This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else
wants it, but why would I
, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else
because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
- You the HODLer should be the one who controls where your money goes. Your keys, your coins.
- You the HODLer should be able to coordinate and make contracts with other people regarding your funds.
- You the HODLer should be able to do the above without anyone watching over your shoulder and judging you.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can
get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?
Taproot and Your /Coins
Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single
public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single
signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a soft
fork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least
2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally
. First do no harm!
Taproot and Your Contracts
No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables
more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow
, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also
get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).
Taproot and Your Contracts, Part 2: Cryptographic Boogaloo
Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
- Privacy. Everyone scraping the Bitcoin blockchain can see any HTLCs, and preimages used to claim them.
- This can be mitigated by using offchain techniques so HTLCs are never published onchain in the happy case. Lightning would probably in practice be the easiest way to do this offchain. Of course, there are practical limits to what you can pay on Lightning. If you are buying something expensive, then Lightning might not be practical. For example, the "software" you are activating is really the firmware of a car, and what you are buying is not the software really but the car itself (with the activation of the car firmware being equivalent to getting the car keys).
- Even offchain techniques need an onchain escape hatch in case of unresponsiveness! This means that, if something bad happens during payment, the HTLC might end up being published onchain anyway, revealing the fact that some special contract occurred.
- And an HTLC that is claimed with a preimage onchain will also publicly reveal the preimage onchain. If that preimage is really the activation key of a software than it can now be pirated. If that preimage is really the activation key for your newly-bought cryptographic car --- well, not your keys, not your car!
- Trust requirement. You are trusting the developer that it gives you the hash of an actual valid activation key, without any way to validate that the activation key hidden by the hash is actually valid.
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra
. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable
. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature
) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
- Privacy: PTLCs are private even if done onchain. Nobody else can learn what the private key behind the public key is, except you who knows the adaptor signature that when combined with the complete onchain signature lets you know what the private key of the activation key is. Somebody scraping the blockchain will not learn the same information even if all PTLCs are done onchain!
- Lightning is still useful for reducing onchain use, and will also get PTLCs soon after Taproot is activated, but even if something bad happens and a PTLC has to go onchain, it doesn't reveal anything!
- Trust issues can be proven more easily with a public-private keypair than with a hash-preimage pair.
- For example, the developer of the software you are buying could provide a signature signing a message saying "unlock access to the full version for 1 day". You can check if feeding this message and signature to the program will indeed unlock full-version access for 1 day. Then you can check if the signature is valid for the purported pubkey whose private key you will pay for. If so, you can now believe that getting the private key (by paying for it in a PTLC) would let you generate any number of "unlock access to the full version for 1 day" message+signatures, which is equivalent to getting full access to the software indefinitely.
- For the car, the manufacturer can show that signing a message "start the engine" and feeding the signature to the car's fimrware will indeed start the engine, and maybe even let you have a small test drive. You can then check if the signature is valid for the purported pubkey whose privkey you will pay for. If so, you can now believe that gaining knowledge of the privkey will let you start the car engine at any time you want.
- (pedantry: the signatures need to be unique else they could be replayed, this can be done with a challenge-response sequence for the car, where the car gathers entropy somehow (it's a car, it probably has a bunch of sensors nowadays so it can get entropy for free) and uses the gathered entropy to challenge you to sign a random number and only start if you are able to sign the random number; for the software, it could record previous signatures somewhere in the developer's cloud server and refuse to run if you try to replay a previously-seen signature.)
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)
Now if you were really
paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from
a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from
a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from
the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
- Current quantum computers can barely crack prime factorization problem for primes of 5 bits.
- The 256-bit elliptic curve use by Bitcoin is, by my (possibly wrong) understanding, equivalent to 4096-bit primes, so you can see a pretty big gap between now (5 bit primes) and what is needed (4096 bit primes).
- A lot of financial non-Bitcoin systems use the equivalent of 3072-bit primes or less, and are probably easier targets to crack than the equivalent-to-4096-bit-primes Bitcoin.
- Quantum computers capable of cracking Bitcoin are still far off.
- Pay-to-public-key-hash is not as protective as you might think.
- We will probably see banks get cracked before Bitcoin, so the banking system is a useful canary-in-a-coal-mine to see whether we should panic about being quantum vulnerable.
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).
- If you are a singlesig HODL-only Bitcoin user, Taproot will not affect you positively or negatively. Importantly: Taproot does no harm!
- If you use or intend to use multisig, Taproot will be a positive for you.
- If you transact onchain regularly using typical P2PKH/P2WPKH addresses, you get a minor reduction in feerates since multisig users will likely switch to Taproot to get smaller tx sizes, freeing up blockspace for yours.
- If you are using multiparticipant setups for special systems of trade, Taproot will be a positive for you.
- Remember: Lightning channels are multipartiicpiant setups for special systems of lightning-fast offchain trades!
I Wanna Be The Taprooter!
So, do you want to help activate Taproot? Here's what you
, mister sovereign Bitcoin HODLer, can do!
- If you have developer experience especially in C, C++, or related languages
- Review the Taproot code! There is one pull request in Bitcoin Core, and one in libsecp256k1. I deliberately am not putting links here, to avoid brigades of nontechnical but enthusiastic people leaving pointless reviews, but if you are qualified you know how to find them!
- But I am not a cryptographeBitcoin Core contributomathematician/someone as awesome as Pieter Wuille
- That's perfectly fine! The cryptographers have been over the code already and agree the math is right and the implementation is right. What is wanted is the dreary dreary dreary software engineering: are the comments comprehensive and understandable? no misspellings in the comments? variable names understandable? reasonable function naming convention? misleading coding style? off-by-one errors in loops? conditions not covered by tests? accidental mixups of variables with the same types? missing frees? read-before-init? better test coverage of suspicious-looking code? missing or mismatching header guards? portability issues? consistent coding style? you know, stuff any coder with a few years of experience in coding anything might be able to catch. With enough eyes all bugs are shallow!
- If you are running a mining pool/mining operation/exchange/custodial service/SPV server
- Be prepared to upgrade!
- One of the typical issues with upgrading software is that subtle incompatibilities with your current custom programs tend to arise, disrupting operations and potentially losing income due to downtime. If so, consider moving to the two-node setup suggested by gmax, which is in the last section of my previous post. With this, you have an up-to-date "public" node and a fixed-version "private" node, with the public node protecting the private node from any invalid chainsplits or invalid transactions. Moving to this setup from a typical one-node setup should be smooth and should not disrupt operations (too much).
- If you are running your own fullnode for fun or for your own wallet
- Be prepared to upgrade! The more nodes validating the new rules (even if you are a non-mining node!), the safer every softfork will be!
- If you are using an SPV wallet or custodial wallet/service (including hardware wallets using the software of the wallet provider)
- Contact your wallet provider / SPV server and ask for a statement on whether they support Taproot, and whether they are prepared to upgrade for Taproot! Make it known to them that Taproot is something you want!
But I Hate Taproot!!
- Raise your objections to Taproot now, or forever hold your peace! Maybe you can raise them here and some of the devs (probably nullc, he goes everywhere, even in rbtc!) might be able to see your objections! Or if your objections are very technical, head over to the appropriate pull request and object away!
- Maybe you simply misunderstand something, and we can clarify it here!
- Or maybe you do have a good objection, and we can make Taproot better by finding a solution for it!
Discussions About Taproot Activation
(if you would like to add information or see mistakes, just comment below and I will credit you) What is Cardano?
Cardano is an open source and permissionless "Third Generation" blockchain project being developed by IOHK. Development and research started in 2015, with the 1.0 mainnet launching in 2017. Cardano blockchain is currently being developed into two layers. The first one is the ledger of account values, and the second one is the reason why values are transferred from one account to the other.
- Cardano Settlement Layer (CSL) - The CSL acts as the ledger of account or balance ledger. This is an idea created as an improvement of bitcoin blockchain. It uses a proof-of-stake consensus algorithm known as Ouroboros to generate new blocks and confirm transactions.
- Cardano Computation Layer (CCL) - The CCL contains the data how values are transferred. Since the computation layer is not connected to balance ledger, users of the CCL can create customized rules (smart contracts) when evaluating transactions. (https://support.bitkub.com/hc/en-us/articles/360006678892-What-are-the-two-layers-of-Cardano-)
IOHK has the contract with an undisclosed party to develop the project until the end of 2020, at which point the community may elect another development team - on the assumption that the voting infrastructure has been completed. However CEO Charles Hoskinson has stated that they will develop the project until it is completed, and they are simply financed until the end of 2020.
Cardano was the first project built on a peer-reviewed scientific development method, resulting in dozens of research papers produced by IOHK. Among these papers is Ouroboros Genesis, proving that a Proof of Stake protocol can be just as secure as Proof of Work - which was originally developed for Bitcoin, and refined for Ethereum. This PoS protocol considerably lowers the resources cost to maintain network while still maintaining security and network speed.
Cardano as a financial infrastructure is not yet completed, With significant development to be rolled out. What were the other two generations of blockchain?
Gen 1 was Bitcoin. It exists by itself and talks to nobody but Bitcoin. It is capable of peer to peer transactions without a third party in such a way that you cannot cheat the system. This was a major step forward for the E-cash concept that people have been working on for the 20 years prior.
Gen 2 was Ethereum and other smart-contract platforms that allow other coins and platforms to be built on top of their infrastructure. These coins can interact with others on the platform, but cannot interact with other platforms. Meaning it is still not truly interoperable. Most Gen 2 blockchains are also using Proof of Work likes Bitcoin, which effects scaling. Also missing is a built-in method to pay for upgrades and voting mechanics for decision making.
Gen 3 blockchains are a complete package designed to replace the current financial infrastructure of the world. Cardano is using Proof of Stake to ensure security and decentralisation(Shelley). Scaling through parallel computation (Hydra in Basho), Sidechains to allow the platform to interact with other platforms (Basho), and also include mechanisms for voting for project funding, changes to the protocol and improvement proposals (Voltaire). Finally smart contracts platform for new and established projects that are developer friendly (Goguen). Who is the team behind Cardano?
There are three organisations that are contributing to the development of Cardano. The first is the Cardano Foundation, an objective, non-profit organisation based in Switzerland. Its core responsibilities are to nurture, grow and educate Cardano users and commercial communities, to engage with authorities on regulatory and commercial matters and to act as a blockchain and cryptocurrency standards body. The second entity is IOHK, a leading cryptocurrency research and development company, which holds the contract to develop the platform until 2020. The final business partner is Emurgo, which invests in start-ups and assists commercial ventures to build on the Cardano blockchain. www.Cardano.org www.emurgo.io https://cardanofoundation.org/en/ What is the difference between Proof of Work and Proof of stake?
Both these protocols are known as “consensus protocols” that confirm whether a transaction is valid or invalid without a middleman like Visa or your bank. Every node (active and updated copy of the blockchain) can agree that the transaction did take place legitimately. If more than half validators agree, then the ledger is updated and the transaction is now secured. Proof-of-Work (PoW) happens when a miner is elected to solve an exceptionally difficult math problem and gets credit for adding a verified block to the blockchain. Finding a solution is an arduous guessing game that takes a considerable amount of computing power to compete for the correct answer. It is like “pick a number between 1 and one trillion” and when you get it right, you get $30,000 in Bitcoin, so the more computers you have working on it, the faster you can solve it. Also the more people who are trying to solve the same block, the harder the algorithm, so it may become 1 in 20 trillion. The downside is the massive amounts of power required to run the computers that run the network, and the slow pace that blocks are solved. To “Hack” a PoW system, you need 51% of the computing power, which would allow you to deny transactions, or spend the same coin twice. At the moment there are 8 main mining operations for bitcoin, and 4 of them make up more that 51% of the mining power. PoS
instead selects a coin at random that already exists, and the person who owns that coin is elected to put the work in to validate the block. This means there is no contest and no guessing game. Some computer power is required, but only a fraction of a PoW system. The complex nature of selecting a coin that exists on the correct and longest chain and is owned by someone who can complete the block, AND in such a way that it is secure AND that computer currently running AND that person also having an incentive to complete the work, has made the development of PoS very slow. However only a few years ago it wasn’t even possible. In this method, the more of the coin (ADA) you stake, the more likely you are to be selected to close a block. Cardano also allows you to delegate your stake to someone else to validate the block so they do the work, and you share in the reward for doing so.
To “hack” a PoS blockchain you need to own 51% of the tokens, which is significantly harder than owning 51% of the computing power. What is ADA and how is it different to Cardano?
Cardano is the name of the network infrastructure, and can be thought of like a rail network. ADA is the native token that has been developed alongside Cardano to facilitate the network operation. This helps confusion and maintains distinction, compared to Ethereum being the native token of Ethereum. Similar to bitcoin or any other token, ADA can be sent peer to peer as payment, but is also the reward for running the network, and what is taken as transaction fees.
In this metaphor “Cardano” is the train tracks, that everything runs on. A stake pool would be the locomotive, facilitating transactions on the network while ADA is the coal that powers the locomotive. The train carriages are Decentralised applications (Dapps) that are also running on cardano tracks, but are not actively powering the network. What is staking
Cardano is a Proof of Stake protocol, and uses already existing coins like a marker to ensure security. The protocol chooses a coin at random and the owner of that coin is elected to validate a block of transactions. Staking is the process of adding your ADA coins to a Pool that has the resources to run the network. If the pool you have chosen to "delegate" your stake to is chosen to close/validate a block, then you get a portion of the rewards. The ADA never leaves your wallet, and you can "undelegate" whenever you like. this increases stability of the network and also gives an incentive to pool operators to invest the time and hardware required to run a pool. What is a stake-pool and how does it work? Cardano.org FAQ on the issue goes into much more detail
A stake pool is where the computing power of the network takes place. During ITN there was 1200 registered stake pools while 300 were creating blocks. You can manage your own stake-pool or delegate your ADA to an already registered pool. Rewards are determined by the protocol, however the pool may elect to charge fee Percentages, or flat rate fee to upkeep their pool. Can I Stake my ADA right now?
The staking testnet has closed, If you participated in the Incentivised Test Net and earned rewards, instructions to check the balance are here
However if you have just purchased some or it was held on an exchange, then you will need to wait until the Shelley mainnet launch happening at the end of July 2020. Where do I stake my ADA?
Daedalus Flight wallet, and Yoroi Wallet (as a chrome extension) are the current best options. Adalite and several other third-party wallets also exist. Coinbase will also allow staking as a custodial service, and many exchanges may offer “staking as a service” so you can leave your coins on the exchange and still earn rewards if you enjoy trading. I do not recommend leaving coins on an exchange unless you are actively trading. What are the staking rewards now and what can I expect on a return in the future?
The Incentivised Test Net (ITN) Delivered 10%-15%pa returns on average. The future of staking will most likely be lower, but will depend on the amount of ADA staked across the network and the amount of network traffic.
for a clearer picture. what is a Pledge?
To stop one person operating many pools, the rewards that a pool earns will vary depending on the amount of personal ADA they “pledge” to open the pool. This means that 50 pools with a 1,00ADA pledge each will be overall less profitable than 1-2 pool with the max ADA pledge (unknown but likely around 300k). Even if the 50 pools have the same over stake delegated by other users and have a better chance of being selected to close a block, the 50 pools may receive lower rewards.. (at least that is the theory) Who is IOHK?
IOHK is a for-profit software engineering company founded by CEO Charles Hoskinson and Jeremy Wood in 2015 that has taken a scientific approach to the development of blockchain. IOHK started with “first principles” and looked at questions like “what is a blockchain” and “what should a blockchain be able to do” rather than accepting the established paradigm of Bitcoin and Ethereum. IOHK was originally Input Output Hong Kong, but is now Input Output Global and is based in Wyoming USA employing over 230 staff. IOHK has established research labs in several universities in order to complete the Cardano project, and is also developing Ethereum Classic, Atala, Mantis and possibly other Blockchain related programs and infrastructure. Who is Charles?
Charles Hoskinson is an early adopter of cryptocurrencies, American entrepreneur and cryptocurrency specialist. Charles Co-founded Ethereum with Vitalik Buterin and 5-8 others, However he only worked on that project for approximately six-months. Charles is now the CEO of IOHK and the director of The Bitcoin Education Project. Why isn’t ADA on coinbase?
Cardano and coinbase have recently connected in a big way. With IOHK turning over all their ADA to the custodial services of Coinbase. This means that Cardano and Coinbase have been working together for some time and there is a strong partnership forming. Staking and cold storage will be available and trading on Coinbase will most likely become available after the release of Shelley (although no official word yet) Why Doesn’t Cardano have a Wikipedia Page?
Wikipedia has strict guidelines on what can be turned into an article. As there has been no coverage of Cardano from mainstream media or “noteworthy” sources, there is no article yet. Wikipedia will also not accept sources from IOHK as they are not considered “reliable” and must come from a third party. This will most likely change soon.
Cardano does have a dedicated community driven wiki https://cardanowiki.info/wiki/Home What is Atala and why do I care?
Atala is a suite of services being developed on top of the cardano blockchain by IOHK that focusses on credential certification, for things like education, work history and degrees (Atala Prism). Product counterfeiting protection through registering products on a blockchain and create taper-proof provenance. This does not only apply to Gucci handbags, but also medication, art, and anything that can be counterfeited (Atala Scan). As well as supply chain tracking to see issues and inefficiencies with greater transparency(Atala Trace). Im new, how much is a good investment?
Cardano is still a speculative market and although there is amazing potential here, it is still only potential. When investing in any High risk market like Crypto, only every invest what you are willing to lose. Cardano may be testing the 10c barrier now. But in March it dumped to 1.7c. And if you suddenly need your money back during the dump then you are out of luck. Do your research before you FOMO in. Start with a small amount and send it between wallets and exchanges to understand how the system works. Store your private keys offline (or online cloud service but encrypted) with a method that is unlikely to be damaged AND have multiple copies. So in the case of a house fire or a blow to the head, or the cloud service being shutdown/destroyed, you do not lose your money. Timelines https://roadmap.cardano.org/en/ Shelley Decentralisation rollout and news Goguen smart contract rollout
Voltaire Voting mechanics – no official roll out timeline (though promised for 2020)
Basho scaling and sidechains – no official roll out time line (most likely 2021)
Dear Groestlers, it goes without saying that 2020 has been a difficult time for millions of people worldwide. The groestlcoin team would like to take this opportunity to wish everyone our best to everyone coping with the direct and indirect effects of COVID-19. Let it bring out the best in us all and show that collectively, we can conquer anything.
The centralised banks and our national governments are facing unprecedented times with interest rates worldwide dropping to record lows in places. Rest assured that this can only strengthen the fundamentals of all decentralised cryptocurrencies and the vision that was seeded with Satoshi's Bitcoin whitepaper over 10 years ago. Despite everything that has been thrown at us this year, the show must go on and the team will still progress and advance to continue the momentum that we have developed over the past 6 years.
In addition to this, we'd like to remind you all that this is Groestlcoin's 6th Birthday release! In terms of price there have been some crazy highs and lows over the years (with highs of around $2.60 and lows of $0.000077!), but in terms of value– Groestlcoin just keeps getting more valuable! In these uncertain times, one thing remains clear – Groestlcoin will keep going and keep innovating regardless. On with what has been worked on and completed over the past few months.
UPDATED - Groestlcoin Core 2.18.2
This is a major release of Groestlcoin Core with many protocol level improvements and code optimizations, featuring the technical equivalent of Bitcoin v0.18.2 but with Groestlcoin-specific patches. On a general level, most of what is new is a new 'Groestlcoin-wallet' tool which is now distributed alongside Groestlcoin Core's other executables. NOTE: The 'Account' API has been removed from this version which was typically used in some tip bots. Please ensure you check the release notes from 2.17.2 for details on replacing this functionality.
- Builds are now done through Gitian
- Calls to getblocktemplate will fail if the segwit rule is not specified. Calling getblocktemplate without segwit specified is almost certainly a misconfiguration since doing so results in lower rewards for the miner. Failed calls will produce an error message describing how to enable the segwit rule.
- A warning is printed if an unrecognized section name is used in the configuration file. Recognized sections are [test], [main], and [regtest].
- Four new options are available for configuring the maximum number of messages that ZMQ will queue in memory (the "high water mark") before dropping additional messages. The default value is 1,000, the same as was used for previous releases.
- The rpcallowip option can no longer be used to automatically listen on all network interfaces. Instead, the rpcbind parameter must be used to specify the IP addresses to listen on. Listening for RPC commands over a public network connection is insecure and should be disabled, so a warning is now printed if a user selects such a configuration. If you need to expose RPC in order to use a tool like Docker, ensure you only bind RPC to your localhost, e.g. docker run [...] -p 127.0.0.1:1441:1441 (this is an extra :1441 over the normal Docker port specification).
- The rpcpassword option now causes a startup error if the password set in the configuration file contains a hash character (#), as it's ambiguous whether the hash character is meant for the password or as a comment.
- The whitelistforcerelay option is used to relay transactions from whitelisted peers even when not accepted to the mempool. This option now defaults to being off, so that changes in policy and disconnect/ban behavior will not cause a node that is whitelisting another to be dropped by peers.
- A new short about the JSON-RPC interface describes cases where the results of anRPC might contain inconsistencies between data sourced from differentsubsystems, such as wallet state and mempool state.
- A new document (https://github.com/groestlcoin/groestlcoin/blob/mastedoc/groestlcoin-conf.md) about the groestlcoin.conf file describes how to use it to configure Groestlcoin Core.
- A new document introduces Groestlcoin Core's BIP174 interface, which is used to allow multiple programs to collaboratively work to create, sign, and broadcast new transactions. This is useful for offline (cold storage) wallets, multisig wallets, coinjoin implementations, and many other cases where two or more programs need to interact to generate a complete transaction.
- The output script descriptor (https://github.com/groestlcoin/groestlcoin/blob/mastedoc/descriptors.md) documentation has been updated with information about new features in this still-developing language for describing the output scripts that a wallet or other program wants to receive notifications for, such as which addresses it wants to know received payments. The language is currently used in multiple new and updated RPCs described in these release notes and is expected to be adapted to other RPCs and to the underlying wallet structure.
- A new --disable-bip70 option may be passed to ./configure to prevent Groestlcoin-Qt from being built with support for the BIP70 payment protocol or from linking libssl. As the payment protocol has exposed Groestlcoin Core to libssl vulnerabilities in the past, builders who don't need BIP70 support are encouraged to use this option to reduce their exposure to future vulnerabilities.
- The minimum required version of Qt (when building the GUI) has been increased from 5.2 to 5.5.1 (the depends system provides 5.9.7)
- getnodeaddresses returns peer addresses known to this node. It may be used to find nodes to connect to without using a DNS seeder.
- listwalletdir returns a list of wallets in the wallet directory (either the default wallet directory or the directory configured bythe -walletdir parameter).
- getrpcinfo returns runtime details of the RPC server. Currently, it returns an array of the currently active commands and how long they've been running.
- deriveaddresses returns one or more addresses corresponding to an output descriptor.
- getdescriptorinfo accepts a descriptor and returns information aboutit, including its computed checksum.
- joinpsbts merges multiple distinct PSBTs into a single PSBT. The multiple PSBTs must have different inputs. The resulting PSBT will contain every input and output from all the PSBTs. Any signatures provided in any of the PSBTs will be dropped.
- analyzepsbt examines a PSBT and provides information about what the PSBT contains and the next steps that need to be taken in order to complete the transaction. For each input of a PSBT, analyze psbt provides information about what information is missing for that input, including whether a UTXO needs to be provided, what pubkeys still need to be provided, which scripts need to be provided, and what signatures are still needed. Every input will also list which role is needed to complete that input, and analyzepsbt will also list the next role in general needed to complete the PSBT. analyzepsbt will also provide the estimated fee rate and estimated virtual size of the completed transaction if it has enough information to do so.
- utxoupdatepsbt searches the set of Unspent Transaction Outputs (UTXOs) to find the outputs being spent by the partial transaction. PSBTs need to have the UTXOs being spent to be provided because the signing algorithm requires information from the UTXO being spent. For segwit inputs, only the UTXO itself is necessary. For non-segwit outputs, the entire previous transaction is needed so that signers can be sure that they are signing the correct thing. Unfortunately, because the UTXO set only contains UTXOs and not full transactions, utxoupdatepsbt will only add the UTXO for segwit inputs.
- getpeerinfo now returns an additional minfeefilter field set to the peer's BIP133 fee filter. You can use this to detect that you have peers that are willing to accept transactions below the default minimum relay fee.
- The mempool RPCs, such as getrawmempool with verbose=true, now return an additional "bip125-replaceable" value indicating whether thetransaction (or its unconfirmed ancestors) opts-in to asking nodes and miners to replace it with a higher-feerate transaction spending any of the same inputs.
- settxfee previously silently ignored attempts to set the fee below the allowed minimums. It now prints a warning. The special value of"0" may still be used to request the minimum value.
- getaddressinfo now provides an ischange field indicating whether the wallet used the address in a change output.
- importmulti has been updated to support P2WSH, P2WPKH, P2SH-P2WPKH, and P2SH-P2WSH. Requests for P2WSH and P2SH-P2WSH accept an additional witnessscript parameter.
- importmulti now returns an additional warnings field for each request with an array of strings explaining when fields are being ignored or are inconsistent, if there are any.
- getaddressinfo now returns an additional solvable Boolean field when Groestlcoin Core knows enough about the address's scriptPubKey, optional redeemScript, and optional witnessScript for the wallet to be able to generate an unsigned input spending funds sent to that address.
- The getaddressinfo, listunspent, and scantxoutset RPCs now return an additional desc field that contains an output descriptor containing all key paths and signing information for the address (except for the private key). The desc field is only returned for getaddressinfo and listunspent when the address is solvable.
- importprivkey will preserve previously-set labels for addresses or public keys corresponding to the private key being imported. For example, if you imported a watch-only address with the label "coldwallet" in earlier releases of Groestlcoin Core, subsequently importing the private key would default to resetting the address's label to the default empty-string label (""). In this release, the previous label of "cold wallet" will be retained. If you optionally specify any label besides the default when calling importprivkey, the new label will be applied to the address.
- getmininginfo now omits currentblockweight and currentblocktx when a block was never assembled via RPC on this node.
- The getrawtransaction RPC & REST endpoints no longer check the unspent UTXO set for a transaction. The remaining behaviors are as follows:
- If a blockhash is provided, check the corresponding block.
- If no blockhash is provided, check the mempool.
- If no blockhash is provided but txindex is enabled, also check txindex.
- unloadwallet is now synchronous, meaning it will not return until the wallet is fully unloaded.
- importmulti now supports importing of addresses from descriptors. A desc parameter can be provided instead of the "scriptPubKey" in are quest, as well as an optional range for ranged descriptors to specify the start and end of the range to import. Descriptors with key origin information imported through importmulti will have their key origin information stored in the wallet for use with creating PSBTs.
- listunspent has been modified so that it also returns witnessScript, the witness script in the case of a P2WSH orP2SH-P2WSH output.
- createwallet now has an optional blank argument that can be used to create a blank wallet. Blank wallets do not have any keys or HDseed. They cannot be opened in software older than 2.18.2. Once a blank wallet has a HD seed set (by using sethdseed) or private keys, scripts, addresses, and other watch only things have been imported, the wallet is no longer blank and can be opened in 2.17.2. Encrypting a blank wallet will also set a HD seed for it.
- signrawtransaction is removed after being deprecated and hidden behind a special configuration option in version 2.17.2.
- The 'account' API is removed after being deprecated in v2.17.2 The 'label' API was introduced in v2.17.2 as a replacement for accounts. See the release notes from v2.17.2 for a full description of the changes from the 'account' API to the 'label' API.
- addwitnessaddress is removed after being deprecated in version 2.16.0.
- generate is deprecated and will be fully removed in a subsequent major version. This RPC is only used for testing, but its implementation reached across multiple subsystems (wallet and mining), so it is being deprecated to simplify the wallet-node interface. Projects that are using generate for testing purposes should transition to using the generatetoaddress RPC, which does not require or use the wallet component. Calling generatetoaddress with an address returned by the getnewaddress RPC gives the same functionality as the old generate RPC. To continue using generate in this version, restart groestlcoind with the -deprecatedrpc=generate configuration option.
- Be reminded that parts of the validateaddress command have been deprecated and moved to getaddressinfo. The following deprecated fields have moved to getaddressinfo: ismine, iswatchonly,script, hex, pubkeys, sigsrequired, pubkey, embedded,iscompressed, label, timestamp, hdkeypath, hdmasterkeyid.
- The addresses field has been removed from the validateaddressand getaddressinfo RPC methods. This field was confusing since it referred to public keys using their P2PKH address. Clients should use the embedded.address field for P2SH or P2WSH wrapped addresses, and pubkeys for inspecting multisig participants.
- A new /rest/blockhashbyheight/ endpoint is added for fetching the hash of the block in the current best blockchain based on its height (how many blocks it is after the Genesis Block).
- A new Window menu is added alongside the existing File, Settings, and Help menus. Several items from the other menus that opened new windows have been moved to this new Window menu.
- In the Send tab, the checkbox for "pay only the required fee" has been removed. Instead, the user can simply decrease the value in the Custom Fee rate field all the way down to the node's configured minimumrelay fee.
- In the Overview tab, the watch-only balance will be the only balance shown if the wallet was created using the createwallet RPC and thedisable_private_keys parameter was set to true.
- The launch-on-startup option is no longer available on macOS if compiled with macosx min version greater than 10.11 (useCXXFLAGS="-mmacosx-version-min=10.11" CFLAGS="-mmacosx-version-min=10.11" for setting the deployment sdkversion)
- A new groestlcoin-wallet tool is now distributed alongside Groestlcoin Core's other executables. Without needing to use any RPCs, this tool can currently create a new wallet file or display some basic information about an existing wallet, such as whether the wallet is encrypted, whether it uses an HD seed, how many transactions it contains, and how many address book entries it has.
- Since version 2.16.0, Groestlcoin Core's built-in wallet has defaulted to generating P2SH-wrapped segwit addresses when users want to receive payments. These addresses are backwards compatible with all widely used software. Starting with Groestlcoin Core 2.20.1 (expected about a year after 2.18.2), Groestlcoin Core will default to native segwitaddresses (bech32) that provide additional fee savings and other benefits. Currently, many wallets and services already support sending to bech32 addresses, and if the Groestlcoin Core project sees enough additional adoption, it will instead default to bech32 receiving addresses in Groestlcoin Core 2.19.1. P2SH-wrapped segwit addresses will continue to be provided if the user requests them in the GUI or by RPC, and anyone who doesn't want the update will be able to configure their default address type. (Similarly, pioneering users who want to change their default now may set the addresstype=bech32 configuration option in any Groestlcoin Core release from 2.16.0 up.)
- BIP 61 reject messages are now deprecated. Reject messages have no use case on the P2P network and are only logged for debugging by most network nodes. Furthermore, they increase bandwidth and can be harmful for privacy and security. It has been possible to disable BIP 61 messages since v2.17.2 with the -enablebip61=0 option. BIP 61 messages will be disabled by default in a future version, before being removed entirely.
- The submitblock RPC previously returned the reason a rejected block was invalid the first time it processed that block but returned a generic "duplicate" rejection message on subsequent occasions it processed the same block. It now always returns the fundamental reason for rejecting an invalid block and only returns "duplicate" for valid blocks it has already accepted.
- A new submitheader RPC allows submitting block headers independently from their block. This is likely only useful for testing.
- The signrawtransactionwithkey and signrawtransactionwithwallet RPCs have been modified so that they also optionally accept a witnessScript, the witness script in the case of a P2WSH orP2SH-P2WSH output. This is compatible with the change to listunspent.
- For the walletprocesspsbt and walletcreatefundedpsbt RPCs, if thebip32derivs parameter is set to true but the key metadata for a public key has not been updated yet, then that key will have a derivation path as if it were just an independent key (i.e. no derivation path and its master fingerprint is itself).
- The -usehd configuration option was removed in version 2.16.0 From that version onwards, all new wallets created are hierarchical deterministic wallets. This release makes specifying -usehd an invalid configuration option.
- This release allows peers that your node automatically disconnected for misbehaviour (e.g. sending invalid data) to reconnect to your node if you have unused incoming connection slots. If your slots fill up, a misbehaving node will be disconnected to make room for nodes without a history of problems (unless the misbehaving node helps your node in some other way, such as by connecting to a part of the Internet from which you don't have many other peers). Previously, Groestlcoin Core banned the IP addresses of misbehaving peers for a period (default of 1 day); this was easily circumvented by attackers with multiple IP addresses. If you manually ban a peer, such as by using the setban RPC, all connections from that peer will still be rejected.
- The key metadata will need to be upgraded the first time that the HDseed is available. For unencrypted wallets this will occur on wallet loading. For encrypted wallets this will occur the first time the wallet is unlocked.
- Newly encrypted wallets will no longer require restarting the software. Instead such wallets will be completely unloaded and reloaded to achieve the same effect.
- A sub-project of Bitcoin Core now provides Hardware Wallet Interaction (HWI) scripts that allow command-line users to use several popular hardware key management devices with Groestlcoin Core. See their project page for details.
- This release changes the Random Number Generator (RNG) used from OpenSSL to Groestlcoin Core's own implementation, although entropy gathered by Groestlcoin Core is fed out to OpenSSL and then read back in when the program needs strong randomness. This moves Groestlcoin Core a little closer to no longer needing to depend on OpenSSL, a dependency that has caused security issues in the past. The new implementation gathers entropy from multiple sources, including from hardware supporting the rdseed CPU instruction.
- On macOS, Groestlcoin Core now opts out of application CPU throttling ("app nap") during initial blockchain download, when catching up from over 100 blocks behind the current chain tip, or when reindexing chain data. This helps prevent these operations from taking an excessively long time because the operating system is attempting to conserve power.
How to Upgrade?
If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), then run the installer.
If you are running an older version, shut it down. Wait until it has completely shut down (which might take a few minutes for older versions), run the dmg and drag Groestlcoin Core to Applications.
Other Linux http://groestlcoin.org/forum/index.php?topic=97.0
Download Download the Windows Installer (64 bit) here Download the Windows Installer (32 bit) here Download the Windows binaries (64 bit) here Download the Windows binaries (32 bit) here Download the OSX Installer here Download the OSX binaries here Download the Linux binaries (64 bit) here Download the Linux binaries (32 bit) here Download the ARM Linux binaries (64 bit) here Download the ARM Linux binaries (32 bit) here
ALL NEW - Groestlcoin Moonshine iOS/Android Wallet
Built with React Native, Moonshine utilizes Electrum-GRS's JSON-RPC methods to interact with the Groestlcoin network.
GRS Moonshine's intended use is as a hot wallet. Meaning, your keys are only as safe as the device you install this wallet on. As with any hot wallet, please ensure that you keep only a small, responsible amount of Groestlcoin on it at any given time.
- Groestlcoin Mainnet & Testnet supported
- Bech32 support
- Multiple wallet support
- Electrum - Support for both random and custom peers
- Encrypted storage
- Biometric + Pin authentication
- Custom fee selection
- Import mnemonic phrases via manual entry or scanning
- RBF functionality
- BIP39 Passphrase functionality
- Support for Segwit-compatible & legacy addresses in settings
- Support individual private key sweeping
- UTXO blacklisting - Accessible via the Transaction Detail view, this allows users to blacklist any utxo that they do not wish to include in their list of available utxo's when sending transactions. Blacklisting a utxo excludes its amount from the wallet's total balance.
- Ability to Sign & Verify Messages
- Support BitID for password-free authentication
- Coin Control - This can be accessed from the Send Transaction view and basically allows users to select from a list of available UTXO's to include in their transaction.
- Ability to Broadcast raw transactions
Download iOS Android
ALL NEW! – HODL GRS Android Wallet
HODL GRS connects directly to the Groestlcoin network using SPV mode and doesn't rely on servers that can be hacked or disabled.
HODL GRS utilizes AES hardware encryption, app sandboxing, and the latest security features to protect users from malware, browser security holes, and even physical theft. Private keys are stored only in the secure enclave of the user's phone, inaccessible to anyone other than the user.
Simplicity and ease-of-use is the core design principle of HODL GRS. A simple recovery phrase (which we call a Backup Recovery Key) is all that is needed to restore the user's wallet if they ever lose or replace their device. HODL GRS is deterministic, which means the user's balance and transaction history can be recovered just from the backup recovery key.
- Simplified payment verification for fast mobile performance
- No server to get hacked or go down
- Single backup phrase that works forever
- Private keys never leave your device
- Import password protected paper wallets
- Payment protocol payee identity certification
Download Main Release (Main Net) Testnet Release
ALL NEW! – GroestlcoinSeed Savior
Groestlcoin Seed Savior is a tool for recovering BIP39 seed phrases.
This tool is meant to help users with recovering a slightly incorrect Groestlcoin mnemonic phrase (AKA backup or seed). You can enter an existing BIP39 mnemonic and get derived addresses in various formats.
To find out if one of the suggested addresses is the right one, you can click on the suggested address to check the address' transaction history on a block explorer.
- If a word is wrong, the tool will try to suggest the closest option.
- If a word is missing or unknown, please type "?" instead and the tool will find all relevant options.
Live Version (Not Recommended) https://www.groestlcoin.org/recovery/
ALL NEW! – Vanity Search Vanity Address Generator NOTE: NVidia GPU or