First up, I want to recognize that this is an uncomfortable topic! Bitcoin is inevitably changing towards user-pays, and that's not all positive. But facts we don't like are still facts: can't engineer a solution if we can't think about the problems.
There are three kinds of bitcoiners.
A. Those who can afford any fee.
B. Those who can afford a UTXO, but not often.
C. Those who can't afford a UTXO.
Nobody worries about the A group (and in the early days, that was everyone). Obviously Lightning (my area!) caters to the B group, and we want it to be as large as possible. To do this we can (1) make lightning as resiliant as we can so onchain spends are rare, (2) make bitcoin as efficient as possible so we can cram as much as we can into what we have.
(1) Making lightning more resilient and reliable is engineering. Lots of people working on this, even before we get soft-forks which could help further.
(2) More efficiency has two benefits: obviously if your own onchain spends are 20% smaller, that's 20% cheaper. But if *everyone's* onchain spends are 20% smaller, that means fees are lower *for everyone* too (and it's non-linear). So we really care about all Bitcoin usage! Some things are obvious wins: Taproot so you can avoid even putting the script onchain in many cases, FROST so you can cram your 2 of 3 or other scheme into a single key and signature. We know we want to get more aggressive with sharing one signature across multiple inputs (Cross Input Signature Aggregation), but that needs a lot more research, and a soft-fork.
But even with all these, the math is clear: some people, even if you somehow gave them their wealth in a UTXO, it couldn't afford its own fees to spend. The C group is real. Spoiler alert: we don't have an answer for this! But let's look at some approaches people have tried.
Firstly, there are attempts to move these people into the B group: give them long enough that maybe fees will reach a point they can afford. This seems unlikely to me:
1. As fees increase everyone will start doing the work to take advantage of low fee times, and that itself means that low-fee times won't be so low.
2. These schemes tend to increase onchain footprints, so they need fees to drop a lot to overcome that (typical is 2x the transaction size, so you need fees to halve to gain anything).
3. If you really can't afford the fee, you probably also can't afford to wait.
4. You still haven't actually dealt with those who really, really can't afford the fees. Ever.
Another suggestion is that someone (e.g. a lightning service provider) will lock up funds which would cover fees, in case something goes wrong. This doesn't work economically, because nobody is paying $100 for a $5 user (not at scale), but it doesn't even work mathematically: the reason some people will have small UTXOs is because there are not enough sats for 10 billion people with any realistic distribution.
There are two basic approaches left:
1. Group people, so they fall into the B category (i.e. onchain tx is possible, but expensive).
2. Trust someone, but rely on incentives.
1. Grouping people is possible, but they need to work together if somenthing goes wrong. So grouping inside a community is probably better than grouping with randos.
For example, there are various tree-of-transaction schemes where you go onchain only if the coordinator fails/goes rogue, and how much it costs you depends on whether anyone near you in the tree pays to get themselves out. These are basically free if nothing goes wrong (one UTXO required for thousands of users!). But this is subject to ghettoization, where the coordinator makes sure all the C people are grouped together, knowing none of them can afford the transactions they need to get their funds back. It's particularly bad because the coordinator can insert its own fake "whales" to make it look like it's not ghettoized.
You can play with incentives here, too: more research needed. The details matter!
2. Relying on incentives.
As a simple example, lightning-connected e-cash mints. They can't rug individuals very easily, they have to rug everyone together (or go fractional and rug the last ones to exit). Maybe with enough anonymity and reputation, these would be Good Enough.
More ambitious would be a single UTXO held for multiple people by a coordinator. Can we make it so that if a coordinator is dishonest, you can force them to burn your funds? Maybe burn more than your funds (ie. a bond)? Won't get your money, but it aligns incentives so they're not motivated to rug you. The details here really matter!
There's a cute scheme which has been proposed where the coordinator pays a temporary bond, and asserts that they actually have everyone's signature to transfer the funds. If nobody challenges within a week, they get the bond back and the funds move. If someone challenges, all the signatures are put onchain, and if they're not all valid, the bond gets half-burned and half-given to the (successful) challenger. This is hard to make work, though. Someone needs to get the money to challenge (hard if you don't have the money in the first place, plus it's hard to prove to someone you *didn't* sign something!), and then make sure nobody gets the challenge bond before them (in particular, a dishonest coordinator, seeing the game is up, completes the successful challenge *themselves* and gets half their bond back), and make sure someone can't grief and delay the settlement indefinitely or bankrupt the coordinator.
More research needed, here, too.
Summary
A longer post than I had expected to write. And it's buried in the middle of a thread nobody will read. (I do this sometimes. I suck at marketing I guess!)
Sub-fee bitcoin amounts will have tradeoffs, involving trusting someone who has more money than you (at least, in someone's competence, even if their *financial* incentives can be made to match yours). This is difficult to build well, and not a very exciting thing to build today, so it hasn't really happened (custodial things are much, much easier!).
This is also a key reason I believe we need to make Bitcoin more expressive: if we can do *more* with our own UTXOs, we can build better solutions. And by "we" I mean "someone smarter than me" of course!
Feedback welcome!
Replies (46)
I read it, but way too technical for me, so I’m glad you’re thinking about the problem!
In 2. Relying on incentives.
A system that can rug everyone is kinda bad isn't it? Eg: I don't put lots of funds in Wallet of Satoshi. If WOS rugges everyone, I lose a little money. But WOS rugging everyone is attractive isn't it. There's a lots of bitcoin locked in them.
Also, I'm wondering is it hard for entity like WOS to implement ecash into their system as a default. I'm already trusting them with a little money, if they turn everything into ecash, it least I can get privacy.
Great note. The grouping (with right incentives) that we can do right now is to open some channels on Liquid and bridge the payments. It's one network. The peg ins are essentially the grouped UTXOs.
Here's how to do it:
Expanding the Lightning network to serve billions – a quick win strategy – Juraj Bednar
I loved the incentives part. Especially how to hinder "cannibalism", where a single actor challenges themselves and make it look like a contest.
Don't trust all you see, huh?
Liquid is a "trust someone" solution. There are precautions to avoid targeting particular users (confidential amounts and assets) similar to ecash, but it's still a custodian.
We can certainly argue it's a "good enough" custodian, given the number, reputation and legal consequences of failure, but it's still a custodian.
Yes. If you're going to use a custodian, ecash is a win.
Summary of how Bitcoin devs are thinking about the future
Rusty Russell
First up, I want to recognize that this is an uncomfortable topic! Bitcoin is inevitably changing towards user-pays, and that's not all positive. But facts we don't like are still facts: can't engineer a solution if we can't think about the problems.
There are three kinds of bitcoiners.
A. Those who can afford any fee.
B. Those who can afford a UTXO, but not often.
C. Those who can't afford a UTXO.
Nobody worries about the A group (and in the early days, that was everyone). Obviously Lightning (my area!) caters to the B group, and we want it to be as large as possible. To do this we can (1) make lightning as resiliant as we can so onchain spends are rare, (2) make bitcoin as efficient as possible so we can cram as much as we can into what we have.
(1) Making lightning more resilient and reliable is engineering. Lots of people working on this, even before we get soft-forks which could help further.
(2) More efficiency has two benefits: obviously if your own onchain spends are 20% smaller, that's 20% cheaper. But if *everyone's* onchain spends are 20% smaller, that means fees are lower *for everyone* too (and it's non-linear). So we really care about all Bitcoin usage! Some things are obvious wins: Taproot so you can avoid even putting the script onchain in many cases, FROST so you can cram your 2 of 3 or other scheme into a single key and signature. We know we want to get more aggressive with sharing one signature across multiple inputs (Cross Input Signature Aggregation), but that needs a lot more research, and a soft-fork.
But even with all these, the math is clear: some people, even if you somehow gave them their wealth in a UTXO, it couldn't afford its own fees to spend. The C group is real. Spoiler alert: we don't have an answer for this! But let's look at some approaches people have tried.
Firstly, there are attempts to move these people into the B group: give them long enough that maybe fees will reach a point they can afford. This seems unlikely to me:
1. As fees increase everyone will start doing the work to take advantage of low fee times, and that itself means that low-fee times won't be so low.
2. These schemes tend to increase onchain footprints, so they need fees to drop a lot to overcome that (typical is 2x the transaction size, so you need fees to halve to gain anything).
3. If you really can't afford the fee, you probably also can't afford to wait.
4. You still haven't actually dealt with those who really, really can't afford the fees. Ever.
Another suggestion is that someone (e.g. a lightning service provider) will lock up funds which would cover fees, in case something goes wrong. This doesn't work economically, because nobody is paying $100 for a $5 user (not at scale), but it doesn't even work mathematically: the reason some people will have small UTXOs is because there are not enough sats for 10 billion people with any realistic distribution.
There are two basic approaches left:
1. Group people, so they fall into the B category (i.e. onchain tx is possible, but expensive).
2. Trust someone, but rely on incentives.
1. Grouping people is possible, but they need to work together if somenthing goes wrong. So grouping inside a community is probably better than grouping with randos.
For example, there are various tree-of-transaction schemes where you go onchain only if the coordinator fails/goes rogue, and how much it costs you depends on whether anyone near you in the tree pays to get themselves out. These are basically free if nothing goes wrong (one UTXO required for thousands of users!). But this is subject to ghettoization, where the coordinator makes sure all the C people are grouped together, knowing none of them can afford the transactions they need to get their funds back. It's particularly bad because the coordinator can insert its own fake "whales" to make it look like it's not ghettoized.
You can play with incentives here, too: more research needed. The details matter!
2. Relying on incentives.
As a simple example, lightning-connected e-cash mints. They can't rug individuals very easily, they have to rug everyone together (or go fractional and rug the last ones to exit). Maybe with enough anonymity and reputation, these would be Good Enough.
More ambitious would be a single UTXO held for multiple people by a coordinator. Can we make it so that if a coordinator is dishonest, you can force them to burn your funds? Maybe burn more than your funds (ie. a bond)? Won't get your money, but it aligns incentives so they're not motivated to rug you. The details here really matter!
There's a cute scheme which has been proposed where the coordinator pays a temporary bond, and asserts that they actually have everyone's signature to transfer the funds. If nobody challenges within a week, they get the bond back and the funds move. If someone challenges, all the signatures are put onchain, and if they're not all valid, the bond gets half-burned and half-given to the (successful) challenger. This is hard to make work, though. Someone needs to get the money to challenge (hard if you don't have the money in the first place, plus it's hard to prove to someone you *didn't* sign something!), and then make sure nobody gets the challenge bond before them (in particular, a dishonest coordinator, seeing the game is up, completes the successful challenge *themselves* and gets half their bond back), and make sure someone can't grief and delay the settlement indefinitely or bankrupt the coordinator.
More research needed, here, too.
Summary
A longer post than I had expected to write. And it's buried in the middle of a thread nobody will read. (I do this sometimes. I suck at marketing I guess!)
Sub-fee bitcoin amounts will have tradeoffs, involving trusting someone who has more money than you (at least, in someone's competence, even if their *financial* incentives can be made to match yours). This is difficult to build well, and not a very exciting thing to build today, so it hasn't really happened (custodial things are much, much easier!).
This is also a key reason I believe we need to make Bitcoin more expressive: if we can do *more* with our own UTXOs, we can build better solutions. And by "we" I mean "someone smarter than me" of course!
Feedback welcome!
View quoted note →
Great points!
I’d encourage everyone to read
@Lyn Alden‘s book Broken Money. There is anthropological evidence that “2. rely on incentives” works. Specifically Chapter 4 “A unified theory of money”.
Ecash community banks in local high-trust environments are basically a social credit system. Or a “proof of punch” system to quote
@npub1kp7j...487l.
This is in contract to global low-trust environments that requires final settlement of commodity money. This would map to Bitcoin over Lightning (between banks and self-custody solutions).
8B people could use bitcoin today without a soft-fork with 10M community banks at an average of 800 users per bank. In reality things would obviously look much more heterogeneous with people using self-custody wallets, full custodians, ETFs and everything in between. But I don’t see why local community banks couldn’t be a part of the solution.
This is also how banking works in many places today. For example Germany has a very decentralized banking model with about 1500 banks. 70% of deposits are held at local community banks and credit unions (Volksbanken Raiffeisenbanken).
My point is with all these technical discussions about scaling, we shouldn’t forget about human nature. People are more likely to adopt bitcoin if it works in a way they’re used to. We should learn from history and not ignore anthological evidence. That means relying on local trust and incentives where appropriate.
This is excellent Rusty .. thanks 🙏
Currently this sounds like a place for #CashuMints to feel at home in ^^
Very detailed and real problem for those who can’t UTXOs. I don’t know much about this and hope a solution is found. Thanks
Rusty are you not underselling 2 here? Where we can of course get 10 / 20% gains with improvements like taproot and Frost lightning can represent 90-95% efficiency gain over the lifetime of an individuals bitcoin usage.
We still have the limitation of the # of satoshis that exist and the # of UTXOs that can exist, but this pushes against blockspace driving the threshold of subfee UTXOs as well
Too long didn't read
doing self-mint = running LN node
Thanks for sharing all this Rusty. It's nice to have some high quality content amongst all the noise 😃
Innovations on upper layers are welcome but changes to the core L1 protocol should be a last resort, to solve some existential problem that cannot be solved in any other way.
We don’t have a scaling problem yet. We probably will in the future, but we don’t have one now. We don’t need to rush out solutions ahead of time. We should just do R&D and deploy candidate proposals elsewhere to other working systems to gain experience with them.
When we do face a scaling problem, we should allow the pain of it to motivate solutions on upper layers before we entertain changes to the core protocol. Necessity is always the mother of invention and the pain of the actual problem may motivate solutions we didn’t consider before.
We also need to keep in mind that L1 transactions are not for buying coffee. L1 is for safeguarding the world’s money. We can’t continue to mess it up (eg. witness discount). Future generations are counting on us.
Last time I watched 4Sats/vB, currently 7.
We have no current scaling problem.
Don't touch the baselayer!
Lighting will succeed. It's better than most think.
I like the direction this is going in. Consider that larger transactions can afford higher fees for priority inclusion.
Perhaps one needs to accept that there will always be a Group C, and nothing can be done to prevent that. So, the goal should be to expand Group B as much as possible.
As long as people keep pondering the subject the answers will come
I read it.
unaffordable if you think in terms of fiat.
If you think in bitcoin terms, 2 to 3% transaction fees for an inmutable store of value is nothing.
Even in real estate you have to pay 5% to the broker and 2% transfer tax paid to the state and city.
If your house is worth 500k, you have to pay $35,000 in fees.
Bitcoin is a much better store of value, so paying 5 to 7% is still a bargain
Some good points here but it’s ‘Maths’ not ‘Math’
IMO your #2 incentives based system will happen inevitably. Like a new free banking system based on BTC. Some will be good, some will take too much risk, some will be crooks. If there are enough options then the good win out overall and the overextended/crooks fail often and early enough for the system to remain healthy on the whole
C group worst case can use custodial bitcoin .
You could have custodial services that accepts being audited on permannant basis
This is still 100X better than FIAT
This is why I believe there is a use case for silver coinage used for in-person, everyday, transactions. Private, bearer assets
British vs American English, sorry.
Indeed, that's the current effort, in every direction. But it definitely has limits.
It's hard to get exact numbers, but a significant fraction of the world will not have enough money at one time to spend a single UTXO. This is clear from the uneven distribution of wealth and the inevitable rise in Bitcoin fees.
Great thinking
Does drivetrain a la Paul Sztorc theoretically improve this in any way?
Not really, that I can tell. The custodian you are trusting there is the miners.
I somewhat agree: "trust somebody" can be quite efficient. But it's prone to bad incentives (undeclared fractional reserve) which can drive out good actors (who are not as profitable) *then* collapse. I know
@calle has thought about this a fair bit, and has a rotating ecash solution which may address it well enough?
You can have public and private bookmarks on Amethyst ... works well!
Great comment Rusty!
Just the basic idea of identifying that there are 3 groups of people (can afford; can sometimes afford; and cannot afford a UTXO whatsoever) is a huge upgrade over past conversations, which tend to jump straight into technical details and gloss over the actual user profiles and market demand.
Personally, I agree that more research is warranted. I’m not particularly optimistic on UTXO-sharing as a solution for people who can’t afford standalone UTXOs at all because of the group coordination cost, “Tragedy of the Commons”issue (LN counterparties are heavily incentivized to police their LN channel state, whereas in a Timeout Tree you can freeride others to do the policing for you, leading to no one doing it at all), “ghettorization” issue as you mentioned, and the inevitable complexity of any such solution. Secondly, did anyone bother to ask whether users like sharing at all? Why would they opt for a complex sharing solution when they can use something like gold for savings.
I’m slightly more bullish on locally-run ecash mints where people fall back to long-built relationships and hard-earned reputation to prevent cheating. Basically, use the social layer to address a technical limitation.
I like your quote here: “can’t engineer a solution if we can’t think about the problems.” That’s a great way to think about it. As someone else once said, the most common mistake engineers often make is to “optimize for something that shouldn’t really exist”. I’ve seen it happen way too many times, being an engineer myself. Just because UTXO-sharing with large N is possible, doesn’t mean it is ideal or will actually have a market.
In the spirit of thinking deeply about the problem (and not the solutions), it would be wise to also visit assumptions such as there will be 10 billion people who want sovereign UTXOs and the responsibilities that come with it. I think that assumption is highly unrealistic. IMO the actual demand will remain well below 500 million people, realistically more in the range of 100-200 million people. Being your own bank, as it turns out, is quite a heavy burden.
So if you believe in these numbers, Bitcoin does not have a scaling problem. At the very least, it’s not urgent at all. The math might work out by just making current things as efficient as possible.
This is only a problem for maximalists.
We have several ways of scaling vertically (what you described) and horizontally (through other chains e.g. XMR,...)
We already go for Max node decentralisation in BTC, so other chains don't need to go to full extremes.
I think it's a great breakdown. And ultimately, the answer partially comes down to 1) trust+incentives and 2) grouping.
However, I would add one more important variable to your bitcoiner kinds analysis: the desire to have a UTXO, or the lack thereof.
Engineers/developers often start with the scaling problem assessment by saying, "okay assuming all 8 billion people want to use bitcoin non-custodially..." which might not be a valid assumption.
So to recap your list:
"There are three kinds of bitcoiners.
A. Those who can afford any fee.
B. Those who can afford a UTXO, but not often.
C. Those who can't afford a UTXO."
I would expand that by saying there are six kinds. There are each of those three categories, and then also a yes/no for each of them for whether they want a UTXO in the first place. (And in reality, a bit more nuanced than that, as there are certain contexts where they might want a UTXO or not, or levels of desire to have a UTXO.)
We don't yet know what percentage of people will want to have some sort of cryptographic control (and thus ultimate responsibility) over their money, either for personal reasons, or situational reasons, etc. For many people, a custodian with proof of reserves and external auditors and rule of law in a good jurisdiction, and someone to call for support if there's a problem, is what they want. And, maybe an ecash wallet run by a federation of power users they trust as their daily spender wallet if they (hopefully) value privacy.
Others are power users by choice, or they're in a more uncertain/hostile environment where they need to become a power user, and thus they want to acquire some or all control over their funds.
So I tend to look at the problem set in terms of optionality. Ideally there should be plenty of reasonably easy-to-use methods for people to gain more control and/or privacy over their funds.
The solution set is already quite large and growing, and every fee spike incentivizes and accelerates more scaling for those solutions. And even with more expressivity, there are still inherently limits on being able to enforce scaling layers back down to the UTXO for the smallest users of those layers, which means there will always be a use for the social layer, and the various trust/incentive/grouping economies of scale that come with that. Division of labor.
(Hi, Lyn, long time fan!)
I'd push back on this, a little. There are definitely cases where I won't have a UTXO, but all the cryptographic solutions I've seen to handle others' failure (malice or incompetence) devolve to me obtaining a UTXO.
In times (and places) of high trust people may forgo this security, but if you can afford it, why would you? "Verify, don't trust" is our entire motto at Blockstream, and while I am not my employer, it resonates.
In my mind, forgoing cryptographic protection for your Bitcoin, if enough people do it, is akin to detaching your issued currency from gold. Seemingly a minor technical detail which has no immediate effect, perhaps. Obviously nobody would be foolish enough to do that, though! 😬
Some layman’s thoughts here… could a system be created whereby users in group B or C could send their small trapped amounts to a single depository address, run by a charitable mining pool/org, with zero or close to zero transaction fee.
Miners in general wouldn’t pick up these low value transactions, but the mining org would know that they were for processing and would then mine those transactions and refund the amount to a Lightning address. So the original user can then use their otherwise trapped funds.
There would have to be some benevolence here from the mining pool/org, (as priority is given to low value transactions from the mempool) but it does mean consolidation of trapped UTXOs, and perhaps a small fee can be taken (so 95% is returned).
This could be seen as a “for the health of the network” and “improving adoption” initiative that bitcoiners as a collective could support.
Mints for group C sound great, but how does a sub-fee UTXO get to a mint in the first place? Only way I see is you earn your first sats from a mint, ie never have a UTXO. Am I missing something?
In that model, you never have full custody. Someone sends money into the mint and they hold it on your behalf.
The ability to transfer channels without an on-chain transaction is on the way.
When you can rent instant liquidity when needed, and return it when it's no longer needed, all without any on-chain transactions, a lot of the current problems with onboarding new users with non-custodial wallets will be solved.
Lightning is cool, but still very much beta software and not ready for mass consumption by people that use 0000 as their PIN.
For some people, right now, a custodial wallet where someone in support can help them when they forget their password is not a bad compromise.
Great topic. My talk at BTC Prague was in this vein ( The three groups are a good start, but we can push much further and look at income-level categories around the world, prioritize use cases based on impact, estimate efficiencies tech improvements will bring, etc, and then construct possible futures from that. My talk was not about finding final answers, that would require a much more comprehensive effort (which I'd love to see), but about digging layers deeper than the conversations I've seen happen. More of this please.
Getting me thinking! 🤔 TY
