Bitcoin Fungibility: The Most Important Feature?

What if every Bitcoin is different from every other Bitcoin? Pete Rizzo was asked this question while reporting from the Scaling Bitcoin conference in Milan. It is indeed an important question because if every Bitcoin is different from every other Bitcoin, Bitcoin is dead.

Bitcoin’s fungibility has been discussed as its main advantage. As defined, ‘Fungibility is a property of a good or property whereby individual units can be substituted for one another. That is, it is a property of goods whereby they can be substituted for one another.’

Fungibility is a core property of all successful currencies. For example, the $20 I paid the waiter at the bar yesterday has the same value as the $20 I will pay for lunch tomorrow. If it were not the same, the $20 bill, and even the dollar, would lose its status as a safe currency.

Gold is the world's most discussed fungible commodity. If you melt down a kilogram of gold and make it into a one-kilogram gold bar, the value of the gold is exactly the same.

However, Bitcoin’s fungibility is in jeopardy because, in an increasing number of cases, one Bitcoin is no longer equivalent to another.

Blockstream CEO Adam Back said at the Scaling Bitcoin conference:

“Some exchanges and custodial wallets are using tracking services and are four hops away, so if you are associated with Silk Road or something like that, they will freeze your account.”

He summed it up perfectly:

"Other people's behavior - it has no essential and potential relationship with you. Four jumps is a long distance for you."

As much as I hate to admit it, I understand why these exchanges and custodial wallets are using these tracking services. Companies like Coinbase and Circle are forced to deal with local country regulations. And because Bitcoin is a public ledger that allows you to track the whereabouts of every coin, and at some point drug-related funds may have flowed through these companies' services, they are under the spotlight of regulators.

However, this sets a dangerous precedent for those who believe in the potential of Bitcoin. If the average user cannot trust that the Bitcoin they hold is usable, then they are unlikely to trust Bitcoin as a whole. If I can’t trust that my $20 is generally accepted, then why would I trust dollars?

Balancing Interchangeability and Scaling

There are many altcoins that place great emphasis on fungibility and privacy. For example, one of them is Monero, which is famous for using ring signatures. Ring signatures are:

“A digital signature that can be performed by any member of a group of users who possesses a secret key. Thus, a message signed with a ring signature is one that has been approved by a select group of people.”

The appeal of ring signatures is that 'computationally, it is possible to determine which member's key was used to generate the signature.'

In other words, if 10 of us send a transaction, only one person's signature is actually signed on the transaction. And because only one signature is used, basically no one knows whose it is.

Unfortunately, ring signatures are not implemented perfectly. According to Greg Maxwell, co-founder of Blockstream and Core developer, 'I don't think ring signatures are something that will have a significant impact because they are not conducive to scaling (it adds an ever-growing collector of payment coins, making the UTXO set ever-evolving.)'

In other words, as the UTXO setting continues to evolve, the number of transactions that can be accommodated in a block will decrease.

Observe the above diagram. In Transaction 0, there is an output-0 and output-1. Then, they are included in TX1 and TX2. The larger these outputs are, the larger these transactions will be, thus reducing the number of transactions that can be accommodated in the block.

Therefore, this creates a problem in the balance between scalability and fungibility. In order to improve privacy, we may have to reduce fungibility.

Or don’t have to…

Schnorr Signatures: Improving Fungibility and Scalability

Schnorr signatures are an incredibly innovative way to manage signatures that enable both scalability and fungibility.

Consider the above diagram of a transaction propagation with all the inputs of a new Bitcoin transaction. Let’s assume there are 5 inputs in total. Schnorr signatures essentially create a single signature to represent all the signatures, the aggregate signature. So 5 separate signatures become 1 signature.

How does this help with scaling?

When you reduce the number of signatures from 5 to one, you can fit more transactions into a block. Signatures make up a large portion of the transaction size; therefore, when you reduce the total number of signatures, you are in an advantageous position.

In his in-depth explanation of Schnorr, Aaron van Wirdum provides the following math to explain the benefits of Schnorr signatures:

“If aggregated Schnorr signatures reduce the total size of witness data from, say, 1 megabyte to 0.5 megabyte. That 0.5 byte will be discounted to 0.125 megabyte, leaving up to 0.875 megabytes for the original block.”

The benefits of Schnorr signatures are easy to understand: Segregated Witness already increases block capacity, but if combined with Schnorr signatures, this capacity increase will be even greater.

But what about interchangeability?

Remember, the reason these exchanges and custodial wallets are able to ban someone is because they can easily track transactions. If you make that tracking harder, it becomes much harder to ban someone.

Greg Maxwell has the answer. By using CoinJoin, multiple people can group their transactions together to make a joint payment. Therefore, it becomes almost impossible to match every input with every output.

Combine this with the Schnorr signature, and if there are multiple inputs from multiple people, then there is only one signature that can be used for analysis.

The beauty of this particular implementation is that there is an economic incentive for the adoption of Schnorr signatures and CoinJoin - by combining signatures into a new signature, it reduces transaction fees for everyone.

Therefore, the cost of sending Bitcoin will be lower, and interchangeability will be greatly improved. Each block can contain more transactions.

Maxwell hopes that Schnorr signatures can be implemented into Bitcoin next year, however, there are many factors that may affect this implementation.

Mimblewimble to the rescue?

I’m only going to give one solution here that I find very attractive. One question that Schnorr signatures and CoinJoin have yet to answer is how to create an automated user experience. I use a Ledger Nano wallet; therefore, I think that to really make this work, developers will have to implement these capabilities into their software.

Fortunately, there is a lot of work going on towards interchangeability, and there are various proposals, many of which may not work, but some of which are very promising.

One proposal that has been discussed a lot recently is Mimblewimble. This solution effectively uses Schnorr signatures and combines it with a technology called Confidential Transaction (CT).

CT essentially implements a system where only the sender and receiver can see the amount of money transferred. The problem is that CT requires proof of every output; these proofs are very important, so they may cause block bloat.

But by aggregating the signatures of these secret transactions into a new signature, we effectively get a very lean, very private transaction. Ultimately, this leads to what we are looking for: good fungibility and the ability to add more transactions to the blockchain.

However, there is a problem: Mimblewimble requires changing the scripting language that Bitcoin is using , and the only way to do this is to hard fork . Although I am not sure about hard forks, the current situation does not support the use of hard forks to solve this problem, especially with the previous experience of Ethereum's failed hard fork.

Interchangeability must be feasible

If Bitcoin is to succeed and continue to exist, people need to trust that the Bitcoin they receive is the same as every other Bitcoin. Otherwise, they will not be able to use Bitcoin.

I believe a solution will be found. Although I am particularly optimistic about the hybrid solution of Schnorr signatures and CoinJoin, this is not the only option. Other solutions will definitely be proposed in the future

That moment has not arrived yet, but it will soon. And it will make Bitcoin even more powerful.