Nexa’s Instant Transactions and Transaction Finality
What if a customer purchases something small, say a cup of coffee, with Nexa? Can the merchant let the customer leave the store with the coffee before the transaction has been confirmed (commonly called 0-conf)?
This question is all about transaction finality. “Transaction finality” refers to the point at which a transaction is irreversibly committed to the blockchain or to another database, such as the one your bank uses.
First, a warning: Transaction finality has actually been proven to be unsolvable in anonymous, decentralized permissionless systems, via a few famous (in computer science anyway) papers. Search for “the FLP impossibility result” and “the CAP theorem” for more information. So, what about all those blockchains that claim rapid finality? That is probably due to incompetence, intentional lying, not actually being a decentralized, anonymous, permissionless blockchain, or a combination of all three.
So why do we claim that a merchant can allow a customer to make small purchases with 0-conf transactions? Our claim is based on 2 technologies which detect and punish double spends rather than solving transaction finality.
The first is called “doublespend proofs”. The idea was first conceived by Tom Zander, and we (Bitcoin Unlimited) then funded a small conference and the software development.
A “doublespend” is when a customer uses the same money to buy something from 2 different merchants. Or, the customer sends the same money to a merchant and then back to themselves. If this is confusing, think of it as writing multiple $10 checks when you only have $10 left in your bank account, or writing 1 check and then dashing to the bank and withdrawing.
In this case, only one of the two transactions will be added to the blockchain (only 1 check will be honored), so in the first case one merchant is not paid, and in the second case, the merchant may not be paid depending on which transaction is chosen (which is theoretically random, but tends to be the first transaction “seen” by network participants).
With “doublespend proofs”, all the honest nodes in the network are watching for a double spend. Doublespends are easy to identify, because they spend the same UTXO (blockchain ledger) entries. However, in traditional Bitcoin, transactions that are doublespends are dropped (ignored). The reason they are dropped is so that miners won’t be given both transactions and get to choose the one with the biggest fee (which of course is invariably the cheating one). However, this means that a merchant may not ever see the double spend since it does not propagate through the network.
In Nexa, if a doublespend is detected, a proof of that doublespend is extracted out of both transactions. This proof does NOT contain either of the doublespend transactions so announcing the proof does not spread the “bad” transaction around. I don't want to go into the technical details about this, but basically, the proof says "look, this person just signed 2 messages sending this money to 2 different places! I'm not going to tell you what those messages are but I'm going to give you enough info to prove that I'm not lying".
This doublespend proof is a high priority message that is broadcast to all full nodes and interested light clients. So the coffee selling merchant will get a notification in seconds if a doublespend is attempted.
Presumably the point-of-sale device then pops up a big red warning box (there’s almost no “accidental” way a doublespend can happen), and so the merchant then just politely asks the customer to step aside while the transaction confirms. With Nexa’s 2 minute average block time, this is inconvenient but not in the same category as making someone wait for 10 minutes!
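The flow described above, from conflict detection on a node to the warning at the point of sale, as an added sketch that is not Nexa's code or wire format. All class and field names are hypothetical, signatures are opaque placeholder strings, and no signature verification is performed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # outpoints spent, as (prev_txid, index) pairs
    outputs: tuple   # (address, amount) pairs
    sigs: tuple      # one signature per input (opaque placeholders here)

@dataclass(frozen=True)
class DoubleSpendProof:
    # Carries no outputs and no transaction, so relaying it does not
    # hand the conflicting transaction to miners.
    outpoint: tuple  # the UTXO entry both transactions tried to spend
    first_sig: str   # signature from the first-seen spend
    second_sig: str  # signature from the conflicting spend

class Mempool:
    def __init__(self):
        self.spent_by = {}  # outpoint -> first-seen Tx spending it

    def accept(self, tx):
        """Admit tx, or drop it and return proofs if it conflicts."""
        proofs = []
        for i, op in enumerate(tx.inputs):
            first = self.spent_by.get(op)
            if first is not None and first.txid != tx.txid:
                j = first.inputs.index(op)
                proofs.append(DoubleSpendProof(op, first.sigs[j], tx.sigs[i]))
        if not proofs:
            for op in tx.inputs:
                self.spent_by[op] = tx
        return proofs

class PointOfSale:
    def __init__(self):
        self.pending = {}  # outpoint -> sale id of an unconfirmed payment
        self.held = set()  # sales that must wait for a confirmation

    def watch(self, sale_id, tx):
        for op in tx.inputs:
            self.pending[op] = sale_id

    def on_proof(self, proof):
        """Hold the sale if the proof names an outpoint paying for it."""
        sale = self.pending.get(proof.outpoint)
        if sale is not None:
            self.held.add(sale)
        return sale
```

The merchant only needs the outpoints of its pending payments to match an incoming proof; it never has to see the conflicting transaction.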
Ok, this works fine UNLESS the doublespend is hidden. But if it’s hidden, how can it be mined? It can't unless the doublespender is ALSO a miner. If the doublespender is a miner, they can hide the doublespend and it will succeed at whatever fraction of the hash power that miner has.
So the argument goes "ok if you have a million dollar crypto mine, maybe you could reliably doublespend coffee...". But there are very few people who could do that, AND you are tangling your entire million dollar crypto mine into criminal activity. This is a very important concept. If the CEO of that crypto mine steals coffee just by running out of the store without paying, the fact that they own a crypto mine is irrelevant. But if the crypto mine itself is used to facilitate criminal activity, the entire operation typically is forfeit (of course, this depends on your jurisdiction and the details of the case, but this is why you see the government auctioning off drug dealers’ sports cars).
So what major miner is going to risk their entire operation for free coffee?
But this is why anyone accepting (say) 100,000 USD in crypto should wait for several confirmations. Maybe a miner would risk the mine for that kind of money.
Doublespend proofs are currently deployed in the Nexa network.
The second technology is something called double-spend forfeits (https://gist.github.com/awemany/619a5722d129dec25abf5de211d971bd). Doublespend forfeits work like this: you put $20 in an envelope and say "hey, if someone catches me trying to cheat anyone else, they can take the money." Except that this is done in a provable, decentralized, permissionless, trustless fashion. In the case of doublespend forfeits, it’s the miners who can take the money if you cheat.
But even if you are a miner (and could therefore "win" your own forfeit), it’s a lot harder to cheat. To understand this, suppose you have 25% of the hash power. So you will get your $5 coffee (and capture your own $20 penalty, so $5 gain) 1/4 of the time. But 75% of the time you lose $20 (I'm not counting paying for the $5 coffee as a loss because presumably you wanted the coffee).
So if you do this many times, your averaged win is $1.25 and loss is $15, resulting in a $13.75 average loss per attempt.
Of course, the honest customer uses the same $20 for every payment every day so it’s kind of like just keeping an extra emergency $20 in your wallet, because you can always remove that $20 from its role in the doublespend forfeit protocol and spend it.
Note that the merchant who was cheated typically would not receive the forfeit (unless they happen to also be a miner and mine the next block). So the system isn’t perfect, but it would dramatically discourage cheating.
So depending on the amount of money put up as a forfeit, a merchant can reliably accept larger payments as zero-conf.
Doublespend forfeits are enabled on the Nexa blockchain by the CHECKDATASIG opcode that I designed. So they are possible in the Nexa and Bitcoin Cash blockchains. However, a wallet-level protocol is required to actually implement them, and as far as I know, no wallet does so yet.
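The forfeit arithmetic above, generalized to any hash share, purchase and forfeit, together with the merchant acceptance rule it implies. This is an added example, not part of any wallet or of the forfeit proposal; the function names and the policy strings are hypothetical, and the model is the article's (the goods are not counted as a loss).

```python
def expected_gain(hash_share, purchase, forfeit):
    """Attacker's average result per attempt, in the article's model.

    With probability hash_share the attacker mines the hidden doublespend,
    keeps the goods and reclaims the forfeit; otherwise another miner
    takes the forfeit. The goods themselves are not counted as a loss.
    """
    _check_share(hash_share)
    return hash_share * purchase - (1 - hash_share) * forfeit

def max_zero_conf(forfeit, hash_share):
    """Largest purchase for which cheating does not pay on average."""
    _check_share(hash_share)
    return forfeit * (1 - hash_share) / hash_share

def decide(amount, forfeit, assumed_hash_share, proof_seen):
    """Merchant policy: hold the sale on any alert or oversized payment."""
    if proof_seen or amount > max_zero_conf(forfeit, assumed_hash_share):
        return "wait_for_confirmation"
    return "accept_zero_conf"

def _check_share(hash_share):
    if not 0 < hash_share < 1:
        raise ValueError("hash_share must be strictly between 0 and 1")
```

`assumed_hash_share` is the merchant's worst-case guess at how much hash power a cheating customer could control; a larger guess or a smaller forfeit lowers the amount accepted without a confirmation.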