unforgible coupons, and even token systems with no ties to conventional value at all used as point systems for incentivization, token systems are surprisingly easy to implement in Ethereum. The key point to understanding is that a currency or token system fundamentally is a database with 1 operation.
Subtract X units from a and give X units to b. With the provision that 1, A had at least X units before the transaction, and 2, the transaction is approved by A. All that it takes to implement a token system is to implement its logic into a contract. This is essentially a literal implementation of the banking system state transition function described previously in this recording.
A few extra lines of code need to be added to provide for the initial step of distributing the currency units in the first place and a few other edge cases. And ideally a function will be added to let other contracts query for the balance of an address, but that's all there is to it. Theoretically, Ethereum based token systems acting as sub currencies can potentially include another important feature that on chain Bitcoin based Pete currencies lack.
The ability to pay transaction fees directly in that currency. The way this would be implemented is that the contract will maintain an ether balance with which it would refund ether used to pay fees to the sender, and it would refill this balance by collecting the internal currency units that it takes in fees and reselling them in a constant running auction.
Users would thus need to activate their accounts with ether, but once the ether is there, it would be reusable because the contract would be refunded each time. Financial derivatives, and stable value currencies. Financial derivatives are the most common application of a smart contract. And one of the simplest to implement in code. The main challenge in implementing financial contracts is that the majority of them require reference to an external price ticker.
For example, a very desirable application is a smart contract that hedges against the volatility of ether or another cryptocurrency with respect to the US dollar. But doing this requires the contract to know what the value of ETH over USD is. The simplest way to do this is through a data feed contract.
Maintained by a specific party, for example, Nasdaq, designed so that party has the ability to update the contract as needed and providing an interface that allows other contract to send a message to that contract and get back a response that provides the price. Given that critical ingredient, the hedging contract would look as follows.
Step 1, wait for party a to input 1000 ether, step 2, wait for party b to input 1000 ether, Step 3, record the USD value of 1000 ether calculated by querying the data feed contract in storage, say this is x Beller. And step 4, After 30 days, allow a or b to reactivate the contract in order to send X dollars' worth of ether calculated by querying the data feed contract again to get the new price. To a and the rest to b. Such a contract would have significant potential in crypto commerce.
One of the main problems cited about cryptocurrency is the fact that it's volatile. Although many users and merchants may want the security and convenience of dealing with cryptographic assets, they may not wish to face that prospect of losing 23% of the value of their funds in a single day. Up until now, the most commonly proposed solution has been issuer backed assets.
The idea is that an issuer creates a sub currency in which they have the right to issue and revoke units, provide one unit of the currency to anyone who provides them with 1 unit of a specified underlying asset. For example, gold or US Beller. The issuer then promises to provide one unit of the underlying asset to anyone who sends back one unit of the crypto asset. This mechanism allows any non cryptographic asset to be uplifted into a cryptographic asset provided that the issuer can be trusted.
In practice, however, issuers are not always trustworthy, and in some James, the banking infrastructures too weak or too hostile for such services to exist. Financial derivatives provide an alternative Here, instead of a single issuer providing the funds to back up an asset, a decentralized market of spectators betting that the price of a cryptographic reference asset will go up plays that role.
Unlike issuers, speculators have no option to default on their side of the bargain because the hedging contract holds their funds in escrow. Note that this approach is not fully decentralized because a trusted source is still needed to provide the price ticker, although arguably even still, This is a massive improvement in terms of reducing infrastructure requirements and reducing the potential for fraud. Identity and reputation systems.
The earliest alternative cryptocurrency of all, James coin, attempted to use a Bitcoin like blockchain to provide a name registration system, where users can register their names in a public database alongside other data. The major Pete of use case is for a DNS system mapping domain names like Bitcoin.org or a namecoin's case, Bitcoin.bit, to an IP address. Other use cases include email authentication and potentially more advanced reputation systems. The contract is very simple.
All it is is a database inside the Ethereum network that can be added to, but not modified or removed from. Anyone can register a name with some value, and that registration then sticks forever. A more sophisticated name registration contract will also have a function clause allowing other contracts to query it, as well as a mechanism for the owner of a name to change the data or transfer ownership. One can even add reputation and web of trust functionality on top of it.
Decentralized file storage. Over the past few years, there have emerged a number of popular online file storage startups, the most prominent being Dropbox seeking to allow users to upload a backup of their hard drive and have the service store the backup to allow the user to access it in exchange for a monthly fee. However, at this point, the file storage market is at times relatively ineffective.
A cursory look at various existing solutions shows that particularly at the uncanny valley 20 to 200 gigabyte level, at which neither free quotas nor enterprise level discounts kick in, Monthly prices for mainstream file storage costs are such that you're paying for more than the cost of the entire hard drive in a single month.
Ethereum contracts can allow for the development decentralized file storage ecosystem, where individual users can earn small quantities of money by renting out their own hard drives and unused space that can be used to further drive down the costs of file storage. The key underpinning piece of such a device would be what we have termed the decentralized Dropbox contract. This contract works as follows.
1st, one splits the desired data up into blocks, encrypting each block for privacy, and builds a miracle tree out of it. One then makes a contract with the rule that every n blocks, the contract would pick a random index in the Myrtle tree and give X E through to the first entity to supply transaction with a simplified payment verification like proof of ownership of the block at that particular index in the tree.
When a user wants to redownload their file, they can use a micro payment channel protocol. The most fee efficient approach is for the pair not to publish the transaction until the end. Instead replacing the transaction with a slightly more lucrative one, with the same nonce after every 32 kilobytes.
An important feature of the protocol is that although it may seem like one is trusting many random nodes not to decide to forget the file, One can reduce that risk down to near 0 by splitting the file into many pieces via secret sharing and watching the contracts to see each piece is still in some notes possession. If a contract is still paying out money, that provides a cryptographic proof that someone out there is still storing the file. Decentralized autonomous organizations.
The general concept of a decentralized autonomous organization is that of a virtual entity that has a certain set of members or shareholders which perhaps with the 67% majority have the right to spend the entity's funds and modify its code. The members would collectively decide on how the organization should allocate its funds. Methods for allocating a DAO's funds could range from bounties, salaries, to even more exotic mechanisms such as an internal currency to reward work.
This essentially replicates the legal trappings of a traditional company or nonprofit, but using only cryptographic blockchain technology for enforcement. So far, much of the talk around DAOs has been around the capitalist model of a decentralized autonomous corporation, DAC, with dividend receiving shareholders and tradable shares.
An alternative, perhaps described as a decentralized autonomous community would have all members have an equal share in the decision making and requires 67% of existing members to agree to add or remove a member. The requirement that one person can only have one membership would then need to be enforced collectively by the group. The simplest design for a DAO is a piece of self modifying code that changes if 2 thirds of members agree on a change.
Although code is theoretically immutable, one can easily get around this and have a de facto mutability by having chunks of the code in separate contracts and having the address of which contracts to call stored in the modifiable storage. The contract would then have clauses for each of these. It would maintain a record of all open storage changes along with a list of who voted for them. It would also have a list of all members.
When any storage change gets to 2 thirds of members voting for it, a finalizing transaction could execute the change. A more sophisticated skeleton would also have built in voting ability for features like sending a transaction, adding and removing members, and may even provide for liquid democracy style vote delegation.
This design would allow the DAO to grow organically as a decentralized community, allowing people to eventually delegate the task of filtering out who is a member to specialists. Although unlike in the current system, specialists can easily pop in and out of existence over time as individual community members change their alignments. An alternative model is for a decentralized corporation where any account can have 0 or more shares, and 2 thirds of the shares are required to make a decision.
A complete skeleton would involve asset management functionality. The ability to make an offer to buy or sell shares and the ability to accept offers preferably with an order matching mechanism inside the contract. Delegation would also exist liquid democracy style generalizing the concept of a board of directors. Further applications. 1, savings wallets. Suppose that Alice wants to keep her funds safe, but is worried that she will lose or someone will hack her private key.
She puts ether into a contract with Bob, a bank, as follows. Alice alone can withdraw a maximum of 1% of the funds per day. Bob alone can withdraw a maximum of 1% of the funds per day but Alice has the ability to make a transaction with her key shutting off this ability. Alice and Bob together can withdraw anything. Normally, 1% per day is enough for Alice. And if Alice wants to withdraw more, she can contact Bob for help.
If Alice's key gets hacked, she runs to Bob to move the funds to a new contract. If she loses her key, Bob will get the funds out eventually. If Bob turns out to be malicious, then she can turn off his ability to withdraw. 2, crop insurance. 1 can easily make a financial derivatives contract by using a data feed of the weather instead of any price index.
If a farmer in Iowa purchases a derivative that pays out inversely based on the precipitation in Iowa, then if there's a drought, the farmer will automatically receive money. And if there is enough rain, the farmer will be happy because their crops would do well. This can generally be expanded to natural disaster insurance as well. 3, a decentralized data feed. For financial contracts for difference, it may actually be possible to decentralize the data feed via a protocol called Shelling coin.
Shelling coin basically works as follows. End parties all put into the system the value of a given datum, The values are sorted and everyone between the 25th 75th percentile gets one token as a reward. Everyone has the incentive to provide the answer that everyone else will provide. And the only value that a large number of players can realistically agree on is the obvious default. The truth.
This creates a decentralized protocol that can theoretically provide any number values, including the Ethereum over USD price, the temperature in Berlin, or even the result of a particular hard computation. 4, smart multi signature escrow. Bitcoin allows multi signature transaction contracts where, for example, 3 out of a given 5 keys can spend the funds. Ethereum allows for more granularity. For example, 4 out of 5 can spend everything.
3 out of 5 can spend up to 10% per day, and 2 out of 5 can spend up to 0.5% per day. Additionally, Ethereum multi sing is asynchronous. 2 parties can register their signatures on the blockchain at different James, and the last signature will automatically send the transaction. 5, cloud computing.
The EVM technology can also be used to create a verifiable computing environment, allowing users to ask others to carry out computations and then optionally ask for proofs that Pete that certain randomly selected checkpoints were done correctly. This allows for the creation of a cloud computing market where any user can participate with their desktop, laptop, or specialized server.
And spot checking together with security deposits can be used to ensure that the system is trustworthy, I. E. Nodes cannot profitably cheat. Although such a system may not be suitable for all tasks, tasks that require a high level of interprocess communication, for example, cannot easily be done on a large cloud of nodes.
Other tasks, however, are much easier to parallelize, projects like setting at home, folding at home, and genetic algorithms can easily be implemented on top of such a platform. 6, peer to peer gambling. Any number of peer to peer gambling protocols such as Frank Stagnano and Richard Clayton's Cyber Dice can be implemented on the Ethereum blockchain.
The simplest gambling protocol is actually a contract for difference on the next block hash, and more advanced protocols can be built up from there. Creating gambling services with near zero fees that have no cheating ability. 7, prediction markets, Provided an Oracle or shelling coin, prediction markets are also easy to implement. And prediction markets together with shelling coin may prove to be the 1st mainstream application of governance protocol for decentralized organizations.
8, on chain decentralized marketplaces. Using the identity and reputation system as a base. Miscellaneous and concerns modified ghost implementation. The greedy, heaviest, observed sub tree, Ghost Protocol, is an innovation first introduced by Yonaton Somplolinski and Avi Zohar in December 2013. The motivation behind Ghost is that blockchains with fast confirmation times currently suffer from reduced security due to a high stay rate.
Because blocks take a certain time to propagate through the network. If minor a lines a block and then minor b happens to mind another block before minor a's block propagates to b, minor b's block will end up wasted and will not contribute to network security. Furthermore, there is a centralized issue. If minor a is a mining pool with 30 percent hash power and b has 10% hash power, a will have a risk of producing a stale block 70% at the time.
Since the other 30% of the time, a, produce the last block, and so will get mining data immediately, whereas b will have a risk of producing a stale block 90 percent of the time. Thus, if the block interval is short enough for the stale rate to be high, a will be substantially more efficient simply by virtue of its size.
With these two effects combined, blockchains which produce blocks quickly are very likely to lead to one mining pool having a large enough percentage of the network hash power to have de facto control over the mining process. As described by Sampolinski and Zohar, Ghost solves the first issue of network security law by including stale blocks in the calculation of which chain is the longest.
That's to say not just the parent and further ancestors of a block, but also the stale descendants of the block's ancestor in Ethereum jargon, uncles. They are added to the calculation of which block has the largest total proof of work backing it. To solve the second issue of centralization bias, we go beyond the protocol described by Sampolinski and Zohar and also provide block rewards to James.
A stale block receives 87.5 percent of the base reward, and the nephew that includes the stale block receives the remaining 12.5%. Transaction fees, however, are not awarded to uncles. Ethereum implements a simplified version of Ghost, which only goes down 7 levels. This limited version of ghost with uncles includeable only up to 7 generations was used for 2 reasons. First, unlimited ghosts would include too many complications into the calculation of which uncles for a given block are valid.
2nd, unlimited ghosts with compensation as used in Ethereum removes the incentive for a minor to mine on the main chain and not the chain of a public attacker. Fees. Because every transaction published into the blockchain imposes on the network the cost of needing to download and verify it, there's a need for some regulatory mechanism, typically involving transaction fees to prevent abuse.
The default approach used in Bitcoin is to have purely voluntary fees, relying on minors to act as the gatekeepers and set dynamic minimums. This approach has been received very favorably in the Bitcoin community, particularly because it is market based, allowing supply and demand between minors and transaction centers to determine the price. The problem with this line of reasoning is, however, that transaction processing is not a Morgan.
Although it is intuitively attractive to construe transaction processing as service that the minor is offering to the sender. In reality, every transaction that a minor includes will need to be processed by every note in the network. So the vast majority of the cost of transaction processing is born by third parties and not the minor that is making the decision of whether or not to include it. Hence, tragedy of the commons problems are very likely to occur.
However, there are several important deviations from those assumptions in reality. 1. The minor does pay a higher cost to process the transaction than the other verifying notes since the extra verification time delays block propagation and thus increases the chance block will become a stale. 2, there do exist non mining full nodes.
3, the mining power distribution may end up radically in egalitarian and prac 4, speculators, political enemies, and crazies whose utility function includes causing harm to the network do exist. And they can cleverly set up contracts where their cost is much lower than the cost paid by other verifying notes. There is another factor disincentivizing large block sizes in Bitcoin. Blocks that are large will take longer to propagate and thus have a higher probability of becoming James.
In Ethereum, highly gas consuming block can also take longer to propagate both because they're physically larger and because they take longer to process the transaction state transitions to validate. This delayed disincentive is a significant consideration in Bitcoin, but less so in Ethereum because of the ghost protocol. Hence, relying on regulated block limits provides a more stable baseline. Computation and Turing completeness.
An important note is that the Ethereum virtual machine is Turing complete. This means that EVM code can encode any computation that can be conceivably carried out, including infinite loops. EVM code allows looping in two ways. First, there is a jump instruction that allows the program to jump back to a previous spot in the code and a jump eye instruction to do conditional jumping. 2nd, contracts can call other contracts potentially allowing for looping through recursion.
This naturally leads to a problem. Kimolicious users essentially shut minors and full nodes down by forcing them to enter into an infinite loop. The issue arises because of a problem in computer science known as the halting problem. There's no way to tell in the general case whether or not a given program will ever halt. As described in the state transition section, Our solution works by requiring a transaction to set a maximum number of computational steps that it is allowed to take.
And if execution takes longer, computation is reverted, but fees are still paid. Messages work in the same way. The alternative to turn completeness is turning incompleteness, where jump and jump, I do not exist in only one copy of each contract is allowed to exist in the call stack at any given time. With this system, the fee system described and the uncertainties around the effectiveness of our solution might not be necessary. The cost of executing a contract will be bounded above by its size.
Additionally, Turing completeness is not even that big a limitation. Out of all the contract examples we've conceived internally, so far only one required a loop, and even that loop could be removed by making 26 repetitions of a one line piece of code. Given the serious implications of turn completeness and the limited benefit, why not simply have a turning incomplete language? In reality, however, turning in completeness is far from a neat solution to the problem. Mining centralization.
The Bitcoin mining algorithm works by having minors compute a 256 on slightly modified versions of the block header millions of times over and over again until eventually one node comes up with a version whose hash is less than the Morgan. Currently around 2. However, this mining algorithm is vulnerable to 2 forms of centralization. First, the mining ecosystem has come to be dominated by a 6, application specific integrated circuits.
Computer chips designed for and therefore thousands of times more efficient at the specific task of Bitcoin mining. This means that Bitcoin mining is no longer a highly decentralized and egalitarian pursuit requiring 1,000,000 of dollars of capital to effectively participate in. 2nd, most Bitcoin miners do not actually perform block validation locally. Instead, they rely on a centralized mining pool to provide the block headers. This problem is arguably worse.
As of the time of this writing, the top 3 mining pools indirectly control roughly 50% of processing power in the Bitcoin network. Although this is mitigated by the fact that minors can switch to other mining pools if a pool or coalition attempts a 51% attack.
The current intent and Ethereum is to use a mining algorithm where minors are required to fetch random data from the state, compute some randomly selected transactions from the last end blocks in the blockchain, and return the hash of the result. This has 2 important benefits. 1st, Ethereum contracts can include any kind of computation, so an Ethereum ASIC would essentially be an ASIC for general computation I e a better CPU.
2nd, mining requires access to the entire blockchain, forcing minors to store the entire blockchain and at least be capable of verifying every transaction. This removes the need for centralized mining pools. Although mining pools can still serve a legitimate role of evening out the randomness of reward distribution, This function can be served equally well by peer to peer pools with no central control.
This model is untested, and there may be difficulties along the way in avoiding certain clever optimizations when using contract execution as a mining algorithm. However, one notably interesting feature of this algorithm is that it allows anyone to poison the Beller. By introducing a large number of contracts into the blockchain specifically designed to stymie certain ASICs. The economic incentives exist for ASIC manufacturers to use such a trick to attack other.
Thus, the solution that we are developing is ultimately an adaptive economic human solution rather than a purely technical one. Scalability. One common concern about Ethereum is the issue of scalability. Like Bitcoin, Ethereum suffers from the flaw that every transaction needs to be processed by every node in the network. With Bitcoin, the size of the current blockchain rests at about 15 gigabytes, growing at about 1 megabyte per hour.
If the Bitcoin network were to process Visa's 2000 transactions per second, it would grow by 1 megabyte per 3 seconds. That's 1 gigabyte per hour and 8 terabytes per year. Ethereum is likely to suffer a similar growth Pete, orsened by the fact that there will be many applications on top of the Ethereum blockchain instead of just a currency as is the case with Bitcoin, but ameliorated by the fact that Ethereum full nodes need to store just the state instead of the entire blockchain history.
The problem with such a large blockchain size is centralization risk. If the blockchain size increases to say a 100 terabytes, then the likely scenario would be that only a very small number of large businesses would run full nodes. With all regular users using light SPV nodes. In such a situation, there arises the potential concern that the full nodes can band together and all agree to cheat in some profitable fashion. Light nodes would have no way of detecting this immediately.
Of course, at least one honest full node would likely exist. And after a few hours, information about the fraud would trickle out through channels like Reddit. But at that point, it would be too late. It would be up to the ordinary users to organize an effort to blacklist the given blocks, a massive and likely infeasible coordination problem on a similar scale as that of pulling off a successful 51% attack. In the near term, Ethereum will use 2 additional strategies to cope with this problem.
First, because of the blockchain based mining algorithms, at least every minor will be forced to be a full node, creating a lower bound on the number of full nodes. Second and more importantly, however, we will include an intermediate state tree route in the blockchain after processing each transaction. Even if block validation is centralized, as long as one honest verifying note exists, the centralization problem can be circumvented via a verification protocol.
If a minor publishes an invalid block, that block must either be badly formatted or the state is incorrect. Another more sophisticated attack would involve the malicious minors publishing incomplete blocks so the full information does not even exist to determine whether or not blocks are valid. The solution to this is a challenge response protocol, Verification nodes issue challenges in the form of target transaction indices.
And upon receiving a node, a light node treats the block as untrust until another node, whether the minor or another verifier, provides a subset of Patricia nodes as proof of validity. The Ethereum protocol was originally conceived as an upgraded version of a cryptocurrency, providing advanced features such as on blockchain escrow withdrawal limits, financial contracts, gambling markets, and the like via a highly generalized programming language.
The Ethereum protocol would not support any of the applications directly. But the existence of a Turing Pete programming language means that arbitrary contrast can theoretically be created for any transaction type or application. What is more interesting about Ethereum, however, is that the Ethereum protocol moves far beyond just currency.
Protocols around decentralized file storage decentralized computation, and decentralized prediction markets among dozens of other such concepts have the potential to substantially increase the efficiency of the computational industry. And provide a massive boost to other peer to peer protocols by locations that have nothing to do with money at all. The concept of an arbitrary state transition function as implemented by the Ethereum Protocol provides for a platform with unique potential.
Rather than being a closed ended single purpose protocol intended for a specific array of applications in data storage, gambling, or finance, Ethereum is open ended by design, and we believe it is extremely well suited to serving as a foundational layer for a very large number of both financial and non financial protocols in the years to come.
For more audio essays from the people who've built companies like Instacart, Facebook, Trello, HubSpot, and Dropbox, visit the founder list at nfx.com Omri subscribe to the n f x podcast at podcast.nfx.com Omri wherever you get your podcast. I'm Kristen O'Brien, and this is the founder list.