The Burst Dymaxion · The Burst Dymaxion — 2/23 Figure 1. Cap Gemini/BNP Paribas: Number of Worldwide Non-Cash Transactions 2010-2020 (est.) Despite their technical elegance and

CryptoGuru PoC SIG 2017-12-27Public Domain v100

The Burst DymaxionAn Arbitrary Scalable Energy Efficient and Anonymous Transaction Network Based on Colored Tangles

Seaacuten Gauld1 Franz von Ancoina Robert Stadler2

AbstractWe describe the concept and implementation of a proposed layer to the Burstcoin cryptocurrency called ldquoThe BurstDymaxionrdquo This layer implements an arbitrary scalable energy efficient and anonymous transaction network basedon colored tangles Tangles are DAGs that can be seen as generalization of the blockchain Coloring is a simpletagging technique used in cryptocurrencies to allow for coexistence of various instances of a class in a common datacontext The Burstcoin network has several unique properties that make it our premier choice for implementationits Proof-of-Capacity (PoC) consensus algorithm is energy efficient fair and anti-centralistic the blockchain is verycompact and implements data scrubbing to reduce blockchain bloat and it has smart contracts The coin has over 3years of heritage and a community to bootstrap with yet it is small enough to allow for significant improvementswithout a long and paralyzing scaling debate The original Burstcoin blockchain is used as underlying layer to openand close an arbitrary number of general purpose transaction channels similar to the Lightning Network proposalof Bitcoin but using IOTA-like tangles for propagation and verification Each of these channels is not limited interms of capacity and number of transactions This concept takes the best traits of the original Burstcoin IOTAMonero ZCash and the newest Bitcoin proposals to create a currency suitable for truly global use It allows egbanks clearing houses remittance processors and virtually all other market participants to use quasi-private yetdecentral and trustless transaction channels with desired properties

KeywordsBurstcoin ndash DAG ndash Dymaxion ndash Lightning-Network ndash PoC ndash Ring-Signature ndash Scaling ndash Tangle ndash zk-SNARK

1PoC Consortium - a CryptoGuru SIG2Stronzo Bestiale Institute of TechnologyCorresponding author dymaxioncryptoguruorg

Contents

Introduction 1

1 Building Blocks 3

11 Burstcoin Blockchain 312 Smart Contracts 313 DAGs and The Tangle 414 zk-SNARK vs Ring Signature 415 Blockchain Binding with ACCTs 516 Lightning Network 617 Coloring 6

2 Putting it All Together 7

21 Dymaxion Tangle vs IOTA Tangle 722 Blockchain-Dymaxion Interaction 723 Using Nodes P2P for ad-hoc DLs 824 Dymaxion Anonymity 9

3 Implementation Details 10

31 Opening a DL 1032 A Transaction within a DL 1133 Closing a DL 12

34 Blockchain Enforcing 12

4 Security Considerations 12

41 Collusive Nodes Attack 1242 Spamming and DoS Scenarios 13

5 Results and Discussion 13

51 Prototype Performance 1352 Adoption Process 15

Acknowledgments 15

A SpaceMint Paper Errata 16B The BurstQora ACCT Process 17C Burstcoin CIPs 17

References 23

IntroductionCryptographic currencies or cryptocurrencies for short havebeen around for about 8 years now After an existence on thefringes they are being perceived increasingly as disruptivetechnology that may change the way how we will see and usemoney in the future

The Burst Dymaxion mdash 223

Figure 1 Cap GeminiBNP Paribas Number of Worldwide Non-Cash Transactions 2010-2020 (est)

Despite their technical elegance and possibilities cryptocur-rencies lack mass adoption because of two critical factors us-ability and scalability While usability can be addressed withsufficient engineering and development effort scalability isoften a theoretical problem of its own

The inherent features of a good cryptocurrency - decentral-ization and trustless design - often go contrary to traditionalmethods of upscaling centralistic processes While Bitcoinrsquospioneer achievement the blockchain solved the problem of adecentralized trust its inventor certainly left much headroomfor scaling that concept for a truly global use

In fact speaking of ldquotruly global userdquo letrsquos fathom the scaleof this concept Assume you would like to support one hundredmillion people world-wide to be able to use a cryptocurrencylike Bitcoin with an average of just 1 transactions per day (about

15 of the global non-cash transaction volume - see also figure1) You would need a 400MiB blocksize to meet that demandThis would imply a blockchain growth of over 56GiB per day

Aside from the feasibility considerations it is questionableif a transaction for the acquisition of a sack of rice made inChina 2017 should be kept for all eternity on the blockchain andthus in memory or on mass storage of all participating nodesworld-wide

A concept to overcome many of the restrictions a typicalblockchain imposes on scalability was presented in the IOTAwhite paper[1] In this novel system transactions are not broad-cast over a network of participating nodes some of which(miners) try to put them into a block Instead network nodescan validate transactions and by this validation work actuallyearn the right to perform transactions themselves The nodes

have unified roles and form a kind of systolic array[2] for dataprocessing The data being a transaction propagated along adirected acyclic graph

Due to itrsquos success and thus increasing usage Bitcoin startedto experience scalability issues now commonly hitting its the-oretical txs limit A long scaling debate about pushing thislimit and removing other protocol constraints continues to thepresent day One of the suggested extensions to the Bitcoinprotocol is called the Lightning Network (LN)1 It is basicallya network of two-party ledger entries for participants who havesubscribed to a bidirectional payment channel While a LNsolves many of the problems associated with high transactionvolume micropayments and their cost it is not a silver bulletEg it does quite little to increase the limits on the number ofconcurrent users[3]

Dymaxion is a term that Richard Buckminster Fuller as-sociated with much of his work It is a portmanteau of thewords dynamic maximum and tension and sums up the goalof his study maximum gain of advantage from minimal energyinput

We use this term for the Burst Dymaxion to honor theachievements and influence of this true generalist and also be-cause the geodesic dome - a structure Fuller helped to popular-ize - has very similar properties to what is proposed in this paperfor transaction propagation Elements of the dome - while eachlimited in resilience - distribute mechanical stress throughoutthe whole structure making geodesic domes able to withstandvery heavy loads for their size In our proposal the Dymaxionis a set of tangle-based lightning networks each single one usedfor propagating transactions Each single of these networksdistributes ldquotransactional stressrdquo among its whole network ofparticipating nodes allowing for arbitrary scalability The morenodes participate the higher the transactional capacity of eachof the currently active networks becomes As any number ofthese tangle-based LNs can co-exist at the same time we speakof Dymaxion layers (DL)

We therefore present nothing short of an energy-efficientcryptocurrency that is able to sustain the total global load ofnon-cash transactions

Below all of this is a small and very moderately growingenergy-efficient blockchain with Proof-of-Capacity consensusused for bookkeeping the opening and closing of the Dymaxionlayers above it See also central figure 7

1 Building Blocks

11 Burstcoin BlockchainBurstcoin is a digital cryptocurrency and payment system de-rived from the Nxt cryptocurrency As such it is based on theblockchain technology (Figure 2 shows the general concept ofa blockchain with the most essential terms explained) but isusing a special class of consensus algorithm called proof-of-capacity (PoC) This algorithm allows for the usage of storagespace instead of raw computational power as is being used in

1Ethereum has a very similar concept under the name Raiden Network

Proof-of-Work (PoW) systems and is responsible for makingBurstcoin energy efficient Efficiency - while similar to Proof-of-Stake (PoS) systems is still achieved by a low barrier toentry where you do not need to acquire a significant stake ofthe currency in order to be able to participate in the miningconsensus[4]

Figure 2 The main chain (black) consists of the longest seriesof blocks from the genesis block (green) to the current block(orange) Orphan blocks (purple) exist outside of the mainchain on so called forksdagger

12 Smart ContractsA blockchain can be seen as a distributed database that is en-suring consistency and validity by verification work done bya majority of participating nodes in this blockchains networkWhile cryptocurrencies such as Bitcoin speak of the blockchainas a public ledger others such as Ethereum put an emphasis onsmart contracts - and not only monetary transactions - to storein their blockchain

A smart contract is a procedural way usually done by a com-puter program to facilitate verify or enforce the negotiation

or performance of a contract Compared to their ldquoinanimaterdquopaper-based ancestors smart contracts also fulfill the role ofotherwise needed lawyers (verification) notaries (validation)and executors (enforcing) For this very reason smart contractsare seen as a disruptive technology to future digital economies

Burstcoin has been given a smart contract system in 2014The formalism used is called AT (Automated Transaction) andhas been proposed and implemented by CIYAM[5]

As turing-complete formalism ATs are both powerful (ex-pressiveness) and dangerous (verifiability) and have been usedonly sparsely as templates to facilitate simpler smart contracts(SCs) such as lotteries crowdfunding and an asset exchangeBecause of the expressiveness of the formalism other possibleapplications are basically limitless yet have to be designedwith great care to avoid situations such as the DAO debaclethat led to the hard fork and community split of Ethereum andEthereum Classic2

13 DAGs and The TangleA directed acyclic graph (DAG) is a restricted form of a finitedirected graph that has no directed cycles In short it is adata structure with interesting computational properties andwidespread use in computer science We assume the reader hasbasic understanding of graph theory and encourage to acquireit otherwise Figure 3 shows an example of a simple DAG

Figure 3 A simple directed acyclic graph consisting of 5vertices (a-e) and 8 edges connecting them The arrows standfor a direction and there are no loops - therefore acyclic

The IOTA white paper [1] describes a blockchain-less ap-proach of ensuring transactions in a cryptocurrency with theuse of a so called ldquoTanglerdquo which is in essence a DAG The

2httpswwwcoindeskcomethereum-classic-explained-blockchain

main proposition of this concept is its feasibility to provide agood infrastructure for microtransactions mainly targeted atthe IoT industry

Any microtransaction-capable infrastructure seeks to over-come the problem of paying a fee that is larger than the amountof value being transferred The smaller the value of a micro-transaction becomes the more applications open up to it (tip-ping machine-to-machine transactions microservices spamprotection etc) but the harder it gets to lower the transactioncost below the value being transferred Ideally the transactioncost would be zero but then again - what would the incentivefor a transaction processor be

IOTA answers this dilemma by unifying the roles of net-work participants There is no more discrimination between atransaction (tx) issuer and a tx verifier - a node has both theseroles The cost for issuing a tx is to provide the verification toat least two other txs Doing this the network security is keptup by issuing transactions It is assumed that the nodes checkif the approved transactions are not conflicting If a node findsthat a transaction is in conflict with the tangle history the nodewill not approve the conflicting transaction If a node issuesa new transaction that approves conflicting transactions thenit risks that other nodes will not approve its new transactionwhich will fall into oblivion

While not discussing the implementation the IOTA whitepaper suggests there being a hidden PoW in the validationprocess

For a node to issue a valid transaction the nodemust solve a cryptographic puzzle similar to thosein the Bitcoin blockchain This is achieved byfinding a nonce such that the hash of that nonceconcatenated with some data from the approvedtransaction has a particular form

The ldquoincentive to participaterdquo for a node (assume a nodehas no need to perform transactions so why should it validateother transactions) is achieved by nodes keeping statistics ontheir peers eg how many new transactions are received froma neighbor If one particular node is ldquotoo lazyrdquo it will bedropped by its neighbors Therefore even if a node does notissue transactions and hence has no direct incentive to sharenew transactions that approve its own transaction it still hasincentive to participate

14 zk-SNARK vs Ring SignatureThe acronym zk-SNARK stands for ldquoZero-Knowledge Suc-cinct Non-Interactive Argument of Knowledgerdquo and refers to aproof construction where one can prove possession of certain in-formation eg a secret key without revealing that informationand without any interaction between the prover and verifier

A ring signature is a type of digital signature that can beperformed by any member of a group of users that each havekeys (to sign messages) Therefore a message signed with aring signature is endorsed by someone in a particular group ofpeople One of the security properties of a ring signature is that

it should be computationally infeasible to determine which ofthe group membersrsquo keys was used to produce the signature

Both concepts are central elements of cryptocurrencies witha high focus on anonymity namely ZCash[6] (zk-SNARKs)and Monero[7] (ring signatures)

Figure 4 Rivest Shamir Tauman ring signature scheme

Ring signatures as referenced by figure 4 are a pretty plainand straightforward way of a multi-sig application Given nentities each with pubpriv keys (P1S1)(P2S2) (PnSn)Party i can compute a ring signature σ on a message m oninput (mSiP1Pn) Anyone can check the validity of a ringsignature given σ m and the public keys involved P1Pn If aring signature is properly computed it should pass the check

Compared to this zk-SNARKs seem outright ldquomagicalrdquo atfirst glance You can verify the correctness of computationswithout having to execute them and you will not even learnwhat was executed ndash just that it was done correctly In real-ity zk-SNARKs can be dissected into four relatively simpleingredients

1 represent as a polynomial problem2 random sample for succinct check3 homomorphic encoding encryption4 zero knowledge by checking structure

We will not explain these in full here but encourage thereader to visit good introductions and explaining blogs for zk-SNARKs[8] [9]

We will not discuss the concrete implementation of bothconcepts here as there are already off-the-shelf implementa-tions on github3 4

3httpsgithubcomapuljainLinkable-Ring-Signature

4httpsgithubcomscipr-lablibsnark

Both ring signatures as well as zk-SNARKs do have theiradvantages and drawbacks in anonymizing transactions whichleaves either of these functionalies as optional feature in thesetup parameter space for created tangles

15 Blockchain Binding with ACCTsAtomic Cross-Chain Trading (ACCT) is a mechanism wheretwo (or more) parties own coins in separate cryptocurrenciesand want to exchange them without having to trust a third partyThe term ldquoatomicrdquo here means indivisible and refers to the factthat sending coins on one chain and sending other coins on theother chain cannot be performed independent of each other

If these transactions could be performed independent ofeach other then while one party could fulfil their side of thebargain and send some coins on one chain the other partywould have the option of going back on his end of the bargainand simply not following through with the protocol ending upwith both coins

A decentral exchange where two parties A and B want toexchange tokens can be based on the following process5

1 A generates some random data (called the secret) x

2 A generates T x1 (the payment) containing an output withthe chain-trade smart contract in it It allows coin releaseeither by signing with the two keys (Ak and Bk) or with(secret x Bk) This transaction is not broadcast Thechain release script contains hashes not the actual secretsthemselves

3 A generates T x2 (the contract) which spends T x1 andhas an output going back to Ak It has a lock time in thefuture and the input has a sequence number of zero so itcan be replaced A signs T x2 and sends it to B who alsosigns it and sends it back

4 A broadcasts T x1 and T x2 B can now see the coins butcannot spend them because it does not have an outputgoing to him and the tx is not finalized anyway

5 B performs the same scheme in reverse on the alternativechain The lock time for B should be much larger than thelock time for A Both sides of the trade are now pendingbut incomplete

6 Since A knows the secret A can claim his coins imme-diately However A in the process of claiming his coinreveals the secret x to B who then uses it to finish theother side of the trade with (x Bk)

ACCTs have the disadvantage that both chains need toimplement the ACCT (of course in addition to being capable toprovide smart contracts) in order for this to work

If Burst was to provide some ACCT with - say - Bitcointhe ACCT handling would have to be implemented not only on

5see Appendix B for a visualization

Figure 5 BurstQora ACCT prototype

the Burstcoin side but also in Bitcoin client(s) While not en-tirely impossible it is unlikely to get arbitrary cryptocurrenciesdevelopment teams to provide that kind of interoperability Ifon the other hand the implementation of ACCTs happened ina situation where the same development team exercises controlover both ldquochainsrdquo in question then this approach certainlyseems viable

Burst already does have a prototype ACCT implementation6

with the cryptocurrency Qora - see figure 5

16 Lightning NetworkThe term ldquoLightning Networkrdquo became widely known in 2016from a publication by Poon and Dryja[10] in the context of theBitcoin scaling debate In essence it is an off-chain protocolrunning on a P2P network of nodes for making micropaymentsof digital currencies Said nodes form a scale-free networkof bidirectional payment channels without delegating custodyof funds or trust to third parties Yet these payment channelsare bound by smart contracts to the underlying blockchain toensure enforcability in case of uncooperative participants

At the basis of this mechanism are so called Hash Time-Locked Contracts (HTLC) implemented as smart contracts onthe blockchain When opening a payment channel participantsmust commit an amount in a transaction which is registered onthe blockchain This can be seen a collateral and guaranteesenforcability of transactions (so-called commitments) done off-chain in the payment channel Given their similarity ACCTsare probably the origin of the technique now called HTLCs

As introduced for Bitcoin this system is conceptually notan independent overlay network it is more a deferral of state onthe standard blockchain as the enforcement is still occurringon the blockchain itself (albeit deferred to future dates andtransactions)

Because the payment channels are bi-directional betweentwo parties only forming a network where n parties can par-ticipate in transactions between each other depends on findingldquopathsrdquo between two parties that can go through intermediaries

6based on httpciyamorgatat_atomichtml

In a way the formation of a lightning network relies on transi-tive properties of separate P2P communications

The problem with this approach is similar to the problemof premonetary trade Achieving transitive pathways for m outof n network participants becomes increasingly difficult if nis not much larger than m The old explanation why moneywas invented in the first place holds true for a LN itself If Ahad twenty hens and wanted to exchange them for one pig heeither had to find someone willing to do exactly that trade ortwo other people - say B and C - where C might have had apig wanting two goats and finally B wanting twenty hens andhaving two goats The categories in that example translate toincompatible monetary volume and time in a LN

It is possible that operation of a LN is well feasible withthe help of powerful intermediariesfacilitators who commandlarge financial resources In this case however we can expectthe LN to exhibit a decentral and not a distributed topology -compare figures 6 and 8

17 ColoringIn an abstract sense coloring is a simple tagging techniqueused to allow distinction thus coexistence of various instancesof a class in a common data context

In cryptocurrencies colored coins is a concept that allowsattaching metadata to transactions and by this leveraging thecoins infrastructure for issuing and trading immutable digitalassets that can represent real world value

Colored coins[11] are a method to track the origin of Burstcoins so that a certain set of coins can be set aside and con-served allowing a party to acknowledge them in various waysSuch coins can be used to represent arbitrary digital tokenssuch as stocks bonds smart property and can even representreal-world objects

When a coin is colored it can be traded on the Burstnetwork just like any other coin in the system This allowsBURST to be exchanged for whatever object the colored coinrepresents This concept forms the basis for the Burst AssetExchange

Figure 6 Decentral (left) vs distributed topology

Since 2014 it has been suggested that various colouredcoin protocols could be of interest to banks and major finan-cial institutions7 because of its inherent applicability to theirrequirements to use self-issued quasi-private yet decentral andtrustless transaction channels with desired properties

Since then various implementations like CoinSpark8 andMultiChain9 have evolved from the original concept by Rosen-feld

While our proposed combination of Colored Coins andtangle-based Lightning Network (which we call colored tan-gles) is a brand new concept prototype implementations forthe Bitcoin LN do already exist10

2 Putting it All Together

As we have seen all building blocks for our proposal are alreadyin place not only as theoretical concepts but well developedand even tested in real-world application use These are solvedproblems

The realization of the Burst Dymaxion therefore seemsmore like an engineering rather than a research task but themajor contribution of this paper is the seamless integrationof said components into a new framework with significantsynergistic gains

7httpsisgdvz3oiN8httpcoinsparkorgdevelopers9httpswwwmultichaincom

10httpsisgd7RcPqf

21 Dymaxion Tangle vs IOTA TangleWhile DAGs have been used as part of graph theory for severaldecades now and are mathematically well understood todaytheir use in cryptocurrencies as generalization of the blockchainis a novelty

We are convinced of the advantages tangles bring to ques-tions of scalability and decentral design but not every aspectof the current iri (IOTA reference implementation) seems to bethe best possible design choice[12]

Our biggest concern is the cryptographic hash function usedin IOTA Curl The IOTA vulnerability report[13] has shownalready practical signature forgery attacks and while IOTA nolonger uses the Curl hash function to hash transactions as part ofthe IOTA signing process Curl is still used for other purposesin IOTA

Similarly disturbing seems the claim of one of the IOTAfounders to have placed that vulnerability into Curl on purposeto be able to shut down copycats Even leaving the ethicalaspect aside - publishing IOTA source under GPL3 licenseand allegedly placing a cryptographic vulnerability in its corehash function - experience shows that control over backdoorsand vulnerabilities seldom remains in the ldquoright handsrdquo Byextension this puts IOTA itself at risk

It seems more apropriate to use the iri only as design guid-ance in some aspects using standard libraries and standardhashing algorithms complemented by own peer-reviewed im-plementation

Moreover the biggest difference being the underlying Burstblockchain allowing Dymaxion tangles to be opened and closedagainst a point of reference as well as the existence of anarbitray number of logically separated (colored) Dymaxiontangles compared to just one IOTA tangle A future IOTA couldvery well live within the Dymaxion maybe even in its nativeform

22 Blockchain-Dymaxion InteractionFigure 7 is the top-level view on the presented concept TheBurst blockchain acts as a fundamental bookkeeping chainwhere opening and closing of the Dymaxion layer is recordedPayment processors banks exchanges etc may use ACCTs(ACTTs really) to open and close payment channels with de-sired properties (network size validation reqirements etc) andkeep them open for a certain period (TTL) - eg one day fordaytrading on Wallstreet

The tangles work asynchronously with no inherent clocksignal contrary to the 4-minute target time for block generationin the Burst blockchain Transaction latency in a Dymaxionlayer is effectively network latency plus validation latency

ttx = tnl + tvl (1)

with network latency effectively being the packet time betweentwo peers as sum of network-hop latencies often measuredin milliseconds and validation time being PoW PoC or PoSruntime on the node - measured in seconds

Figure 7 Dymaxion Top-Level view set of colored tangles over the Burst blockchain Each tangle representing an independentLightning Network for P2P transaction channels Block 92 is magnified to show inner structure containing transactions some ofwhich are opening and closing tangle LNs

With the average block time on the Burst blockchain beingsaid 240 seconds this can lead to a situation of potentiallyshort-lived tangles that can be opened and closed intra-blockie within one and the same block on the Burst blockchain (seegreen tangle) The application for this could be a voting wheresome hundred or a thousand globally distributed voters wouldhave to give their vote within a short period

Some tangles might live for a day or longer and bear thetransactional load of a financial institute or an exchange andonly at the end of the day or the respective period close andrecord that state in the blockchain

As mentioned in section 15 ACCT stands for Atomic CrossChain Transaction We will use a slightly modified ACTT -for Atomic Chain-Tangle Transaction from now on Of coursefigure 7 is a very simplified view if you consider that basi-cally every block pictured potentially could - without any Burstblockchain scaling CIP - have up to 255 incoming or outgoingACTTs We see only three ACTTs for block 92 one incomingACTT for blocks 90 and 95 and one outgoing for block 91and even this simplification already suggests a multiple of thetraditional blockchain-only transaction capacity

We will discuss the implementation details (opening clos-ing enforcing) in section 3

23 Using Nodes P2P for ad-hoc DLsEach cryptocurrency network consists of nodes and each ofthese nodes has contact to other nodes which from its perspec-

tive are called peers This infrastructure is already in placefor Burst and there is a communication protocol between thesenodes to ensure transactions are propagated blocks are down-loaded for new or outdated nodes (blockchain syncing) etc - seehttpsburstwikiorgwikiThe_Burst_API

Similar to the Lightning Network Daemon (lnd11) we im-plement a Burst Dymaxion Daemon (bdd) that can - but doesnrsquotneed to be - an integral part of the Burst wallet12

In any case the bdd would be active on nodes that doparticipate in specific colored tangle networks The decisionwhether to participate or not would be defined on dynamic nodecapabilities as defined in the respective CIP - see appendix C

One particular detail of the DL network infrastructure ac-quisition - node discovery - is presented in the next section (see31) A tangle-based network is made for a high degree of de-centralization and transaction performance but has a problemupon startup if there is not a network of sufficient size in place

The Burst Dymaxion solves this problem by effectivelyproviding the equivalent of a cloud service for nodes Figure 8shows the Burstcoin core network - running the PoC blockchainprotocol This base network has been running for over 3 yearsnow and will always form a source of nodes potentially avail-able upon DL initiation

11httpsgithubcomlightningnetworklnd12BRS - Burst Reference Software httpsgithubcom

PoC-Consortiumburstcoin

Figure 8 Burst cryptocurrency core network of nodes as of December 22nd Node discovery by recursive descent

24 Dymaxion AnonymityBoth ring signatures as well as zk-SNARKs are part of theDL implementation and upon opening a DL can be chosen- optionally - to conceal transactions that do happen withinthat specific DL This has consequences for the respective DLrecord (see section 33 as well as for monetary supply on theDL

For various reasons there are no plans to bring RS or zk-SNARK anonymity on-chain Due to the cutting edge nature ofZK-Snarks in our opinion there is not enough peer-review ofthe underlying cryptography to make it mandatory or part of thebase chain Participants of a DL who desire anonymity can limitthe value-at-stake by providing zero collateral An applicationscenario would be dissidents that had to carry only clearingcost for on-chain operations and use the DL for encryptedcommunication voting or similar

We believe a global payment system should be agnostic ofany moral legal monetary or social requirements as these aremost often not global in nature Thatrsquos why groups wanting touse the DL for anonymous value-transfer activities can do soEnabling the anonymity features of a DL is supposed to be theresult of a cost-benefit consideration

One such potential cost to anonymous DL mode of opera-tion comes from the fact that

In Zcash where there is no ldquocertain scarcityrdquo andif god forbid Zcash had a bug that allowed for peo-ple to generate more Zcash coins than the intendedmoney supply then it is possible that nobody could

tell If it were a severe bug potentially somebodycould inflate the money supply by hundreds of mil-lions of dollars making a profit while lowering theprice of Zcash for speculators There are severalexamples of major cryptocurrency bugs that haveled to a massive misallocation of the quantity ofcryptocurrency that should have been in circula-tion13

Contrary to this even in the worst case of a bug in theanonymity functions due to the TTL of a DL any possibledamage is contained and limited to the collaterals used whenforming the DL Even if a ldquoDL goes wrongrdquo this has no effecton other past present or future DLs and certainly not on thebase chain

While zk-SNARKs and the Pinocchio protocol[14] do allowfor concealment of even the value being transferred said prob-lem with an uncontrolled supply of tokens may not be worththe risk

Ring Signatures provide a very nice alternative for com-plementary scenarios with anonymity requirements There isno risk of uncontrolled supply and in case the DL has a largernumber of members RS can guarantee a sufficient level ofanonymity with good transaction performance levels

While anonymity on-tangle can be covered for a large pa-rameter space of requirements on-chain anonymity is some-what weak by itself Many addresses are re-used and even

13httpzcoiniozcoin-and-zcash

named Their connection to on-tangle transactions (via collater-als) can prevent any anonymization effort on-tangle

Fortunately there are two mechanisms to improve on-chainanonymity The somewhat crude approach is a mixing ser-vice that theoretically can provide sufficient concealment ofsource and target payment streams but from a cryptographicpoint of view it is more an obfuscation functionality than realanonymization

The other mechanism for on-chain anonymity is a little-known feature of CIYAM AT anonymous ACCTs

One might think that anonymous ACCTs are not possiblebecause the AT itself has no secrets but with slight changes tothe process it can be altered to allow just that

Normally an ACCT would involve putting the same hashinto two ATs (each residing on a different blockchain or in ourcase chain and tangle) and then sending the secret to unlockboth in order to make the transaction take place - see appendixB

It turns out there is no need for the secret to be ldquoidenticalrdquo- so the on-chain AT would store the hash

e47823401ae24e6885de22e1c427c9dfe477ce5e1095f3c2bf4dcbc35f2c7ee0

while the AT on-tangle could store

0d5a2b016e90b3db4d42d5a4c420f75bb131bb4465bdfebb8037daadf0174a54

Both hashes seem completely unrelated and to some ob-server they are yet the ATs do have the knowledge that oneis a SHA256 of ldquoBurst123rdquo while the other is the SHA256of ldquoTangle123rdquo (this is of course a trivial example of how todo this - the in-production version does use a more elaboratedcallenge-response process than just using fixed strings withsome concatenated id)

Assuming we will have numerous ATs operating across nu-merous blockchain-tangle DLs all doing transfers at around thesame time it is pretty clear that any observer aiming for ldquototalawarenessrdquo would have to record the total global sum of trans-actions the Dymaxion is performing It seems highly unlikelyfor this to succeed when observing a ldquoglobally decentralizedtransaction machinerdquo

3 Implementation DetailsThe life cycle of a Dymaxion Layer consists of the followingsteps

1 Initiation

(a) Initiator set up(b) Creating the DL (Node Discovery AT)(c) Subscribe Phase

2 Operation

3 Closing

(a) Node DL shutdown broadcast(b) Clearing

31 Opening a DLOpening a Dymaxion Layer (DL) is the main operation fora tangle to spring into existence While more complex theoperation is conceptually very similar to an ACCT creating anasset or the BTC Lightning Network initiation process

DL InitiationA Tangle Initiator creates an on-chain ACTT (which is effec-tively a HTLC) with several tangle parameters including butnot limited to

Consensus Type PoC PoW and PoS will be supported PoCis the preferred way for full nodes with attached storage(ldquoPlotsrdquo) PoW and PoS available for various applica-tion scenarios where small tangle nodes (IoT) possiblycannot perform PoC or some even PoW

Time-To-Live (TTL) Global Time-Lock for the tangle Apoint in the future where the tangle will fold Maxi-mum TTL could be decades but we propose in a firstrelease a max TTL of 217 blocks on the Burst blockchain(ca 1 year) Must be bigger than the Subscribe-Time

Subscribe-Time Deadline for subscribers to sign their collat-erals on-tangle Maximum 360 blocks (ca 24h)

Collateral Collateral in BURST by the tangle initiator Thiscollateral is used as backing for whatever Units (see be-low) the initiator issues The collateral can be as low as0 but then any currency asset bonds futures sharesor whatever the issued Units represent must be backedby other means (promises - similar to current Burst As-set exchange) and might not have as much trust as acollateral-backed issuance The collateral is blocked andunspendable for the issuer until the tangle folds Techni-cally the collateral is defined by the BURST address anditrsquos UTXo which the initiator names and signs

Features A DL can be created with more parameters defin-ing its behavior The most significant probably beinganonymous transactions and their type where the partici-pants (initiator and subscribers) can perform transactionsusing ring signatures or zk-SNARKs (see 14) In thiscase records of the tangle transactions (see 33) can bekept but do not contain any information to make theparticipants of the tangle identifiable

Units Number and types of units issued can be applied egfor different types of stocks like common preferred foran IPO issuance Other than that each type of Unit canbe a 64bit number of Quants

Subscribers Optional list of addresses who are subscribers tothe tangle - the participants This is a pull operation thatcan happen without interaction of the subscriber himselfIt has no effect on the availability of the funds on theseparticular addresses All are spendable or can receivemore BURST Until the subscriber himself does not sign

his participation on-tangle the particular address is stilldetached from the tangle If this parameter is given wespeak of a private DL else it is a public DL - open toeverybody in which case tx fees for clearing of balancesupon folding are paid by the subscribers themself

Cost Creating a tangle implies a minimum transaction feewhich is independent of the collateral It consists of afixed and a variable part The fixed part being a constantfee going to the miners in the block where the tangleopening was recorded The variable part depends on thenumber of subscribers - see equation 2 - and is locked toa time until the tangle folds This fee is intended to coverthe tx cost for clearing operations for the participants

Fvar = Nsubscribers lowastFordinaryminuspayment (2)

Although the on-chain accounts are protected from anyform of hijacking - simply being referenced by the tangle initia-tor has no effect - an initiator has also no motivation to referencean arbitrary number of on-chain accounts as this will raise thetangle opening fee Unspent tx fee (reserved for a subscriberwho never signed on-tangle) is forfeited for the tangle initiatorand goes to the miners of the Burst blockchain block where thefolding of the tangle is recorded

The tangle initiator is technically just the first subscriber tothe tangle therefore his collateral is defined the same way asfor all subsequent subscribers by providing a signature for therespective Burst address with X funds at the time of signing

By successfully recording the tangle to the Burst blockchainit will get a unique ID - its ldquocolorrdquo - and by definition all unitson this colored tangle are limited to this context As of nowthere is no inter-tangle transaction possible all value transferdesired to happen between two different colored tangles has togo over the Burst blockchain as intermediary

Node discoveryFigure 9 shows the step immediately following the DL initia-tion node discovery In this step a DL initiation requirement isbroadcast to the peers of the node that got the tangle initiationrequirement (not necessarily the node of the tangle initiator)

The peers record this requirement broadcast it to theirpeers and check the DL parameters against their own capabilityconfiguration (see C) and in case the nodersquos configuration doesallow for handling the requested DL the node becomes part ofthe DL network

In section 51 we discuss the latency and throughput bench-marks for tangle initiation under various connectivity scenariosand geographic situation

DL SubscriptionWithin the Subscribe Time as defined by the tangle initiatoreach subscriber must sign his address on-tangle to becomeparticipant of the newly formed DL If a list of subscribers hasbeen given the subscriber must be part of that list (private DL)and the respective tangle can be seen as an invite-only If nosuch list has been given the DL is open to everyone with anaddress on the Burst blockchain

Figure 9 Parallel node discovery for 3 colored tangles (DLnetwork infrastructure acquisition) Peer lookup check againstnode capabilities

While there are defined maximum values for TTL and sub-scribe time there is no minimum time given except the con-straint

tttl gt tst (3)

must be met This allows for short lived dymaxion layers thatcan be opened and closed within one block and its approx 240seconds life time Naturally these kind of short-lived DLs areprobably more suited for machine2machine IoT transactionsinstead

32 A Transaction within a DLFor consistency reasons to describe a transaction process on theDL we would like to use parts of the IOTA terminology sitesare transactions represented on the tangle graph The networkis composed of nodes which issue and validate transactions

As in IOTA the main idea of the tangle is the following toissue a transaction nodes must work to approve other transac-tions Therefore nodes that issue a transaction are contributingto the networkrsquos security

So the price for a transaction on-tangle is not named in feesbut in validation work done for other transactions IOTA usessome kind of ldquolow-effort PoWrdquo to validate a transaction Thisdesign choice makes sense if you target IoT devices and lotsof them The problem is it works only with sufficient securityif such a large scale tangle network is already in place

The Burst Dymaxion implementation will support all threetypes of consensus algorithms but we will start off with justPoC until the network has reached sufficient size and moreexperience from network operation is gained

The on-tangle PoC validation will be quite similar to BURSTmining and also using regular PoC2 plot files although the re-

quirements for the plot size of a node will be much lower - inthe order of 1-5 GB plot size The node will validate transac-tions also by finding deadlines to the tx hash of the transactionto validate

In case it canrsquot find a deadline below a certain threshold thevalidation has failed and the node canrsquot validate that particulartransaction

If a node manages to validate two transactions this way itcan use its solution to send a transaction itself and the cyclerepeats (with another set of on-tangle nodes)

Because this type of validation is verifiable (nodes canverify the PoC validation solution found by other nodes) thereis no need for a central entity to issue any specific transactionsas this is currently the case with the IOTA coordinator

Moreover there is no gain for nodes to amass more PoCspace for validation as it will not give them more ldquovalidationpowerrdquo The PoC validation is a minimum-threshold satisfi-ability problem which is either met or not Should a minerwith several hundred TB of PoC2 plots decide to use these foron-tangle tx validation (which we assume will be more the rulethan the exception) it will not give him any more power than aregular 1-5 GB node has as the tx validation PoC2 search is a1st fit

33 Closing a DLWhen a Dymaxion layer is closed we speak of the tanglefolding This is because upon initiation of closing the layerclearing of all participantsrsquo (initiator and subscribers) balanceshappens and after the final balances are in the Burst blockchainas ordinary payment transactions with the respective fee fromthe tangle setup cost - the whole structure of the tangle isscrapped As of now there are two possible conditions when atangle will fold

bull the tangle TTL has expired

bull there are no subscribers (except initiator) to the tangleafter the subscribe-time

The first condition is defined by the tangle intiator whencreating the dymaxion layer whereas the second condition is de-fined by the subscribers who either do not show up (subscribe)on the tangle at all or who unsubscribe

Unsubscribing from a tangle does not free up the sub-scribers funds on-chain or on-tangle These still remain lockeduntil the tangle folds

Tangle recordsIf a tangle participant chooses to keep the records he is free todo so but these are of no relevance to the funds that are nowon the Burst blockchain

Some participants most often the initiator if itrsquos a financialinstitution are required by law to keep these records and theycan do so but these records have no impact on blockchain size

On the other hand the Burst blockchain can serve as war-rant of validity of these privately kept records as the tangleentry and exit points are stored The final tangle state is being

recorded with its hash value so forging the records althoughthey may have been archived by a single entity only is consid-ered impossible This attribute of immutability is an importantlegal requirement in archiving financial documentation

Even if all tangle participants choose or are required to keepthe tangle records (similar to bank statements) the storage isin their responsibility and thus only of their local interest Theblockchain is free to just record openings and closings of thetangles working above it and sustaining the high-volume trans-actional load Tangle storage is left completely to the privatedomain only to those who have interest keeping the records yetthese recordsrsquo immutability is ensured by the decentral Burstblockchain

34 Blockchain EnforcingSecurity of off-chain transactions is enforced by blockchainsmart-contracts without creating an on-blockchain transactionfor individual payments

The blockchain serves the function of an arbiter so it ispossible to conduct transactions off-blockchain without limita-tions Transactions can be made off-chain with confidence ofon-blockchain enforceability and deterministic results

Enforcing the transfer of collaterals after folding of the tan-gle does not require cooperation from any counterparty Clear-ing operations are solely on the ACTT running both on-chainas well as on-tangle

While subscribed parties can choose to not participate inany on-tangle transactions their on-chain collaterals remainfrozen until the tangle is folded

4 Security Considerations

41 Collusive Nodes AttackIn a tangle network a possible attack scenario is a set of collu-sive nodes causing either double spends ot modifying transac-tions along the graph while validating them for each other andcausing a so called parasite chain - see [1] pg 20

The IOTA paper introduces a family of Markov ChainMonte Carlo (MCMC) algorithms to counter the problems ofbad tip selection from collusive attackers

The Dymaxion implementation uses instead a ByzantineConsensus Algorithm From a mathematical model point ofview attackers in the network can be considered ldquofaultsrdquo ina distributed computing protocol Byzantine fault tolerance(BFT) is achieved if the non-malicious nodes have a majorityagreement on their strategy like handling or default values formissing or corrupted messages

We use the BFT-SMaRt14 - a Byzantine fault-tolerant statemachine replication library to build dependable protocols Givenf as the number of faulty nodes the total number of nodesneeds to be 3 f minus 1 for a correct operation of the transactionpropagation on the tangle (2 f minus1 honest nodes)

This puts an upper boundary for the maximum tolerableportion of malevolent nodes at almost 33 If there are more

14httpsbft-smartgithubiolibrary

than 13rd malevolent nodes trustable transaction validationon-tangle is not possible without further security precautions

While we believe that an attack with such a high numberof colluding nodes is infeasible for large global networks thistheoretical limit also exists for the IOTA network as a wholeno matter the tip selection algorithm used

Contrary to this a Dymaxion layer has additional securitymeasures in place As described in section 31 the node discov-ery run picks potentially from the total set of nodes in the Burstnetwork a subset suitable and available for the initiated coloredtangle Given N as the total number of nodes in the Burstcoinnetwork and T as the number of available and suitable nodesfor the Dymaxion layer tangle where T sub N (T is proper sub-set of N) collusive nodes would have to take up to 33 of thewhole Burst network N and not only a subset T

We also would like to point out that all members of setN are constantly vetted as part of the Burst network and oncemisbehaving are blacklisted by other nodes in the networkwhich effectively bars them from being chosen into set T

Even if a tangle initiator would work in collusion with sucha network the tangle initiation parameters cannot be set in away that would favor the preferred choice of malicious nodesand by this lure the tangle subscribers into a trap to steal theircollaterals

42 Spamming and DoS ScenariosTransactions on-tangle are free from fees If they were trulyzero-cost transactions there would be nothing at stake for someattacker who would like to issue a huge amount of transactionsfor some own benefit (spamming) or to simply congest thenetwork and hinder other transactions to be validated (DoS) Inthe worst case the attacker could amass a processing power thatwould allow him to execute a whole class of majority attackswith dire consequences to the network as such

IOTA currently counters this problem by the use of a so-called Coordinator - a specific node run by the IOTA foundationto make specific transactions called Milestones - to stabilize thenetwork until it has reached a size that would make majorityattacks infeasible

The Burst Dymaxion design starts at a much better initialsituation Instead of a centralized entity to rely on the under-lying Burst network and the blockchain form already pointsof reference upon entry and exit of a tangle Moreover nodespropagating on-tangle transactions are required to perform aPoC for tx validation

PoS and PoW consensus algorithms for on-tangle transac-tions will be added as DLs will run on devices not capable toperform a PoC consensus (or are defined for a low resourcerequirement operation see C) but the initial mode of operationwill allow for the network to grow in a decentralized mannerwithout any entity to exercise central control over any aspect ofit

As mentioned in section 41 nodes in the Burst networkare vetted and blacklisted when misbehaving (eg spamming)already This is actually a functionality that has been added and

battle-tested in the wake of the spamming attacks that occuredin July 2017

5 Results and Discussion51 Prototype PerformanceWe performed various benchmarks with prototypes for DLinitiation consisting of node discovery latency timings inter-node communication throughput and various cost metrics

The benchmarks are done with a scripted prototype and arepreliminary As such they can be expected to improve but asyou can clearly see from the numbers perfomance is good evenin the worst case scenario with many adverse effects cominginto play

Latency

Figure 10 Node discovery at reference point(walletburstcryptoguruorg)

Figure 10 shows node discovery latency from our pointof reference the PoCC online wallet hosted as some germanISP and representing currently the best case scenario for theprototype As you can see the maximum response time froma peer answering (a potential tangle node) is below 08s withthe majority of peers having answered within 01s This can beconsidered the best case scenario where a broadcasting nodewith a good connectivity is also in a region of dense Burst nodespresence

For comparison figure 10 shows discovery latencies froma node with regular internet connectivity (cable) for a homenetwork situated near a region with good Burst nodes coveragebut no nodes in the own country yet This can be consideredthe standard situation in areas where the Burst network starts toproliferate The PoCC network observer gives a good overviewof areas with dense Burst nodes presence and their neighboringregions

Even in this case almost half of the answering peers remainunder 01s with the slowest peer answering with a latency of

Figure 11 Node discovery from a Burst node situated inPrague - home network

around 800ms Even for the very specific case of a flash tan-gle to be formed and folded within one Burst block (ca 240seconds) this would leave over

nv = (240minus timinus t f )tavg (4)

validation steps within the tangle for transactions ti being thetangle initation time t f the tangle folding time tavg being themedian response time per node 0085228s in the ldquoPraguerdquo caseDepending on the width of the tangle w = nn2 this allows forat least

nv lowastw (5)

on-tangle transactions until folding the tangle potentially in thesame block (2380085228)lowast10 = 27925 transactions in thiscase

So even some pathologically small tangle consisting of only20 nodes could perform intra-block almost 28k transactions ina 240s time window (over 10 million tx per day) This is thegreen tangle depicted in figure 7

While this number isnrsquot even the best possible case letrsquoslook at some worst case scenarios Tangle initiation foldingand operation from a region far away from dense Burst nodespresence Once Burst nodes proliferate to form a truly globaland omnipresent network such a situation may not even existbut it is always good to have a limnrarrinfinxn estimate

Figure 12 shows the situation for a node far away fromother Burst nodes We can see a maximum of 1094ms latencywith the median being at 582ms In this case our formulas 4and 5 resolve to roughly (2370582)lowast10 = 4072 transactionsduring a regular Burst block time (146 million tx per day)15

The most exiled node the PoCC could benchmark is situ-ated in Sydney Australia Measured latencies from this node

15theoretically 237812 seconds but we are rounding to account for furtherprocessing delays

Figure 12 Node discovery from a Burst node situated inTokyo - ISP network

Figure 13 Node discovery from a Burst node situated inSydney - ISP network

with a tangle formed in Europe are shown in figure 13 Themaximum latency is 1147ms the median is 631ms which re-sults to (2370631)lowast10 = 3756 transactions during a singleBurst block time (135 million tx per day)

ThroughputBesides latency we measured throughput for the peer initiatedto form a DL Table 1 shows the results for the prototype im-plementation The results are representative but measuringthroughput for long-distance node-node communication is nat-urally highly volatile as time of day global network load orregional ISP activity can have an influence

ldquoOne-offrdquo measurements handle one tx validation (connectvalidate) then exit so we can rule out any network cachingeffects although we can assume for a long-running tanglebetter network throughput performance as peer connectionswill be in router caches

The high performance between ldquoSydneyrdquo and ldquoTokyordquo nodesis probably due to the fact that these - while geographically

min max Germany Prague Tokyo Sydney

Germany ndash 2230 9870 6860Prague 1170 ndash 382 324Tokyo 8180 326 ndash 15200

Sydney 5240 263 15000 ndash

Table 1 one-off node-node connection throughput in Mbits

distributed - are operated by the same ISP and evidently have adedicated connectivity

The poor connectivity between the ldquoPraguerdquo node and thetwo ldquoSydneyrdquo and ldquoTokyordquo nodes suggests that it is probablynot a good idea to initiate a tangle from your home network Infact we assume tangle initiation will be done by large corpo-rations or institutions with dedicated hardware and excellentconnectivity

Still letrsquos examine what throughput-limited performancewe could expect if a tangle was to be formed between geograph-ically distributed nodes such as in this case The payload for anordinary non-anonymous transaction is roughly 200byte Ananonymous ring signature takes up to 3 kB while zk-SNARKtx is roughly 2kB

Even in our worst-case scenario (Prague-Sydney) we cansee that throughput is not a limiting factor Theoretically evena 263 Mbits throughput (33664 kBs) could allow for

bull 1683 txs ordinary payments

bull 168 txs RS-anonymous transactions

bull 112 txs zk-SNARK-anonymous transactions

However compared to the latency-limited 3756 tx per Burstblock time - giving us ldquoonlyrdquo 15 txs for a pathologically smalland excessively relocated tangle throughput limits are not theissue

52 Adoption ProcessBurst has been around since 2014 yet it is still small enough toallow for significant improvements without a long and paralyz-ing scaling debate It is natural if cryptocurrencies with largemarket capitalization have to be very conservative with theirchanges to the code base given the amounts at stake

While Burst is more flexible in this aspect as a cryptocur-rency there are certain principles development must adhere toChanges to the code base must have the approval of the major-ity of users which in this case are walletnode operators (notminers) Blindly forking the coin can result in community splitand is undesireable in general

Establishing The Burst Dymaxion will be an incrementalprocess consisting of the implementation of several Burst CIPs(see section C - partially C) Each of these steps will carefullyadhere to a well defined and transparent process with evidentbenefits resulting from its adoption

Because the Burst Dymaxion is a layer on top of the Burstblockchain virtually all essential components of Burst will re-main unchanged and if there is a change backward-compatibility

is always considered the premier option (eg PoC2 CIP in sec-tion C)

If more rigorous changes are required with significant conse-quences (hard-forking re-plotting) the cost-benefit evaluationmust weigh significantly in favor to the benefit aspect

It is evident the Dymaxion as whole represents the mostsignificant update to the Burst cryptocurrency The claim is toprovide a cryptocurrency capable of sustaining the total globalload of non-cash transactions To the best of our knowledgeany Burst stakeholder section should root for this to happen

In general each change should undergo the CIP workflow(see also C) Each feature would have two thresholds that needto be met in order for it to become active 1) an activation blockheight which should be set far enough in the future so everynode operator has enough time to prepare for it and 2) a definedpercentage of signalling nodes to support this feature whichwould by definition be Burst nodes capable of the feature inquestion

AcknowledgmentsThe authors would like to thank many members of the crypto-graphic community for their support and valuable input AntonYip provided great insight into Burst CIYAM ATs and theirapplicability to ACCTs Burstcoin community member Quibustook the time for a forensic dilligence of the Burst plotting andmining process Also his proposal of a backward-compatibleand un-gameable PoC2 can be considered a milestone for BurstTom Creacuteance (Gadrah) helped with the visual representationof some figures Sergey Blagodarenko for providing insightand code on the PoC1 gameability problem We also wouldlike to express our gratitude to the numerous authors of BitcoinIOTA Monero and ZCash Without the giants who kindly letus stand on their shoulders we would not have had the buildingblocks necessary for the Burst Dymaxion

Appendices

A SpaceMint Paper ErrataSpaceMint A Cryptocurrency Based on Proofs of Space[15]is a paper about a proposed cryptocurrency named SpaceMintwhich is based on a rdquoproof of spacerdquo concept - some of theauthors presented in another paper[16]

In section 2 Related Work the authors make some claimsabout Burstcoin as it is the only coin implementing a Proof-of-Capacity consensus - somewhat related to the Proof-of-Spacedescribed in the paper In particular they make 3 claims aboutBurst weaknesses

bull By requiring the examination of a constant fraction (024)of reserved disk space Burst is - according to the authors- inefficient compared to SpaceMint which requires onlya logarithmically proportional amount of examination

bull Verification is problematic in Burstcoin because ldquoa minerhas to verify 8 million blocks to verify another minersclaimrdquo

bull Burstcoin being susceptible to time-memory tradeoffsthus allowing miners to mine using PoW and using just asmall fraction of space to be at the same rate as ldquohonestminersrdquo

We would like to clarify and refute some of these claimsbecause they seem to have originated in the SpaceMint authorsrsquoincomplete understanding of the Burstcoin PoC and even somesimple arithmetic mistakes

Ad ldquoinefficient examinationrdquo It is correct that Burstcoinrequires per round - each block every 240 seconds - 14096th ofthe space reserved on disk to examine16 The authors also pointout correctly this being 0024 Unfortunately in their modelcomparison with SpaceMint using a 1TB mining space theytransform this 0024 into 24 gigabyte of data to be examinedfor Burst while SpaceMint allegedly requires only 24 megabyteto be examined

Due to lack of availability we were not able to verify theclaimed requirements for SpaceMint but 0024 of 1TB cor-rectly translates into 240 megabyte thus a factor of 100 lowerthan the authorsrsquo wrong comparison value We therefore be-lieve that the claim of Burst inefficiency merely exists due tothis error in the SpaceMint paper

Ad ldquoproblematic verificationrdquo The authors avow that theirassessment of the Burst plotting and mining process is onlytheir best guess based on the - admittedly - sparse and informalspecification at the time of writing the paper They base theirclaims mainly on the old and even at the time of its publicationnot exact MiningPlotting diagram17

The biggest deviation from the actual situation results fromthe fact that in order to compute one scoop (64 bytes) two

16a so called Scoop17See also httpsisgdbwPjCb

SHABAL256 operations have to be performed as each SHA-BAL256 delivers a 32byte (256bit) hash value only

Because the amount of input data that is being given to theSHABAL256 is capped at 4096 bytes itrsquos also not 8 million256bit blocks that are being hashed in total to get all scoops ina nonce but exactly 33292288 bytes therefore a total 1040384of 256bit blocks So roughly 1

8 th of the claimed value in theSpaceMint paper

Ad ldquotime-memory tradeoffsrdquo As mentioned in the previousparagraph many estimates of the authors are based on theinsufficient information about how Burstcoin works at the timeavailable to them This results in certain follow-up errors thatskew the computations Eg there are 8192 hashes computedand not 4097 So for the attack as described by the authorsthere is actually only 18192th of the total plot space needed(the final 32 bytes to perform the XOR)[4]

Now with the current PoC used with Burstcoin there indeedare time-memory tradeoffs possible roughly as the authorsdescribe The Burstcoin developers have been aware of thispossibility to use less Capacity and invest more Work for aspecific range of Scoops (at this moment the highest 64 Scoops4096 - 4032 are prone to this attack in a somewhat viable way)

This attack on PoC mining fairness was possible in theorybut not feasible economically because the PoW required forthis mode of operation consumed far more energy than a PoCmining style However recent advancements in hardware andGPU performance do show that economical feasibility is just amatter of time

Therefore this situation must be addressed A PoC2 CIP(see C) is underway to ensure the Burstcoin blockchain is notgameable in any way - not even with the advent of any theoreti-cal SHABAL256 ASIC devices postulated by the SpaceMintauthors

Summary Burst is neither inefficient in plot examination dur-ing the mining process nor is the load put on a verifier ldquotoohighrdquo We agree that there is a small theoretical possibilityfor ldquotime-memory tradeoffsrdquo but as of this moment its securityimpact is low Burst will undergo a series of upgrades and thisissue will be addressed by a PoC2 CIP (see section C)

We would also like to add that reducing mining and verifica-tion effort is not necessarily the ultimate goal The SpaceMintauthors are aware of so called Nothing-at-stake problems

When replacing PoW with a different type of proofthat is computationally easy to generate (such asPoSpace) a series of problems arise which arecollectively known as nothing-at-stake problemsIntuitively because mining is cheap miners can(1) mine on multiple chains and (2) try multipleblocks per chain at very little additional cost (3)These two problems potentially allow for double-spending attacks and slow down consensus

We believe the Burst mining process is a premier example

Figure 14 Proof-of-Capacity 20 backward-compatible plots with scoops consisting of interleaved SHABAL256 hashesPreventing time-memory tradeoff for high-range scoops

of an equilibrium between energy-efficiency and nothing-at-stake problem prevention

Figure 15 BurstQora ACCT step 1 Alice deploys an ACCTAT on Burst that will contain the responderrsquos address quantitypassword and expiration time Two hashes are made of thepassword key and lock

Figure 16 BurstQora ACCT step 2 Upon examining AlicesAT Bob deploys an ACCT AT on Qora with the initiatorrsquosaddress quantity lock sent from Alice and expiration time(less than than what Alice set)

B The BurstQora ACCT ProcessThe general process of an ACCT is described in section 15For the concrete BurstQora realization which to the best ofour knowledge was the 1st ACCT ever realized please see thedepicted reference below

Figure 17 BurstQora ACCT step 3 Alice sends afterexamining the AT from Bob the key to the Qora AT

bull Alice (the Initiator) wants to trade Burst for Qora

bull Bob (the Responder) wants to trade Qora for Burst

Now there are only 4 steps necessary to be provided by theAT mechanism running on both the Burst and the Qora chains -see figure 15 to 18 The communication between Initiator andResponder like sending the details of the generated ATs andINitiator to Resipient key in case everything went well is ofcourse done off-chain and the mode of operation depends onwhat communication channels are established (website phoneface to face)

C Burstcoin CIPsBurstcoin Capability Improvement Proposals18 establish a pro-cess defined by the Burst community similar to BIPs19 (Bit-coin Improvement Proposals) and EIPs20 (Ethereum)

CIPs (short for Capability Improvement Proposal or evenCoin Improvement Proposal) are meant to advance furtherdevelopment of Burstcoin and describe proposed standards forthe Burstcoin platform including core protocol specificationsclient APIs nomenclature and contract standards

18httpsburstwikiorgwikiCIP19httpsenbitcoinitwikiBitcoin_Improvement_

Proposals20httpsgithubcomethereumEIPs

Figure 18 BurstQora ACCT step 4 The Qora AT sends theAmount to Alicersquos address and reveals the key to Bob for theBurst AT Bob sends the key to the Burst AT and receives thepayment

Whatrsquos not covered by CIPs are changes or improvementsto the coin that can be done without any change to the protocolor API such as UI or usability improvements Improved wallet-UI or initializing a Burst address with a public key without anoutgoing transaction fall into that category

PoC2The ldquotime-memory tradeoffsrdquo mentioned in the SpaceMint pa-per are real and show a weakness of the PoC (henceforth PoC1)consensus used in Burst A proof-of-concept implementationexists (see figure 19) - improving its speed is only an engineer-ing task While they currently do not represent a fatal threat toBurstcoin (one can assume around 2 of all mining capacitygoing to dishonest miners) it is good practice for a cryptocur-rency as well as a sign of responsible development to addresssuch issues in a timely manner Moreover a Burst blockchainbeing the backbone of many high-volume payment channelsmust address security issues even if they havenrsquot yet crossedthe threshold to practical applicability

Therefore several Burst core developers discussed ways toaddress this problem in a way that would not only fix the issuebut also do so with minimum impact to the current stakeholdersin this specific case miners who are vested with a large capacityof plots

The PoC2 proposal is a minimally invasive way to achievetime-memory tradeoff resistance while keeping the currentlyused plots functional Figure 14 shows the concept of hashinterleaving to re-shuffle SHABAL256 hashes in scoops in away so that each scoop represents an equal amount of hashingeffort

Software used for the mining process can operate on bothPoC1 as well as PoC2 format where PoC1 requires twice thereads compared to PoC2 and works on both optimized as wellas unoptimized PoC1 plots

For better PoC2 performance a PoC1 rarr PoC2 converterwill be offered

Figure 19 PoC1 time-memory tradeoff PoW miner speedY-axis shows noncesminute on 1 CPU core X-axis the noncenumber source Sergey Blagodarenko

As can be seen in figure 20 PoC1 optimized plots providesignificant advantages compared to unoptimized plots Thenumber of seeks of a unoptimized PoC1 plot is basically n-times the number of nonces in that plot which can be in themillions

Compared to this the difference between seek times ofa PoC1 plot interpreted as a PoC2 (unoptimized PoC2) andldquonativerdquo PoC2 is merely a factor of 2 as for each PoC2 scooptwo PoC1 scoops have to be read (consisting of the two 32-byteSHABAL256 hashes)

This factor 2 applies to both unoptimized as well as opti-mized PoC1 plots

Burst Units NomenclatureBurst is divisible similar to many other cryptocurrencies into100 million parts Up to now BURST had an equivalent valuein the low cent range so nomenclature of fractions of BURSTseemed not important

Similar to the nomenclature of Bitcoin units21 we proposea simple naming scheme for the fractions of BURST - see table2

While the canonical SI-names milliBURST (mBURST) andmicroBURST (microBURST or uBURST) are probably best usedin technical documentation and protocol specifications themore intuitive names like Burst-cent (BCrarr ldquoBessierdquo) insteadof centi-BURST or 1

1000 th of this (MilliBessierarr ldquoMaybelrdquo)can be used for human2human communication

We denote the smallest unit of BURST as ldquoPlanckrdquo21httpsenbitcoinitwikiUnits

Figure 20 PoC1 unoptimized and optimized plots Optimizedplots reduce HDD seek time significantly by an order ofmagnitude equal to the number of nonces present

Decimal (BURST) Canonical Name Alternate Name

100000000 BURST Burst001000000 cBURST Bessie000100000 mBURST ndash000001000 ndash Maybel000000100 uBURST ndash000000001 ndash Planck

012345678 digit reference ndash

Table 2 Units of BURST and its fractions

Dynamic Block Size and Tx CostCurrently the minimum tx fee is 1 Burst and the maximumnumber of transactions that can go in a block is 255 Both thesehard-coded values do work well only for a narrow parameterspace of Burst value and transactional load on the network

If we imagine a scenario where Burst rises to a value of 110 100 USD - or even BTC levels an immutable transactionfee of 1 Burst would certainly be inhibitory to network usageWhile that might not be a big problem in a future scenario whereBurst is used as (valuable) collateral in opening and closingDymaxion layers there are other arguments against keepingthese values as-is

Hard-capping the lower bound of tx cost to 1 Burst effec-tively dismisses possible Burst microtransactions because atransaction of 00012 Burst with transaction cost of 1 Burst isillogical

On the other hand simply lowering transactional cost couldlead to spam attacks on the network The low value of Bursttogether with fixed cost per transaction independent of transac-tion size in bytes already did enable a spamming attack in July2017 disturbing network operation significantly

At this moment the transaction fee possible for one blockare in the range from 0 Burst (for empty blocks) to 255 000Burst (for a block filled with 255 generated assets) There is no

Figure 21 Comparison constant and linear-progressive feestructure inclusion guideline A linear-progressive fee structuredoes allow for microtransactions while preventing spammingand ensuring miner rewards in same height as in theconstant-fee system under high-load conditions

way tx fees could be above this upper limit and there is no way- even if users would like to spend more than the minimum of 1BURST per transaction - to get more than 255 transactions intoa block

We propose to make transaction cost and block size dy-namic values to be better able to cope with varying transactionalload on the Burst blockchain

Given the Burst blockchain is stored in a relational databasevarying block size is not much of an issue Yet space on theblockchain is to be considered a scarce thus precious resourceCost of a transaction should therefore depend on how muchspace it will occupy within a block and thus on the blockchain

Furthermore the cost of a transaction should depend onnetwork load which by extension means fill state of forgedblocks Currently values for the number of transactions andthe maximum block payload are hard coded in the burst walletsource

MAX_NUMBER_OF_TRANSACTIONS = 255MAX_PAYLOAD_LENGTH =

MAX_NUMBER_OF_TRANSACTIONS 176

If we assume a regular block filled with the current maxcapacity of 255 ordinary payments the total tx fee would be255 Burst and the payload would be 255lowast176 = 44800 bytes

This means the current protocol expects - roughly withoutheaders - to be paid 1 BURST per 176 byte of tx payloadCompared to this the bitcoin network22 offers a fee structure of

22httpsbitcoinfeesearncom

1 to 430 Satoshi per byte with best-case 0-block delay startingat 270 Satoshibyte

As of December 2017 the transaction cost structure com-parison between Burstcoin and Bitcoin (1 BURST = ca 150Sat) shows 085 SatoshiByte in the Burstcoin network andtherefore a roughly 317x higher cost for Bitcoin block spaceand ca 900x higher cost for network transactions as a Bitcointransaction is roughly 500 bytes in size23

In Fiat this means that at a price of around 3 US-cent perBURST one byte of payload costs 0017 cent in the Burstcoinnetwork and around 54 cent in the Bitcoin network

If the hardcoded tx cost for the Burst network was to remainat 1 BURST minimum Burst would reach the same level oftx cost that Bitcoin has today at a price of 176 lowast 54 = 9504US-cent therefore around $950

Tx no Tx fee Total fees

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Table 3 Progressive Tx fee reference per-tx fee and totalblock tx-fee for various number of transactions in a maximum1020 txblock model

If we look at todays price levels Burstcoin miners wereensuring the network for a maximum payment of 91800 Burstdaily On average the network has been doing around 5000txday So in addition to the block reward the transaction feereward per day for the whole Burstcoin network is around $150in December 2017

In order to cope with future development of BURST priceand transaction volume we propose a progressive tx fee struc-ture guideline where wallets can decide and priorize whattransaction to include in the current block depending on thefill-state of the current block and memory pool backlog - seefigure 21 The area of the blue rectangle and triangle is roughlythe same (255 vs 240) In order to be included in the nextblock a transaction currently in mempool must provide a highertx fee than the currently free slot in the block requires If thetransaction can fulfill this requirement it is included in theblock if it canrsquot it will wait in mempool for the next blockwhere this process repeats

The progressive approach opens the door for more on-chainscalability Instead of limiting the max number of transac-tions to 255 we could now theoretically have an open limitand solve much of the scalability issues blockchains have perse Instead we propose a conservative extension of the maxnumber of txtransactions to 1020 (4-fold) With the same linearprogressive rule the reference values for a 1020-tx ldquotrianglerdquoare shown in table 3

23httpsenbitcoinitwikiTransaction_fees

Together these two modifications (linear-progressive feeand max 1020 txblock) would ensure that nominally minerearnings will remain the same ldquoNominallyrdquo meaning samenetwork load same price

Moreover micro-transactions should be possible and underhigh-load conditions miner profit would be a multiple of whatit is now By enabling limited micro-transaction capability on-chain now Burst would open to new applications and marketsStill with the progressive fee structure spamming would be outof the question and financially strong market participants couldbasically ldquothrow money at the problemrdquo when eg a financialinstitute would need to open a Dymaxion layer in the currentblock it most probably could do so at a premium

Dynamic Node CapabilitiesThe network consisting of P2P nodes will never be homogenousas hardware capabilities of the nodes will always differ In ouropinion it is not desireable to make artificial (1-dimensional)distinction between so-called ldquosuper-nodesrdquo and ldquoregular-nodesrdquoas some cryptocurrencies do Neither does it seem to be theright design decision if some minimum capability requirementson nodes are imposed to all nodes (such as available memory)thus leaving potential capacities unused

We believe a fine-grained configurability of nodes extend-ing on current principles has to be implemented While todaythe BRS configuration options allow to allocate number ofCPUs - or enabling GPU support to the processing capacity andalso define how much network traffic and peers a node is willingto cope with more fundamental settings are not possible

In the wke of the spam attacks limits on mempool havebeen hard-coded in the wallet While this proved to be a veryeffective measure against memory DoS attacks - what the spamattack effectively was - it prevents nodes with higher resourcesto make use of their full potential to support the network Wepropose the mempool size being configurable to better adjustto the node capabilities

Other parameters similar to packet introspection of routingprotocols but in this case applying to parameters of transactiondatagrams could define policies for nodes eg which trans-actions to relay and which not This is common practice egin the Bitcoin network where a node can decide to supportlow-fee transactions (by forwarding them) or not

We believe a structure in the network will evolve from theseparameters better adapted to the underlying node capabilities -or what node operators are willing to provide - forming natu-rally a hierarchy of nodes with backbones and super-backbonesemerging from that

On the other end of the scale it will also allow nodes toparticipate which are not capable of doing so today Very smallembedded devices from the ubiquitous IoT that can supportthe network serving even merely as repeaters with very littleresource requirements

In section C we talked about transactions that have to re-main in mempool in case they could not be included in thecurrent block Because nodes have limits for mempool sizetransactions with the lowest fees are being discarded from mem-

pool first if maximum mempool size is reached Acting as aspam prevention this also ensures a priorization of high-feepriority transactions

Nodes with more resources and higher mempool storageparameters will still have these low-fee transactions in mempoolwhile others may have already discarded them So while it willnot be impossible for a low-fee transaction to ldquosurviverdquo untilit gets included in a block (dip in traffic volume) tx-fee iscertainly proportional to chance of being included in a timelymanner or at all

DymaxionThe Burst Dymaxion is not only the most significant update tothe Burst cryptocurrency it is the biggest technological updateany cryptocurrency has ever received Each of the compo-nents features a full outstanding protocol feature by itself soestablishing the Dymaxion as a whole needs to be done as anincremental process split up into several separate CIPs

bull adding ring signatures library

bull adding zk-SNARKs library

bull adding parts of the IOTA iri

bull adding ACCT (ACTT) templates

As mentioned earlier all of these components are alreadyin place and some may be at the time of the publication part ofthe BRS repository The integration and enabling of these fea-tures will be subject to a community-approved roadmap definedby block-height and adoption rate (percentage of supportingwallets in use) for the features as described in section 52

Also the features themself will be establishen in an incre-mental process While there is support for all major consensusalgorithm types only PoC - as already present - will be enabledin the first instance of the Dymaxion

Post-Dymaxion PoC3The advantages of PoC in comparison to PoW or PoS havebeen mentioned and examined under multiple perspectivesalready While PoC and its designated successor PoC2 areenergy-efficient which in our opinion is the only sustainableway for a cryptocurrency with global impact the space usedfor the PoC consensus is of no other use than to perfom miningand tx validation for the Burst blockchain

Critics have pointed out that the disk space used for Burstis ldquolostrdquo or ldquowastedrdquo otherwise as plots are not really usablefor anything else This is formally true and because of this wepropose establishing a Proof-of-Capacity 30 consensus sometime after the Dymaxion comes to full effect

This PoC3 will exist in parallel to PoC2 It will be basedon dual-use data instead of the Burst mining-only plots of PoCand PoC2 Dual-use means real-world data like movies audioWikipedia archive files OpenStreetMap GIS data and more Ingeneral large immutable files of permanent interest to all - notthe private word document holiday picture or browser cache

Figure 22 Symmetric Feistel cipher transformation forindividualization of a PoC3 plot fileDagger

The protocol would allow these files to be announced to thenetwork (SHA256 size) and voted on by nodes for validationinclusion If a very high percentage (say 95 threshold) of thenodes would vote in favor of adding these files to the pool ofldquodual-use plotsrdquo which also implies storing these files themselfeach node would find deadlines in these files based on a suc-cinct test of values of a virtual hard-to-pebble[17] trees laidover individualised versions of these files Once in the poolof accepted plots PoC3 plots would need to remain there be-cause while for mining their presence is optional for ab-initiovalidation of the blockchain when resyncing their presence ismandatory24

First each PoC3-accepted file would undergo a Feistel ci-pher transformation (fig 22) with the numeric Id of an accountto individualize it as plot and counter grinding attacks Themining process would assume the file being mapped on a RB-Tree(figure 23) layout as seen in figure 24

Let the basic operation of the Feistel encryption with theround function F and sub-keys K0K1 Kn for the rounds01 n be as follows

Split the plaintext block into two equal pieces (L0R0) inour case two 32-byte chunks

24For the future we can picture a situation with a distinction of ldquofull PoCnodesrdquo containing all PoC3 and being able to make such a resync and ldquorestrictedPoC nodesrdquo being able to sync blockchain from the full nodes

Figure 23 Red-Black binary tree structure for traversing PoC3plots Each node being a 64-byte data chunk each depthrepresents next level as depicted in the data layout of the nextfigure

Figure 24 Data layout of a PoC3 ldquoplotrdquo Each level twice thesize maximum 64 levels allow for a plot size of up to 2 YiB(yobibyte)

For each round i = 01 n compute

Li+1 = Ri

Ri+1 = LioplusF(RiKi)

Then the ciphertext is Rn+1Ln+1) Decryption of a ci-phertext (Rn+1Ln+1) is accomplished by computing for i =nnminus1 0

Ri = Li+1

Li = Ri+1oplusF(Li+1Ki)

Then (L0R0) is the plaintext again Of course by ldquoplaintextrdquoin cryptography nomenclature we mean the more generic termoriginal data

Similar to the current Burst mining process a scoop woulddefine the starting point in the data layout (index in the lowestlevel) The algorithm would traverse the RB tree of 64-bytescoops where the path decision (start then red or black foreach level) would simply be defined by the bit sequence of theprevious block-id 1=B 0=R

A maximum of 64 steps allows for a maximum PoC3 plotfile size of 2 YiB (yobibyte) The values along the traversed pathwould be concatenated and hashed All values along the path aswell as their hash value are then broadcast to the network whereany nodes can take over the validation of the submitted dataAs the length of the path defines the size of the underlying plot

in a logarithmic way also the position of a submitted deadlineon this path modifies this deadline logarithmically (in the caseof this binary tree structure this resolves to simply halving thevalue for each level n v = 1

2nminus1 so 12 for level 2 1

4 for level 3etc

Using Feistel ciphers allows for individualization yet loss-less retrieval of arbitrary data The symmetry guarantees thecipher being of same length as the original data paving the wayfor a dual-use Proof-of-Capacity consensus

The Burst blockchain will thus not only form the funda-mental layer for a truly global transaction network it can alsotake over a custodian role in globally distributed redundantstorage This means it can be used for the safe preservation ofall information that has been acquired by our civilization andthat is of permanent interest

References[1] Serguei Popov The Tangle httpsiotaorgIOTA_Whitepaperpdf 2017 [Online accessed 21-October-

2017][2] N Petkov Systolic Parallel Processing Elsevier Science Inc New York NY USA 1992[3] John Ratcliff The Lightning Network Glass is Half Full Post httpcodesuppositoryblogspotcom2016

03the-lightning-network-glass-is-halfhtml 2016 [Online accessed 22-October-2017][4] Quibus Technical information about mining and block forging httpsburstwikiorgwikiTechnical_

information_about_mining_and_block_forging 2017 [Online accessed 27-November-2017][5] CIYAM Developers Automated transactions documentation index httpciyamorgat [Online accessed

16-November-2017][6] Eli Ben-Sasson Alessandro Chiesa Christina Garman Matthew Green Ian Miers Eran Tromer and Madars Virza Zerocash

Decentralized Anonymous Payments from Bitcoin (extended version)[7] Nicolas van Saberhagen Cryptonote v 2 0 HYPERLINK httpscryptonoteorgwhitepaperpdf 2013[8] httpszcashtechnologyzksnarkshtml 2017 [Online accessed 27-November-2017][9] Christian Reitwiessner httpsblogethereumorg20161205zksnarks-in-a-nutshell 2016

[Online accessed 27-November-2017][10] Joseph Poon and Thaddeus Dryja The bitcoin lightning networkscalable off-chain instant payments https

lightningnetworklightning-network-paperpdf[11] Meni Rosenfeld Overview of colored coins httpsbitcoilcoilBitcoinXpdf 2012[12] Nick Johnson Why i find iota deeply alarming httpshackernooncom

why-i-find-iota-deeply-alarming-934f1908194b[13] Ethan Heilman Neha Narula Thaddeus Dryja and Madars Virza Iota vulnerability report Cryptanalysis of the curl hash

function enabling practical signature forgery attacks on the iota cryptocurrency httpsgithubcommit-dcitangled-curlblobmastervuln-iotamd

[14] Bryan Parno Jon Howell Craig Gentry and Mariana Raykova Pinocchio Nearly practical verifiable computation In IEEESymposium on Security and Privacy pages 238ndash252 IEEE Computer Society 2013

[15] Sunoo Park Krzysztof Pietrzak Albert Kwon Joeumll Alwen Georg Fuchsbauer and Peter Gazi Spacemint A cryptocurrencybased on proofs of space IACR Cryptology ePrint Archive 2015528 2015

[16] Stefan Dziembowski Sebastian Faust Vladimir Kolmogorov and Krzysztof Pietrzak Proofs of space IACR CryptologyePrint Archive 2013796 2013

[17] Vivek Bhupatiraju John Kuszmaul and Vinjai Vale Exploring proof of space with hard-to-pebblegraphs httpsmathmiteduresearchhighschoolprimesmaterials2016conf10-220Bhupatiraju-Kuszmaul-Valepdf 2016

Licensesdagger original file Theymos from Bitcoin wiki vectorization Own work (httpscommonswikimediaorgwikiFileBlockchainsvg) bdquoBlockchainldquo modified httpscreativecommonsorglicensesby30legalcodeDagger Feistel_cipher_diagramsvg Amirki derivative work (httpscommonswikimediaorgwikiFileFeistel_cipher_diagram_ensvg) bdquoFeistel cipher diagram enldquo modified httpscreativecommonsorglicensesby-sa30legalcode

ChangelogErratabull initial version

Introduction

Building Blocks

Burstcoin Blockchain

Smart Contracts

DAGs and The Tangle

zk-SNARK vs Ring Signature

Blockchain Binding with ACCTs

Lightning Network

Coloring

Putting it All Together

Dymaxion Tangle vs IOTA Tangle

Blockchain-Dymaxion Interaction

Using Nodes P2P for ad-hoc DLs

Dymaxion Anonymity

Implementation Details

Opening a DL

A Transaction within a DL

Closing a DL

Blockchain Enforcing

Security Considerations

Collusive Nodes Attack

Spamming and DoS Scenarios

Results and Discussion

Prototype Performance

Adoption Process

Acknowledgments

SpaceMint Paper Errata

The BurstQora ACCT Process

Burstcoin CIPs

References

Figure 1 Cap GeminiBNP Paribas Number of Worldwide Non-Cash Transactions 2010-2020 (est)

Despite their technical elegance and possibilities cryptocur-rencies lack mass adoption because of two critical factors us-ability and scalability While usability can be addressed withsufficient engineering and development effort scalability isoften a theoretical problem of its own

The inherent features of a good cryptocurrency - decentral-ization and trustless design - often go contrary to traditionalmethods of upscaling centralistic processes While Bitcoinrsquospioneer achievement the blockchain solved the problem of adecentralized trust its inventor certainly left much headroomfor scaling that concept for a truly global use

In fact speaking of ldquotruly global userdquo letrsquos fathom the scaleof this concept Assume you would like to support one hundredmillion people world-wide to be able to use a cryptocurrencylike Bitcoin with an average of just 1 transactions per day (about

15 of the global non-cash transaction volume - see also figure1) You would need a 400MiB blocksize to meet that demandThis would imply a blockchain growth of over 56GiB per day

Aside from the feasibility considerations it is questionableif a transaction for the acquisition of a sack of rice made inChina 2017 should be kept for all eternity on the blockchain andthus in memory or on mass storage of all participating nodesworld-wide

A concept to overcome many of the restrictions a typicalblockchain imposes on scalability was presented in the IOTAwhite paper[1] In this novel system transactions are not broad-cast over a network of participating nodes some of which(miners) try to put them into a block Instead network nodescan validate transactions and by this validation work actuallyearn the right to perform transactions themselves The nodes

1 Building Blocks

10httpsisgd7RcPqf

ttx = tnl + tvl (1)

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 Building Blocks

10httpsisgd7RcPqf

ttx = tnl + tvl (1)

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

10httpsisgd7RcPqf

ttx = tnl + tvl (1)

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

10httpsisgd7RcPqf

ttx = tnl + tvl (1)

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

10httpsisgd7RcPqf

ttx = tnl + tvl (1)

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

10httpsisgd7RcPqf

ttx = tnl + tvl (1)

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 Initiation

2 Operation

3 Closing

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

tttl gt tst (3)

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Latency

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

nv lowastw (5)

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Appendices

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

1 000735 000735100 073500 3711750255 187425 23990400510 374850 95774175765 562275 215351325

1020 749700 382721850

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Li+1 = Ri

Ri = Li+1

4 for level 3etc

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Introduction

Building Blocks


Smart Contracts

DAGs and The Tangle



Lightning Network

Coloring





Dymaxion Anonymity


Opening a DL


Closing a DL







Adoption Process

Acknowledgments



Burstcoin CIPs

References

Documents

The Burst Dymaxion · The Burst Dymaxion — 2/23 Figure 1. Cap Gemini/BNP Paribas: Number of Worldwide Non-Cash Transactions 2010-2020 (est.) Despite their technical elegance and