New blockchains are born all the time. Bitcoin was the lone blockchain for years, but now there are hundreds. The problem is, if you want to use the features offered on another blockchain, you have to buy the tokens for that other blockchain.
But all that may soon change. One developing technology called sidechains promises to make it easier to move tokens across blockchains and, as a result, open the doors to a world of possibilities, including building bridges to the legacy financial systems of banks.
In October 2017, Aggelos Kiayias, professor at the University of Edinburgh and chief scientist at blockchain research and development company IOHK; Andrew Miller, professor at the University of Illinois at Urbana-Champaign; and Dionysis Zindros, researcher at the University of Athens, released the paper “Non-Interactive Proofs of Proof-of-Work” (NiPoPoW), introducing a critical piece to the sidechains puzzle that had been missing for three years. This is the story of how they got there.
But, first, what exactly is a sidechain?
Same Coin, Different Blockchain
A sidechain is a technology that allows you to move your tokens from one blockchain to another, use them on that other blockchain and then move them back at a later point in time, without the need for a third party.
In the past, the parent blockchain has typically been Bitcoin, but a parent chain could be any blockchain. Also, when a token moves to another blockchain, it should maintain its same value. In other words, a bitcoin on an Ethereum sidechain would remain a bitcoin.
The biggest advantage of sidechains is that they would allow users to access a host of new services. For instance, you could move bitcoin to another blockchain to take advantage of privacy features, faster transaction speeds and smart contracts.
Sidechains have other uses, too. A sidechain could offer a more secure way to upgrade a protocol, or it could serve as a type of security firewall, so that in the event of a catastrophic disaster on a sidechain, the main chain would remain unaffected. “It is a kind of limited liability,” said Zindros in a video explaining how the technology works.
Finally, if banks were to create their own private blockchain networks, sidechains could enable communications with those networks, allowing users to issue and track shares, bonds and other assets.
Early dialogue about sidechains first appeared in Bitcoin chat rooms around 2012, when Bitcoin Core developers were thinking of ways to safely upgrade the Bitcoin protocol.
One idea was for a “one-way peg,” where users could move bitcoin to a separate blockchain to test out a new client; however, once those assets were moved, they could not be moved back to the main chain.
“I was thinking of this as a software engineering tool that could be used to make widespread changes,” Adam Back, now CEO at blockchain development company Blockstream, said in an interview with Bitcoin Magazine. “You could say, we are going to make a new version [of Bitcoin], and we think it will be ready in a year, but in the meantime, you can opt in early and test it.”
According to Back, sometime in the following year, on the Bitcoin IRC channel, Bitcoin Core developer Greg Maxwell suggested an idea for a “two-way peg,” where value could be transferred to the alternative chain and then back to Bitcoin at a later point.
A two-way peg addressed another growing concern at the time. Alternative coins, like Litecoin and Namecoin, were becoming increasingly popular. The fear was these “altcoins” would dilute the value of bitcoin. It made sense, Bitcoin Core developers thought, to keep bitcoin as a type of reserve currency, and relegate new features to sidechains. That way, “if you wanted to use a different feature, you wouldn’t have to buy a speculative asset,” said Back.
To turn the concept of sidechains into a reality, Back along with Maxwell and a few other Bitcoin Core developers formed Blockstream in 2014. In October that year, the group released “Enabling Blockchain Innovations with Pegged Sidechains,” a paper describing sidechains at a high level. Miller appears as a co-author on that paper as well.
How Sidechains Work
One important component of sidechains is a simplified payment verification (SPV) proof that shows that tokens have been locked up on one chain so validators can safely unlock an equivalent value on the alternative chain. But to work for sidechains, an SPV proof has to be small enough to fit into a single coinbase transaction, the transaction that rewards a miner with new coins. (Not to be confused with the company Coinbase.)
At the time the Blockstream researchers released their paper, they knew they needed a compressed SPV proof to get sidechains to work, but they had not yet developed the cryptography behind it. So they outlined general, high-level ideas.
The Blockstream paper describes two types of two-way pegs: a symmetric two-way peg, where both chains are independent with their own mining; and an asymmetric two-way peg, where sidechain miners are full validators of the parent chain.
In a symmetric two-way peg, a user sends her bitcoins to a special address. Doing so locks up the funds on the Bitcoin blockchain. That output remains locked for a contest period of maybe six blocks (one hour) to confirm the transaction has gone through, and then an SPV proof is created to send to the sidechain.
At that point, a corresponding transaction appears on the sidechain with the SPV proof, verifying that money has been locked up on the Bitcoin blockchain, and then coins with the same value of account are unlocked on the sidechain.
Coins are spent and change hands and, at a later point, are sent back to the main chain. When the coins are returned to the main chain, the process repeats. They are sent to a locked output on the sidechain, a waiting period goes by, and an SPV proof is created and sent back to the main blockchain to unlock coins on the main chain.
In an asymmetric two-way peg, the process is slightly different. The transfer from the parent chain to the sidechain does not require an SPV proof, because validators on the sidechain are also aware of the state of the parent chain. An SPV proof is still needed, however, when the coins are returned to the parent chain.
Search for a Compact Proof
In a sidechain, a compact SPV proof needs to contain a compressed version of all the block headers in the chain where funds are locked up from the genesis block through the contest period, as well as transaction data and some other data. In this way, an SPV proof can also be thought of as a “proof of proof-of-work” for a particular output.
Inspiration for the compact SPV proof comes from a linked-list-like structure known as a “skip list” developed 25 years ago. In applying this structure to a compact SPV proof, the trick was in finding a way to skip block headers while still maintaining a high level of security so that an adversary would not be able to fake a proof.
In working through the problem, Blockstream showed an early draft of its sidechains paper to Miller, who had been mulling over compact SPVs for a few years already.
In August 2012, in a post on a BitcoinTalk forum titled “The High-Value-Hash Highway,” Miller described an idea for a “merkle skip list” that a Bitcoin light client could use to quickly determine the longest chain and begin using it. In that post, he described the significance of the data structure as “absolutely staggering.”
When Miller read through the Blockstream draft, he spotted a vulnerability in the compact SPV proof described in the paper. Discussions ensued, but they “couldn’t find a way to solve that problem without compromising efficiency,” Miller said.
Miller’s non-trivial contributions to the Blockstream paper ended up being a few paragraphs in Appendix B that describe the challenges in creating a compact SPV proof.
It should “be possible to greatly compress a list of headers while still proving the same amount of work,” the section reads, but “optimising these tradeoffs and formalising the security guarantees is out of scope for this paper and the topic of ongoing work.”
That ongoing work remained stuck for three years.
Making It Non-interactive
During that ensuing time, researchers at IOHK began taking a more serious interest in sidechains. Plans were taking shape for Cardano, a new proof-of-stake blockchain that IOHK had been contracted to build.
Cardano would consist of two layers: a settlement layer, launched in September 2017, where the money supply would be kept, and a smart contract layer. Those two layers would be two sidechain-enabled blockchains. In this way, the settlement could remain simple and secure from any attacks that might occur on the smart contract layer. But if IOHK was to get Cardano to work as intended, it needed to solve sidechains.
In February 2016, Kiayias, then a professor at the University of Athens, and two of his students, Nikolaos Lamprou and Aikaterini-Panagiota Stouka, released “Proofs of Proofs of Work with Sublinear Complexity” (PoPoW).
The paper was the first to formally address a compact SPV proof. Only, the proof described in the paper was interactive; whereas, to work for sidechains, it needed to be non-interactive.
In an interactive proof, the prover and the verifier enter into a back-and-forth conversation, meaning there could be more than one round of messaging. In contrast, a non-interactive proof would be a simple, short string of text that would fit neatly into a single transaction on the blockchain.
The PoPoW paper was presented at BITCOIN’16, a workshop affiliated with the International Financial Cryptography Association’s (IFCA) Financial Cryptography and Data Security conference. Miller, who was at the conference, approached Kiayias and shared an idea for making the protocol non-interactive.
It was a “nice observation,” Kiayias told Bitcoin Magazine, but making the proof secure was “not obvious at all” and would require significant work.
Zindros, who had just started working on his PhD under Kiayias, was also at the conference, and he needed a topic for his thesis. Kiayias saw a good fit, “so we pressed on, the three of us, and adapted the PoPoW protocol and its proof of security to the non-interactive setting,” Kiayias said.
In October 2016, Kiayias officially joined IOHK, and a year later, Kiayias, Miller and Zindros released “Non-Interactive Proofs of Proof-of-Work,” introducing a compact SPV proof five years after sidechains had first been talked about on Bitcoin forums.
“If it were interactive, I don’t know if it would have worked; with a non-interactive proof, it is really smooth,” Zindros told Bitcoin Magazine.
More Work to Be Done
Even with NiPoPoW, sidechains are still not fully specified. Several questions remain, including, how small can the proofs be made? After a transaction is locked up on one chain, how much time needs to pass before it can be spent on the other? And, will it be possible to move a token from a sidechain directly to another sidechain?
“A lot of theory still needs to be defined,” IOHK CEO Charles Hoskinson said in speaking to Bitcoin Magazine.
Also, while NiPoPoW is designed to work for proof-of-work blockchains, some believe that if blockchains are to take their place in the world on a grand scale, the future rests in proof-of-stake protocols like Ouroboros, Algorand or Snow White, which promise to be more energy-efficient than Bitcoin.
In particular, if Cardano, which is based on Ouroboros, is to work according to plan, IOHK researchers still need to discover a non-interactive proof of proof-of-stake (NiPoPoS).
Hoskinson is confident. “We can definitely do that,” he said. “We can definitely have a NiPoPoS. The question is how many megabytes or kilobytes is it going to be? Can we bring it down to 100 KB? That is really the question.”