A whole lot of shills have been posting a whole lot of mostly valid criticisms of Bitcoin, and I have been silently suppressing them, because I doubt their capability and willingness to have a genuinely informative discussion of Bitcoin, rather than randomly and unresponsively spewing fear, uncertainty, and doubt from scripts compiled by morons who did not understand these problems in the first place.
But the issues need discussion anyway.
When Bitcoin was just a gleam in Satoshi’s eye, the scaling problem was foreseen, and in 2016-2017, it bit.
If we don’t do anything to fix it, then Bitcoin scales by everyone having only a custodial wallet, because only banks and megacorporations can afford the transaction fees, and Bitcoin by slow and imperceptible degrees becomes a CBDC, as was foreseen from the beginning. And since Satoshi had his idea, we have been casting about for solutions. And since the scaling crisis started to bite, casting around for quick fixes to get a bit more scaling to postpone the crisis for a few more years, Lightning Bitcoin being one such quick fix, and L-BTC another.
But high transaction fees are biting Lightning. The number of channels has stopped growing, and more and more people are using custodial lightning wallets. (Partly because genuinely self custodial full routing lightning wallets are really bad, and are designed for someone with good linux administration skills who generally uses the command line, and has a dozen linux computers in his basement without screens or keyboard, with which he interacts over his home network by ssh and xrdp. Partly because setting up a bunch of routing channels is expensive, and rapidly getting more expensive. Partly because existing tools for setting up a useful set of channels are not very useful. These lightning tools are designed by a small group of insiders working full time at lightning related jobs to be used by a small group of insiders working full time at lightning related jobs.)
Lightning, like the bitcoin base layer, is turning into a custodial solution.
L-BTC works, and Blockstream plans to use it to take down SWIFT. But they have a permission and trust based consensus system, which centralisation makes a whole lot of scaling easy, but unlimited scaling hard. The more you scale that, the more it turns into a CBDC.
Well: Now we know in principle how to solve the problem. The final and permanent solution being recursive snarks, and the use of recursive snarks to shard the reliable broadcast channel. Which Polygon is planning to implement for the Ethereum ecosystem, but has not yet quite implemented.
Litecoin’s bulletproofs, which are almost snarks, and are based on the same technology (polynomial commitments) also support sharding in principle, though not in Litecoin as implemented today, but no one has quite figured out how to support contracts on bulletproofs, other than contracts which are purely scriptless scripts.
Polygon’s alarmingly centralised and anti privacy solution scales without limit.
Giap’s blog has the latest hot information about the latest and greatest techniques for polynomial commitments and all that stuff, but unfortunately very little information as to how fast these actually work on real world problems and how big the proofs are, because as yet very few of these techniques have actually been applied to the real world problems we need to solve.
There are three kinds of useful polynomial commitments. (I am ignoring DARKS as useless)
KZG10, used by Polygon, is based on pairing elliptic curves which have constant time scaling. Unfortunately operations on pairing curves are very slow, and operations on pairing curves with useful security are very very slow. So Polygon has gone with a pairing curve of only eighty bits security, which is not enough. Breaking this requires the breaker to search approximately 280 cases. Which is breakeable in reasonable time for a vast system of special purpose asics analogous to the bitcoin mining network.
Also KGZ10 requires trusted setup to establish a special trusted set of curve parameters. It is very difficult to do trusted setup in a way that anyone should trust, and Polygon has not even tried to do so.
FRI, also used by Polygon and Starkware to implement zkstarks, which are a kind of snark, are fast, because hashes are so much faster than elliptic curves and vastly faster than pairing curves, but inconveniently large. So you don’t want to communicate them over the internet as part of your protocol, and in Polygon’s implementation, they always get passed around in a big data center, hence centralisation. And they scale as log(d)2, which for problems of interest is apt to get inconveniently larger, so Polygon combines them with KZG10 to control the size.
IPA uses ordinary elliptic curves, which are reasonably fast, even though vastly slower than FRI’s hashes, small enough to be passed around over the regular internet, though much bigger that KZG10, and need no trusted setup, and scale as log(d). These are used by Litecoin for bulletproofs.
The relevant libraries for IPA based proofs are Halo2 and NOVA. Which are not exactly libraries, more like technology demonstrations. You have to write your own library. The available source code is not really in a useful state. You have to pull it out of Litecoin and Elements. To implement recursive snarks over a Merkle tree with the snark recursion paralleling the Merkle tree recursion it would be necessary to extract Polygon’s code for doing hashes inside the proof engine, move it to IPA and HALO2, and then implement recursion using NOVA.
Monero does not scale. Litecoin’s mweb addresses are not scalable, but would not be hard to make scalable by sharding the hogex. It would be necessary to introduce yet another new form of address, which would be the same as an mweb address except that it would run on a sharded reliable broadcast channel.
Polygon’s aggregated blockchain is shardable because of recursive snarks, but Litecoin’s bulletproofs, though they have lesser capabilities that snarks (hard to do contracts in a bulletproof) have most of the capabilities of snarks, among them sharding.
You can prove anything with bulletproofs, including, as in Halo2, snarks, but it is apt to be slow and the proofs large. So you have to optimise for a particular use case, and when you have optimized, your bulletproof based system is no longer general purpose, thus its commits are no longer snarks. Which ties your hands if you want contracts.
Litecoin addresses the contract problem by pegging money into and out of the hogex. Which if combined with sharding would mean that contracts could only function within a single shard. But that is acceptable for a whole lot of contract applications, and you could always connect a regular contract to a scriptless script, which can operate between shards and between separate blockchains.
Litecoin’s bulletproofs have no trusted setup, and 126 bits cryptographic security, which should suffice for a few centuries. I have not really looked at Blockstream’s Elements yet.