We want merged-mined blockchains. We want them because it is possible to do things in them that aren’t doable in the normal Bitcoin blockchain because it is rightfully too expensive, but there are other things beside the world money that could benefit from a “distributed ledger” – just like people believed in 2013 –, like issued assets and domain names (just the most obvious examples).
On the other hand we can’t have – like people believed in 2013 – a copy of Bitcoin for every little idea with its own native token that is mined by proof-of-work and must get off the ground from being completely valueless into having some value by way of a miracle that operated only once with Bitcoin.
It’s also not a good idea to have blockchains with custom merged-mining protocol (like Namecoin and Rootstock) that require Bitcoin miners to run their software and be an active participant and miner for that other network besides Bitcoin, because it’s too cumbersome for everybody.
Luckily Ruben Somsen invented this protocol for blind merged-mining that solves the issue above. Although it doesn’t solve the fact that each parallel chain still needs some form of “native” token to pay miners – or it must use another method that doesn’t use a native token, such as trusted payments outside the chain.
How does it work
SIGHASH_ANYPREVOUT soft-fork1 it becomes possible to create presigned transactions that aren’t related to any previous UTXO.
Then you create a long sequence of transactions (sufficient to last for many many years), each with an
nLockTime of 1 and each spending the next (you create them from the last to the first). Since their
scriptSig (the unlocking script) will use
SIGHASH_ANYPREVOUT you can obtain a transaction id/hash that doesn’t include the previous TXO, you can, for example, in a sequence of transactions
A0-->B (B spends output 0 from A), include the signature for “spending A0 on B” inside the
scriptPubKey (the locking script) of “A0”.
With the contraption described above it is possible to make that long string of transactions everybody will know (and know how to generate) but each transaction can only be spent by the next previously decided transaction, no matter what anyone does, and there always must be at least one block of difference between them.
Then you combine it with
SIGHASH_ANYONECANPAY so parallel chain miners can add inputs and outputs to be able to compete on fees by including their own outputs and getting change back while at the same time writing a hash of the parallel block in the change output and you get everything working perfectly: everybody trying to spend the same output from the long string, each with a different parallel block hash, only the highest bidder will get the transaction included on the Bitcoin chain and thus only one parallel block will be mined.
The same thing used in.↩︎